Windows Analysis Report
opp.scr.exe

Overview

General Information

Sample name: opp.scr.exe
Analysis ID: 1435367
MD5: f7c26f0b2088e0324b019c534686b257
SHA1: 98d314090e6c74cd6afc5d2fde7e4dd77d1fe240
SHA256: 8ec69eaf10a3043817f153a9ac99d113884d1fe657709b759512b688c5014b8f
Tags: exe

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Yara detected FormBook
.NET source code references suspicious native API functions
Found direct / indirect Syscall (likely to bypass EDR)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Maps a DLL or memory area into another process
Queues an APC in another process (thread injection)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara signature match

Classification

AV Detection

Source: opp.scr.exe Avira: detected
Source: http://www.terelprime.com/ufuh/?p80t2Pu=YGhnx96XAVFPN8tv1lUEEiUVdSmZ/iyWteKDUnkDVIOF49Ku923zDENpH5OUCIyJQHomPTwvfF1wQ0t1Y4t+Kv0hk37pk2XOQoNeMFqeOrHvpWJ1tST0YGmxjRv23ozT3g==&B6bX=zjl0 Avira URL Cloud: Label: malware
Source: opp.scr.exe ReversingLabs: Detection: 34%
Source: opp.scr.exe Virustotal: Detection: 45%
Source: Yara match File source: 1.2.opp.scr.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.opp.scr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000001.00000002.2391790810.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.3859938760.0000000004E90000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2689683266.0000000004130000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2689714641.0000000004170000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.2393254649.00000000011C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.3858270697.0000000004E70000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.2399808380.00000000041B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: opp.scr.exe Joe Sandbox ML: detected
Source: opp.scr.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 23.1.237.91:443 -> 192.168.2.5:49725 version: TLS 1.0
Source: unknown HTTPS traffic detected: 104.118.8.139:443 -> 192.168.2.5:49719 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.118.8.139:443 -> 192.168.2.5:49720 version: TLS 1.2
Source: unknown HTTPS traffic detected: 20.12.23.50:443 -> 192.168.2.5:49721 version: TLS 1.2
Source: unknown HTTPS traffic detected: 52.165.165.26:443 -> 192.168.2.5:49729 version: TLS 1.2
Source: opp.scr.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: C:\Users\GT350\source\repos\UpdatedRunpe\UpdatedRunpe\obj\x86\Debug\AQipUvwTwkLZyiCs.pdb source: opp.scr.exe, 00000000.00000002.1993405256.00000000058C0000.00000004.08000000.00040000.00000000.sdmp, opp.scr.exe, 00000000.00000002.1992294507.00000000030D1000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dfrgui.pdb source: opp.scr.exe, 00000001.00000002.2393570245.0000000001207000.00000004.00000020.00020000.00000000.sdmp, oOOsxwAhjIw.exe, 00000008.00000002.3857446926.0000000000988000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: dfrgui.pdbGCTL source: opp.scr.exe, 00000001.00000002.2393570245.0000000001207000.00000004.00000020.00020000.00000000.sdmp, oOOsxwAhjIw.exe, 00000008.00000002.3857446926.0000000000988000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: oOOsxwAhjIw.exe, 00000008.00000002.3856743895.000000000022E000.00000002.00000001.01000000.00000009.sdmp, oOOsxwAhjIw.exe, 0000000A.00000000.2462623860.000000000022E000.00000002.00000001.01000000.00000009.sdmp
Source: Binary string: wntdll.pdbUGP source: opp.scr.exe, 00000001.00000002.2394022437.0000000001660000.00000040.00001000.00020000.00000000.sdmp, dfrgui.exe, 00000009.00000003.2399221068.00000000041EF000.00000004.00000020.00020000.00000000.sdmp, dfrgui.exe, 00000009.00000002.2689855122.000000000453E000.00000040.00001000.00020000.00000000.sdmp, dfrgui.exe, 00000009.00000003.2391671200.0000000004031000.00000004.00000020.00020000.00000000.sdmp, dfrgui.exe, 00000009.00000002.2689855122.00000000043A0000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: opp.scr.exe, opp.scr.exe, 00000001.00000002.2394022437.0000000001660000.00000040.00001000.00020000.00000000.sdmp, dfrgui.exe, dfrgui.exe, 00000009.00000003.2399221068.00000000041EF000.00000004.00000020.00020000.00000000.sdmp, dfrgui.exe, 00000009.00000002.2689855122.000000000453E000.00000040.00001000.00020000.00000000.sdmp, dfrgui.exe, 00000009.00000003.2391671200.0000000004031000.00000004.00000020.00020000.00000000.sdmp, dfrgui.exe, 00000009.00000002.2689855122.00000000043A0000.00000040.00001000.00020000.00000000.sdmp

Networking

Source: Traffic Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.5:49728 -> 66.96.161.166:80
Source: Joe Sandbox View IP Address: 239.255.255.250
Source: Joe Sandbox View IP Address: 66.96.161.166
Source: Joe Sandbox View ASN Name: BIZLAND-SDUS
Source: Joe Sandbox View JA3 fingerprint: 1138de370e523e824bbca92d049a3777
Source: Joe Sandbox View JA3 fingerprint: 28a2c9bd18a11de089ef85a160da29e4
Source: unknown HTTPS traffic detected: 23.1.237.91:443 -> 192.168.2.5:49725 version: TLS 1.0
Source: unknown TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown TCP traffic detected without corresponding DNS query: 104.118.8.139
Source: unknown TCP traffic detected without corresponding DNS query: 104.118.8.139
Source: unknown TCP traffic detected without corresponding DNS query: 104.118.8.139
Source: unknown TCP traffic detected without corresponding DNS query: 104.118.8.139
Source: unknown TCP traffic detected without corresponding DNS query: 104.118.8.139
Source: unknown TCP traffic detected without corresponding DNS query: 104.118.8.139
Source: unknown TCP traffic detected without corresponding DNS query: 104.118.8.139
Source: unknown TCP traffic detected without corresponding DNS query: 104.118.8.139
Source: unknown TCP traffic detected without corresponding DNS query: 104.118.8.139
Source: unknown TCP traffic detected without corresponding DNS query: 104.118.8.139
Source: unknown TCP traffic detected without corresponding DNS query: 104.118.8.139
Source: unknown TCP traffic detected without corresponding DNS query: 104.118.8.139
Source: unknown TCP traffic detected without corresponding DNS query: 104.118.8.139
Source: unknown TCP traffic detected without corresponding DNS query: 104.118.8.139
Source: unknown TCP traffic detected without corresponding DNS query: 104.118.8.139
Source: unknown TCP traffic detected without corresponding DNS query: 104.118.8.139
Source: unknown TCP traffic detected without corresponding DNS query: 104.118.8.139
Source: unknown TCP traffic detected without corresponding DNS query: 104.118.8.139
Source: unknown TCP traffic detected without corresponding DNS query: 104.118.8.139
Source: unknown TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: global traffic HTTP traffic detected: GET /complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&pgcl=20&gs_rn=42&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIkqHLAQiFoM0BCNy9zQEI2sPNAQjpxc0BCLnKzQEIv9HNAQiK080BCNDWzQEIqNjNAQj5wNQVGI/OzQEYutLNARjC2M0BGOuNpRc=Sec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /async/ddljson?async=ntp:2 HTTP/1.1Host: www.google.comConnection: keep-aliveSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /async/newtab_ogb?hl=en-US&async=fixed:0 HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIkqHLAQiFoM0BCNy9zQEI2sPNAQjpxc0BCLnKzQEIv9HNAQiK080BCNDWzQEIqNjNAQj5wNQVGI/OzQEYutLNARjC2M0BGOuNpRc=Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /async/newtab_promos HTTP/1.1Host: www.google.comConnection: keep-aliveSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /sorry/index?continue=https://www.google.com/async/newtab_ogb%3Fhl%3Den-US%26async%3Dfixed:0&hl=en-US&q=EgS_YJbhGIS3zrEGIjAy2SY_wKQfS3Qr9DIp4alnyJkCTUiOIWFLBr4l8U2O7-X7PjrHl9WYNHcJAlxWu-0yAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIkqHLAQiFoM0BCNy9zQEI2sPNAQjpxc0BCLnKzQEIv9HNAQiK080BCNDWzQEIqNjNAQj5wNQVGI/OzQEYutLNARjC2M0BGOuNpRc=Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: 1P_JAR=2024-05-02-13; NID=513=kagEDjFykvKoAP0yl0sL1kceCdSlsxq38rbJXvvayh012PxpNNXfpbKkzAh7U8g-UcB5j8kSKnHvFbFlm_drDhRUplG0u-yRqpVq4Bp0PrYa_i3zve2NFSHgx-VHdiOxzy44Flbipwim5igaZ1Atm6f83h90MBFNiD0xnZ1XgEU
Source: global traffic HTTP traffic detected: GET /sorry/index?continue=https://www.google.com/async/newtab_promos&q=EgS_YJbhGIS3zrEGIjC0v607c_qYvTi5H8NDS3aYuCJmplAqD5Rl0JeJ4_KibV6kPGTEw6xAv1H63aOy6jsyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM HTTP/1.1Host: www.google.comConnection: keep-aliveSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: 1P_JAR=2024-05-02-13; NID=513=kUszvrnp6L6qkzmjnXT8tKxx3ftCnD_6dpqXT5ipG2-oWiOp0NvDcpVBh2C9JkKo8BLayWIpOpc7ZV6jBbijWa6Kaf9YhwSa0O26wBZFBNJ72vCB0pwahmofUaZfvgUD1reQRrLBhzwF9OIRNktjvtbSUw_lRTOAA6eV1N7C-ys
Source: global traffic HTTP traffic detected: GET /fs/windows/config.json HTTP/1.1Connection: Keep-AliveAccept: */*Accept-Encoding: identityIf-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMTRange: bytes=0-2147483646User-Agent: Microsoft BITS/7.8Host: fs.microsoft.com
Source: global traffic HTTP traffic detected: GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=vPOR2YTmsL7R8cO&MD=bTcn1Cz5 HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com
Source: global traffic HTTP traffic detected: GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=vPOR2YTmsL7R8cO&MD=bTcn1Cz5 HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com
Source: global traffic HTTP traffic detected: GET /ufuh/?p80t2Pu=YGhnx96XAVFPN8tv1lUEEiUVdSmZ/iyWteKDUnkDVIOF49Ku923zDENpH5OUCIyJQHomPTwvfF1wQ0t1Y4t+Kv0hk37pk2XOQoNeMFqeOrHvpWJ1tST0YGmxjRv23ozT3g==&B6bX=zjl0 HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.5Connection: closeHost: www.terelprime.comUser-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36
Source: global traffic DNS traffic detected: DNS query: www.google.com
Source: global traffic DNS traffic detected: DNS query: www.besthomeincome24.com
Source: global traffic DNS traffic detected: DNS query: www.terelprime.com
Source: unknown HTTP traffic detected: POST /threshold/xls.aspx HTTP/1.1Origin: https://www.bing.comReferer: https://www.bing.com/AS/API/WindowsCortanaPane/V2/InitAccept: */*Accept-Language: en-CHContent-type: text/xmlX-Agent-DeviceId: 01000A410900D492X-BM-CBT: 1696428841X-BM-DateFormat: dd/MM/yyyyX-BM-DeviceDimensions: 784x984X-BM-DeviceDimensionsLogical: 784x984X-BM-DeviceScale: 100X-BM-DTZ: 120X-BM-Market: CHX-BM-Theme: 000000;0078d7X-BM-WindowsFlights: FX:117B9872,FX:119E26AD,FX:11C0E96C,FX:11C6E5C2,FX:11C7EB6A,FX:11C9408A,FX:11C940DB,FX:11CB9A9F,FX:11CB9AC1,FX:11CC111C,FX:11D5BFCD,FX:11DF5B12,FX:11DF5B75,FX:1240931B,FX:124B38D0,FX:127FC878,FX:1283FFE8,FX:12840617,FX:128979F9,FX:128EBD7E,FX:129135BB,FX:129E053F,FX:12A74DB5,FX:12AB734D,FX:12B8450E,FX:12BD6E73,FX:12C3331B,FX:12C7D66EX-Device-ClientSession: DB0AFB19004F47BC80E5208C7478FF22X-Device-isOptin: falseX-Device-MachineId: {92C86F7C-DB2B-4F6A-95AD-98B4A2AE008A}X-Device-OSSKU: 48X-Device-Touch: falseX-DeviceID: 01000A410900D492X-MSEdge-ExternalExp: d-thshld39,d-thshld42,d-thshld77,d-thshld78,staticshX-MSEdge-ExternalExpType: JointCoordX-PositionerType: DesktopX-Search-AppId: Microsoft.Windows.Cortana_cw5n1h2txyewy!CortanaUIX-Search-CortanaAvailableCapabilities: NoneX-Search-SafeSearch: ModerateX-Search-TimeZone: Bias=-60; DaylightBias=-60; TimeZoneKeyName=W. Europe Standard TimeX-UserAgeClass: UnknownAccept-Encoding: gzip, deflate, brUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Cortana 1.14.7.19041; 10.0.0.0.19045.2006) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19045Host: www.bing.comContent-Length: 2484Connection: Keep-AliveCache-Control: no-cacheCookie: MUID=2F4E96DB8B7049E59AD4484C3C00F7CF; _SS=SID=1A6DEABB468B65843EB5F91B47916435&CPID=1714658161007&AC=1&CPH=d1a4eb75; _EDGE_S=SID=1A6DEABB468B65843EB5F91B47916435; SRCHUID=V=2&GUID=3D32B8AC657C4AD781A584E283227995&dmnchg=1; SRCHD=AF=NOFORM; SRCHUSR=DOB=20231004; SRCHHPGUSR=SRCHLANG=en&IPMH=986d886c&IPMID=1696428841029&HV=1696428756; CortanaAppUID=5A290E2CC4B523E2D8B5E2E3E4CB7CB7; MUIDB=2F4E96DB8B7049E59AD4484C3C00F7CF
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 02 May 2024 13:57:10 GMTContent-Type: text/htmlContent-Length: 867Connection: closeServer: ApacheLast-Modified: Fri, 10 Jan 2020 16:05:10 GMTAccept-Ranges: bytesAge: 0Data Ascii: <!DOCTYPE HTML><html> <head> <title>404 Error - Page Not Found</title> <style> #ad_frame{ height:800px; width:100%; }
Source: dfrgui.exe, 00000009.00000002.2690174936.0000000004F46000.00000004.10000000.00040000.00000000.sdmp, oOOsxwAhjIw.exe, 0000000A.00000002.3858719384.0000000002FD6000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000C.00000002.3856627290.00000000388B6000.00000004.80000000.00040000.00000000.sdmp String found in binary or memory: http://www.searchvity.com/
Source: dfrgui.exe, 00000009.00000002.2690174936.0000000004F46000.00000004.10000000.00040000.00000000.sdmp, oOOsxwAhjIw.exe, 0000000A.00000002.3858719384.0000000002FD6000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000C.00000002.3856627290.00000000388B6000.00000004.80000000.00040000.00000000.sdmp String found in binary or memory: http://www.searchvity.com/?dn=
Source: dfrgui.exe, 00000009.00000002.2688193511.0000000000514000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: dfrgui.exe, 00000009.00000002.2688193511.0000000000514000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: dfrgui.exe, 00000009.00000002.2688193511.0000000000514000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: dfrgui.exe, 00000009.00000002.2688193511.0000000000514000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&comm
Source: dfrgui.exe, 00000009.00000002.2688193511.0000000000514000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: dfrgui.exe, 00000009.00000002.2688193511.0000000000514000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: dfrgui.exe, 00000009.00000002.2688193511.0000000000514000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: dfrgui.exe, 00000009.00000002.2688193511.000000000048A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
Source: dfrgui.exe, 00000009.00000002.2688193511.000000000048A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
Source: dfrgui.exe, 00000009.00000002.2688193511.000000000048A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
Source: dfrgui.exe, 00000009.00000002.2688193511.000000000046A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033V
Source: dfrgui.exe, 00000009.00000002.2688193511.000000000048A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
Source: dfrgui.exe, 00000009.00000002.2688193511.000000000048A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
Source: dfrgui.exe, 00000009.00000003.2621383147.00000000076F5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srfhttps://login.l
Source: dfrgui.exe, 00000009.00000002.2688193511.0000000000514000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.ecosia.org/newtab/
Source: unknown Network traffic detected: HTTP traffic on port 49674 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown Network traffic detected: HTTP traffic on port 49673 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49703 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49703
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49725
Source: unknown HTTPS traffic detected: 104.118.8.139:443 -> 192.168.2.5:49719 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.118.8.139:443 -> 192.168.2.5:49720 version: TLS 1.2
Source: unknown HTTPS traffic detected: 20.12.23.50:443 -> 192.168.2.5:49721 version: TLS 1.2
Source: unknown HTTPS traffic detected: 52.165.165.26:443 -> 192.168.2.5:49729 version: TLS 1.2

E-Banking Fraud

Source: Yara match File source: 1.2.opp.scr.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.opp.scr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000001.00000002.2391790810.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.3859938760.0000000004E90000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2689683266.0000000004130000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2689714641.0000000004170000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.2393254649.00000000011C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.3858270697.0000000004E70000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.2399808380.00000000041B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

System Summary

Source: 1.2.opp.scr.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 1.2.opp.scr.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0.2.opp.scr.exe.4146390.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects downloader injector Author: ditekSHen
Source: 0.2.opp.scr.exe.57d0000.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects downloader injector Author: ditekSHen
Source: 0.2.opp.scr.exe.57d0000.3.unpack, type: UNPACKEDPE Matched rule: Detects downloader injector Author: ditekSHen
Source: 0.2.opp.scr.exe.4146390.2.unpack, type: UNPACKEDPE Matched rule: Detects downloader injector Author: ditekSHen
Source: 0.2.opp.scr.exe.30e1c3c.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects downloader injector Author: ditekSHen
Source: 0.2.opp.scr.exe.30df3fc.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects downloader injector Author: ditekSHen
Source: 00000000.00000002.1993109021.00000000057D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Detects downloader injector Author: ditekSHen
Source: 00000001.00000002.2391790810.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000A.00000002.3859938760.0000000004E90000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000009.00000002.2689683266.0000000004130000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000009.00000002.2689714641.0000000004170000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000001.00000002.2393254649.00000000011C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000008.00000002.3858270697.0000000004E70000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000001.00000002.2399808380.00000000041B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_0040B0C3 NtCreateSection, 1_2_0040B0C3
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_0040A883 NtGetContextThread, 1_2_0040A883
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_0040B2E3 NtMapViewOfSection, 1_2_0040B2E3
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_0040AA93 NtSetContextThread, 1_2_0040AA93
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_0040BBB3 NtDelayExecution, 1_2_0040BBB3
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_0040ACA3 NtResumeThread, 1_2_0040ACA3
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_0040B513 NtCreateFile, 1_2_0040B513
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_0040A673 NtSuspendThread, 1_2_0040A673
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_0042BF43 NtClose, 1_2_0042BF43
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_0040B743 NtReadFile, 1_2_0040B743
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_0040BFD3 NtAllocateVirtualMemory, 1_2_0040BFD3
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_016D2B60 NtClose,LdrInitializeThunk, 1_2_016D2B60
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_016D2DF0 NtQuerySystemInformation,LdrInitializeThunk, 1_2_016D2DF0
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_016D2C70 NtFreeVirtualMemory,LdrInitializeThunk, 1_2_016D2C70
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_016D35C0 NtCreateMutant,LdrInitializeThunk, 1_2_016D35C0
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_016D4340 NtSetContextThread, 1_2_016D4340
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_016D4650 NtSuspendThread, 1_2_016D4650
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_016D2BE0 NtQueryValueKey, 1_2_016D2BE0
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_016D2BF0 NtAllocateVirtualMemory, 1_2_016D2BF0
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_016D2BA0 NtEnumerateValueKey, 1_2_016D2BA0
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_016D2B80 NtQueryInformationFile, 1_2_016D2B80
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_016D2AF0 NtWriteFile, 1_2_016D2AF0
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_016D2AD0 NtReadFile, 1_2_016D2AD0
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_016D2AB0 NtWaitForSingleObject, 1_2_016D2AB0
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_016D2D30 NtUnmapViewOfSection, 1_2_016D2D30
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_016D2D00 NtSetInformationFile, 1_2_016D2D00
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_016D2D10 NtMapViewOfSection, 1_2_016D2D10
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_016D2DD0 NtDelayExecution, 1_2_016D2DD0
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_016D2DB0 NtEnumerateKey, 1_2_016D2DB0
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_016D2C60 NtCreateKey, 1_2_016D2C60
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_016D2C00 NtQueryInformationProcess, 1_2_016D2C00
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_016D2CF0 NtOpenProcess, 1_2_016D2CF0
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_016D2CC0 NtQueryVirtualMemory, 1_2_016D2CC0
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_016D2CA0 NtQueryInformationToken, 1_2_016D2CA0
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_016D2F60 NtCreateProcessEx, 1_2_016D2F60
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_016D2F30 NtCreateSection, 1_2_016D2F30
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_016D2FE0 NtCreateFile, 1_2_016D2FE0
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_016D2FA0 NtQuerySection, 1_2_016D2FA0
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_016D2FB0 NtResumeThread, 1_2_016D2FB0
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_016D2F90 NtProtectVirtualMemory, 1_2_016D2F90
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_016D2E30 NtWriteVirtualMemory, 1_2_016D2E30
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_016D2EE0 NtQueueApcThread, 1_2_016D2EE0
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_016D2EA0 NtAdjustPrivilegesToken, 1_2_016D2EA0
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_016D2E80 NtReadVirtualMemory, 1_2_016D2E80
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_016D3010 NtOpenDirectoryObject, 1_2_016D3010
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_016D3090 NtSetValueKey, 1_2_016D3090
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_016D39B0 NtGetContextThread, 1_2_016D39B0
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_016D3D70 NtOpenThread, 1_2_016D3D70
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_016D3D10 NtOpenProcessToken, 1_2_016D3D10
Source: C:\Windows\SysWOW64\dfrgui.exe Code function: 9_2_04414650 NtSuspendThread,LdrInitializeThunk, 9_2_04414650
Source: C:\Windows\SysWOW64\dfrgui.exe Code function: 9_2_04414340 NtSetContextThread,LdrInitializeThunk, 9_2_04414340
Source: C:\Windows\SysWOW64\dfrgui.exe Code function: 9_2_04412C60 NtCreateKey,LdrInitializeThunk, 9_2_04412C60
Source: C:\Windows\SysWOW64\dfrgui.exe Code function: 9_2_04412C70 NtFreeVirtualMemory,LdrInitializeThunk, 9_2_04412C70
Source: C:\Windows\SysWOW64\dfrgui.exe Code function: 9_2_04412CA0 NtQueryInformationToken,LdrInitializeThunk, 9_2_04412CA0
Source: C:\Windows\SysWOW64\dfrgui.exe Code function: 9_2_04412D10 NtMapViewOfSection,LdrInitializeThunk, 9_2_04412D10
Source: C:\Windows\SysWOW64\dfrgui.exe Code function: 9_2_04412D30 NtUnmapViewOfSection,LdrInitializeThunk, 9_2_04412D30
Source: C:\Windows\SysWOW64\dfrgui.exe Code function: 9_2_04412DD0 NtDelayExecution,LdrInitializeThunk, 9_2_04412DD0
Source: C:\Windows\SysWOW64\dfrgui.exe Code function: 9_2_04412DF0 NtQuerySystemInformation,LdrInitializeThunk, 9_2_04412DF0
Source: C:\Windows\SysWOW64\dfrgui.exe Code function: 9_2_04412EE0 NtQueueApcThread,LdrInitializeThunk, 9_2_04412EE0
Source: C:\Windows\SysWOW64\dfrgui.exe Code function: 9_2_04412E80 NtReadVirtualMemory,LdrInitializeThunk, 9_2_04412E80
Source: C:\Windows\SysWOW64\dfrgui.exe Code function: 9_2_04412F30 NtCreateSection,LdrInitializeThunk, 9_2_04412F30
Source: C:\Windows\SysWOW64\dfrgui.exe Code function: 9_2_04412FE0 NtCreateFile,LdrInitializeThunk, 9_2_04412FE0
Source: C:\Windows\SysWOW64\dfrgui.exe Code function: 9_2_04412FB0 NtResumeThread,LdrInitializeThunk, 9_2_04412FB0
Source: C:\Windows\SysWOW64\dfrgui.exe Code function: 9_2_04412AD0 NtReadFile,LdrInitializeThunk, 9_2_04412AD0
Source: C:\Windows\SysWOW64\dfrgui.exe Code function: 9_2_04412AF0 NtWriteFile,LdrInitializeThunk, 9_2_04412AF0
Source: C:\Windows\SysWOW64\dfrgui.exe Code function: 9_2_04412B60 NtClose,LdrInitializeThunk, 9_2_04412B60
Source: C:\Windows\SysWOW64\dfrgui.exe Code function: 9_2_04412BE0 NtQueryValueKey,LdrInitializeThunk, 9_2_04412BE0
Source: C:\Windows\SysWOW64\dfrgui.exe Code function: 9_2_04412BF0 NtAllocateVirtualMemory,LdrInitializeThunk, 9_2_04412BF0
Source: C:\Windows\SysWOW64\dfrgui.exe Code function: 9_2_04412BA0 NtEnumerateValueKey,LdrInitializeThunk, 9_2_04412BA0
Source: C:\Windows\SysWOW64\dfrgui.exe Code function: 9_2_044135C0 NtCreateMutant,LdrInitializeThunk, 9_2_044135C0
Source: C:\Windows\SysWOW64\dfrgui.exe Code function: 9_2_044139B0 NtGetContextThread,LdrInitializeThunk, 9_2_044139B0
Source: C:\Windows\SysWOW64\dfrgui.exe Code function: 9_2_04412C00 NtQueryInformationProcess, 9_2_04412C00
Source: C:\Windows\SysWOW64\dfrgui.exe Code function: 9_2_04412CC0 NtQueryVirtualMemory, 9_2_04412CC0
Source: C:\Windows\SysWOW64\dfrgui.exe Code function: 9_2_04412CF0 NtOpenProcess, 9_2_04412CF0
Source: C:\Windows\SysWOW64\dfrgui.exe Code function: 9_2_04412D00 NtSetInformationFile, 9_2_04412D00
Source: C:\Windows\SysWOW64\dfrgui.exe Code function: 9_2_04412DB0 NtEnumerateKey, 9_2_04412DB0
Source: C:\Windows\SysWOW64\dfrgui.exe Code function: 9_2_04412E30 NtWriteVirtualMemory, 9_2_04412E30
Source: C:\Windows\SysWOW64\dfrgui.exe Code function: 9_2_04412EA0 NtAdjustPrivilegesToken, 9_2_04412EA0
Source: C:\Windows\SysWOW64\dfrgui.exe Code function: 9_2_04412F60 NtCreateProcessEx, 9_2_04412F60
Source: C:\Windows\SysWOW64\dfrgui.exe Code function: 9_2_04412F90 NtProtectVirtualMemory, 9_2_04412F90
Source: C:\Windows\SysWOW64\dfrgui.exe Code function: 9_2_04412FA0 NtQuerySection, 9_2_04412FA0
Source: C:\Windows\SysWOW64\dfrgui.exe Code function: 9_2_04412AB0 NtWaitForSingleObject, 9_2_04412AB0
Source: C:\Windows\SysWOW64\dfrgui.exe Code function: 9_2_04412B80 NtQueryInformationFile, 9_2_04412B80
Source: C:\Windows\SysWOW64\dfrgui.exe Code function: 9_2_04413010 NtOpenDirectoryObject, 9_2_04413010
Source: C:\Windows\SysWOW64\dfrgui.exe Code function: 9_2_04413090 NtSetValueKey, 9_2_04413090
Source: C:\Windows\SysWOW64\dfrgui.exe Code function: 9_2_04413D70 NtOpenThread, 9_2_04413D70
Source: C:\Windows\SysWOW64\dfrgui.exe Code function: 9_2_04413D10 NtOpenProcessToken, 9_2_04413D10
Source: C:\Users\user\Desktop\opp.scr.exe Code function: String function: 0171F290 appears 105 times
Source: C:\Users\user\Desktop\opp.scr.exe Code function: String function: 0170EA12 appears 86 times
Source: C:\Users\user\Desktop\opp.scr.exe Code function: String function: 016E7E54 appears 111 times
Source: C:\Users\user\Desktop\opp.scr.exe Code function: String function: 016D5130 appears 58 times
Source: C:\Users\user\Desktop\opp.scr.exe Code function: String function: 0168B970 appears 280 times
Source: C:\Windows\SysWOW64\dfrgui.exe Code function: String function: 0445F290 appears 105 times
Source: C:\Windows\SysWOW64\dfrgui.exe Code function: String function: 043CB970 appears 280 times
Source: C:\Windows\SysWOW64\dfrgui.exe Code function: String function: 04427E54 appears 111 times
Source: C:\Windows\SysWOW64\dfrgui.exe Code function: String function: 0444EA12 appears 86 times
Source: C:\Windows\SysWOW64\dfrgui.exe Code function: String function: 04415130 appears 58 times
Source: opp.scr.exe, 00000000.00000002.1993109021.00000000057D0000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameExample.dll0 vs opp.scr.exe
Source: opp.scr.exe, 00000000.00000000.1987033740.0000000000DEC000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameHOSTNAME.exel% vs opp.scr.exe
Source: opp.scr.exe, 00000000.00000002.1993405256.00000000058C0000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameAQipUvwTwkLZyiCs.dll: vs opp.scr.exe
Source: opp.scr.exe, 00000000.00000002.1992294507.00000000030D1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameAQipUvwTwkLZyiCs.dll: vs opp.scr.exe
Source: opp.scr.exe, 00000000.00000002.1992388904.00000000040D5000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameExample.dll0 vs opp.scr.exe
Source: opp.scr.exe, 00000001.00000002.2394022437.000000000178D000.00000040.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs opp.scr.exe
Source: opp.scr.exe, 00000001.00000002.2393570245.0000000001207000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamelhdfrgui.exej% vs opp.scr.exe
Source: opp.scr.exe Binary or memory string: OriginalFilenameHOSTNAME.exel% vs opp.scr.exe
Source: opp.scr.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 1.2.opp.scr.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 1.2.opp.scr.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0.2.opp.scr.exe.4146390.2.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_DLInjector02 author = ditekSHen, description = Detects downloader injector
Source: 0.2.opp.scr.exe.57d0000.3.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_DLInjector02 author = ditekSHen, description = Detects downloader injector
Source: 0.2.opp.scr.exe.57d0000.3.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_DLInjector02 author = ditekSHen, description = Detects downloader injector
Source: 0.2.opp.scr.exe.4146390.2.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_DLInjector02 author = ditekSHen, description = Detects downloader injector
Source: 0.2.opp.scr.exe.30e1c3c.1.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_DLInjector02 author = ditekSHen, description = Detects downloader injector
Source: 0.2.opp.scr.exe.30df3fc.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_DLInjector02 author = ditekSHen, description = Detects downloader injector
Source: 00000000.00000002.1993109021.00000000057D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_DLInjector02 author = ditekSHen, description = Detects downloader injector
Source: 00000001.00000002.2391790810.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000A.00000002.3859938760.0000000004E90000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000009.00000002.2689683266.0000000004130000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000009.00000002.2689714641.0000000004170000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000001.00000002.2393254649.00000000011C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000008.00000002.3858270697.0000000004E70000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000001.00000002.2399808380.00000000041B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: opp.scr.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 0.2.opp.scr.exe.57d0000.3.raw.unpack, DarkListView.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.opp.scr.exe.4146390.2.raw.unpack, DarkListView.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.opp.scr.exe.57d0000.3.raw.unpack, DarkComboBox.cs Base64 encoded string: 'Uwm+UuKGd614I69RzLI93aXq8M4plP4Fl8XGnAA54HkS/0jMOBsYAdDU3ufQvFFjYZJP0JeYZcnDYanLTNfb9IJuC/u1be1KdJkORevGYuzVlkHzJtU9FNAhjxyJAuY/'
Source: 0.2.opp.scr.exe.4146390.2.raw.unpack, DarkComboBox.cs Base64 encoded string: 'Uwm+UuKGd614I69RzLI93aXq8M4plP4Fl8XGnAA54HkS/0jMOBsYAdDU3ufQvFFjYZJP0JeYZcnDYanLTNfb9IJuC/u1be1KdJkORevGYuzVlkHzJtU9FNAhjxyJAuY/'
Source: opp.scr.exe Binary or memory string: MSB2013: The project-to-project reference with GUID {0} could not be converted because a valid .SLN file containing all projects could not be found.
Source: opp.scr.exe Binary or memory string: .vbproj
Source: opp.scr.exe Binary or memory string: .csproj
Source: opp.scr.exe Binary or memory string: .csprojM{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}
Source: opp.scr.exe Binary or memory string: .vbprojM{F184B08F-C81C-45F6-A57F-5ABD9991F28F}
Source: opp.scr.exe Binary or memory string: *.sln.sln
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@22/10@4/5
Source: C:\Users\user\Desktop\opp.scr.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\opp.scr.exe.log
Source: C:\Users\user\Desktop\opp.scr.exe Mutant created: NULL
Source: C:\Windows\SysWOW64\dfrgui.exe File created: C:\Users\user\AppData\Local\Temp\13d6pS3
Source: opp.scr.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: opp.scr.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%
Source: C:\Users\user\Desktop\opp.scr.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: dfrgui.exe, 00000009.00000002.2688193511.00000000004C8000.00000004.00000020.00020000.00000000.sdmp, dfrgui.exe, 00000009.00000003.2621939035.00000000004C8000.00000004.00000020.00020000.00000000.sdmp, dfrgui.exe, 00000009.00000003.2621803630.00000000004A7000.00000004.00000020.00020000.00000000.sdmp, dfrgui.exe, 00000009.00000002.2688193511.00000000004D2000.00000004.00000020.00020000.00000000.sdmp, dfrgui.exe, 00000009.00000002.2688193511.00000000004F6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: opp.scr.exe ReversingLabs: Detection: 34%
Source: opp.scr.exe Virustotal: Detection: 45%
Source: unknown Process created: C:\Users\user\Desktop\opp.scr.exe "C:\Users\user\Desktop\opp.scr.exe"
Source: C:\Users\user\Desktop\opp.scr.exe Process created: C:\Users\user\Desktop\opp.scr.exe "C:\Users\user\Desktop\opp.scr.exe"
Source: unknown Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http:///
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2052 --field-trial-handle=1940,i,10687501719211606552,13801376808827217908,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files (x86)\IbZIyGTNRRgnjGfKKCjfPwQYwyfKGixnBYPXdPAqeWGGHEs\oOOsxwAhjIw.exe Process created: C:\Windows\SysWOW64\dfrgui.exe "C:\Windows\SysWOW64\dfrgui.exe"
Source: C:\Windows\SysWOW64\dfrgui.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: C:\Users\user\Desktop\opp.scr.exe Process created: C:\Users\user\Desktop\opp.scr.exe "C:\Users\user\Desktop\opp.scr.exe"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2052 --field-trial-handle=1940,i,10687501719211606552,13801376808827217908,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files (x86)\IbZIyGTNRRgnjGfKKCjfPwQYwyfKGixnBYPXdPAqeWGGHEs\oOOsxwAhjIw.exe Process created: C:\Windows\SysWOW64\dfrgui.exe "C:\Windows\SysWOW64\dfrgui.exe"
Source: C:\Windows\SysWOW64\dfrgui.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: C:\Users\user\Desktop\opp.scr.exe Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\opp.scr.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\opp.scr.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\opp.scr.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\opp.scr.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\opp.scr.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\opp.scr.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\opp.scr.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\opp.scr.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\opp.scr.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\opp.scr.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\opp.scr.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\opp.scr.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\opp.scr.exe Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\opp.scr.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\opp.scr.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\opp.scr.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\opp.scr.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\dfrgui.exe Section loaded: sxshared.dll
Source: C:\Windows\SysWOW64\dfrgui.exe Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\dfrgui.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\dfrgui.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\dfrgui.exe Section loaded: ieframe.dll
Source: C:\Windows\SysWOW64\dfrgui.exe Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\dfrgui.exe Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\dfrgui.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\dfrgui.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\dfrgui.exe Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\dfrgui.exe Section loaded: wkscli.dll
Source: C:\Windows\SysWOW64\dfrgui.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\dfrgui.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\dfrgui.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\dfrgui.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\dfrgui.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\dfrgui.exe Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\dfrgui.exe Section loaded: mlang.dll
Source: C:\Windows\SysWOW64\dfrgui.exe Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\dfrgui.exe Section loaded: winsqlite3.dll
Source: C:\Windows\SysWOW64\dfrgui.exe Section loaded: vaultcli.dll
Source: C:\Windows\SysWOW64\dfrgui.exe Section loaded: wintypes.dll
Source: C:\Program Files (x86)\IbZIyGTNRRgnjGfKKCjfPwQYwyfKGixnBYPXdPAqeWGGHEs\oOOsxwAhjIw.exe Section loaded: wininet.dll
Source: C:\Program Files (x86)\IbZIyGTNRRgnjGfKKCjfPwQYwyfKGixnBYPXdPAqeWGGHEs\oOOsxwAhjIw.exe Section loaded: mswsock.dll
Source: C:\Program Files (x86)\IbZIyGTNRRgnjGfKKCjfPwQYwyfKGixnBYPXdPAqeWGGHEs\oOOsxwAhjIw.exe Section loaded: dnsapi.dll
Source: C:\Program Files (x86)\IbZIyGTNRRgnjGfKKCjfPwQYwyfKGixnBYPXdPAqeWGGHEs\oOOsxwAhjIw.exe Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\IbZIyGTNRRgnjGfKKCjfPwQYwyfKGixnBYPXdPAqeWGGHEs\oOOsxwAhjIw.exe Section loaded: rasadhlp.dll
Source: C:\Program Files (x86)\IbZIyGTNRRgnjGfKKCjfPwQYwyfKGixnBYPXdPAqeWGGHEs\oOOsxwAhjIw.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\opp.scr.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
Source: Google Drive.lnk.3.dr LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: YouTube.lnk.3.dr LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Sheets.lnk.3.dr LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Gmail.lnk.3.dr LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Slides.lnk.3.dr LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Docs.lnk.3.dr LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: C:\Users\user\Desktop\opp.scr.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Windows\SysWOW64\dfrgui.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
Source: opp.scr.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: opp.scr.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: C:\Users\GT350\source\repos\UpdatedRunpe\UpdatedRunpe\obj\x86\Debug\AQipUvwTwkLZyiCs.pdb source: opp.scr.exe, 00000000.00000002.1993405256.00000000058C0000.00000004.08000000.00040000.00000000.sdmp, opp.scr.exe, 00000000.00000002.1992294507.00000000030D1000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dfrgui.pdb source: opp.scr.exe, 00000001.00000002.2393570245.0000000001207000.00000004.00000020.00020000.00000000.sdmp, oOOsxwAhjIw.exe, 00000008.00000002.3857446926.0000000000988000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: dfrgui.pdbGCTL source: opp.scr.exe, 00000001.00000002.2393570245.0000000001207000.00000004.00000020.00020000.00000000.sdmp, oOOsxwAhjIw.exe, 00000008.00000002.3857446926.0000000000988000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: oOOsxwAhjIw.exe, 00000008.00000002.3856743895.000000000022E000.00000002.00000001.01000000.00000009.sdmp, oOOsxwAhjIw.exe, 0000000A.00000000.2462623860.000000000022E000.00000002.00000001.01000000.00000009.sdmp
Source: Binary string: wntdll.pdbUGP source: opp.scr.exe, 00000001.00000002.2394022437.0000000001660000.00000040.00001000.00020000.00000000.sdmp, dfrgui.exe, 00000009.00000003.2399221068.00000000041EF000.00000004.00000020.00020000.00000000.sdmp, dfrgui.exe, 00000009.00000002.2689855122.000000000453E000.00000040.00001000.00020000.00000000.sdmp, dfrgui.exe, 00000009.00000003.2391671200.0000000004031000.00000004.00000020.00020000.00000000.sdmp, dfrgui.exe, 00000009.00000002.2689855122.00000000043A0000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: opp.scr.exe, opp.scr.exe, 00000001.00000002.2394022437.0000000001660000.00000040.00001000.00020000.00000000.sdmp, dfrgui.exe, dfrgui.exe, 00000009.00000003.2399221068.00000000041EF000.00000004.00000020.00020000.00000000.sdmp, dfrgui.exe, 00000009.00000002.2689855122.000000000453E000.00000040.00001000.00020000.00000000.sdmp, dfrgui.exe, 00000009.00000003.2391671200.0000000004031000.00000004.00000020.00020000.00000000.sdmp, dfrgui.exe, 00000009.00000002.2689855122.00000000043A0000.00000040.00001000.00020000.00000000.sdmp
Source: opp.scr.exe Static PE information: 0xEDF99A74 [Sun Jul 8 03:56:36 2096 UTC]
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_0041B855 pushad ; iretd 1_2_0041B884
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_00407936 push eax; iretd 1_2_00407937
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_004191E7 push ecx; ret 1_2_004191E8
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_00415A7A push esi; retf 1_2_00415AB4
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_004202B7 push esi; retf 1_2_004202B8
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_0040EB41 push 7B0B5DBBh; iretd 1_2_0040EB4A
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_0042F3B2 push eax; ret 1_2_0042F3B4
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_00419C00 pushad ; retf 1_2_00419C2D
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_00415C3E push esp; retf 1_2_00415C8E
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_00403640 push eax; ret 1_2_00403642
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_0041F75D push eax; iretd 1_2_0041F75E
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_016909AD push ecx; mov dword ptr [esp], ecx 1_2_016909B6
Source: C:\Program Files (x86)\IbZIyGTNRRgnjGfKKCjfPwQYwyfKGixnBYPXdPAqeWGGHEs\oOOsxwAhjIw.exe Code function: 8_2_051315A9 push eax; iretd 8_2_051315AA
Source: C:\Program Files (x86)\IbZIyGTNRRgnjGfKKCjfPwQYwyfKGixnBYPXdPAqeWGGHEs\oOOsxwAhjIw.exe Code function: 8_2_05119782 push eax; iretd 8_2_05119783
Source: C:\Program Files (x86)\IbZIyGTNRRgnjGfKKCjfPwQYwyfKGixnBYPXdPAqeWGGHEs\oOOsxwAhjIw.exe Code function: 8_2_0512D6A1 pushad ; iretd 8_2_0512D6D0
Source: C:\Program Files (x86)\IbZIyGTNRRgnjGfKKCjfPwQYwyfKGixnBYPXdPAqeWGGHEs\oOOsxwAhjIw.exe Code function: 8_2_05132103 push esi; retf 8_2_05132104
Source: C:\Program Files (x86)\IbZIyGTNRRgnjGfKKCjfPwQYwyfKGixnBYPXdPAqeWGGHEs\oOOsxwAhjIw.exe Code function: 8_2_0512098D push 7B0B5DBBh; iretd 8_2_05120996
Source: C:\Program Files (x86)\IbZIyGTNRRgnjGfKKCjfPwQYwyfKGixnBYPXdPAqeWGGHEs\oOOsxwAhjIw.exe Code function: 8_2_051411FE push eax; ret 8_2_05141200
Source: C:\Program Files (x86)\IbZIyGTNRRgnjGfKKCjfPwQYwyfKGixnBYPXdPAqeWGGHEs\oOOsxwAhjIw.exe Code function: 8_2_0512B033 push ecx; ret 8_2_0512B034
Source: C:\Program Files (x86)\IbZIyGTNRRgnjGfKKCjfPwQYwyfKGixnBYPXdPAqeWGGHEs\oOOsxwAhjIw.exe Code function: 8_2_0513220B push eax; ret 8_2_05132233
Source: C:\Program Files (x86)\IbZIyGTNRRgnjGfKKCjfPwQYwyfKGixnBYPXdPAqeWGGHEs\oOOsxwAhjIw.exe Code function: 8_2_0512BA4C pushad ; retf 8_2_0512BA79
Source: C:\Windows\SysWOW64\dfrgui.exe Code function: 9_2_043A27FA pushad ; ret 9_2_043A27F9
Source: C:\Windows\SysWOW64\dfrgui.exe Code function: 9_2_043A225F pushad ; ret 9_2_043A27F9
Source: C:\Windows\SysWOW64\dfrgui.exe Code function: 9_2_043A283D push eax; iretd 9_2_043A2858
Source: C:\Windows\SysWOW64\dfrgui.exe Code function: 9_2_043D09AD push ecx; mov dword ptr [esp], ecx 9_2_043D09B6
Source: opp.scr.exe Static PE information: section name: .text entropy: 7.698137982224532
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk
Source: C:\Users\user\Desktop\opp.scr.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\opp.scr.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\opp.scr.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\opp.scr.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\opp.scr.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\opp.scr.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\opp.scr.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\opp.scr.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\opp.scr.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\opp.scr.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\opp.scr.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\opp.scr.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\opp.scr.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\opp.scr.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\opp.scr.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\opp.scr.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\opp.scr.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\opp.scr.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\opp.scr.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\opp.scr.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\opp.scr.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\opp.scr.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\opp.scr.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\opp.scr.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\opp.scr.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\opp.scr.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\opp.scr.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\opp.scr.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\dfrgui.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\dfrgui.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\dfrgui.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\dfrgui.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\dfrgui.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\opp.scr.exe Memory allocated: 1710000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\opp.scr.exe Memory allocated: 30D0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\opp.scr.exe Memory allocated: 50D0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_016D096E rdtsc 1_2_016D096E
Source: C:\Users\user\Desktop\opp.scr.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\opp.scr.exe API coverage: 1.3 %
Source: C:\Windows\SysWOW64\dfrgui.exe API coverage: 1.5 %
Source: C:\Users\user\Desktop\opp.scr.exe TID: 1964 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\IbZIyGTNRRgnjGfKKCjfPwQYwyfKGixnBYPXdPAqeWGGHEs\oOOsxwAhjIw.exe TID: 7932 Thread sleep time: -120000s >= -30000s
Source: C:\Windows\SysWOW64\dfrgui.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\opp.scr.exe Thread delayed: delay time: 922337203685477
Source: dfrgui.exe, 00000009.00000002.2694306221.0000000007746000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: account.microsoft.com/profileVMware20
Source: 13d6pS3.9.dr Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: dfrgui.exe, 00000009.00000002.2694306221.0000000007746000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU WestVMware20,1169642
Source: dfrgui.exe, 00000009.00000002.2694306221.0000000007746000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: agement pageVMware20,11696428655
Source: 13d6pS3.9.dr Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: 13d6pS3.9.dr Binary or memory string: discord.comVMware20,11696428655f
Source: 13d6pS3.9.dr Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: 13d6pS3.9.dr Binary or memory string: global block list test formVMware20,11696428655
Source: dfrgui.exe, 00000009.00000002.2694306221.0000000007746000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: omVMware20,11696428655|UE
Source: 13d6pS3.9.dr Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: oOOsxwAhjIw.exe, 0000000A.00000002.3857549327.000000000097F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllf
Source: 13d6pS3.9.dr Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: 13d6pS3.9.dr Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: 13d6pS3.9.dr Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: dfrgui.exe, 00000009.00000002.2694306221.0000000007746000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: n.utiitsl.comVMware20,11696428655h
Source: 13d6pS3.9.dr Binary or memory string: secure.bankofamerica.comVMware20,11696428655|UE
Source: 13d6pS3.9.dr Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: 13d6pS3.9.dr Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: 13d6pS3.9.dr Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: 13d6pS3.9.dr Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: 13d6pS3.9.dr Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: dfrgui.exe, 00000009.00000002.2688193511.000000000045A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: 13d6pS3.9.dr Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: dfrgui.exe, 00000009.00000002.2694306221.0000000007746000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: sswords blocklistVMware20,11696428655
Source: 13d6pS3.9.dr Binary or memory string: outlook.office.comVMware20,11696428655s
Source: 13d6pS3.9.dr Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: 13d6pS3.9.dr Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: 13d6pS3.9.dr Binary or memory string: AMC password management pageVMware20,11696428655
Source: 13d6pS3.9.dr Binary or memory string: tasks.office.comVMware20,11696428655o
Source: 13d6pS3.9.dr Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: 13d6pS3.9.dr Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: 13d6pS3.9.dr Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: 13d6pS3.9.dr Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: 13d6pS3.9.dr Binary or memory string: dev.azure.comVMware20,11696428655j
Source: 13d6pS3.9.dr Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: 13d6pS3.9.dr Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: 13d6pS3.9.dr Binary or memory string: bankofamerica.comVMware20,11696428655x
Source: 13d6pS3.9.dr Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: dfrgui.exe, 00000009.00000002.2694306221.0000000007746000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: outlook.office.comVMware20,W
Source: 13d6pS3.9.dr Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655
Source: C:\Users\user\Desktop\opp.scr.exe Process information queried: ProcessInformation Jump to behavior
Source: C:\Users\user\Desktop\opp.scr.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\SysWOW64\dfrgui.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\SysWOW64\dfrgui.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_016D096E rdtsc 1_2_016D096E
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_00418BA3 LdrLoadDll, 1_2_00418BA3
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_01764164 mov eax, dword ptr fs:[00000030h] 1_2_01764164
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_01764164 mov eax, dword ptr fs:[00000030h] 1_2_01764164
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_01728158 mov eax, dword ptr fs:[00000030h] 1_2_01728158
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_01724144 mov eax, dword ptr fs:[00000030h] 1_2_01724144
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_01724144 mov eax, dword ptr fs:[00000030h] 1_2_01724144
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_01724144 mov ecx, dword ptr fs:[00000030h] 1_2_01724144
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_01724144 mov eax, dword ptr fs:[00000030h] 1_2_01724144
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_01724144 mov eax, dword ptr fs:[00000030h] 1_2_01724144
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_01696154 mov eax, dword ptr fs:[00000030h] 1_2_01696154
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_01696154 mov eax, dword ptr fs:[00000030h] 1_2_01696154
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_0168C156 mov eax, dword ptr fs:[00000030h] 1_2_0168C156
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_016C0124 mov eax, dword ptr fs:[00000030h] 1_2_016C0124
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_01750115 mov eax, dword ptr fs:[00000030h] 1_2_01750115
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_0173A118 mov ecx, dword ptr fs:[00000030h] 1_2_0173A118
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_0173A118 mov eax, dword ptr fs:[00000030h] 1_2_0173A118
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_0173A118 mov eax, dword ptr fs:[00000030h] 1_2_0173A118
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_0173A118 mov eax, dword ptr fs:[00000030h] 1_2_0173A118
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_0173E10E mov eax, dword ptr fs:[00000030h] 1_2_0173E10E
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_0173E10E mov ecx, dword ptr fs:[00000030h] 1_2_0173E10E
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_0173E10E mov eax, dword ptr fs:[00000030h] 1_2_0173E10E
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_0173E10E mov eax, dword ptr fs:[00000030h] 1_2_0173E10E
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_0173E10E mov ecx, dword ptr fs:[00000030h] 1_2_0173E10E
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_0173E10E mov eax, dword ptr fs:[00000030h] 1_2_0173E10E
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_0173E10E mov eax, dword ptr fs:[00000030h] 1_2_0173E10E
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_0173E10E mov ecx, dword ptr fs:[00000030h] 1_2_0173E10E
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_0173E10E mov eax, dword ptr fs:[00000030h] 1_2_0173E10E
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_0173E10E mov ecx, dword ptr fs:[00000030h] 1_2_0173E10E
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_017661E5 mov eax, dword ptr fs:[00000030h] 1_2_017661E5
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_016C01F8 mov eax, dword ptr fs:[00000030h] 1_2_016C01F8
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_0170E1D0 mov eax, dword ptr fs:[00000030h] 1_2_0170E1D0
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_0170E1D0 mov eax, dword ptr fs:[00000030h] 1_2_0170E1D0
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_0170E1D0 mov ecx, dword ptr fs:[00000030h] 1_2_0170E1D0
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_0170E1D0 mov eax, dword ptr fs:[00000030h] 1_2_0170E1D0
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_0170E1D0 mov eax, dword ptr fs:[00000030h] 1_2_0170E1D0
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_017561C3 mov eax, dword ptr fs:[00000030h] 1_2_017561C3
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_017561C3 mov eax, dword ptr fs:[00000030h] 1_2_017561C3
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_016D0185 mov eax, dword ptr fs:[00000030h] 1_2_016D0185
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_0171019F mov eax, dword ptr fs:[00000030h] 1_2_0171019F
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_0171019F mov eax, dword ptr fs:[00000030h] 1_2_0171019F
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_0171019F mov eax, dword ptr fs:[00000030h] 1_2_0171019F
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_0171019F mov eax, dword ptr fs:[00000030h] 1_2_0171019F
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_01734180 mov eax, dword ptr fs:[00000030h] 1_2_01734180
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_01734180 mov eax, dword ptr fs:[00000030h] 1_2_01734180
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_0174C188 mov eax, dword ptr fs:[00000030h] 1_2_0174C188
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_0174C188 mov eax, dword ptr fs:[00000030h] 1_2_0174C188
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_0168A197 mov eax, dword ptr fs:[00000030h] 1_2_0168A197
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_0168A197 mov eax, dword ptr fs:[00000030h] 1_2_0168A197
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_0168A197 mov eax, dword ptr fs:[00000030h] 1_2_0168A197
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_016BC073 mov eax, dword ptr fs:[00000030h] 1_2_016BC073
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_01716050 mov eax, dword ptr fs:[00000030h] 1_2_01716050
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_01692050 mov eax, dword ptr fs:[00000030h] 1_2_01692050
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_01726030 mov eax, dword ptr fs:[00000030h] 1_2_01726030
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_0168A020 mov eax, dword ptr fs:[00000030h] 1_2_0168A020
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_0168C020 mov eax, dword ptr fs:[00000030h] 1_2_0168C020
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_01714000 mov ecx, dword ptr fs:[00000030h] 1_2_01714000
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_01732000 mov eax, dword ptr fs:[00000030h] 1_2_01732000
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_01732000 mov eax, dword ptr fs:[00000030h] 1_2_01732000
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_01732000 mov eax, dword ptr fs:[00000030h] 1_2_01732000
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_01732000 mov eax, dword ptr fs:[00000030h] 1_2_01732000
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_01732000 mov eax, dword ptr fs:[00000030h] 1_2_01732000
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_01732000 mov eax, dword ptr fs:[00000030h] 1_2_01732000
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_01732000 mov eax, dword ptr fs:[00000030h] 1_2_01732000
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_01732000 mov eax, dword ptr fs:[00000030h] 1_2_01732000
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_016AE016 mov eax, dword ptr fs:[00000030h] 1_2_016AE016
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_016AE016 mov eax, dword ptr fs:[00000030h] 1_2_016AE016
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_016AE016 mov eax, dword ptr fs:[00000030h] 1_2_016AE016
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_016AE016 mov eax, dword ptr fs:[00000030h] 1_2_016AE016
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_016980E9 mov eax, dword ptr fs:[00000030h] 1_2_016980E9
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_0168A0E3 mov ecx, dword ptr fs:[00000030h] 1_2_0168A0E3
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_017160E0 mov eax, dword ptr fs:[00000030h] 1_2_017160E0
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_0168C0F0 mov eax, dword ptr fs:[00000030h] 1_2_0168C0F0
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_016D20F0 mov ecx, dword ptr fs:[00000030h] 1_2_016D20F0
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_017120DE mov eax, dword ptr fs:[00000030h] 1_2_017120DE
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_016880A0 mov eax, dword ptr fs:[00000030h] 1_2_016880A0
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_017560B8 mov eax, dword ptr fs:[00000030h] 1_2_017560B8
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_017560B8 mov ecx, dword ptr fs:[00000030h] 1_2_017560B8
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_017280A8 mov eax, dword ptr fs:[00000030h] 1_2_017280A8
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_0169208A mov eax, dword ptr fs:[00000030h] 1_2_0169208A
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_0173437C mov eax, dword ptr fs:[00000030h] 1_2_0173437C
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_01738350 mov ecx, dword ptr fs:[00000030h] 1_2_01738350
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_0175A352 mov eax, dword ptr fs:[00000030h] 1_2_0175A352
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_0171035C mov eax, dword ptr fs:[00000030h] 1_2_0171035C
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_0171035C mov eax, dword ptr fs:[00000030h] 1_2_0171035C
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_0171035C mov eax, dword ptr fs:[00000030h] 1_2_0171035C
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_0171035C mov ecx, dword ptr fs:[00000030h] 1_2_0171035C
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_0171035C mov eax, dword ptr fs:[00000030h] 1_2_0171035C
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_0171035C mov eax, dword ptr fs:[00000030h] 1_2_0171035C
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_01712349 mov eax, dword ptr fs:[00000030h] 1_2_01712349
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_01712349 mov eax, dword ptr fs:[00000030h] 1_2_01712349
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_01712349 mov eax, dword ptr fs:[00000030h] 1_2_01712349
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_01712349 mov eax, dword ptr fs:[00000030h] 1_2_01712349
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_01712349 mov eax, dword ptr fs:[00000030h] 1_2_01712349
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_01712349 mov eax, dword ptr fs:[00000030h] 1_2_01712349
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_01712349 mov eax, dword ptr fs:[00000030h] 1_2_01712349
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_01712349 mov eax, dword ptr fs:[00000030h] 1_2_01712349
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_01712349 mov eax, dword ptr fs:[00000030h] 1_2_01712349
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_01712349 mov eax, dword ptr fs:[00000030h] 1_2_01712349
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_01712349 mov eax, dword ptr fs:[00000030h] 1_2_01712349
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_01712349 mov eax, dword ptr fs:[00000030h] 1_2_01712349
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_01712349 mov eax, dword ptr fs:[00000030h] 1_2_01712349
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_01712349 mov eax, dword ptr fs:[00000030h] 1_2_01712349
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_01712349 mov eax, dword ptr fs:[00000030h] 1_2_01712349
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_0176634F mov eax, dword ptr fs:[00000030h] 1_2_0176634F
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_01768324 mov eax, dword ptr fs:[00000030h] 1_2_01768324
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_01768324 mov ecx, dword ptr fs:[00000030h] 1_2_01768324
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_01768324 mov eax, dword ptr fs:[00000030h] 1_2_01768324
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_01768324 mov eax, dword ptr fs:[00000030h] 1_2_01768324
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_016CA30B mov eax, dword ptr fs:[00000030h] 1_2_016CA30B
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_016CA30B mov eax, dword ptr fs:[00000030h] 1_2_016CA30B
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_016CA30B mov eax, dword ptr fs:[00000030h] 1_2_016CA30B
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_0168C310 mov ecx, dword ptr fs:[00000030h] 1_2_0168C310
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_016B0310 mov ecx, dword ptr fs:[00000030h] 1_2_016B0310
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_016A03E9 mov eax, dword ptr fs:[00000030h] 1_2_016A03E9
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_016A03E9 mov eax, dword ptr fs:[00000030h] 1_2_016A03E9
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_016A03E9 mov eax, dword ptr fs:[00000030h] 1_2_016A03E9
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_016A03E9 mov eax, dword ptr fs:[00000030h] 1_2_016A03E9
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_016A03E9 mov eax, dword ptr fs:[00000030h] 1_2_016A03E9
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_016A03E9 mov eax, dword ptr fs:[00000030h] 1_2_016A03E9
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_016A03E9 mov eax, dword ptr fs:[00000030h] 1_2_016A03E9
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_016A03E9 mov eax, dword ptr fs:[00000030h] 1_2_016A03E9
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_016C63FF mov eax, dword ptr fs:[00000030h] 1_2_016C63FF
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_016AE3F0 mov eax, dword ptr fs:[00000030h] 1_2_016AE3F0
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_016AE3F0 mov eax, dword ptr fs:[00000030h] 1_2_016AE3F0
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_016AE3F0 mov eax, dword ptr fs:[00000030h] 1_2_016AE3F0
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_017343D4 mov eax, dword ptr fs:[00000030h] 1_2_017343D4
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_017343D4 mov eax, dword ptr fs:[00000030h] 1_2_017343D4
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_0173E3DB mov eax, dword ptr fs:[00000030h] 1_2_0173E3DB
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_0173E3DB mov eax, dword ptr fs:[00000030h] 1_2_0173E3DB
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_0173E3DB mov ecx, dword ptr fs:[00000030h] 1_2_0173E3DB
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_0173E3DB mov eax, dword ptr fs:[00000030h] 1_2_0173E3DB
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_0169A3C0 mov eax, dword ptr fs:[00000030h] 1_2_0169A3C0
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_0169A3C0 mov eax, dword ptr fs:[00000030h] 1_2_0169A3C0
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_0169A3C0 mov eax, dword ptr fs:[00000030h] 1_2_0169A3C0
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_0169A3C0 mov eax, dword ptr fs:[00000030h] 1_2_0169A3C0
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_0169A3C0 mov eax, dword ptr fs:[00000030h] 1_2_0169A3C0
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_0169A3C0 mov eax, dword ptr fs:[00000030h] 1_2_0169A3C0
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_016983C0 mov eax, dword ptr fs:[00000030h] 1_2_016983C0
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_016983C0 mov eax, dword ptr fs:[00000030h] 1_2_016983C0
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_016983C0 mov eax, dword ptr fs:[00000030h] 1_2_016983C0
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_016983C0 mov eax, dword ptr fs:[00000030h] 1_2_016983C0
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_017163C0 mov eax, dword ptr fs:[00000030h] 1_2_017163C0
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_0174C3CD mov eax, dword ptr fs:[00000030h] 1_2_0174C3CD
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_0168E388 mov eax, dword ptr fs:[00000030h] 1_2_0168E388
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_0168E388 mov eax, dword ptr fs:[00000030h] 1_2_0168E388
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_0168E388 mov eax, dword ptr fs:[00000030h] 1_2_0168E388
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_016B438F mov eax, dword ptr fs:[00000030h] 1_2_016B438F
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_016B438F mov eax, dword ptr fs:[00000030h] 1_2_016B438F
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_01688397 mov eax, dword ptr fs:[00000030h] 1_2_01688397
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_01688397 mov eax, dword ptr fs:[00000030h] 1_2_01688397
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_01688397 mov eax, dword ptr fs:[00000030h] 1_2_01688397
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_01740274 mov eax, dword ptr fs:[00000030h] 1_2_01740274
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_01740274 mov eax, dword ptr fs:[00000030h] 1_2_01740274
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_01740274 mov eax, dword ptr fs:[00000030h] 1_2_01740274
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_01740274 mov eax, dword ptr fs:[00000030h] 1_2_01740274
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_01740274 mov eax, dword ptr fs:[00000030h] 1_2_01740274
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_01740274 mov eax, dword ptr fs:[00000030h] 1_2_01740274
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_01740274 mov eax, dword ptr fs:[00000030h] 1_2_01740274
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_01740274 mov eax, dword ptr fs:[00000030h] 1_2_01740274
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_01740274 mov eax, dword ptr fs:[00000030h] 1_2_01740274
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_01740274 mov eax, dword ptr fs:[00000030h] 1_2_01740274
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_01740274 mov eax, dword ptr fs:[00000030h] 1_2_01740274
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_01740274 mov eax, dword ptr fs:[00000030h] 1_2_01740274
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_0168826B mov eax, dword ptr fs:[00000030h] 1_2_0168826B
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_01694260 mov eax, dword ptr fs:[00000030h] 1_2_01694260
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_01694260 mov eax, dword ptr fs:[00000030h] 1_2_01694260
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_01694260 mov eax, dword ptr fs:[00000030h] 1_2_01694260
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_0174A250 mov eax, dword ptr fs:[00000030h] 1_2_0174A250
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_0174A250 mov eax, dword ptr fs:[00000030h] 1_2_0174A250
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_0176625D mov eax, dword ptr fs:[00000030h] 1_2_0176625D
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_01696259 mov eax, dword ptr fs:[00000030h] 1_2_01696259
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_01718243 mov eax, dword ptr fs:[00000030h] 1_2_01718243
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_01718243 mov ecx, dword ptr fs:[00000030h] 1_2_01718243
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_0168A250 mov eax, dword ptr fs:[00000030h] 1_2_0168A250
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_0168823B mov eax, dword ptr fs:[00000030h] 1_2_0168823B
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_016A02E1 mov eax, dword ptr fs:[00000030h] 1_2_016A02E1
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_016A02E1 mov eax, dword ptr fs:[00000030h] 1_2_016A02E1
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_016A02E1 mov eax, dword ptr fs:[00000030h] 1_2_016A02E1
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_017662D6 mov eax, dword ptr fs:[00000030h] 1_2_017662D6
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_0169A2C3 mov eax, dword ptr fs:[00000030h] 1_2_0169A2C3
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_0169A2C3 mov eax, dword ptr fs:[00000030h] 1_2_0169A2C3
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_0169A2C3 mov eax, dword ptr fs:[00000030h] 1_2_0169A2C3
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_0169A2C3 mov eax, dword ptr fs:[00000030h] 1_2_0169A2C3
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_0169A2C3 mov eax, dword ptr fs:[00000030h] 1_2_0169A2C3
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_016A02A0 mov eax, dword ptr fs:[00000030h] 1_2_016A02A0
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_016A02A0 mov eax, dword ptr fs:[00000030h] 1_2_016A02A0
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_017262A0 mov eax, dword ptr fs:[00000030h] 1_2_017262A0
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_017262A0 mov ecx, dword ptr fs:[00000030h] 1_2_017262A0
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_017262A0 mov eax, dword ptr fs:[00000030h] 1_2_017262A0
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_017262A0 mov eax, dword ptr fs:[00000030h] 1_2_017262A0
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_017262A0 mov eax, dword ptr fs:[00000030h] 1_2_017262A0
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_017262A0 mov eax, dword ptr fs:[00000030h] 1_2_017262A0
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_016CE284 mov eax, dword ptr fs:[00000030h] 1_2_016CE284
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_016CE284 mov eax, dword ptr fs:[00000030h] 1_2_016CE284
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_01710283 mov eax, dword ptr fs:[00000030h] 1_2_01710283
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_01710283 mov eax, dword ptr fs:[00000030h] 1_2_01710283
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_01710283 mov eax, dword ptr fs:[00000030h] 1_2_01710283
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_016C656A mov eax, dword ptr fs:[00000030h] 1_2_016C656A
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_016C656A mov eax, dword ptr fs:[00000030h] 1_2_016C656A
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_016C656A mov eax, dword ptr fs:[00000030h] 1_2_016C656A
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_01698550 mov eax, dword ptr fs:[00000030h] 1_2_01698550
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_01698550 mov eax, dword ptr fs:[00000030h] 1_2_01698550
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_016BE53E mov eax, dword ptr fs:[00000030h] 1_2_016BE53E
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_016BE53E mov eax, dword ptr fs:[00000030h] 1_2_016BE53E
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_016BE53E mov eax, dword ptr fs:[00000030h] 1_2_016BE53E
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_016BE53E mov eax, dword ptr fs:[00000030h] 1_2_016BE53E
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_016BE53E mov eax, dword ptr fs:[00000030h] 1_2_016BE53E
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_016A0535 mov eax, dword ptr fs:[00000030h] 1_2_016A0535
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_016A0535 mov eax, dword ptr fs:[00000030h] 1_2_016A0535
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_016A0535 mov eax, dword ptr fs:[00000030h] 1_2_016A0535
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_016A0535 mov eax, dword ptr fs:[00000030h] 1_2_016A0535
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_016A0535 mov eax, dword ptr fs:[00000030h] 1_2_016A0535
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_016A0535 mov eax, dword ptr fs:[00000030h] 1_2_016A0535
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_01726500 mov eax, dword ptr fs:[00000030h] 1_2_01726500
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_01764500 mov eax, dword ptr fs:[00000030h] 1_2_01764500
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_01764500 mov eax, dword ptr fs:[00000030h] 1_2_01764500
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_01764500 mov eax, dword ptr fs:[00000030h] 1_2_01764500
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_01764500 mov eax, dword ptr fs:[00000030h] 1_2_01764500
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_01764500 mov eax, dword ptr fs:[00000030h] 1_2_01764500
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_01764500 mov eax, dword ptr fs:[00000030h] 1_2_01764500
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_01764500 mov eax, dword ptr fs:[00000030h] 1_2_01764500
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_016CC5ED mov eax, dword ptr fs:[00000030h] 1_2_016CC5ED
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_016CC5ED mov eax, dword ptr fs:[00000030h] 1_2_016CC5ED
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_016925E0 mov eax, dword ptr fs:[00000030h] 1_2_016925E0
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_016BE5E7 mov eax, dword ptr fs:[00000030h] 1_2_016BE5E7
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_016BE5E7 mov eax, dword ptr fs:[00000030h] 1_2_016BE5E7
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_016BE5E7 mov eax, dword ptr fs:[00000030h] 1_2_016BE5E7
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_016BE5E7 mov eax, dword ptr fs:[00000030h] 1_2_016BE5E7
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_016BE5E7 mov eax, dword ptr fs:[00000030h] 1_2_016BE5E7
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_016BE5E7 mov eax, dword ptr fs:[00000030h] 1_2_016BE5E7
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_016BE5E7 mov eax, dword ptr fs:[00000030h] 1_2_016BE5E7
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_016BE5E7 mov eax, dword ptr fs:[00000030h] 1_2_016BE5E7
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_016CE5CF mov eax, dword ptr fs:[00000030h] 1_2_016CE5CF
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_016CE5CF mov eax, dword ptr fs:[00000030h] 1_2_016CE5CF
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_016965D0 mov eax, dword ptr fs:[00000030h] 1_2_016965D0
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_016CA5D0 mov eax, dword ptr fs:[00000030h] 1_2_016CA5D0
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_016CA5D0 mov eax, dword ptr fs:[00000030h] 1_2_016CA5D0
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_017105A7 mov eax, dword ptr fs:[00000030h] 1_2_017105A7
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_017105A7 mov eax, dword ptr fs:[00000030h] 1_2_017105A7
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_017105A7 mov eax, dword ptr fs:[00000030h] 1_2_017105A7
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_016B45B1 mov eax, dword ptr fs:[00000030h] 1_2_016B45B1
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_016B45B1 mov eax, dword ptr fs:[00000030h] 1_2_016B45B1
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_016C4588 mov eax, dword ptr fs:[00000030h] 1_2_016C4588
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_01692582 mov eax, dword ptr fs:[00000030h] 1_2_01692582
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_01692582 mov ecx, dword ptr fs:[00000030h] 1_2_01692582
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_016CE59C mov eax, dword ptr fs:[00000030h] 1_2_016CE59C
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_0171C460 mov ecx, dword ptr fs:[00000030h] 1_2_0171C460
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_016BA470 mov eax, dword ptr fs:[00000030h] 1_2_016BA470
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_016BA470 mov eax, dword ptr fs:[00000030h] 1_2_016BA470
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_016BA470 mov eax, dword ptr fs:[00000030h] 1_2_016BA470
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_0174A456 mov eax, dword ptr fs:[00000030h] 1_2_0174A456
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_016CE443 mov eax, dword ptr fs:[00000030h] 1_2_016CE443
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_016CE443 mov eax, dword ptr fs:[00000030h] 1_2_016CE443
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_016CE443 mov eax, dword ptr fs:[00000030h] 1_2_016CE443
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_016CE443 mov eax, dword ptr fs:[00000030h] 1_2_016CE443
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_016CE443 mov eax, dword ptr fs:[00000030h] 1_2_016CE443
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_016CE443 mov eax, dword ptr fs:[00000030h] 1_2_016CE443
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_016CE443 mov eax, dword ptr fs:[00000030h] 1_2_016CE443
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_016CE443 mov eax, dword ptr fs:[00000030h] 1_2_016CE443
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_016B245A mov eax, dword ptr fs:[00000030h] 1_2_016B245A
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_0168645D mov eax, dword ptr fs:[00000030h] 1_2_0168645D
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_0168E420 mov eax, dword ptr fs:[00000030h] 1_2_0168E420
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_0168E420 mov eax, dword ptr fs:[00000030h] 1_2_0168E420
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_0168E420 mov eax, dword ptr fs:[00000030h] 1_2_0168E420
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_0168C427 mov eax, dword ptr fs:[00000030h] 1_2_0168C427
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_01716420 mov eax, dword ptr fs:[00000030h] 1_2_01716420
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_01716420 mov eax, dword ptr fs:[00000030h] 1_2_01716420
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_01716420 mov eax, dword ptr fs:[00000030h] 1_2_01716420
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_01716420 mov eax, dword ptr fs:[00000030h] 1_2_01716420
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_01716420 mov eax, dword ptr fs:[00000030h] 1_2_01716420
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_01716420 mov eax, dword ptr fs:[00000030h] 1_2_01716420
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_01716420 mov eax, dword ptr fs:[00000030h] 1_2_01716420
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_016CA430 mov eax, dword ptr fs:[00000030h] 1_2_016CA430
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_016C8402 mov eax, dword ptr fs:[00000030h] 1_2_016C8402
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_016C8402 mov eax, dword ptr fs:[00000030h] 1_2_016C8402
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_016C8402 mov eax, dword ptr fs:[00000030h] 1_2_016C8402
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_016904E5 mov ecx, dword ptr fs:[00000030h] 1_2_016904E5
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_0171A4B0 mov eax, dword ptr fs:[00000030h] 1_2_0171A4B0
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_016964AB mov eax, dword ptr fs:[00000030h] 1_2_016964AB
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_016C44B0 mov ecx, dword ptr fs:[00000030h] 1_2_016C44B0
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_0174A49A mov eax, dword ptr fs:[00000030h] 1_2_0174A49A
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_01698770 mov eax, dword ptr fs:[00000030h] 1_2_01698770
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_016A0770 mov eax, dword ptr fs:[00000030h] 1_2_016A0770
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_016A0770 mov eax, dword ptr fs:[00000030h] 1_2_016A0770
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_016A0770 mov eax, dword ptr fs:[00000030h] 1_2_016A0770
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_016A0770 mov eax, dword ptr fs:[00000030h] 1_2_016A0770
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_016A0770 mov eax, dword ptr fs:[00000030h] 1_2_016A0770
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_016A0770 mov eax, dword ptr fs:[00000030h] 1_2_016A0770
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_016A0770 mov eax, dword ptr fs:[00000030h] 1_2_016A0770
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_016A0770 mov eax, dword ptr fs:[00000030h] 1_2_016A0770
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_016A0770 mov eax, dword ptr fs:[00000030h] 1_2_016A0770
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_016A0770 mov eax, dword ptr fs:[00000030h] 1_2_016A0770
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_016A0770 mov eax, dword ptr fs:[00000030h] 1_2_016A0770
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_016A0770 mov eax, dword ptr fs:[00000030h] 1_2_016A0770
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_016C674D mov esi, dword ptr fs:[00000030h] 1_2_016C674D
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_016C674D mov eax, dword ptr fs:[00000030h] 1_2_016C674D
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_016C674D mov eax, dword ptr fs:[00000030h] 1_2_016C674D
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_01714755 mov eax, dword ptr fs:[00000030h] 1_2_01714755
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_0171E75D mov eax, dword ptr fs:[00000030h] 1_2_0171E75D
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_01690750 mov eax, dword ptr fs:[00000030h] 1_2_01690750
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_016D2750 mov eax, dword ptr fs:[00000030h] 1_2_016D2750
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_016D2750 mov eax, dword ptr fs:[00000030h] 1_2_016D2750
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_0170C730 mov eax, dword ptr fs:[00000030h] 1_2_0170C730
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_016CC720 mov eax, dword ptr fs:[00000030h] 1_2_016CC720
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_016CC720 mov eax, dword ptr fs:[00000030h] 1_2_016CC720
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_016C273C mov eax, dword ptr fs:[00000030h] 1_2_016C273C
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_016C273C mov ecx, dword ptr fs:[00000030h] 1_2_016C273C
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_016C273C mov eax, dword ptr fs:[00000030h] 1_2_016C273C
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_016CC700 mov eax, dword ptr fs:[00000030h] 1_2_016CC700
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_01690710 mov eax, dword ptr fs:[00000030h] 1_2_01690710
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_016C0710 mov eax, dword ptr fs:[00000030h] 1_2_016C0710
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_016B27ED mov eax, dword ptr fs:[00000030h] 1_2_016B27ED
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_016B27ED mov eax, dword ptr fs:[00000030h] 1_2_016B27ED
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_016B27ED mov eax, dword ptr fs:[00000030h] 1_2_016B27ED
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_0171E7E1 mov eax, dword ptr fs:[00000030h] 1_2_0171E7E1
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_016947FB mov eax, dword ptr fs:[00000030h] 1_2_016947FB
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_016947FB mov eax, dword ptr fs:[00000030h] 1_2_016947FB
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_0169C7C0 mov eax, dword ptr fs:[00000030h] 1_2_0169C7C0
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_017107C3 mov eax, dword ptr fs:[00000030h] 1_2_017107C3
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_016907AF mov eax, dword ptr fs:[00000030h] 1_2_016907AF
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_017447A0 mov eax, dword ptr fs:[00000030h] 1_2_017447A0
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_0173678E mov eax, dword ptr fs:[00000030h] 1_2_0173678E
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_016CA660 mov eax, dword ptr fs:[00000030h] 1_2_016CA660
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_016CA660 mov eax, dword ptr fs:[00000030h] 1_2_016CA660
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_016C2674 mov eax, dword ptr fs:[00000030h] 1_2_016C2674
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_0175866E mov eax, dword ptr fs:[00000030h] 1_2_0175866E
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_0175866E mov eax, dword ptr fs:[00000030h] 1_2_0175866E
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_016AC640 mov eax, dword ptr fs:[00000030h] 1_2_016AC640
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_0169262C mov eax, dword ptr fs:[00000030h] 1_2_0169262C
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_016C6620 mov eax, dword ptr fs:[00000030h] 1_2_016C6620
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_016C8620 mov eax, dword ptr fs:[00000030h] 1_2_016C8620
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_016AE627 mov eax, dword ptr fs:[00000030h] 1_2_016AE627
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_016A260B mov eax, dword ptr fs:[00000030h] 1_2_016A260B
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_016A260B mov eax, dword ptr fs:[00000030h] 1_2_016A260B
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_016A260B mov eax, dword ptr fs:[00000030h] 1_2_016A260B
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_016A260B mov eax, dword ptr fs:[00000030h] 1_2_016A260B
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_016A260B mov eax, dword ptr fs:[00000030h] 1_2_016A260B
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_016A260B mov eax, dword ptr fs:[00000030h] 1_2_016A260B
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_016A260B mov eax, dword ptr fs:[00000030h] 1_2_016A260B
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_016D2619 mov eax, dword ptr fs:[00000030h] 1_2_016D2619
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_0170E609 mov eax, dword ptr fs:[00000030h] 1_2_0170E609
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_017106F1 mov eax, dword ptr fs:[00000030h] 1_2_017106F1
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_017106F1 mov eax, dword ptr fs:[00000030h] 1_2_017106F1
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_0170E6F2 mov eax, dword ptr fs:[00000030h] 1_2_0170E6F2
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_0170E6F2 mov eax, dword ptr fs:[00000030h] 1_2_0170E6F2
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_0170E6F2 mov eax, dword ptr fs:[00000030h] 1_2_0170E6F2
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_0170E6F2 mov eax, dword ptr fs:[00000030h] 1_2_0170E6F2
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_016CA6C7 mov ebx, dword ptr fs:[00000030h] 1_2_016CA6C7
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_016CA6C7 mov eax, dword ptr fs:[00000030h] 1_2_016CA6C7
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_016CC6A6 mov eax, dword ptr fs:[00000030h] 1_2_016CC6A6
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_016C66B0 mov eax, dword ptr fs:[00000030h] 1_2_016C66B0
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_01694690 mov eax, dword ptr fs:[00000030h] 1_2_01694690
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_01694690 mov eax, dword ptr fs:[00000030h] 1_2_01694690
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_016D096E mov eax, dword ptr fs:[00000030h] 1_2_016D096E
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_016D096E mov edx, dword ptr fs:[00000030h] 1_2_016D096E
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_016D096E mov eax, dword ptr fs:[00000030h] 1_2_016D096E
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_016B6962 mov eax, dword ptr fs:[00000030h] 1_2_016B6962
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_016B6962 mov eax, dword ptr fs:[00000030h] 1_2_016B6962
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_016B6962 mov eax, dword ptr fs:[00000030h] 1_2_016B6962
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_01734978 mov eax, dword ptr fs:[00000030h] 1_2_01734978
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_01734978 mov eax, dword ptr fs:[00000030h] 1_2_01734978
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_0171C97C mov eax, dword ptr fs:[00000030h] 1_2_0171C97C
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_01764940 mov eax, dword ptr fs:[00000030h] 1_2_01764940
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_01710946 mov eax, dword ptr fs:[00000030h] 1_2_01710946
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_0172892B mov eax, dword ptr fs:[00000030h] 1_2_0172892B
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_0171892A mov eax, dword ptr fs:[00000030h] 1_2_0171892A
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_0171C912 mov eax, dword ptr fs:[00000030h] 1_2_0171C912
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_01688918 mov eax, dword ptr fs:[00000030h] 1_2_01688918
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_01688918 mov eax, dword ptr fs:[00000030h] 1_2_01688918
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_0170E908 mov eax, dword ptr fs:[00000030h] 1_2_0170E908
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_0170E908 mov eax, dword ptr fs:[00000030h] 1_2_0170E908
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_0171E9E0 mov eax, dword ptr fs:[00000030h] 1_2_0171E9E0
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_016C29F9 mov eax, dword ptr fs:[00000030h] 1_2_016C29F9
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_016C29F9 mov eax, dword ptr fs:[00000030h] 1_2_016C29F9
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_0175A9D3 mov eax, dword ptr fs:[00000030h] 1_2_0175A9D3
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_017269C0 mov eax, dword ptr fs:[00000030h] 1_2_017269C0
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_0169A9D0 mov eax, dword ptr fs:[00000030h] 1_2_0169A9D0
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_0169A9D0 mov eax, dword ptr fs:[00000030h] 1_2_0169A9D0
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_0169A9D0 mov eax, dword ptr fs:[00000030h] 1_2_0169A9D0
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_0169A9D0 mov eax, dword ptr fs:[00000030h] 1_2_0169A9D0
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_0169A9D0 mov eax, dword ptr fs:[00000030h] 1_2_0169A9D0
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_0169A9D0 mov eax, dword ptr fs:[00000030h] 1_2_0169A9D0
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_016C49D0 mov eax, dword ptr fs:[00000030h] 1_2_016C49D0
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_017189B3 mov esi, dword ptr fs:[00000030h] 1_2_017189B3
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_017189B3 mov eax, dword ptr fs:[00000030h] 1_2_017189B3
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_017189B3 mov eax, dword ptr fs:[00000030h] 1_2_017189B3
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_016909AD mov eax, dword ptr fs:[00000030h] 1_2_016909AD
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_016909AD mov eax, dword ptr fs:[00000030h] 1_2_016909AD
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_016A29A0 mov eax, dword ptr fs:[00000030h] 1_2_016A29A0
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_016A29A0 mov eax, dword ptr fs:[00000030h] 1_2_016A29A0
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_016A29A0 mov eax, dword ptr fs:[00000030h] 1_2_016A29A0
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_016A29A0 mov eax, dword ptr fs:[00000030h] 1_2_016A29A0
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_016A29A0 mov eax, dword ptr fs:[00000030h] 1_2_016A29A0
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_016A29A0 mov eax, dword ptr fs:[00000030h] 1_2_016A29A0
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_016A29A0 mov eax, dword ptr fs:[00000030h] 1_2_016A29A0
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_016A29A0 mov eax, dword ptr fs:[00000030h] 1_2_016A29A0
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_016A29A0 mov eax, dword ptr fs:[00000030h] 1_2_016A29A0
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_016A29A0 mov eax, dword ptr fs:[00000030h] 1_2_016A29A0
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_016A29A0 mov eax, dword ptr fs:[00000030h] 1_2_016A29A0
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_016A29A0 mov eax, dword ptr fs:[00000030h] 1_2_016A29A0
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_016A29A0 mov eax, dword ptr fs:[00000030h] 1_2_016A29A0
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_01726870 mov eax, dword ptr fs:[00000030h] 1_2_01726870
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_01726870 mov eax, dword ptr fs:[00000030h] 1_2_01726870
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_0171E872 mov eax, dword ptr fs:[00000030h] 1_2_0171E872
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_0171E872 mov eax, dword ptr fs:[00000030h] 1_2_0171E872
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_016A2840 mov ecx, dword ptr fs:[00000030h] 1_2_016A2840
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_01694859 mov eax, dword ptr fs:[00000030h] 1_2_01694859
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_01694859 mov eax, dword ptr fs:[00000030h] 1_2_01694859
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_016C0854 mov eax, dword ptr fs:[00000030h] 1_2_016C0854
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_0173483A mov eax, dword ptr fs:[00000030h] 1_2_0173483A
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_0173483A mov eax, dword ptr fs:[00000030h] 1_2_0173483A
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_016CA830 mov eax, dword ptr fs:[00000030h] 1_2_016CA830
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_016B2835 mov eax, dword ptr fs:[00000030h] 1_2_016B2835
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_016B2835 mov eax, dword ptr fs:[00000030h] 1_2_016B2835
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_016B2835 mov eax, dword ptr fs:[00000030h] 1_2_016B2835
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_016B2835 mov ecx, dword ptr fs:[00000030h] 1_2_016B2835
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_016B2835 mov eax, dword ptr fs:[00000030h] 1_2_016B2835
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_016B2835 mov eax, dword ptr fs:[00000030h] 1_2_016B2835
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_0171C810 mov eax, dword ptr fs:[00000030h] 1_2_0171C810
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_0175A8E4 mov eax, dword ptr fs:[00000030h] 1_2_0175A8E4
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_016CC8F9 mov eax, dword ptr fs:[00000030h] 1_2_016CC8F9
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_016CC8F9 mov eax, dword ptr fs:[00000030h] 1_2_016CC8F9
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_016BE8C0 mov eax, dword ptr fs:[00000030h] 1_2_016BE8C0
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_017608C0 mov eax, dword ptr fs:[00000030h] 1_2_017608C0
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_0171C89D mov eax, dword ptr fs:[00000030h] 1_2_0171C89D
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_01690887 mov eax, dword ptr fs:[00000030h] 1_2_01690887
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_0168CB7E mov eax, dword ptr fs:[00000030h] 1_2_0168CB7E
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_01762B57 mov eax, dword ptr fs:[00000030h] 1_2_01762B57
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_01762B57 mov eax, dword ptr fs:[00000030h] 1_2_01762B57
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_01762B57 mov eax, dword ptr fs:[00000030h] 1_2_01762B57
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_01762B57 mov eax, dword ptr fs:[00000030h] 1_2_01762B57
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_0173EB50 mov eax, dword ptr fs:[00000030h] 1_2_0173EB50
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_01738B42 mov eax, dword ptr fs:[00000030h] 1_2_01738B42
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_01726B40 mov eax, dword ptr fs:[00000030h] 1_2_01726B40
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_01726B40 mov eax, dword ptr fs:[00000030h] 1_2_01726B40
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_0175AB40 mov eax, dword ptr fs:[00000030h] 1_2_0175AB40
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_01688B50 mov eax, dword ptr fs:[00000030h] 1_2_01688B50
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_01744B4B mov eax, dword ptr fs:[00000030h] 1_2_01744B4B
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_01744B4B mov eax, dword ptr fs:[00000030h] 1_2_01744B4B
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_016BEB20 mov eax, dword ptr fs:[00000030h] 1_2_016BEB20
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_016BEB20 mov eax, dword ptr fs:[00000030h] 1_2_016BEB20
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_01758B28 mov eax, dword ptr fs:[00000030h] 1_2_01758B28
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_01758B28 mov eax, dword ptr fs:[00000030h] 1_2_01758B28
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_0170EB1D mov eax, dword ptr fs:[00000030h] 1_2_0170EB1D
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_0170EB1D mov eax, dword ptr fs:[00000030h] 1_2_0170EB1D
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_0170EB1D mov eax, dword ptr fs:[00000030h] 1_2_0170EB1D
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_0170EB1D mov eax, dword ptr fs:[00000030h] 1_2_0170EB1D
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_0170EB1D mov eax, dword ptr fs:[00000030h] 1_2_0170EB1D
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_0170EB1D mov eax, dword ptr fs:[00000030h] 1_2_0170EB1D
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_0170EB1D mov eax, dword ptr fs:[00000030h] 1_2_0170EB1D
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_0170EB1D mov eax, dword ptr fs:[00000030h] 1_2_0170EB1D
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_0170EB1D mov eax, dword ptr fs:[00000030h] 1_2_0170EB1D
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_01764B00 mov eax, dword ptr fs:[00000030h] 1_2_01764B00
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_0171CBF0 mov eax, dword ptr fs:[00000030h] 1_2_0171CBF0
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_016BEBFC mov eax, dword ptr fs:[00000030h] 1_2_016BEBFC
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_01698BF0 mov eax, dword ptr fs:[00000030h] 1_2_01698BF0
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_01698BF0 mov eax, dword ptr fs:[00000030h] 1_2_01698BF0
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_01698BF0 mov eax, dword ptr fs:[00000030h] 1_2_01698BF0
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_016B0BCB mov eax, dword ptr fs:[00000030h] 1_2_016B0BCB
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_016B0BCB mov eax, dword ptr fs:[00000030h] 1_2_016B0BCB
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_016B0BCB mov eax, dword ptr fs:[00000030h] 1_2_016B0BCB
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_0173EBD0 mov eax, dword ptr fs:[00000030h] 1_2_0173EBD0
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_01690BCD mov eax, dword ptr fs:[00000030h] 1_2_01690BCD
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_01690BCD mov eax, dword ptr fs:[00000030h] 1_2_01690BCD
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_01690BCD mov eax, dword ptr fs:[00000030h] 1_2_01690BCD
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_01744BB0 mov eax, dword ptr fs:[00000030h] 1_2_01744BB0
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_01744BB0 mov eax, dword ptr fs:[00000030h] 1_2_01744BB0
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_016A0BBE mov eax, dword ptr fs:[00000030h] 1_2_016A0BBE
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_016A0BBE mov eax, dword ptr fs:[00000030h] 1_2_016A0BBE
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_0170CA72 mov eax, dword ptr fs:[00000030h] 1_2_0170CA72
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_0170CA72 mov eax, dword ptr fs:[00000030h] 1_2_0170CA72
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_016CCA6F mov eax, dword ptr fs:[00000030h] 1_2_016CCA6F
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_016CCA6F mov eax, dword ptr fs:[00000030h] 1_2_016CCA6F
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_016CCA6F mov eax, dword ptr fs:[00000030h] 1_2_016CCA6F
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_0173EA60 mov eax, dword ptr fs:[00000030h] 1_2_0173EA60
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_016A0A5B mov eax, dword ptr fs:[00000030h] 1_2_016A0A5B
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_016A0A5B mov eax, dword ptr fs:[00000030h] 1_2_016A0A5B
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_01696A50 mov eax, dword ptr fs:[00000030h] 1_2_01696A50
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_01696A50 mov eax, dword ptr fs:[00000030h] 1_2_01696A50
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_01696A50 mov eax, dword ptr fs:[00000030h] 1_2_01696A50
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_01696A50 mov eax, dword ptr fs:[00000030h] 1_2_01696A50
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_01696A50 mov eax, dword ptr fs:[00000030h] 1_2_01696A50
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_01696A50 mov eax, dword ptr fs:[00000030h] 1_2_01696A50
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_01696A50 mov eax, dword ptr fs:[00000030h] 1_2_01696A50
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_016BEA2E mov eax, dword ptr fs:[00000030h] 1_2_016BEA2E
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_016CCA24 mov eax, dword ptr fs:[00000030h] 1_2_016CCA24
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_016CCA38 mov eax, dword ptr fs:[00000030h] 1_2_016CCA38
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_016B4A35 mov eax, dword ptr fs:[00000030h] 1_2_016B4A35
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_016B4A35 mov eax, dword ptr fs:[00000030h] 1_2_016B4A35
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_0171CA11 mov eax, dword ptr fs:[00000030h] 1_2_0171CA11
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_016CAAEE mov eax, dword ptr fs:[00000030h] 1_2_016CAAEE
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_016CAAEE mov eax, dword ptr fs:[00000030h] 1_2_016CAAEE
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_016E6ACC mov eax, dword ptr fs:[00000030h] 1_2_016E6ACC
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_016E6ACC mov eax, dword ptr fs:[00000030h] 1_2_016E6ACC
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_016E6ACC mov eax, dword ptr fs:[00000030h] 1_2_016E6ACC
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_01690AD0 mov eax, dword ptr fs:[00000030h] 1_2_01690AD0
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_016C4AD0 mov eax, dword ptr fs:[00000030h] 1_2_016C4AD0
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_016C4AD0 mov eax, dword ptr fs:[00000030h] 1_2_016C4AD0
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_01698AA0 mov eax, dword ptr fs:[00000030h] 1_2_01698AA0
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_01698AA0 mov eax, dword ptr fs:[00000030h] 1_2_01698AA0
Source: C:\Users\user\Desktop\opp.scr.exe Code function: 1_2_016E6AA4 mov eax, dword ptr fs:[00000030h] 1_2_016E6AA4
Source: C:\Users\user\Desktop\opp.scr.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: 0.2.opp.scr.exe.58c0000.4.raw.unpack, vTOBOpTyAAvQkvZvwvxLfhLDrUkCOfiQETyyQECGGfUQGE.cs Reference to suspicious API methods: Marshal.GetDelegateForFunctionPointer(GetProcAddress(LoadLibraryA(ref name), ref method), typeof(CreateApi))
Source: 0.2.opp.scr.exe.58c0000.4.raw.unpack, vTOBOpTyAAvQkvZvwvxLfhLDrUkCOfiQETyyQECGGfUQGE.cs Reference to suspicious API methods: Marshal.GetDelegateForFunctionPointer(GetProcAddress(LoadLibraryA(ref name), ref method), typeof(CreateApi))
Source: 0.2.opp.scr.exe.58c0000.4.raw.unpack, vTOBOpTyAAvQkvZvwvxLfhLDrUkCOfiQETyyQECGGfUQGE.cs Reference to suspicious API methods: ReadProcessMemory(processInformation.ProcessHandle, num3 + 8, ref buffer, 4, ref bytesRead)
Source: C:\Program Files (x86)\IbZIyGTNRRgnjGfKKCjfPwQYwyfKGixnBYPXdPAqeWGGHEs\oOOsxwAhjIw.exe NtAllocateVirtualMemory: Direct from: 0x76EF48EC
Source: C:\Program Files (x86)\IbZIyGTNRRgnjGfKKCjfPwQYwyfKGixnBYPXdPAqeWGGHEs\oOOsxwAhjIw.exe NtQueryAttributesFile: Direct from: 0x76EF2E6C
Source: C:\Program Files (x86)\IbZIyGTNRRgnjGfKKCjfPwQYwyfKGixnBYPXdPAqeWGGHEs\oOOsxwAhjIw.exe NtQueryVolumeInformationFile: Direct from: 0x76EF2F2C
Source: C:\Program Files (x86)\IbZIyGTNRRgnjGfKKCjfPwQYwyfKGixnBYPXdPAqeWGGHEs\oOOsxwAhjIw.exe NtQuerySystemInformation: Direct from: 0x76EF48CC
Source: C:\Program Files (x86)\IbZIyGTNRRgnjGfKKCjfPwQYwyfKGixnBYPXdPAqeWGGHEs\oOOsxwAhjIw.exe NtOpenSection: Direct from: 0x76EF2E0C
Source: C:\Program Files (x86)\IbZIyGTNRRgnjGfKKCjfPwQYwyfKGixnBYPXdPAqeWGGHEs\oOOsxwAhjIw.exe NtDeviceIoControlFile: Direct from: 0x76EF2AEC
Source: C:\Program Files (x86)\IbZIyGTNRRgnjGfKKCjfPwQYwyfKGixnBYPXdPAqeWGGHEs\oOOsxwAhjIw.exe NtAllocateVirtualMemory: Direct from: 0x76EF2BEC
Source: C:\Program Files (x86)\IbZIyGTNRRgnjGfKKCjfPwQYwyfKGixnBYPXdPAqeWGGHEs\oOOsxwAhjIw.exe NtQueryInformationToken: Direct from: 0x76EF2CAC
Source: C:\Program Files (x86)\IbZIyGTNRRgnjGfKKCjfPwQYwyfKGixnBYPXdPAqeWGGHEs\oOOsxwAhjIw.exe NtCreateFile: Direct from: 0x76EF2FEC
Source: C:\Program Files (x86)\IbZIyGTNRRgnjGfKKCjfPwQYwyfKGixnBYPXdPAqeWGGHEs\oOOsxwAhjIw.exe NtOpenFile: Direct from: 0x76EF2DCC
Source: C:\Program Files (x86)\IbZIyGTNRRgnjGfKKCjfPwQYwyfKGixnBYPXdPAqeWGGHEs\oOOsxwAhjIw.exe NtTerminateThread: Direct from: 0x76EF2FCC
Source: C:\Program Files (x86)\IbZIyGTNRRgnjGfKKCjfPwQYwyfKGixnBYPXdPAqeWGGHEs\oOOsxwAhjIw.exe NtOpenKeyEx: Direct from: 0x76EF2B9C
Source: C:\Program Files (x86)\IbZIyGTNRRgnjGfKKCjfPwQYwyfKGixnBYPXdPAqeWGGHEs\oOOsxwAhjIw.exe NtSetInformationProcess: Direct from: 0x76EF2C5C
Source: C:\Program Files (x86)\IbZIyGTNRRgnjGfKKCjfPwQYwyfKGixnBYPXdPAqeWGGHEs\oOOsxwAhjIw.exe NtProtectVirtualMemory: Direct from: 0x76EF2F9C
Source: C:\Program Files (x86)\IbZIyGTNRRgnjGfKKCjfPwQYwyfKGixnBYPXdPAqeWGGHEs\oOOsxwAhjIw.exe NtWriteVirtualMemory: Direct from: 0x76EF2E3C
Source: C:\Program Files (x86)\IbZIyGTNRRgnjGfKKCjfPwQYwyfKGixnBYPXdPAqeWGGHEs\oOOsxwAhjIw.exe NtNotifyChangeKey: Direct from: 0x76EF3C2C
Source: C:\Program Files (x86)\IbZIyGTNRRgnjGfKKCjfPwQYwyfKGixnBYPXdPAqeWGGHEs\oOOsxwAhjIw.exe NtCreateMutant: Direct from: 0x76EF35CC
Source: C:\Program Files (x86)\IbZIyGTNRRgnjGfKKCjfPwQYwyfKGixnBYPXdPAqeWGGHEs\oOOsxwAhjIw.exe NtResumeThread: Direct from: 0x76EF36AC
Source: C:\Program Files (x86)\IbZIyGTNRRgnjGfKKCjfPwQYwyfKGixnBYPXdPAqeWGGHEs\oOOsxwAhjIw.exe NtMapViewOfSection: Direct from: 0x76EF2D1C
Source: C:\Program Files (x86)\IbZIyGTNRRgnjGfKKCjfPwQYwyfKGixnBYPXdPAqeWGGHEs\oOOsxwAhjIw.exe NtProtectVirtualMemory: Direct from: 0x76EE7B2E
Source: C:\Program Files (x86)\IbZIyGTNRRgnjGfKKCjfPwQYwyfKGixnBYPXdPAqeWGGHEs\oOOsxwAhjIw.exe NtAllocateVirtualMemory: Direct from: 0x76EF2BFC
Source: C:\Program Files (x86)\IbZIyGTNRRgnjGfKKCjfPwQYwyfKGixnBYPXdPAqeWGGHEs\oOOsxwAhjIw.exe NtQuerySystemInformation: Direct from: 0x76EF2DFC
Source: C:\Program Files (x86)\IbZIyGTNRRgnjGfKKCjfPwQYwyfKGixnBYPXdPAqeWGGHEs\oOOsxwAhjIw.exe NtReadFile: Direct from: 0x76EF2ADC
Source: C:\Program Files (x86)\IbZIyGTNRRgnjGfKKCjfPwQYwyfKGixnBYPXdPAqeWGGHEs\oOOsxwAhjIw.exe NtDelayExecution: Direct from: 0x76EF2DDC
Source: C:\Program Files (x86)\IbZIyGTNRRgnjGfKKCjfPwQYwyfKGixnBYPXdPAqeWGGHEs\oOOsxwAhjIw.exe NtQueryInformationProcess: Direct from: 0x76EF2C26
Source: C:\Program Files (x86)\IbZIyGTNRRgnjGfKKCjfPwQYwyfKGixnBYPXdPAqeWGGHEs\oOOsxwAhjIw.exe NtResumeThread: Direct from: 0x76EF2FBC
Source: C:\Program Files (x86)\IbZIyGTNRRgnjGfKKCjfPwQYwyfKGixnBYPXdPAqeWGGHEs\oOOsxwAhjIw.exe NtCreateUserProcess: Direct from: 0x76EF371C
Source: C:\Program Files (x86)\IbZIyGTNRRgnjGfKKCjfPwQYwyfKGixnBYPXdPAqeWGGHEs\oOOsxwAhjIw.exe NtAllocateVirtualMemory: Direct from: 0x76EF3C9C
Source: C:\Program Files (x86)\IbZIyGTNRRgnjGfKKCjfPwQYwyfKGixnBYPXdPAqeWGGHEs\oOOsxwAhjIw.exe NtWriteVirtualMemory: Direct from: 0x76EF490C
Source: C:\Program Files (x86)\IbZIyGTNRRgnjGfKKCjfPwQYwyfKGixnBYPXdPAqeWGGHEs\oOOsxwAhjIw.exe NtSetInformationThread: Direct from: 0x76EE63F9
Source: C:\Program Files (x86)\IbZIyGTNRRgnjGfKKCjfPwQYwyfKGixnBYPXdPAqeWGGHEs\oOOsxwAhjIw.exe NtClose: Direct from: 0x76EF2B6C
Source: C:\Program Files (x86)\IbZIyGTNRRgnjGfKKCjfPwQYwyfKGixnBYPXdPAqeWGGHEs\oOOsxwAhjIw.exe NtSetInformationThread: Direct from: 0x76EF2B4C
Source: C:\Program Files (x86)\IbZIyGTNRRgnjGfKKCjfPwQYwyfKGixnBYPXdPAqeWGGHEs\oOOsxwAhjIw.exe NtReadVirtualMemory: Direct from: 0x76EF2E8C
Source: C:\Program Files (x86)\IbZIyGTNRRgnjGfKKCjfPwQYwyfKGixnBYPXdPAqeWGGHEs\oOOsxwAhjIw.exe NtCreateKey: Direct from: 0x76EF2C6C
Source: C:\Users\user\Desktop\opp.scr.exe Memory written: C:\Users\user\Desktop\opp.scr.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\opp.scr.exe Section loaded: NULL target: C:\Program Files (x86)\IbZIyGTNRRgnjGfKKCjfPwQYwyfKGixnBYPXdPAqeWGGHEs\oOOsxwAhjIw.exe protection: execute and read and write
Source: C:\Users\user\Desktop\opp.scr.exe Section loaded: NULL target: C:\Windows\SysWOW64\dfrgui.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\dfrgui.exe Section loaded: NULL target: C:\Program Files (x86)\IbZIyGTNRRgnjGfKKCjfPwQYwyfKGixnBYPXdPAqeWGGHEs\oOOsxwAhjIw.exe protection: read write
Source: C:\Windows\SysWOW64\dfrgui.exe Section loaded: NULL target: C:\Program Files (x86)\IbZIyGTNRRgnjGfKKCjfPwQYwyfKGixnBYPXdPAqeWGGHEs\oOOsxwAhjIw.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\dfrgui.exe Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write Jump to behavior
Source: C:\Windows\SysWOW64\dfrgui.exe Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\dfrgui.exe Thread APC queued: target process: C:\Program Files (x86)\IbZIyGTNRRgnjGfKKCjfPwQYwyfKGixnBYPXdPAqeWGGHEs\oOOsxwAhjIw.exe Jump to behavior
Source: C:\Users\user\Desktop\opp.scr.exe Process created: C:\Users\user\Desktop\opp.scr.exe "C:\Users\user\Desktop\opp.scr.exe" Jump to behavior
Source: C:\Program Files (x86)\IbZIyGTNRRgnjGfKKCjfPwQYwyfKGixnBYPXdPAqeWGGHEs\oOOsxwAhjIw.exe Process created: C:\Windows\SysWOW64\dfrgui.exe "C:\Windows\SysWOW64\dfrgui.exe" Jump to behavior
Source: C:\Windows\SysWOW64\dfrgui.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe" Jump to behavior
Source: oOOsxwAhjIw.exe, 00000008.00000000.2279134113.0000000000F51000.00000002.00000001.00040000.00000000.sdmp, oOOsxwAhjIw.exe, 00000008.00000002.3857635474.0000000000F51000.00000002.00000001.00040000.00000000.sdmp, oOOsxwAhjIw.exe, 0000000A.00000002.3857952120.0000000000FD1000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Program Manager
Source: oOOsxwAhjIw.exe, 00000008.00000000.2279134113.0000000000F51000.00000002.00000001.00040000.00000000.sdmp, oOOsxwAhjIw.exe, 00000008.00000002.3857635474.0000000000F51000.00000002.00000001.00040000.00000000.sdmp, oOOsxwAhjIw.exe, 0000000A.00000002.3857952120.0000000000FD1000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Shell_TrayWnd
Source: oOOsxwAhjIw.exe, 00000008.00000000.2279134113.0000000000F51000.00000002.00000001.00040000.00000000.sdmp, oOOsxwAhjIw.exe, 00000008.00000002.3857635474.0000000000F51000.00000002.00000001.00040000.00000000.sdmp, oOOsxwAhjIw.exe, 0000000A.00000002.3857952120.0000000000FD1000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progman
Source: oOOsxwAhjIw.exe, 00000008.00000000.2279134113.0000000000F51000.00000002.00000001.00040000.00000000.sdmp, oOOsxwAhjIw.exe, 00000008.00000002.3857635474.0000000000F51000.00000002.00000001.00040000.00000000.sdmp, oOOsxwAhjIw.exe, 0000000A.00000002.3857952120.0000000000FD1000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progmanlock
Source: C:\Users\user\Desktop\opp.scr.exe Queries volume information: C:\Users\user\Desktop\opp.scr.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\opp.scr.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\opp.scr.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\opp.scr.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\opp.scr.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information

Source: Yara match File source: 1.2.opp.scr.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.opp.scr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000001.00000002.2391790810.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.3859938760.0000000004E90000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2689683266.0000000004130000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2689714641.0000000004170000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.2393254649.00000000011C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.3858270697.0000000004E70000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.2399808380.00000000041B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: C:\Windows\SysWOW64\dfrgui.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
Source: C:\Windows\SysWOW64\dfrgui.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Windows\SysWOW64\dfrgui.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Windows\SysWOW64\dfrgui.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\SysWOW64\dfrgui.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\SysWOW64\dfrgui.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Windows\SysWOW64\dfrgui.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

Remote Access Functionality

Source: Yara match File source: 1.2.opp.scr.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.opp.scr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000001.00000002.2391790810.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.3859938760.0000000004E90000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2689683266.0000000004130000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2689714641.0000000004170000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.2393254649.00000000011C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.3858270697.0000000004E70000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.2399808380.00000000041B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY