Windows Analysis Report
0098764345678.exe

Overview

General Information

Sample Name: 0098764345678.exe
Analysis ID: 680503
MD5: 69ec82c711ed34399013471e214a7e64
SHA1: f7fd0fc9eb038b2debf63b0ebec21f48c3fffdd4
SHA256: f71f9af9db20ea569e9a4b528898183f182a9d98a6f8668275c55690b5a59c49
Tags: exe, Formbook

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Yara detected AntiVM3
Antivirus / Scanner detection for submitted sample
System process connects to network (likely due to code injection or exploit)
Antivirus detection for URL or domain
Sample uses process hollowing technique
Maps a DLL or memory area into another process
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
.NET source code contains method to dynamically call methods (often used by packers)
Queues an APC in another process (thread injection)
.NET source code contains very large strings
Tries to detect virtualization through RDTSC time measurements
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Contains functionality for execution timing, often used to detect debuggers
Contains long sleeps (>= 3 min)
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
Tries to load missing DLLs
Contains functionality to read the PEB
Checks if the current process is being debugged
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
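The signatures above describe one injection chain rather than isolated events: a process created suspended, memory mapped or written into it, its thread context rewritten and an APC queued, then the thread resumed. The following is an added example (not Joe Sandbox code and not from this report) of how an analyst would turn that sequence into a detection over an API-call trace. The trace, its `pid|api|key=value` layout and every PID, handle and address in it are constructed for the example; the only report-derived input is the list of API families involved.

```python
"""Detect process hollowing / thread injection in an API-call trace.

Added example, not Joe Sandbox code. The trace below is constructed to mirror
the behaviours the report flags (suspended process creation, memory mapped or
written into another process, thread context modified, APC queued, thread
resumed). The 'pid|api|k=v;k=v' layout and all PIDs/handles/addresses are
invented for the example.
"""
from collections import defaultdict

CREATE_SUSPENDED = 0x00000004  # dwCreationFlags bit in CreateProcess*

CROSS_PROCESS_WRITE = {"WriteProcessMemory", "NtWriteVirtualMemory",
                       "NtMapViewOfSection", "NtUnmapViewOfSection"}
THREAD_HIJACK = {"SetThreadContext", "NtSetContextThread",
                 "QueueUserAPC", "NtQueueApcThread"}
RESUME = {"ResumeThread", "NtResumeThread"}

# Constructed trace (not from the report). Source 1000 hollows child 2000;
# source 3000 only writes into a running child 4000, which must not be
# reported as hollowing.
TRACE = """\
1000|CreateProcessW|image=C:\\Users\\user\\Desktop\\sample.exe;flags=0x4;child_pid=2000;hThread=0x1c0
1000|NtUnmapViewOfSection|target_pid=2000;base=0x400000
1000|NtMapViewOfSection|target_pid=2000;base=0x400000;protect=0x40
1000|WriteProcessMemory|target_pid=2000;base=0x401000;size=0x1a000
1000|NtSetContextThread|target_pid=2000;hThread=0x1c0;eip=0x41d2c0
1000|NtQueueApcThread|target_pid=2000;hThread=0x1c0;apc=0x41d2c0
1000|NtResumeThread|target_pid=2000;hThread=0x1c0
3000|CreateProcessW|image=C:\\Windows\\System32\\msiexec.exe;flags=0x0;child_pid=4000;hThread=0x2a4
3000|WriteProcessMemory|target_pid=4000;base=0x800000;size=0x100
"""


def parse_trace(text):
    """Return a list of (index, pid, api, args) from 'pid|api|k=v;k=v' lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        pid, api, raw = line.split("|", 2)
        args = dict(kv.split("=", 1) for kv in raw.split(";") if "=" in kv)
        events.append((len(events), int(pid), api, args))
    return events


def analyse(events):
    """Return {target_pid: (verdict, source_pid)} for processes written into by another."""
    def fresh():
        return {"source": None, "suspended": False,
                "write": None, "hijack": None, "resume": None}
    state = defaultdict(fresh)
    for idx, pid, api, args in events:
        if api.startswith("CreateProcess"):
            child = int(args["child_pid"])
            st = state[child]
            st["source"] = pid
            st["suspended"] = bool(int(args.get("flags", "0"), 16) & CREATE_SUSPENDED)
            continue
        if "target_pid" not in args:
            continue
        target = int(args["target_pid"])
        if target == pid:
            continue  # self-modification is not cross-process injection
        st = state[target]
        st["source"] = st["source"] if st["source"] is not None else pid
        if api in CROSS_PROCESS_WRITE:
            st["write"] = idx if st["write"] is None else st["write"]  # first write
        elif api in THREAD_HIJACK:
            st["hijack"] = idx  # last hijack
        elif api in RESUME:
            st["resume"] = idx
    findings = {}
    for target, st in state.items():
        if st["write"] is None:
            continue
        # Order matters: a benign suspended start resumes before anyone writes.
        hijacked = st["hijack"] is not None and st["hijack"] > st["write"]
        resumed_after = st["resume"] is not None and \
            st["resume"] > max(st["write"], st["hijack"] or 0)
        if st["suspended"] and hijacked and resumed_after:
            verdict = "process_hollowing"
        elif hijacked:
            verdict = "thread_injection"
        else:
            verdict = "cross_process_write"
        findings[target] = (verdict, st["source"])
    return findings


if __name__ == "__main__":
    for target, (verdict, source) in analyse(parse_trace(TRACE)).items():
        print(f"pid {target}: {verdict} (by pid {source})")
```

The ordering check is what separates hollowing from a legitimate debugger or installer that starts a child suspended and resumes it untouched: the write and the thread-context change must both land before the resume.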

Classification

AV Detection

Source: 0098764345678.exe ReversingLabs: Detection: 29%
Source: Yara match File source: 4.0.0098764345678.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000012.00000002.529641329.0000000000800000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000000.364459819.000000000D20D000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.302568532.0000000003689000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000000.389433481.000000000D20D000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.531711624.0000000000B40000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.284514841.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.532244734.0000000000B70000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: 0098764345678.exe Avira: detected
Source: http://www.secure-id6793-chase.com/zzun/?3fZ4-PZ=hS6fQYKqHv+OsAYXbPa1KllQZ4uj6G6pTbgTcLclchxJ2x6fi0s26xbgzAwHm+sFKe+r&oDH=0v5Tjp Avira URL Cloud: Label: phishing
Source: http://www.whipbull.com/zzun/?oDH=0v5Tjp&3fZ4-PZ=Kiv179iAIMPDqB30KPMwtVjQGuO+8qaWaLcZydmce/CQLYP70aekBaXIYi060oxX9tqE Avira URL Cloud: Label: malware
Source: www.secure-id6793-chase.com/zzun/ Avira URL Cloud: Label: phishing
Source: 0098764345678.exe Joe Sandbox ML: detected
Source: 4.0.0098764345678.exe.400000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 00000012.00000002.529641329.0000000000800000.00000040.00000001.00040000.00000000.sdmp Malware Configuration Extractor: FormBook {"C2 list": ["www.secure-id6793-chase.com/zzun/"], "decoy": ["JnNtRHyNupy0GqRzAcasu7hb4rc=", "Qv593NGLE7p9UNSaVkPXljAJm2QCNnc=", "ePArIFWvjkkMgVEVhw4M4Jk=", "26rqUwJ7dD0AiDI=", "pBAxMHeK741QFw==", "kHD7TPt5846pUMTX", "56UnjFjHL1i0j659h3LymRnHpQj+SshC", "4vKlKHflPqmWXRbrRwfPtrhb4rc=", "6LBd4qButFAi", "phMzGll8Ue7Fu+inq5cdnPaSugG3", "NKswiQGCvZoG5FgsdHEI", "rtTHnuUY8M1qVcXV", "SOmECrlAt2oGAA==", "L1ep9adutFAi", "/UE+/AyvE6uEl28weFI=", "IP+xMPQxJR4NE6TK", "xvW5GN9/rqA5YUoOVt185Sf7Uw==", "fRFNW9DhxL6VF7LA", "KFYTfkaY741QFw==", "W4JGvMBmt2oGAA==", "lnoad0Hkgrwl9uXlghvqdz33UA==", "1msShiu+9wisELGDjYAK", "FBXFOinAK8ylnMZzi35Okw==", "V8Y7/cBnt2oGAA==", "VfuI0k5pSmi6+aNjIlAT2mspCZBZLGA=", "de74yg89D61bSiU=", "V2UPjYUvwh21qdxUr4Mf", "DcFXvTxFMlyfL5JJIU0=", "GldbH/CCt2oGAA==", "sxdEIBwn+o+pUMTX", "UmViK+1/Knr8814sdHEI", "jrfKoZ6paLyeEBETgw4M4Jk=", "SR27MizpGwCa19Kb1A==", "2DGo9XUNxBOe19Kb1A==", "7tBn2cG8jasWHE7w559Aig==", "8qtAoVHxl/KGerbsfA4M4Jk=", "fC3AH6Utt2oGAA==", "HltlPHZ7FpSpUMTX", "xd0B+Pr30gBfQGYXafOW1dOSflv+SshC", "DKXWyiOecY7319Kb1A==", "Pvx505EaswiHYF3z559Aig==", "aJ6kaz7CWKsP9g9Ur4Mf", "qcvfxb9TwUoDCrfXw/uTdSkTCJBZLGA=", "I++iH8xJxFp73nyUjJOg3/PS/3W7", "K1N1guwbLz0AiDI=", "vp2SfavTmBXNzLeXmIoUhsB7", "UlAVhgIfLT0AiDI=", "6BKH5GjHt2YIo/qhA69S+5E=", "6U29K+qVw5hT4gQ83A==", "G9NTmhwpAwY6r4I69kT4dz33UA==", "0qstoaNBmBrMlfwTKhrAtLhb4rc=", "ZvMhGW52cyAAXkVV3Jc96Lhb4rc=", "N9Z3/PmEt2oGAA==", "ohlOhcaP741QFw==", "9WF3PohVjEolhCY=", "am0ek4wtmkEI9GMVhw4M4Jk=", "ROotH4+jhp7vnzVdww==", "uvkuFhGmJlyjpFFpi35Okw==", "ICHQQTIjaxTryG8weFI=", "AhIZ8uh974+pUMTX", "pEBtSFHr/5s0GQ==", "qAcuLnqLNeOpUMTX", "bcHv6WdbHoWEylgsdHEI", "Nz/rbWh3s4WFDL9uPlAhXKNz"]}
Source: 0098764345678.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 0098764345678.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: wntdll.pdbUGP source: 0098764345678.exe, 00000004.00000003.296024100.0000000001129000.00000004.00000800.00020000.00000000.sdmp, 0098764345678.exe, 00000004.00000002.405035739.00000000012C0000.00000040.00000800.00020000.00000000.sdmp, msiexec.exe, 00000012.00000002.540716207.000000000481F000.00000040.00000800.00020000.00000000.sdmp, msiexec.exe, 00000012.00000003.404501022.0000000000F9F000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000012.00000003.406891503.0000000004567000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000012.00000002.537834669.0000000004700000.00000040.00000800.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: 0098764345678.exe, 0098764345678.exe, 00000004.00000003.296024100.0000000001129000.00000004.00000800.00020000.00000000.sdmp, 0098764345678.exe, 00000004.00000002.405035739.00000000012C0000.00000040.00000800.00020000.00000000.sdmp, msiexec.exe, 00000012.00000002.540716207.000000000481F000.00000040.00000800.00020000.00000000.sdmp, msiexec.exe, 00000012.00000003.404501022.0000000000F9F000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000012.00000003.406891503.0000000004567000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000012.00000002.537834669.0000000004700000.00000040.00000800.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h 0_2_046D2538
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h 0_2_046D2528

Networking

Source: C:\Windows\explorer.exe Network Connect: 103.224.212.221 80
Source: C:\Windows\explorer.exe Domain query: www.whipbull.com
Source: C:\Windows\explorer.exe Network Connect: 194.195.211.26 80
Source: C:\Windows\explorer.exe Domain query: www.secure-id6793-chase.com
Source: Malware configuration extractor URLs: www.secure-id6793-chase.com/zzun/
Source: Joe Sandbox View ASN Name: NEXINTO-DE
Source: Joe Sandbox View ASN Name: TRELLIAN-AS-AP Trellian Pty Limited AU
Source: global traffic HTTP traffic detected: GET /zzun/?oDH=0v5Tjp&3fZ4-PZ=Kiv179iAIMPDqB30KPMwtVjQGuO+8qaWaLcZydmce/CQLYP70aekBaXIYi060oxX9tqE HTTP/1.1 | Host: www.whipbull.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii: (empty)
Source: global traffic HTTP traffic detected: GET /zzun/?3fZ4-PZ=hS6fQYKqHv+OsAYXbPa1KllQZ4uj6G6pTbgTcLclchxJ2x6fi0s26xbgzAwHm+sFKe+r&oDH=0v5Tjp HTTP/1.1 | Host: www.secure-id6793-chase.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii: (empty)
Source: global traffic HTTP traffic detected: GET /zzun/?3fZ4-PZ=hS6fQYKqHv+OsAYXbPa1KllQZ4uj6G6pTbgTcLclchxJ2x6fi0s26xbgzAwHm+sFKe+r&oDH=0v5Tjp HTTP/1.1 | Host: www.secure-id6793-chase.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii: (empty)
Source: Joe Sandbox View IP Address: 194.195.211.26
Source: Joe Sandbox View IP Address: 103.224.212.221
Source: 0098764345678.exe, 00000000.00000002.308772768.0000000006842000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://fontfabrik.com
Source: msiexec.exe, 00000012.00000002.544412109.0000000004DB2000.00000004.10000000.00040000.00000000.sdmp String found in binary or memory: http://ww25.whipbull.com/zzun/?oDH=0v5Tjp&3fZ4-PZ=Kiv179iAIMPDqB30KPMwtVjQGuO
Source: 0098764345678.exe, 00000000.00000002.308772768.0000000006842000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: 0098764345678.exe, 00000000.00000002.308772768.0000000006842000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.carterandcone.coml
Source: 0098764345678.exe, 00000000.00000002.308772768.0000000006842000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com
Source: 0098764345678.exe, 00000000.00000002.308772768.0000000006842000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers
Source: 0098764345678.exe, 00000000.00000002.308772768.0000000006842000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/?
Source: 0098764345678.exe, 00000000.00000002.308772768.0000000006842000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: 0098764345678.exe, 00000000.00000002.308772768.0000000006842000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: 0098764345678.exe, 00000000.00000002.308772768.0000000006842000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers8
Source: 0098764345678.exe, 00000000.00000002.308772768.0000000006842000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers?
Source: 0098764345678.exe, 00000000.00000002.308772768.0000000006842000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designersG
Source: 0098764345678.exe, 00000000.00000003.288166992.0000000005630000.00000004.00000800.00020000.00000000.sdmp, 0098764345678.exe, 00000000.00000002.308556522.0000000005641000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.comFXD
Source: 0098764345678.exe, 00000000.00000003.288166992.0000000005630000.00000004.00000800.00020000.00000000.sdmp, 0098764345678.exe, 00000000.00000002.308556522.0000000005641000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.comgritakD
Source: 0098764345678.exe, 00000000.00000003.263438887.0000000005665000.00000004.00000800.00020000.00000000.sdmp, 0098764345678.exe, 00000000.00000003.263144005.0000000005665000.00000004.00000800.00020000.00000000.sdmp, 0098764345678.exe, 00000000.00000002.308772768.0000000006842000.00000004.00000800.00020000.00000000.sdmp, 0098764345678.exe, 00000000.00000003.262991538.0000000005665000.00000004.00000800.00020000.00000000.sdmp, 0098764345678.exe, 00000000.00000003.263340582.0000000005665000.00000004.00000800.00020000.00000000.sdmp, 0098764345678.exe, 00000000.00000003.263111987.0000000005665000.00000004.00000800.00020000.00000000.sdmp, 0098764345678.exe, 00000000.00000003.263505726.0000000005665000.00000004.00000800.00020000.00000000.sdmp, 0098764345678.exe, 00000000.00000003.263403072.0000000005665000.00000004.00000800.00020000.00000000.sdmp, 0098764345678.exe, 00000000.00000003.262961210.0000000005665000.00000004.00000800.00020000.00000000.sdmp, 0098764345678.exe, 00000000.00000003.263652450.0000000005665000.00000004.00000800.00020000.00000000.sdmp, 0098764345678.exe, 00000000.00000003.263454212.0000000005665000.00000004.00000800.00020000.00000000.sdmp, 0098764345678.exe, 00000000.00000003.263175663.0000000005665000.00000004.00000800.00020000.00000000.sdmp, 0098764345678.exe, 00000000.00000003.263090313.0000000005665000.00000004.00000800.00020000.00000000.sdmp, 0098764345678.exe, 00000000.00000003.263265218.0000000005665000.00000004.00000800.00020000.00000000.sdmp, 0098764345678.exe, 00000000.00000003.263287108.0000000005665000.00000004.00000800.00020000.00000000.sdmp, 0098764345678.exe, 00000000.00000003.263576385.0000000005665000.00000004.00000800.00020000.00000000.sdmp, 0098764345678.exe, 00000000.00000003.263025198.0000000005665000.00000004.00000800.00020000.00000000.sdmp, 0098764345678.exe, 00000000.00000003.262968838.000000000564B000.00000004.00000800.00020000.00000000.sdmp, 0098764345678.exe, 00000000.00000003.263526587.0000000005665000.00000004.00000800.00020000.00000000.sdmp, 0098764345678.exe, 00000000.00000003.263471443.0000000005665000.00000004.00000800.00020000.00000000.sdmp, 0098764345678.exe, 00000000.00000003.263596357.0000000005665000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fonts.com
Source: 0098764345678.exe, 00000000.00000003.263438887.0000000005665000.00000004.00000800.00020000.00000000.sdmp, 0098764345678.exe, 00000000.00000003.263144005.0000000005665000.00000004.00000800.00020000.00000000.sdmp, 0098764345678.exe, 00000000.00000003.263340582.0000000005665000.00000004.00000800.00020000.00000000.sdmp, 0098764345678.exe, 00000000.00000003.263111987.0000000005665000.00000004.00000800.00020000.00000000.sdmp, 0098764345678.exe, 00000000.00000003.263505726.0000000005665000.00000004.00000800.00020000.00000000.sdmp, 0098764345678.exe, 00000000.00000003.263403072.0000000005665000.00000004.00000800.00020000.00000000.sdmp, 0098764345678.exe, 00000000.00000003.263652450.0000000005665000.00000004.00000800.00020000.00000000.sdmp, 0098764345678.exe, 00000000.00000003.263454212.0000000005665000.00000004.00000800.00020000.00000000.sdmp, 0098764345678.exe, 00000000.00000003.263175663.0000000005665000.00000004.00000800.00020000.00000000.sdmp, 0098764345678.exe, 00000000.00000003.263090313.0000000005665000.00000004.00000800.00020000.00000000.sdmp, 0098764345678.exe, 00000000.00000003.263265218.0000000005665000.00000004.00000800.00020000.00000000.sdmp, 0098764345678.exe, 00000000.00000003.263287108.0000000005665000.00000004.00000800.00020000.00000000.sdmp, 0098764345678.exe, 00000000.00000003.263576385.0000000005665000.00000004.00000800.00020000.00000000.sdmp, 0098764345678.exe, 00000000.00000003.263025198.0000000005665000.00000004.00000800.00020000.00000000.sdmp, 0098764345678.exe, 00000000.00000003.263526587.0000000005665000.00000004.00000800.00020000.00000000.sdmp, 0098764345678.exe, 00000000.00000003.263471443.0000000005665000.00000004.00000800.00020000.00000000.sdmp, 0098764345678.exe, 00000000.00000003.263596357.0000000005665000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fonts.comB
Source: 0098764345678.exe, 00000000.00000003.263070688.000000000564B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fonts.comLQ
Source: 0098764345678.exe, 00000000.00000003.262961210.0000000005665000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fonts.comX
Source: 0098764345678.exe, 00000000.00000003.263438887.0000000005665000.00000004.00000800.00020000.00000000.sdmp, 0098764345678.exe, 00000000.00000003.263144005.0000000005665000.00000004.00000800.00020000.00000000.sdmp, 0098764345678.exe, 00000000.00000003.262991538.0000000005665000.00000004.00000800.00020000.00000000.sdmp, 0098764345678.exe, 00000000.00000003.263340582.0000000005665000.00000004.00000800.00020000.00000000.sdmp, 0098764345678.exe, 00000000.00000003.263111987.0000000005665000.00000004.00000800.00020000.00000000.sdmp, 0098764345678.exe, 00000000.00000003.263505726.0000000005665000.00000004.00000800.00020000.00000000.sdmp, 0098764345678.exe, 00000000.00000003.263403072.0000000005665000.00000004.00000800.00020000.00000000.sdmp, 0098764345678.exe, 00000000.00000003.263652450.0000000005665000.00000004.00000800.00020000.00000000.sdmp, 0098764345678.exe, 00000000.00000003.263454212.0000000005665000.00000004.00000800.00020000.00000000.sdmp, 0098764345678.exe, 00000000.00000003.263175663.0000000005665000.00000004.00000800.00020000.00000000.sdmp, 0098764345678.exe, 00000000.00000003.263090313.0000000005665000.00000004.00000800.00020000.00000000.sdmp, 0098764345678.exe, 00000000.00000003.263265218.0000000005665000.00000004.00000800.00020000.00000000.sdmp, 0098764345678.exe, 00000000.00000003.263287108.0000000005665000.00000004.00000800.00020000.00000000.sdmp, 0098764345678.exe, 00000000.00000003.263576385.0000000005665000.00000004.00000800.00020000.00000000.sdmp, 0098764345678.exe, 00000000.00000003.263025198.0000000005665000.00000004.00000800.00020000.00000000.sdmp, 0098764345678.exe, 00000000.00000003.263526587.0000000005665000.00000004.00000800.00020000.00000000.sdmp, 0098764345678.exe, 00000000.00000003.263471443.0000000005665000.00000004.00000800.00020000.00000000.sdmp, 0098764345678.exe, 00000000.00000003.263596357.0000000005665000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fonts.comc
Source: 0098764345678.exe, 00000000.00000002.308772768.0000000006842000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn
Source: 0098764345678.exe, 00000000.00000002.308772768.0000000006842000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: 0098764345678.exe, 00000000.00000002.308772768.0000000006842000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: 0098764345678.exe, 00000000.00000002.308772768.0000000006842000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: 0098764345678.exe, 00000000.00000002.308772768.0000000006842000.00000004.00000800.00020000.00000000.sdmp, 0098764345678.exe, 00000000.00000003.288166992.0000000005630000.00000004.00000800.00020000.00000000.sdmp, 0098764345678.exe, 00000000.00000003.268355050.0000000005649000.00000004.00000800.00020000.00000000.sdmp, 0098764345678.exe, 00000000.00000003.268444960.0000000005649000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: 0098764345678.exe, 00000000.00000002.308772768.0000000006842000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.goodfont.co.kr
Source: 0098764345678.exe, 00000000.00000002.308772768.0000000006842000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: 0098764345678.exe, 00000000.00000002.308772768.0000000006842000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sajatypeworks.com
Source: 0098764345678.exe, 00000000.00000002.308772768.0000000006842000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sakkal.com
Source: 0098764345678.exe, 00000000.00000002.308772768.0000000006842000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sandoll.co.kr
Source: 0098764345678.exe, 00000000.00000002.308772768.0000000006842000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.tiro.com
Source: 0098764345678.exe, 00000000.00000003.263275143.000000000564B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.tiro.comcom
Source: 0098764345678.exe, 00000000.00000002.308772768.0000000006842000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.typography.netD
Source: 0098764345678.exe, 00000000.00000002.308772768.0000000006842000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.urwpp.deDPlease
Source: 0098764345678.exe, 00000000.00000002.308772768.0000000006842000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.zhongyicts.com.cn
Source: unknown DNS traffic detected: queries for: www.whipbull.com
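The extracted configuration names a single C2 (www.secure-id6793-chase.com/zzun/) plus a list of opaque decoy entries, yet explorer.exe beaconed to two hosts with the same path and the same two query keys. FormBook mixes requests to decoy hosts in with its real C2 traffic, so blocking only the contacted hosts over-blocks and misses the campaign pivot. The script below is an added example (not Joe Sandbox code and not from the report) that re-types the two captured GETs and the C2 list from this page, classifies each host against the configuration, and extracts the stable campaign markers (path, parameter key set, constant parameter values) for hunting in proxy logs. The raw HTTP framing (CRLF line breaks, header order) is reconstructed and the helper names are mine; the encrypted decoy entries are not decoded.

```python
"""Classify the beacons captured in this report against the extracted config.

Added example, not part of the report or of Joe Sandbox. Requests and C2 list
are re-typed from the report; the HTTP framing is reconstructed. Config decoy
entries are opaque strings and are deliberately not decoded here.
"""

C2_LIST = ["www.secure-id6793-chase.com/zzun/"]  # from the extracted config

# The two captured requests, reassembled into raw HTTP (constructed framing).
CAPTURED = [
    "GET /zzun/?oDH=0v5Tjp&3fZ4-PZ=Kiv179iAIMPDqB30KPMwtVjQGuO+8qaWaLcZydmce/CQLYP70aekBaXIYi060oxX9tqE HTTP/1.1\r\n"
    "Host: www.whipbull.com\r\nConnection: close\r\n\r\n",
    "GET /zzun/?3fZ4-PZ=hS6fQYKqHv+OsAYXbPa1KllQZ4uj6G6pTbgTcLclchxJ2x6fi0s26xbgzAwHm+sFKe+r&oDH=0v5Tjp HTTP/1.1\r\n"
    "Host: www.secure-id6793-chase.com\r\nConnection: close\r\n\r\n",
]


def parse_request(raw):
    """Split a raw HTTP/1.1 request into method, host, path, params, headers, body."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    path, _, query = target.partition("?")
    # Keep values verbatim: '+' and '/' are part of the encoded blob, so no
    # urllib decoding here (parse_qsl would turn '+' into a space).
    params = {}
    for pair in (query.split("&") if query else []):
        key, _, value = pair.partition("=")
        params[key] = value
    return {"method": method, "host": headers.get("host", ""), "path": path,
            "params": params, "headers": headers, "body": body}


def classify(req, c2_list):
    """Tag a request as configured C2 or decoy/unlisted and record beacon traits."""
    traits = set()
    if req["method"] == "GET" and "user-agent" not in req["headers"]:
        traits.add("no_user_agent")          # matches the report's signature
    if req["headers"].get("connection", "").lower() == "close":
        traits.add("connection_close")
    hostpath = req["host"] + req["path"]
    configured = any(hostpath.startswith(entry) for entry in c2_list)
    return {"host": req["host"], "path": req["path"],
            "role": "configured_c2" if configured else "decoy_or_unlisted",
            "traits": traits, "param_keys": frozenset(req["params"])}


def campaign_pivot(reqs):
    """Return (path, param key set, params constant across all beacons), or None."""
    if not reqs:
        return None
    paths = {r["path"] for r in reqs}
    keysets = {frozenset(r["params"]) for r in reqs}
    if len(paths) != 1 or len(keysets) != 1:
        return None  # not one campaign's traffic; do not build a pivot from it
    keys = next(iter(keysets))
    first = reqs[0]["params"]
    constant = {k: first[k] for k in keys
                if all(r["params"][k] == first[k] for r in reqs)}
    return (paths.pop(), keys, constant)


def triage(raw_requests, c2_list=C2_LIST):
    reqs = [parse_request(r) for r in raw_requests]
    return [classify(r, c2_list) for r in reqs], campaign_pivot(reqs)


if __name__ == "__main__":
    verdicts, pivot = triage(CAPTURED)
    for v in verdicts:
        print(v["host"], v["role"], sorted(v["traits"]))
    print("pivot:", pivot)
```

On this sample the pivot is the path `/zzun/` with keys `oDH` and `3fZ4-PZ`, where `oDH=0v5Tjp` is identical in both requests while the long value changes per request; a proxy search on the constant key/value pair plus the missing User-Agent finds other hosts of the same campaign without relying on the decoy domains.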

E-Banking Fraud

Source: Yara match File source: 4.0.0098764345678.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000012.00000002.529641329.0000000000800000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000000.364459819.000000000D20D000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.302568532.0000000003689000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000000.389433481.000000000D20D000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.531711624.0000000000B40000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.284514841.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.532244734.0000000000B70000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

System Summary

Source: 4.0.0098764345678.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 4.0.0098764345678.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 4.0.0098764345678.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.0098764345678.exe.26c6388.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables containing artifacts associated with disabling Windows Defender Author: ditekSHen
Source: 00000012.00000002.529641329.0000000000800000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000012.00000002.529641329.0000000000800000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000012.00000002.529641329.0000000000800000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000000.364459819.000000000D20D000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000007.00000000.364459819.000000000D20D000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000000.364459819.000000000D20D000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.302568532.0000000003689000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000000.00000002.302568532.0000000003689000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.302568532.0000000003689000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000000.389433481.000000000D20D000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000007.00000000.389433481.000000000D20D000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000000.389433481.000000000D20D000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000012.00000002.531711624.0000000000B40000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000012.00000002.531711624.0000000000B40000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000012.00000002.531711624.0000000000B40000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000000.284514841.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000004.00000000.284514841.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000000.284514841.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000012.00000002.532244734.0000000000B70000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000012.00000002.532244734.0000000000B70000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000012.00000002.532244734.0000000000B70000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: Process Memory Space: 0098764345678.exe PID: 1260, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: msiexec.exe PID: 5440, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0098764345678.exe, AddCompanyForm.cs Long String: Length: 20037
Source: 0.0.0098764345678.exe.2e0000.0.unpack, AddCompanyForm.cs Long String: Length: 20037
Source: 0098764345678.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 4.0.0098764345678.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 4.0.0098764345678.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 4.0.0098764345678.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.0098764345678.exe.26c6388.0.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_DisableWinDefender author = ditekSHen, description = Detects executables containing artifacts associated with disabling Windows Defender
Source: 00000012.00000002.529641329.0000000000800000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000012.00000002.529641329.0000000000800000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000012.00000002.529641329.0000000000800000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000000.364459819.000000000D20D000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000007.00000000.364459819.000000000D20D000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000000.364459819.000000000D20D000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.302568532.0000000003689000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000000.00000002.302568532.0000000003689000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.302568532.0000000003689000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000000.389433481.000000000D20D000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000007.00000000.389433481.000000000D20D000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000000.389433481.000000000D20D000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000012.00000002.531711624.0000000000B40000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000012.00000002.531711624.0000000000B40000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000012.00000002.531711624.0000000000B40000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000000.284514841.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000004.00000000.284514841.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000000.284514841.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000012.00000002.532244734.0000000000B70000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000012.00000002.532244734.0000000000B70000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000012.00000002.532244734.0000000000B70000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: Process Memory Space: 0098764345678.exe PID: 5832, type: MEMORYSTR Matched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, score = file, reference = Internal Research
Source: Process Memory Space: 0098764345678.exe PID: 1260, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: msiexec.exe PID: 5440, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
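The .sdmp names in the hit list above encode where each YARA match landed, and reading them is quicker than opening every dump: a region that is executable but not backed by a loaded image is where an unpacked or injected payload lives. The Python below is an added example, not part of the Joe Sandbox report. The field layout it assumes (process index, stage, dump id, base address, page protection, region type, with two fields left uninterpreted) is inferred from the Windows constants that appear in the names themselves: 0x40 is PAGE_EXECUTE_READWRITE, 0x20000 MEM_PRIVATE, 0x40000 MEM_MAPPED, 0x1000000 MEM_IMAGE. The process index is assumed to be hexadecimal. Its sample input is the region names copied from the hits above, with one duplicate to show that several rules matching one dump collapse to a single region.

```python
"""Triage Joe Sandbox memory-dump (.sdmp) names from a YARA hit list.

Added example, not part of the report. Field layout is inferred from the
Windows constants visible in the names; fields 5 and 7 are not interpreted.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Page protection constants (winnt.h). Any PAGE_EXECUTE* value is executable.
PROTECT_NAMES = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
EXECUTABLE = {0x10, 0x20, 0x40, 0x80}

# MEMORY_BASIC_INFORMATION.Type values.
MEM_PRIVATE, MEM_MAPPED, MEM_IMAGE = 0x20000, 0x40000, 0x1000000
TYPE_NAMES = {MEM_PRIVATE: "MEM_PRIVATE", MEM_MAPPED: "MEM_MAPPED", MEM_IMAGE: "MEM_IMAGE"}

# <proc>.<stage>.<dump id>.<base>.<protect>.<f5>.<type>.<f7>.sdmp
SDMP_RE = re.compile(
    r"(?P<proc>[0-9A-Fa-f]{8})\.(?P<stage>[0-9A-Fa-f]{8})\.(?P<dump>\d+)\."
    r"(?P<base>[0-9A-Fa-f]{16})\.(?P<protect>[0-9A-Fa-f]{8})\.[0-9A-Fa-f]{8}\."
    r"(?P<type>[0-9A-Fa-f]{8})\.[0-9A-Fa-f]{8}\.sdmp"
)


@dataclass(frozen=True)
class Region:
    proc: int       # sandbox process index (assumed hexadecimal)
    base: int
    protect: int
    mem_type: int

    @property
    def suspicious(self) -> bool:
        # Executable memory not backed by a loaded image (MEM_IMAGE) is where
        # unpacked or injected code lives; an RX image section is normal.
        return self.protect in EXECUTABLE and self.mem_type != MEM_IMAGE

    def describe(self) -> str:
        return (f"proc {self.proc:#x} base {self.base:#010x} "
                f"{PROTECT_NAMES.get(self.protect, hex(self.protect))} "
                f"{TYPE_NAMES.get(self.mem_type, hex(self.mem_type))}")


def parse_regions(report_text: str) -> list[Region]:
    """One Region per (process, base); the same dump often matches several rules."""
    regions: dict[tuple[int, int], Region] = {}
    for m in SDMP_RE.finditer(report_text):
        r = Region(int(m["proc"], 16), int(m["base"], 16),
                   int(m["protect"], 16), int(m["type"], 16))
        regions[(r.proc, r.base)] = r
    return sorted(regions.values(), key=lambda r: (r.proc, r.base))


def suspicious_regions(report_text: str) -> list[Region]:
    return [r for r in parse_regions(report_text) if r.suspicious]


# Region names copied from the hit list above (one deliberate duplicate).
SAMPLE_HITS = """
00000012.00000002.529641329.0000000000800000.00000040.00000001.00040000.00000000.sdmp
00000012.00000002.529641329.0000000000800000.00000040.00000001.00040000.00000000.sdmp
00000007.00000000.364459819.000000000D20D000.00000040.00000001.00040000.00000000.sdmp
00000007.00000000.389433481.000000000D20D000.00000040.00000001.00040000.00000000.sdmp
00000000.00000002.302568532.0000000003689000.00000004.00000800.00020000.00000000.sdmp
00000012.00000002.531711624.0000000000B40000.00000040.10000000.00040000.00000000.sdmp
00000004.00000000.284514841.0000000000401000.00000040.00000400.00020000.00000000.sdmp
00000012.00000002.532244734.0000000000B70000.00000004.00000800.00020000.00000000.sdmp
00000000.00000000.259391236.00000000003A9000.00000002.00000001.01000000.00000003.sdmp
"""

if __name__ == "__main__":
    for r in suspicious_regions(SAMPLE_HITS):
        print(r.describe())
```

On the report's own names this flags four regions: process 4 at 0x401000 (PAGE_EXECUTE_READWRITE, MEM_PRIVATE), process 7 (explorer.exe) at 0xD20D000, and process 0x12 (msiexec.exe) at 0x800000 and 0xB40000, all RWX and mapped or private. The process-4 hit is the telling one: the sample's own image base is private memory rather than MEM_IMAGE, which is what you expect after the original image has been unmapped and a payload written in its place. The PAGE_READWRITE and image-backed regions, including the two hits in process 0, drop out as ordinary heap or loaded-module memory.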
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 0_2_046D00D7 0_2_046D00D7
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 0_2_046D0229 0_2_046D0229
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 0_2_04B64548 0_2_04B64548
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 0_2_04B6E820 0_2_04B6E820
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 0_2_04B6E810 0_2_04B6E810
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 0_2_04B6BF54 0_2_04B6BF54
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 0_2_07209678 0_2_07209678
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 0_2_0720CE50 0_2_0720CE50
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 0_2_07203EF8 0_2_07203EF8
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 0_2_07202D00 0_2_07202D00
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 0_2_072055B0 0_2_072055B0
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 0_2_07206460 0_2_07206460
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 0_2_07204BB8 0_2_07204BB8
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 0_2_0720C020 0_2_0720C020
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 0_2_07209669 0_2_07209669
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 0_2_072086E8 0_2_072086E8
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 0_2_07203EEA 0_2_07203EEA
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 0_2_072086D8 0_2_072086D8
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 0_2_072055A0 0_2_072055A0
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 0_2_072084A0 0_2_072084A0
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 0_2_072084B0 0_2_072084B0
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 0_2_0720D348 0_2_0720D348
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 0_2_07203348 0_2_07203348
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 0_2_07203358 0_2_07203358
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 0_2_07204BA8 0_2_07204BA8
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 0_2_072063C5 0_2_072063C5
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 0_2_07208AC8 0_2_07208AC8
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 0_2_07208AD8 0_2_07208AD8
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 0_2_07208138 0_2_07208138
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 0_2_07208900 0_2_07208900
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 0_2_07208910 0_2_07208910
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 0_2_07208148 0_2_07208148
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 0_2_07205068 0_2_07205068
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 0_2_07205058 0_2_07205058
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_01304120 4_2_01304120
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_012EF900 4_2_012EF900
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_013099BF 4_2_013099BF
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_0130A830 4_2_0130A830
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_013BE824 4_2_013BE824
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_013A1002 4_2_013A1002
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_013120A0 4_2_013120A0
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_013B20A8 4_2_013B20A8
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_012FB090 4_2_012FB090
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_013B28EC 4_2_013B28EC
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_013B2B28 4_2_013B2B28
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_0130A309 4_2_0130A309
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_0130AB40 4_2_0130AB40
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_0138CB4F 4_2_0138CB4F
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_0131EBB0 4_2_0131EBB0
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_0131138B 4_2_0131138B
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_013923E3 4_2_013923E3
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_013A03DA 4_2_013A03DA
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_013ADBD2 4_2_013ADBD2
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_0131ABD8 4_2_0131ABD8
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_0130B236 4_2_0130B236
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_0139FA2B 4_2_0139FA2B
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_013B22AE 4_2_013B22AE
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_013A4AEF 4_2_013A4AEF
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_012E0D20 4_2_012E0D20
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_013B2D07 4_2_013B2D07
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_013B1D55 4_2_013B1D55
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_01312581 4_2_01312581
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_013A2D82 4_2_013A2D82
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_012FD5E0 4_2_012FD5E0
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_013B25DD 4_2_013B25DD
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_012F841F 4_2_012F841F
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_0130B477 4_2_0130B477
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_013AD466 4_2_013AD466
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_013A4496 4_2_013A4496
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_013B1FF1 4_2_013B1FF1
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_013BDFCE 4_2_013BDFCE
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_01306E30 4_2_01306E30
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_013AD616 4_2_013AD616
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_013B2EF7 4_2_013B2EF7
Source: C:\Users\user\Desktop\0098764345678.exe Code function: String function: 012EB150 appears 136 times
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_01329910 NtAdjustPrivilegesToken,LdrInitializeThunk, 4_2_01329910
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_013299A0 NtCreateSection,LdrInitializeThunk, 4_2_013299A0
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_01329860 NtQuerySystemInformation,LdrInitializeThunk, 4_2_01329860
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_01329840 NtDelayExecution,LdrInitializeThunk, 4_2_01329840
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_013298F0 NtReadVirtualMemory,LdrInitializeThunk, 4_2_013298F0
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_01329A20 NtResumeThread,LdrInitializeThunk, 4_2_01329A20
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_01329A00 NtProtectVirtualMemory,LdrInitializeThunk, 4_2_01329A00
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_01329A50 NtCreateFile,LdrInitializeThunk, 4_2_01329A50
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_01329540 NtReadFile,LdrInitializeThunk, 4_2_01329540
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_013295D0 NtClose,LdrInitializeThunk, 4_2_013295D0
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_01329710 NtQueryInformationToken,LdrInitializeThunk, 4_2_01329710
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_013297A0 NtUnmapViewOfSection,LdrInitializeThunk, 4_2_013297A0
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_01329780 NtMapViewOfSection,LdrInitializeThunk, 4_2_01329780
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_01329FE0 NtCreateMutant,LdrInitializeThunk, 4_2_01329FE0
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_01329660 NtAllocateVirtualMemory,LdrInitializeThunk, 4_2_01329660
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_013296E0 NtFreeVirtualMemory,LdrInitializeThunk, 4_2_013296E0
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_01329950 NtQueueApcThread, 4_2_01329950
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_013299D0 NtCreateProcessEx, 4_2_013299D0
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_01329820 NtEnumerateKey, 4_2_01329820
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_0132B040 NtSuspendThread, 4_2_0132B040
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_013298A0 NtWriteVirtualMemory, 4_2_013298A0
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_01329B00 NtSetValueKey, 4_2_01329B00
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_0132A3B0 NtGetContextThread, 4_2_0132A3B0
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_01329A10 NtQuerySection, 4_2_01329A10
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_01329A80 NtOpenDirectoryObject, 4_2_01329A80
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_0132AD30 NtSetContextThread, 4_2_0132AD30
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_01329520 NtWaitForSingleObject, 4_2_01329520
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_01329560 NtWriteFile, 4_2_01329560
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_013295F0 NtQueryInformationFile, 4_2_013295F0
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_01329730 NtQueryVirtualMemory, 4_2_01329730
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_0132A710 NtOpenProcessToken, 4_2_0132A710
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_0132A770 NtOpenThread, 4_2_0132A770
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_01329770 NtSetInformationFile, 4_2_01329770
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_01329760 NtOpenProcess, 4_2_01329760
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_01329610 NtEnumerateValueKey, 4_2_01329610
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_01329670 NtQueryInformationProcess, 4_2_01329670
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_01329650 NtQueryValueKey, 4_2_01329650
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_013296D0 NtCreateKey, 4_2_013296D0
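The Nt* names resolved in the "Code function" lines above are the raw material behind the summary's "process hollowing", "queues an APC" and "modifies the context of a thread" verdicts. The Python below is an added example rather than anything from the report: it pulls the API names out of these lines and groups them into the injection primitives they form. The technique groupings are the example's own heuristics, not a Joe Sandbox rule, and the sample input is a constructed excerpt of the lines above. One caveat worth carrying into detection work: every call here is resolved at 4_2_0132xxxx, in the process-4 address range where the report also finds ntdll version information and the wntdll.pdb string at 0x12C0000, which is consistent with the payload calling into its own mapped copy of ntdll rather than the loaded one. User-mode hooks on the loaded ntdll's exports do not see such calls; kernel-side telemetry does.

```python
"""Group the Nt* calls resolved in Joe Sandbox "Code function" lines into the
injection primitives they form. Added example, not part of the report; the
technique groupings below are this example's heuristics, not a sandbox rule."""
from __future__ import annotations

import re

# "Code function: 4_2_01329910 NtAdjustPrivilegesToken,LdrInitializeThunk, 4_2_01329910"
CODE_FN_RE = re.compile(r"Code function: (?P<fn>\w+) (?P<apis>(?:\w+,)+)")

# required: all must be present; any_of: at least one; also: supporting evidence.
TECHNIQUES: dict[str, dict[str, set[str]]] = {
    "process hollowing": {
        "required": {"NtUnmapViewOfSection", "NtResumeThread"},
        "any_of": {"NtMapViewOfSection", "NtWriteVirtualMemory"},
        "also": {"NtCreateProcessEx", "NtCreateSection", "NtGetContextThread",
                 "NtSetContextThread", "NtQueryInformationProcess"},
    },
    "APC injection": {
        "required": {"NtQueueApcThread"},
        "any_of": {"NtOpenThread", "NtSuspendThread", "NtResumeThread"},
        "also": {"NtAllocateVirtualMemory", "NtWriteVirtualMemory", "NtProtectVirtualMemory"},
    },
    "thread context hijack": {
        "required": {"NtGetContextThread", "NtSetContextThread"},
        "any_of": {"NtSuspendThread", "NtResumeThread"},
        "also": {"NtOpenThread", "NtWriteVirtualMemory"},
    },
}


def extract_apis(report_text: str) -> dict[str, list[str]]:
    """Map each Nt* API name to the resolved function ids that reference it."""
    found: dict[str, list[str]] = {}
    for m in CODE_FN_RE.finditer(report_text):
        for name in m["apis"].split(","):
            if name.startswith("Nt"):            # drop LdrInitializeThunk and blanks
                found.setdefault(name, []).append(m["fn"])
    return found


def classify(api_names: set[str]) -> dict[str, list[str]]:
    """Return technique -> sorted evidence APIs, for techniques whose pattern is met."""
    hits: dict[str, list[str]] = {}
    for technique, sig in TECHNIQUES.items():
        if sig["required"] <= api_names and sig["any_of"] & api_names:
            evidence = (sig["required"] | sig["any_of"] | sig["also"]) & api_names
            hits[technique] = sorted(evidence)
    return hits


# Constructed excerpt of the report lines above; the last line has no API name.
SAMPLE_LINES = r"""
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_013299A0 NtCreateSection,LdrInitializeThunk, 4_2_013299A0
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_01329A20 NtResumeThread,LdrInitializeThunk, 4_2_01329A20
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_01329A50 NtCreateFile,LdrInitializeThunk, 4_2_01329A50
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_013297A0 NtUnmapViewOfSection,LdrInitializeThunk, 4_2_013297A0
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_01329780 NtMapViewOfSection,LdrInitializeThunk, 4_2_01329780
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_01329660 NtAllocateVirtualMemory,LdrInitializeThunk, 4_2_01329660
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_01329950 NtQueueApcThread, 4_2_01329950
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_013299D0 NtCreateProcessEx, 4_2_013299D0
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_0132B040 NtSuspendThread, 4_2_0132B040
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_013298A0 NtWriteVirtualMemory, 4_2_013298A0
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_0132A3B0 NtGetContextThread, 4_2_0132A3B0
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_0132AD30 NtSetContextThread, 4_2_0132AD30
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_0132A770 NtOpenThread, 4_2_0132A770
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_01304120 4_2_01304120
"""

if __name__ == "__main__":
    for technique, evidence in classify(set(extract_apis(SAMPLE_LINES))).items():
        print(f"{technique}: {', '.join(evidence)}")
```

Run against the excerpt, all three groupings fire, which matches the three injection signatures in the summary. The point of keeping required, any_of and also separate is to avoid scoring a benign process that merely opens and closes files: NtCreateFile, NtReadFile and NtClose alone produce no hit, while NtUnmapViewOfSection together with NtResumeThread is rare outside hollowing and is treated as the anchor for that verdict.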
Source: 0098764345678.exe, 00000000.00000003.278591003.0000000002CD8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMajorRevision.exe< vs 0098764345678.exe
Source: 0098764345678.exe, 00000000.00000002.296657611.0000000002681000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameBunifu.UI.dll4 vs 0098764345678.exe
Source: 0098764345678.exe, 00000000.00000002.304635957.0000000003838000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMajorRevision.exe< vs 0098764345678.exe
Source: 0098764345678.exe, 00000000.00000002.311137513.00000000070F0000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameMajorRevision.exe< vs 0098764345678.exe
Source: 0098764345678.exe, 00000000.00000000.259391236.00000000003A9000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameeSjJ.exe6 vs 0098764345678.exe
Source: 0098764345678.exe, 00000004.00000003.296880830.0000000001248000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs 0098764345678.exe
Source: 0098764345678.exe, 00000004.00000003.288906894.000000000109B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs 0098764345678.exe
Source: 0098764345678.exe, 00000004.00000002.406996064.00000000013DF000.00000040.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs 0098764345678.exe
Source: 0098764345678.exe Binary or memory string: OriginalFilenameeSjJ.exe6 vs 0098764345678.exe
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc.dll Jump to behavior
Source: 0098764345678.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 0098764345678.exe ReversingLabs: Detection: 29%
Source: 0098764345678.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\0098764345678.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\0098764345678.exe "C:\Users\user\Desktop\0098764345678.exe"
Source: C:\Users\user\Desktop\0098764345678.exe Process created: C:\Users\user\Desktop\0098764345678.exe {path}
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\SysWOW64\msiexec.exe
Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\0098764345678.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\0098764345678.exe Process created: C:\Users\user\Desktop\0098764345678.exe {path} Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\0098764345678.exe" Jump to behavior
Source: C:\Users\user\Desktop\0098764345678.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\0098764345678.exe.log Jump to behavior
Source: classification engine Classification label: mal100.troj.evad.winEXE@7/1@4/3
Source: 0098764345678.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
Source: C:\Users\user\Desktop\0098764345678.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll Jump to behavior
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2616:120:WilError_01
Source: C:\Users\user\Desktop\0098764345678.exe Mutant created: \Sessions\1\BaseNamedObjects\qwxyLctBReTaJUexo
Source: 0098764345678.exe String found in binary or memory: Address:/AddressToolStripTextBox-AddressToolStripButton'ToolStripSeparator3'PhoneToolStripLabel
Source: 0098764345678.exe String found in binary or memory: Address:/AddressToolStripTextBox-AddressToolStripButton'ToolStripSeparator3'PhoneToolStripLabel
Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\Desktop\0098764345678.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll Jump to behavior
Source: 0098764345678.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: 0098764345678.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: wntdll.pdbUGP source: 0098764345678.exe, 00000004.00000003.296024100.0000000001129000.00000004.00000800.00020000.00000000.sdmp, 0098764345678.exe, 00000004.00000002.405035739.00000000012C0000.00000040.00000800.00020000.00000000.sdmp, msiexec.exe, 00000012.00000002.540716207.000000000481F000.00000040.00000800.00020000.00000000.sdmp, msiexec.exe, 00000012.00000003.404501022.0000000000F9F000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000012.00000003.406891503.0000000004567000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000012.00000002.537834669.0000000004700000.00000040.00000800.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: 0098764345678.exe, 0098764345678.exe, 00000004.00000003.296024100.0000000001129000.00000004.00000800.00020000.00000000.sdmp, 0098764345678.exe, 00000004.00000002.405035739.00000000012C0000.00000040.00000800.00020000.00000000.sdmp, msiexec.exe, 00000012.00000002.540716207.000000000481F000.00000040.00000800.00020000.00000000.sdmp, msiexec.exe, 00000012.00000003.404501022.0000000000F9F000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000012.00000003.406891503.0000000004567000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000012.00000002.537834669.0000000004700000.00000040.00000800.00020000.00000000.sdmp

Data Obfuscation

Source: 0098764345678.exe, AddCompanyForm.cs .Net Code: NewLateBinding.LateCall(dax, null, "Invoke", stackVariable4, null, null, stackVariable13, true)
Source: 0.0.0098764345678.exe.2e0000.0.unpack, AddCompanyForm.cs .Net Code: NewLateBinding.LateCall(dax, null, "Invoke", stackVariable4, null, null, stackVariable13, true)
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 0_2_046D30C5 push FFFFFF8Bh; iretd 0_2_046D30C7
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 0_2_04C00428 pushad ; ret 0_2_04C00429
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 0_2_04C0B303 push A000005Eh; iretd 0_2_04C0B309
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_0133D0D1 push ecx; ret 4_2_0133D0E4
Source: initial sample Static PE information: section name: .text entropy: 7.755433575033054
Source: C:\Users\user\Desktop\0098764345678.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\0098764345678.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\0098764345678.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\0098764345678.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\0098764345678.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\0098764345678.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\0098764345678.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\0098764345678.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\0098764345678.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\0098764345678.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\0098764345678.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\0098764345678.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\0098764345678.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\0098764345678.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\0098764345678.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\0098764345678.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\0098764345678.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\0098764345678.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\0098764345678.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\0098764345678.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\0098764345678.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\0098764345678.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\0098764345678.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\0098764345678.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\0098764345678.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\0098764345678.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\0098764345678.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\0098764345678.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\0098764345678.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\0098764345678.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\0098764345678.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\0098764345678.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion

Source: Yara match File source: Process Memory Space: 0098764345678.exe PID: 5832, type: MEMORYSTR
Source: 0098764345678.exe, 00000000.00000002.301264295.0000000002BBB000.00000004.00000800.00020000.00000000.sdmp, 0098764345678.exe, 00000000.00000002.296657611.0000000002681000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: 0098764345678.exe, 00000000.00000002.301264295.0000000002BBB000.00000004.00000800.00020000.00000000.sdmp, 0098764345678.exe, 00000000.00000002.296657611.0000000002681000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SBIEDLL.DLL
Source: C:\Users\user\Desktop\0098764345678.exe RDTSC instruction interceptor: First address: 0000000000408C34 second address: 0000000000408C3A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0098764345678.exe RDTSC instruction interceptor: First address: 0000000000408FCE second address: 0000000000408FD4 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0098764345678.exe TID: 5256 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_013B5BA5 rdtsc 4_2_013B5BA5
Source: C:\Users\user\Desktop\0098764345678.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\0098764345678.exe API coverage: 3.8 %
Source: C:\Users\user\Desktop\0098764345678.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\0098764345678.exe Thread delayed: delay time: 922337203685477
Source: explorer.exe, 00000007.00000000.385371809.00000000080ED000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: explorer.exe, 00000007.00000000.361138480.0000000008223000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}m&ven_n
Source: explorer.exe, 00000007.00000000.372820502.0000000000680000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: _VMware_SATA_CD00#5&280b647&
Source: 0098764345678.exe, 00000000.00000002.296657611.0000000002681000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMware SVGA IIOData Source=localhost\sqlexpress;Initial Catalog=dbSMS;Integrated Security=True
Source: explorer.exe, 00000007.00000000.372900510.000000000069D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: 0098764345678.exe, 00000000.00000002.296657611.0000000002681000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmware
Source: explorer.exe, 00000007.00000000.361138480.0000000008223000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMware SATA CD00
Source: 0098764345678.exe, 00000000.00000002.296657611.0000000002681000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: explorer.exe, 00000007.00000000.361138480.0000000008223000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}t]
Source: 0098764345678.exe, 00000000.00000002.296657611.0000000002681000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: explorer.exe, 00000007.00000000.315937112.00000000062C4000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000007.00000000.361138480.0000000008223000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}+]e
Source: explorer.exe, 00000007.00000000.446684667.0000000004287000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}0
Source: 0098764345678.exe, 00000000.00000002.296657611.0000000002681000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMWARE
Source: explorer.exe, 00000007.00000000.385647400.000000000820E000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
Source: 0098764345678.exe, 00000000.00000002.296657611.0000000002681000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: 0098764345678.exe, 00000000.00000002.296657611.0000000002681000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: 0098764345678.exe, 00000000.00000002.296657611.0000000002681000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMware SVGA II
Source: 0098764345678.exe, 00000000.00000002.296657611.0000000002681000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
Source: explorer.exe, 00000007.00000000.385371809.00000000080ED000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
Source: explorer.exe, 00000007.00000000.361138480.0000000008223000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMware SATA CD00l
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_013B5BA5 rdtsc 4_2_013B5BA5
Source: C:\Users\user\Desktop\0098764345678.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\0098764345678.exe Process token adjusted: Debug
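The evasion lines above mix three different kinds of evidence, and an analyst reading the raw signature dump has to separate them by hand. The RDTSC interceptor listings (rdtsc; xor ecx, ecx; add ecx, eax; rdtsc) read the low 32 bits of the timestamp counter twice in a row so the delta can be compared against a threshold, the classic single-step/emulation check. The delay of 922337203685477 ms is exactly Int64.MaxValue ticks divided by 10000, i.e. .NET TimeSpan.MaxValue expressed in milliseconds, which together with 3.8 % API coverage says the sample parked itself rather than running its payload in the sandbox. The VMware strings, however, come from two different places: hits in the sample's own memory (SOFTWARE\VMware, Inc.\VMware Tools, the HARDWARE\DEVICEMAP\Scsi keys, SYSTEM\ControlSet001\Services\Disk\Enum, the display-adapter class key {4D36E968-E325-11CE-BFC1-08002BE10318}) are lookup targets the sample carries, while hits in explorer.exe memory (SCSI\CdRom&Ven_NECVMWar..., STORAGE#Volume#...) are the analysis host's own Plug and Play device names and only confirm that the sandbox runs on VMware. The following Python script is an added triage example, not part of the JoeSandbox report and not the sandbox vendor's tooling: it parses report lines of the kind shown above into indicators and splits them into sample evidence versus environment-only hits. The sample input is a handful of lines copied from this section; the marker lists and the 10 % coverage threshold are the author's assumptions.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# .NET TimeSpan.MaxValue is Int64.MaxValue ticks of 100 ns; in whole milliseconds that is
# 9223372036854775807 // 10000 = 922337203685477, the exact delay the report shows.
DOTNET_TIMESPAN_MAX_MS = (2**63 - 1) // 10_000

# Assumption: strings that name an analysis environment rather than a hypervisor.
SANDBOX_MARKERS = {"SBIEDLL.DLL": "Sandboxie", "WINE_GET_UNIX_FILE_NAME": "Wine"}
# Assumption: lower-case substrings that identify hypervisor hardware, drivers or tools.
VM_MARKERS = ("vmware", "vbox", "virtualbox", "qemu", "virtual_disk", "virtual dvd")

# Constructed input: representative lines copied from the report section above.
SAMPLE_LINES = [
    r"Source: 0098764345678.exe, 00000000.00000002.301264295.0000000002BBB000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SBIEDLL.DLL",
    r"Source: 0098764345678.exe, 00000000.00000002.301264295.0000000002BBB000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: WINE_GET_UNIX_FILE_NAME",
    r"Source: C:\Users\user\Desktop\0098764345678.exe RDTSC instruction interceptor: First address: 0000000000408C34 second address: 0000000000408C3A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc",
    r"Source: C:\Users\user\Desktop\0098764345678.exe Thread delayed: delay time: 922337203685477 Jump to behavior",
    r"Source: 0098764345678.exe, 00000000.00000002.296657611.0000000002681000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools",
    r"Source: explorer.exe, 00000007.00000000.385371809.00000000080ED000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000",
    r"Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_0131513A mov eax, dword ptr fs:[00000030h] 4_2_0131513A",
    r"Source: C:\Users\user\Desktop\0098764345678.exe API coverage: 3.8 %",
]


@dataclass(frozen=True)
class Indicator:
    technique: str   # short label for the evasion technique
    process: str     # process whose code or memory produced the hit
    detail: str      # the evidence (string, address or value)
    own_code: bool   # True when the hit is in the sample's own code or memory


def _process_of(body: str) -> str:
    """Pull the image name out of 'C:\\...\\x.exe ...' or 'explorer.exe, 00000007....'."""
    m = re.search(r"([^\\\s,]+\.exe)", body)
    return m.group(1) if m else body.split()[0]


def classify(line: str, sample_name: str) -> Optional[Indicator]:
    """Map one report line to an evasion indicator, or None when it is not one."""
    if not line.startswith("Source:"):
        return None
    # Drop the report's hyperlink label so it cannot pollute the evidence string.
    body = line[len("Source:"):].strip().replace(" Jump to behavior", "")
    proc = _process_of(body)
    own = proc.lower() == sample_name.lower()

    if "Binary or memory string:" in body:
        s = body.split("Binary or memory string:", 1)[1].strip()
        if s.upper() in SANDBOX_MARKERS:
            return Indicator("sandbox check: " + SANDBOX_MARKERS[s.upper()], proc, s, own)
        if any(m in s.lower() for m in VM_MARKERS):
            return Indicator("vm artifact string", proc, s, own)
        return None
    if "RDTSC instruction interceptor:" in body:
        m = re.search(r"First address: ([0-9A-Fa-f]+)", body)
        return Indicator("rdtsc timing check", proc, m.group(1), own)
    if "Code function:" in body:
        func = re.search(r"Code function: (\S+)", body).group(1)
        if re.search(r"\brdtsc\b", body):
            return Indicator("rdtsc timing check", proc, func, own)
        if "fs:[00000030h]" in body:  # fs:[30h] is the PEB on 32-bit Windows
            return Indicator("PEB access (fs:[30h])", proc, func, own)
        return None
    if "Thread delayed: delay time:" in body:
        ms = int(re.search(r"delay time:\s*(\d+)", body).group(1))
        label = ("long sleep (.NET TimeSpan.MaxValue)" if ms == DOTNET_TIMESPAN_MAX_MS
                 else f"long sleep ({ms} ms)")
        return Indicator(label, proc, str(ms), own)
    if "API coverage:" in body:
        pct = float(re.search(r"API coverage:\s*([\d.]+)", body).group(1))
        if pct < 10.0:  # assumption: under 10 % means the run was cut short
            return Indicator("low API coverage", proc, f"{pct} %", own)
    return None


def triage(lines: List[str], sample_name: str) -> Dict[str, List[Indicator]]:
    """Split indicators into those the sample carries and those that only describe the VM."""
    hits = [i for i in (classify(l, sample_name) for l in lines) if i is not None]
    uniq = list(dict.fromkeys(hits))  # the report repeats one line per hit; keep the first
    return {
        "sample_evidence": [i for i in uniq if i.own_code],
        "environment_only": [i for i in uniq if not i.own_code],
    }


if __name__ == "__main__":
    result = triage(SAMPLE_LINES, "0098764345678.exe")
    for bucket, items in result.items():
        print(bucket)
        for i in items:
            print(f"  {i.technique:40} {i.process:20} {i.detail}")
```

Feed it the full text export of a report and the `environment_only` bucket shrinks to the device names every VMware guest shows, while `sample_evidence` is what belongs in a detection write-up: the Sandboxie/Wine string checks, the rdtsc pair, the PEB reads and the TimeSpan.MaxValue sleep.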
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_0131513A mov eax, dword ptr fs:[00000030h] 4_2_0131513A
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_0131513A mov eax, dword ptr fs:[00000030h] 4_2_0131513A
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_01304120 mov eax, dword ptr fs:[00000030h] 4_2_01304120
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_01304120 mov eax, dword ptr fs:[00000030h] 4_2_01304120
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_01304120 mov eax, dword ptr fs:[00000030h] 4_2_01304120
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_01304120 mov eax, dword ptr fs:[00000030h] 4_2_01304120
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_01304120 mov ecx, dword ptr fs:[00000030h] 4_2_01304120
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_012E9100 mov eax, dword ptr fs:[00000030h] 4_2_012E9100
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_012E9100 mov eax, dword ptr fs:[00000030h] 4_2_012E9100
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_012E9100 mov eax, dword ptr fs:[00000030h] 4_2_012E9100
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_012EC962 mov eax, dword ptr fs:[00000030h] 4_2_012EC962
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_012EB171 mov eax, dword ptr fs:[00000030h] 4_2_012EB171
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_012EB171 mov eax, dword ptr fs:[00000030h] 4_2_012EB171
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_0130B944 mov eax, dword ptr fs:[00000030h] 4_2_0130B944
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_0130B944 mov eax, dword ptr fs:[00000030h] 4_2_0130B944
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_013651BE mov eax, dword ptr fs:[00000030h] 4_2_013651BE
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_013651BE mov eax, dword ptr fs:[00000030h] 4_2_013651BE
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_013651BE mov eax, dword ptr fs:[00000030h] 4_2_013651BE
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_013651BE mov eax, dword ptr fs:[00000030h] 4_2_013651BE
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_013099BF mov ecx, dword ptr fs:[00000030h] 4_2_013099BF
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_013099BF mov ecx, dword ptr fs:[00000030h] 4_2_013099BF
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_013099BF mov eax, dword ptr fs:[00000030h] 4_2_013099BF
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_013099BF mov ecx, dword ptr fs:[00000030h] 4_2_013099BF
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_013099BF mov ecx, dword ptr fs:[00000030h] 4_2_013099BF
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_013099BF mov eax, dword ptr fs:[00000030h] 4_2_013099BF
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_013099BF mov ecx, dword ptr fs:[00000030h] 4_2_013099BF
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_013099BF mov ecx, dword ptr fs:[00000030h] 4_2_013099BF
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_013099BF mov eax, dword ptr fs:[00000030h] 4_2_013099BF
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_013099BF mov ecx, dword ptr fs:[00000030h] 4_2_013099BF
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_013099BF mov ecx, dword ptr fs:[00000030h] 4_2_013099BF
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_013099BF mov eax, dword ptr fs:[00000030h] 4_2_013099BF
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_013669A6 mov eax, dword ptr fs:[00000030h] 4_2_013669A6
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_013161A0 mov eax, dword ptr fs:[00000030h] 4_2_013161A0
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_013161A0 mov eax, dword ptr fs:[00000030h] 4_2_013161A0
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_013A49A4 mov eax, dword ptr fs:[00000030h] 4_2_013A49A4
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_013A49A4 mov eax, dword ptr fs:[00000030h] 4_2_013A49A4
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_013A49A4 mov eax, dword ptr fs:[00000030h] 4_2_013A49A4
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_013A49A4 mov eax, dword ptr fs:[00000030h] 4_2_013A49A4
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_01312990 mov eax, dword ptr fs:[00000030h] 4_2_01312990
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_0130C182 mov eax, dword ptr fs:[00000030h] 4_2_0130C182
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_0131A185 mov eax, dword ptr fs:[00000030h] 4_2_0131A185
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_012EB1E1 mov eax, dword ptr fs:[00000030h] 4_2_012EB1E1
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_012EB1E1 mov eax, dword ptr fs:[00000030h] 4_2_012EB1E1
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_012EB1E1 mov eax, dword ptr fs:[00000030h] 4_2_012EB1E1
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_013741E8 mov eax, dword ptr fs:[00000030h] 4_2_013741E8
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_0130A830 mov eax, dword ptr fs:[00000030h] 4_2_0130A830
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_0130A830 mov eax, dword ptr fs:[00000030h] 4_2_0130A830
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_0130A830 mov eax, dword ptr fs:[00000030h] 4_2_0130A830
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_0130A830 mov eax, dword ptr fs:[00000030h] 4_2_0130A830
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_012FB02A mov eax, dword ptr fs:[00000030h] 4_2_012FB02A
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_012FB02A mov eax, dword ptr fs:[00000030h] 4_2_012FB02A
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_012FB02A mov eax, dword ptr fs:[00000030h] 4_2_012FB02A
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_012FB02A mov eax, dword ptr fs:[00000030h] 4_2_012FB02A
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_0131002D mov eax, dword ptr fs:[00000030h] 4_2_0131002D
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_0131002D mov eax, dword ptr fs:[00000030h] 4_2_0131002D
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_0131002D mov eax, dword ptr fs:[00000030h] 4_2_0131002D
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_0131002D mov eax, dword ptr fs:[00000030h] 4_2_0131002D
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_0131002D mov eax, dword ptr fs:[00000030h] 4_2_0131002D
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_01367016 mov eax, dword ptr fs:[00000030h] 4_2_01367016
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_01367016 mov eax, dword ptr fs:[00000030h] 4_2_01367016
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_01367016 mov eax, dword ptr fs:[00000030h] 4_2_01367016
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_013B4015 mov eax, dword ptr fs:[00000030h] 4_2_013B4015
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_013B4015 mov eax, dword ptr fs:[00000030h] 4_2_013B4015
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_013A2073 mov eax, dword ptr fs:[00000030h] 4_2_013A2073
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_013B1074 mov eax, dword ptr fs:[00000030h] 4_2_013B1074
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_01300050 mov eax, dword ptr fs:[00000030h] 4_2_01300050
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_01300050 mov eax, dword ptr fs:[00000030h] 4_2_01300050
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_0131F0BF mov ecx, dword ptr fs:[00000030h] 4_2_0131F0BF
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_0131F0BF mov eax, dword ptr fs:[00000030h] 4_2_0131F0BF
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_0131F0BF mov eax, dword ptr fs:[00000030h] 4_2_0131F0BF
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_013120A0 mov eax, dword ptr fs:[00000030h] 4_2_013120A0
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_013120A0 mov eax, dword ptr fs:[00000030h] 4_2_013120A0
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_013120A0 mov eax, dword ptr fs:[00000030h] 4_2_013120A0
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_013120A0 mov eax, dword ptr fs:[00000030h] 4_2_013120A0
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_013120A0 mov eax, dword ptr fs:[00000030h] 4_2_013120A0
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_013120A0 mov eax, dword ptr fs:[00000030h] 4_2_013120A0
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_013290AF mov eax, dword ptr fs:[00000030h] 4_2_013290AF
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_012E9080 mov eax, dword ptr fs:[00000030h] 4_2_012E9080
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_01363884 mov eax, dword ptr fs:[00000030h] 4_2_01363884
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_01363884 mov eax, dword ptr fs:[00000030h] 4_2_01363884
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_012E58EC mov eax, dword ptr fs:[00000030h] 4_2_012E58EC
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_012E40E1 mov eax, dword ptr fs:[00000030h] 4_2_012E40E1
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_012E40E1 mov eax, dword ptr fs:[00000030h] 4_2_012E40E1
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_012E40E1 mov eax, dword ptr fs:[00000030h] 4_2_012E40E1
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_0130B8E4 mov eax, dword ptr fs:[00000030h] 4_2_0130B8E4
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_0130B8E4 mov eax, dword ptr fs:[00000030h] 4_2_0130B8E4
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_0137B8D0 mov eax, dword ptr fs:[00000030h] 4_2_0137B8D0
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_0137B8D0 mov ecx, dword ptr fs:[00000030h] 4_2_0137B8D0
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_0137B8D0 mov eax, dword ptr fs:[00000030h] 4_2_0137B8D0
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_0137B8D0 mov eax, dword ptr fs:[00000030h] 4_2_0137B8D0
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_0137B8D0 mov eax, dword ptr fs:[00000030h] 4_2_0137B8D0
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_0137B8D0 mov eax, dword ptr fs:[00000030h] 4_2_0137B8D0
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_013A131B mov eax, dword ptr fs:[00000030h] 4_2_013A131B
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_0130A309 mov eax, dword ptr fs:[00000030h] 4_2_0130A309
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_0130A309 mov eax, dword ptr fs:[00000030h] 4_2_0130A309
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_0130A309 mov eax, dword ptr fs:[00000030h] 4_2_0130A309
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_0130A309 mov eax, dword ptr fs:[00000030h] 4_2_0130A309
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_0130A309 mov eax, dword ptr fs:[00000030h] 4_2_0130A309
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_0130A309 mov eax, dword ptr fs:[00000030h] 4_2_0130A309
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_0130A309 mov eax, dword ptr fs:[00000030h] 4_2_0130A309
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_0130A309 mov eax, dword ptr fs:[00000030h] 4_2_0130A309
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_0130A309 mov eax, dword ptr fs:[00000030h] 4_2_0130A309
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_0130A309 mov eax, dword ptr fs:[00000030h] 4_2_0130A309
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_0130A309 mov eax, dword ptr fs:[00000030h] 4_2_0130A309
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_0130A309 mov eax, dword ptr fs:[00000030h] 4_2_0130A309
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_0130A309 mov eax, dword ptr fs:[00000030h] 4_2_0130A309
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_0130A309 mov eax, dword ptr fs:[00000030h] 4_2_0130A309
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_0130A309 mov eax, dword ptr fs:[00000030h] 4_2_0130A309
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_0130A309 mov eax, dword ptr fs:[00000030h] 4_2_0130A309
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_0130A309 mov eax, dword ptr fs:[00000030h] 4_2_0130A309
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_0130A309 mov eax, dword ptr fs:[00000030h] 4_2_0130A309
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_0130A309 mov eax, dword ptr fs:[00000030h] 4_2_0130A309
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_0130A309 mov eax, dword ptr fs:[00000030h] 4_2_0130A309
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_0130A309 mov eax, dword ptr fs:[00000030h] 4_2_0130A309
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_01313B7A mov eax, dword ptr fs:[00000030h] 4_2_01313B7A
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_01313B7A mov eax, dword ptr fs:[00000030h] 4_2_01313B7A
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_012EDB60 mov ecx, dword ptr fs:[00000030h] 4_2_012EDB60
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_013B8B58 mov eax, dword ptr fs:[00000030h] 4_2_013B8B58
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_012EDB40 mov eax, dword ptr fs:[00000030h] 4_2_012EDB40
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_012EF358 mov eax, dword ptr fs:[00000030h] 4_2_012EF358
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_01314BAD mov eax, dword ptr fs:[00000030h] 4_2_01314BAD
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_01314BAD mov eax, dword ptr fs:[00000030h] 4_2_01314BAD
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_01314BAD mov eax, dword ptr fs:[00000030h] 4_2_01314BAD
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_013B5BA5 mov eax, dword ptr fs:[00000030h] 4_2_013B5BA5
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_012F1B8F mov eax, dword ptr fs:[00000030h] 4_2_012F1B8F
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_012F1B8F mov eax, dword ptr fs:[00000030h] 4_2_012F1B8F
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_0131B390 mov eax, dword ptr fs:[00000030h] 4_2_0131B390
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_01312397 mov eax, dword ptr fs:[00000030h] 4_2_01312397
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_013A138A mov eax, dword ptr fs:[00000030h] 4_2_013A138A
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_0139D380 mov ecx, dword ptr fs:[00000030h] 4_2_0139D380
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_0131138B mov eax, dword ptr fs:[00000030h] 4_2_0131138B
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_0131138B mov eax, dword ptr fs:[00000030h] 4_2_0131138B
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_0131138B mov eax, dword ptr fs:[00000030h] 4_2_0131138B
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_013103E2 mov eax, dword ptr fs:[00000030h] 4_2_013103E2
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_013103E2 mov eax, dword ptr fs:[00000030h] 4_2_013103E2
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_013103E2 mov eax, dword ptr fs:[00000030h] 4_2_013103E2
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_013103E2 mov eax, dword ptr fs:[00000030h] 4_2_013103E2
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_013103E2 mov eax, dword ptr fs:[00000030h] 4_2_013103E2
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_013103E2 mov eax, dword ptr fs:[00000030h] 4_2_013103E2
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_0130DBE9 mov eax, dword ptr fs:[00000030h] 4_2_0130DBE9
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_013923E3 mov ecx, dword ptr fs:[00000030h] 4_2_013923E3
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_013923E3 mov ecx, dword ptr fs:[00000030h] 4_2_013923E3
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_013923E3 mov eax, dword ptr fs:[00000030h] 4_2_013923E3
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_013653CA mov eax, dword ptr fs:[00000030h] 4_2_013653CA
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_013653CA mov eax, dword ptr fs:[00000030h] 4_2_013653CA
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_0130B236 mov eax, dword ptr fs:[00000030h] 4_2_0130B236
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_0130B236 mov eax, dword ptr fs:[00000030h] 4_2_0130B236
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_0130B236 mov eax, dword ptr fs:[00000030h] 4_2_0130B236
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_0130B236 mov eax, dword ptr fs:[00000030h] 4_2_0130B236
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_0130B236 mov eax, dword ptr fs:[00000030h] 4_2_0130B236
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_0130B236 mov eax, dword ptr fs:[00000030h] 4_2_0130B236
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_0130A229 mov eax, dword ptr fs:[00000030h] 4_2_0130A229
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_0130A229 mov eax, dword ptr fs:[00000030h] 4_2_0130A229
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_0130A229 mov eax, dword ptr fs:[00000030h] 4_2_0130A229
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_0130A229 mov eax, dword ptr fs:[00000030h] 4_2_0130A229
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_0130A229 mov eax, dword ptr fs:[00000030h] 4_2_0130A229
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_0130A229 mov eax, dword ptr fs:[00000030h] 4_2_0130A229
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_0130A229 mov eax, dword ptr fs:[00000030h] 4_2_0130A229
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_0130A229 mov eax, dword ptr fs:[00000030h] 4_2_0130A229
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_0130A229 mov eax, dword ptr fs:[00000030h] 4_2_0130A229
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_01324A2C mov eax, dword ptr fs:[00000030h] 4_2_01324A2C
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_01324A2C mov eax, dword ptr fs:[00000030h] 4_2_01324A2C
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_012F8A0A mov eax, dword ptr fs:[00000030h] 4_2_012F8A0A
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_01303A1C mov eax, dword ptr fs:[00000030h] 4_2_01303A1C
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_013AAA16 mov eax, dword ptr fs:[00000030h] 4_2_013AAA16
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_013AAA16 mov eax, dword ptr fs:[00000030h] 4_2_013AAA16
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_012EAA16 mov eax, dword ptr fs:[00000030h] 4_2_012EAA16
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_012EAA16 mov eax, dword ptr fs:[00000030h] 4_2_012EAA16
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_012E5210 mov eax, dword ptr fs:[00000030h] 4_2_012E5210
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_012E5210 mov ecx, dword ptr fs:[00000030h] 4_2_012E5210
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_012E5210 mov eax, dword ptr fs:[00000030h] 4_2_012E5210
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_012E5210 mov eax, dword ptr fs:[00000030h] 4_2_012E5210
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_0132927A mov eax, dword ptr fs:[00000030h] 4_2_0132927A
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_0139B260 mov eax, dword ptr fs:[00000030h] 4_2_0139B260
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_0139B260 mov eax, dword ptr fs:[00000030h] 4_2_0139B260
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_013B8A62 mov eax, dword ptr fs:[00000030h] 4_2_013B8A62
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_01374257 mov eax, dword ptr fs:[00000030h] 4_2_01374257
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_012E9240 mov eax, dword ptr fs:[00000030h] 4_2_012E9240
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_012E9240 mov eax, dword ptr fs:[00000030h] 4_2_012E9240
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_012E9240 mov eax, dword ptr fs:[00000030h] 4_2_012E9240
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_012E9240 mov eax, dword ptr fs:[00000030h] 4_2_012E9240
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_013AEA55 mov eax, dword ptr fs:[00000030h] 4_2_013AEA55
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_0131FAB0 mov eax, dword ptr fs:[00000030h] 4_2_0131FAB0
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_012E52A5 mov eax, dword ptr fs:[00000030h] 4_2_012E52A5
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_012E52A5 mov eax, dword ptr fs:[00000030h] 4_2_012E52A5
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_012E52A5 mov eax, dword ptr fs:[00000030h] 4_2_012E52A5
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_012E52A5 mov eax, dword ptr fs:[00000030h] 4_2_012E52A5
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_012E52A5 mov eax, dword ptr fs:[00000030h] 4_2_012E52A5
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_012FAAB0 mov eax, dword ptr fs:[00000030h] 4_2_012FAAB0
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_012FAAB0 mov eax, dword ptr fs:[00000030h] 4_2_012FAAB0
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_0131D294 mov eax, dword ptr fs:[00000030h] 4_2_0131D294
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_01312AE4 mov eax, dword ptr fs:[00000030h] 4_2_01312AE4
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_013A4AEF mov eax, dword ptr fs:[00000030h] 4_2_013A4AEF
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_01312ACB mov eax, dword ptr fs:[00000030h] 4_2_01312ACB
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_0136A537 mov eax, dword ptr fs:[00000030h] 4_2_0136A537
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_013AE539 mov eax, dword ptr fs:[00000030h] 4_2_013AE539
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_01314D3B mov eax, dword ptr fs:[00000030h] 4_2_01314D3B
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_013B8D34 mov eax, dword ptr fs:[00000030h] 4_2_013B8D34
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_012F3D34 mov eax, dword ptr fs:[00000030h] 4_2_012F3D34
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_012EAD30 mov eax, dword ptr fs:[00000030h] 4_2_012EAD30
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_0130C577 mov eax, dword ptr fs:[00000030h] 4_2_0130C577
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_01307D50 mov eax, dword ptr fs:[00000030h] 4_2_01307D50
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_01323D43 mov eax, dword ptr fs:[00000030h] 4_2_01323D43
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_01363540 mov eax, dword ptr fs:[00000030h] 4_2_01363540
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_01393D40 mov eax, dword ptr fs:[00000030h] 4_2_01393D40
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_01311DB5 mov eax, dword ptr fs:[00000030h] 4_2_01311DB5
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_013135A1 mov eax, dword ptr fs:[00000030h] 4_2_013135A1
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_013B05AC mov eax, dword ptr fs:[00000030h] 4_2_013B05AC
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_012E2D8A mov eax, dword ptr fs:[00000030h] 4_2_012E2D8A
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_0131FD9B mov eax, dword ptr fs:[00000030h] 4_2_0131FD9B
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_01312581 mov eax, dword ptr fs:[00000030h] 4_2_01312581
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_013A2D82 mov eax, dword ptr fs:[00000030h] 4_2_013A2D82
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_01398DF1 mov eax, dword ptr fs:[00000030h] 4_2_01398DF1
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_012FD5E0 mov eax, dword ptr fs:[00000030h] 4_2_012FD5E0
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_013AFDE2 mov eax, dword ptr fs:[00000030h] 4_2_013AFDE2
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_01366DC9 mov eax, dword ptr fs:[00000030h] 4_2_01366DC9
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_01366DC9 mov ecx, dword ptr fs:[00000030h] 4_2_01366DC9
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_0131BC2C mov eax, dword ptr fs:[00000030h] 4_2_0131BC2C
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_013B740D mov eax, dword ptr fs:[00000030h] 4_2_013B740D
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_013A1C06 mov eax, dword ptr fs:[00000030h] 4_2_013A1C06
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_01366C0A mov eax, dword ptr fs:[00000030h] 4_2_01366C0A
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_0130B477 mov eax, dword ptr fs:[00000030h] 4_2_0130B477
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_0131AC7B mov eax, dword ptr fs:[00000030h] 4_2_0131AC7B
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_0130746D mov eax, dword ptr fs:[00000030h] 4_2_0130746D
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_0137C450 mov eax, dword ptr fs:[00000030h] 4_2_0137C450
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_0131A44B mov eax, dword ptr fs:[00000030h] 4_2_0131A44B
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_013A4496 mov eax, dword ptr fs:[00000030h] 4_2_013A4496
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_012F849B mov eax, dword ptr fs:[00000030h] 4_2_012F849B
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_013A14FB mov eax, dword ptr fs:[00000030h] 4_2_013A14FB
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_01366CF0 mov eax, dword ptr fs:[00000030h] 4_2_01366CF0
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_013B8CD6 mov eax, dword ptr fs:[00000030h] 4_2_013B8CD6
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_012E4F2E mov eax, dword ptr fs:[00000030h] 4_2_012E4F2E
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_0131E730 mov eax, dword ptr fs:[00000030h] 4_2_0131E730
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_0130B73D mov eax, dword ptr fs:[00000030h] 4_2_0130B73D
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_0130F716 mov eax, dword ptr fs:[00000030h] 4_2_0130F716
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_0137FF10 mov eax, dword ptr fs:[00000030h] 4_2_0137FF10
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_013B070D mov eax, dword ptr fs:[00000030h] 4_2_013B070D
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_0131A70E mov eax, dword ptr fs:[00000030h] 4_2_0131A70E
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_012FFF60 mov eax, dword ptr fs:[00000030h] 4_2_012FFF60
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_013B8F6A mov eax, dword ptr fs:[00000030h] 4_2_013B8F6A
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_012FEF40 mov eax, dword ptr fs:[00000030h] 4_2_012FEF40
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_01367794 mov eax, dword ptr fs:[00000030h] 4_2_01367794
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_012F8794 mov eax, dword ptr fs:[00000030h] 4_2_012F8794
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_013237F5 mov eax, dword ptr fs:[00000030h] 4_2_013237F5
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_0139FE3F mov eax, dword ptr fs:[00000030h] 4_2_0139FE3F
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_012EE620 mov eax, dword ptr fs:[00000030h] 4_2_012EE620
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_0131A61C mov eax, dword ptr fs:[00000030h] 4_2_0131A61C
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_012EC600 mov eax, dword ptr fs:[00000030h] 4_2_012EC600
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_01318E00 mov eax, dword ptr fs:[00000030h] 4_2_01318E00
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_013A1608 mov eax, dword ptr fs:[00000030h] 4_2_013A1608
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_012F766D mov eax, dword ptr fs:[00000030h] 4_2_012F766D
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_0130AE73 mov eax, dword ptr fs:[00000030h] 4_2_0130AE73
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_012F7E41 mov eax, dword ptr fs:[00000030h] 4_2_012F7E41
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_013AAE44 mov eax, dword ptr fs:[00000030h] 4_2_013AAE44
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_013646A7 mov eax, dword ptr fs:[00000030h] 4_2_013646A7
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_013B0EA5 mov eax, dword ptr fs:[00000030h] 4_2_013B0EA5
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_0137FE87 mov eax, dword ptr fs:[00000030h] 4_2_0137FE87
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_012F76E2 mov eax, dword ptr fs:[00000030h] 4_2_012F76E2
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_013116E0 mov ecx, dword ptr fs:[00000030h] 4_2_013116E0
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_013B8ED6 mov eax, dword ptr fs:[00000030h] 4_2_013B8ED6
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_01328EC7 mov eax, dword ptr fs:[00000030h] 4_2_01328EC7
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_0139FEC0 mov eax, dword ptr fs:[00000030h] 4_2_0139FEC0
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_013136CC mov eax, dword ptr fs:[00000030h] 4_2_013136CC
Source: C:\Users\user\Desktop\0098764345678.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\msiexec.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\0098764345678.exe Code function: 4_2_01329910 NtAdjustPrivilegesToken,LdrInitializeThunk, 4_2_01329910
Source: C:\Users\user\Desktop\0098764345678.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\explorer.exe Network Connect: 103.224.212.221 80
Source: C:\Windows\explorer.exe Domain query: www.whipbull.com
Source: C:\Windows\explorer.exe Network Connect: 194.195.211.26 80
Source: C:\Windows\explorer.exe Domain query: www.secure-id6793-chase.com
Source: C:\Users\user\Desktop\0098764345678.exe Section unmapped: C:\Windows\SysWOW64\msiexec.exe base address: 1130000
Source: C:\Users\user\Desktop\0098764345678.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\Desktop\0098764345678.exe Section loaded: unknown target: C:\Windows\SysWOW64\msiexec.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\Desktop\0098764345678.exe Thread APC queued: target process: C:\Windows\explorer.exe
Source: C:\Users\user\Desktop\0098764345678.exe Thread register set: target process: 3968
Source: C:\Windows\SysWOW64\msiexec.exe Thread register set: target process: 3968
Source: C:\Users\user\Desktop\0098764345678.exe Process created: C:\Users\user\Desktop\0098764345678.exe {path}
Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\0098764345678.exe"
Source: explorer.exe, 00000007.00000000.349310159.0000000000688000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.443159976.0000000000688000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.372845038.0000000000688000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ProgmanEXE^
Source: explorer.exe, 00000007.00000000.350405980.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000007.00000000.300805300.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000007.00000000.374372996.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000007.00000000.350405980.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000007.00000000.300805300.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000007.00000000.374372996.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progman
Source: explorer.exe, 00000007.00000000.350405980.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000007.00000000.300805300.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000007.00000000.374372996.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progmanlock
Source: explorer.exe, 00000007.00000000.443197553.000000000069D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.349657878.000000000069D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.299659250.000000000069D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Shell_TrayWnd4
Source: explorer.exe, 00000007.00000000.350405980.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000007.00000000.300805300.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000007.00000000.374372996.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: WProgram Manager
Source: C:\Users\user\Desktop\0098764345678.exe Queries volume information: C:\Users\user\Desktop\0098764345678.exe VolumeInformation
Source: C:\Users\user\Desktop\0098764345678.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\0098764345678.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\0098764345678.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\0098764345678.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\0098764345678.exe Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Users\user\Desktop\0098764345678.exe Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
Source: C:\Users\user\Desktop\0098764345678.exe Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\0098764345678.exe Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\0098764345678.exe Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
Source: C:\Users\user\Desktop\0098764345678.exe Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
Source: C:\Users\user\Desktop\0098764345678.exe Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
Source: C:\Users\user\Desktop\0098764345678.exe Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
Source: C:\Users\user\Desktop\0098764345678.exe Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\0098764345678.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\0098764345678.exe Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
Source: C:\Users\user\Desktop\0098764345678.exe Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Users\user\Desktop\0098764345678.exe Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Users\user\Desktop\0098764345678.exe Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Users\user\Desktop\0098764345678.exe Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\Desktop\0098764345678.exe Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\user\Desktop\0098764345678.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\0098764345678.exe Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\Desktop\0098764345678.exe Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\Desktop\0098764345678.exe Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\0098764345678.exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\Desktop\0098764345678.exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\Desktop\0098764345678.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\Desktop\0098764345678.exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\Desktop\0098764345678.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\Desktop\0098764345678.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\Desktop\0098764345678.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\0098764345678.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\Desktop\0098764345678.exe Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
Source: C:\Users\user\Desktop\0098764345678.exe Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
Source: C:\Users\user\Desktop\0098764345678.exe Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
Source: C:\Users\user\Desktop\0098764345678.exe Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\0098764345678.exe Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\Desktop\0098764345678.exe Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\user\Desktop\0098764345678.exe Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Users\user\Desktop\0098764345678.exe Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Users\user\Desktop\0098764345678.exe Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Users\user\Desktop\0098764345678.exe Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Users\user\Desktop\0098764345678.exe Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Users\user\Desktop\0098764345678.exe Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Users\user\Desktop\0098764345678.exe Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\Desktop\0098764345678.exe Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Users\user\Desktop\0098764345678.exe Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\0098764345678.exe Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\0098764345678.exe Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\0098764345678.exe Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\0098764345678.exe Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\0098764345678.exe Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\0098764345678.exe Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\0098764345678.exe Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\0098764345678.exe Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\0098764345678.exe Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\0098764345678.exe Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\0098764345678.exe Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\0098764345678.exe Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\0098764345678.exe Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\0098764345678.exe Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\0098764345678.exe Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\0098764345678.exe Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\0098764345678.exe Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\0098764345678.exe Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\0098764345678.exe Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\0098764345678.exe Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\0098764345678.exe Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\0098764345678.exe Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\0098764345678.exe Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\0098764345678.exe Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\0098764345678.exe Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\0098764345678.exe Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\0098764345678.exe Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\0098764345678.exe Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\0098764345678.exe Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\0098764345678.exe Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\0098764345678.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\0098764345678.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\0098764345678.exe Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\0098764345678.exe Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\0098764345678.exe Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\0098764345678.exe Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\0098764345678.exe Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\0098764345678.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\0098764345678.exe Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\0098764345678.exe Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\0098764345678.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\0098764345678.exe Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\0098764345678.exe Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\0098764345678.exe Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\0098764345678.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\0098764345678.exe Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\0098764345678.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\0098764345678.exe Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\0098764345678.exe Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\0098764345678.exe Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\0098764345678.exe Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\0098764345678.exe Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\0098764345678.exe Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\0098764345678.exe Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\0098764345678.exe Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\0098764345678.exe Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\0098764345678.exe Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\0098764345678.exe Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\0098764345678.exe Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\0098764345678.exe Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\0098764345678.exe Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\0098764345678.exe Queries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\0098764345678.exe Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\0098764345678.exe Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\0098764345678.exe Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\0098764345678.exe Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\0098764345678.exe Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\0098764345678.exe Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\0098764345678.exe Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\0098764345678.exe Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\0098764345678.exe Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\0098764345678.exe Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\0098764345678.exe Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\0098764345678.exe Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\0098764345678.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\0098764345678.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\0098764345678.exe Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\0098764345678.exe Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\0098764345678.exe Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\0098764345678.exe Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\0098764345678.exe Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\0098764345678.exe Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\0098764345678.exe Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\0098764345678.exe Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\0098764345678.exe Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\0098764345678.exe Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\0098764345678.exe Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\0098764345678.exe Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\0098764345678.exe Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\0098764345678.exe Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\0098764345678.exe Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\0098764345678.exe Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\0098764345678.exe Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\0098764345678.exe Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\0098764345678.exe Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\0098764345678.exe Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\0098764345678.exe Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\0098764345678.exe Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\0098764345678.exe Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\0098764345678.exe Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\0098764345678.exe Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\0098764345678.exe Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\0098764345678.exe Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\0098764345678.exe Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\0098764345678.exe Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\0098764345678.exe Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\0098764345678.exe Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\0098764345678.exe Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\0098764345678.exe Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\0098764345678.exe Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\0098764345678.exe Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\0098764345678.exe Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\0098764345678.exe Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\0098764345678.exe Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\0098764345678.exe Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\0098764345678.exe Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\0098764345678.exe Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\0098764345678.exe Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\0098764345678.exe Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\0098764345678.exe Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\0098764345678.exe Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\0098764345678.exe Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\0098764345678.exe Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\0098764345678.exe Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\0098764345678.exe Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\0098764345678.exe Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\0098764345678.exe Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\0098764345678.exe Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\0098764345678.exe Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\0098764345678.exe Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\0098764345678.exe Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\0098764345678.exe Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\0098764345678.exe Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\0098764345678.exe Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\0098764345678.exe Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\0098764345678.exe Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\0098764345678.exe Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\0098764345678.exe Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\0098764345678.exe Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\0098764345678.exe Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\0098764345678.exe Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\0098764345678.exe Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\0098764345678.exe Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\0098764345678.exe Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\0098764345678.exe Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\0098764345678.exe Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\0098764345678.exe Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\0098764345678.exe Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\0098764345678.exe Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\0098764345678.exe Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\0098764345678.exe Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\0098764345678.exe Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\0098764345678.exe Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\0098764345678.exe Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\0098764345678.exe Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\0098764345678.exe Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\0098764345678.exe Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\0098764345678.exe Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\0098764345678.exe Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\0098764345678.exe Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\0098764345678.exe Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\0098764345678.exe Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\0098764345678.exe Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\0098764345678.exe Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\0098764345678.exe Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\0098764345678.exe Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\0098764345678.exe Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\0098764345678.exe Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\0098764345678.exe Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\0098764345678.exe Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\0098764345678.exe Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\0098764345678.exe Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\0098764345678.exe Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\0098764345678.exe Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\0098764345678.exe Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\0098764345678.exe Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\0098764345678.exe Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\0098764345678.exe Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\0098764345678.exe Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\0098764345678.exe Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\0098764345678.exe Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\0098764345678.exe Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\0098764345678.exe Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\0098764345678.exe Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\0098764345678.exe Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\0098764345678.exe Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\0098764345678.exe Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\0098764345678.exe Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\0098764345678.exe Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\0098764345678.exe Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\0098764345678.exe Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\0098764345678.exe Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\0098764345678.exe Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\0098764345678.exe Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\0098764345678.exe Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\0098764345678.exe Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\0098764345678.exe Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\0098764345678.exe Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\0098764345678.exe Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\0098764345678.exe Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
Source: C:\Users\user\Desktop\0098764345678.exe Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
Source: C:\Users\user\Desktop\0098764345678.exe Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
Source: C:\Users\user\Desktop\0098764345678.exe Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
Source: C:\Users\user\Desktop\0098764345678.exe Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\0098764345678.exe Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\0098764345678.exe Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\0098764345678.exe Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\0098764345678.exe Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
Source: C:\Users\user\Desktop\0098764345678.exe Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
Source: C:\Users\user\Desktop\0098764345678.exe Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
Source: C:\Users\user\Desktop\0098764345678.exe Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\0098764345678.exe Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
Source: C:\Users\user\Desktop\0098764345678.exe Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
Source: C:\Users\user\Desktop\0098764345678.exe Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
Source: C:\Users\user\Desktop\0098764345678.exe Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
Source: C:\Users\user\Desktop\0098764345678.exe Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
Source: C:\Users\user\Desktop\0098764345678.exe Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
Source: C:\Users\user\Desktop\0098764345678.exe Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\0098764345678.exe Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
Source: C:\Users\user\Desktop\0098764345678.exe Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
Source: C:\Users\user\Desktop\0098764345678.exe Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
Source: C:\Users\user\Desktop\0098764345678.exe Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
Source: C:\Users\user\Desktop\0098764345678.exe Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
Source: C:\Users\user\Desktop\0098764345678.exe Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\0098764345678.exe Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\0098764345678.exe Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
Source: C:\Users\user\Desktop\0098764345678.exe Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\0098764345678.exe Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\0098764345678.exe Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\0098764345678.exe Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
Source: C:\Users\user\Desktop\0098764345678.exe Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
Source: C:\Users\user\Desktop\0098764345678.exe Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
Source: C:\Users\user\Desktop\0098764345678.exe Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
Source: C:\Users\user\Desktop\0098764345678.exe Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
Source: C:\Users\user\Desktop\0098764345678.exe Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\0098764345678.exe Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
Source: C:\Users\user\Desktop\0098764345678.exe Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\0098764345678.exe Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
Source: C:\Users\user\Desktop\0098764345678.exe Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
Source: C:\Users\user\Desktop\0098764345678.exe Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
Source: C:\Users\user\Desktop\0098764345678.exe Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\0098764345678.exe Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
Source: C:\Users\user\Desktop\0098764345678.exe Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
Source: C:\Users\user\Desktop\0098764345678.exe Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\0098764345678.exe Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
Source: C:\Users\user\Desktop\0098764345678.exe Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
Source: C:\Users\user\Desktop\0098764345678.exe Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
Source: C:\Users\user\Desktop\0098764345678.exe Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
Source: C:\Users\user\Desktop\0098764345678.exe Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
Source: C:\Users\user\Desktop\0098764345678.exe Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
Source: C:\Users\user\Desktop\0098764345678.exe Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
Source: C:\Users\user\Desktop\0098764345678.exe Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\0098764345678.exe Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\0098764345678.exe Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
Source: C:\Users\user\Desktop\0098764345678.exe Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\0098764345678.exe Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
Source: C:\Users\user\Desktop\0098764345678.exe Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\0098764345678.exe Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
Source: C:\Users\user\Desktop\0098764345678.exe Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\0098764345678.exe Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\0098764345678.exe Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\0098764345678.exe Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
Source: C:\Users\user\Desktop\0098764345678.exe Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
Source: C:\Users\user\Desktop\0098764345678.exe Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
Source: C:\Users\user\Desktop\0098764345678.exe Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
Source: C:\Users\user\Desktop\0098764345678.exe Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
Source: C:\Users\user\Desktop\0098764345678.exe Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\0098764345678.exe Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
Source: C:\Users\user\Desktop\0098764345678.exe Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
Source: C:\Users\user\Desktop\0098764345678.exe Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
Source: C:\Users\user\Desktop\0098764345678.exe Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\0098764345678.exe Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
Source: C:\Users\user\Desktop\0098764345678.exe Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\0098764345678.exe Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
Source: C:\Users\user\Desktop\0098764345678.exe Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
Source: C:\Users\user\Desktop\0098764345678.exe Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
Source: C:\Users\user\Desktop\0098764345678.exe Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\0098764345678.exe Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
Source: C:\Users\user\Desktop\0098764345678.exe Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
Source: C:\Users\user\Desktop\0098764345678.exe Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
Source: C:\Users\user\Desktop\0098764345678.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\0098764345678.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
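The list above ends with a read of HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid, a per-installation value that stays constant across reboots and is therefore a natural host-fingerprinting input, after a sweep of volume-information queries over every file in C:\Windows\Fonts. The Python triage helper below is an added example, not part of this report or of the sandbox's tooling; it parses behaviour lines in the exact format printed above, groups the file probes by directory and flags reads of host-identifying registry values. The embedded sample lines are a constructed subset of the list above, and HOST_ID_VALUES and the 20-file threshold are assumptions to be tuned.

```python
"""Triage helper for sandbox behaviour lines (added example, not from the report)."""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass, field

# Constructed sample input: a subset of the behaviour lines shown in the report,
# in the same "Source: <process> <action>: <target> ..." layout.
SAMPLE_LINES = r"""
Source: C:\Users\user\Desktop\0098764345678.exe Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\0098764345678.exe Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
Source: C:\Users\user\Desktop\0098764345678.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\0098764345678.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
"""

VOLINFO_RE = re.compile(
    r"^Source: (?P<proc>.+?) Queries volume information: (?P<path>.+?) VolumeInformation$"
)
REGKEY_RE = re.compile(r"^Source: (?P<proc>.+?) Key value queried: (?P<key>.+?) (?P<value>\S+)$")

# Registry values that identify a host across reboots (lower-cased for matching).
# Assumption: this short list is a starting point; extend it for your environment.
HOST_ID_VALUES = {
    (r"hkey_local_machine\software\microsoft\cryptography", "machineguid"),
}
FONT_DIR = r"c:\windows\fonts"


@dataclass
class Triage:
    volinfo_by_dir: dict[str, int] = field(default_factory=dict)  # directory -> probe count
    host_id_reads: list[tuple[str, str]] = field(default_factory=list)  # (key, value) as written
    unparsed: list[str] = field(default_factory=list)  # lines neither regex understood


def triage(text: str) -> Triage:
    """Parse behaviour lines and bucket file probes by directory; keep host-ID reads."""
    by_dir: Counter[str] = Counter()
    result = Triage()
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := VOLINFO_RE.match(line):
            # Case-fold and drop the file name so all probes of one folder collapse together.
            directory = m.group("path").rsplit("\\", 1)[0].lower()
            by_dir[directory] += 1
        elif m := REGKEY_RE.match(line):
            key, value = m.group("key"), m.group("value")
            if (key.lower(), value.lower()) in HOST_ID_VALUES:
                result.host_id_reads.append((key, value))
        else:
            result.unparsed.append(line)
    result.volinfo_by_dir = dict(by_dir)
    return result


def findings(t: Triage, font_threshold: int = 20) -> list[str]:
    """Turn a Triage into human-readable findings.

    A wide sweep of C:\\Windows\\Fonts is reported as low signal: font enumeration by
    GUI/graphics libraries produces the same pattern, so it only supports other evidence.
    A read of a host-identifying registry value is reported on its own.
    """
    out: list[str] = []
    n = t.volinfo_by_dir.get(FONT_DIR, 0)
    if n >= font_threshold:  # assumption: 20 files is the cut-off for "enumeration"
        out.append(f"font-enumeration: {n} volume-information queries under {FONT_DIR} (low signal)")
    for key, value in t.host_id_reads:
        out.append(f"host-fingerprint: read {key}\\{value}")
    return out


if __name__ == "__main__":
    # Paste the report's full behaviour list in place of SAMPLE_LINES to triage it.
    for line in findings(triage(SAMPLE_LINES), font_threshold=3):
        print(line)
```

Against the full list in this section the font bucket reaches the default threshold and both findings fire; the MachineGuid read is the one to carry forward as an indicator, since the font sweep on its own would also match benign .NET applications that enumerate installed fonts.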

Stealing of Sensitive Information

Source: Yara match File source: 4.0.0098764345678.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000012.00000002.529641329.0000000000800000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000000.364459819.000000000D20D000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.302568532.0000000003689000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000000.389433481.000000000D20D000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.531711624.0000000000B40000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.284514841.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.532244734.0000000000B70000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Source: Yara match File source: 4.0.0098764345678.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000012.00000002.529641329.0000000000800000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000000.364459819.000000000D20D000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.302568532.0000000003689000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000000.389433481.000000000D20D000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.531711624.0000000000B40000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.284514841.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.532244734.0000000000B70000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY