Windows Analysis Report
sixikmerozx.exe

Overview

General Information

Sample Name: sixikmerozx.exe
Analysis ID: 680418
MD5: 74b12614d25239ca01d1e15146b9971a
SHA1: 4be20e783a8b8202620f7d7af9536e49395ea6e4
SHA256: 76b8f5ae8f1dabd71afebd7d1ed933ae69072bb1065d330dbb46b7334efffc60
Tags: exe

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Detected unpacking (overwrites its own PE header)
Yara detected AntiVM3
Detected unpacking (changes PE section rights)
Antivirus detection for URL or domain
Sample uses process hollowing technique
Maps a DLL or memory area into another process
Uses netsh to modify the Windows network and firewall settings
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
Injects a PE file into a foreign process
Queues an APC in another process (thread injection)
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Uses 32bit PE files
Queries the volume information (name, serial number, etc.) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
Contains functionality for execution timing, often used to detect debuggers
Contains long sleeps (>= 3 min)
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Sample file name is different from the original file name gathered from version info
PE file contains strange resources
Contains functionality to read the PEB
Checks if the current process is being debugged
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

AV Detection

Source: sixikmerozx.exe Virustotal: Detection: 23%
Source: Yara match File source: 4.0.sixikmerozx.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.sixikmerozx.exe.4b16438.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000015.00000002.520124794.00000000034A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000002.519220440.0000000003390000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.301670618.0000000004B16000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000000.390288440.000000000D724000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000000.372555173.000000000D724000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.276811535.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000002.518308713.0000000002FA0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: www.sonicsmeditation.com/m6gi/ Avira URL Cloud: Label: malware
Source: sixikmerozx.exe Joe Sandbox ML: detected
Source: 4.0.sixikmerozx.exe.400000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 0.2.sixikmerozx.exe.9d0000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen2
Source: 00000015.00000002.520124794.00000000034A0000.00000004.00000800.00020000.00000000.sdmp Malware Configuration Extractor: FormBook {"C2 list": ["www.sonicsmeditation.com/m6gi/"], "decoy": ["Al84h56eBywJreCo44UJFw==", "Ki3z3ZODRoyfTtg=", "wgcCbYt4ObGAOI28FJI=", "qJXp08a+RlxCJGolm1FRgC4=", "jSKP89Q8O7cNuMXg2+L/AA==", "MaF6RuHGGVGyjsr5Brg3lBU0dGFmK68=", "eLeVf1zKukiyLl3F2/aK+STK3g==", "raaI7/DGJUdOOn0sw6DUGwIr1g==", "NpD0zH2v7mnF", "FUbJ/QxuYcNVug==", "TYlhmaynBhj8bqDW45zQQMBb", "cUy5CyWToedIsA==", "r1mwjVRTBgMg64rZ", "dM26IucWm8+yF2qkOhE5dSQ=", "ye7Px42v7mnF", "4E8+GeNce/tI/DAs/M5g1oDaoJgY", "uiEQ98sd9pUoTaw7knjT", "IuVYsZUPPuv/c6Tf6pzQQMBb", "tfb/aJGEP+lH/BRMaSq4+HnaoJgY", "2x0ld2U08m1mQI28FJI=", "aDOm89A8V+Ub0V7Z2+L/AA==", "f9k6gVK8KCZhVpI5fVSfnyY=", "RccgdDOPqTVv1CzpYjVVRkhn1YQO6Q==", "UVRJqJycH0dA9Aa9OJm9BbzaoJgY", "79lGOysam51wP428FJI=", "39+6GetiYcNVug==", "Ab0eiYgC9YvzYIn2PwsnGR5O04wm9pHU", "n83XMvqAX+9byuGM2+L/AA==", "ExsLQcxOXg2beBJ1xGzb", "dvRcPsNkYcNVug==", "vzUmCczDP9gPsPJtsoy0sq2Zh0Y=", "3/HKIe9mOt0wYJjO", "SUgNecYWYcNVug==", "3mjkOQdoYdJ2zhzL", "um3PGvpcFQRouA==", "bDap9dMrJrnMYhJ1xGzb", "H/Rhu9rCTgkY8pfIUhUhIafHC0Q=", "v/zRollKmL3SwjGkKZg=", "ezL702mv7mnF", "x4rFWFO5tlJXs+7UIur5IrrPGiTdZTvY", "fD8OWysOhLCZUvL5wHHdIk9n1YQO6Q==", "vVbPGtHtOeEwYJjO", "DM8wAZIA80TRgM+M0g==", "h/nTnTkj868U7j17ike59yRJqNTdZTvY", "I1M3M+vamVC5f76tdF6s4MWpikw=", "vQnvu1Mt2mV0aH3E", "yB1tRt+2LawfrQ==", "RZuD1tWuhQ/cyw1Uww==", "vgULYSLpXlUpEq2ebH+QFCFT", "YE26nVPJDBTLrf4xoyrM", "vzQT36EeUvdXPHt1xGzb", "XAV1yoTd6p4zKnd1xGzb", "pBPz5uBSTc8zLXh1xGzb", "5z06j52Vbe8jDYlPloje", "AvuFIcdAWu33YX91xGzb", "V1s/rKupM2NpQI28FJI=", "GFxJlJyKSO8BYnZ1xGzb", "tq4oDr8qXoNlhfT6u5o=", "F4ZiJ8IRNNPlY6HswKcVRllr1YQO6Q==", "N6QDVy6emCh1Exaf3g==", "OOU5E7UeUYhisNIXGKzQQMBb", "jfzrzpCv7mnF", "ayGUAgt9z/2Q8PqsNRE5dSQ=", "BpwJeIGv7mnF"]}

Compliance

Source: C:\Users\user\Desktop\sixikmerozx.exe Unpacked PE file: 0.2.sixikmerozx.exe.9d0000.0.unpack
Source: sixikmerozx.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: sixikmerozx.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: netsh.pdb source: sixikmerozx.exe, 00000004.00000003.434338386.0000000001211000.00000004.00000020.00020000.00000000.sdmp, sixikmerozx.exe, 00000004.00000002.441011712.0000000001213000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdbUGP source: sixikmerozx.exe, 00000004.00000003.291189709.0000000001494000.00000004.00000800.00020000.00000000.sdmp, sixikmerozx.exe, 00000004.00000002.441427893.0000000001630000.00000040.00000800.00020000.00000000.sdmp, sixikmerozx.exe, 00000004.00000003.278796648.00000000012F8000.00000004.00000800.00020000.00000000.sdmp, netsh.exe, 00000015.00000003.445473308.0000000003A1F000.00000004.00000800.00020000.00000000.sdmp, netsh.exe, 00000015.00000002.537921897.0000000003CDF000.00000040.00000800.00020000.00000000.sdmp, netsh.exe, 00000015.00000003.440306228.0000000003837000.00000004.00000800.00020000.00000000.sdmp, netsh.exe, 00000015.00000002.535423781.0000000003BC0000.00000040.00000800.00020000.00000000.sdmp
Source: Binary string: netsh.pdbGCTL source: sixikmerozx.exe, 00000004.00000003.434338386.0000000001211000.00000004.00000020.00020000.00000000.sdmp, sixikmerozx.exe, 00000004.00000002.441011712.0000000001213000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: sixikmerozx.exe, sixikmerozx.exe, 00000004.00000003.291189709.0000000001494000.00000004.00000800.00020000.00000000.sdmp, sixikmerozx.exe, 00000004.00000002.441427893.0000000001630000.00000040.00000800.00020000.00000000.sdmp, sixikmerozx.exe, 00000004.00000003.278796648.00000000012F8000.00000004.00000800.00020000.00000000.sdmp, netsh.exe, 00000015.00000003.445473308.0000000003A1F000.00000004.00000800.00020000.00000000.sdmp, netsh.exe, 00000015.00000002.537921897.0000000003CDF000.00000040.00000800.00020000.00000000.sdmp, netsh.exe, 00000015.00000003.440306228.0000000003837000.00000004.00000800.00020000.00000000.sdmp, netsh.exe, 00000015.00000002.535423781.0000000003BC0000.00000040.00000800.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\sixikmerozx.exe Code function: 4x nop then mov ecx, dword ptr [ebp-38h] 0_2_0538E308
Source: C:\Users\user\Desktop\sixikmerozx.exe Code function: 4x nop then mov ecx, dword ptr [ebp-38h] 0_2_0538C91C

Networking

Source: Malware configuration extractor URLs: www.sonicsmeditation.com/m6gi/
Source: sixikmerozx.exe, 00000000.00000002.291889881.0000000002FAC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://boards.4chan.org
Source: sixikmerozx.exe, 00000000.00000002.291889881.0000000002FAC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://boards.4chan.org/b/
Source: sixikmerozx.exe, 00000000.00000002.305679953.00000000093D2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://fontfabrik.com
Source: sixikmerozx.exe, 00000000.00000002.291889881.0000000002FAC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://images.4chan.org/
Source: sixikmerozx.exe, 00000000.00000002.305679953.00000000093D2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: sixikmerozx.exe, 00000000.00000002.305679953.00000000093D2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.carterandcone.coml
Source: sixikmerozx.exe, 00000000.00000002.305679953.00000000093D2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com
Source: sixikmerozx.exe, 00000000.00000002.305679953.00000000093D2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers
Source: sixikmerozx.exe, 00000000.00000002.305679953.00000000093D2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/?
Source: sixikmerozx.exe, 00000000.00000002.305679953.00000000093D2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: sixikmerozx.exe, 00000000.00000002.305679953.00000000093D2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: sixikmerozx.exe, 00000000.00000002.305679953.00000000093D2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers8
Source: sixikmerozx.exe, 00000000.00000002.305679953.00000000093D2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers?
Source: sixikmerozx.exe, 00000000.00000002.305679953.00000000093D2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designersG
Source: sixikmerozx.exe, 00000000.00000002.305679953.00000000093D2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fonts.com
Source: sixikmerozx.exe, 00000000.00000002.305679953.00000000093D2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn
Source: sixikmerozx.exe, 00000000.00000002.305679953.00000000093D2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: sixikmerozx.exe, 00000000.00000002.305679953.00000000093D2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: sixikmerozx.exe, 00000000.00000002.305679953.00000000093D2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: sixikmerozx.exe, 00000000.00000002.305679953.00000000093D2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: sixikmerozx.exe, 00000000.00000002.305679953.00000000093D2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.goodfont.co.kr
Source: sixikmerozx.exe, 00000000.00000002.305679953.00000000093D2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: sixikmerozx.exe, 00000000.00000002.305679953.00000000093D2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sajatypeworks.com
Source: sixikmerozx.exe, 00000000.00000002.305679953.00000000093D2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sakkal.com
Source: sixikmerozx.exe, 00000000.00000002.305679953.00000000093D2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sandoll.co.kr
Source: sixikmerozx.exe, 00000000.00000002.305679953.00000000093D2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.tiro.com
Source: sixikmerozx.exe, 00000000.00000002.305679953.00000000093D2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.typography.netD
Source: sixikmerozx.exe, 00000000.00000002.305679953.00000000093D2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.urwpp.deDPlease
Source: sixikmerozx.exe, 00000000.00000002.305679953.00000000093D2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.zhongyicts.com.cn

E-Banking Fraud

Source: Yara match File source: 4.0.sixikmerozx.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.sixikmerozx.exe.4b16438.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000015.00000002.520124794.00000000034A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000002.519220440.0000000003390000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.301670618.0000000004B16000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000000.390288440.000000000D724000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000000.372555173.000000000D724000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.276811535.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000002.518308713.0000000002FA0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

System Summary

Source: 4.0.sixikmerozx.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 4.0.sixikmerozx.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 4.0.sixikmerozx.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.sixikmerozx.exe.4b16438.8.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0.2.sixikmerozx.exe.4b16438.8.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.sixikmerozx.exe.4b16438.8.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000015.00000002.520124794.00000000034A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000015.00000002.520124794.00000000034A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000015.00000002.520124794.00000000034A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000015.00000002.519220440.0000000003390000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000015.00000002.519220440.0000000003390000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000015.00000002.519220440.0000000003390000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.301670618.0000000004B16000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000000.00000002.301670618.0000000004B16000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.301670618.0000000004B16000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000000.390288440.000000000D724000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000007.00000000.390288440.000000000D724000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000000.390288440.000000000D724000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000000.372555173.000000000D724000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000007.00000000.372555173.000000000D724000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000000.372555173.000000000D724000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000000.276811535.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000004.00000000.276811535.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000000.276811535.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000015.00000002.518308713.0000000002FA0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000015.00000002.518308713.0000000002FA0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000015.00000002.518308713.0000000002FA0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: Process Memory Space: sixikmerozx.exe PID: 1436, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: sixikmerozx.exe PID: 5360, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: netsh.exe PID: 2560, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: sixikmerozx.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 4.0.sixikmerozx.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 4.0.sixikmerozx.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 4.0.sixikmerozx.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.sixikmerozx.exe.4b16438.8.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0.2.sixikmerozx.exe.4b16438.8.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.sixikmerozx.exe.4b16438.8.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000015.00000002.520124794.00000000034A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000015.00000002.520124794.00000000034A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000015.00000002.520124794.00000000034A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000015.00000002.519220440.0000000003390000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000015.00000002.519220440.0000000003390000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000015.00000002.519220440.0000000003390000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.301670618.0000000004B16000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000000.00000002.301670618.0000000004B16000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.301670618.0000000004B16000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000000.390288440.000000000D724000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000007.00000000.390288440.000000000D724000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000000.390288440.000000000D724000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000000.372555173.000000000D724000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000007.00000000.372555173.000000000D724000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000000.372555173.000000000D724000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000000.276811535.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000004.00000000.276811535.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000000.276811535.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000015.00000002.518308713.0000000002FA0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000015.00000002.518308713.0000000002FA0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000015.00000002.518308713.0000000002FA0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: Process Memory Space: sixikmerozx.exe PID: 1436, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: sixikmerozx.exe PID: 5360, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: netsh.exe PID: 2560, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: C:\Users\user\Desktop\sixikmerozx.exe Code function: 0_2_02D8C380 0_2_02D8C380
Source: C:\Users\user\Desktop\sixikmerozx.exe Code function: 0_2_02D821D2 0_2_02D821D2
Source: C:\Users\user\Desktop\sixikmerozx.exe Code function: 0_2_02D8170A 0_2_02D8170A
Source: C:\Users\user\Desktop\sixikmerozx.exe Code function: 0_2_02D80472 0_2_02D80472
Source: C:\Users\user\Desktop\sixikmerozx.exe Code function: 0_2_02D80FC8 0_2_02D80FC8
Source: C:\Users\user\Desktop\sixikmerozx.exe Code function: 0_2_02D85230 0_2_02D85230
Source: C:\Users\user\Desktop\sixikmerozx.exe Code function: 0_2_02D85222 0_2_02D85222
Source: C:\Users\user\Desktop\sixikmerozx.exe Code function: 0_2_02D856C8 0_2_02D856C8
Source: C:\Users\user\Desktop\sixikmerozx.exe Code function: 0_2_02D856B9 0_2_02D856B9
Source: C:\Users\user\Desktop\sixikmerozx.exe Code function: 0_2_02D85450 0_2_02D85450
Source: C:\Users\user\Desktop\sixikmerozx.exe Code function: 0_2_02D85440 0_2_02D85440
Source: C:\Users\user\Desktop\sixikmerozx.exe Code function: 0_2_02D84BD0 0_2_02D84BD0
Source: C:\Users\user\Desktop\sixikmerozx.exe Code function: 0_2_02D84BE0 0_2_02D84BE0
Source: C:\Users\user\Desktop\sixikmerozx.exe Code function: 0_2_02D85880 0_2_02D85880
Source: C:\Users\user\Desktop\sixikmerozx.exe Code function: 0_2_02D849E8 0_2_02D849E8
Source: C:\Users\user\Desktop\sixikmerozx.exe Code function: 0_2_02D83E20 0_2_02D83E20
Source: C:\Users\user\Desktop\sixikmerozx.exe Code function: 0_2_02D80F08 0_2_02D80F08
Source: C:\Users\user\Desktop\sixikmerozx.exe Code function: 0_2_02D80F29 0_2_02D80F29
Source: C:\Users\user\Desktop\sixikmerozx.exe Code function: 0_2_02D81C68 0_2_02D81C68
Source: C:\Users\user\Desktop\sixikmerozx.exe Code function: 0_2_05382118 0_2_05382118
Source: C:\Users\user\Desktop\sixikmerozx.exe Code function: 0_2_05383528 0_2_05383528
Source: C:\Users\user\Desktop\sixikmerozx.exe Code function: 0_2_053897C4 0_2_053897C4
Source: C:\Users\user\Desktop\sixikmerozx.exe Code function: 0_2_05382108 0_2_05382108
Source: C:\Users\user\Desktop\sixikmerozx.exe Code function: 0_2_05380007 0_2_05380007
Source: C:\Users\user\Desktop\sixikmerozx.exe Code function: 0_2_05380040 0_2_05380040
Source: C:\Users\user\Desktop\sixikmerozx.exe Code function: 0_2_053800E2 0_2_053800E2
Source: C:\Users\user\Desktop\sixikmerozx.exe Code function: 0_2_0538035B 0_2_0538035B
Source: C:\Users\user\Desktop\sixikmerozx.exe Code function: 0_2_05382F40 0_2_05382F40
Source: C:\Users\user\Desktop\sixikmerozx.exe Code function: 0_2_0538B830 0_2_0538B830
Source: C:\Users\user\Desktop\sixikmerozx.exe Code function: 0_2_0538B820 0_2_0538B820
Source: C:\Users\user\Desktop\sixikmerozx.exe Code function: 4_2_01674120 4_2_01674120
Source: C:\Users\user\Desktop\sixikmerozx.exe Code function: 4_2_0165F900 4_2_0165F900
Source: C:\Users\user\Desktop\sixikmerozx.exe Code function: 4_2_0172E824 4_2_0172E824
Source: C:\Users\user\Desktop\sixikmerozx.exe Code function: 4_2_01711002 4_2_01711002
Source: C:\Users\user\Desktop\sixikmerozx.exe Code function: 4_2_017228EC 4_2_017228EC
Source: C:\Users\user\Desktop\sixikmerozx.exe Code function: 4_2_016820A0 4_2_016820A0
Source: C:\Users\user\Desktop\sixikmerozx.exe Code function: 4_2_017220A8 4_2_017220A8
Source: C:\Users\user\Desktop\sixikmerozx.exe Code function: 4_2_0166B090 4_2_0166B090
Source: C:\Users\user\Desktop\sixikmerozx.exe Code function: 4_2_01722B28 4_2_01722B28
Source: C:\Users\user\Desktop\sixikmerozx.exe Code function: 4_2_0171DBD2 4_2_0171DBD2
Source: C:\Users\user\Desktop\sixikmerozx.exe Code function: 4_2_017103DA 4_2_017103DA
Source: C:\Users\user\Desktop\sixikmerozx.exe Code function: 4_2_0168EBB0 4_2_0168EBB0
Source: C:\Users\user\Desktop\sixikmerozx.exe Code function: 4_2_017222AE 4_2_017222AE
Source: C:\Users\user\Desktop\sixikmerozx.exe Code function: 4_2_01721D55 4_2_01721D55
Source: C:\Users\user\Desktop\sixikmerozx.exe Code function: 4_2_01650D20 4_2_01650D20
Source: C:\Users\user\Desktop\sixikmerozx.exe Code function: 4_2_01722D07 4_2_01722D07
Source: C:\Users\user\Desktop\sixikmerozx.exe Code function: 4_2_0166D5E0 4_2_0166D5E0
Source: C:\Users\user\Desktop\sixikmerozx.exe Code function: 4_2_017225DD 4_2_017225DD
Source: C:\Users\user\Desktop\sixikmerozx.exe Code function: 4_2_01682581 4_2_01682581
Source: C:\Users\user\Desktop\sixikmerozx.exe Code function: 4_2_0171D466 4_2_0171D466
Source: C:\Users\user\Desktop\sixikmerozx.exe Code function: 4_2_0166841F 4_2_0166841F
Source: C:\Users\user\Desktop\sixikmerozx.exe Code function: 4_2_01721FF1 4_2_01721FF1
Source: C:\Users\user\Desktop\sixikmerozx.exe Code function: 4_2_0172DFCE 4_2_0172DFCE
Source: C:\Users\user\Desktop\sixikmerozx.exe Code function: 4_2_01676E30 4_2_01676E30
Source: C:\Users\user\Desktop\sixikmerozx.exe Code function: 4_2_0171D616 4_2_0171D616
Source: C:\Users\user\Desktop\sixikmerozx.exe Code function: 4_2_01722EF7 4_2_01722EF7
Source: C:\Users\user\Desktop\sixikmerozx.exe Code function: String function: 0165B150 appears 39 times
Source: C:\Users\user\Desktop\sixikmerozx.exe Code function: 4_2_01699910 NtAdjustPrivilegesToken,LdrInitializeThunk, 4_2_01699910
Source: C:\Users\user\Desktop\sixikmerozx.exe Code function: 4_2_016999A0 NtCreateSection,LdrInitializeThunk, 4_2_016999A0
Source: C:\Users\user\Desktop\sixikmerozx.exe Code function: 4_2_01699860 NtQuerySystemInformation,LdrInitializeThunk, 4_2_01699860
Source: C:\Users\user\Desktop\sixikmerozx.exe Code function: 4_2_01699840 NtDelayExecution,LdrInitializeThunk, 4_2_01699840
Source: C:\Users\user\Desktop\sixikmerozx.exe Code function: 4_2_016998F0 NtReadVirtualMemory,LdrInitializeThunk, 4_2_016998F0
Source: C:\Users\user\Desktop\sixikmerozx.exe Code function: 4_2_01699A50 NtCreateFile,LdrInitializeThunk, 4_2_01699A50
Source: C:\Users\user\Desktop\sixikmerozx.exe Code function: 4_2_01699A20 NtResumeThread,LdrInitializeThunk, 4_2_01699A20
Source: C:\Users\user\Desktop\sixikmerozx.exe Code function: 4_2_01699A00 NtProtectVirtualMemory,LdrInitializeThunk, 4_2_01699A00
Source: C:\Users\user\Desktop\sixikmerozx.exe Code function: 4_2_01699540 NtReadFile,LdrInitializeThunk, 4_2_01699540
Source: C:\Users\user\Desktop\sixikmerozx.exe Code function: 4_2_016995D0 NtClose,LdrInitializeThunk, 4_2_016995D0
Source: C:\Users\user\Desktop\sixikmerozx.exe Code function: 4_2_01699710 NtQueryInformationToken,LdrInitializeThunk, 4_2_01699710
Source: C:\Users\user\Desktop\sixikmerozx.exe Code function: 4_2_01699FE0 NtCreateMutant,LdrInitializeThunk, 4_2_01699FE0
Source: C:\Users\user\Desktop\sixikmerozx.exe Code function: 4_2_016997A0 NtUnmapViewOfSection,LdrInitializeThunk, 4_2_016997A0
Source: C:\Users\user\Desktop\sixikmerozx.exe Code function: 4_2_01699780 NtMapViewOfSection,LdrInitializeThunk, 4_2_01699780
Source: C:\Users\user\Desktop\sixikmerozx.exe Code function: 4_2_01699660 NtAllocateVirtualMemory,LdrInitializeThunk, 4_2_01699660
Source: C:\Users\user\Desktop\sixikmerozx.exe Code function: 4_2_016996E0 NtFreeVirtualMemory,LdrInitializeThunk, 4_2_016996E0
Source: C:\Users\user\Desktop\sixikmerozx.exe Code function: 4_2_01699950 NtQueueApcThread, 4_2_01699950
Source: C:\Users\user\Desktop\sixikmerozx.exe Code function: 4_2_016999D0 NtCreateProcessEx, 4_2_016999D0
Source: C:\Users\user\Desktop\sixikmerozx.exe Code function: 4_2_0169B040 NtSuspendThread, 4_2_0169B040
Source: C:\Users\user\Desktop\sixikmerozx.exe Code function: 4_2_01699820 NtEnumerateKey, 4_2_01699820
Source: C:\Users\user\Desktop\sixikmerozx.exe Code function: 4_2_016998A0 NtWriteVirtualMemory, 4_2_016998A0
Source: C:\Users\user\Desktop\sixikmerozx.exe Code function: 4_2_01699B00 NtSetValueKey, 4_2_01699B00
Source: C:\Users\user\Desktop\sixikmerozx.exe Code function: 4_2_0169A3B0 NtGetContextThread, 4_2_0169A3B0
Source: C:\Users\user\Desktop\sixikmerozx.exe Code function: 4_2_01699A10 NtQuerySection, 4_2_01699A10
Source: C:\Users\user\Desktop\sixikmerozx.exe Code function: 4_2_01699A80 NtOpenDirectoryObject, 4_2_01699A80
Source: C:\Users\user\Desktop\sixikmerozx.exe Code function: 4_2_01699560 NtWriteFile, 4_2_01699560
Source: C:\Users\user\Desktop\sixikmerozx.exe Code function: 4_2_01699520 NtWaitForSingleObject, 4_2_01699520
Source: C:\Users\user\Desktop\sixikmerozx.exe Code function: 4_2_0169AD30 NtSetContextThread, 4_2_0169AD30
Source: C:\Users\user\Desktop\sixikmerozx.exe Code function: 4_2_016995F0 NtQueryInformationFile, 4_2_016995F0
Source: C:\Users\user\Desktop\sixikmerozx.exe Code function: 4_2_01699760 NtOpenProcess, 4_2_01699760
Source: C:\Users\user\Desktop\sixikmerozx.exe Code function: 4_2_0169A770 NtOpenThread, 4_2_0169A770
Source: C:\Users\user\Desktop\sixikmerozx.exe Code function: 4_2_01699770 NtSetInformationFile, 4_2_01699770
Source: C:\Users\user\Desktop\sixikmerozx.exe Code function: 4_2_01699730 NtQueryVirtualMemory, 4_2_01699730
Source: C:\Users\user\Desktop\sixikmerozx.exe Code function: 4_2_0169A710 NtOpenProcessToken, 4_2_0169A710
Source: C:\Users\user\Desktop\sixikmerozx.exe Code function: 4_2_01699670 NtQueryInformationProcess, 4_2_01699670
Source: C:\Users\user\Desktop\sixikmerozx.exe Code function: 4_2_01699650 NtQueryValueKey, 4_2_01699650
Source: C:\Users\user\Desktop\sixikmerozx.exe Code function: 4_2_01699610 NtEnumerateValueKey, 4_2_01699610
Source: C:\Users\user\Desktop\sixikmerozx.exe Code function: 4_2_016996D0 NtCreateKey, 4_2_016996D0
Source: sixikmerozx.exe, 00000000.00000003.269005802.0000000009965000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameKeysNormalize.dll4 vs sixikmerozx.exe
Source: sixikmerozx.exe, 00000000.00000000.250657423.0000000000B33000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameSByteArrayTypeI.exe: vs sixikmerozx.exe
Source: sixikmerozx.exe, 00000000.00000002.291889881.0000000002FAC000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameWebName.dll4 vs sixikmerozx.exe
Source: sixikmerozx.exe, 00000000.00000002.309975499.0000000009AF0000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameWebName.dll4 vs sixikmerozx.exe
Source: sixikmerozx.exe, 00000000.00000002.309852930.0000000009AD0000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameKeysNormalize.dll4 vs sixikmerozx.exe
Source: sixikmerozx.exe, 00000000.00000002.310647914.0000000009D30000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameDoncepre.dll@ vs sixikmerozx.exe
Source: sixikmerozx.exe, 00000000.00000002.296671497.00000000047A5000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameKeysNormalize.dll4 vs sixikmerozx.exe
Source: sixikmerozx.exe, 00000000.00000002.296671497.00000000047A5000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameDoncepre.dll@ vs sixikmerozx.exe
Source: sixikmerozx.exe, 00000004.00000003.292600493.00000000015B3000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs sixikmerozx.exe
Source: sixikmerozx.exe, 00000004.00000002.448884300.000000000174F000.00000040.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs sixikmerozx.exe
Source: sixikmerozx.exe, 00000004.00000003.289072567.000000000140E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs sixikmerozx.exe
Source: sixikmerozx.exe, 00000004.00000003.434338386.0000000001211000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamenetsh.exej% vs sixikmerozx.exe
Source: sixikmerozx.exe, 00000004.00000003.434429695.000000000122F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamenetsh.exej% vs sixikmerozx.exe
Source: sixikmerozx.exe Binary or memory string: OriginalFilenameSByteArrayTypeI.exe: vs sixikmerozx.exe
Source: sixikmerozx.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: sixikmerozx.exe Virustotal: Detection: 23%
Source: sixikmerozx.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\sixikmerozx.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\sixikmerozx.exe "C:\Users\user\Desktop\sixikmerozx.exe"
Source: C:\Users\user\Desktop\sixikmerozx.exe Process created: C:\Users\user\Desktop\sixikmerozx.exe C:\Users\user\Desktop\sixikmerozx.exe
Source: C:\Users\user\Desktop\sixikmerozx.exe Process created: C:\Windows\SysWOW64\netsh.exe C:\Windows\SysWOW64\netsh.exe
Source: C:\Users\user\Desktop\sixikmerozx.exe Process created: C:\Users\user\Desktop\sixikmerozx.exe C:\Users\user\Desktop\sixikmerozx.exe Jump to behavior
Source: C:\Users\user\Desktop\sixikmerozx.exe Process created: C:\Windows\SysWOW64\netsh.exe C:\Windows\SysWOW64\netsh.exe Jump to behavior
Source: C:\Windows\explorer.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6db7cd52-e3b7-4ecc-bb1f-388aeef6bb50}\InProcServer32 Jump to behavior
Source: C:\Users\user\Desktop\sixikmerozx.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\sixikmerozx.exe.log Jump to behavior
Source: classification engine Classification label: mal100.troj.evad.winEXE@5/1@0/0
Source: sixikmerozx.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
Source: C:\Users\user\Desktop\sixikmerozx.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll Jump to behavior
Source: C:\Users\user\Desktop\sixikmerozx.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll Jump to behavior
Source: sixikmerozx.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: sixikmerozx.exe Static file information: File size 1479168 > 1048576
Source: sixikmerozx.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: sixikmerozx.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x15b800
Source: sixikmerozx.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: netsh.pdb source: sixikmerozx.exe, 00000004.00000003.434338386.0000000001211000.00000004.00000020.00020000.00000000.sdmp, sixikmerozx.exe, 00000004.00000002.441011712.0000000001213000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdbUGP source: sixikmerozx.exe, 00000004.00000003.291189709.0000000001494000.00000004.00000800.00020000.00000000.sdmp, sixikmerozx.exe, 00000004.00000002.441427893.0000000001630000.00000040.00000800.00020000.00000000.sdmp, sixikmerozx.exe, 00000004.00000003.278796648.00000000012F8000.00000004.00000800.00020000.00000000.sdmp, netsh.exe, 00000015.00000003.445473308.0000000003A1F000.00000004.00000800.00020000.00000000.sdmp, netsh.exe, 00000015.00000002.537921897.0000000003CDF000.00000040.00000800.00020000.00000000.sdmp, netsh.exe, 00000015.00000003.440306228.0000000003837000.00000004.00000800.00020000.00000000.sdmp, netsh.exe, 00000015.00000002.535423781.0000000003BC0000.00000040.00000800.00020000.00000000.sdmp
Source: Binary string: netsh.pdbGCTL source: sixikmerozx.exe, 00000004.00000003.434338386.0000000001211000.00000004.00000020.00020000.00000000.sdmp, sixikmerozx.exe, 00000004.00000002.441011712.0000000001213000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: sixikmerozx.exe, sixikmerozx.exe, 00000004.00000003.291189709.0000000001494000.00000004.00000800.00020000.00000000.sdmp, sixikmerozx.exe, 00000004.00000002.441427893.0000000001630000.00000040.00000800.00020000.00000000.sdmp, sixikmerozx.exe, 00000004.00000003.278796648.00000000012F8000.00000004.00000800.00020000.00000000.sdmp, netsh.exe, 00000015.00000003.445473308.0000000003A1F000.00000004.00000800.00020000.00000000.sdmp, netsh.exe, 00000015.00000002.537921897.0000000003CDF000.00000040.00000800.00020000.00000000.sdmp, netsh.exe, 00000015.00000003.440306228.0000000003837000.00000004.00000800.00020000.00000000.sdmp, netsh.exe, 00000015.00000002.535423781.0000000003BC0000.00000040.00000800.00020000.00000000.sdmp
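The NtCreateSection / NtMapViewOfSection / NtUnmapViewOfSection / NtWriteVirtualMemory / NtSetContextThread / NtResumeThread / NtQueueApcThread entries listed above are the primitives behind the "process hollowing", "maps a DLL or memory area into another process" and "queues an APC in another process" signatures in the overview. The following Python script is an added triage example, not code from the Joe Sandbox report or its engine: it parses report lines of that shape, collects the Nt*/Zw* names per code function and checks them against indicator sets for three injection techniques. The grouping into techniques is this example's own heuristic (not the sandbox's signature logic) and the sample lines are copied from this report's findings.

```python
import re

# Constructed sample input: a few "Code function" lines copied from the report's
# native-API findings, plus one entry with no API name (the common case).
SAMPLE_LINES = r"""
Source: C:\Users\user\Desktop\sixikmerozx.exe Code function: 4_2_016999A0 NtCreateSection,LdrInitializeThunk, 4_2_016999A0
Source: C:\Users\user\Desktop\sixikmerozx.exe Code function: 4_2_016997A0 NtUnmapViewOfSection,LdrInitializeThunk, 4_2_016997A0
Source: C:\Users\user\Desktop\sixikmerozx.exe Code function: 4_2_01699780 NtMapViewOfSection,LdrInitializeThunk, 4_2_01699780
Source: C:\Users\user\Desktop\sixikmerozx.exe Code function: 4_2_016998A0 NtWriteVirtualMemory, 4_2_016998A0
Source: C:\Users\user\Desktop\sixikmerozx.exe Code function: 4_2_0169AD30 NtSetContextThread, 4_2_0169AD30
Source: C:\Users\user\Desktop\sixikmerozx.exe Code function: 4_2_01699A20 NtResumeThread,LdrInitializeThunk, 4_2_01699A20
Source: C:\Users\user\Desktop\sixikmerozx.exe Code function: 4_2_01699950 NtQueueApcThread, 4_2_01699950
Source: C:\Users\user\Desktop\sixikmerozx.exe Code function: 4_2_01699840 NtDelayExecution,LdrInitializeThunk, 4_2_01699840
Source: C:\Users\user\Desktop\sixikmerozx.exe Code function: 0_2_02D8C380 0_2_02D8C380
"""

# A code-function entry is "<pid>_<stage>_<address> [Name,Name,...] <same id>".
CODE_FUNCTION_RE = re.compile(
    r"Code function:\s+(?P<fn>\d+_\d+_[0-9A-Fa-f]+)\s+"  # e.g. 4_2_016999A0
    r"(?P<calls>(?:[A-Za-z0-9_]+,)*)\s*"                  # zero or more "Name," tokens
    r"(?P=fn)"                                             # the id is repeated at the end
)

# Indicator sets per technique.  This grouping is the example's own heuristic;
# a complete set is a strong signal, a partial one is only a hint.
TECHNIQUES = {
    "process_hollowing": {
        "NtUnmapViewOfSection", "NtWriteVirtualMemory",
        "NtSetContextThread", "NtResumeThread",
    },
    "section_mapping": {"NtCreateSection", "NtMapViewOfSection"},
    "apc_injection": {"NtQueueApcThread"},
}


def native_apis_by_function(text):
    """Map each code-function id to the Nt*/Zw* names the report lists for it."""
    result = {}
    for m in CODE_FUNCTION_RE.finditer(text):
        names = [n for n in m.group("calls").split(",") if n]
        # LdrInitializeThunk is the ntdll stub the hook resolves through, not a syscall.
        result[m.group("fn")] = [n for n in names if n.startswith(("Nt", "Zw"))]
    return result


def all_native_apis(text):
    """Flat, de-duplicated set of native API names across every code function."""
    return {api for apis in native_apis_by_function(text).values() for api in apis}


def injection_indicators(apis):
    """For each technique: which indicator APIs were seen, which are missing, complete or not."""
    report = {}
    seen_apis = set(apis)
    for name, needed in TECHNIQUES.items():
        seen = needed & seen_apis
        report[name] = {
            "seen": sorted(seen),
            "missing": sorted(needed - seen),
            "complete": seen == needed,
        }
    return report


def triage(text):
    """Full summary for a block of report lines."""
    apis = all_native_apis(text)
    return {"apis": sorted(apis), "techniques": injection_indicators(apis)}


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_LINES), indent=2))
```

Run it over the whole "Code function" section of a report (not just these nine lines) to see every technique that is fully covered; a partial match, for instance NtWriteVirtualMemory without NtSetContextThread, is worth a manual look but is not by itself evidence of hollowing.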

Data Obfuscation

Source: C:\Users\user\Desktop\sixikmerozx.exe Unpacked PE file: 0.2.sixikmerozx.exe.9d0000.0.unpack
Source: C:\Users\user\Desktop\sixikmerozx.exe Unpacked PE file: 0.2.sixikmerozx.exe.9d0000.0.unpack .text:ER;.rsrc:R;.reloc:R; vs Unknown_Section0:ER;Unknown_Section1:R;Unknown_Section2:R;
Source: C:\Users\user\Desktop\sixikmerozx.exe Code function: 4_2_016AD0D1 push ecx; ret 4_2_016AD0E4
Source: initial sample Static PE information: section name: .text entropy: 7.317701629090079
Source: C:\Users\user\Desktop\sixikmerozx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior (identical entry repeated 38 times)
Source: C:\Windows\SysWOW64\netsh.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
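The .text entropy of 7.3177 reported above is the figure behind the packing heuristic: unobfuscated code and metadata come out noticeably lower, so a value this close to the 8 bits/byte maximum indicates compressed or encrypted content, consistent with the "Unpacked PE file" findings for the same section. As an added example (not code from the report), the following Python computes Shannon entropy per section and applies a threshold. The 7.0 cut-off and the constructed sample buffers are this example's assumptions, and the pefile helper only runs if the third-party pefile module is installed.

```python
import math
import random
from collections import Counter

PACKED_THRESHOLD = 7.0  # assumption: bits/byte above which a section is treated as packed/encrypted


def shannon_entropy(data):
    """Shannon entropy of a byte string in bits per byte (0.0 constant, 8.0 uniform)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def section_verdicts(sections, threshold=PACKED_THRESHOLD):
    """sections: iterable of (name, bytes) -> list of (name, entropy rounded, flagged)."""
    verdicts = []
    for name, data in sections:
        e = shannon_entropy(data)
        verdicts.append((name, round(e, 4), e >= threshold))
    return verdicts


def pe_sections(path):
    """Read (name, bytes) pairs from a real PE with the pefile module, if it is installed."""
    try:
        import pefile  # third-party; optional for this example
    except ImportError:
        return []
    pe = pefile.PE(path)
    return [(s.Name.rstrip(b"\x00").decode("ascii", "replace"), s.get_data())
            for s in pe.sections]


# Constructed sample sections (not bytes taken from sixikmerozx.exe).
_rng = random.Random(1337)
SAMPLE_SECTIONS = [
    (".text_plain", b"push ebp; mov ebp, esp; sub esp, 0x10; " * 1500),  # repetitive code-like ASCII
    (".text_packed", bytes(_rng.getrandbits(8) for _ in range(65536))),  # stand-in for a packed payload
    (".rsrc_zero", b"\x00" * 4096),                                       # padding only
]


if __name__ == "__main__":
    for name, entropy, flagged in section_verdicts(SAMPLE_SECTIONS):
        print(f"{name:14s} {entropy:6.4f} {'PACKED?' if flagged else 'ok'}")
```

Entropy alone is a hint rather than a verdict: a section that merely embeds a large compressed resource will also score high, which is why the report pairs the figure with the runtime "overwrites its own PE header" and "changes PE section rights" observations before calling the sample packed.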

Malware Analysis System Evasion

Source: Yara match File source: 00000000.00000002.295805632.0000000003274000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: sixikmerozx.exe PID: 1436, type: MEMORYSTR
Source: sixikmerozx.exe, 00000000.00000002.295805632.0000000003274000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SBIEDLL.DLL
Source: sixikmerozx.exe, 00000000.00000002.295805632.0000000003274000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
Source: C:\Users\user\Desktop\sixikmerozx.exe TID: 4400 Thread sleep time: -45877s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\sixikmerozx.exe TID: 5784 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Windows\explorer.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\netsh.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\sixikmerozx.exe Code function: 4_2_01725BA5 rdtsc 4_2_01725BA5
Source: C:\Users\user\Desktop\sixikmerozx.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\sixikmerozx.exe API coverage: 6.0 %
Source: C:\Users\user\Desktop\sixikmerozx.exe Process information queried: ProcessInformation Jump to behavior
Source: C:\Users\user\Desktop\sixikmerozx.exe Thread delayed: delay time: 45877 Jump to behavior
Source: C:\Users\user\Desktop\sixikmerozx.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: explorer.exe, 00000007.00000000.363187022.00000000080ED000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: sixikmerozx.exe, 00000000.00000002.295805632.0000000003274000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: explorer.exe, 00000007.00000000.296325983.0000000000680000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: _VMware_SATA_CD00#5&280b647&
Source: explorer.exe, 00000007.00000000.378098529.000000000069D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: sixikmerozx.exe, 00000000.00000002.295805632.0000000003274000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmware
Source: explorer.exe, 00000007.00000000.363846054.0000000008223000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMware SATA CD00
Source: explorer.exe, 00000007.00000000.363846054.0000000008223000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}t]
Source: explorer.exe, 00000007.00000000.418515327.00000000062C4000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000007.00000000.356448622.0000000004287000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}0
Source: explorer.exe, 00000007.00000000.363846054.0000000008223000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}}^
Source: explorer.exe, 00000007.00000000.337948019.000000000820E000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
Source: sixikmerozx.exe, 00000000.00000002.295805632.0000000003274000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMware SVGA II
Source: explorer.exe, 00000007.00000000.363187022.00000000080ED000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
Source: explorer.exe, 00000007.00000000.363846054.0000000008223000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMware SATA CD00l
Source: netsh.exe, 00000015.00000002.521889810.0000000003564000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: sixikmerozx.exe, 00000000.00000002.295805632.0000000003274000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
Source: C:\Users\user\Desktop\sixikmerozx.exe Code function: 4_2_01725BA5 rdtsc 4_2_01725BA5
Source: C:\Users\user\Desktop\sixikmerozx.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\sixikmerozx.exe Code function: 4_2_0165C962 mov eax, dword ptr fs:[00000030h] 4_2_0165C962
Source: C:\Users\user\Desktop\sixikmerozx.exe Code function: 4_2_0165B171 mov eax, dword ptr fs:[00000030h] 4_2_0165B171
Source: C:\Users\user\Desktop\sixikmerozx.exe Code function: 4_2_0165B171 mov eax, dword ptr fs:[00000030h] 4_2_0165B171
Source: C:\Users\user\Desktop\sixikmerozx.exe Code function: 4_2_0167B944 mov eax, dword ptr fs:[00000030h] 4_2_0167B944
Source: C:\Users\user\Desktop\sixikmerozx.exe Code function: 4_2_0167B944 mov eax, dword ptr fs:[00000030h] 4_2_0167B944
Source: C:\Users\user\Desktop\sixikmerozx.exe Code function: 4_2_01674120 mov eax, dword ptr fs:[00000030h] 4_2_01674120
Source: C:\Users\user\Desktop\sixikmerozx.exe Code function: 4_2_01674120 mov eax, dword ptr fs:[00000030h] 4_2_01674120
Source: C:\Users\user\Desktop\sixikmerozx.exe Code function: 4_2_01674120 mov eax, dword ptr fs:[00000030h] 4_2_01674120
Source: C:\Users\user\Desktop\sixikmerozx.exe Code function: 4_2_01674120 mov eax, dword ptr fs:[00000030h] 4_2_01674120
Source: C:\Users\user\Desktop\sixikmerozx.exe Code function: 4_2_01674120 mov ecx, dword ptr fs:[00000030h] 4_2_01674120
Source: C:\Users\user\Desktop\sixikmerozx.exe Code function: 4_2_0168513A mov eax, dword ptr fs:[00000030h] 4_2_0168513A
Source: C:\Users\user\Desktop\sixikmerozx.exe Code function: 4_2_0168513A mov eax, dword ptr fs:[00000030h] 4_2_0168513A
Source: C:\Users\user\Desktop\sixikmerozx.exe Code function: 4_2_01659100 mov eax, dword ptr fs:[00000030h] 4_2_01659100
Source: C:\Users\user\Desktop\sixikmerozx.exe Code function: 4_2_01659100 mov eax, dword ptr fs:[00000030h] 4_2_01659100
Source: C:\Users\user\Desktop\sixikmerozx.exe Code function: 4_2_01659100 mov eax, dword ptr fs:[00000030h] 4_2_01659100
Source: C:\Users\user\Desktop\sixikmerozx.exe Code function: 4_2_0165B1E1 mov eax, dword ptr fs:[00000030h] 4_2_0165B1E1
Source: C:\Users\user\Desktop\sixikmerozx.exe Code function: 4_2_0165B1E1 mov eax, dword ptr fs:[00000030h] 4_2_0165B1E1
Source: C:\Users\user\Desktop\sixikmerozx.exe Code function: 4_2_0165B1E1 mov eax, dword ptr fs:[00000030h] 4_2_0165B1E1
Source: C:\Users\user\Desktop\sixikmerozx.exe Code function: 4_2_016E41E8 mov eax, dword ptr fs:[00000030h] 4_2_016E41E8
Source: C:\Users\user\Desktop\sixikmerozx.exe Code function: 4_2_016861A0 mov eax, dword ptr fs:[00000030h] 4_2_016861A0
Source: C:\Users\user\Desktop\sixikmerozx.exe Code function: 4_2_016861A0 mov eax, dword ptr fs:[00000030h] 4_2_016861A0
Source: C:\Users\user\Desktop\sixikmerozx.exe Code function: 4_2_016D69A6 mov eax, dword ptr fs:[00000030h] 4_2_016D69A6
Source: C:\Users\user\Desktop\sixikmerozx.exe Code function: 4_2_016D51BE mov eax, dword ptr fs:[00000030h] 4_2_016D51BE
Source: C:\Users\user\Desktop\sixikmerozx.exe Code function: 4_2_016D51BE mov eax, dword ptr fs:[00000030h] 4_2_016D51BE
Source: C:\Users\user\Desktop\sixikmerozx.exe Code function: 4_2_016D51BE mov eax, dword ptr fs:[00000030h] 4_2_016D51BE
Source: C:\Users\user\Desktop\sixikmerozx.exe Code function: 4_2_016D51BE mov eax, dword ptr fs:[00000030h] 4_2_016D51BE
Source: C:\Users\user\Desktop\sixikmerozx.exe Code function: 4_2_0167C182 mov eax, dword ptr fs:[00000030h] 4_2_0167C182
Source: C:\Users\user\Desktop\sixikmerozx.exe Code function: 4_2_0168A185 mov eax, dword ptr fs:[00000030h] 4_2_0168A185
Source: C:\Users\user\Desktop\sixikmerozx.exe Code function: 4_2_01682990 mov eax, dword ptr fs:[00000030h] 4_2_01682990
Source: C:\Users\user\Desktop\sixikmerozx.exe Code function: 4_2_01712073 mov eax, dword ptr fs:[00000030h] 4_2_01712073
Source: C:\Users\user\Desktop\sixikmerozx.exe Code function: 4_2_01721074 mov eax, dword ptr fs:[00000030h] 4_2_01721074
Source: C:\Users\user\Desktop\sixikmerozx.exe Code function: 4_2_01670050 mov eax, dword ptr fs:[00000030h] 4_2_01670050
Source: C:\Users\user\Desktop\sixikmerozx.exe Code function: 4_2_01670050 mov eax, dword ptr fs:[00000030h] 4_2_01670050
Source: C:\Users\user\Desktop\sixikmerozx.exe Code function: 4_2_0168002D mov eax, dword ptr fs:[00000030h] 4_2_0168002D
Source: C:\Users\user\Desktop\sixikmerozx.exe Code function: 4_2_0166B02A mov eax, dword ptr fs:[00000030h] 4_2_0166B02A
Source: C:\Users\user\Desktop\sixikmerozx.exe Code function: 4_2_01724015 mov eax, dword ptr fs:[00000030h] 4_2_01724015
Source: C:\Users\user\Desktop\sixikmerozx.exe Code function: 4_2_016D7016 mov eax, dword ptr fs:[00000030h] 4_2_016D7016
Source: C:\Users\user\Desktop\sixikmerozx.exe Code function: 4_2_016540E1 mov eax, dword ptr fs:[00000030h] 4_2_016540E1
Source: C:\Users\user\Desktop\sixikmerozx.exe Code function: 4_2_016558EC mov eax, dword ptr fs:[00000030h] 4_2_016558EC
Source: C:\Users\user\Desktop\sixikmerozx.exe Code function: 4_2_016EB8D0 mov eax, dword ptr fs:[00000030h] 4_2_016EB8D0
Source: C:\Users\user\Desktop\sixikmerozx.exe Code function: 4_2_016EB8D0 mov ecx, dword ptr fs:[00000030h] 4_2_016EB8D0
Source: C:\Users\user\Desktop\sixikmerozx.exe Code function: 4_2_016990AF mov eax, dword ptr fs:[00000030h] 4_2_016990AF
Source: C:\Users\user\Desktop\sixikmerozx.exe Code function: 4_2_016820A0 mov eax, dword ptr fs:[00000030h] 4_2_016820A0
Source: C:\Users\user\Desktop\sixikmerozx.exe Code function: 4_2_0168F0BF mov ecx, dword ptr fs:[00000030h] 4_2_0168F0BF
Source: C:\Users\user\Desktop\sixikmerozx.exe Code function: 4_2_0168F0BF mov eax, dword ptr fs:[00000030h] 4_2_0168F0BF
Source: C:\Users\user\Desktop\sixikmerozx.exe Code function: 4_2_01659080 mov eax, dword ptr fs:[00000030h] 4_2_01659080
Source: C:\Users\user\Desktop\sixikmerozx.exe Code function: 4_2_016D3884 mov eax, dword ptr fs:[00000030h] 4_2_016D3884
Source: C:\Users\user\Desktop\sixikmerozx.exe Code function: 4_2_0165DB60 mov ecx, dword ptr fs:[00000030h] 4_2_0165DB60
Source: C:\Users\user\Desktop\sixikmerozx.exe Code function: 4_2_01683B7A mov eax, dword ptr fs:[00000030h] 4_2_01683B7A
Source: C:\Users\user\Desktop\sixikmerozx.exe Code function: 4_2_0165DB40 mov eax, dword ptr fs:[00000030h] 4_2_0165DB40
Source: C:\Users\user\Desktop\sixikmerozx.exe Code function: 4_2_01728B58 mov eax, dword ptr fs:[00000030h] 4_2_01728B58
Source: C:\Users\user\Desktop\sixikmerozx.exe Code function: 4_2_0165F358 mov eax, dword ptr fs:[00000030h] 4_2_0165F358
Source: C:\Users\user\Desktop\sixikmerozx.exe Code function: 4_2_0171131B mov eax, dword ptr fs:[00000030h] 4_2_0171131B
Source: C:\Users\user\Desktop\sixikmerozx.exe Code function: 4_2_016803E2 mov eax, dword ptr fs:[00000030h] 4_2_016803E2
Source: C:\Users\user\Desktop\sixikmerozx.exe Code function: 4_2_0167DBE9 mov eax, dword ptr fs:[00000030h] 4_2_0167DBE9
Source: C:\Users\user\Desktop\sixikmerozx.exe Code function: 4_2_016D53CA mov eax, dword ptr fs:[00000030h] 4_2_016D53CA
Source: C:\Users\user\Desktop\sixikmerozx.exe Code function: 4_2_01684BAD mov eax, dword ptr fs:[00000030h] 4_2_01684BAD
Source: C:\Users\user\Desktop\sixikmerozx.exe Code function: 4_2_01725BA5 mov eax, dword ptr fs:[00000030h] 4_2_01725BA5
Source: C:\Users\user\Desktop\sixikmerozx.exe Code function: 4_2_01661B8F mov eax, dword ptr fs:[00000030h] 4_2_01661B8F
Source: C:\Users\user\Desktop\sixikmerozx.exe Code function: 4_2_0170D380 mov ecx, dword ptr fs:[00000030h] 4_2_0170D380
Source: C:\Users\user\Desktop\sixikmerozx.exe Code function: 4_2_0168B390 mov eax, dword ptr fs:[00000030h] 4_2_0168B390
Source: C:\Users\user\Desktop\sixikmerozx.exe Code function: 4_2_0171138A mov eax, dword ptr fs:[00000030h] 4_2_0171138A
Source: C:\Users\user\Desktop\sixikmerozx.exe Code function: 4_2_01682397 mov eax, dword ptr fs:[00000030h] 4_2_01682397
Source: C:\Users\user\Desktop\sixikmerozx.exe Code function: 4_2_0170B260 mov eax, dword ptr fs:[00000030h] 4_2_0170B260
Source: C:\Users\user\Desktop\sixikmerozx.exe Code function: 4_2_01728A62 mov eax, dword ptr fs:[00000030h] 4_2_01728A62
Source: C:\Users\user\Desktop\sixikmerozx.exe Code function: 4_2_0169927A mov eax, dword ptr fs:[00000030h] 4_2_0169927A
Source: C:\Users\user\Desktop\sixikmerozx.exe Code function: 4_2_0171EA55 mov eax, dword ptr fs:[00000030h] 4_2_0171EA55
Source: C:\Users\user\Desktop\sixikmerozx.exe Code function: 4_2_01659240 mov eax, dword ptr fs:[00000030h] 4_2_01659240
Source: C:\Users\user\Desktop\sixikmerozx.exe Code function: 4_2_016E4257 mov eax, dword ptr fs:[00000030h] 4_2_016E4257
Source: C:\Users\user\Desktop\sixikmerozx.exe Code function: 4_2_01694A2C mov eax, dword ptr fs:[00000030h] 4_2_01694A2C
Source: C:\Users\user\Desktop\sixikmerozx.exe Code function: 4_2_0171AA16 mov eax, dword ptr fs:[00000030h] 4_2_0171AA16
Source: C:\Users\user\Desktop\sixikmerozx.exe Code function: 4_2_01668A0A mov eax, dword ptr fs:[00000030h] 4_2_01668A0A
Source: C:\Users\user\Desktop\sixikmerozx.exe Code function: 4_2_0165AA16 mov eax, dword ptr fs:[00000030h] 4_2_0165AA16
Source: C:\Users\user\Desktop\sixikmerozx.exe Code function: 4_2_01655210 mov eax, dword ptr fs:[00000030h] 4_2_01655210
Source: C:\Users\user\Desktop\sixikmerozx.exe Code function: 4_2_01655210 mov ecx, dword ptr fs:[00000030h] 4_2_01655210
Source: C:\Users\user\Desktop\sixikmerozx.exe Code function: 4_2_01673A1C mov eax, dword ptr fs:[00000030h] 4_2_01673A1C
Source: C:\Users\user\Desktop\sixikmerozx.exe Code function: 4_2_01682AE4 mov eax, dword ptr fs:[00000030h] 4_2_01682AE4
Source: C:\Users\user\Desktop\sixikmerozx.exe Code function: 4_2_01682ACB mov eax, dword ptr fs:[00000030h] 4_2_01682ACB
Source: C:\Users\user\Desktop\sixikmerozx.exe Code function: 4_2_016552A5 mov eax, dword ptr fs:[00000030h] 4_2_016552A5
Source: C:\Users\user\Desktop\sixikmerozx.exe Code function: 4_2_0166AAB0 mov eax, dword ptr fs:[00000030h] 4_2_0166AAB0
Source: C:\Users\user\Desktop\sixikmerozx.exe Code function: 4_2_0168FAB0 mov eax, dword ptr fs:[00000030h] 4_2_0168FAB0
Source: C:\Users\user\Desktop\sixikmerozx.exe Code function: 4_2_0168D294 mov eax, dword ptr fs:[00000030h] 4_2_0168D294
Source: C:\Users\user\Desktop\sixikmerozx.exe Code function: 4_2_0167C577 mov eax, dword ptr fs:[00000030h] 4_2_0167C577
Source: C:\Users\user\Desktop\sixikmerozx.exe Code function: 4_2_01693D43 mov eax, dword ptr fs:[00000030h] 4_2_01693D43
Source: C:\Users\user\Desktop\sixikmerozx.exe Code function: 4_2_016D3540 mov eax, dword ptr fs:[00000030h] 4_2_016D3540
Source: C:\Users\user\Desktop\sixikmerozx.exe Code function: 4_2_01677D50 mov eax, dword ptr fs:[00000030h] 4_2_01677D50
Source: C:\Users\user\Desktop\sixikmerozx.exe Code function: 4_2_01728D34 mov eax, dword ptr fs:[00000030h] 4_2_01728D34
Source: C:\Users\user\Desktop\sixikmerozx.exe Code function: 4_2_0171E539 mov eax, dword ptr fs:[00000030h] 4_2_0171E539
Source: C:\Users\user\Desktop\sixikmerozx.exe Code function: 4_2_01663D34 mov eax, dword ptr fs:[00000030h] 4_2_01663D34
Source: C:\Users\user\Desktop\sixikmerozx.exe Code function: 4_2_01684D3B mov eax, dword ptr fs:[00000030h] 4_2_01684D3B
Source: C:\Users\user\Desktop\sixikmerozx.exe Code function: 4_2_0165AD30 mov eax, dword ptr fs:[00000030h] 4_2_0165AD30
Source: C:\Users\user\Desktop\sixikmerozx.exe Code function: 4_2_016DA537 mov eax, dword ptr fs:[00000030h] 4_2_016DA537
Source: C:\Users\user\Desktop\sixikmerozx.exe Code function: 4_2_01708DF1 mov eax, dword ptr fs:[00000030h] 4_2_01708DF1
Source: C:\Users\user\Desktop\sixikmerozx.exe Code function: 4_2_0166D5E0 mov eax, dword ptr fs:[00000030h] 4_2_0166D5E0
Source: C:\Users\user\Desktop\sixikmerozx.exe Code function: 4_2_0171FDE2 mov eax, dword ptr fs:[00000030h] 4_2_0171FDE2
Source: C:\Users\user\Desktop\sixikmerozx.exe Code function: 4_2_016D6DC9 mov eax, dword ptr fs:[00000030h] 4_2_016D6DC9
Source: C:\Users\user\Desktop\sixikmerozx.exe Code function: 4_2_016D6DC9 mov ecx, dword ptr fs:[00000030h] 4_2_016D6DC9
Source: C:\Users\user\Desktop\sixikmerozx.exe Code function: 4_2_016835A1 mov eax, dword ptr fs:[00000030h] 4_2_016835A1
Source: C:\Users\user\Desktop\sixikmerozx.exe Code function: 4_2_01681DB5 mov eax, dword ptr fs:[00000030h] 4_2_01681DB5
Source: C:\Users\user\Desktop\sixikmerozx.exe Code function: 4_2_017205AC mov eax, dword ptr fs:[00000030h] 4_2_017205AC
Source: C:\Users\user\Desktop\sixikmerozx.exe Code function: 4_2_01682581 mov eax, dword ptr fs:[00000030h] 4_2_01682581
Source: C:\Users\user\Desktop\sixikmerozx.exe Code function: 4_2_01652D8A mov eax, dword ptr fs:[00000030h] 4_2_01652D8A
Source: C:\Users\user\Desktop\sixikmerozx.exe Code function: 4_2_0168FD9B mov eax, dword ptr fs:[00000030h] 4_2_0168FD9B
Source: C:\Users\user\Desktop\sixikmerozx.exe Code function: 4_2_0167746D mov eax, dword ptr fs:[00000030h] 4_2_0167746D
Source: C:\Users\user\Desktop\sixikmerozx.exe Code function: 4_2_0168A44B mov eax, dword ptr fs:[00000030h] 4_2_0168A44B
Source: C:\Users\user\Desktop\sixikmerozx.exe Code function: 4_2_016EC450 mov eax, dword ptr fs:[00000030h] 4_2_016EC450
Source: C:\Users\user\Desktop\sixikmerozx.exe Code function: 4_2_0168BC2C mov eax, dword ptr fs:[00000030h] 4_2_0168BC2C
Source: C:\Users\user\Desktop\sixikmerozx.exe Code function: 4_2_016D6C0A mov eax, dword ptr fs:[00000030h] 4_2_016D6C0A
Source: C:\Users\user\Desktop\sixikmerozx.exe Code function: 4_2_01711C06 mov eax, dword ptr fs:[00000030h] 4_2_01711C06
Source: C:\Users\user\Desktop\sixikmerozx.exe Code function: 4_2_0172740D mov eax, dword ptr fs:[00000030h] 4_2_0172740D
Source: C:\Users\user\Desktop\sixikmerozx.exe Code function: 4_2_017114FB mov eax, dword ptr fs:[00000030h] 4_2_017114FB
Source: C:\Users\user\Desktop\sixikmerozx.exe Code function: 4_2_016D6CF0 mov eax, dword ptr fs:[00000030h] 4_2_016D6CF0
Source: C:\Users\user\Desktop\sixikmerozx.exe Code function: 4_2_01728CD6 mov eax, dword ptr fs:[00000030h] 4_2_01728CD6
Source: C:\Users\user\Desktop\sixikmerozx.exe Code function: 4_2_0166849B mov eax, dword ptr fs:[00000030h] 4_2_0166849B
Source: C:\Users\user\Desktop\sixikmerozx.exe Code function: 4_2_0166FF60 mov eax, dword ptr fs:[00000030h] 4_2_0166FF60
Source: C:\Users\user\Desktop\sixikmerozx.exe Code function: 4_2_01728F6A mov eax, dword ptr fs:[00000030h] 4_2_01728F6A
Source: C:\Users\user\Desktop\sixikmerozx.exe Code function: 4_2_0166EF40 mov eax, dword ptr fs:[00000030h] 4_2_0166EF40
Source: C:\Users\user\Desktop\sixikmerozx.exe Code function: 4_2_01654F2E mov eax, dword ptr fs:[00000030h] 4_2_01654F2E
Source: C:\Users\user\Desktop\sixikmerozx.exe Code function: 4_2_0168E730 mov eax, dword ptr fs:[00000030h] 4_2_0168E730
Source: C:\Users\user\Desktop\sixikmerozx.exe Code function: 4_2_0168A70E mov eax, dword ptr fs:[00000030h] 4_2_0168A70E
Source: C:\Users\user\Desktop\sixikmerozx.exe Code function: 4_2_0167F716 mov eax, dword ptr fs:[00000030h] 4_2_0167F716
Source: C:\Users\user\Desktop\sixikmerozx.exe Code function: 4_2_016EFF10 mov eax, dword ptr fs:[00000030h] 4_2_016EFF10
Source: C:\Users\user\Desktop\sixikmerozx.exe Code function: 4_2_0172070D mov eax, dword ptr fs:[00000030h] 4_2_0172070D
Source: C:\Users\user\Desktop\sixikmerozx.exe Code function: 4_2_016937F5 mov eax, dword ptr fs:[00000030h] 4_2_016937F5
Source: C:\Users\user\Desktop\sixikmerozx.exe Code function: 4_2_01668794 mov eax, dword ptr fs:[00000030h] 4_2_01668794
Source: C:\Users\user\Desktop\sixikmerozx.exe Code function: 4_2_016D7794 mov eax, dword ptr fs:[00000030h] 4_2_016D7794
Source: C:\Users\user\Desktop\sixikmerozx.exe Code function: 4_2_0166766D mov eax, dword ptr fs:[00000030h] 4_2_0166766D
Source: C:\Users\user\Desktop\sixikmerozx.exe Code function: 4_2_0167AE73 mov eax, dword ptr fs:[00000030h] 4_2_0167AE73
Source: C:\Users\user\Desktop\sixikmerozx.exe Code function: 4_2_01667E41 mov eax, dword ptr fs:[00000030h] 4_2_01667E41
Source: C:\Users\user\Desktop\sixikmerozx.exe Code function: 4_2_0171AE44 mov eax, dword ptr fs:[00000030h] 4_2_0171AE44
Source: C:\Users\user\Desktop\sixikmerozx.exe Code function: 4_2_0165E620 mov eax, dword ptr fs:[00000030h] 4_2_0165E620
Source: C:\Users\user\Desktop\sixikmerozx.exe Code function: 4_2_0170FE3F mov eax, dword ptr fs:[00000030h] 4_2_0170FE3F
Source: C:\Users\user\Desktop\sixikmerozx.exe Code function: 4_2_0165C600 mov eax, dword ptr fs:[00000030h] 4_2_0165C600
Source: C:\Users\user\Desktop\sixikmerozx.exe Code function: 4_2_01688E00 mov eax, dword ptr fs:[00000030h] 4_2_01688E00
Source: C:\Users\user\Desktop\sixikmerozx.exe Code function: 4_2_0168A61C mov eax, dword ptr fs:[00000030h] 4_2_0168A61C
Source: C:\Users\user\Desktop\sixikmerozx.exe Code function: 4_2_01711608 mov eax, dword ptr fs:[00000030h] 4_2_01711608
Source: C:\Users\user\Desktop\sixikmerozx.exe Code function: 4_2_016676E2 mov eax, dword ptr fs:[00000030h] 4_2_016676E2
Source: C:\Users\user\Desktop\sixikmerozx.exe Code function: 4_2_016816E0 mov ecx, dword ptr fs:[00000030h] 4_2_016816E0
Source: C:\Users\user\Desktop\sixikmerozx.exe Code function: 4_2_01728ED6 mov eax, dword ptr fs:[00000030h] 4_2_01728ED6
Source: C:\Users\user\Desktop\sixikmerozx.exe Code function: 4_2_016836CC mov eax, dword ptr fs:[00000030h] 4_2_016836CC
Source: C:\Users\user\Desktop\sixikmerozx.exe Code function: 4_2_01698EC7 mov eax, dword ptr fs:[00000030h] 4_2_01698EC7
Source: C:\Users\user\Desktop\sixikmerozx.exe Code function: 4_2_0170FEC0 mov eax, dword ptr fs:[00000030h] 4_2_0170FEC0
Source: C:\Users\user\Desktop\sixikmerozx.exe Code function: 4_2_016D46A7 mov eax, dword ptr fs:[00000030h] 4_2_016D46A7
Source: C:\Users\user\Desktop\sixikmerozx.exe Code function: 4_2_01720EA5 mov eax, dword ptr fs:[00000030h] 4_2_01720EA5
Source: C:\Users\user\Desktop\sixikmerozx.exe Code function: 4_2_016EFE87 mov eax, dword ptr fs:[00000030h] 4_2_016EFE87
Source: C:\Users\user\Desktop\sixikmerozx.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\netsh.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\sixikmerozx.exe Code function: 4_2_01699910 NtAdjustPrivilegesToken,LdrInitializeThunk, 4_2_01699910
Source: C:\Users\user\Desktop\sixikmerozx.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\sixikmerozx.exe Section unmapped: C:\Windows\SysWOW64\netsh.exe base address: F70000
Source: C:\Users\user\Desktop\sixikmerozx.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\Desktop\sixikmerozx.exe Section loaded: unknown target: C:\Windows\SysWOW64\netsh.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\Desktop\sixikmerozx.exe Memory written: C:\Users\user\Desktop\sixikmerozx.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\sixikmerozx.exe Thread APC queued: target process: C:\Windows\explorer.exe
Source: C:\Users\user\Desktop\sixikmerozx.exe Thread register set: target process: 3968
Source: C:\Windows\SysWOW64\netsh.exe Thread register set: target process: 3968
Source: C:\Users\user\Desktop\sixikmerozx.exe Process created: C:\Users\user\Desktop\sixikmerozx.exe C:\Users\user\Desktop\sixikmerozx.exe
Source: C:\Users\user\Desktop\sixikmerozx.exe Process created: C:\Windows\SysWOW64\netsh.exe C:\Windows\SysWOW64\netsh.exe
Source: explorer.exe, 00000007.00000000.353837420.0000000000688000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.411832560.0000000000688000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.378081100.0000000000688000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ProgmanEXE^
Source: explorer.exe, 00000007.00000000.412629773.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000007.00000000.336910522.00000000080ED000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.382550165.0000000005920000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000007.00000000.412629773.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000007.00000000.354882417.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000007.00000000.297900097.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progman
Source: explorer.exe, 00000007.00000000.412629773.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000007.00000000.354882417.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000007.00000000.297900097.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progmanlock
Source: explorer.exe, 00000007.00000000.296396083.000000000069D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.411922520.000000000069D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.353958083.000000000069D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Shell_TrayWnd4
Source: explorer.exe, 00000007.00000000.412629773.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000007.00000000.354882417.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000007.00000000.297900097.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: WProgram Manager
Source: C:\Users\user\Desktop\sixikmerozx.exe Queries volume information: C:\Users\user\Desktop\sixikmerozx.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sixikmerozx.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sixikmerozx.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sixikmerozx.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sixikmerozx.exe Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sixikmerozx.exe Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sixikmerozx.exe Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sixikmerozx.exe Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sixikmerozx.exe Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sixikmerozx.exe Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sixikmerozx.exe Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sixikmerozx.exe Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sixikmerozx.exe Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sixikmerozx.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sixikmerozx.exe Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sixikmerozx.exe Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sixikmerozx.exe Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sixikmerozx.exe Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sixikmerozx.exe Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sixikmerozx.exe Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sixikmerozx.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sixikmerozx.exe Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sixikmerozx.exe Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sixikmerozx.exe Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sixikmerozx.exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sixikmerozx.exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sixikmerozx.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sixikmerozx.exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sixikmerozx.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sixikmerozx.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sixikmerozx.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sixikmerozx.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sixikmerozx.exe Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sixikmerozx.exe Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sixikmerozx.exe Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sixikmerozx.exe Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sixikmerozx.exe Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sixikmerozx.exe Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sixikmerozx.exe Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sixikmerozx.exe Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sixikmerozx.exe Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sixikmerozx.exe Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sixikmerozx.exe Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sixikmerozx.exe Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sixikmerozx.exe Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sixikmerozx.exe Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sixikmerozx.exe Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sixikmerozx.exe Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sixikmerozx.exe Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sixikmerozx.exe Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sixikmerozx.exe Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sixikmerozx.exe Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sixikmerozx.exe Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sixikmerozx.exe Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sixikmerozx.exe Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sixikmerozx.exe Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sixikmerozx.exe Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sixikmerozx.exe Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sixikmerozx.exe Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sixikmerozx.exe Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sixikmerozx.exe Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sixikmerozx.exe Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sixikmerozx.exe Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sixikmerozx.exe Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sixikmerozx.exe Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sixikmerozx.exe Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sixikmerozx.exe Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sixikmerozx.exe Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sixikmerozx.exe Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sixikmerozx.exe Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sixikmerozx.exe Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sixikmerozx.exe Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sixikmerozx.exe Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sixikmerozx.exe Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sixikmerozx.exe Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sixikmerozx.exe Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sixikmerozx.exe Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sixikmerozx.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sixikmerozx.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sixikmerozx.exe Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sixikmerozx.exe Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sixikmerozx.exe Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sixikmerozx.exe Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sixikmerozx.exe Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sixikmerozx.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sixikmerozx.exe Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sixikmerozx.exe Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sixikmerozx.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sixikmerozx.exe Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sixikmerozx.exe Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sixikmerozx.exe Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sixikmerozx.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sixikmerozx.exe Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sixikmerozx.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sixikmerozx.exe Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sixikmerozx.exe Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sixikmerozx.exe Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sixikmerozx.exe Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sixikmerozx.exe Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sixikmerozx.exe Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sixikmerozx.exe Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sixikmerozx.exe Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sixikmerozx.exe Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sixikmerozx.exe Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sixikmerozx.exe Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sixikmerozx.exe Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sixikmerozx.exe Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sixikmerozx.exe Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sixikmerozx.exe Queries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sixikmerozx.exe Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sixikmerozx.exe Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sixikmerozx.exe Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sixikmerozx.exe Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sixikmerozx.exe Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sixikmerozx.exe Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sixikmerozx.exe Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sixikmerozx.exe Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sixikmerozx.exe Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sixikmerozx.exe Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sixikmerozx.exe Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sixikmerozx.exe Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sixikmerozx.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sixikmerozx.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sixikmerozx.exe Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sixikmerozx.exe Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sixikmerozx.exe Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sixikmerozx.exe Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sixikmerozx.exe Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sixikmerozx.exe Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sixikmerozx.exe Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sixikmerozx.exe Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sixikmerozx.exe Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sixikmerozx.exe Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sixikmerozx.exe Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sixikmerozx.exe Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sixikmerozx.exe Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sixikmerozx.exe Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sixikmerozx.exe Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sixikmerozx.exe Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sixikmerozx.exe Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sixikmerozx.exe Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sixikmerozx.exe Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sixikmerozx.exe Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sixikmerozx.exe Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sixikmerozx.exe Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sixikmerozx.exe Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sixikmerozx.exe Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sixikmerozx.exe Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sixikmerozx.exe Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sixikmerozx.exe Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sixikmerozx.exe Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sixikmerozx.exe Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sixikmerozx.exe Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sixikmerozx.exe Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sixikmerozx.exe Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sixikmerozx.exe Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sixikmerozx.exe Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sixikmerozx.exe Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sixikmerozx.exe Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sixikmerozx.exe Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sixikmerozx.exe Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sixikmerozx.exe Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sixikmerozx.exe Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sixikmerozx.exe Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sixikmerozx.exe Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sixikmerozx.exe Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sixikmerozx.exe Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sixikmerozx.exe Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sixikmerozx.exe Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sixikmerozx.exe Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sixikmerozx.exe Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sixikmerozx.exe Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sixikmerozx.exe Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sixikmerozx.exe Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sixikmerozx.exe Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sixikmerozx.exe Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sixikmerozx.exe Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sixikmerozx.exe Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sixikmerozx.exe Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sixikmerozx.exe Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sixikmerozx.exe Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sixikmerozx.exe Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sixikmerozx.exe Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sixikmerozx.exe Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sixikmerozx.exe Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sixikmerozx.exe Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sixikmerozx.exe Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sixikmerozx.exe Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sixikmerozx.exe Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sixikmerozx.exe Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sixikmerozx.exe Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sixikmerozx.exe Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sixikmerozx.exe Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sixikmerozx.exe Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sixikmerozx.exe Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sixikmerozx.exe Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sixikmerozx.exe Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sixikmerozx.exe Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sixikmerozx.exe Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sixikmerozx.exe Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sixikmerozx.exe Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sixikmerozx.exe Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sixikmerozx.exe Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sixikmerozx.exe Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sixikmerozx.exe Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sixikmerozx.exe Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sixikmerozx.exe Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sixikmerozx.exe Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sixikmerozx.exe Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sixikmerozx.exe Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sixikmerozx.exe Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sixikmerozx.exe Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
Source: C:\Users\user\Desktop\sixikmerozx.exe Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
Source: C:\Users\user\Desktop\sixikmerozx.exe Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
Source: C:\Users\user\Desktop\sixikmerozx.exe Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
Source: C:\Users\user\Desktop\sixikmerozx.exe Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
Source: C:\Users\user\Desktop\sixikmerozx.exe Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
Source: C:\Users\user\Desktop\sixikmerozx.exe Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
Source: C:\Users\user\Desktop\sixikmerozx.exe Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
Source: C:\Users\user\Desktop\sixikmerozx.exe Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
Source: C:\Users\user\Desktop\sixikmerozx.exe Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
Source: C:\Users\user\Desktop\sixikmerozx.exe Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
Source: C:\Users\user\Desktop\sixikmerozx.exe Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
Source: C:\Users\user\Desktop\sixikmerozx.exe Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
Source: C:\Users\user\Desktop\sixikmerozx.exe Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
Source: C:\Users\user\Desktop\sixikmerozx.exe Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\sixikmerozx.exe Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
Source: C:\Users\user\Desktop\sixikmerozx.exe Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
Source: C:\Users\user\Desktop\sixikmerozx.exe Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
Source: C:\Users\user\Desktop\sixikmerozx.exe Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\sixikmerozx.exe Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
Source: C:\Users\user\Desktop\sixikmerozx.exe Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
Source: C:\Users\user\Desktop\sixikmerozx.exe Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
Source: C:\Users\user\Desktop\sixikmerozx.exe Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\sixikmerozx.exe Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\sixikmerozx.exe Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\sixikmerozx.exe Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\sixikmerozx.exe Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
Source: C:\Users\user\Desktop\sixikmerozx.exe Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\sixikmerozx.exe Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
Source: C:\Users\user\Desktop\sixikmerozx.exe Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
Source: C:\Users\user\Desktop\sixikmerozx.exe Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
Source: C:\Users\user\Desktop\sixikmerozx.exe Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
Source: C:\Users\user\Desktop\sixikmerozx.exe Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
Source: C:\Users\user\Desktop\sixikmerozx.exe Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
Source: C:\Users\user\Desktop\sixikmerozx.exe Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\sixikmerozx.exe Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
Source: C:\Users\user\Desktop\sixikmerozx.exe Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
Source: C:\Users\user\Desktop\sixikmerozx.exe Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
Source: C:\Users\user\Desktop\sixikmerozx.exe Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
Source: C:\Users\user\Desktop\sixikmerozx.exe Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\sixikmerozx.exe Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\sixikmerozx.exe Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\sixikmerozx.exe Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\sixikmerozx.exe Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
Source: C:\Users\user\Desktop\sixikmerozx.exe Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
Source: C:\Users\user\Desktop\sixikmerozx.exe Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
Source: C:\Users\user\Desktop\sixikmerozx.exe Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\sixikmerozx.exe Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
Source: C:\Users\user\Desktop\sixikmerozx.exe Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
Source: C:\Users\user\Desktop\sixikmerozx.exe Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
Source: C:\Users\user\Desktop\sixikmerozx.exe Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
Source: C:\Users\user\Desktop\sixikmerozx.exe Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
Source: C:\Users\user\Desktop\sixikmerozx.exe Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
Source: C:\Users\user\Desktop\sixikmerozx.exe Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\sixikmerozx.exe Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
Source: C:\Users\user\Desktop\sixikmerozx.exe Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
Source: C:\Users\user\Desktop\sixikmerozx.exe Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
Source: C:\Users\user\Desktop\sixikmerozx.exe Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
Source: C:\Users\user\Desktop\sixikmerozx.exe Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
Source: C:\Users\user\Desktop\sixikmerozx.exe Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\sixikmerozx.exe Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\sixikmerozx.exe Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
Source: C:\Users\user\Desktop\sixikmerozx.exe Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\sixikmerozx.exe Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\sixikmerozx.exe Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\sixikmerozx.exe Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
Source: C:\Users\user\Desktop\sixikmerozx.exe Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
Source: C:\Users\user\Desktop\sixikmerozx.exe Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
Source: C:\Users\user\Desktop\sixikmerozx.exe Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
Source: C:\Users\user\Desktop\sixikmerozx.exe Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
Source: C:\Users\user\Desktop\sixikmerozx.exe Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\sixikmerozx.exe Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
Source: C:\Users\user\Desktop\sixikmerozx.exe Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\sixikmerozx.exe Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
Source: C:\Users\user\Desktop\sixikmerozx.exe Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
Source: C:\Users\user\Desktop\sixikmerozx.exe Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
Source: C:\Users\user\Desktop\sixikmerozx.exe Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\sixikmerozx.exe Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
Source: C:\Users\user\Desktop\sixikmerozx.exe Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
Source: C:\Users\user\Desktop\sixikmerozx.exe Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\sixikmerozx.exe Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
Source: C:\Users\user\Desktop\sixikmerozx.exe Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
Source: C:\Users\user\Desktop\sixikmerozx.exe Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
Source: C:\Users\user\Desktop\sixikmerozx.exe Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
Source: C:\Users\user\Desktop\sixikmerozx.exe Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
Source: C:\Users\user\Desktop\sixikmerozx.exe Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
Source: C:\Users\user\Desktop\sixikmerozx.exe Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
Source: C:\Users\user\Desktop\sixikmerozx.exe Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\sixikmerozx.exe Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\sixikmerozx.exe Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
Source: C:\Users\user\Desktop\sixikmerozx.exe Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\sixikmerozx.exe Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
Source: C:\Users\user\Desktop\sixikmerozx.exe Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\sixikmerozx.exe Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
Source: C:\Users\user\Desktop\sixikmerozx.exe Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\sixikmerozx.exe Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\sixikmerozx.exe Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\sixikmerozx.exe Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
Source: C:\Users\user\Desktop\sixikmerozx.exe Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
Source: C:\Users\user\Desktop\sixikmerozx.exe Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
Source: C:\Users\user\Desktop\sixikmerozx.exe Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
Source: C:\Users\user\Desktop\sixikmerozx.exe Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
Source: C:\Users\user\Desktop\sixikmerozx.exe Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\sixikmerozx.exe Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
Source: C:\Users\user\Desktop\sixikmerozx.exe Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
Source: C:\Users\user\Desktop\sixikmerozx.exe Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
Source: C:\Users\user\Desktop\sixikmerozx.exe Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\sixikmerozx.exe Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
Source: C:\Users\user\Desktop\sixikmerozx.exe Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\sixikmerozx.exe Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
Source: C:\Users\user\Desktop\sixikmerozx.exe Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
Source: C:\Users\user\Desktop\sixikmerozx.exe Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
Source: C:\Users\user\Desktop\sixikmerozx.exe Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\sixikmerozx.exe Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
Source: C:\Users\user\Desktop\sixikmerozx.exe Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
Source: C:\Users\user\Desktop\sixikmerozx.exe Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
Source: C:\Users\user\Desktop\sixikmerozx.exe Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
Source: C:\Users\user\Desktop\sixikmerozx.exe Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
Source: C:\Users\user\Desktop\sixikmerozx.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\sixikmerozx.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\sixikmerozx.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\Desktop\sixikmerozx.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Users\user\Desktop\sixikmerozx.exe Process created: C:\Windows\SysWOW64\netsh.exe C:\Windows\SysWOW64\netsh.exe
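A detection check for the observation above, added here as an example and not part of the sandbox report or its vendor's tooling. A process-hollowing loader starts its host binary with nothing but the image path, because the host's own code is about to be replaced before it runs, whereas an administrator or script running netsh always passes a sub-command. The rule below flags netsh.exe when it is spawned argument-less by a parent outside C:\Windows. The event shape, the trusted-parent prefix and the three sample events are constructed for the example; only the parent path and the SysWOW64 netsh.exe path come from the report line above. The SysWOW64 path is itself a clue: a 32-bit injector needs a 32-bit host, so the loader picks the WoW64 build of netsh.

```python
"""Flag a Windows LOLBin launched the way a process-hollowing loader launches it.

Added example over constructed telemetry, not part of the sandbox report. The event
shape mimics a process-creation record (parent image, image, command line) and the
sample events below are made up to match the report's netsh.exe observation.
"""
from dataclasses import dataclass
import ntpath


@dataclass(frozen=True)
class ProcessEvent:
    parent_image: str
    image: str
    command_line: str


# netsh.exe is the host this report shows being spawned; the set is the analyst's
# choice and may be extended with other built-in binaries (assumption, not from the page).
HOLLOWING_HOSTS = {"netsh.exe"}

# Parents living under the Windows directory are treated as trusted for this rule.
TRUSTED_PARENT_PREFIX = "c:\\windows\\"


def has_no_arguments(command_line: str) -> bool:
    """True when the command line is just the executable path (quoted or not)."""
    cmd = command_line.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        rest = cmd[end + 1:] if end != -1 else ""
    else:
        parts = cmd.split(None, 1)
        rest = parts[1] if len(parts) > 1 else ""
    return rest.strip() == ""


def flag_hollowing_hosts(events):
    """Return one reason string per event that matches all three conditions:
    a known host binary, an argument-less command line, and a parent outside
    the Windows directory (e.g. a file dropped on the user's desktop)."""
    hits = []
    for ev in events:
        image_name = ntpath.basename(ev.image).lower()
        if image_name not in HOLLOWING_HOSTS:
            continue
        if not has_no_arguments(ev.command_line):
            continue  # netsh run with a real sub-command is ordinary administration
        if ev.parent_image.lower().startswith(TRUSTED_PARENT_PREFIX):
            continue
        hits.append(f"{image_name} spawned without arguments by {ev.parent_image}")
    return hits


# Constructed sample events (not from the report). The first mirrors the report's
# observation: the sample on the desktop starts the 32-bit netsh.exe with a bare
# command line, which only makes sense if the parent wants a host to inject into.
SAMPLE_EVENTS = [
    ProcessEvent(
        parent_image=r"C:\Users\user\Desktop\sixikmerozx.exe",
        image=r"C:\Windows\SysWOW64\netsh.exe",
        command_line=r'"C:\Windows\SysWOW64\netsh.exe"',
    ),
    ProcessEvent(  # legitimate use from an admin shell: carries a sub-command
        parent_image=r"C:\Windows\System32\cmd.exe",
        image=r"C:\Windows\System32\netsh.exe",
        command_line="netsh advfirewall firewall show rule name=all",
    ),
    ProcessEvent(  # not a host binary this rule watches
        parent_image=r"C:\Windows\System32\services.exe",
        image=r"C:\Windows\System32\svchost.exe",
        command_line=r"C:\Windows\System32\svchost.exe -k netsvcs",
    ),
]

if __name__ == "__main__":
    for reason in flag_hollowing_hosts(SAMPLE_EVENTS):
        print("ALERT:", reason)
```

The argument check is the load-bearing condition: netsh with a real sub-command from cmd.exe or a management agent is normal administration, and the second sample shows it passing. Tune TRUSTED_PARENT_PREFIX to the environment; as written, a loader dropped under C:\Windows\Temp would slip past it.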

Stealing of Sensitive Information

Source: Yara match File source: 4.0.sixikmerozx.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.sixikmerozx.exe.4b16438.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000015.00000002.520124794.00000000034A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000002.519220440.0000000003390000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.301670618.0000000004B16000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000000.390288440.000000000D724000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000000.372555173.000000000D724000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.276811535.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000002.518308713.0000000002FA0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Source: Yara match File source: 4.0.sixikmerozx.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.sixikmerozx.exe.4b16438.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000015.00000002.520124794.00000000034A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000002.519220440.0000000003390000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.301670618.0000000004B16000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000000.390288440.000000000D724000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000000.372555173.000000000D724000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.276811535.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000002.518308713.0000000002FA0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
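The two Yara lists above (Stealing of Sensitive Information and Remote Access Functionality) cite the same nine memory dumps. The script below, an added example rather than anything from the report or its vendor, decodes those identifiers so an analyst can see where the matched code lives. The .sdmp field layout (process index, phase, dump id, base address, protection, flags, memory type, reserved) is inferred from the names on this page and is an assumption; the fifth and seventh fields are decoded with the standard Win32 PAGE_* and MEM_* constants, the sixth is left raw, and the process index is read as hexadecimal, also an assumption. The dump names themselves are taken from the report.

```python
"""Decode the memory-dump identifiers listed under the Yara matches above.

Added example, not code from the sandbox vendor or the report. The field layout of
the .sdmp names is inferred from the names on this page and is an assumption:
<process index>.<phase>.<dump id>.<base address>.<protection>.<flags>.<memory type>.<reserved>
Protection and type are decoded with the standard Win32 PAGE_* and MEM_* constants.
"""
from dataclasses import dataclass

PAGE_PROTECTION = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
PAGE_MODIFIERS = {0x100: "PAGE_GUARD", 0x200: "PAGE_NOCACHE", 0x400: "PAGE_WRITECOMBINE"}
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}

EXECUTE_BITS = 0x10 | 0x20 | 0x40 | 0x80   # any PAGE_EXECUTE* variant
WRITE_BITS = 0x04 | 0x08 | 0x40 | 0x80     # any writable variant


@dataclass(frozen=True)
class MemoryDump:
    process: int      # process index as printed in the report (assumed hex in .sdmp names)
    base: int         # region base address (or PE offset for .unpack names)
    protection: int   # raw Win32 protection value; 0 when the name carries none
    mem_type: int     # raw MEM_* type value; 0 when the name carries none
    source: str


def decode_protection(value: int) -> str:
    """Render a Win32 protection value as PAGE_* names, modifiers appended."""
    base = PAGE_PROTECTION.get(value & 0xFF, f"0x{value & 0xFF:x}")
    mods = [name for bit, name in PAGE_MODIFIERS.items() if value & bit]
    return "|".join([base, *mods])


def parse_dump_name(name: str) -> MemoryDump:
    if name.endswith(".sdmp"):
        f = name[: -len(".sdmp")].split(".")
        if len(f) != 8:
            raise ValueError(f"unexpected .sdmp layout: {name}")
        return MemoryDump(int(f[0], 16), int(f[3], 16), int(f[4], 16), int(f[6], 16), name)
    if name.endswith(".unpack"):
        # <process>.<phase>.<image name>.<base hex>.<n>[.raw].unpack; the image name
        # itself contains dots, so the fields are counted from the end.
        body = name[: -len(".unpack")]
        if body.endswith(".raw"):
            body = body[: -len(".raw")]
        f = body.split(".")
        return MemoryDump(int(f[0]), int(f[-2], 16), 0, 0, name)
    raise ValueError(f"unknown dump name: {name}")


def classify(d: MemoryDump) -> str:
    """Where the Yara-matched code lives, judged from the region metadata alone."""
    if d.protection == 0 and d.mem_type == 0:
        return "unpacked PE (no region metadata)"
    kind = MEM_TYPE.get(d.mem_type, f"type 0x{d.mem_type:x}")
    executable = bool(d.protection & EXECUTE_BITS)
    writable = bool(d.protection & WRITE_BITS)
    if executable and writable:
        return f"executable+writable {kind}"
    if executable:
        return f"executable {kind}"
    return f"non-executable {kind}"


def triage(names):
    """Map each dump name to its classification."""
    return {n: classify(parse_dump_name(n)) for n in names}


# Dump identifiers exactly as the report lists them above.
REPORT_DUMPS = [
    "4.0.sixikmerozx.exe.400000.0.unpack",
    "0.2.sixikmerozx.exe.4b16438.8.raw.unpack",
    "00000015.00000002.520124794.00000000034A0000.00000004.00000800.00020000.00000000.sdmp",
    "00000015.00000002.519220440.0000000003390000.00000040.10000000.00040000.00000000.sdmp",
    "00000000.00000002.301670618.0000000004B16000.00000004.00000800.00020000.00000000.sdmp",
    "00000007.00000000.390288440.000000000D724000.00000040.00000001.00040000.00000000.sdmp",
    "00000007.00000000.372555173.000000000D724000.00000040.00000001.00040000.00000000.sdmp",
    "00000004.00000000.276811535.0000000000401000.00000040.00000400.00020000.00000000.sdmp",
    "00000015.00000002.518308713.0000000002FA0000.00000040.80000000.00040000.00000000.sdmp",
]

if __name__ == "__main__":
    for name, verdict in triage(REPORT_DUMPS).items():
        d = parse_dump_name(name)
        print(f"proc {d.process:>2}  base 0x{d.base:08X}  "
              f"{decode_protection(d.protection):<24} {verdict}")
```

Running it shows why a hollowing verdict is defensible from these names alone: process 4 has an executable+writable MEM_PRIVATE region at 0x401000, one page past the 0x400000 base of the unpacked PE `4.0.sixikmerozx.exe.400000.0.unpack`. An image mapped by the Windows loader is MEM_IMAGE; a private RWX region at an image base is code the malware wrote into the process itself. Processes 7 and 0x15 instead carry RWX MEM_MAPPED regions, i.e. section views, and the raw unpack at 0x4b16438 in process 0 sits inside the non-executable private region dumped at 0x4B16000, which is the payload resting in the loader's own data before injection.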
No contacted IP information