Windows Analysis Report
o3pLoLD7cc

Overview

General Information

Sample Name: o3pLoLD7cc (renamed file extension from none to exe)
Analysis ID: 680344
MD5: 0d8224c48ed19b05a91a413c69e7b4d3
SHA1: a885be432257d23d63d0ba448ec0cb6950e37370
SHA256: 4bd0c1c5a6eb5e3bb2e84db799270248f5467dfb3e6e3b1d8db14887eeecae5e
Tags: 32exe

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Yara detected AntiVM3
System process connects to network (likely due to code injection or exploit)
Sample uses process hollowing technique
Maps a DLL or memory area into another process
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
Modifies the prolog of user mode functions (user mode inline hooks)
.NET source code contains potential unpacker
Injects a PE file into a foreign process
Queues an APC in another process (thread injection)
Tries to detect virtualization through RDTSC time measurements
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
Contains functionality for execution timing, often used to detect debuggers
Contains long sleeps (>= 3 min)
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Sample file is different than original file name gathered from version info
Contains functionality to read the PEB
Checks if the current process is being debugged
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

AV Detection

Source: o3pLoLD7cc.exe Virustotal: Detection: 42%
Source: Yara match File source: 5.0.o3pLoLD7cc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.o3pLoLD7cc.exe.424f558.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000005.00000000.270208888.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.507829731.0000000000900000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.508959934.0000000002960000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.506902043.00000000004A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000000.352084997.000000000D756000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000000.331404311.000000000D756000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.281181873.000000000424F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: o3pLoLD7cc.exe Joe Sandbox ML: detected
Source: 5.0.o3pLoLD7cc.exe.400000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 00000005.00000000.270208888.0000000000401000.00000040.00000400.00020000.00000000.sdmp Malware Configuration Extractor: FormBook {"C2 list": ["www.barbaramac.com/b30i/"], "decoy": ["rivacustomhomes.com", "foodanddessertblog.com", "ae-pos-package.com", "shantalamarr.com", "bangrey.xyz", "yourjbsaagent.com", "rumoastresamericas.com", "vetlomec.xyz", "israenergy.com", "ibuyjj.xyz", "redlinemuch.net", "plan-hub.site", "kosako.tech", "surowystorms.xyz", "eic.services", "amazoncooperative0.com", "4008630451.com", "fanfanlive.com", "clekgur.com", "3spowersolution.com", "szdispenser.com", "1stchoicemovers.uk", "centexfallenheroes.com", "rlmitte.info", "desertscarabe.xyz", "esco.website", "libertycontractingny.com", "bpcpas.online", "my-ar.style", "aster.tirol", "qingmu555.top", "arihulkkonen.info", "waterworksfields.co.uk", "zrvxr.com", "vfkmachine.com", "sekkocreativ.com", "goldnft.online", "thetrafficlist.com", "finpool.plus", "not-quite-alice.uk", "utblockchain.com", "comp-u-type.com", "inovasaudavel.website", "tlliangjia.com", "escolabr.website", "degenpotatoz.xyz", "miklicrp.city", "cryptocentury.xyz", "freshoutoffucks.net", "freemonoid.tech", "enchant-repining.net", "pvgcorp.com", "theskylights.co.uk", "637z.com", "ibuying.xyz", "nattu.info", "mdhzr.com", "rongan77.top", "xn--educacinenlinea-1rb.com", "abbeywoodlodge.com", "proyectosesbozo.online", "victormartin.xyz", "tind4r.com", "reshu-ekzamen.online"]}
Source: o3pLoLD7cc.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: o3pLoLD7cc.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: wntdll.pdbUGP source: o3pLoLD7cc.exe, 00000005.00000002.366873765.0000000000F70000.00000040.00000800.00020000.00000000.sdmp, o3pLoLD7cc.exe, 00000005.00000003.278160527.0000000000DD7000.00000004.00000800.00020000.00000000.sdmp, o3pLoLD7cc.exe, 00000005.00000003.271094206.0000000000C3C000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000016.00000003.369274175.0000000002E00000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000016.00000002.515761549.000000000311F000.00000040.00000800.00020000.00000000.sdmp, svchost.exe, 00000016.00000003.366219204.0000000002C00000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000016.00000002.513005579.0000000003000000.00000040.00000800.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: o3pLoLD7cc.exe, o3pLoLD7cc.exe, 00000005.00000002.366873765.0000000000F70000.00000040.00000800.00020000.00000000.sdmp, o3pLoLD7cc.exe, 00000005.00000003.278160527.0000000000DD7000.00000004.00000800.00020000.00000000.sdmp, o3pLoLD7cc.exe, 00000005.00000003.271094206.0000000000C3C000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000016.00000003.369274175.0000000002E00000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000016.00000002.515761549.000000000311F000.00000040.00000800.00020000.00000000.sdmp, svchost.exe, 00000016.00000003.366219204.0000000002C00000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000016.00000002.513005579.0000000003000000.00000040.00000800.00020000.00000000.sdmp
Source: Binary string: svchost.pdb source: o3pLoLD7cc.exe, 00000005.00000002.366600044.0000000000B38000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: svchost.pdbUGP source: o3pLoLD7cc.exe, 00000005.00000002.366600044.0000000000B38000.00000004.00000020.00020000.00000000.sdmp

Networking

Source: C:\Windows\explorer.exe Domain query: www.nattu.info
Source: Malware configuration extractor URLs: www.barbaramac.com/b30i/
Source: unknown DNS traffic detected: query: www.nattu.info reply code: Server failure (2)
Source: o3pLoLD7cc.exe, 00000000.00000003.244630124.0000000006116000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://en.w
Source: o3pLoLD7cc.exe, 00000000.00000003.243927587.0000000006133000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://en.wikipediaWt
Source: o3pLoLD7cc.exe, 00000000.00000002.284965912.0000000007322000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://fontfabrik.com
Source: o3pLoLD7cc.exe, 00000000.00000002.284965912.0000000007322000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: o3pLoLD7cc.exe, 00000000.00000002.284965912.0000000007322000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.carterandcone.coml
Source: o3pLoLD7cc.exe, 00000000.00000003.251143255.0000000006117000.00000004.00000800.00020000.00000000.sdmp, o3pLoLD7cc.exe, 00000000.00000002.284965912.0000000007322000.00000004.00000800.00020000.00000000.sdmp, o3pLoLD7cc.exe, 00000000.00000003.273323526.0000000006110000.00000004.00000800.00020000.00000000.sdmp, o3pLoLD7cc.exe, 00000000.00000003.251497013.0000000006118000.00000004.00000800.00020000.00000000.sdmp, o3pLoLD7cc.exe, 00000000.00000003.255020479.000000000611A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com
Source: o3pLoLD7cc.exe, 00000000.00000002.284965912.0000000007322000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers
Source: o3pLoLD7cc.exe, 00000000.00000002.284965912.0000000007322000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/?
Source: o3pLoLD7cc.exe, 00000000.00000002.284965912.0000000007322000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: o3pLoLD7cc.exe, 00000000.00000002.284965912.0000000007322000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: o3pLoLD7cc.exe, 00000000.00000002.284965912.0000000007322000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers8
Source: o3pLoLD7cc.exe, 00000000.00000002.284965912.0000000007322000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers?
Source: o3pLoLD7cc.exe, 00000000.00000002.284965912.0000000007322000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designersG
Source: o3pLoLD7cc.exe, 00000000.00000003.251143255.0000000006117000.00000004.00000800.00020000.00000000.sdmp, o3pLoLD7cc.exe, 00000000.00000003.251497013.0000000006118000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com=
Source: o3pLoLD7cc.exe, 00000000.00000003.251143255.0000000006117000.00000004.00000800.00020000.00000000.sdmp, o3pLoLD7cc.exe, 00000000.00000003.251497013.0000000006118000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.comO
Source: o3pLoLD7cc.exe, 00000000.00000003.251143255.0000000006117000.00000004.00000800.00020000.00000000.sdmp, o3pLoLD7cc.exe, 00000000.00000003.251497013.0000000006118000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.comalsX
Source: o3pLoLD7cc.exe, 00000000.00000003.255020479.000000000611A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.come.com
Source: o3pLoLD7cc.exe, 00000000.00000003.251143255.0000000006117000.00000004.00000800.00020000.00000000.sdmp, o3pLoLD7cc.exe, 00000000.00000003.251497013.0000000006118000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.comiced
Source: o3pLoLD7cc.exe, 00000000.00000003.251143255.0000000006117000.00000004.00000800.00020000.00000000.sdmp, o3pLoLD7cc.exe, 00000000.00000003.251497013.0000000006118000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.comk
Source: o3pLoLD7cc.exe, 00000000.00000002.284965912.0000000007322000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fonts.com
Source: o3pLoLD7cc.exe, 00000000.00000003.246064355.0000000006117000.00000004.00000800.00020000.00000000.sdmp, o3pLoLD7cc.exe, 00000000.00000003.245933926.0000000006117000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn
Source: o3pLoLD7cc.exe, 00000000.00000002.284965912.0000000007322000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: o3pLoLD7cc.exe, 00000000.00000002.284965912.0000000007322000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: o3pLoLD7cc.exe, 00000000.00000003.246064355.0000000006117000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn2
Source: o3pLoLD7cc.exe, 00000000.00000003.246064355.0000000006117000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cnJ
Source: o3pLoLD7cc.exe, 00000000.00000003.245933926.0000000006117000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cnmpat2
Source: o3pLoLD7cc.exe, 00000000.00000003.246064355.0000000006117000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cnr-c
Source: o3pLoLD7cc.exe, 00000000.00000003.252641899.0000000006148000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.galapagosdesign.com/
Source: o3pLoLD7cc.exe, 00000000.00000002.284965912.0000000007322000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: o3pLoLD7cc.exe, 00000000.00000002.284965912.0000000007322000.00000004.00000800.00020000.00000000.sdmp, o3pLoLD7cc.exe, 00000000.00000003.255020479.000000000611A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: o3pLoLD7cc.exe, 00000000.00000002.284965912.0000000007322000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.goodfont.co.kr
Source: o3pLoLD7cc.exe, 00000000.00000003.248134109.000000000611B000.00000004.00000800.00020000.00000000.sdmp, o3pLoLD7cc.exe, 00000000.00000003.248081608.000000000611B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: o3pLoLD7cc.exe, 00000000.00000003.248134109.000000000611B000.00000004.00000800.00020000.00000000.sdmp, o3pLoLD7cc.exe, 00000000.00000003.248081608.000000000611B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/#
Source: o3pLoLD7cc.exe, 00000000.00000003.248134109.000000000611B000.00000004.00000800.00020000.00000000.sdmp, o3pLoLD7cc.exe, 00000000.00000003.248081608.000000000611B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp//
Source: o3pLoLD7cc.exe, 00000000.00000003.248134109.000000000611B000.00000004.00000800.00020000.00000000.sdmp, o3pLoLD7cc.exe, 00000000.00000003.248081608.000000000611B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/F
Source: o3pLoLD7cc.exe, 00000000.00000003.248134109.000000000611B000.00000004.00000800.00020000.00000000.sdmp, o3pLoLD7cc.exe, 00000000.00000003.248081608.000000000611B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/O
Source: o3pLoLD7cc.exe, 00000000.00000003.248134109.000000000611B000.00000004.00000800.00020000.00000000.sdmp, o3pLoLD7cc.exe, 00000000.00000003.248081608.000000000611B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/X
Source: o3pLoLD7cc.exe, 00000000.00000003.248134109.000000000611B000.00000004.00000800.00020000.00000000.sdmp, o3pLoLD7cc.exe, 00000000.00000003.248081608.000000000611B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/Y0/5
Source: o3pLoLD7cc.exe, 00000000.00000003.248081608.000000000611B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
Source: o3pLoLD7cc.exe, 00000000.00000003.248134109.000000000611B000.00000004.00000800.00020000.00000000.sdmp, o3pLoLD7cc.exe, 00000000.00000003.248081608.000000000611B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/t
Source: o3pLoLD7cc.exe, 00000000.00000003.245548384.000000000612B000.00000004.00000800.00020000.00000000.sdmp, o3pLoLD7cc.exe, 00000000.00000003.245979119.000000000612B000.00000004.00000800.00020000.00000000.sdmp, o3pLoLD7cc.exe, 00000000.00000003.247559088.000000000612B000.00000004.00000800.00020000.00000000.sdmp, o3pLoLD7cc.exe, 00000000.00000003.246374848.000000000612B000.00000004.00000800.00020000.00000000.sdmp, o3pLoLD7cc.exe, 00000000.00000003.246781545.000000000612B000.00000004.00000800.00020000.00000000.sdmp, o3pLoLD7cc.exe, 00000000.00000003.245108616.000000000612B000.00000004.00000800.00020000.00000000.sdmp, o3pLoLD7cc.exe, 00000000.00000003.245067478.000000000612B000.00000004.00000800.00020000.00000000.sdmp, o3pLoLD7cc.exe, 00000000.00000002.284965912.0000000007322000.00000004.00000800.00020000.00000000.sdmp, o3pLoLD7cc.exe, 00000000.00000003.247694806.000000000612B000.00000004.00000800.00020000.00000000.sdmp, o3pLoLD7cc.exe, 00000000.00000003.247023658.000000000612B000.00000004.00000800.00020000.00000000.sdmp, o3pLoLD7cc.exe, 00000000.00000003.246565619.000000000612B000.00000004.00000800.00020000.00000000.sdmp, o3pLoLD7cc.exe, 00000000.00000003.245466325.000000000612B000.00000004.00000800.00020000.00000000.sdmp, o3pLoLD7cc.exe, 00000000.00000003.245843164.000000000612B000.00000004.00000800.00020000.00000000.sdmp, o3pLoLD7cc.exe, 00000000.00000003.246820959.000000000612B000.00000004.00000800.00020000.00000000.sdmp, o3pLoLD7cc.exe, 00000000.00000003.247666309.000000000612B000.00000004.00000800.00020000.00000000.sdmp, o3pLoLD7cc.exe, 00000000.00000003.247445746.000000000612B000.00000004.00000800.00020000.00000000.sdmp, o3pLoLD7cc.exe, 00000000.00000003.247116878.000000000612B000.00000004.00000800.00020000.00000000.sdmp, o3pLoLD7cc.exe, 00000000.00000003.244398485.000000000612B000.00000004.00000800.00020000.00000000.sdmp, o3pLoLD7cc.exe, 00000000.00000003.244484316.000000000612B000.00000004.00000800.00020000.00000000.sdmp, o3pLoLD7cc.exe, 
00000000.00000003.247194983.000000000612B000.00000004.00000800.00020000.00000000.sdmp, o3pLoLD7cc.exe, 00000000.00000003.244640688.000000000612B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sajatypeworks.com
Source: o3pLoLD7cc.exe, 00000000.00000003.245548384.000000000612B000.00000004.00000800.00020000.00000000.sdmp, o3pLoLD7cc.exe, 00000000.00000003.245979119.000000000612B000.00000004.00000800.00020000.00000000.sdmp, o3pLoLD7cc.exe, 00000000.00000003.247559088.000000000612B000.00000004.00000800.00020000.00000000.sdmp, o3pLoLD7cc.exe, 00000000.00000003.246374848.000000000612B000.00000004.00000800.00020000.00000000.sdmp, o3pLoLD7cc.exe, 00000000.00000003.246781545.000000000612B000.00000004.00000800.00020000.00000000.sdmp, o3pLoLD7cc.exe, 00000000.00000003.245108616.000000000612B000.00000004.00000800.00020000.00000000.sdmp, o3pLoLD7cc.exe, 00000000.00000003.244369021.000000000612B000.00000004.00000800.00020000.00000000.sdmp, o3pLoLD7cc.exe, 00000000.00000003.245067478.000000000612B000.00000004.00000800.00020000.00000000.sdmp, o3pLoLD7cc.exe, 00000000.00000003.247694806.000000000612B000.00000004.00000800.00020000.00000000.sdmp, o3pLoLD7cc.exe, 00000000.00000003.247023658.000000000612B000.00000004.00000800.00020000.00000000.sdmp, o3pLoLD7cc.exe, 00000000.00000003.246565619.000000000612B000.00000004.00000800.00020000.00000000.sdmp, o3pLoLD7cc.exe, 00000000.00000003.245466325.000000000612B000.00000004.00000800.00020000.00000000.sdmp, o3pLoLD7cc.exe, 00000000.00000003.245843164.000000000612B000.00000004.00000800.00020000.00000000.sdmp, o3pLoLD7cc.exe, 00000000.00000003.246820959.000000000612B000.00000004.00000800.00020000.00000000.sdmp, o3pLoLD7cc.exe, 00000000.00000003.247666309.000000000612B000.00000004.00000800.00020000.00000000.sdmp, o3pLoLD7cc.exe, 00000000.00000003.247445746.000000000612B000.00000004.00000800.00020000.00000000.sdmp, o3pLoLD7cc.exe, 00000000.00000003.247116878.000000000612B000.00000004.00000800.00020000.00000000.sdmp, o3pLoLD7cc.exe, 00000000.00000003.244398485.000000000612B000.00000004.00000800.00020000.00000000.sdmp, o3pLoLD7cc.exe, 00000000.00000003.244484316.000000000612B000.00000004.00000800.00020000.00000000.sdmp, o3pLoLD7cc.exe, 
00000000.00000003.247194983.000000000612B000.00000004.00000800.00020000.00000000.sdmp, o3pLoLD7cc.exe, 00000000.00000003.244285528.000000000612B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sajatypeworks.com2
Source: o3pLoLD7cc.exe, 00000000.00000003.245548384.000000000612B000.00000004.00000800.00020000.00000000.sdmp, o3pLoLD7cc.exe, 00000000.00000003.245979119.000000000612B000.00000004.00000800.00020000.00000000.sdmp, o3pLoLD7cc.exe, 00000000.00000003.247559088.000000000612B000.00000004.00000800.00020000.00000000.sdmp, o3pLoLD7cc.exe, 00000000.00000003.246374848.000000000612B000.00000004.00000800.00020000.00000000.sdmp, o3pLoLD7cc.exe, 00000000.00000003.246781545.000000000612B000.00000004.00000800.00020000.00000000.sdmp, o3pLoLD7cc.exe, 00000000.00000003.245108616.000000000612B000.00000004.00000800.00020000.00000000.sdmp, o3pLoLD7cc.exe, 00000000.00000003.245067478.000000000612B000.00000004.00000800.00020000.00000000.sdmp, o3pLoLD7cc.exe, 00000000.00000003.247694806.000000000612B000.00000004.00000800.00020000.00000000.sdmp, o3pLoLD7cc.exe, 00000000.00000003.247023658.000000000612B000.00000004.00000800.00020000.00000000.sdmp, o3pLoLD7cc.exe, 00000000.00000003.246565619.000000000612B000.00000004.00000800.00020000.00000000.sdmp, o3pLoLD7cc.exe, 00000000.00000003.245466325.000000000612B000.00000004.00000800.00020000.00000000.sdmp, o3pLoLD7cc.exe, 00000000.00000003.245843164.000000000612B000.00000004.00000800.00020000.00000000.sdmp, o3pLoLD7cc.exe, 00000000.00000003.246820959.000000000612B000.00000004.00000800.00020000.00000000.sdmp, o3pLoLD7cc.exe, 00000000.00000003.247666309.000000000612B000.00000004.00000800.00020000.00000000.sdmp, o3pLoLD7cc.exe, 00000000.00000003.247445746.000000000612B000.00000004.00000800.00020000.00000000.sdmp, o3pLoLD7cc.exe, 00000000.00000003.247116878.000000000612B000.00000004.00000800.00020000.00000000.sdmp, o3pLoLD7cc.exe, 00000000.00000003.244398485.000000000612B000.00000004.00000800.00020000.00000000.sdmp, o3pLoLD7cc.exe, 00000000.00000003.244484316.000000000612B000.00000004.00000800.00020000.00000000.sdmp, o3pLoLD7cc.exe, 00000000.00000003.247194983.000000000612B000.00000004.00000800.00020000.00000000.sdmp, o3pLoLD7cc.exe, 
00000000.00000003.244640688.000000000612B000.00000004.00000800.00020000.00000000.sdmp, o3pLoLD7cc.exe, 00000000.00000003.247373240.000000000612B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sajatypeworks.come
Source: o3pLoLD7cc.exe, 00000000.00000003.245548384.000000000612B000.00000004.00000800.00020000.00000000.sdmp, o3pLoLD7cc.exe, 00000000.00000003.245979119.000000000612B000.00000004.00000800.00020000.00000000.sdmp, o3pLoLD7cc.exe, 00000000.00000003.247559088.000000000612B000.00000004.00000800.00020000.00000000.sdmp, o3pLoLD7cc.exe, 00000000.00000003.246374848.000000000612B000.00000004.00000800.00020000.00000000.sdmp, o3pLoLD7cc.exe, 00000000.00000003.246781545.000000000612B000.00000004.00000800.00020000.00000000.sdmp, o3pLoLD7cc.exe, 00000000.00000003.245108616.000000000612B000.00000004.00000800.00020000.00000000.sdmp, o3pLoLD7cc.exe, 00000000.00000003.244369021.000000000612B000.00000004.00000800.00020000.00000000.sdmp, o3pLoLD7cc.exe, 00000000.00000003.245067478.000000000612B000.00000004.00000800.00020000.00000000.sdmp, o3pLoLD7cc.exe, 00000000.00000003.247694806.000000000612B000.00000004.00000800.00020000.00000000.sdmp, o3pLoLD7cc.exe, 00000000.00000003.247023658.000000000612B000.00000004.00000800.00020000.00000000.sdmp, o3pLoLD7cc.exe, 00000000.00000003.246565619.000000000612B000.00000004.00000800.00020000.00000000.sdmp, o3pLoLD7cc.exe, 00000000.00000003.245466325.000000000612B000.00000004.00000800.00020000.00000000.sdmp, o3pLoLD7cc.exe, 00000000.00000003.245843164.000000000612B000.00000004.00000800.00020000.00000000.sdmp, o3pLoLD7cc.exe, 00000000.00000003.246820959.000000000612B000.00000004.00000800.00020000.00000000.sdmp, o3pLoLD7cc.exe, 00000000.00000003.247666309.000000000612B000.00000004.00000800.00020000.00000000.sdmp, o3pLoLD7cc.exe, 00000000.00000003.247445746.000000000612B000.00000004.00000800.00020000.00000000.sdmp, o3pLoLD7cc.exe, 00000000.00000003.247116878.000000000612B000.00000004.00000800.00020000.00000000.sdmp, o3pLoLD7cc.exe, 00000000.00000003.244398485.000000000612B000.00000004.00000800.00020000.00000000.sdmp, o3pLoLD7cc.exe, 00000000.00000003.244484316.000000000612B000.00000004.00000800.00020000.00000000.sdmp, o3pLoLD7cc.exe, 
00000000.00000003.247194983.000000000612B000.00000004.00000800.00020000.00000000.sdmp, o3pLoLD7cc.exe, 00000000.00000003.244285528.000000000612B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sajatypeworks.comt
Source: o3pLoLD7cc.exe, 00000000.00000002.284965912.0000000007322000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sakkal.com
Source: o3pLoLD7cc.exe, 00000000.00000002.284965912.0000000007322000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sandoll.co.kr
Source: o3pLoLD7cc.exe, 00000000.00000002.284965912.0000000007322000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.tiro.com
Source: o3pLoLD7cc.exe, 00000000.00000002.284965912.0000000007322000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.typography.netD
Source: o3pLoLD7cc.exe, 00000000.00000002.284965912.0000000007322000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.urwpp.deDPlease
Source: o3pLoLD7cc.exe, 00000000.00000002.284965912.0000000007322000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.zhongyicts.com.cn
Source: unknown DNS traffic detected: queries for: www.nattu.info
Source: o3pLoLD7cc.exe, 00000000.00000002.277166040.00000000015EA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud

Source: Yara match File source: 5.0.o3pLoLD7cc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.o3pLoLD7cc.exe.424f558.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000005.00000000.270208888.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.507829731.0000000000900000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.508959934.0000000002960000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.506902043.00000000004A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000000.352084997.000000000D756000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000000.331404311.000000000D756000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.281181873.000000000424F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

System Summary

Source: 5.0.o3pLoLD7cc.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 5.0.o3pLoLD7cc.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 5.0.o3pLoLD7cc.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.o3pLoLD7cc.exe.424f558.9.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0.2.o3pLoLD7cc.exe.424f558.9.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.o3pLoLD7cc.exe.424f558.9.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000000.270208888.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000005.00000000.270208888.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000000.270208888.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000016.00000002.507829731.0000000000900000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000016.00000002.507829731.0000000000900000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000016.00000002.507829731.0000000000900000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000016.00000002.508959934.0000000002960000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000016.00000002.508959934.0000000002960000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000016.00000002.508959934.0000000002960000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000016.00000002.506902043.00000000004A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000016.00000002.506902043.00000000004A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000016.00000002.506902043.00000000004A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000000.352084997.000000000D756000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000006.00000000.352084997.000000000D756000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000000.352084997.000000000D756000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000000.331404311.000000000D756000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000006.00000000.331404311.000000000D756000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000000.331404311.000000000D756000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.281181873.000000000424F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000000.00000002.281181873.000000000424F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.281181873.000000000424F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: Process Memory Space: o3pLoLD7cc.exe PID: 980, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: o3pLoLD7cc.exe PID: 5140, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: svchost.exe PID: 4772, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: o3pLoLD7cc.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 5.0.o3pLoLD7cc.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 5.0.o3pLoLD7cc.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 5.0.o3pLoLD7cc.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.o3pLoLD7cc.exe.424f558.9.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0.2.o3pLoLD7cc.exe.424f558.9.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.o3pLoLD7cc.exe.424f558.9.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000000.270208888.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000005.00000000.270208888.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000000.270208888.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000016.00000002.507829731.0000000000900000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000016.00000002.507829731.0000000000900000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000016.00000002.507829731.0000000000900000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000016.00000002.508959934.0000000002960000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000016.00000002.508959934.0000000002960000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000016.00000002.508959934.0000000002960000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000016.00000002.506902043.00000000004A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000016.00000002.506902043.00000000004A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000016.00000002.506902043.00000000004A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000000.352084997.000000000D756000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000006.00000000.352084997.000000000D756000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000000.352084997.000000000D756000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000000.331404311.000000000D756000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000006.00000000.331404311.000000000D756000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000000.331404311.000000000D756000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.281181873.000000000424F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000000.00000002.281181873.000000000424F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.281181873.000000000424F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: Process Memory Space: o3pLoLD7cc.exe PID: 980, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: o3pLoLD7cc.exe PID: 5140, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: svchost.exe PID: 4772, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 0_2_0197CD04 0_2_0197CD04
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 0_2_0197F0D0 0_2_0197F0D0
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 0_2_0197F0C0 0_2_0197F0C0
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 0_2_07AB5A40 0_2_07AB5A40
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 0_2_07AB5608 0_2_07AB5608
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 0_2_07AB5618 0_2_07AB5618
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 0_2_07AB6FEA 0_2_07AB6FEA
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 0_2_07AB6FF0 0_2_07AB6FF0
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 0_2_07AB5A30 0_2_07AB5A30
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_00FC20A0 5_2_00FC20A0
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_00FAB090 5_2_00FAB090
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_00FBA830 5_2_00FBA830
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_01051002 5_2_01051002
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_0106E824 5_2_0106E824
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_00FB99BF 5_2_00FB99BF
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_010620A8 5_2_010620A8
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_00FB4120 5_2_00FB4120
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_010628EC 5_2_010628EC
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_00F9F900 5_2_00F9F900
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_01062B28 5_2_01062B28
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_0103CB4F 5_2_0103CB4F
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_00FBB236 5_2_00FBB236
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_0105DBD2 5_2_0105DBD2
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_010503DA 5_2_010503DA
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_010423E3 5_2_010423E3
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_00FCABD8 5_2_00FCABD8
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_0104FA2B 5_2_0104FA2B
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_00FCEBB0 5_2_00FCEBB0
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_00FBEB9A 5_2_00FBEB9A
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_00FC138B 5_2_00FC138B
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_010622AE 5_2_010622AE
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_00FBAB40 5_2_00FBAB40
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_01054AEF 5_2_01054AEF
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_00FBA309 5_2_00FBA309
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_01062D07 5_2_01062D07
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_01061D55 5_2_01061D55
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_01052D82 5_2_01052D82
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_00FBB477 5_2_00FBB477
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_010625DD 5_2_010625DD
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_00FA841F 5_2_00FA841F
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_00FAD5E0 5_2_00FAD5E0
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_0105D466 5_2_0105D466
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_00FC2581 5_2_00FC2581
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_01054496 5_2_01054496
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_00F90D20 5_2_00F90D20
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_0106DFCE 5_2_0106DFCE
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_00FB6E30 5_2_00FB6E30
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_01061FF1 5_2_01061FF1
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_00FB5600 5_2_00FB5600
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_0105D616 5_2_0105D616
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_01041EB6 5_2_01041EB6
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_01062EF7 5_2_01062EF7
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: String function: 00F9B150 appears 145 times
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_00FD98F0 NtReadVirtualMemory,LdrInitializeThunk, 5_2_00FD98F0
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_00FD9860 NtQuerySystemInformation,LdrInitializeThunk, 5_2_00FD9860
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_00FD9840 NtDelayExecution,LdrInitializeThunk, 5_2_00FD9840
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_00FD99A0 NtCreateSection,LdrInitializeThunk, 5_2_00FD99A0
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_00FD9910 NtAdjustPrivilegesToken,LdrInitializeThunk, 5_2_00FD9910
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_00FD9A50 NtCreateFile,LdrInitializeThunk, 5_2_00FD9A50
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_00FD9A20 NtResumeThread,LdrInitializeThunk, 5_2_00FD9A20
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_00FD9A00 NtProtectVirtualMemory,LdrInitializeThunk, 5_2_00FD9A00
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_00FD95D0 NtClose,LdrInitializeThunk, 5_2_00FD95D0
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_00FD9540 NtReadFile,LdrInitializeThunk, 5_2_00FD9540
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_00FD96E0 NtFreeVirtualMemory,LdrInitializeThunk, 5_2_00FD96E0
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_00FD9660 NtAllocateVirtualMemory,LdrInitializeThunk, 5_2_00FD9660
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_00FD97A0 NtUnmapViewOfSection,LdrInitializeThunk, 5_2_00FD97A0
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_00FD9780 NtMapViewOfSection,LdrInitializeThunk, 5_2_00FD9780
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_00FD9710 NtQueryInformationToken,LdrInitializeThunk, 5_2_00FD9710
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_00FD98A0 NtWriteVirtualMemory, 5_2_00FD98A0
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_00FDB040 NtSuspendThread, 5_2_00FDB040
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_00FD9820 NtEnumerateKey, 5_2_00FD9820
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_00FD99D0 NtCreateProcessEx, 5_2_00FD99D0
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_00FD9950 NtQueueApcThread, 5_2_00FD9950
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_00FD9A80 NtOpenDirectoryObject, 5_2_00FD9A80
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_00FD9A10 NtQuerySection, 5_2_00FD9A10
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_00FDA3B0 NtGetContextThread, 5_2_00FDA3B0
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_00FD9B00 NtSetValueKey, 5_2_00FD9B00
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_00FD95F0 NtQueryInformationFile, 5_2_00FD95F0
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_00FD9560 NtWriteFile, 5_2_00FD9560
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_00FDAD30 NtSetContextThread, 5_2_00FDAD30
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_00FD9520 NtWaitForSingleObject, 5_2_00FD9520
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_00FD96D0 NtCreateKey, 5_2_00FD96D0
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_00FD9670 NtQueryInformationProcess, 5_2_00FD9670
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_00FD9650 NtQueryValueKey, 5_2_00FD9650
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_00FD9610 NtEnumerateValueKey, 5_2_00FD9610
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_00FD9FE0 NtCreateMutant, 5_2_00FD9FE0
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_00FDA770 NtOpenThread, 5_2_00FDA770
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_00FD9770 NtSetInformationFile, 5_2_00FD9770
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_00FD9760 NtOpenProcess, 5_2_00FD9760
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_00FD9730 NtQueryVirtualMemory, 5_2_00FD9730
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_00FDA710 NtOpenProcessToken, 5_2_00FDA710
Source: o3pLoLD7cc.exe, 00000000.00000003.257714692.0000000001677000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameKeysNormalize.dll4 vs o3pLoLD7cc.exe
Source: o3pLoLD7cc.exe, 00000000.00000002.277166040.00000000015EA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs o3pLoLD7cc.exe
Source: o3pLoLD7cc.exe, 00000000.00000002.286653487.00000000078E0000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameWebName.dll4 vs o3pLoLD7cc.exe
Source: o3pLoLD7cc.exe, 00000000.00000002.278817916.00000000031C3000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameWebName.dll4 vs o3pLoLD7cc.exe
Source: o3pLoLD7cc.exe, 00000000.00000002.281181873.000000000424F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameDoncepre.dll@ vs o3pLoLD7cc.exe
Source: o3pLoLD7cc.exe, 00000000.00000000.240927992.0000000000ED8000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenamecDisplayClass.exeB vs o3pLoLD7cc.exe
Source: o3pLoLD7cc.exe, 00000000.00000002.286982354.0000000007A30000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameDoncepre.dll@ vs o3pLoLD7cc.exe
Source: o3pLoLD7cc.exe, 00000005.00000002.368365601.000000000108F000.00000040.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs o3pLoLD7cc.exe
Source: o3pLoLD7cc.exe, 00000005.00000002.366738355.0000000000B55000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamesvchost.exej% vs o3pLoLD7cc.exe
Source: o3pLoLD7cc.exe, 00000005.00000002.366600044.0000000000B38000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamesvchost.exej% vs o3pLoLD7cc.exe
Source: o3pLoLD7cc.exe, 00000005.00000003.279075399.0000000000EF6000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs o3pLoLD7cc.exe
Source: o3pLoLD7cc.exe, 00000005.00000003.276271356.0000000000D52000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs o3pLoLD7cc.exe
Source: o3pLoLD7cc.exe Binary or memory string: OriginalFilenamecDisplayClass.exeB vs o3pLoLD7cc.exe
Source: o3pLoLD7cc.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: o3pLoLD7cc.exe Virustotal: Detection: 42%
Source: o3pLoLD7cc.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\o3pLoLD7cc.exe "C:\Users\user\Desktop\o3pLoLD7cc.exe"
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Process created: C:\Users\user\Desktop\o3pLoLD7cc.exe C:\Users\user\Desktop\o3pLoLD7cc.exe
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Process created: C:\Users\user\Desktop\o3pLoLD7cc.exe C:\Users\user\Desktop\o3pLoLD7cc.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\autoconv.exe C:\Windows\SysWOW64\autoconv.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\svchost.exe
Source: C:\Windows\SysWOW64\svchost.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\o3pLoLD7cc.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Process created: C:\Users\user\Desktop\o3pLoLD7cc.exe C:\Users\user\Desktop\o3pLoLD7cc.exe
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Process created: C:\Users\user\Desktop\o3pLoLD7cc.exe C:\Users\user\Desktop\o3pLoLD7cc.exe
Source: C:\Windows\SysWOW64\svchost.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\o3pLoLD7cc.exe"
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\o3pLoLD7cc.exe.log
Source: classification engine Classification label: mal100.troj.evad.winEXE@10/1@1/0
Source: o3pLoLD7cc.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4784:120:WilError_01
Source: o3pLoLD7cc.exe, ProcExpGUI/Form1.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 0.0.o3pLoLD7cc.exe.e10000.0.unpack, ProcExpGUI/Form1.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: o3pLoLD7cc.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: o3pLoLD7cc.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: wntdll.pdbUGP source: o3pLoLD7cc.exe, 00000005.00000002.366873765.0000000000F70000.00000040.00000800.00020000.00000000.sdmp, o3pLoLD7cc.exe, 00000005.00000003.278160527.0000000000DD7000.00000004.00000800.00020000.00000000.sdmp, o3pLoLD7cc.exe, 00000005.00000003.271094206.0000000000C3C000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000016.00000003.369274175.0000000002E00000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000016.00000002.515761549.000000000311F000.00000040.00000800.00020000.00000000.sdmp, svchost.exe, 00000016.00000003.366219204.0000000002C00000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000016.00000002.513005579.0000000003000000.00000040.00000800.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: o3pLoLD7cc.exe, o3pLoLD7cc.exe, 00000005.00000002.366873765.0000000000F70000.00000040.00000800.00020000.00000000.sdmp, o3pLoLD7cc.exe, 00000005.00000003.278160527.0000000000DD7000.00000004.00000800.00020000.00000000.sdmp, o3pLoLD7cc.exe, 00000005.00000003.271094206.0000000000C3C000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000016.00000003.369274175.0000000002E00000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000016.00000002.515761549.000000000311F000.00000040.00000800.00020000.00000000.sdmp, svchost.exe, 00000016.00000003.366219204.0000000002C00000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000016.00000002.513005579.0000000003000000.00000040.00000800.00020000.00000000.sdmp
Source: Binary string: svchost.pdb source: o3pLoLD7cc.exe, 00000005.00000002.366600044.0000000000B38000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: svchost.pdbUGP source: o3pLoLD7cc.exe, 00000005.00000002.366600044.0000000000B38000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation

Source: o3pLoLD7cc.exe, ProcExpGUI/Form1.cs .Net Code: WaitHandle System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 0.0.o3pLoLD7cc.exe.e10000.0.unpack, ProcExpGUI/Form1.cs .Net Code: WaitHandle System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_00FED0D1 push ecx; ret 5_2_00FED0E4
Source: initial sample Static PE information: section name: .text entropy: 7.7803803280527

Hooking and other Techniques for Hiding and Protection

Source: explorer.exe User mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x8A 0xAE 0xEC
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior (37 identical entries)
Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion

Source: Yara match File source: 00000000.00000002.280526739.00000000033FA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.278817916.00000000031C3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: o3pLoLD7cc.exe PID: 980, type: MEMORYSTR
Source: o3pLoLD7cc.exe, 00000000.00000002.280526739.00000000033FA000.00000004.00000800.00020000.00000000.sdmp, o3pLoLD7cc.exe, 00000000.00000002.278817916.00000000031C3000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SBIEDLL.DLL
Source: o3pLoLD7cc.exe, 00000000.00000002.280526739.00000000033FA000.00000004.00000800.00020000.00000000.sdmp, o3pLoLD7cc.exe, 00000000.00000002.278817916.00000000031C3000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe RDTSC instruction interceptor: First address: 0000000000409904 second address: 000000000040990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe RDTSC instruction interceptor: First address: 0000000000409B6E second address: 0000000000409B74 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\svchost.exe RDTSC instruction interceptor: First address: 00000000004A9904 second address: 00000000004A990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\svchost.exe RDTSC instruction interceptor: First address: 00000000004A9B6E second address: 00000000004A9B74 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe TID: 5760 Thread sleep time: -45877s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe TID: 5788 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Windows\explorer.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\svchost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_00FC6A60 rdtscp 5_2_00FC6A60
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe API coverage: 3.3 %
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Process information queried: ProcessInformation Jump to behavior
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Thread delayed: delay time: 45877 Jump to behavior
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: explorer.exe, 00000006.00000000.327549908.00000000080ED000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: explorer.exe, 00000006.00000000.299296624.0000000008223000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}*^d
Source: explorer.exe, 00000006.00000000.299296624.0000000008223000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}m&ven_n
Source: o3pLoLD7cc.exe, 00000000.00000002.278817916.00000000031C3000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: explorer.exe, 00000006.00000000.317136850.0000000000680000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: _VMware_SATA_CD00#5&280b647&
Source: explorer.exe, 00000006.00000000.317172679.000000000069D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: o3pLoLD7cc.exe, 00000000.00000002.278817916.00000000031C3000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmware
Source: explorer.exe, 00000006.00000000.299296624.0000000008223000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMware SATA CD00
Source: explorer.exe, 00000006.00000000.345513596.00000000062C4000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000006.00000000.319065006.0000000004287000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}0
Source: explorer.exe, 00000006.00000000.328116937.000000000820E000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
Source: explorer.exe, 00000006.00000000.299296624.0000000008223000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}}^
Source: o3pLoLD7cc.exe, 00000000.00000002.278817916.00000000031C3000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMware SVGA II
Source: explorer.exe, 00000006.00000000.327549908.00000000080ED000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
Source: explorer.exe, 00000006.00000000.299296624.0000000008223000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMware SATA CD00l
Source: o3pLoLD7cc.exe, 00000000.00000002.278817916.00000000031C3000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_00FC6A60 rdtscp 5_2_00FC6A60
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Process token adjusted: Debug Jump to behavior (2 occurrences)
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_00F958EC mov eax, dword ptr fs:[00000030h] 5_2_00F958EC
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_00F940E1 mov eax, dword ptr fs:[00000030h] 5_2_00F940E1 (3 occurrences)
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_00FBB8E4 mov eax, dword ptr fs:[00000030h] 5_2_00FBB8E4 (2 occurrences)
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_00FCF0BF mov ecx, dword ptr fs:[00000030h] 5_2_00FCF0BF
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_00FCF0BF mov eax, dword ptr fs:[00000030h] 5_2_00FCF0BF (2 occurrences)
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_00FD90AF mov eax, dword ptr fs:[00000030h] 5_2_00FD90AF
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_00FC20A0 mov eax, dword ptr fs:[00000030h] 5_2_00FC20A0 (6 occurrences)
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_00F99080 mov eax, dword ptr fs:[00000030h] 5_2_00F99080
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_010549A4 mov eax, dword ptr fs:[00000030h] 5_2_010549A4 (4 occurrences)
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_010169A6 mov eax, dword ptr fs:[00000030h] 5_2_010169A6
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_00FB0050 mov eax, dword ptr fs:[00000030h] 5_2_00FB0050 (2 occurrences)
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_010151BE mov eax, dword ptr fs:[00000030h] 5_2_010151BE (4 occurrences)
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_00FBA830 mov eax, dword ptr fs:[00000030h] 5_2_00FBA830 (4 occurrences)
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_00FAB02A mov eax, dword ptr fs:[00000030h] 5_2_00FAB02A (4 occurrences)
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_00FC002D mov eax, dword ptr fs:[00000030h] 5_2_00FC002D (5 occurrences)
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_010241E8 mov eax, dword ptr fs:[00000030h] 5_2_010241E8
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_01064015 mov eax, dword ptr fs:[00000030h] 5_2_01064015 (2 occurrences)
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_01017016 mov eax, dword ptr fs:[00000030h] 5_2_01017016 (3 occurrences)
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_00F9B1E1 mov eax, dword ptr fs:[00000030h] 5_2_00F9B1E1 (3 occurrences)
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_00FB99BF mov ecx, dword ptr fs:[00000030h] 5_2_00FB99BF (8 occurrences)
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_00FB99BF mov eax, dword ptr fs:[00000030h] 5_2_00FB99BF (4 occurrences)
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_00FC61A0 mov eax, dword ptr fs:[00000030h] 5_2_00FC61A0 (2 occurrences)
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_00FC2990 mov eax, dword ptr fs:[00000030h] 5_2_00FC2990
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_00FC4190 mov eax, dword ptr fs:[00000030h] 5_2_00FC4190
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_01061074 mov eax, dword ptr fs:[00000030h] 5_2_01061074
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_01052073 mov eax, dword ptr fs:[00000030h] 5_2_01052073
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_00FBC182 mov eax, dword ptr fs:[00000030h] 5_2_00FBC182
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_00FCA185 mov eax, dword ptr fs:[00000030h] 5_2_00FCA185
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_01013884 mov eax, dword ptr fs:[00000030h] 5_2_01013884 (2 occurrences)
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_00F9B171 mov eax, dword ptr fs:[00000030h] 5_2_00F9B171 (2 occurrences)
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_00F9C962 mov eax, dword ptr fs:[00000030h] 5_2_00F9C962
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_00FBB944 mov eax, dword ptr fs:[00000030h] 5_2_00FBB944 (2 occurrences)
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_00FC513A mov eax, dword ptr fs:[00000030h] 5_2_00FC513A (2 occurrences)
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_0102B8D0 mov eax, dword ptr fs:[00000030h] 5_2_0102B8D0 (5 occurrences)
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_0102B8D0 mov ecx, dword ptr fs:[00000030h] 5_2_0102B8D0
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_00FB4120 mov eax, dword ptr fs:[00000030h] 5_2_00FB4120 (4 occurrences)
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_00FB4120 mov ecx, dword ptr fs:[00000030h] 5_2_00FB4120
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_00F99100 mov eax, dword ptr fs:[00000030h] 5_2_00F99100 (3 occurrences)
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_00FC2AE4 mov eax, dword ptr fs:[00000030h] 5_2_00FC2AE4
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_0105131B mov eax, dword ptr fs:[00000030h] 5_2_0105131B
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_00FC2ACB mov eax, dword ptr fs:[00000030h] 5_2_00FC2ACB
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_00FAAAB0 mov eax, dword ptr fs:[00000030h] 5_2_00FAAAB0 (2 occurrences)
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_00FCFAB0 mov eax, dword ptr fs:[00000030h] 5_2_00FCFAB0
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_00F952A5 mov eax, dword ptr fs:[00000030h] 5_2_00F952A5 (5 occurrences)
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_01068B58 mov eax, dword ptr fs:[00000030h] 5_2_01068B58
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_00FCD294 mov eax, dword ptr fs:[00000030h] 5_2_00FCD294 (2 occurrences)
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_0104D380 mov ecx, dword ptr fs:[00000030h] 5_2_0104D380
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_00FD927A mov eax, dword ptr fs:[00000030h] 5_2_00FD927A
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_0105138A mov eax, dword ptr fs:[00000030h] 5_2_0105138A
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_01065BA5 mov eax, dword ptr fs:[00000030h] 5_2_01065BA5
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_00F99240 mov eax, dword ptr fs:[00000030h] 5_2_00F99240 (4 occurrences)
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_010153CA mov eax, dword ptr fs:[00000030h] 5_2_010153CA (2 occurrences)
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_00FBB236 mov eax, dword ptr fs:[00000030h] 5_2_00FBB236 (6 occurrences)
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_00FD4A2C mov eax, dword ptr fs:[00000030h] 5_2_00FD4A2C (2 occurrences)
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_00FBA229 mov eax, dword ptr fs:[00000030h] 5_2_00FBA229 (9 occurrences)
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_00FB3A1C mov eax, dword ptr fs:[00000030h] 5_2_00FB3A1C
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_010423E3 mov ecx, dword ptr fs:[00000030h] 5_2_010423E3 (2 occurrences)
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_010423E3 mov eax, dword ptr fs:[00000030h] 5_2_010423E3
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_00F95210 mov eax, dword ptr fs:[00000030h] 5_2_00F95210 (3 occurrences)
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_00F95210 mov ecx, dword ptr fs:[00000030h] 5_2_00F95210
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_00F9AA16 mov eax, dword ptr fs:[00000030h] 5_2_00F9AA16 (2 occurrences)
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_00FA8A0A mov eax, dword ptr fs:[00000030h] 5_2_00FA8A0A
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_00FBDBE9 mov eax, dword ptr fs:[00000030h] 5_2_00FBDBE9
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_0105AA16 mov eax, dword ptr fs:[00000030h] 5_2_0105AA16 (2 occurrences)
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_00FC03E2 mov eax, dword ptr fs:[00000030h] 5_2_00FC03E2 (6 occurrences)
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_00FC53C5 mov eax, dword ptr fs:[00000030h] 5_2_00FC53C5
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_0105EA55 mov eax, dword ptr fs:[00000030h] 5_2_0105EA55
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_00FC4BAD mov eax, dword ptr fs:[00000030h] 5_2_00FC4BAD (3 occurrences)
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_01024257 mov eax, dword ptr fs:[00000030h] 5_2_01024257
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_00FBEB9A mov eax, dword ptr fs:[00000030h] 5_2_00FBEB9A (2 occurrences)
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_0104B260 mov eax, dword ptr fs:[00000030h] 5_2_0104B260 (2 occurrences)
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_01068A62 mov eax, dword ptr fs:[00000030h] 5_2_01068A62
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_00FC2397 mov eax, dword ptr fs:[00000030h] 5_2_00FC2397
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_00FCB390 mov eax, dword ptr fs:[00000030h] 5_2_00FCB390
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_00FA1B8F mov eax, dword ptr fs:[00000030h] 5_2_00FA1B8F (2 occurrences)
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_00FC138B mov eax, dword ptr fs:[00000030h] 5_2_00FC138B (3 occurrences)
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_00FC3B7A mov eax, dword ptr fs:[00000030h] 5_2_00FC3B7A (2 occurrences)
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_00F9DB60 mov ecx, dword ptr fs:[00000030h] 5_2_00F9DB60
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_00F9F358 mov eax, dword ptr fs:[00000030h] 5_2_00F9F358
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_00F9DB40 mov eax, dword ptr fs:[00000030h] 5_2_00F9DB40
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_01054AEF mov eax, dword ptr fs:[00000030h] 5_2_01054AEF (12 occurrences)
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_01054AEF mov eax, dword ptr fs:[00000030h] 5_2_01054AEF
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_01054AEF mov eax, dword ptr fs:[00000030h] 5_2_01054AEF
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_00FBA309 mov eax, dword ptr fs:[00000030h] 5_2_00FBA309
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_00FBA309 mov eax, dword ptr fs:[00000030h] 5_2_00FBA309
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_00FBA309 mov eax, dword ptr fs:[00000030h] 5_2_00FBA309
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_00FBA309 mov eax, dword ptr fs:[00000030h] 5_2_00FBA309
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_00FBA309 mov eax, dword ptr fs:[00000030h] 5_2_00FBA309
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_00FBA309 mov eax, dword ptr fs:[00000030h] 5_2_00FBA309
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_00FBA309 mov eax, dword ptr fs:[00000030h] 5_2_00FBA309
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_00FBA309 mov eax, dword ptr fs:[00000030h] 5_2_00FBA309
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_00FBA309 mov eax, dword ptr fs:[00000030h] 5_2_00FBA309
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_00FBA309 mov eax, dword ptr fs:[00000030h] 5_2_00FBA309
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_00FBA309 mov eax, dword ptr fs:[00000030h] 5_2_00FBA309
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_00FBA309 mov eax, dword ptr fs:[00000030h] 5_2_00FBA309
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_00FBA309 mov eax, dword ptr fs:[00000030h] 5_2_00FBA309
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_00FBA309 mov eax, dword ptr fs:[00000030h] 5_2_00FBA309
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_00FBA309 mov eax, dword ptr fs:[00000030h] 5_2_00FBA309
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_00FBA309 mov eax, dword ptr fs:[00000030h] 5_2_00FBA309
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_00FBA309 mov eax, dword ptr fs:[00000030h] 5_2_00FBA309
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_00FBA309 mov eax, dword ptr fs:[00000030h] 5_2_00FBA309
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_00FBA309 mov eax, dword ptr fs:[00000030h] 5_2_00FBA309
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_00FBA309 mov eax, dword ptr fs:[00000030h] 5_2_00FBA309
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_00FBA309 mov eax, dword ptr fs:[00000030h] 5_2_00FBA309
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_01068D34 mov eax, dword ptr fs:[00000030h] 5_2_01068D34
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_0101A537 mov eax, dword ptr fs:[00000030h] 5_2_0101A537
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_0105E539 mov eax, dword ptr fs:[00000030h] 5_2_0105E539
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_01013540 mov eax, dword ptr fs:[00000030h] 5_2_01013540
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_01043D40 mov eax, dword ptr fs:[00000030h] 5_2_01043D40
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_00FA849B mov eax, dword ptr fs:[00000030h] 5_2_00FA849B
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_00FCAC7B mov eax, dword ptr fs:[00000030h] 5_2_00FCAC7B
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_00FCAC7B mov eax, dword ptr fs:[00000030h] 5_2_00FCAC7B
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_00FCAC7B mov eax, dword ptr fs:[00000030h] 5_2_00FCAC7B
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_00FCAC7B mov eax, dword ptr fs:[00000030h] 5_2_00FCAC7B
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_00FCAC7B mov eax, dword ptr fs:[00000030h] 5_2_00FCAC7B
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_00FCAC7B mov eax, dword ptr fs:[00000030h] 5_2_00FCAC7B
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_00FCAC7B mov eax, dword ptr fs:[00000030h] 5_2_00FCAC7B
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_00FCAC7B mov eax, dword ptr fs:[00000030h] 5_2_00FCAC7B
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_00FCAC7B mov eax, dword ptr fs:[00000030h] 5_2_00FCAC7B
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_00FCAC7B mov eax, dword ptr fs:[00000030h] 5_2_00FCAC7B
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_00FCAC7B mov eax, dword ptr fs:[00000030h] 5_2_00FCAC7B
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_01052D82 mov eax, dword ptr fs:[00000030h] 5_2_01052D82
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_01052D82 mov eax, dword ptr fs:[00000030h] 5_2_01052D82
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_01052D82 mov eax, dword ptr fs:[00000030h] 5_2_01052D82
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_01052D82 mov eax, dword ptr fs:[00000030h] 5_2_01052D82
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_01052D82 mov eax, dword ptr fs:[00000030h] 5_2_01052D82
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_01052D82 mov eax, dword ptr fs:[00000030h] 5_2_01052D82
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_01052D82 mov eax, dword ptr fs:[00000030h] 5_2_01052D82
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_00FBB477 mov eax, dword ptr fs:[00000030h] 5_2_00FBB477
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_00FBB477 mov eax, dword ptr fs:[00000030h] 5_2_00FBB477
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_00FBB477 mov eax, dword ptr fs:[00000030h] 5_2_00FBB477
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_00FBB477 mov eax, dword ptr fs:[00000030h] 5_2_00FBB477
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_00FBB477 mov eax, dword ptr fs:[00000030h] 5_2_00FBB477
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_00FBB477 mov eax, dword ptr fs:[00000030h] 5_2_00FBB477
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_00FBB477 mov eax, dword ptr fs:[00000030h] 5_2_00FBB477
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_00FBB477 mov eax, dword ptr fs:[00000030h] 5_2_00FBB477
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_00FBB477 mov eax, dword ptr fs:[00000030h] 5_2_00FBB477
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_00FBB477 mov eax, dword ptr fs:[00000030h] 5_2_00FBB477
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_00FBB477 mov eax, dword ptr fs:[00000030h] 5_2_00FBB477
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_00FBB477 mov eax, dword ptr fs:[00000030h] 5_2_00FBB477
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_00FB746D mov eax, dword ptr fs:[00000030h] 5_2_00FB746D
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_010605AC mov eax, dword ptr fs:[00000030h] 5_2_010605AC
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_010605AC mov eax, dword ptr fs:[00000030h] 5_2_010605AC
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_00FCA44B mov eax, dword ptr fs:[00000030h] 5_2_00FCA44B
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_00FC3C3E mov eax, dword ptr fs:[00000030h] 5_2_00FC3C3E
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_00FC3C3E mov eax, dword ptr fs:[00000030h] 5_2_00FC3C3E
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_00FC3C3E mov eax, dword ptr fs:[00000030h] 5_2_00FC3C3E
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_01016DC9 mov eax, dword ptr fs:[00000030h] 5_2_01016DC9
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_01016DC9 mov eax, dword ptr fs:[00000030h] 5_2_01016DC9
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_01016DC9 mov eax, dword ptr fs:[00000030h] 5_2_01016DC9
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_01016DC9 mov ecx, dword ptr fs:[00000030h] 5_2_01016DC9
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_01016DC9 mov eax, dword ptr fs:[00000030h] 5_2_01016DC9
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_01016DC9 mov eax, dword ptr fs:[00000030h] 5_2_01016DC9
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_00FCBC2C mov eax, dword ptr fs:[00000030h] 5_2_00FCBC2C
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_0105FDE2 mov eax, dword ptr fs:[00000030h] 5_2_0105FDE2
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_0105FDE2 mov eax, dword ptr fs:[00000030h] 5_2_0105FDE2
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_0105FDE2 mov eax, dword ptr fs:[00000030h] 5_2_0105FDE2
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_0105FDE2 mov eax, dword ptr fs:[00000030h] 5_2_0105FDE2
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_01048DF1 mov eax, dword ptr fs:[00000030h] 5_2_01048DF1
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_01051C06 mov eax, dword ptr fs:[00000030h] 5_2_01051C06
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_01051C06 mov eax, dword ptr fs:[00000030h] 5_2_01051C06
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_01051C06 mov eax, dword ptr fs:[00000030h] 5_2_01051C06
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_01051C06 mov eax, dword ptr fs:[00000030h] 5_2_01051C06
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_01051C06 mov eax, dword ptr fs:[00000030h] 5_2_01051C06
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_01051C06 mov eax, dword ptr fs:[00000030h] 5_2_01051C06
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_01051C06 mov eax, dword ptr fs:[00000030h] 5_2_01051C06
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_01051C06 mov eax, dword ptr fs:[00000030h] 5_2_01051C06
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_01051C06 mov eax, dword ptr fs:[00000030h] 5_2_01051C06
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_01051C06 mov eax, dword ptr fs:[00000030h] 5_2_01051C06
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_01051C06 mov eax, dword ptr fs:[00000030h] 5_2_01051C06
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_01051C06 mov eax, dword ptr fs:[00000030h] 5_2_01051C06
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_01051C06 mov eax, dword ptr fs:[00000030h] 5_2_01051C06
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_01051C06 mov eax, dword ptr fs:[00000030h] 5_2_01051C06
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_0106740D mov eax, dword ptr fs:[00000030h] 5_2_0106740D
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_0106740D mov eax, dword ptr fs:[00000030h] 5_2_0106740D
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_0106740D mov eax, dword ptr fs:[00000030h] 5_2_0106740D
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_01016C0A mov eax, dword ptr fs:[00000030h] 5_2_01016C0A
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_01016C0A mov eax, dword ptr fs:[00000030h] 5_2_01016C0A
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_01016C0A mov eax, dword ptr fs:[00000030h] 5_2_01016C0A
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_01016C0A mov eax, dword ptr fs:[00000030h] 5_2_01016C0A
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_00FAD5E0 mov eax, dword ptr fs:[00000030h] 5_2_00FAD5E0
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_00FAD5E0 mov eax, dword ptr fs:[00000030h] 5_2_00FAD5E0
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_00FC1DB5 mov eax, dword ptr fs:[00000030h] 5_2_00FC1DB5
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_00FC1DB5 mov eax, dword ptr fs:[00000030h] 5_2_00FC1DB5
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_00FC1DB5 mov eax, dword ptr fs:[00000030h] 5_2_00FC1DB5
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_0102C450 mov eax, dword ptr fs:[00000030h] 5_2_0102C450
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_0102C450 mov eax, dword ptr fs:[00000030h] 5_2_0102C450
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_00FC35A1 mov eax, dword ptr fs:[00000030h] 5_2_00FC35A1
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_00FCFD9B mov eax, dword ptr fs:[00000030h] 5_2_00FCFD9B
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_00FCFD9B mov eax, dword ptr fs:[00000030h] 5_2_00FCFD9B
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_00F92D8A mov eax, dword ptr fs:[00000030h] 5_2_00F92D8A
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_00F92D8A mov eax, dword ptr fs:[00000030h] 5_2_00F92D8A
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_00F92D8A mov eax, dword ptr fs:[00000030h] 5_2_00F92D8A
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_00F92D8A mov eax, dword ptr fs:[00000030h] 5_2_00F92D8A
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_00F92D8A mov eax, dword ptr fs:[00000030h] 5_2_00F92D8A
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_00FC2581 mov eax, dword ptr fs:[00000030h] 5_2_00FC2581
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_00FC2581 mov eax, dword ptr fs:[00000030h] 5_2_00FC2581
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_00FC2581 mov eax, dword ptr fs:[00000030h] 5_2_00FC2581
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_00FC2581 mov eax, dword ptr fs:[00000030h] 5_2_00FC2581
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_00FBC577 mov eax, dword ptr fs:[00000030h] 5_2_00FBC577
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_00FBC577 mov eax, dword ptr fs:[00000030h] 5_2_00FBC577
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_00FB8D76 mov eax, dword ptr fs:[00000030h] 5_2_00FB8D76
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_00FB8D76 mov eax, dword ptr fs:[00000030h] 5_2_00FB8D76
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_00FB8D76 mov eax, dword ptr fs:[00000030h] 5_2_00FB8D76
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_00FB8D76 mov eax, dword ptr fs:[00000030h] 5_2_00FB8D76
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_00FB8D76 mov eax, dword ptr fs:[00000030h] 5_2_00FB8D76
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_01054496 mov eax, dword ptr fs:[00000030h] 5_2_01054496
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_01054496 mov eax, dword ptr fs:[00000030h] 5_2_01054496
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_01054496 mov eax, dword ptr fs:[00000030h] 5_2_01054496
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_01054496 mov eax, dword ptr fs:[00000030h] 5_2_01054496
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_01054496 mov eax, dword ptr fs:[00000030h] 5_2_01054496
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_01054496 mov eax, dword ptr fs:[00000030h] 5_2_01054496
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_01054496 mov eax, dword ptr fs:[00000030h] 5_2_01054496
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_01054496 mov eax, dword ptr fs:[00000030h] 5_2_01054496
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_01054496 mov eax, dword ptr fs:[00000030h] 5_2_01054496
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_01054496 mov eax, dword ptr fs:[00000030h] 5_2_01054496
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_01054496 mov eax, dword ptr fs:[00000030h] 5_2_01054496
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_01054496 mov eax, dword ptr fs:[00000030h] 5_2_01054496
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_01054496 mov eax, dword ptr fs:[00000030h] 5_2_01054496
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_00FB7D50 mov eax, dword ptr fs:[00000030h] 5_2_00FB7D50
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_00FD3D43 mov eax, dword ptr fs:[00000030h] 5_2_00FD3D43
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_00FC4D3B mov eax, dword ptr fs:[00000030h] 5_2_00FC4D3B
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_00FC4D3B mov eax, dword ptr fs:[00000030h] 5_2_00FC4D3B
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_00FC4D3B mov eax, dword ptr fs:[00000030h] 5_2_00FC4D3B
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_00F9AD30 mov eax, dword ptr fs:[00000030h] 5_2_00F9AD30
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_00FA3D34 mov eax, dword ptr fs:[00000030h] 5_2_00FA3D34
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_00FA3D34 mov eax, dword ptr fs:[00000030h] 5_2_00FA3D34
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_00FA3D34 mov eax, dword ptr fs:[00000030h] 5_2_00FA3D34
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_00FA3D34 mov eax, dword ptr fs:[00000030h] 5_2_00FA3D34
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_00FA3D34 mov eax, dword ptr fs:[00000030h] 5_2_00FA3D34
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_00FA3D34 mov eax, dword ptr fs:[00000030h] 5_2_00FA3D34
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_00FA3D34 mov eax, dword ptr fs:[00000030h] 5_2_00FA3D34
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_00FA3D34 mov eax, dword ptr fs:[00000030h] 5_2_00FA3D34
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_00FA3D34 mov eax, dword ptr fs:[00000030h] 5_2_00FA3D34
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_00FA3D34 mov eax, dword ptr fs:[00000030h] 5_2_00FA3D34
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_00FA3D34 mov eax, dword ptr fs:[00000030h] 5_2_00FA3D34
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_00FA3D34 mov eax, dword ptr fs:[00000030h] 5_2_00FA3D34
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_00FA3D34 mov eax, dword ptr fs:[00000030h] 5_2_00FA3D34
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_01068CD6 mov eax, dword ptr fs:[00000030h] 5_2_01068CD6
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_00FCF527 mov eax, dword ptr fs:[00000030h] 5_2_00FCF527
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_00FCF527 mov eax, dword ptr fs:[00000030h] 5_2_00FCF527
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_00FCF527 mov eax, dword ptr fs:[00000030h] 5_2_00FCF527
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_01016CF0 mov eax, dword ptr fs:[00000030h] 5_2_01016CF0
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_01016CF0 mov eax, dword ptr fs:[00000030h] 5_2_01016CF0
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_01016CF0 mov eax, dword ptr fs:[00000030h] 5_2_01016CF0
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_010514FB mov eax, dword ptr fs:[00000030h] 5_2_010514FB
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_0106070D mov eax, dword ptr fs:[00000030h] 5_2_0106070D
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_0106070D mov eax, dword ptr fs:[00000030h] 5_2_0106070D
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_0102FF10 mov eax, dword ptr fs:[00000030h] 5_2_0102FF10
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_0102FF10 mov eax, dword ptr fs:[00000030h] 5_2_0102FF10
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_00FA76E2 mov eax, dword ptr fs:[00000030h] 5_2_00FA76E2
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_00FC16E0 mov ecx, dword ptr fs:[00000030h] 5_2_00FC16E0
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_00FC36CC mov eax, dword ptr fs:[00000030h] 5_2_00FC36CC
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_00FD8EC7 mov eax, dword ptr fs:[00000030h] 5_2_00FD8EC7
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_01051751 mov eax, dword ptr fs:[00000030h] 5_2_01051751
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_01068F6A mov eax, dword ptr fs:[00000030h] 5_2_01068F6A
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_00FBAE73 mov eax, dword ptr fs:[00000030h] 5_2_00FBAE73
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_00FBAE73 mov eax, dword ptr fs:[00000030h] 5_2_00FBAE73
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_00FBAE73 mov eax, dword ptr fs:[00000030h] 5_2_00FBAE73
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_00FBAE73 mov eax, dword ptr fs:[00000030h] 5_2_00FBAE73
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_00FBAE73 mov eax, dword ptr fs:[00000030h] 5_2_00FBAE73
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_01017794 mov eax, dword ptr fs:[00000030h] 5_2_01017794
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_01017794 mov eax, dword ptr fs:[00000030h] 5_2_01017794
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_01017794 mov eax, dword ptr fs:[00000030h] 5_2_01017794
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_00FA766D mov eax, dword ptr fs:[00000030h] 5_2_00FA766D
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_00FA7E41 mov eax, dword ptr fs:[00000030h] 5_2_00FA7E41
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_00FA7E41 mov eax, dword ptr fs:[00000030h] 5_2_00FA7E41
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_00FA7E41 mov eax, dword ptr fs:[00000030h] 5_2_00FA7E41
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_00FA7E41 mov eax, dword ptr fs:[00000030h] 5_2_00FA7E41
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_00FA7E41 mov eax, dword ptr fs:[00000030h] 5_2_00FA7E41
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_00FA7E41 mov eax, dword ptr fs:[00000030h] 5_2_00FA7E41
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_00F9E620 mov eax, dword ptr fs:[00000030h] 5_2_00F9E620
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_00FCA61C mov eax, dword ptr fs:[00000030h] 5_2_00FCA61C
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_00FCA61C mov eax, dword ptr fs:[00000030h] 5_2_00FCA61C
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_00F9C600 mov eax, dword ptr fs:[00000030h] 5_2_00F9C600
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_00F9C600 mov eax, dword ptr fs:[00000030h] 5_2_00F9C600
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_00F9C600 mov eax, dword ptr fs:[00000030h] 5_2_00F9C600
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_00FB5600 mov eax, dword ptr fs:[00000030h] 5_2_00FB5600
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_00FB5600 mov eax, dword ptr fs:[00000030h] 5_2_00FB5600
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_00FB5600 mov eax, dword ptr fs:[00000030h] 5_2_00FB5600
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_00FB5600 mov eax, dword ptr fs:[00000030h] 5_2_00FB5600
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_00FB5600 mov ecx, dword ptr fs:[00000030h] 5_2_00FB5600
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_00FB5600 mov ecx, dword ptr fs:[00000030h] 5_2_00FB5600
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_00FB5600 mov eax, dword ptr fs:[00000030h] 5_2_00FB5600
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_00FB5600 mov ecx, dword ptr fs:[00000030h] 5_2_00FB5600
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_00FB5600 mov ecx, dword ptr fs:[00000030h] 5_2_00FB5600
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_00FB5600 mov eax, dword ptr fs:[00000030h] 5_2_00FB5600
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_00FB5600 mov eax, dword ptr fs:[00000030h] 5_2_00FB5600
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_00FB5600 mov eax, dword ptr fs:[00000030h] 5_2_00FB5600
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_00FB5600 mov eax, dword ptr fs:[00000030h] 5_2_00FB5600
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_00FB5600 mov eax, dword ptr fs:[00000030h] 5_2_00FB5600
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_00FB5600 mov eax, dword ptr fs:[00000030h] 5_2_00FB5600
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_00FB5600 mov eax, dword ptr fs:[00000030h] 5_2_00FB5600
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_00FB5600 mov eax, dword ptr fs:[00000030h] 5_2_00FB5600
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_00FB5600 mov eax, dword ptr fs:[00000030h] 5_2_00FB5600
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_00FB5600 mov eax, dword ptr fs:[00000030h] 5_2_00FB5600
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_00FC8E00 mov eax, dword ptr fs:[00000030h] 5_2_00FC8E00
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_00FD37F5 mov eax, dword ptr fs:[00000030h] 5_2_00FD37F5
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_01051608 mov eax, dword ptr fs:[00000030h] 5_2_01051608
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_0104FE3F mov eax, dword ptr fs:[00000030h] 5_2_0104FE3F
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_0105AE44 mov eax, dword ptr fs:[00000030h] 5_2_0105AE44
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_0105AE44 mov eax, dword ptr fs:[00000030h] 5_2_0105AE44
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_00FA8794 mov eax, dword ptr fs:[00000030h] 5_2_00FA8794
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_0102FE87 mov eax, dword ptr fs:[00000030h] 5_2_0102FE87
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_00FAFF60 mov eax, dword ptr fs:[00000030h] 5_2_00FAFF60
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_01060EA5 mov eax, dword ptr fs:[00000030h] 5_2_01060EA5
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_01060EA5 mov eax, dword ptr fs:[00000030h] 5_2_01060EA5
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_01060EA5 mov eax, dword ptr fs:[00000030h] 5_2_01060EA5
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_010146A7 mov eax, dword ptr fs:[00000030h] 5_2_010146A7
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_00FAEF40 mov eax, dword ptr fs:[00000030h] 5_2_00FAEF40
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_0104FEC0 mov eax, dword ptr fs:[00000030h] 5_2_0104FEC0
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_00FBB73D mov eax, dword ptr fs:[00000030h] 5_2_00FBB73D
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_00FBB73D mov eax, dword ptr fs:[00000030h] 5_2_00FBB73D
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_00FCE730 mov eax, dword ptr fs:[00000030h] 5_2_00FCE730
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_00FC3F33 mov eax, dword ptr fs:[00000030h] 5_2_00FC3F33
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_01068ED6 mov eax, dword ptr fs:[00000030h] 5_2_01068ED6
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_00F94F2E mov eax, dword ptr fs:[00000030h] 5_2_00F94F2E
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_00F94F2E mov eax, dword ptr fs:[00000030h] 5_2_00F94F2E
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_00FC4710 mov eax, dword ptr fs:[00000030h] 5_2_00FC4710
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_00FBF716 mov eax, dword ptr fs:[00000030h] 5_2_00FBF716
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_00FCA70E mov eax, dword ptr fs:[00000030h] 5_2_00FCA70E
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_00FCA70E mov eax, dword ptr fs:[00000030h] 5_2_00FCA70E
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\svchost.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Code function: 5_2_00FD98F0 NtReadVirtualMemory,LdrInitializeThunk, 5_2_00FD98F0
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Memory allocated: page read and write | page guard
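The long run of `mov eax, dword ptr fs:[00000030h]` hits above is the sandbox's static signal for direct PEB access: in a 32-bit process (a WOW64 process included) FS:[0x30] holds the PEB pointer and FS:[0x18] the TEB self-pointer, and code that fetches them by hand instead of through an API is usually about to test PEB.BeingDebugged or PEB.NtGlobalFlag. The DebugPort query and the PAGE_GUARD allocation recorded just above belong to the same family of checks. All of the hits sit in one region (0x00F9xxxx to 0x0106xxxx) well away from the 0x400000 image base, i.e. in the unpacked native stage rather than the .NET wrapper. A PEB read on its own is not conclusive, since the C runtime and heap code read the PEB too, so the practical check is what the function does with the pointer next. The scanner below is an added example, not part of the report or of the sandbox: it finds the two common encodings of the FS read and classifies each hit by the field accessed immediately afterwards. The byte string it runs on is constructed for the example; the 0x00F90000 base, the 12-byte look-ahead window and the set of follow-up instruction forms are the example's own choices.

```python
"""Static scan for TEB/PEB reads through FS in 32-bit x86 code.

Added example, not part of the sandbox report.  It reproduces the heuristic
behind the "mov eax, dword ptr fs:[00000030h]" hits above and, after each hit,
looks at the following bytes for the field the code is after, so an
anti-debug check can be told apart from a benign PEB read.

Assumed 32-bit Windows user-mode layout (also valid inside WOW64 processes):
  FS:[0x18] -> TEB self pointer     TEB+0x30 -> PEB pointer
  FS:[0x30] -> PEB pointer          PEB+0x02 -> BeingDebugged (BYTE)
                                    PEB+0x68 -> NtGlobalFlag  (DWORD)
"""

FS_PREFIX = 0x64
REG32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]

# (FS offset that was read, disp8 used afterwards) -> field name
FIELD_BY_ACCESS = {
    (0x30, 0x02): "PEB.BeingDebugged",
    (0x30, 0x68): "PEB.NtGlobalFlag",
    (0x18, 0x30): "TEB.ProcessEnvironmentBlock",
}


def _field_followup(code, start, fs_off, base_reg, window=12):
    """Heuristic: in the `window` bytes after the FS read, find the first
    [base_reg + disp8] operand (ModRM mod=01) in one of these forms and map
    the displacement to a field:
      0F B6 /r  movzx r32, byte ptr [r+d8]     8A /r    mov r8, [r+d8]
      8B /r     mov r32, [r+d8]                 80 /7 ib cmp byte ptr [r+d8], imm8
      F6 /0 ib  test byte ptr [r+d8], imm8
    ESP-based operands need a SIB byte and are not handled."""
    buf = code[start:start + window]
    for j in range(len(buf) - 2):
        if buf[j] == 0x0F and buf[j + 1] == 0xB6 and j + 3 < len(buf):
            modrm, disp = buf[j + 2], buf[j + 3]
        elif buf[j] in (0x8A, 0x8B, 0x80, 0xF6):
            modrm, disp = buf[j + 1], buf[j + 2]
        else:
            continue
        if (modrm >> 6) == 1 and (modrm & 7) == base_reg:
            return FIELD_BY_ACCESS.get((fs_off, disp))
    return None


def scan_fs_reads(code, base=0):
    """One record per `mov r32, dword ptr fs:[0x18|0x30]`.  Two encodings:
      64 A1 <disp32>          mov eax, fs:[disp32]   (moffs form, EAX only)
      64 8B <modrm> <disp32>  mov r32, fs:[disp32]   (ModRM mod=00, r/m=101)"""
    hits, i, n = [], 0, len(code)
    while i + 1 < n:
        if code[i] != FS_PREFIX:
            i += 1
            continue
        op, reg, length = code[i + 1], None, 0
        if op == 0xA1 and i + 6 <= n:
            reg, disp_at, length = 0, i + 2, 6
        elif op == 0x8B and i + 7 <= n and (code[i + 2] >> 6) == 0 and (code[i + 2] & 7) == 5:
            reg, disp_at, length = (code[i + 2] >> 3) & 7, i + 3, 7
        if reg is None:
            i += 1
            continue
        disp = int.from_bytes(code[disp_at:disp_at + 4], "little")
        if disp in (0x18, 0x30):
            hits.append({
                "addr": base + i,
                "reg": REG32[reg],
                "insn": f"mov {REG32[reg]}, dword ptr fs:[{disp:08X}h]",
                "field": _field_followup(code, i + length, disp, reg),
            })
        i += length
    return hits


# Constructed sample, not bytes from the analysed binary: the three FS reads a
# packer's anti-debug stub typically makes, with their follow-up field accesses.
SAMPLE_CODE = bytes.fromhex(
    "64A130000000"    # mov   eax, dword ptr fs:[30h]   ; PEB
    "0FB64002"        # movzx eax, byte ptr [eax+2]     ; PEB.BeingDebugged
    "85C0"            # test  eax, eax
    "7505"            # jne   short +5
    "648B0D30000000"  # mov   ecx, dword ptr fs:[30h]   ; PEB again, into ECX
    "8B4168"          # mov   eax, [ecx+68h]            ; PEB.NtGlobalFlag
    "A970000000"      # test  eax, 70h                  ; FLG_HEAP_* bits set under a debugger
    "64A118000000"    # mov   eax, dword ptr fs:[18h]   ; TEB
    "8B4030"          # mov   eax, [eax+30h]            ; TEB.ProcessEnvironmentBlock
    "C3"              # ret
)


def report(code=SAMPLE_CODE, base=0x00F90000):
    """Render hits in the shape of the sandbox lines above, plus the field."""
    return [f"{h['addr']:08X} {h['insn']}  ; {h['field'] or 'unclassified PEB/TEB read'}"
            for h in scan_fs_reads(code, base)]


if __name__ == "__main__":
    print("\n".join(report()))
```

A hit whose follow-up resolves to `PEB.BeingDebugged` or `PEB.NtGlobalFlag` is worth a breakpoint; an `unclassified` one is more often version or heap bookkeeping. The look-ahead is deliberately short: the stub that produced the hits above keeps the check within a few instructions, and a wider window starts matching unrelated `[reg+disp8]` operands.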

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\explorer.exe Domain query: www.nattu.info
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Section unmapped: C:\Windows\SysWOW64\svchost.exe base address: 950000
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Section loaded: unknown target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Section loaded: unknown target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Memory written: C:\Users\user\Desktop\o3pLoLD7cc.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Thread APC queued: target process: C:\Windows\explorer.exe
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Thread register set: target process: 3968
Source: C:\Windows\SysWOW64\svchost.exe Thread register set: target process: 3968
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Process created: C:\Users\user\Desktop\o3pLoLD7cc.exe C:\Users\user\Desktop\o3pLoLD7cc.exe
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Process created: C:\Users\user\Desktop\o3pLoLD7cc.exe C:\Users\user\Desktop\o3pLoLD7cc.exe
Source: C:\Windows\SysWOW64\svchost.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\o3pLoLD7cc.exe"
Source: explorer.exe, 00000006.00000000.338265777.0000000000688000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.281420988.0000000000688000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.317151720.0000000000688000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ProgmanEXE^
Source: explorer.exe, 00000006.00000000.321446052.0000000005920000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.317580119.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000006.00000000.348041590.00000000080ED000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000006.00000000.317580119.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000006.00000000.394008415.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000006.00000000.282201994.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progman
Source: explorer.exe, 00000006.00000000.317580119.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000006.00000000.394008415.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000006.00000000.282201994.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progmanlock
Source: explorer.exe, 00000006.00000000.338308814.000000000069D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.281471557.000000000069D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.393359143.000000000069D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Shell_TrayWnd4
Source: explorer.exe, 00000006.00000000.317580119.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000006.00000000.394008415.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000006.00000000.282201994.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: WProgram Manager
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Queries volume information: C:\Users\user\Desktop\o3pLoLD7cc.exe VolumeInformation
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Queries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\o3pLoLD7cc.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information

Source: Yara match File source: 5.0.o3pLoLD7cc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.o3pLoLD7cc.exe.424f558.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000005.00000000.270208888.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.507829731.0000000000900000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.508959934.0000000002960000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.506902043.00000000004A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000000.352084997.000000000D756000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000000.331404311.000000000D756000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.281181873.000000000424F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Source: Yara match File source: 5.0.o3pLoLD7cc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.o3pLoLD7cc.exe.424f558.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000005.00000000.270208888.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.507829731.0000000000900000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.508959934.0000000002960000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.506902043.00000000004A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000000.352084997.000000000D756000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000000.331404311.000000000D756000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.281181873.000000000424F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
No contacted IP infos