Windows Analysis Report
Confirm!!.exe

Overview

General Information

Sample name: Confirm!!.exe
Analysis ID: 1436229
MD5: 1cd8ac8c84b05076f4a7516064714de3
SHA1: 4629098cb47c73324a9cf966e2499bb4214d29a1
SHA256: 7d0c488d900c633cfac5914cc35d1a31d3549710db2c9ce1612ae94ecf106dcc
Tags: exe

Detection

FormBook, PureLog Stealer
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Yara detected AntiVM3
Yara detected FormBook
Yara detected PureLog Stealer
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect virtualization through RDTSC time measurements
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found decision node followed by non-executed suspicious APIs
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

AV Detection

Source: Confirm!!.exe Avira: detected
Source: http://www.dp77.shop/he2a/ Avira URL Cloud: Label: malware
Source: http://www.24eu-ru-startup.xyz/he2a/ Avira URL Cloud: Label: phishing
Source: http://www.qfs-capital.com/he2a/ Avira URL Cloud: Label: malware
Source: http://www.dp77.shop/he2a/www.emsculptcenterofne.com Avira URL Cloud: Label: malware
Source: http://www.24eu-ru-startup.xyz/he2a/www.notbokin.online Avira URL Cloud: Label: phishing
Source: http://www.dcmdot.com/he2a/www.24eu-ru-startup.xyz Avira URL Cloud: Label: malware
Source: http://www.emsculptcenterofne.com/he2a/www.dcmdot.com Avira URL Cloud: Label: malware
Source: http://www.myjbtest.net/he2a/www.dp77.shop Avira URL Cloud: Label: malware
Source: http://www.theaustralianbrisketboard.com Avira URL Cloud: Label: malware
Source: http://www.epeople.store/he2a/ Avira URL Cloud: Label: malware
Source: http://www.qfs-capital.com/he2a/?JzrDMTwh=DlTSXcqNMc/eIm04yg00yQhMr4k/78J4L3shN4/4/VEr7otGcEkt4QUsswClQbB7ROijRjUf3A==&uDHX=NtTTaB Avira URL Cloud: Label: malware
Source: http://www.giuila.online/he2a/www.taylorranchtrail.com Avira URL Cloud: Label: malware
Source: http://www.qfs-capital.com/he2a/www.theaustralianbrisketboard.com Avira URL Cloud: Label: malware
Source: http://www.cyg8wm3zfb.xyz/he2a/www.epeople.store Avira URL Cloud: Label: phishing
Source: http://www.b-store.shop Avira URL Cloud: Label: malware
Source: http://www.oktravelhi.com/he2a/www.qfs-capital.com Avira URL Cloud: Label: malware
Source: http://www.emsculptcenterofne.com/he2a/ Avira URL Cloud: Label: malware
Source: http://www.desire-dating.com/he2a/ Avira URL Cloud: Label: malware
Source: http://www.dp77.shop Avira URL Cloud: Label: malware
Source: http://www.oktravelhi.com/he2a/ Avira URL Cloud: Label: malware
Source: http://www.taylorranchtrail.com Avira URL Cloud: Label: malware
Source: http://www.24eu-ru-startup.xyz Avira URL Cloud: Label: malware
Source: http://www.dcmdot.com Avira URL Cloud: Label: malware
Source: http://www.b-store.shop/he2a/www.desire-dating.com Avira URL Cloud: Label: malware
Source: http://www.meet-friends.online Avira URL Cloud: Label: malware
Source: http://www.notbokin.online Avira URL Cloud: Label: malware
Source: http://www.theaustralianbrisketboard.com/he2a/ Avira URL Cloud: Label: malware
Source: http://www.desire-dating.com Avira URL Cloud: Label: malware
Source: http://www.giuila.online/he2a/ Avira URL Cloud: Label: malware
Source: http://www.qfs-capital.com Avira URL Cloud: Label: malware
Source: http://www.b-store.shop/he2a/ Avira URL Cloud: Label: malware
Source: http://www.giuila.online Avira URL Cloud: Label: malware
Source: http://www.theaustralianbrisketboard.com/he2a/www.giuila.online Avira URL Cloud: Label: malware
Source: http://www.dcmdot.com/he2a/ Avira URL Cloud: Label: malware
Source: http://www.emsculptcenterofne.com Avira URL Cloud: Label: malware
Source: http://www.oktravelhi.com Avira URL Cloud: Label: malware
Source: http://www.theaustralianbrisketboard.com/he2a/?uDHX=NtTTaB&JzrDMTwh=OUTCM60j1GyCH9lbRdMZH2fDR4+aODlMrRGupFh1zUOB6Dok3GIrGaEH03LGWK74faeOXvHbbw== Avira URL Cloud: Label: malware
Source: http://www.notbokin.online/he2a/ Avira URL Cloud: Label: malware
Source: http://www.cyg8wm3zfb.xyz/he2a/ Avira URL Cloud: Label: phishing
Source: www.qfs-capital.com/he2a/ Avira URL Cloud: Label: malware
Source: http://www.notbokin.online/he2a/www.b-store.shop Avira URL Cloud: Label: malware
Source: http://www.taylorranchtrail.com/he2a/ Avira URL Cloud: Label: malware
Source: http://www.meet-friends.online/he2a/www.myjbtest.net Avira URL Cloud: Label: malware
Source: http://www.taylorranchtrail.com/he2a/www.cyg8wm3zfb.xyz Avira URL Cloud: Label: malware
Source: http://www.myjbtest.net/he2a/ Avira URL Cloud: Label: malware
Source: http://www.cyg8wm3zfb.xyz Avira URL Cloud: Label: malware
Source: http://www.desire-dating.com/he2a/. Avira URL Cloud: Label: malware
Source: http://www.myjbtest.net Avira URL Cloud: Label: malware
Source: http://www.epeople.store/he2a/www.meet-friends.online Avira URL Cloud: Label: malware
Source: 00000006.00000002.3328088031.0000000000980000.00000040.80000000.00040000.00000000.sdmp Malware Configuration Extractor: FormBook {"C2 list": ["www.qfs-capital.com/he2a/"], "decoy": ["connectioncompass.store", "zekicharge.com", "dp77.shop", "guninfo.guru", "mamaeconomics.net", "narcisme.coach", "redtopassociates.com", "ezezn.com", "theoregondog.com", "pagosmultired.online", "emsculptcenterofne.com", "meet-friends.online", "pf326.com", "wealthjigsaw.xyz", "arsajib.com", "kickassholdings.online", "avaturre.biz", "dtslogs.com", "lb92.tech", "pittalam.com", "cyberlegion.group", "24eu-ru-startup.xyz", "theaustralianbrisketboard.com", "bavrnimn.site", "xn--groupe-gorg-lbb.com", "hg08139.com", "myjbtest.net", "cyg8wm3zfb.xyz", "mimi2023.monster", "ruixiangg.com", "smokintires.net", "out-boundlabs.net", "matrix-promotions.com", "botfolk.com", "6o20r.beauty", "cpohlelaw.com", "zamupoi.fun", "eletrobrasilvendas.com", "desire-dating.com", "678ap.com", "bioprost.club", "hfaer4.xyz", "yuwangjing.com", "359brigham.com", "misstamar.mobi", "lucasbrownviolinstudio.com", "mybet668.com", "giuila.online", "mathews.buzz", "dcmdot.com", "epeople.store", "totneshotdesk.com", "jaehub.com", "notbokin.online", "trongiv.xyz", "adept-expert-comptable.net", "4tvaccounting.com", "saledotfate.live", "canadiantrafficmanagement.net", "oktravelhi.com", "taylorranchtrail.com", "tempahwebsites.com", "b-store.shop", "paintellensburg.com"]}
Source: www.theaustralianbrisketboard.com Virustotal: Detection: 10%
Source: qfs-capital.com Virustotal: Detection: 16%
Source: www.qfs-capital.com Virustotal: Detection: 10%
Source: www.oktravelhi.com Virustotal: Detection: 8%
Source: www.giuila.online Virustotal: Detection: 8%
Source: http://www.24eu-ru-startup.xyz/he2a/ Virustotal: Detection: 10%
Source: http://www.dp77.shop/he2a/ Virustotal: Detection: 10%
Source: http://www.qfs-capital.com/he2a/ Virustotal: Detection: 11%
Source: http://www.emsculptcenterofne.com/he2a/www.dcmdot.com Virustotal: Detection: 8%
Source: http://www.epeople.store/he2a/ Virustotal: Detection: 8%
Source: http://www.theaustralianbrisketboard.com Virustotal: Detection: 10%
Source: http://www.b-store.shop Virustotal: Detection: 9%
Source: http://www.oktravelhi.com/he2a/ Virustotal: Detection: 7%
Source: http://www.24eu-ru-startup.xyz Virustotal: Detection: 8%
Source: http://www.emsculptcenterofne.com/he2a/ Virustotal: Detection: 10%
Source: http://www.taylorranchtrail.com Virustotal: Detection: 8%
Source: http://www.desire-dating.com/he2a/ Virustotal: Detection: 8%
Source: http://www.dcmdot.com Virustotal: Detection: 10%
Source: http://www.meet-friends.online Virustotal: Detection: 10%
Source: http://www.theaustralianbrisketboard.com/he2a/ Virustotal: Detection: 10%
Source: http://www.notbokin.online Virustotal: Detection: 11%
Source: http://www.dp77.shop Virustotal: Detection: 7%
Source: Confirm!!.exe Virustotal: Detection: 59%
Source: Confirm!!.exe ReversingLabs: Detection: 70%
Source: Yara match File source: 3.2.Confirm!!.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.Confirm!!.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000006.00000002.3328088031.0000000000980000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.3328245937.0000000002BB0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.2124860833.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.3328311975.0000000002F90000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2053686766.0000000003B6E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Confirm!!.exe Joe Sandbox ML: detected
Source: Confirm!!.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: Confirm!!.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: systray.pdb source: Confirm!!.exe, 00000003.00000002.2126120618.0000000000F18000.00000004.00000020.00020000.00000000.sdmp, Confirm!!.exe, 00000003.00000002.2132012317.0000000001720000.00000040.10000000.00040000.00000000.sdmp, systray.exe, systray.exe, 00000006.00000002.3328163187.0000000000A30000.00000040.80000000.00040000.00000000.sdmp
Source: Binary string: systray.pdbGCTL source: Confirm!!.exe, 00000003.00000002.2126120618.0000000000F18000.00000004.00000020.00020000.00000000.sdmp, Confirm!!.exe, 00000003.00000002.2132012317.0000000001720000.00000040.10000000.00040000.00000000.sdmp, systray.exe, 00000006.00000002.3328163187.0000000000A30000.00000040.80000000.00040000.00000000.sdmp
Source: Binary string: wntdll.pdbUGP source: Confirm!!.exe, 00000003.00000002.2127459342.0000000001370000.00000040.00001000.00020000.00000000.sdmp, systray.exe, 00000006.00000003.2124654096.00000000048AD000.00000004.00000020.00020000.00000000.sdmp, systray.exe, 00000006.00000002.3329081674.0000000004C00000.00000040.00001000.00020000.00000000.sdmp, systray.exe, 00000006.00000002.3329081674.0000000004D9E000.00000040.00001000.00020000.00000000.sdmp, systray.exe, 00000006.00000003.2127295023.0000000004A58000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: Confirm!!.exe, Confirm!!.exe, 00000003.00000002.2127459342.0000000001370000.00000040.00001000.00020000.00000000.sdmp, systray.exe, systray.exe, 00000006.00000003.2124654096.00000000048AD000.00000004.00000020.00020000.00000000.sdmp, systray.exe, 00000006.00000002.3329081674.0000000004C00000.00000040.00001000.00020000.00000000.sdmp, systray.exe, 00000006.00000002.3329081674.0000000004D9E000.00000040.00001000.00020000.00000000.sdmp, systray.exe, 00000006.00000003.2127295023.0000000004A58000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 4x nop then pop edi 3_2_0040E467
Source: C:\Windows\SysWOW64\systray.exe Code function: 4x nop then pop edi 6_2_0098E467
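The Yara matches above are reported against memory dump files whose names encode where each region sat in the process. The helper below is an added example and not part of the Joe Sandbox report or its tooling; its field layout is an assumption inferred only from the dump names quoted on this page (base address in the fourth field, a winnt.h PAGE_* protection word in the fifth, a MEMORY_BASIC_INFORMATION.Type value in the seventh), and the two fields it cannot name are kept raw. It ranks the dumps so that writable-and-executable private or mapped memory, and the classic 0x400000 image base of a hollowed 32-bit process, come first for manual review.

```python
import re
from dataclasses import dataclass

# winnt.h PAGE_* protection constants (low byte of the protection word)
PAGE_PROTECT = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
# MEMORY_BASIC_INFORMATION.Type values
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}

# ASSUMED layout, inferred from the dump names quoted in this report, not from
# Joe Sandbox documentation:
#   <proc idx>.<dump idx>.<counter>.<base addr>.<protect>.<field6>.<region type>.<field8>.sdmp
_NAME = re.compile(
    r"^(?P<proc>[0-9A-Fa-f]{8})\.(?P<dump>[0-9A-Fa-f]{8})\.(?P<counter>\d+)\."
    r"(?P<base>[0-9A-Fa-f]{16})\.(?P<protect>[0-9A-Fa-f]{8})\.(?P<f6>[0-9A-Fa-f]{8})\."
    r"(?P<mtype>[0-9A-Fa-f]{8})\.(?P<f8>[0-9A-Fa-f]{8})\.sdmp$"
)


@dataclass
class Dump:
    name: str
    proc_index: int
    dump_index: int
    base: int
    protect: str
    mem_type: str
    field6: str      # not decoded: meaning unknown to this example
    field8: str      # not decoded


def parse_dump_name(name: str) -> Dump:
    """Decode one *.sdmp file name; raises ValueError for anything else."""
    m = _NAME.match(name)
    if m is None:
        raise ValueError(f"not a recognised dump name: {name}")
    prot = int(m["protect"], 16)
    mtype = int(m["mtype"], 16)
    return Dump(
        name=name,
        proc_index=int(m["proc"], 16),
        dump_index=int(m["dump"], 16),
        base=int(m["base"], 16),
        protect=PAGE_PROTECT.get(prot & 0xFF, f"0x{prot:x}"),
        mem_type=MEM_TYPE.get(mtype, f"0x{mtype:x}"),
        field6=m["f6"],
        field8=m["f8"],
    )


def injection_score(d: Dump) -> int:
    """Heuristic review priority: RWX memory that is not a normally loaded
    image (MEM_IMAGE) is where hollowed or injected code lives."""
    score = 0
    if d.protect == "PAGE_EXECUTE_READWRITE":
        score += 2
    elif d.protect.startswith("PAGE_EXECUTE"):
        score += 1
    if d.mem_type in ("MEM_PRIVATE", "MEM_MAPPED"):
        score += 1
    if d.base == 0x400000:      # default 32-bit image base: hollowing candidate
        score += 1
    return score


def rank_dumps(names):
    return sorted((parse_dump_name(n) for n in names), key=injection_score, reverse=True)


# Dump names taken verbatim from this report's Yara matches and string hits
REPORT_DUMPS = [
    "00000006.00000002.3328088031.0000000000980000.00000040.80000000.00040000.00000000.sdmp",
    "00000006.00000002.3328245937.0000000002BB0000.00000040.10000000.00040000.00000000.sdmp",
    "00000003.00000002.2124860833.0000000000400000.00000040.00000400.00020000.00000000.sdmp",
    "00000006.00000002.3328311975.0000000002F90000.00000004.00000800.00020000.00000000.sdmp",
    "00000000.00000002.2053686766.0000000003B6E000.00000004.00000800.00020000.00000000.sdmp",
    "00000004.00000000.2077678036.000000000978C000.00000004.00000001.00020000.00000000.sdmp",
]

if __name__ == "__main__":
    for d in rank_dumps(REPORT_DUMPS):
        print(f"{injection_score(d)}  proc {d.proc_index}  base 0x{d.base:08x}  "
              f"{d.protect:<22} {d.mem_type:<11} {d.name}")
```

Run as-is, the hollowed 0x400000 region of process 3 (the second Confirm!!.exe instance) ranks first, followed by the two RWX mapped regions in process 6 (systray.exe); the PAGE_READWRITE heap dumps in explorer.exe fall to the bottom, which is the order in which an analyst would carve them for the unpacked FormBook payload.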

Networking

Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49707 -> 192.227.130.26:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49708 -> 202.124.241.178:80
Source: C:\Windows\explorer.exe Network Connect: 202.124.241.178 80
Source: C:\Windows\explorer.exe Network Connect: 192.227.130.26 80
Source: Malware configuration extractor URLs: www.qfs-capital.com/he2a/
Source: global traffic HTTP traffic detected:
GET /he2a/?JzrDMTwh=DlTSXcqNMc/eIm04yg00yQhMr4k/78J4L3shN4/4/VEr7otGcEkt4QUsswClQbB7ROijRjUf3A==&uDHX=NtTTaB HTTP/1.1
Host: www.qfs-capital.com
Connection: close
Data Raw: 00 00 00 00 00 00 00 (seven NUL bytes; nothing printable)
Source: global traffic HTTP traffic detected:
GET /he2a/?uDHX=NtTTaB&JzrDMTwh=OUTCM60j1GyCH9lbRdMZH2fDR4+aODlMrRGupFh1zUOB6Dok3GIrGaEH03LGWK74faeOXvHbbw== HTTP/1.1
Host: www.theaustralianbrisketboard.com
Connection: close
Data Raw: 00 00 00 00 00 00 00 (seven NUL bytes; nothing printable)
Source: Joe Sandbox View IP Address: 202.124.241.178
Source: Joe Sandbox View ASN Name: NETREGISTRY-AS-APNetRegistryPtyLtdAU
Source: Joe Sandbox View ASN Name: AS-COLOCROSSINGUS
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1 (4 occurrences)
Source: C:\Windows\explorer.exe Code function: 4_2_0E2B6F82 getaddrinfo,setsockopt,recv, 4_2_0E2B6F82
Source: global traffic DNS traffic detected: DNS query: www.oktravelhi.com
Source: global traffic DNS traffic detected: DNS query: www.qfs-capital.com
Source: global traffic DNS traffic detected: DNS query: www.theaustralianbrisketboard.com
Source: global traffic DNS traffic detected: DNS query: www.giuila.online
Source: global traffic HTTP traffic detected:
HTTP/1.1 404 Not Found
Connection: close
cache-control: private, no-cache, no-store, must-revalidate, max-age=0
pragma: no-cache
content-type: text/html
content-length: 1251
date: Sat, 04 May 2024 00:54:58 GMT
server: LiteSpeed
x-content-type-options: nosniff
x-xss-protection: 1; mode=block
Data (raw hex decoded to text; the capture ends mid-body):
<!DOCTYPE html>
<html style="height:100%">
<head>
<meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" />
<title> 404 Not Found
</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head>
<body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;">
<div style="height:auto; min-height:100%; ">     <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;">
        <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1>
<h2 style="margin-top:20px;font-size: 30px;">Not Found
</h2>
<p>The resource requested could not be found on this server!</p>
</div></div><div style="color:#f0f0f0; font-size:12px;margin:auto;padding:0px 30px 0px 30px;position:relative;clear:both;height
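The two GET requests above are FormBook check-ins: a GET to a short path (here /he2a/), two query parameters of which one is a long base64-like blob, Connection: close and no User-Agent header. FormBook contacts its one real C2 alongside a set of decoy domains from the same configuration using identical requests, so the host alone does not tell the analyst which is which. The following Python is an added example, not code from the report, Joe Sandbox or the Emerging Threats rule it cites; the two captured requests and a browser-style control request are constructed inline, the configuration is the one extracted above with the decoy list trimmed to the hosts seen in traffic, and the matching thresholds (four-character path, 20+ character blob, tag of at most 8 characters) are this example's choices.

```python
import re
from urllib.parse import urlsplit

# Extracted configuration from this report (decoy list trimmed; the full one has 64 entries)
CONFIG = {
    "c2": ["www.qfs-capital.com/he2a/"],
    "decoy": ["oktravelhi.com", "theaustralianbrisketboard.com", "giuila.online", "dp77.shop"],
}

# Constructed raw requests: the first two reproduce the report's captured GETs,
# the third is a browser-style control that must not match
SAMPLE_REQUESTS = [
    "GET /he2a/?JzrDMTwh=DlTSXcqNMc/eIm04yg00yQhMr4k/78J4L3shN4/4/VEr7otGcEkt4QUsswClQbB7ROijRjUf3A==&uDHX=NtTTaB HTTP/1.1\r\n"
    "Host: www.qfs-capital.com\r\nConnection: close\r\n\r\n",
    "GET /he2a/?uDHX=NtTTaB&JzrDMTwh=OUTCM60j1GyCH9lbRdMZH2fDR4+aODlMrRGupFh1zUOB6Dok3GIrGaEH03LGWK74faeOXvHbbw== HTTP/1.1\r\n"
    "Host: www.theaustralianbrisketboard.com\r\nConnection: close\r\n\r\n",
    "GET /index.html HTTP/1.1\r\nHost: www.qfs-capital.com\r\n"
    "User-Agent: Mozilla/5.0\r\nConnection: keep-alive\r\n\r\n",
]

_PATH = re.compile(r"^/[a-z0-9]{4}/$")            # e.g. /he2a/
_B64 = re.compile(r"^[A-Za-z0-9+/]{20,}={0,2}$")  # long base64 blob; never URL-decode it, '+' is data


def parse_request(raw: str):
    """Split a raw HTTP/1.1 request into (method, target, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        key, _, value = line.partition(":")
        headers[key.strip().lower()] = value.strip()
    return method, target, headers, body


def split_query(query: str):
    """Split on '&' and the first '=' only, leaving values byte-for-byte intact
    (urllib's parse_qsl would turn the '+' inside the blob into a space)."""
    pairs = []
    for chunk in query.split("&"):
        if chunk:
            key, _, value = chunk.partition("=")
            pairs.append((key, value))
    return pairs


def is_formbook_checkin(raw: str) -> bool:
    method, target, headers, _ = parse_request(raw)
    if method != "GET" or "user-agent" in headers:
        return False
    if headers.get("connection", "").lower() != "close":
        return False
    parts = urlsplit(target)
    if not _PATH.match(parts.path):
        return False
    values = [v for _, v in split_query(parts.query)]
    if len(values) != 2:
        return False
    has_blob = any(_B64.match(v) for v in values)
    has_tag = any(len(v) <= 8 and not _B64.match(v) for v in values)
    return has_blob and has_tag


def classify_host(host: str) -> str:
    """Map a contacted host to the extracted config: 'c2', 'decoy' or 'unknown'."""
    bare = host[4:] if host.startswith("www.") else host
    for entry in CONFIG["c2"]:
        if entry.split("/", 1)[0] in (host, bare):
            return "c2"
    return "decoy" if bare in CONFIG["decoy"] else "unknown"


def triage(requests):
    """Return (host, path, role) for every request that matches the check-in pattern."""
    hits = []
    for raw in requests:
        if not is_formbook_checkin(raw):
            continue
        _, target, headers, _ = parse_request(raw)
        host = headers.get("host", "")
        hits.append((host, urlsplit(target).path, classify_host(host)))
    return hits


if __name__ == "__main__":
    for host, path, role in triage(SAMPLE_REQUESTS):
        print(f"FormBook check-in  {host}{path}  -> {role}")
```

Run as-is it reports two hits: the qfs-capital.com request maps to the single configured C2 and the theaustralianbrisketboard.com request to a decoy, which is consistent with the DNS queries the sandbox recorded (oktravelhi, qfs-capital, theaustralianbrisketboard, giuila: one C2 and three decoys). In a real investigation the decoy hosts are still worth blocking, since the malware hands them the same encrypted blob it sends to the C2, but only the C2 host is evidence of operator infrastructure.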
Source: explorer.exe, 00000004.00000000.2077678036.000000000978C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2077678036.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.3332424273.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.3332424273.000000000978C000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: explorer.exe, 00000004.00000000.2077678036.000000000978C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2077678036.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.3332424273.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.3332424273.000000000978C000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: explorer.exe, 00000004.00000000.2077678036.000000000978C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2077678036.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.3332424273.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.3332424273.000000000978C000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: explorer.exe, 00000004.00000000.2077678036.000000000978C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2077678036.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.3332424273.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.3332424273.000000000978C000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0
Source: explorer.exe, 00000004.00000002.3332424273.000000000962B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2077678036.000000000962B000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertGlobalRootG2.crlhttp://crl4.digicert.com/Di
Source: explorer.exe, 00000004.00000002.3331251305.0000000007B50000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000002.3328938709.00000000028A0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000002.3331271735.0000000007B60000.00000002.00000001.00040000.00000000.sdmp String found in binary or memory: http://schemas.micro
Source: explorer.exe, 00000004.00000003.2980453313.000000000C39F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3075158487.000000000C39F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.3338438586.000000000C39F000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.24eu-ru-startup.xyz
Source: explorer.exe, 00000004.00000003.2980453313.000000000C39F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3075158487.000000000C39F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.3338438586.000000000C39F000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.24eu-ru-startup.xyz/he2a/
Source: explorer.exe, 00000004.00000003.2980453313.000000000C39F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3075158487.000000000C39F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.3338438586.000000000C39F000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.24eu-ru-startup.xyz/he2a/www.notbokin.online
Source: explorer.exe, 00000004.00000003.2980453313.000000000C39F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3075158487.000000000C39F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.3338438586.000000000C39F000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.24eu-ru-startup.xyzReferer:
Source: explorer.exe, 00000004.00000003.2980792995.000000000C40D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2980453313.000000000C39F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2080127133.000000000C354000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: explorer.exe, 00000004.00000003.2980453313.000000000C39F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3075158487.000000000C39F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.3338438586.000000000C39F000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.b-store.shop
Source: explorer.exe, 00000004.00000003.2980453313.000000000C39F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3075158487.000000000C39F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.3338438586.000000000C39F000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.b-store.shop/he2a/
Source: explorer.exe, 00000004.00000003.2980453313.000000000C39F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3075158487.000000000C39F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.3338438586.000000000C39F000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.b-store.shop/he2a/www.desire-dating.com
Source: explorer.exe, 00000004.00000003.2980453313.000000000C39F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3075158487.000000000C39F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.3338438586.000000000C39F000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.b-store.shopReferer:
Source: explorer.exe, 00000004.00000003.2980453313.000000000C39F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3075158487.000000000C39F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.3338438586.000000000C39F000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.cyg8wm3zfb.xyz
Source: explorer.exe, 00000004.00000003.2980453313.000000000C39F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3075158487.000000000C39F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.3338438586.000000000C39F000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.cyg8wm3zfb.xyz/he2a/
Source: explorer.exe, 00000004.00000003.2980453313.000000000C39F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3075158487.000000000C39F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.3338438586.000000000C39F000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.cyg8wm3zfb.xyz/he2a/www.epeople.store
Source: explorer.exe, 00000004.00000003.2980453313.000000000C39F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3075158487.000000000C39F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.3338438586.000000000C39F000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.cyg8wm3zfb.xyzReferer:
Source: explorer.exe, 00000004.00000003.2980453313.000000000C39F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3075158487.000000000C39F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.3338438586.000000000C39F000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.dcmdot.com
Source: explorer.exe, 00000004.00000003.2980453313.000000000C39F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3075158487.000000000C39F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.3338438586.000000000C39F000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.dcmdot.com/he2a/
Source: explorer.exe, 00000004.00000003.2980453313.000000000C39F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3075158487.000000000C39F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.3338438586.000000000C39F000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.dcmdot.com/he2a/www.24eu-ru-startup.xyz
Source: explorer.exe, 00000004.00000003.2980453313.000000000C39F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3075158487.000000000C39F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.3338438586.000000000C39F000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.dcmdot.comReferer:
Source: explorer.exe, 00000004.00000003.2980453313.000000000C39F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3075158487.000000000C39F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.3338438586.000000000C39F000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.desire-dating.com
Source: explorer.exe, 00000004.00000003.2980453313.000000000C39F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3075158487.000000000C39F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.3338438586.000000000C39F000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.desire-dating.com/he2a/
Source: explorer.exe, 00000004.00000003.2980453313.000000000C39F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3075158487.000000000C39F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.3338438586.000000000C39F000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.desire-dating.com/he2a/.
Source: explorer.exe, 00000004.00000003.2980453313.000000000C39F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3075158487.000000000C39F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.3338438586.000000000C39F000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.desire-dating.comReferer:
Source: explorer.exe, 00000004.00000003.2980453313.000000000C39F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3075158487.000000000C39F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.3338438586.000000000C39F000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.dp77.shop

E-Banking Fraud

Source: Yara match File source: 3.2.Confirm!!.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.Confirm!!.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000006.00000002.3328088031.0000000000980000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.3328245937.0000000002BB0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.2124860833.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.3328311975.0000000002F90000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2053686766.0000000003B6E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

System Summary

Source: 3.2.Confirm!!.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 3.2.Confirm!!.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 3.2.Confirm!!.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 3.2.Confirm!!.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 3.2.Confirm!!.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 3.2.Confirm!!.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000002.3328088031.0000000000980000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000006.00000002.3328088031.0000000000980000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000002.3328088031.0000000000980000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000002.3328245937.0000000002BB0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000006.00000002.3328245937.0000000002BB0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000002.3328245937.0000000002BB0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.2124860833.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000003.00000002.2124860833.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000002.2124860833.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000002.3328311975.0000000002F90000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000006.00000002.3328311975.0000000002F90000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000002.3328311975.0000000002F90000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.2053686766.0000000003B6E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000000.00000002.2053686766.0000000003B6E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.2053686766.0000000003B6E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: Process Memory Space: Confirm!!.exe PID: 3604, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: Confirm!!.exe PID: 4548, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: explorer.exe PID: 4004, type: MEMORYSTR Matched rule: Semi-Auto-generated - file ironshell.php.txt Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls
Source: Process Memory Space: systray.exe PID: 6960, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_0041A330 NtCreateFile, 3_2_0041A330
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_0041A3E0 NtReadFile, 3_2_0041A3E0
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_0041A460 NtClose, 3_2_0041A460
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_0041A510 NtAllocateVirtualMemory, 3_2_0041A510
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_0041A45A NtClose, 3_2_0041A45A
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_0041A50D NtAllocateVirtualMemory, 3_2_0041A50D
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_013E2B60 NtClose,LdrInitializeThunk, 3_2_013E2B60
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_013E2BF0 NtAllocateVirtualMemory,LdrInitializeThunk, 3_2_013E2BF0
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_013E2AD0 NtReadFile,LdrInitializeThunk, 3_2_013E2AD0
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_013E2D30 NtUnmapViewOfSection,LdrInitializeThunk, 3_2_013E2D30
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_013E2D10 NtMapViewOfSection,LdrInitializeThunk, 3_2_013E2D10
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_013E2DF0 NtQuerySystemInformation,LdrInitializeThunk, 3_2_013E2DF0
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_013E2DD0 NtDelayExecution,LdrInitializeThunk, 3_2_013E2DD0
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_013E2C70 NtFreeVirtualMemory,LdrInitializeThunk, 3_2_013E2C70
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_013E2CA0 NtQueryInformationToken,LdrInitializeThunk, 3_2_013E2CA0
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_013E2F30 NtCreateSection,LdrInitializeThunk, 3_2_013E2F30
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_013E2FB0 NtResumeThread,LdrInitializeThunk, 3_2_013E2FB0
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_013E2F90 NtProtectVirtualMemory,LdrInitializeThunk, 3_2_013E2F90
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_013E2FE0 NtCreateFile,LdrInitializeThunk, 3_2_013E2FE0
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_013E2EA0 NtAdjustPrivilegesToken,LdrInitializeThunk, 3_2_013E2EA0
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_013E2E80 NtReadVirtualMemory,LdrInitializeThunk, 3_2_013E2E80
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_013E4340 NtSetContextThread, 3_2_013E4340
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_013E4650 NtSuspendThread, 3_2_013E4650
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_013E2BA0 NtEnumerateValueKey, 3_2_013E2BA0
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_013E2B80 NtQueryInformationFile, 3_2_013E2B80
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_013E2BE0 NtQueryValueKey, 3_2_013E2BE0
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_013E2AB0 NtWaitForSingleObject, 3_2_013E2AB0
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_013E2AF0 NtWriteFile, 3_2_013E2AF0
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_013E2D00 NtSetInformationFile, 3_2_013E2D00
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_013E2DB0 NtEnumerateKey, 3_2_013E2DB0
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_013E2C00 NtQueryInformationProcess, 3_2_013E2C00
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_013E2C60 NtCreateKey, 3_2_013E2C60
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_013E2CF0 NtOpenProcess, 3_2_013E2CF0
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_013E2CC0 NtQueryVirtualMemory, 3_2_013E2CC0
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_013E2F60 NtCreateProcessEx, 3_2_013E2F60
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_013E2FA0 NtQuerySection, 3_2_013E2FA0
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_013E2E30 NtWriteVirtualMemory, 3_2_013E2E30
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_013E2EE0 NtQueueApcThread, 3_2_013E2EE0
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_013E3010 NtOpenDirectoryObject, 3_2_013E3010
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_013E3090 NtSetValueKey, 3_2_013E3090
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_013E35C0 NtCreateMutant, 3_2_013E35C0
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_013E39B0 NtGetContextThread, 3_2_013E39B0
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_013E3D10 NtOpenProcessToken, 3_2_013E3D10
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_013E3D70 NtOpenThread, 3_2_013E3D70
Source: C:\Windows\explorer.exe Code function: 4_2_0E2B6232 NtCreateFile, 4_2_0E2B6232
Source: C:\Windows\explorer.exe Code function: 4_2_0E2B7E12 NtProtectVirtualMemory, 4_2_0E2B7E12
Source: C:\Windows\explorer.exe Code function: 4_2_0E2B7E0A NtProtectVirtualMemory, 4_2_0E2B7E0A
Source: C:\Windows\SysWOW64\systray.exe Code function: 6_2_04C72CA0 NtQueryInformationToken,LdrInitializeThunk, 6_2_04C72CA0
Source: C:\Windows\SysWOW64\systray.exe Code function: 6_2_04C72C60 NtCreateKey,LdrInitializeThunk, 6_2_04C72C60
Source: C:\Windows\SysWOW64\systray.exe Code function: 6_2_04C72C70 NtFreeVirtualMemory,LdrInitializeThunk, 6_2_04C72C70
Source: C:\Windows\SysWOW64\systray.exe Code function: 6_2_04C72DD0 NtDelayExecution,LdrInitializeThunk, 6_2_04C72DD0
Source: C:\Windows\SysWOW64\systray.exe Code function: 6_2_04C72DF0 NtQuerySystemInformation,LdrInitializeThunk, 6_2_04C72DF0
Source: C:\Windows\SysWOW64\systray.exe Code function: 6_2_04C72D10 NtMapViewOfSection,LdrInitializeThunk, 6_2_04C72D10
Source: C:\Windows\SysWOW64\systray.exe Code function: 6_2_04C72EA0 NtAdjustPrivilegesToken,LdrInitializeThunk, 6_2_04C72EA0
Source: C:\Windows\SysWOW64\systray.exe Code function: 6_2_04C72FE0 NtCreateFile,LdrInitializeThunk, 6_2_04C72FE0
Source: C:\Windows\SysWOW64\systray.exe Code function: 6_2_04C72F30 NtCreateSection,LdrInitializeThunk, 6_2_04C72F30
Source: C:\Windows\SysWOW64\systray.exe Code function: 6_2_04C72AD0 NtReadFile,LdrInitializeThunk, 6_2_04C72AD0
Source: C:\Windows\SysWOW64\systray.exe Code function: 6_2_04C72BE0 NtQueryValueKey,LdrInitializeThunk, 6_2_04C72BE0
Source: C:\Windows\SysWOW64\systray.exe Code function: 6_2_04C72BF0 NtAllocateVirtualMemory,LdrInitializeThunk, 6_2_04C72BF0
Source: C:\Windows\SysWOW64\systray.exe Code function: 6_2_04C72B60 NtClose,LdrInitializeThunk, 6_2_04C72B60
Source: C:\Windows\SysWOW64\systray.exe Code function: 6_2_04C735C0 NtCreateMutant,LdrInitializeThunk, 6_2_04C735C0
Source: C:\Windows\SysWOW64\systray.exe Code function: 6_2_04C74650 NtSuspendThread, 6_2_04C74650
Source: C:\Windows\SysWOW64\systray.exe Code function: 6_2_04C74340 NtSetContextThread, 6_2_04C74340
Source: C:\Windows\SysWOW64\systray.exe Code function: 6_2_04C72CC0 NtQueryVirtualMemory, 6_2_04C72CC0
Source: C:\Windows\SysWOW64\systray.exe Code function: 6_2_04C72CF0 NtOpenProcess, 6_2_04C72CF0
Source: C:\Windows\SysWOW64\systray.exe Code function: 6_2_04C72C00 NtQueryInformationProcess, 6_2_04C72C00
Source: C:\Windows\SysWOW64\systray.exe Code function: 6_2_04C72DB0 NtEnumerateKey, 6_2_04C72DB0
Source: C:\Windows\SysWOW64\systray.exe Code function: 6_2_04C72D00 NtSetInformationFile, 6_2_04C72D00
Source: C:\Windows\SysWOW64\systray.exe Code function: 6_2_04C72D30 NtUnmapViewOfSection, 6_2_04C72D30
Source: C:\Windows\SysWOW64\systray.exe Code function: 6_2_04C72EE0 NtQueueApcThread, 6_2_04C72EE0
Source: C:\Windows\SysWOW64\systray.exe Code function: 6_2_04C72E80 NtReadVirtualMemory, 6_2_04C72E80
Source: C:\Windows\SysWOW64\systray.exe Code function: 6_2_04C72E30 NtWriteVirtualMemory, 6_2_04C72E30
Source: C:\Windows\SysWOW64\systray.exe Code function: 6_2_04C72F90 NtProtectVirtualMemory, 6_2_04C72F90
Source: C:\Windows\SysWOW64\systray.exe Code function: 6_2_04C72FA0 NtQuerySection, 6_2_04C72FA0
Source: C:\Windows\SysWOW64\systray.exe Code function: 6_2_04C72FB0 NtResumeThread, 6_2_04C72FB0
Source: C:\Windows\SysWOW64\systray.exe Code function: 6_2_04C72F60 NtCreateProcessEx, 6_2_04C72F60
Source: C:\Windows\SysWOW64\systray.exe Code function: 6_2_04C72AF0 NtWriteFile, 6_2_04C72AF0
Source: C:\Windows\SysWOW64\systray.exe Code function: 6_2_04C72AB0 NtWaitForSingleObject, 6_2_04C72AB0
Source: C:\Windows\SysWOW64\systray.exe Code function: 6_2_04C72B80 NtQueryInformationFile, 6_2_04C72B80
Source: C:\Windows\SysWOW64\systray.exe Code function: 6_2_04C72BA0 NtEnumerateValueKey, 6_2_04C72BA0
Source: C:\Windows\SysWOW64\systray.exe Code function: 6_2_04C73090 NtSetValueKey, 6_2_04C73090
Source: C:\Windows\SysWOW64\systray.exe Code function: 6_2_04C73010 NtOpenDirectoryObject, 6_2_04C73010
Source: C:\Windows\SysWOW64\systray.exe Code function: 6_2_04C73D70 NtOpenThread, 6_2_04C73D70
Source: C:\Windows\SysWOW64\systray.exe Code function: 6_2_04C73D10 NtOpenProcessToken, 6_2_04C73D10
Source: C:\Windows\SysWOW64\systray.exe Code function: 6_2_04C739B0 NtGetContextThread, 6_2_04C739B0
Source: C:\Windows\SysWOW64\systray.exe Code function: 6_2_0099A3E0 NtReadFile, 6_2_0099A3E0
Source: C:\Windows\SysWOW64\systray.exe Code function: 6_2_0099A330 NtCreateFile, 6_2_0099A330
Source: C:\Windows\SysWOW64\systray.exe Code function: 6_2_0099A460 NtClose, 6_2_0099A460
Source: C:\Windows\SysWOW64\systray.exe Code function: 6_2_0099A510 NtAllocateVirtualMemory, 6_2_0099A510
Source: C:\Windows\SysWOW64\systray.exe Code function: 6_2_0099A45A NtClose, 6_2_0099A45A
Source: C:\Windows\SysWOW64\systray.exe Code function: 6_2_0099A50D NtAllocateVirtualMemory, 6_2_0099A50D
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 0_2_04DDEFC4 0_2_04DDEFC4
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_0040102D 3_2_0040102D
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_00401030 3_2_00401030
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_0041D97B 3_2_0041D97B
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_0041D573 3_2_0041D573
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_0041E526 3_2_0041E526
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_00402D87 3_2_00402D87
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_00402D90 3_2_00402D90
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_00409E5C 3_2_00409E5C
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_00409E60 3_2_00409E60
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_0041DE7C 3_2_0041DE7C
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_0041DE04 3_2_0041DE04
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_0041DECF 3_2_0041DECF
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_00402FB0 3_2_00402FB0
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_01438158 3_2_01438158
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_013A0100 3_2_013A0100
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_0144A118 3_2_0144A118
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_014681CC 3_2_014681CC
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_014641A2 3_2_014641A2
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_014701AA 3_2_014701AA
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_01442000 3_2_01442000
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_0146A352 3_2_0146A352
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_014703E6 3_2_014703E6
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_013BE3F0 3_2_013BE3F0
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_01450274 3_2_01450274
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_014302C0 3_2_014302C0
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_013B0535 3_2_013B0535
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_01470591 3_2_01470591
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_01462446 3_2_01462446
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_01454420 3_2_01454420
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_0145E4F6 3_2_0145E4F6
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_013B0770 3_2_013B0770
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_013D4750 3_2_013D4750
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_013AC7C0 3_2_013AC7C0
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_013CC6E0 3_2_013CC6E0
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_013C6962 3_2_013C6962
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_013B29A0 3_2_013B29A0
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_0147A9A6 3_2_0147A9A6
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_013B2840 3_2_013B2840
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_013BA840 3_2_013BA840
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_013968B8 3_2_013968B8
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_013DE8F0 3_2_013DE8F0
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_0146AB40 3_2_0146AB40
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_01466BD7 3_2_01466BD7
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_013AEA80 3_2_013AEA80
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_013BAD00 3_2_013BAD00
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_0144CD1F 3_2_0144CD1F
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_013C8DBF 3_2_013C8DBF
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_013AADE0 3_2_013AADE0
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_013B0C00 3_2_013B0C00
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_013A0CF2 3_2_013A0CF2
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_01450CB5 3_2_01450CB5
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_01424F40 3_2_01424F40
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_013D0F30 3_2_013D0F30
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_013F2F28 3_2_013F2F28
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_01452F30 3_2_01452F30
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_013BCFE0 3_2_013BCFE0
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_0142EFA0 3_2_0142EFA0
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_013A2FC8 3_2_013A2FC8
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_0146EE26 3_2_0146EE26
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_013B0E59 3_2_013B0E59
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_0146EEDB 3_2_0146EEDB
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_013C2E90 3_2_013C2E90
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_0146CE93 3_2_0146CE93
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_0147B16B 3_2_0147B16B
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_0139F172 3_2_0139F172
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_013E516C 3_2_013E516C
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_013BB1B0 3_2_013BB1B0
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_0145F0CC 3_2_0145F0CC
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_0146F0E0 3_2_0146F0E0
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_014670E9 3_2_014670E9
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_013B70C0 3_2_013B70C0
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_0146132D 3_2_0146132D
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_0139D34C 3_2_0139D34C
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_013F739A 3_2_013F739A
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_013B52A0 3_2_013B52A0
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_014512ED 3_2_014512ED
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_013CB2C0 3_2_013CB2C0
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_01467571 3_2_01467571
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_014795C3 3_2_014795C3
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_0144D5B0 3_2_0144D5B0
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_013A1460 3_2_013A1460
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_0146F43F 3_2_0146F43F
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_0146F7B0 3_2_0146F7B0
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_013F5630 3_2_013F5630
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_014616CC 3_2_014616CC
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_01445910 3_2_01445910
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_013B9950 3_2_013B9950
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_013CB950 3_2_013CB950
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_0141D800 3_2_0141D800
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_013B38E0 3_2_013B38E0
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_0146FB76 3_2_0146FB76
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_01425BF0 3_2_01425BF0
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_013CFB80 3_2_013CFB80
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_013EDBF9 3_2_013EDBF9
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_01467A46 3_2_01467A46
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_0146FA49 3_2_0146FA49
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_01423A6C 3_2_01423A6C
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_0145DAC6 3_2_0145DAC6
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_013F5AA0 3_2_013F5AA0
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_01451AA3 3_2_01451AA3
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_0144DAAC 3_2_0144DAAC
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_01461D5A 3_2_01461D5A
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_01467D73 3_2_01467D73
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_013B3D40 3_2_013B3D40
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_013CFDC0 3_2_013CFDC0
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_01429C32 3_2_01429C32
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_0146FCF2 3_2_0146FCF2
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_0146FF09 3_2_0146FF09
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_013B1F92 3_2_013B1F92
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_01373FD5 3_2_01373FD5
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_01373FD2 3_2_01373FD2
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_0146FFB1 3_2_0146FFB1
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_013B9EB0 3_2_013B9EB0
Source: C:\Windows\explorer.exe Code function: 4_2_0E1AA232 4_2_0E1AA232
Source: C:\Windows\explorer.exe Code function: 4_2_0E1A4B32 4_2_0E1A4B32
Source: C:\Windows\explorer.exe Code function: 4_2_0E1A4B30 4_2_0E1A4B30
Source: C:\Windows\explorer.exe Code function: 4_2_0E1A9036 4_2_0E1A9036
Source: C:\Windows\explorer.exe Code function: 4_2_0E1A0082 4_2_0E1A0082
Source: C:\Windows\explorer.exe Code function: 4_2_0E1A7912 4_2_0E1A7912
Source: C:\Windows\explorer.exe Code function: 4_2_0E1A1D02 4_2_0E1A1D02
Source: C:\Windows\explorer.exe Code function: 4_2_0E1AD5CD 4_2_0E1AD5CD
Source: C:\Windows\explorer.exe Code function: 4_2_0E2B6232 4_2_0E2B6232
Source: C:\Windows\explorer.exe Code function: 4_2_0E2B5036 4_2_0E2B5036
Source: C:\Windows\explorer.exe Code function: 4_2_0E2AC082 4_2_0E2AC082
Source: C:\Windows\explorer.exe Code function: 4_2_0E2B0B32 4_2_0E2B0B32
Source: C:\Windows\explorer.exe Code function: 4_2_0E2B0B30 4_2_0E2B0B30
Source: C:\Windows\explorer.exe Code function: 4_2_0E2ADD02 4_2_0E2ADD02
Source: C:\Windows\explorer.exe Code function: 4_2_0E2B3912 4_2_0E2B3912
Source: C:\Windows\explorer.exe Code function: 4_2_0E2B95CD 4_2_0E2B95CD
Source: C:\Windows\SysWOW64\systray.exe Code function: 6_2_04CEE4F6 6_2_04CEE4F6
Source: C:\Windows\SysWOW64\systray.exe Code function: 6_2_04CF2446 6_2_04CF2446
Source: C:\Windows\SysWOW64\systray.exe Code function: 6_2_04CE4420 6_2_04CE4420
Source: C:\Windows\SysWOW64\systray.exe Code function: 6_2_04D00591 6_2_04D00591
Source: C:\Windows\SysWOW64\systray.exe Code function: 6_2_04C40535 6_2_04C40535
Source: C:\Windows\SysWOW64\systray.exe Code function: 6_2_04C5C6E0 6_2_04C5C6E0
Source: C:\Windows\SysWOW64\systray.exe Code function: 6_2_04C3C7C0 6_2_04C3C7C0
Source: C:\Windows\SysWOW64\systray.exe Code function: 6_2_04C64750 6_2_04C64750
Source: C:\Windows\SysWOW64\systray.exe Code function: 6_2_04C40770 6_2_04C40770
Source: C:\Windows\SysWOW64\systray.exe Code function: 6_2_04CD2000 6_2_04CD2000
Source: C:\Windows\SysWOW64\systray.exe Code function: 6_2_04CF81CC 6_2_04CF81CC
Source: C:\Windows\SysWOW64\systray.exe Code function: 6_2_04CF41A2 6_2_04CF41A2
Source: C:\Windows\SysWOW64\systray.exe Code function: 6_2_04D001AA 6_2_04D001AA
Source: C:\Windows\SysWOW64\systray.exe Code function: 6_2_04CC8158 6_2_04CC8158
Source: C:\Windows\SysWOW64\systray.exe Code function: 6_2_04C30100 6_2_04C30100
Source: C:\Windows\SysWOW64\systray.exe Code function: 6_2_04CDA118 6_2_04CDA118
Source: C:\Windows\SysWOW64\systray.exe Code function: 6_2_04CC02C0 6_2_04CC02C0
Source: C:\Windows\SysWOW64\systray.exe Code function: 6_2_04CE0274 6_2_04CE0274
Source: C:\Windows\SysWOW64\systray.exe Code function: 6_2_04C4E3F0 6_2_04C4E3F0
Source: C:\Windows\SysWOW64\systray.exe Code function: 6_2_04D003E6 6_2_04D003E6
Source: C:\Windows\SysWOW64\systray.exe Code function: 6_2_04CFA352 6_2_04CFA352
Source: C:\Windows\SysWOW64\systray.exe Code function: 6_2_04C30CF2 6_2_04C30CF2
Source: C:\Windows\SysWOW64\systray.exe Code function: 6_2_04CE0CB5 6_2_04CE0CB5
Source: C:\Windows\SysWOW64\systray.exe Code function: 6_2_04C40C00 6_2_04C40C00
Source: C:\Windows\SysWOW64\systray.exe Code function: 6_2_04C3ADE0 6_2_04C3ADE0
Source: C:\Windows\SysWOW64\systray.exe Code function: 6_2_04C58DBF 6_2_04C58DBF
Source: C:\Windows\SysWOW64\systray.exe Code function: 6_2_04C4AD00 6_2_04C4AD00
Source: C:\Windows\SysWOW64\systray.exe Code function: 6_2_04CDCD1F 6_2_04CDCD1F
Source: C:\Windows\SysWOW64\systray.exe Code function: 6_2_04CFEEDB 6_2_04CFEEDB
Source: C:\Windows\SysWOW64\systray.exe Code function: 6_2_04C52E90 6_2_04C52E90
Source: C:\Windows\SysWOW64\systray.exe Code function: 6_2_04CFCE93 6_2_04CFCE93
Source: C:\Windows\SysWOW64\systray.exe Code function: 6_2_04C40E59 6_2_04C40E59
Source: C:\Windows\SysWOW64\systray.exe Code function: 6_2_04CFEE26 6_2_04CFEE26
Source: C:\Windows\SysWOW64\systray.exe Code function: 6_2_04C32FC8 6_2_04C32FC8
Source: C:\Windows\SysWOW64\systray.exe Code function: 6_2_04C4CFE0 6_2_04C4CFE0
Source: C:\Windows\SysWOW64\systray.exe Code function: 6_2_04CBEFA0 6_2_04CBEFA0
Source: C:\Windows\SysWOW64\systray.exe Code function: 6_2_04CB4F40 6_2_04CB4F40
Source: C:\Windows\SysWOW64\systray.exe Code function: 6_2_04C82F28 6_2_04C82F28
Source: C:\Windows\SysWOW64\systray.exe Code function: 6_2_04C60F30 6_2_04C60F30
Source: C:\Windows\SysWOW64\systray.exe Code function: 6_2_04CE2F30 6_2_04CE2F30
Source: C:\Windows\SysWOW64\systray.exe Code function: 6_2_04C6E8F0 6_2_04C6E8F0
Source: C:\Windows\SysWOW64\systray.exe Code function: 6_2_04C268B8 6_2_04C268B8
Source: C:\Windows\SysWOW64\systray.exe Code function: 6_2_04C4A840 6_2_04C4A840
Source: C:\Windows\SysWOW64\systray.exe Code function: 6_2_04C42840 6_2_04C42840
Source: C:\Windows\SysWOW64\systray.exe Code function: 6_2_04C429A0 6_2_04C429A0
Source: C:\Windows\SysWOW64\systray.exe Code function: 6_2_04D0A9A6 6_2_04D0A9A6
Source: C:\Windows\SysWOW64\systray.exe Code function: 6_2_04C56962 6_2_04C56962
Source: C:\Windows\SysWOW64\systray.exe Code function: 6_2_04C3EA80 6_2_04C3EA80
Source: C:\Windows\SysWOW64\systray.exe Code function: 6_2_04CF6BD7 6_2_04CF6BD7
Source: C:\Windows\SysWOW64\systray.exe Code function: 6_2_04CFAB40 6_2_04CFAB40
Source: C:\Windows\SysWOW64\systray.exe Code function: 6_2_04C31460 6_2_04C31460
Source: C:\Windows\SysWOW64\systray.exe Code function: 6_2_04CFF43F 6_2_04CFF43F
Source: C:\Windows\SysWOW64\systray.exe Code function: 6_2_04D095C3 6_2_04D095C3
Source: C:\Windows\SysWOW64\systray.exe Code function: 6_2_04CDD5B0 6_2_04CDD5B0
Source: C:\Windows\SysWOW64\systray.exe Code function: 6_2_04CF7571 6_2_04CF7571
Source: C:\Windows\SysWOW64\systray.exe Code function: 6_2_04CF16CC 6_2_04CF16CC
Source: C:\Windows\SysWOW64\systray.exe Code function: 6_2_04C85630 6_2_04C85630
Source: C:\Windows\SysWOW64\systray.exe Code function: 6_2_04CFF7B0 6_2_04CFF7B0
Source: C:\Windows\SysWOW64\systray.exe Code function: 6_2_04CEF0CC 6_2_04CEF0CC
Source: C:\Windows\SysWOW64\systray.exe Code function: 6_2_04C470C0 6_2_04C470C0
Source: C:\Windows\SysWOW64\systray.exe Code function: 6_2_04CF70E9 6_2_04CF70E9
Source: C:\Windows\SysWOW64\systray.exe Code function: 6_2_04CFF0E0 6_2_04CFF0E0
Source: C:\Windows\SysWOW64\systray.exe Code function: 6_2_04C4B1B0 6_2_04C4B1B0
Source: C:\Windows\SysWOW64\systray.exe Code function: 6_2_04C7516C 6_2_04C7516C
Source: C:\Windows\SysWOW64\systray.exe Code function: 6_2_04C2F172 6_2_04C2F172
Source: C:\Windows\SysWOW64\systray.exe Code function: 6_2_04D0B16B 6_2_04D0B16B
Source: C:\Windows\SysWOW64\systray.exe Code function: 6_2_04C5B2C0 6_2_04C5B2C0
Source: C:\Windows\SysWOW64\systray.exe Code function: 6_2_04CE12ED 6_2_04CE12ED
Source: C:\Windows\SysWOW64\systray.exe Code function: 6_2_04C452A0 6_2_04C452A0
Source: C:\Windows\SysWOW64\systray.exe Code function: 6_2_04C8739A 6_2_04C8739A
Source: C:\Windows\SysWOW64\systray.exe Code function: 6_2_04C2D34C 6_2_04C2D34C
Source: C:\Windows\SysWOW64\systray.exe Code function: 6_2_04CF132D 6_2_04CF132D
Source: C:\Windows\SysWOW64\systray.exe Code function: 6_2_04CFFCF2 6_2_04CFFCF2
Source: C:\Windows\SysWOW64\systray.exe Code function: 6_2_04CB9C32 6_2_04CB9C32
Source: C:\Windows\SysWOW64\systray.exe Code function: 6_2_04C5FDC0 6_2_04C5FDC0
Source: C:\Windows\SysWOW64\systray.exe Code function: 6_2_04C43D40 6_2_04C43D40
Source: C:\Windows\SysWOW64\systray.exe Code function: 6_2_04CF1D5A 6_2_04CF1D5A
Source: C:\Windows\SysWOW64\systray.exe Code function: 6_2_04CF7D73 6_2_04CF7D73
Source: C:\Windows\SysWOW64\systray.exe Code function: 6_2_04C49EB0 6_2_04C49EB0
Source: C:\Windows\SysWOW64\systray.exe Code function: 6_2_04C41F92 6_2_04C41F92
Source: C:\Windows\SysWOW64\systray.exe Code function: 6_2_04CFFFB1 6_2_04CFFFB1
Source: C:\Windows\SysWOW64\systray.exe Code function: 6_2_04CFFF09 6_2_04CFFF09
Source: C:\Windows\SysWOW64\systray.exe Code function: 6_2_04C438E0 6_2_04C438E0
Source: C:\Windows\SysWOW64\systray.exe Code function: 6_2_04CAD800 6_2_04CAD800
Source: C:\Windows\SysWOW64\systray.exe Code function: 6_2_04C49950 6_2_04C49950
Source: C:\Windows\SysWOW64\systray.exe Code function: 6_2_04C5B950 6_2_04C5B950
Source: C:\Windows\SysWOW64\systray.exe Code function: 6_2_04CD5910 6_2_04CD5910
Source: C:\Windows\SysWOW64\systray.exe Code function: 6_2_04CEDAC6 6_2_04CEDAC6
Source: C:\Windows\SysWOW64\systray.exe Code function: 6_2_04CDDAAC 6_2_04CDDAAC
Source: C:\Windows\SysWOW64\systray.exe Code function: 6_2_04C85AA0 6_2_04C85AA0
Source: C:\Windows\SysWOW64\systray.exe Code function: 6_2_04CE1AA3 6_2_04CE1AA3
Source: C:\Windows\SysWOW64\systray.exe Code function: 6_2_04CFFA49 6_2_04CFFA49
Source: C:\Windows\SysWOW64\systray.exe Code function: 6_2_04CF7A46 6_2_04CF7A46
Source: C:\Windows\SysWOW64\systray.exe Code function: 6_2_04CB3A6C 6_2_04CB3A6C
Source: C:\Windows\SysWOW64\systray.exe Code function: 6_2_04CB5BF0 6_2_04CB5BF0
Source: C:\Windows\SysWOW64\systray.exe Code function: 6_2_04C7DBF9 6_2_04C7DBF9
Source: C:\Windows\SysWOW64\systray.exe Code function: 6_2_04C5FB80 6_2_04C5FB80
Source: C:\Windows\SysWOW64\systray.exe Code function: 6_2_04CFFB76 6_2_04CFFB76
Source: C:\Windows\SysWOW64\systray.exe Code function: 6_2_0099E526 6_2_0099E526
Source: C:\Windows\SysWOW64\systray.exe Code function: 6_2_00982D90 6_2_00982D90
Source: C:\Windows\SysWOW64\systray.exe Code function: 6_2_00982D87 6_2_00982D87
Source: C:\Windows\SysWOW64\systray.exe Code function: 6_2_00989E5C 6_2_00989E5C
Source: C:\Windows\SysWOW64\systray.exe Code function: 6_2_00989E60 6_2_00989E60
Source: C:\Windows\SysWOW64\systray.exe Code function: 6_2_00982FB0 6_2_00982FB0
Source: C:\Windows\SysWOW64\systray.exe Code function: String function: 04C2B970 appears 280 times
Source: C:\Windows\SysWOW64\systray.exe Code function: String function: 04CAEA12 appears 86 times
Source: C:\Windows\SysWOW64\systray.exe Code function: String function: 04C75130 appears 58 times
Source: C:\Windows\SysWOW64\systray.exe Code function: String function: 04C87E54 appears 111 times
Source: C:\Windows\SysWOW64\systray.exe Code function: String function: 04CBF290 appears 105 times
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: String function: 013F7E54 appears 111 times
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: String function: 0141EA12 appears 86 times
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: String function: 0142F290 appears 105 times
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: String function: 0139B970 appears 280 times
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: String function: 013E5130 appears 58 times
Source: Confirm!!.exe, 00000000.00000002.2056661025.0000000005280000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameSimpleLogin.dllD vs Confirm!!.exe
Source: Confirm!!.exe, 00000000.00000002.2053213623.0000000002991000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameSimpleLogin.dllD vs Confirm!!.exe
Source: Confirm!!.exe, 00000000.00000002.2052685081.0000000000D2E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs Confirm!!.exe
Source: Confirm!!.exe, 00000000.00000002.2053686766.0000000003B6E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameTyrone.dll8 vs Confirm!!.exe
Source: Confirm!!.exe, 00000000.00000002.2057766427.0000000005FE0000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameTyrone.dll8 vs Confirm!!.exe
Source: Confirm!!.exe, 00000003.00000002.2127459342.000000000149D000.00000040.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs Confirm!!.exe
Source: Confirm!!.exe, 00000003.00000002.2132012317.0000000001723000.00000040.10000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenamesystray.exej% vs Confirm!!.exe
Source: Confirm!!.exe, 00000003.00000002.2126120618.0000000000F18000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamesystray.exej% vs Confirm!!.exe
Source: Confirm!!.exe Binary or memory string: OriginalFilenamejUFE.exe8 vs Confirm!!.exe
Source: Confirm!!.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 3.2.Confirm!!.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 3.2.Confirm!!.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 3.2.Confirm!!.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 3.2.Confirm!!.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 3.2.Confirm!!.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 3.2.Confirm!!.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000002.3328088031.0000000000980000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000006.00000002.3328088031.0000000000980000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000002.3328088031.0000000000980000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000002.3328245937.0000000002BB0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000006.00000002.3328245937.0000000002BB0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000002.3328245937.0000000002BB0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000002.2124860833.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000003.00000002.2124860833.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000002.2124860833.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000002.3328311975.0000000002F90000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000006.00000002.3328311975.0000000002F90000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000002.3328311975.0000000002F90000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.2053686766.0000000003B6E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000000.00000002.2053686766.0000000003B6E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.2053686766.0000000003B6E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: Process Memory Space: Confirm!!.exe PID: 3604, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: Confirm!!.exe PID: 4548, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: explorer.exe PID: 4004, type: MEMORYSTR Matched rule: ironshell_php author = Neo23x0 Yara BRG + customization by Stefan -dfate- Molls, description = Semi-Auto-generated - file ironshell.php.txt, hash = 8bfa2eeb8a3ff6afc619258e39fded56
Source: Process Memory Space: systray.exe PID: 6960, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Confirm!!.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 0.2.Confirm!!.exe.29f743c.3.raw.unpack, XG.cs Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.Confirm!!.exe.52c0000.8.raw.unpack, XG.cs Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.Confirm!!.exe.29e67c4.4.raw.unpack, XG.cs Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.Confirm!!.exe.5fe0000.9.raw.unpack, hWxYHkSsuBZxageplD.cs Security API names: _0020.SetAccessControl
Source: 0.2.Confirm!!.exe.5fe0000.9.raw.unpack, hWxYHkSsuBZxageplD.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Confirm!!.exe.5fe0000.9.raw.unpack, hWxYHkSsuBZxageplD.cs Security API names: _0020.AddAccessRule
Source: 0.2.Confirm!!.exe.3d40c80.6.raw.unpack, hkUebLiWfTROFSjq9B.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Confirm!!.exe.5fe0000.9.raw.unpack, hkUebLiWfTROFSjq9B.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Confirm!!.exe.3d40c80.6.raw.unpack, hWxYHkSsuBZxageplD.cs Security API names: _0020.SetAccessControl
Source: 0.2.Confirm!!.exe.3d40c80.6.raw.unpack, hWxYHkSsuBZxageplD.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Confirm!!.exe.3d40c80.6.raw.unpack, hWxYHkSsuBZxageplD.cs Security API names: _0020.AddAccessRule
Source: 0.2.Confirm!!.exe.52c0000.8.raw.unpack, ReactionVessel.cs Suspicious method names: .ReactionVessel.Inject
Source: 0.2.Confirm!!.exe.29e67c4.4.raw.unpack, ReactionVessel.cs Suspicious method names: .ReactionVessel.Inject
Source: 0.2.Confirm!!.exe.29f743c.3.raw.unpack, ReactionVessel.cs Suspicious method names: .ReactionVessel.Inject
Source: classification engine Classification label: mal100.troj.evad.winEXE@306/1@4/2
Source: C:\Users\user\Desktop\Confirm!!.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Confirm!!.exe.log
Source: C:\Users\user\Desktop\Confirm!!.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6548:120:WilError_03
Source: C:\Windows\SysWOW64\systray.exe Command line argument: SystemTray_Main 6_2_00A313B0
Source: Confirm!!.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Windows\explorer.exe File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\Confirm!!.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: Confirm!!.exe Virustotal: Detection: 59%
Source: Confirm!!.exe ReversingLabs: Detection: 70%
Source: unknown Process created: C:\Users\user\Desktop\Confirm!!.exe "C:\Users\user\Desktop\Confirm!!.exe"
Source: C:\Users\user\Desktop\Confirm!!.exe Process created: C:\Users\user\Desktop\Confirm!!.exe "C:\Users\user\Desktop\Confirm!!.exe"
Source: C:\Users\user\Desktop\Confirm!!.exe Process created: C:\Users\user\Desktop\Confirm!!.exe "C:\Users\user\Desktop\Confirm!!.exe"
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\autoconv.exe "C:\Windows\SysWOW64\autoconv.exe"
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\systray.exe "C:\Windows\SysWOW64\systray.exe"
Source: C:\Windows\SysWOW64\systray.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\Confirm!!.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Confirm!!.exe Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\Confirm!!.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\Confirm!!.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\Confirm!!.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\Confirm!!.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\Confirm!!.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\Confirm!!.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\Confirm!!.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\Confirm!!.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\Confirm!!.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\Confirm!!.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\Confirm!!.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\Confirm!!.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\Confirm!!.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\Confirm!!.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\Confirm!!.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\Confirm!!.exe Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\Confirm!!.exe Section loaded: windowscodecs.dll
Source: C:\Windows\explorer.exe Section loaded: windows.cloudstore.schema.shell.dll
Source: C:\Windows\explorer.exe Section loaded: mfsrcsnk.dll
Source: C:\Windows\SysWOW64\systray.exe Section loaded: wininet.dll
Source: C:\Users\user\Desktop\Confirm!!.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
Source: C:\Users\user\Desktop\Confirm!!.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: Confirm!!.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: Confirm!!.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: systray.pdb source: Confirm!!.exe, 00000003.00000002.2126120618.0000000000F18000.00000004.00000020.00020000.00000000.sdmp, Confirm!!.exe, 00000003.00000002.2132012317.0000000001720000.00000040.10000000.00040000.00000000.sdmp, systray.exe, systray.exe, 00000006.00000002.3328163187.0000000000A30000.00000040.80000000.00040000.00000000.sdmp
Source: Binary string: systray.pdbGCTL source: Confirm!!.exe, 00000003.00000002.2126120618.0000000000F18000.00000004.00000020.00020000.00000000.sdmp, Confirm!!.exe, 00000003.00000002.2132012317.0000000001720000.00000040.10000000.00040000.00000000.sdmp, systray.exe, 00000006.00000002.3328163187.0000000000A30000.00000040.80000000.00040000.00000000.sdmp
Source: Binary string: wntdll.pdbUGP source: Confirm!!.exe, 00000003.00000002.2127459342.0000000001370000.00000040.00001000.00020000.00000000.sdmp, systray.exe, 00000006.00000003.2124654096.00000000048AD000.00000004.00000020.00020000.00000000.sdmp, systray.exe, 00000006.00000002.3329081674.0000000004C00000.00000040.00001000.00020000.00000000.sdmp, systray.exe, 00000006.00000002.3329081674.0000000004D9E000.00000040.00001000.00020000.00000000.sdmp, systray.exe, 00000006.00000003.2127295023.0000000004A58000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: Confirm!!.exe, Confirm!!.exe, 00000003.00000002.2127459342.0000000001370000.00000040.00001000.00020000.00000000.sdmp, systray.exe, systray.exe, 00000006.00000003.2124654096.00000000048AD000.00000004.00000020.00020000.00000000.sdmp, systray.exe, 00000006.00000002.3329081674.0000000004C00000.00000040.00001000.00020000.00000000.sdmp, systray.exe, 00000006.00000002.3329081674.0000000004D9E000.00000040.00001000.00020000.00000000.sdmp, systray.exe, 00000006.00000003.2127295023.0000000004A58000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation

Source: 0.2.Confirm!!.exe.29f743c.3.raw.unpack, XG.cs .Net Code: Type.GetTypeFromHandle(global::cO.Ri.k2anMS(16777298)).GetMethod("GetDelegateForFunctionPointer", new Type[2]{Type.GetTypeFromHandle(global::cO.Ri.k2anMS(16777243)),Type.GetTypeFromHandle(global::cO.Ri.k2anMS(16777254))})
Source: 0.2.Confirm!!.exe.52c0000.8.raw.unpack, XG.cs .Net Code: Type.GetTypeFromHandle(global::cO.Ri.k2anMS(16777298)).GetMethod("GetDelegateForFunctionPointer", new Type[2]{Type.GetTypeFromHandle(global::cO.Ri.k2anMS(16777243)),Type.GetTypeFromHandle(global::cO.Ri.k2anMS(16777254))})
Source: 0.2.Confirm!!.exe.29e67c4.4.raw.unpack, XG.cs .Net Code: Type.GetTypeFromHandle(global::cO.Ri.k2anMS(16777298)).GetMethod("GetDelegateForFunctionPointer", new Type[2]{Type.GetTypeFromHandle(global::cO.Ri.k2anMS(16777243)),Type.GetTypeFromHandle(global::cO.Ri.k2anMS(16777254))})
Source: 0.2.Confirm!!.exe.3d40c80.6.raw.unpack, hWxYHkSsuBZxageplD.cs .Net Code: B78sxvvNeR System.Reflection.Assembly.Load(byte[])
Source: 0.2.Confirm!!.exe.5fe0000.9.raw.unpack, hWxYHkSsuBZxageplD.cs .Net Code: B78sxvvNeR System.Reflection.Assembly.Load(byte[])
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_0041D4D2 push eax; ret 3_2_0041D4D8
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_0041D4DB push eax; ret 3_2_0041D542
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_0041D485 push eax; ret 3_2_0041D4D8
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_0041D53C push eax; ret 3_2_0041D542
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_0137225F pushad ; ret 3_2_013727F9
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_013727FA pushad ; ret 3_2_013727F9
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_013A09AD push ecx; mov dword ptr [esp], ecx 3_2_013A09B6
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_0137283D push eax; iretd 3_2_01372858
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_01371344 push eax; iretd 3_2_01371369
Source: C:\Windows\explorer.exe Code function: 4_2_0E1ADB1E push esp; retn 0000h 4_2_0E1ADB1F
Source: C:\Windows\explorer.exe Code function: 4_2_0E1ADB02 push esp; retn 0000h 4_2_0E1ADB03
Source: C:\Windows\explorer.exe Code function: 4_2_0E1AD9B5 push esp; retn 0000h 4_2_0E1ADAE7
Source: C:\Windows\explorer.exe Code function: 4_2_0E2B9B02 push esp; retn 0000h 4_2_0E2B9B03
Source: C:\Windows\explorer.exe Code function: 4_2_0E2B9B1E push esp; retn 0000h 4_2_0E2B9B1F
Source: C:\Windows\explorer.exe Code function: 4_2_0E2B99B5 push esp; retn 0000h 4_2_0E2B9AE7
Source: C:\Windows\SysWOW64\systray.exe Code function: 6_2_00A31B3D push ecx; ret 6_2_00A31B50
Source: C:\Windows\SysWOW64\systray.exe Code function: 6_2_04C027FA pushad ; ret 6_2_04C027F9
Source: C:\Windows\SysWOW64\systray.exe Code function: 6_2_04C0225F pushad ; ret 6_2_04C027F9
Source: C:\Windows\SysWOW64\systray.exe Code function: 6_2_04C0283D push eax; iretd 6_2_04C02858
Source: C:\Windows\SysWOW64\systray.exe Code function: 6_2_04C309AD push ecx; mov dword ptr [esp], ecx 6_2_04C309B6
Source: C:\Windows\SysWOW64\systray.exe Code function: 6_2_04C0106B push edi; ret 6_2_04C0108A
Source: C:\Windows\SysWOW64\systray.exe Code function: 6_2_04C018F3 push edx; iretd 6_2_04C01906
Source: C:\Windows\SysWOW64\systray.exe Code function: 6_2_0099D485 push eax; ret 6_2_0099D4D8
Source: C:\Windows\SysWOW64\systray.exe Code function: 6_2_0099D4DB push eax; ret 6_2_0099D542
Source: C:\Windows\SysWOW64\systray.exe Code function: 6_2_0099D4D2 push eax; ret 6_2_0099D4D8
Source: C:\Windows\SysWOW64\systray.exe Code function: 6_2_0099D53C push eax; ret 6_2_0099D542
Source: Confirm!!.exe Static PE information: section name: .text entropy: 7.97872256100169
Source: 0.2.Confirm!!.exe.3d40c80.6.raw.unpack, N91fBcybJNtc6ijrmZ.cs High entropy of concatenated method names: 'WQ13YdMRnO', 'uDW3pbbKZX', 'D3J3e6XDlB', 'iV33c5V0p5', 'ShB3ZILa5D', 'wiJ3J7fskh', 'tPs3LlwkxZ', 'Oqx3Oj7PBr', 'vRl3VZODlJ', 'AG53Gj2Rfs'
Source: 0.2.Confirm!!.exe.3d40c80.6.raw.unpack, twp4YYIALgdEOP21bww.cs High entropy of concatenated method names: 'F5DtyJ3p2V', 'brKtRB9I92', 'M0wtx0R1xX', 'cEPtwMhGey', 'rqltKfhnRp', 'XIAtUydJfe', 'r97t078mxV', 'MVJtheoVap', 'hPttqvIAE8', 'Yc9t8a9oxg'
Source: 0.2.Confirm!!.exe.3d40c80.6.raw.unpack, bOiTjsEUZ6cy81xTLP.cs High entropy of concatenated method names: 'b2imJi43bi', 'jClmLy1FVO', 'VHhmVyXKce', 'qB0mGt3c63', 'uHDmi1N9LD', 'hQkmTiQWKe', 'GqtkxLJisIkAykcUMo', 'PLGKhEn795ZUDYpSyA', 'tQXmmxBhxv', 'D9mmEycft5'
Source: 0.2.Confirm!!.exe.3d40c80.6.raw.unpack, p8DyslpAG21txhnI3Y.cs High entropy of concatenated method names: 'EJ7JYBwqgD', 'GkoJei9F5W', 'm9XJZugnOy', 'eLLZ2MUS5O', 'rPDZzW243V', 'tZ0Jn1eCjh', 't83JmUGl57', 'scuJaMolqP', 'Ko8JEAiyj6', 'r0pJsS6aTa'
Source: 0.2.Confirm!!.exe.3d40c80.6.raw.unpack, hkUebLiWfTROFSjq9B.cs High entropy of concatenated method names: 'If3pvvmuFO', 'BOmp45SgeN', 'lG2pDuDDfE', 'yQ1pHtq3Iv', 'pZ8pCIqCxh', 'ObFpgdKG7P', 'lLppPVF896', 'KyfpuXd3uM', 'aoOpStseGH', 'ub2p2oHiUT'
Source: 0.2.Confirm!!.exe.3d40c80.6.raw.unpack, s5bdmLn5OMcQHPx2wH.cs High entropy of concatenated method names: 'ufArh2hO8F', 'fYRrqoXMRe', 'YZDr7aNtp0', 'o2prj40IpP', 'xkFr9IYPFa', 'OsFrosSmlA', 'cMUrfoqv19', 'x7lrF37Qh1', 'wBHrdjXabh', 'dZQrXtY4yL'
Source: 0.2.Confirm!!.exe.3d40c80.6.raw.unpack, hWxYHkSsuBZxageplD.cs High entropy of concatenated method names: 'q9BE1GrXP7', 'BmWEYZySJm', 'BDaEpa7cFt', 'JDLEe88uVu', 'KbwEclvPWD', 'Nt8EZtioot', 'hTJEJNy6QI', 'U3CELtR9pQ', 'o9lEOw8vG4', 'j43EVJWPEh'
Source: 0.2.Confirm!!.exe.3d40c80.6.raw.unpack, Q2xXCE29TMocJSX5Yg.cs High entropy of concatenated method names: 'ToString', 'ThmTXuhwIV', 'huTTjPwrBh', 'cyITN1OTmO', 'gHTT9KirJV', 'Qd9TobGw5E', 'XqTTBCptmW', 'nU1Tf1780A', 'BqATFXcV4v', 'WvkTljJ8xt'
Source: 0.2.Confirm!!.exe.3d40c80.6.raw.unpack, MaRryHzG8mqwYJEKrw.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'qJRtr0R61a', 'gQytiJ53OX', 'yqktTofbdS', 'pdjtbfnR4J', 'bjht3bkPO0', 'IPBtt5AHEu', 'AKLtkOR5Mf'
Source: 0.2.Confirm!!.exe.3d40c80.6.raw.unpack, h99ng7oPdLWrlG7g9u.cs High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'V3yaSbOXP0', 'xCOa2xUcEc', 'KW3az8Db9w', 'aJoEn0xwZY', 'Wa1EmJt77u', 'k63EaUY30C', 'nTWEEgqe9X', 'IpIAMOXL4OxN5jRwhTQ'
Source: 0.2.Confirm!!.exe.3d40c80.6.raw.unpack, r5CYMKtfdQJmXXlPqS.cs High entropy of concatenated method names: 'FKqJyfgKL7', 'EZDJRhNuAO', 'wtAJxeWTwq', 'nKWJwRriim', 'yfuJKiKwy5', 'EZVJUxGrIU', 'nlFJ0Arnpa', 'eB5Jhf2Yt5', 'hpWJqd6yOE', 'jYtJ8DC9CA'
Source: 0.2.Confirm!!.exe.3d40c80.6.raw.unpack, g0qRx08p8I76f2IHSj.cs High entropy of concatenated method names: 'om6buxnvnX', 'vtvb2srlVK', 'jCn3noS0hr', 'tJW3mGgJId', 'jIWbXHBQaR', 'riZbIrbc08', 'BO6bMkpulU', 'UL9bvA21hL', 'NSgb42CU30', 'sCubDDendr'
Source: 0.2.Confirm!!.exe.3d40c80.6.raw.unpack, OJkCf9TOsTb9cMayX5.cs High entropy of concatenated method names: 'BKYxLVtUH', 'yuqwMLYFO', 'CfFUMIHxW', 'RJe0yeNJV', 'rH1qbJhW5', 'FbR81MesL', 'wet3Y4hljCj63VufXT', 'wx098kab8pOKWKTC8H', 'C2h3DeakI', 'pTPkw3qxZ'
Source: 0.2.Confirm!!.exe.3d40c80.6.raw.unpack, tcZ2wtKdtCyQjEEoGD.cs High entropy of concatenated method names: 'tvDtmyoCkM', 'fUAtEGALQ8', 'NS5ts2EHKm', 'xRRtYJ32wb', 'wo5tp6gPYy', 'qBwtcIBc6Q', 'HlbtZc5uSi', 'RZ13PaFLyX', 'Pfq3udBVUk', 'Q123SZT25N'
Source: 0.2.Confirm!!.exe.3d40c80.6.raw.unpack, d72IrTk2IMEECSiBws.cs High entropy of concatenated method names: 'qknewfh6o5', 'n0ceUZkWyY', 'QkVehHFSmw', 'HYgeqPS8gn', 'A5DeiUUYeU', 'dpgeT5CmLp', 'NB6ebQ6QZC', 'wv9e36SQ34', 'WjIet9UqiY', 'WN9ekA5w1K'
Source: 0.2.Confirm!!.exe.3d40c80.6.raw.unpack, wnMQOqMBSRfBF7i70R.cs High entropy of concatenated method names: 'ReN37HTcnr', 'h9W3j7pSJ0', 'tMs3Nnskwg', 'EQm39AVvol', 'Emh3vt91mm', 'oJg3o6Hmsh', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.Confirm!!.exe.3d40c80.6.raw.unpack, uwXheyb6Pd6pRb4Irl.cs High entropy of concatenated method names: 'PDJcK9WCsU', 'cINc0PI6XP', 'lqCeNqTHBU', 'o9Xe9ej33Z', 'my5eoHTBZg', 'MWweB4jCmn', 'NjlefW9uVa', 'pH0eFYoqhr', 'BJgelLEFV0', 'u5ted1hJsO'
Source: 0.2.Confirm!!.exe.3d40c80.6.raw.unpack, fMwoXxC0IPZvWDP3Zf.cs High entropy of concatenated method names: 'Dispose', 'HpimSiTXZy', 'sL1ajW6aK0', 'updAApAqb2', 'AT3m2rOfO6', 'RvhmzGRiNk', 'ProcessDialogKey', 'XJaanAo0B0', 'hhPamo7byv', 'vSsaa534Ru'
Source: 0.2.Confirm!!.exe.3d40c80.6.raw.unpack, DfctdE1ypDbWH3lF9x.cs High entropy of concatenated method names: 'tYWZ1ItoZi', 'iRKZp18FKR', 'wmZZcRSZ7A', 'iUMZJVDTHe', 'LoJZLVh2rK', 'bARcCbYPSa', 'fe4cgQEMdo', 'clJcP9UcSN', 'Ww9cua8APH', 'Y87cSoDgh0'
Source: 0.2.Confirm!!.exe.3d40c80.6.raw.unpack, LPmuW7Ql8yeTtsI6Br.cs High entropy of concatenated method names: 'ntoid9oZmW', 'VOdiIUbZtx', 'maciv537bI', 'JKmi49nEUl', 'GEZij4vRMn', 'bwpiNllQB0', 'dWui9AJSye', 'I8Nio3gne3', 'ovOiBs0rwY', 'qupifZ6Llb'
Source: 0.2.Confirm!!.exe.3d40c80.6.raw.unpack, DLl3bQIlqWRZ9eHgCgO.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'O7QkvDFB02', 'fnwk4H5G1P', 'dslkDPCpl6', 'xALkHImYnJ', 'Je2kCqqqFK', 'onmkgDF7NJ', 'twkkPSKyso'
Source: 0.2.Confirm!!.exe.3d40c80.6.raw.unpack, EREmHmIILDeQfJJrwHU.cs High entropy of concatenated method names: 'ToString', 'zpmkE7ZPDg', 'Q77kslnEYr', 'dUKk1R5E5i', 'RZDkYyNMqh', 'WMpkpvnGLm', 'RMUkeHOXFu', 'B7Ekc46cjE', 'QrmBN6c0ajfhxWeDrqr', 'xp5F8sciJITEbDvGOAT'
Source: 0.2.Confirm!!.exe.29f743c.3.raw.unpack, XG.cs High entropy of concatenated method names: 'S1d', 'RgtTUJcyZL', 'n1Q', 'M1r', 'Y1a', 'U1m', 'k2an4M', 'gt', 'kU', 'rK'
Source: 0.2.Confirm!!.exe.5fe0000.9.raw.unpack, N91fBcybJNtc6ijrmZ.cs High entropy of concatenated method names: 'WQ13YdMRnO', 'uDW3pbbKZX', 'D3J3e6XDlB', 'iV33c5V0p5', 'ShB3ZILa5D', 'wiJ3J7fskh', 'tPs3LlwkxZ', 'Oqx3Oj7PBr', 'vRl3VZODlJ', 'AG53Gj2Rfs'
Source: 0.2.Confirm!!.exe.5fe0000.9.raw.unpack, twp4YYIALgdEOP21bww.cs High entropy of concatenated method names: 'F5DtyJ3p2V', 'brKtRB9I92', 'M0wtx0R1xX', 'cEPtwMhGey', 'rqltKfhnRp', 'XIAtUydJfe', 'r97t078mxV', 'MVJtheoVap', 'hPttqvIAE8', 'Yc9t8a9oxg'
Source: 0.2.Confirm!!.exe.5fe0000.9.raw.unpack, bOiTjsEUZ6cy81xTLP.cs High entropy of concatenated method names: 'b2imJi43bi', 'jClmLy1FVO', 'VHhmVyXKce', 'qB0mGt3c63', 'uHDmi1N9LD', 'hQkmTiQWKe', 'GqtkxLJisIkAykcUMo', 'PLGKhEn795ZUDYpSyA', 'tQXmmxBhxv', 'D9mmEycft5'
Source: 0.2.Confirm!!.exe.5fe0000.9.raw.unpack, p8DyslpAG21txhnI3Y.cs High entropy of concatenated method names: 'EJ7JYBwqgD', 'GkoJei9F5W', 'm9XJZugnOy', 'eLLZ2MUS5O', 'rPDZzW243V', 'tZ0Jn1eCjh', 't83JmUGl57', 'scuJaMolqP', 'Ko8JEAiyj6', 'r0pJsS6aTa'
Source: 0.2.Confirm!!.exe.5fe0000.9.raw.unpack, hkUebLiWfTROFSjq9B.cs High entropy of concatenated method names: 'If3pvvmuFO', 'BOmp45SgeN', 'lG2pDuDDfE', 'yQ1pHtq3Iv', 'pZ8pCIqCxh', 'ObFpgdKG7P', 'lLppPVF896', 'KyfpuXd3uM', 'aoOpStseGH', 'ub2p2oHiUT'
Source: 0.2.Confirm!!.exe.5fe0000.9.raw.unpack, s5bdmLn5OMcQHPx2wH.cs High entropy of concatenated method names: 'ufArh2hO8F', 'fYRrqoXMRe', 'YZDr7aNtp0', 'o2prj40IpP', 'xkFr9IYPFa', 'OsFrosSmlA', 'cMUrfoqv19', 'x7lrF37Qh1', 'wBHrdjXabh', 'dZQrXtY4yL'
Source: 0.2.Confirm!!.exe.5fe0000.9.raw.unpack, hWxYHkSsuBZxageplD.cs High entropy of concatenated method names: 'q9BE1GrXP7', 'BmWEYZySJm', 'BDaEpa7cFt', 'JDLEe88uVu', 'KbwEclvPWD', 'Nt8EZtioot', 'hTJEJNy6QI', 'U3CELtR9pQ', 'o9lEOw8vG4', 'j43EVJWPEh'
Source: 0.2.Confirm!!.exe.5fe0000.9.raw.unpack, Q2xXCE29TMocJSX5Yg.cs High entropy of concatenated method names: 'ToString', 'ThmTXuhwIV', 'huTTjPwrBh', 'cyITN1OTmO', 'gHTT9KirJV', 'Qd9TobGw5E', 'XqTTBCptmW', 'nU1Tf1780A', 'BqATFXcV4v', 'WvkTljJ8xt'
Source: 0.2.Confirm!!.exe.5fe0000.9.raw.unpack, MaRryHzG8mqwYJEKrw.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'qJRtr0R61a', 'gQytiJ53OX', 'yqktTofbdS', 'pdjtbfnR4J', 'bjht3bkPO0', 'IPBtt5AHEu', 'AKLtkOR5Mf'
Source: 0.2.Confirm!!.exe.5fe0000.9.raw.unpack, h99ng7oPdLWrlG7g9u.cs High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'V3yaSbOXP0', 'xCOa2xUcEc', 'KW3az8Db9w', 'aJoEn0xwZY', 'Wa1EmJt77u', 'k63EaUY30C', 'nTWEEgqe9X', 'IpIAMOXL4OxN5jRwhTQ'
Source: 0.2.Confirm!!.exe.5fe0000.9.raw.unpack, r5CYMKtfdQJmXXlPqS.cs High entropy of concatenated method names: 'FKqJyfgKL7', 'EZDJRhNuAO', 'wtAJxeWTwq', 'nKWJwRriim', 'yfuJKiKwy5', 'EZVJUxGrIU', 'nlFJ0Arnpa', 'eB5Jhf2Yt5', 'hpWJqd6yOE', 'jYtJ8DC9CA'
Source: 0.2.Confirm!!.exe.5fe0000.9.raw.unpack, g0qRx08p8I76f2IHSj.cs High entropy of concatenated method names: 'om6buxnvnX', 'vtvb2srlVK', 'jCn3noS0hr', 'tJW3mGgJId', 'jIWbXHBQaR', 'riZbIrbc08', 'BO6bMkpulU', 'UL9bvA21hL', 'NSgb42CU30', 'sCubDDendr'
Source: 0.2.Confirm!!.exe.5fe0000.9.raw.unpack, OJkCf9TOsTb9cMayX5.cs High entropy of concatenated method names: 'BKYxLVtUH', 'yuqwMLYFO', 'CfFUMIHxW', 'RJe0yeNJV', 'rH1qbJhW5', 'FbR81MesL', 'wet3Y4hljCj63VufXT', 'wx098kab8pOKWKTC8H', 'C2h3DeakI', 'pTPkw3qxZ'
Source: 0.2.Confirm!!.exe.5fe0000.9.raw.unpack, tcZ2wtKdtCyQjEEoGD.cs High entropy of concatenated method names: 'tvDtmyoCkM', 'fUAtEGALQ8', 'NS5ts2EHKm', 'xRRtYJ32wb', 'wo5tp6gPYy', 'qBwtcIBc6Q', 'HlbtZc5uSi', 'RZ13PaFLyX', 'Pfq3udBVUk', 'Q123SZT25N'
Source: 0.2.Confirm!!.exe.5fe0000.9.raw.unpack, d72IrTk2IMEECSiBws.cs High entropy of concatenated method names: 'qknewfh6o5', 'n0ceUZkWyY', 'QkVehHFSmw', 'HYgeqPS8gn', 'A5DeiUUYeU', 'dpgeT5CmLp', 'NB6ebQ6QZC', 'wv9e36SQ34', 'WjIet9UqiY', 'WN9ekA5w1K'
Source: 0.2.Confirm!!.exe.5fe0000.9.raw.unpack, wnMQOqMBSRfBF7i70R.cs High entropy of concatenated method names: 'ReN37HTcnr', 'h9W3j7pSJ0', 'tMs3Nnskwg', 'EQm39AVvol', 'Emh3vt91mm', 'oJg3o6Hmsh', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.Confirm!!.exe.5fe0000.9.raw.unpack, uwXheyb6Pd6pRb4Irl.cs High entropy of concatenated method names: 'PDJcK9WCsU', 'cINc0PI6XP', 'lqCeNqTHBU', 'o9Xe9ej33Z', 'my5eoHTBZg', 'MWweB4jCmn', 'NjlefW9uVa', 'pH0eFYoqhr', 'BJgelLEFV0', 'u5ted1hJsO'
Source: 0.2.Confirm!!.exe.5fe0000.9.raw.unpack, fMwoXxC0IPZvWDP3Zf.cs High entropy of concatenated method names: 'Dispose', 'HpimSiTXZy', 'sL1ajW6aK0', 'updAApAqb2', 'AT3m2rOfO6', 'RvhmzGRiNk', 'ProcessDialogKey', 'XJaanAo0B0', 'hhPamo7byv', 'vSsaa534Ru'
Source: 0.2.Confirm!!.exe.5fe0000.9.raw.unpack, DfctdE1ypDbWH3lF9x.cs High entropy of concatenated method names: 'tYWZ1ItoZi', 'iRKZp18FKR', 'wmZZcRSZ7A', 'iUMZJVDTHe', 'LoJZLVh2rK', 'bARcCbYPSa', 'fe4cgQEMdo', 'clJcP9UcSN', 'Ww9cua8APH', 'Y87cSoDgh0'
Source: 0.2.Confirm!!.exe.5fe0000.9.raw.unpack, LPmuW7Ql8yeTtsI6Br.cs High entropy of concatenated method names: 'ntoid9oZmW', 'VOdiIUbZtx', 'maciv537bI', 'JKmi49nEUl', 'GEZij4vRMn', 'bwpiNllQB0', 'dWui9AJSye', 'I8Nio3gne3', 'ovOiBs0rwY', 'qupifZ6Llb'
Source: 0.2.Confirm!!.exe.5fe0000.9.raw.unpack, DLl3bQIlqWRZ9eHgCgO.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'O7QkvDFB02', 'fnwk4H5G1P', 'dslkDPCpl6', 'xALkHImYnJ', 'Je2kCqqqFK', 'onmkgDF7NJ', 'twkkPSKyso'
Source: 0.2.Confirm!!.exe.5fe0000.9.raw.unpack, EREmHmIILDeQfJJrwHU.cs High entropy of concatenated method names: 'ToString', 'zpmkE7ZPDg', 'Q77kslnEYr', 'dUKk1R5E5i', 'RZDkYyNMqh', 'WMpkpvnGLm', 'RMUkeHOXFu', 'B7Ekc46cjE', 'QrmBN6c0ajfhxWeDrqr', 'xp5F8sciJITEbDvGOAT'
Source: 0.2.Confirm!!.exe.52c0000.8.raw.unpack, XG.cs High entropy of concatenated method names: 'S1d', 'RgtTUJcyZL', 'n1Q', 'M1r', 'Y1a', 'U1m', 'k2an4M', 'gt', 'kU', 'rK'
Source: 0.2.Confirm!!.exe.29e67c4.4.raw.unpack, XG.cs High entropy of concatenated method names: 'S1d', 'RgtTUJcyZL', 'n1Q', 'M1r', 'Y1a', 'U1m', 'k2an4M', 'gt', 'kU', 'rK'

Hooking and other Techniques for Hiding and Protection

Source: explorer.exe User mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x8C 0xCE 0xEF
Source: C:\Users\user\Desktop\Confirm!!.exe Process information set: NOOPENFILEERRORBOX (38 identical events)
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX (6 identical events)
Source: C:\Windows\SysWOW64\systray.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX
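The PeekMessageA finding above is what a user-mode inline hook looks like from the outside: the first bytes of an exported function in the live explorer.exe no longer match the clean user32.dll image. The Python below is an added example, not part of the sandbox report and not FormBook's code. It performs the check an analyst or an endpoint sensor runs to produce such a finding: take each export's prologue bytes from the on-disk module, compare them with the bytes read from the target process, and classify the detour. Only the six patched bytes are the ones the report recorded; the clean prologue, the module base, the RVAs and the second (jmp rel32) detour are constructed for the example. Reading the real buffers (parsing the export table of user32.dll, ReadProcessMemory against explorer.exe) is outside the block. Note that the recorded bytes do not start with a jmp or push/ret, so a classifier limited to textbook trampolines can only report them as a modification.

```python
"""Inline-hook check: compare an exported function's first bytes in a live
process with the same bytes from the clean on-disk module.

Added example, not part of the sandbox report; all buffers except the six
recorded PeekMessageA bytes are constructed for illustration.
"""
import struct

PROLOGUE_LEN = 16     # bytes compared per export; common detours fit in 5..14 bytes
MASK64 = (1 << 64) - 1


def classify_detour(code: bytes, va: int) -> str:
    """Describe what was written over the prologue located at 'va'.

    Covers the trampolines hooking engines usually emit; anything else is
    reported as a modification of unknown shape, which is all that can be
    said about the bytes recorded for PeekMessageA.
    """
    if code[:1] == b"\xe9" and len(code) >= 5:                     # jmp rel32
        rel = struct.unpack_from("<i", code, 1)[0]
        return "jmp rel32 -> 0x%x" % ((va + 5 + rel) & MASK64)
    if code[:2] == b"\x48\xb8" and code[10:12] == b"\xff\xe0":     # mov rax, imm64; jmp rax
        return "mov rax, imm64; jmp rax -> 0x%x" % struct.unpack_from("<Q", code, 2)[0]
    if code[:1] == b"\x68" and code[5:6] == b"\xc3":               # push imm32; ret
        return "push imm32; ret -> 0x%x" % struct.unpack_from("<I", code, 1)[0]
    return "modified, not a common trampoline"


def find_hooks(module_base: int, exports: dict, clean: dict, live: dict) -> list:
    """Return (name, va, description) for each export whose live prologue
    differs from the clean one.

    exports: name -> RVA; clean/live: name -> first PROLOGUE_LEN code bytes
    taken from the on-disk image and from the target process respectively.
    """
    hooks = []
    for name, rva in exports.items():
        va = module_base + rva
        c, l = clean[name][:PROLOGUE_LEN], live[name][:PROLOGUE_LEN]
        if c != l:
            hooks.append((name, va, classify_detour(l, va)))
    return hooks


# --- constructed sample ----------------------------------------------------
USER32_BASE = 0x7FFB00000000                  # assumed load address of user32.dll
EXPORTS = {"PeekMessageA": 0x2E0A0,           # assumed RVAs
           "GetMessageA": 0x2E2C0}
CLEAN_PROLOGUE = bytes.fromhex("4883ec38488b05a9c704004889442428")   # constructed 16 bytes
PEEKMESSAGEA_PATCH = bytes.fromhex("488bb88cceef")    # the six bytes the report recorded

CLEAN = {name: CLEAN_PROLOGUE for name in EXPORTS}
LIVE = {
    # explorer.exe as the sandbox saw it: the recorded bytes over the prologue
    "PeekMessageA": PEEKMESSAGEA_PATCH + CLEAN_PROLOGUE[len(PEEKMESSAGEA_PATCH):],
    # a constructed textbook detour: jmp rel32 to a trampoline 0x1000 bytes ahead
    "GetMessageA": b"\xe9" + struct.pack("<i", 0x1000) + CLEAN_PROLOGUE[5:],
}


def scan_sample() -> list:
    """Run the comparison over the constructed sample."""
    return find_hooks(USER32_BASE, EXPORTS, CLEAN, LIVE)


if __name__ == "__main__":
    for name, va, what in scan_sample():
        print("%-13s at 0x%x: %s" % (name, va, what))
```

A mismatch is a lead, not a verdict: legitimate software (EDR agents, accessibility tools, application-compatibility shims) detours the same exports, and on 32-bit images relocated absolute addresses inside the first 16 bytes differ between disk and memory for benign reasons. Resolve a hit by following the detour target and checking which module, if any, owns it; unbacked executable memory, as in the process-hollowing case this report describes, is the indicator.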

Malware Analysis System Evasion

Source: Yara match File source: Process Memory Space: Confirm!!.exe PID: 3604, type: MEMORYSTR
Source: C:\Users\user\Desktop\Confirm!!.exe RDTSC instruction interceptor: First address: 409904 second address: 40990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Confirm!!.exe RDTSC instruction interceptor: First address: 409B7E second address: 409B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\systray.exe RDTSC instruction interceptor: First address: 989904 second address: 98990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\systray.exe RDTSC instruction interceptor: First address: 989B7E second address: 989B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Confirm!!.exe Memory allocated: 2770000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Confirm!!.exe Memory allocated: 2990000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Confirm!!.exe Memory allocated: 28A0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Confirm!!.exe Memory allocated: 6050000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Confirm!!.exe Memory allocated: 7050000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Confirm!!.exe Memory allocated: 7290000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Confirm!!.exe Memory allocated: 8290000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_00409AB0 rdtsc 3_2_00409AB0
Source: C:\Users\user\Desktop\Confirm!!.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\explorer.exe Window / User API: threadDelayed 9672
Source: C:\Windows\explorer.exe Window / User API: foregroundWindowGot 878
Source: C:\Windows\SysWOW64\systray.exe Window / User API: threadDelayed 9685
Source: C:\Windows\explorer.exe Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)
Source: C:\Users\user\Desktop\Confirm!!.exe API coverage: 1.6 %
Source: C:\Windows\SysWOW64\systray.exe API coverage: 1.8 %
Source: C:\Users\user\Desktop\Confirm!!.exe TID: 5912 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\explorer.exe TID: 2436 Thread sleep count: 9672 > 30
Source: C:\Windows\explorer.exe TID: 2436 Thread sleep time: -19344000s >= -30000s
Source: C:\Windows\explorer.exe TID: 2436 Thread sleep count: 247 > 30
Source: C:\Windows\explorer.exe TID: 2436 Thread sleep time: -494000s >= -30000s
Source: C:\Windows\SysWOW64\systray.exe TID: 6324 Thread sleep count: 282 > 30
Source: C:\Windows\SysWOW64\systray.exe TID: 6324 Thread sleep time: -564000s >= -30000s
Source: C:\Windows\SysWOW64\systray.exe TID: 6324 Thread sleep count: 9685 > 30
Source: C:\Windows\SysWOW64\systray.exe TID: 6324 Thread sleep time: -19370000s >= -30000s
Source: C:\Windows\SysWOW64\systray.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\Confirm!!.exe Thread delayed: delay time: 922337203685477
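The sleep findings above are the raw material for a stalling-evasion verdict, and two details in them are worth pinning down. First, the value 922337203685477 is 2^63 100-nanosecond ticks expressed in milliseconds, the largest interval a 64-bit NT timeout can hold: the sample asked for an effectively infinite wait, not a long one. Second, the report prints its totals and thresholds with an "s" suffix, but the figures are only consistent with milliseconds (9672 sleeps totalling 19344000 is exactly 2000 per call, i.e. Sleep(2000) in a loop); treating them as milliseconds is an inference from the report's own numbers, not something the report states. The Python below is an added example, not part of the report. It parses lines in the report's format into per-thread metrics (sleep count, total requested delay, mean interval, infinite-wait sentinel) and applies the report's own thresholds; the sample lines are copied from this section.

```python
"""Summarise stalling (sleep-based) evasion from sandbox report lines.

Added example, not part of the report. Parses the report's 'Thread sleep
count', 'Thread sleep time' and 'Thread delayed' lines into per-thread
metrics and applies the report's own thresholds.
"""
import re
from collections import defaultdict

# 2**63 100-ns ticks expressed in milliseconds: the largest interval a 64-bit
# NT timeout can hold, i.e. an effectively infinite wait (about 29,000 years).
INFINITE_MS = (1 << 63) // 10_000        # == 922337203685477

# The report suffixes totals and thresholds with 's', but the figures only
# make sense as milliseconds (9672 sleeps totalling 19344000 is exactly 2000
# per call, i.e. Sleep(2000)); they are treated as ms here (assumption).
SLEEP_COUNT = re.compile(r"^Source: (?P<proc>\S+) TID: (?P<tid>\d+) Thread sleep count: (?P<n>\d+) > \d+")
SLEEP_TIME = re.compile(r"^Source: (?P<proc>\S+) TID: (?P<tid>\d+) Thread sleep time: -(?P<ms>\d+)s >= -\d+s")
DELAYED = re.compile(r"^Source: (?P<proc>\S+) Thread delayed: delay time: (?P<ms>\d+)")


def is_infinite(ms: int) -> bool:
    """True for the Int64-ticks sentinel (or anything beyond it)."""
    return ms >= INFINITE_MS


def _add_delay(rec: dict, ms: int) -> None:
    """Record one requested delay, keeping the infinite sentinel out of the total."""
    if is_infinite(ms):
        rec["infinite"] = True
    else:
        rec["total_ms"] += ms


def summarise(lines):
    """Return {(process, tid): metrics}; tid is None for 'Thread delayed' lines,
    which the report prints without a thread id."""
    per = defaultdict(lambda: {"sleeps": 0, "total_ms": 0, "infinite": False})
    for raw in lines:
        line = raw.strip()
        m = SLEEP_COUNT.match(line)
        if m:
            per[(m["proc"], int(m["tid"]))]["sleeps"] += int(m["n"])
            continue
        m = SLEEP_TIME.match(line)
        if m:
            _add_delay(per[(m["proc"], int(m["tid"]))], int(m["ms"]))
            continue
        m = DELAYED.match(line)
        if m:
            _add_delay(per[(m["proc"], None)], int(m["ms"]))
    for rec in per.values():
        rec["mean_ms"] = rec["total_ms"] / rec["sleeps"] if rec["sleeps"] else None
    return dict(per)


def stalling_verdict(metrics, min_sleeps=30, min_total_ms=30_000):
    """Keys that trip the report's thresholds (count > 30, total >= 30 s) or
    requested an infinite wait."""
    return sorted((k for k, r in metrics.items()
                   if r["infinite"] or r["sleeps"] > min_sleeps or r["total_ms"] >= min_total_ms),
                  key=str)


# Lines copied from this report's 'Malware Analysis System Evasion' section.
REPORT_LINES = [
    r"Source: C:\Users\user\Desktop\Confirm!!.exe TID: 5912 Thread sleep time: -922337203685477s >= -30000s",
    r"Source: C:\Windows\explorer.exe TID: 2436 Thread sleep count: 9672 > 30",
    r"Source: C:\Windows\explorer.exe TID: 2436 Thread sleep time: -19344000s >= -30000s",
    r"Source: C:\Windows\explorer.exe TID: 2436 Thread sleep count: 247 > 30",
    r"Source: C:\Windows\explorer.exe TID: 2436 Thread sleep time: -494000s >= -30000s",
    r"Source: C:\Windows\SysWOW64\systray.exe TID: 6324 Thread sleep count: 282 > 30",
    r"Source: C:\Windows\SysWOW64\systray.exe TID: 6324 Thread sleep time: -564000s >= -30000s",
    r"Source: C:\Windows\SysWOW64\systray.exe TID: 6324 Thread sleep count: 9685 > 30",
    r"Source: C:\Windows\SysWOW64\systray.exe TID: 6324 Thread sleep time: -19370000s >= -30000s",
    r"Source: C:\Users\user\Desktop\Confirm!!.exe Thread delayed: delay time: 922337203685477",
]

if __name__ == "__main__":
    metrics = summarise(REPORT_LINES)
    for key in stalling_verdict(metrics):
        r = metrics[key]
        print(key, "sleeps=%d total=%.2f h mean=%s infinite=%s"
              % (r["sleeps"], r["total_ms"] / 3.6e6, r["mean_ms"], r["infinite"]))
```

On this report's data the injected explorer.exe thread requested about 5.5 hours of sleep in 2-second steps, and the systray.exe thread about the same: short individual calls that stay under a naive per-call threshold but add up, which is why sandboxes skip or shorten sleeps rather than honour them. The infinite wait from the original Confirm!!.exe process is the parent parking itself after injection, and a mean of exactly 2000 ms is itself a fingerprint of a fixed Sleep() loop rather than real work.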
Source: explorer.exe, 00000004.00000002.3332424273.000000000962B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2077678036.000000000962B000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWystem32\DriverStore\en-US\msmouse.inf_locv
Source: explorer.exe, 00000004.00000000.2078111722.00000000097F3000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: explorer.exe, 00000004.00000000.2077678036.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.3332424273.000000000973C000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWws
Source: explorer.exe, 00000004.00000000.2078111722.00000000098AD000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}RoamingCom
Source: explorer.exe, 00000004.00000002.3332424273.0000000009605000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: NXTVMWare
Source: explorer.exe, 00000004.00000002.3328195467.0000000000D99000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: #CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000004.00000000.2077678036.000000000978C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.3332424273.000000000978C000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: explorer.exe, 00000004.00000002.3328195467.0000000000D99000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000W
Source: explorer.exe, 00000004.00000002.3330375970.00000000073E5000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000
Source: explorer.exe, 00000004.00000000.2078111722.00000000098AD000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}lnkramW6
Source: explorer.exe, 00000004.00000002.3328195467.0000000000D99000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
Source: explorer.exe, 00000004.00000000.2078111722.00000000098AD000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000
Source: explorer.exe, 00000004.00000002.3328195467.0000000000D99000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: C:\Users\user\Desktop\Confirm!!.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\Confirm!!.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\systray.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_00409AB0 rdtsc 3_2_00409AB0
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_0040ACF0 LdrLoadDll, 3_2_0040ACF0
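The `mov eax, dword ptr fs:[00000030h]` and `mov ecx, dword ptr fs:[00000030h]` lines that follow are the sandbox's static matches for PEB access. In 32-bit code the FS segment base is the TEB and offset 0x30 holds the pointer to the PEB; from there BeingDebugged (PEB+0x02) and NtGlobalFlag (PEB+0x68 in the 32-bit layout) give the in-process debugger checks that complement the DebugPort queries listed above, and Ldr (PEB+0x0C) is how LdrLoadDll-style loader code finds modules without the import table. The Python below is an added example, not part of the report and not the sample's code. It scans raw 32-bit code for the two instruction encodings behind these lines and reports whether a read of one of the debugger-visible PEB fields follows within a short window; the code bytes it scans are constructed for the example.

```python
"""Scan 32-bit x86 code for PEB reads through fs:[30h] and for debugger
checks that follow them. Added example, not part of the report; the sample
code bytes are constructed.
"""

REGS = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]
WINDOW = 32          # bytes after the PEB read in which a flag test is looked for
PEB_PTR = b"\x30\x00\x00\x00"   # TEB+0x30 = ProcessEnvironmentBlock

# Follow-up reads of debugger-visible PEB fields, as (opcode, fixed reg field
# or None, disp8). 32-bit PEB: BeingDebugged at +0x02, NtGlobalFlag at +0x68.
FLAG_READS = {
    "BeingDebugged": [(b"\x0f\xb6", None, 0x02),   # movzx r32, byte ptr [R+2]
                      (b"\x8a", None, 0x02),       # mov r8, byte ptr [R+2]
                      (b"\x80", 7, 0x02)],         # cmp byte ptr [R+2], imm8
    "NtGlobalFlag":  [(b"\x8b", None, 0x68),       # mov r32, dword ptr [R+0x68]
                      (b"\xf7", 0, 0x68)],         # test dword ptr [R+0x68], imm32
}


def find_peb_reads(code: bytes):
    """Yield (offset, length, register) for every 'mov r32, fs:[30h]'.

    Two encodings exist: 64 A1 30 00 00 00 (moffs32 form, eax only) and
    64 8B /r with a disp32-only ModRM (05 | reg<<3) 30 00 00 00.
    """
    i = 0
    while i < len(code) - 5:
        if code[i] == 0x64:                                   # FS segment override
            if code[i + 1] == 0xA1 and code[i + 2:i + 6] == PEB_PTR:
                yield i, 6, "eax"
                i += 6
                continue
            if (code[i + 1] == 0x8B and i + 7 <= len(code)
                    and (code[i + 2] & 0xC7) == 0x05 and code[i + 3:i + 7] == PEB_PTR):
                yield i, 7, REGS[(code[i + 2] >> 3) & 7]
                i += 7
                continue
        i += 1


def find_flag_checks(code: bytes, start: int, base: str) -> list:
    """Return the PEB fields read via [base+disp8] within WINDOW bytes of start."""
    b = REGS.index(base)
    if b == 4:            # rm=100 means a SIB byte follows; esp as base is not decoded here
        return []
    found = set()
    end = min(len(code), start + WINDOW)
    for field, forms in FLAG_READS.items():
        for op, fixed_reg, disp in forms:
            for j in range(start, end - len(op) - 1):
                if code[j:j + len(op)] != op:
                    continue
                modrm = code[j + len(op)]
                if (modrm & 0xC7) != (0x40 | b):              # mod=01 (disp8), rm=base
                    continue
                if fixed_reg is not None and ((modrm >> 3) & 7) != fixed_reg:
                    continue
                if code[j + len(op) + 1] == disp:
                    found.add(field)
                    break
    return sorted(found)


def scan(code: bytes) -> list:
    """Return [(offset, register, [fields])] for each PEB read in 'code'."""
    return [(off, reg, find_flag_checks(code, off + ln, reg))
            for off, ln, reg in find_peb_reads(code)]


# Constructed sample: three fragments of the kind the sandbox matched.
SAMPLE = bytes.fromhex(
    "55 8b ec"                  # push ebp; mov ebp, esp
    "64 a1 30 00 00 00"         # mov eax, fs:[30h]             (PEB)
    "0f b6 40 02"               # movzx eax, byte ptr [eax+2]   (BeingDebugged)
    "85 c0 75 10"               # test eax, eax; jnz +0x10
    "64 8b 0d 30 00 00 00"      # mov ecx, fs:[30h]
    "8b 41 68"                  # mov eax, dword ptr [ecx+68h]  (NtGlobalFlag)
    "a9 70 00 00 00"            # test eax, 70h                 (heap debug flags)
    "64 8b 1d 30 00 00 00"      # mov ebx, fs:[30h]
    "8b 43 0c"                  # mov eax, dword ptr [ebx+0Ch]  (Ldr, not a flag read)
    "c3"                        # ret
)

if __name__ == "__main__":
    for off, reg, fields in scan(SAMPLE):
        print("PEB read at +0x%x into %s: %s" % (off, reg, ", ".join(fields) or "no flag check in window"))
```

A PEB read on its own is not evidence of anything: the C runtime and compiler-generated code read fs:[30h] for ProcessHeap and Ldr, which is why the report lists dozens of such functions. What separates the third fragment from the first two is the follow-up read of BeingDebugged or NtGlobalFlag, so the scanner reports the field, not just the access. The same check on 64-bit code looks for gs:[60h] instead, with BeingDebugged still at +0x02 and NtGlobalFlag at +0xBC.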
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_01434144 mov eax, dword ptr fs:[00000030h] 3_2_01434144
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_01434144 mov ecx, dword ptr fs:[00000030h] 3_2_01434144
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_013D0124 mov eax, dword ptr fs:[00000030h] 3_2_013D0124
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_01438158 mov eax, dword ptr fs:[00000030h] 3_2_01438158
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_01474164 mov eax, dword ptr fs:[00000030h] 3_2_01474164
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_0144E10E mov eax, dword ptr fs:[00000030h] 3_2_0144E10E
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_0144E10E mov ecx, dword ptr fs:[00000030h] 3_2_0144E10E
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_01460115 mov eax, dword ptr fs:[00000030h] 3_2_01460115
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_0144A118 mov ecx, dword ptr fs:[00000030h] 3_2_0144A118
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_0144A118 mov eax, dword ptr fs:[00000030h] 3_2_0144A118
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_013A6154 mov eax, dword ptr fs:[00000030h] 3_2_013A6154
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_0139C156 mov eax, dword ptr fs:[00000030h] 3_2_0139C156
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_014661C3 mov eax, dword ptr fs:[00000030h] 3_2_014661C3
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_0141E1D0 mov eax, dword ptr fs:[00000030h] 3_2_0141E1D0
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_0141E1D0 mov ecx, dword ptr fs:[00000030h] 3_2_0141E1D0
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_014761E5 mov eax, dword ptr fs:[00000030h] 3_2_014761E5
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_0139A197 mov eax, dword ptr fs:[00000030h] 3_2_0139A197
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_013E0185 mov eax, dword ptr fs:[00000030h] 3_2_013E0185
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_01444180 mov eax, dword ptr fs:[00000030h] 3_2_01444180
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_013D01F8 mov eax, dword ptr fs:[00000030h] 3_2_013D01F8
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_0145C188 mov eax, dword ptr fs:[00000030h] 3_2_0145C188
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_0142019F mov eax, dword ptr fs:[00000030h] 3_2_0142019F
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_01426050 mov eax, dword ptr fs:[00000030h] 3_2_01426050
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_0139A020 mov eax, dword ptr fs:[00000030h] 3_2_0139A020
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_0139C020 mov eax, dword ptr fs:[00000030h] 3_2_0139C020
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_013BE016 mov eax, dword ptr fs:[00000030h] 3_2_013BE016
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_01424000 mov ecx, dword ptr fs:[00000030h] 3_2_01424000
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_01442000 mov eax, dword ptr fs:[00000030h] 3_2_01442000
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_013CC073 mov eax, dword ptr fs:[00000030h] 3_2_013CC073
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_013A2050 mov eax, dword ptr fs:[00000030h] 3_2_013A2050
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_01436030 mov eax, dword ptr fs:[00000030h] 3_2_01436030
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_013980A0 mov eax, dword ptr fs:[00000030h] 3_2_013980A0
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_014220DE mov eax, dword ptr fs:[00000030h] 3_2_014220DE
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_014260E0 mov eax, dword ptr fs:[00000030h] 3_2_014260E0
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_013A208A mov eax, dword ptr fs:[00000030h] 3_2_013A208A
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_0139C0F0 mov eax, dword ptr fs:[00000030h] 3_2_0139C0F0
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_013E20F0 mov ecx, dword ptr fs:[00000030h] 3_2_013E20F0
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_013A80E9 mov eax, dword ptr fs:[00000030h] 3_2_013A80E9
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_0139A0E3 mov ecx, dword ptr fs:[00000030h] 3_2_0139A0E3
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_014380A8 mov eax, dword ptr fs:[00000030h] 3_2_014380A8
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_014660B8 mov eax, dword ptr fs:[00000030h] 3_2_014660B8
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_014660B8 mov ecx, dword ptr fs:[00000030h] 3_2_014660B8
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_0147634F mov eax, dword ptr fs:[00000030h] 3_2_0147634F
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_01422349 mov eax, dword ptr fs:[00000030h] 3_2_01422349
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_0146A352 mov eax, dword ptr fs:[00000030h] 3_2_0146A352
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_01448350 mov ecx, dword ptr fs:[00000030h] 3_2_01448350
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_0142035C mov eax, dword ptr fs:[00000030h] 3_2_0142035C
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_0142035C mov ecx, dword ptr fs:[00000030h] 3_2_0142035C
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_0139C310 mov ecx, dword ptr fs:[00000030h] 3_2_0139C310
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_013C0310 mov ecx, dword ptr fs:[00000030h] 3_2_013C0310
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_013DA30B mov eax, dword ptr fs:[00000030h] 3_2_013DA30B
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_0144437C mov eax, dword ptr fs:[00000030h] 3_2_0144437C
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_01478324 mov eax, dword ptr fs:[00000030h] 3_2_01478324
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_01478324 mov ecx, dword ptr fs:[00000030h] 3_2_01478324
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_014263C0 mov eax, dword ptr fs:[00000030h] 3_2_014263C0
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_0145C3CD mov eax, dword ptr fs:[00000030h] 3_2_0145C3CD
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_014443D4 mov eax, dword ptr fs:[00000030h] 3_2_014443D4
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_0144E3DB mov eax, dword ptr fs:[00000030h] 3_2_0144E3DB
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_0144E3DB mov ecx, dword ptr fs:[00000030h] 3_2_0144E3DB
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_01398397 mov eax, dword ptr fs:[00000030h] 3_2_01398397
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_0139E388 mov eax, dword ptr fs:[00000030h] 3_2_0139E388
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_013C438F mov eax, dword ptr fs:[00000030h] 3_2_013C438F
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_013D63FF mov eax, dword ptr fs:[00000030h] 3_2_013D63FF
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_013BE3F0 mov eax, dword ptr fs:[00000030h] 3_2_013BE3F0
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_013B03E9 mov eax, dword ptr fs:[00000030h] 3_2_013B03E9
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_013AA3C0 mov eax, dword ptr fs:[00000030h] 3_2_013AA3C0
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_013A83C0 mov eax, dword ptr fs:[00000030h] 3_2_013A83C0
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_01428243 mov eax, dword ptr fs:[00000030h] 3_2_01428243
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_01428243 mov ecx, dword ptr fs:[00000030h] 3_2_01428243
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_0139823B mov eax, dword ptr fs:[00000030h] 3_2_0139823B
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_0145A250 mov eax, dword ptr fs:[00000030h] 3_2_0145A250
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_0147625D mov eax, dword ptr fs:[00000030h] 3_2_0147625D
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_01450274 mov eax, dword ptr fs:[00000030h] 3_2_01450274
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_01450274 mov eax, dword ptr fs:[00000030h] 3_2_01450274
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_01450274 mov eax, dword ptr fs:[00000030h] 3_2_01450274
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_01450274 mov eax, dword ptr fs:[00000030h] 3_2_01450274
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_01450274 mov eax, dword ptr fs:[00000030h] 3_2_01450274
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_01450274 mov eax, dword ptr fs:[00000030h] 3_2_01450274
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_01450274 mov eax, dword ptr fs:[00000030h] 3_2_01450274
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_01450274 mov eax, dword ptr fs:[00000030h] 3_2_01450274
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_0139826B mov eax, dword ptr fs:[00000030h] 3_2_0139826B
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_013A4260 mov eax, dword ptr fs:[00000030h] 3_2_013A4260
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_013A4260 mov eax, dword ptr fs:[00000030h] 3_2_013A4260
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_013A4260 mov eax, dword ptr fs:[00000030h] 3_2_013A4260
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_013A6259 mov eax, dword ptr fs:[00000030h] 3_2_013A6259
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_0139A250 mov eax, dword ptr fs:[00000030h] 3_2_0139A250
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_014762D6 mov eax, dword ptr fs:[00000030h] 3_2_014762D6
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_013DE284 mov eax, dword ptr fs:[00000030h] 3_2_013DE284
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_013DE284 mov eax, dword ptr fs:[00000030h] 3_2_013DE284
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_01420283 mov eax, dword ptr fs:[00000030h] 3_2_01420283
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_01420283 mov eax, dword ptr fs:[00000030h] 3_2_01420283
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_01420283 mov eax, dword ptr fs:[00000030h] 3_2_01420283
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_013B02E1 mov eax, dword ptr fs:[00000030h] 3_2_013B02E1
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_013B02E1 mov eax, dword ptr fs:[00000030h] 3_2_013B02E1
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_013B02E1 mov eax, dword ptr fs:[00000030h] 3_2_013B02E1
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_014362A0 mov eax, dword ptr fs:[00000030h] 3_2_014362A0
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_014362A0 mov ecx, dword ptr fs:[00000030h] 3_2_014362A0
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_014362A0 mov eax, dword ptr fs:[00000030h] 3_2_014362A0
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_014362A0 mov eax, dword ptr fs:[00000030h] 3_2_014362A0
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_014362A0 mov eax, dword ptr fs:[00000030h] 3_2_014362A0
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_014362A0 mov eax, dword ptr fs:[00000030h] 3_2_014362A0
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_013AA2C3 mov eax, dword ptr fs:[00000030h] 3_2_013AA2C3
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_013AA2C3 mov eax, dword ptr fs:[00000030h] 3_2_013AA2C3
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_013AA2C3 mov eax, dword ptr fs:[00000030h] 3_2_013AA2C3
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_013AA2C3 mov eax, dword ptr fs:[00000030h] 3_2_013AA2C3
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_013AA2C3 mov eax, dword ptr fs:[00000030h] 3_2_013AA2C3
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_013CE53E mov eax, dword ptr fs:[00000030h] 3_2_013CE53E
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_013CE53E mov eax, dword ptr fs:[00000030h] 3_2_013CE53E
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_013CE53E mov eax, dword ptr fs:[00000030h] 3_2_013CE53E
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_013CE53E mov eax, dword ptr fs:[00000030h] 3_2_013CE53E
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_013CE53E mov eax, dword ptr fs:[00000030h] 3_2_013CE53E
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_013B0535 mov eax, dword ptr fs:[00000030h] 3_2_013B0535
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_013B0535 mov eax, dword ptr fs:[00000030h] 3_2_013B0535
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_013B0535 mov eax, dword ptr fs:[00000030h] 3_2_013B0535
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_013B0535 mov eax, dword ptr fs:[00000030h] 3_2_013B0535
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_013B0535 mov eax, dword ptr fs:[00000030h] 3_2_013B0535
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_013B0535 mov eax, dword ptr fs:[00000030h] 3_2_013B0535
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_01436500 mov eax, dword ptr fs:[00000030h] 3_2_01436500
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_01474500 mov eax, dword ptr fs:[00000030h] 3_2_01474500
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_01474500 mov eax, dword ptr fs:[00000030h] 3_2_01474500
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_01474500 mov eax, dword ptr fs:[00000030h] 3_2_01474500
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_01474500 mov eax, dword ptr fs:[00000030h] 3_2_01474500
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_01474500 mov eax, dword ptr fs:[00000030h] 3_2_01474500
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_01474500 mov eax, dword ptr fs:[00000030h] 3_2_01474500
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_01474500 mov eax, dword ptr fs:[00000030h] 3_2_01474500
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_013D656A mov eax, dword ptr fs:[00000030h] 3_2_013D656A
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_013D656A mov eax, dword ptr fs:[00000030h] 3_2_013D656A
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_013D656A mov eax, dword ptr fs:[00000030h] 3_2_013D656A
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_013A8550 mov eax, dword ptr fs:[00000030h] 3_2_013A8550
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_013A8550 mov eax, dword ptr fs:[00000030h] 3_2_013A8550
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_013C45B1 mov eax, dword ptr fs:[00000030h] 3_2_013C45B1
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_013C45B1 mov eax, dword ptr fs:[00000030h] 3_2_013C45B1
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_013DE59C mov eax, dword ptr fs:[00000030h] 3_2_013DE59C
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_013D4588 mov eax, dword ptr fs:[00000030h] 3_2_013D4588
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_013A2582 mov eax, dword ptr fs:[00000030h] 3_2_013A2582
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_013A2582 mov ecx, dword ptr fs:[00000030h] 3_2_013A2582
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_013DC5ED mov eax, dword ptr fs:[00000030h] 3_2_013DC5ED
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_013DC5ED mov eax, dword ptr fs:[00000030h] 3_2_013DC5ED
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_013A25E0 mov eax, dword ptr fs:[00000030h] 3_2_013A25E0
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_013CE5E7 mov eax, dword ptr fs:[00000030h] 3_2_013CE5E7
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_013CE5E7 mov eax, dword ptr fs:[00000030h] 3_2_013CE5E7
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_013CE5E7 mov eax, dword ptr fs:[00000030h] 3_2_013CE5E7
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_013CE5E7 mov eax, dword ptr fs:[00000030h] 3_2_013CE5E7
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_013CE5E7 mov eax, dword ptr fs:[00000030h] 3_2_013CE5E7
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_013CE5E7 mov eax, dword ptr fs:[00000030h] 3_2_013CE5E7
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_013CE5E7 mov eax, dword ptr fs:[00000030h] 3_2_013CE5E7
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_013CE5E7 mov eax, dword ptr fs:[00000030h] 3_2_013CE5E7
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_014205A7 mov eax, dword ptr fs:[00000030h] 3_2_014205A7
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_014205A7 mov eax, dword ptr fs:[00000030h] 3_2_014205A7
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_014205A7 mov eax, dword ptr fs:[00000030h] 3_2_014205A7
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_013A65D0 mov eax, dword ptr fs:[00000030h] 3_2_013A65D0
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_013DA5D0 mov eax, dword ptr fs:[00000030h] 3_2_013DA5D0
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_013DA5D0 mov eax, dword ptr fs:[00000030h] 3_2_013DA5D0
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_013DE5CF mov eax, dword ptr fs:[00000030h] 3_2_013DE5CF
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_013DE5CF mov eax, dword ptr fs:[00000030h] 3_2_013DE5CF
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_013DA430 mov eax, dword ptr fs:[00000030h] 3_2_013DA430
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_0145A456 mov eax, dword ptr fs:[00000030h] 3_2_0145A456
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_0139E420 mov eax, dword ptr fs:[00000030h] 3_2_0139E420
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_0139E420 mov eax, dword ptr fs:[00000030h] 3_2_0139E420
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_0139E420 mov eax, dword ptr fs:[00000030h] 3_2_0139E420
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_0139C427 mov eax, dword ptr fs:[00000030h] 3_2_0139C427
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_0142C460 mov ecx, dword ptr fs:[00000030h] 3_2_0142C460
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_013D8402 mov eax, dword ptr fs:[00000030h] 3_2_013D8402
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_013D8402 mov eax, dword ptr fs:[00000030h] 3_2_013D8402
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_013D8402 mov eax, dword ptr fs:[00000030h] 3_2_013D8402
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_013CA470 mov eax, dword ptr fs:[00000030h] 3_2_013CA470
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_013CA470 mov eax, dword ptr fs:[00000030h] 3_2_013CA470
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_013CA470 mov eax, dword ptr fs:[00000030h] 3_2_013CA470
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_01426420 mov eax, dword ptr fs:[00000030h] 3_2_01426420
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_01426420 mov eax, dword ptr fs:[00000030h] 3_2_01426420
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_01426420 mov eax, dword ptr fs:[00000030h] 3_2_01426420
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_01426420 mov eax, dword ptr fs:[00000030h] 3_2_01426420
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_01426420 mov eax, dword ptr fs:[00000030h] 3_2_01426420
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_01426420 mov eax, dword ptr fs:[00000030h] 3_2_01426420
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_01426420 mov eax, dword ptr fs:[00000030h] 3_2_01426420
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_0139645D mov eax, dword ptr fs:[00000030h] 3_2_0139645D
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_013C245A mov eax, dword ptr fs:[00000030h] 3_2_013C245A
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_013DE443 mov eax, dword ptr fs:[00000030h] 3_2_013DE443
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_013DE443 mov eax, dword ptr fs:[00000030h] 3_2_013DE443
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_013DE443 mov eax, dword ptr fs:[00000030h] 3_2_013DE443
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_013DE443 mov eax, dword ptr fs:[00000030h] 3_2_013DE443
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_013DE443 mov eax, dword ptr fs:[00000030h] 3_2_013DE443
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_013DE443 mov eax, dword ptr fs:[00000030h] 3_2_013DE443
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_013DE443 mov eax, dword ptr fs:[00000030h] 3_2_013DE443
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_013DE443 mov eax, dword ptr fs:[00000030h] 3_2_013DE443
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_013D44B0 mov ecx, dword ptr fs:[00000030h] 3_2_013D44B0
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_013A64AB mov eax, dword ptr fs:[00000030h] 3_2_013A64AB
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_013A04E5 mov ecx, dword ptr fs:[00000030h] 3_2_013A04E5
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_0145A49A mov eax, dword ptr fs:[00000030h] 3_2_0145A49A
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_0142A4B0 mov eax, dword ptr fs:[00000030h] 3_2_0142A4B0
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_013D273C mov eax, dword ptr fs:[00000030h] 3_2_013D273C
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_013D273C mov ecx, dword ptr fs:[00000030h] 3_2_013D273C
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_013D273C mov eax, dword ptr fs:[00000030h] 3_2_013D273C
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_01424755 mov eax, dword ptr fs:[00000030h] 3_2_01424755
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_013DC720 mov eax, dword ptr fs:[00000030h] 3_2_013DC720
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_013DC720 mov eax, dword ptr fs:[00000030h] 3_2_013DC720
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_0142E75D mov eax, dword ptr fs:[00000030h] 3_2_0142E75D
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_013A0710 mov eax, dword ptr fs:[00000030h] 3_2_013A0710
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_013D0710 mov eax, dword ptr fs:[00000030h] 3_2_013D0710
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_013DC700 mov eax, dword ptr fs:[00000030h] 3_2_013DC700
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_013A8770 mov eax, dword ptr fs:[00000030h] 3_2_013A8770
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_013B0770 mov eax, dword ptr fs:[00000030h] 3_2_013B0770
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_013B0770 mov eax, dword ptr fs:[00000030h] 3_2_013B0770
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_013B0770 mov eax, dword ptr fs:[00000030h] 3_2_013B0770
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_013B0770 mov eax, dword ptr fs:[00000030h] 3_2_013B0770
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_013B0770 mov eax, dword ptr fs:[00000030h] 3_2_013B0770
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_013B0770 mov eax, dword ptr fs:[00000030h] 3_2_013B0770
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_013B0770 mov eax, dword ptr fs:[00000030h] 3_2_013B0770
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_013B0770 mov eax, dword ptr fs:[00000030h] 3_2_013B0770
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_013B0770 mov eax, dword ptr fs:[00000030h] 3_2_013B0770
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_013B0770 mov eax, dword ptr fs:[00000030h] 3_2_013B0770
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_013B0770 mov eax, dword ptr fs:[00000030h] 3_2_013B0770
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_013B0770 mov eax, dword ptr fs:[00000030h] 3_2_013B0770
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_013A0750 mov eax, dword ptr fs:[00000030h] 3_2_013A0750
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_013E2750 mov eax, dword ptr fs:[00000030h] 3_2_013E2750
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_013E2750 mov eax, dword ptr fs:[00000030h] 3_2_013E2750
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_013D674D mov esi, dword ptr fs:[00000030h] 3_2_013D674D
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_013D674D mov eax, dword ptr fs:[00000030h] 3_2_013D674D
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_013D674D mov eax, dword ptr fs:[00000030h] 3_2_013D674D
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_0141C730 mov eax, dword ptr fs:[00000030h] 3_2_0141C730
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_014207C3 mov eax, dword ptr fs:[00000030h] 3_2_014207C3
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_013A07AF mov eax, dword ptr fs:[00000030h] 3_2_013A07AF
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_0142E7E1 mov eax, dword ptr fs:[00000030h] 3_2_0142E7E1
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_013A47FB mov eax, dword ptr fs:[00000030h] 3_2_013A47FB
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_013A47FB mov eax, dword ptr fs:[00000030h] 3_2_013A47FB
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_0144678E mov eax, dword ptr fs:[00000030h] 3_2_0144678E
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_013C27ED mov eax, dword ptr fs:[00000030h] 3_2_013C27ED
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_013C27ED mov eax, dword ptr fs:[00000030h] 3_2_013C27ED
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_013C27ED mov eax, dword ptr fs:[00000030h] 3_2_013C27ED
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_014547A0 mov eax, dword ptr fs:[00000030h] 3_2_014547A0
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_013AC7C0 mov eax, dword ptr fs:[00000030h] 3_2_013AC7C0
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_013A262C mov eax, dword ptr fs:[00000030h] 3_2_013A262C
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_013BE627 mov eax, dword ptr fs:[00000030h] 3_2_013BE627
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_013D6620 mov eax, dword ptr fs:[00000030h] 3_2_013D6620
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_013D8620 mov eax, dword ptr fs:[00000030h] 3_2_013D8620
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_013E2619 mov eax, dword ptr fs:[00000030h] 3_2_013E2619
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_0146866E mov eax, dword ptr fs:[00000030h] 3_2_0146866E
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_0146866E mov eax, dword ptr fs:[00000030h] 3_2_0146866E
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_013B260B mov eax, dword ptr fs:[00000030h] 3_2_013B260B
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_013B260B mov eax, dword ptr fs:[00000030h] 3_2_013B260B
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_013B260B mov eax, dword ptr fs:[00000030h] 3_2_013B260B
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_013B260B mov eax, dword ptr fs:[00000030h] 3_2_013B260B
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_013B260B mov eax, dword ptr fs:[00000030h] 3_2_013B260B
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_013B260B mov eax, dword ptr fs:[00000030h] 3_2_013B260B
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_013B260B mov eax, dword ptr fs:[00000030h] 3_2_013B260B
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_0141E609 mov eax, dword ptr fs:[00000030h] 3_2_0141E609
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_013D2674 mov eax, dword ptr fs:[00000030h] 3_2_013D2674
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_013DA660 mov eax, dword ptr fs:[00000030h] 3_2_013DA660
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_013DA660 mov eax, dword ptr fs:[00000030h] 3_2_013DA660
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_013BC640 mov eax, dword ptr fs:[00000030h] 3_2_013BC640
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_013D66B0 mov eax, dword ptr fs:[00000030h] 3_2_013D66B0
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_013DC6A6 mov eax, dword ptr fs:[00000030h] 3_2_013DC6A6
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_013A4690 mov eax, dword ptr fs:[00000030h] 3_2_013A4690
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_013A4690 mov eax, dword ptr fs:[00000030h] 3_2_013A4690
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_0141E6F2 mov eax, dword ptr fs:[00000030h] 3_2_0141E6F2
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_0141E6F2 mov eax, dword ptr fs:[00000030h] 3_2_0141E6F2
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_0141E6F2 mov eax, dword ptr fs:[00000030h] 3_2_0141E6F2
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_0141E6F2 mov eax, dword ptr fs:[00000030h] 3_2_0141E6F2
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_014206F1 mov eax, dword ptr fs:[00000030h] 3_2_014206F1
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_014206F1 mov eax, dword ptr fs:[00000030h] 3_2_014206F1
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_013DA6C7 mov ebx, dword ptr fs:[00000030h] 3_2_013DA6C7
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_013DA6C7 mov eax, dword ptr fs:[00000030h] 3_2_013DA6C7
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_01420946 mov eax, dword ptr fs:[00000030h] 3_2_01420946
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_01474940 mov eax, dword ptr fs:[00000030h] 3_2_01474940
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_01398918 mov eax, dword ptr fs:[00000030h] 3_2_01398918
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_01398918 mov eax, dword ptr fs:[00000030h] 3_2_01398918
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_01444978 mov eax, dword ptr fs:[00000030h] 3_2_01444978
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_01444978 mov eax, dword ptr fs:[00000030h] 3_2_01444978
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_0142C97C mov eax, dword ptr fs:[00000030h] 3_2_0142C97C
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_0141E908 mov eax, dword ptr fs:[00000030h] 3_2_0141E908
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_0141E908 mov eax, dword ptr fs:[00000030h] 3_2_0141E908
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_013E096E mov eax, dword ptr fs:[00000030h] 3_2_013E096E
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_013E096E mov edx, dword ptr fs:[00000030h] 3_2_013E096E
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_013E096E mov eax, dword ptr fs:[00000030h] 3_2_013E096E
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_0142C912 mov eax, dword ptr fs:[00000030h] 3_2_0142C912
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_013C6962 mov eax, dword ptr fs:[00000030h] 3_2_013C6962
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_013C6962 mov eax, dword ptr fs:[00000030h] 3_2_013C6962
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_013C6962 mov eax, dword ptr fs:[00000030h] 3_2_013C6962
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_0142892A mov eax, dword ptr fs:[00000030h] 3_2_0142892A
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_0143892B mov eax, dword ptr fs:[00000030h] 3_2_0143892B
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_014369C0 mov eax, dword ptr fs:[00000030h] 3_2_014369C0
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_0146A9D3 mov eax, dword ptr fs:[00000030h] 3_2_0146A9D3
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_013A09AD mov eax, dword ptr fs:[00000030h] 3_2_013A09AD
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_013A09AD mov eax, dword ptr fs:[00000030h] 3_2_013A09AD
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_013B29A0 mov eax, dword ptr fs:[00000030h] 3_2_013B29A0
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_013B29A0 mov eax, dword ptr fs:[00000030h] 3_2_013B29A0
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_013B29A0 mov eax, dword ptr fs:[00000030h] 3_2_013B29A0
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_013B29A0 mov eax, dword ptr fs:[00000030h] 3_2_013B29A0
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_013B29A0 mov eax, dword ptr fs:[00000030h] 3_2_013B29A0
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_013B29A0 mov eax, dword ptr fs:[00000030h] 3_2_013B29A0
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_013B29A0 mov eax, dword ptr fs:[00000030h] 3_2_013B29A0
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_013B29A0 mov eax, dword ptr fs:[00000030h] 3_2_013B29A0
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_013B29A0 mov eax, dword ptr fs:[00000030h] 3_2_013B29A0
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_013B29A0 mov eax, dword ptr fs:[00000030h] 3_2_013B29A0
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_013B29A0 mov eax, dword ptr fs:[00000030h] 3_2_013B29A0
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_013B29A0 mov eax, dword ptr fs:[00000030h] 3_2_013B29A0
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_013B29A0 mov eax, dword ptr fs:[00000030h] 3_2_013B29A0
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_0142E9E0 mov eax, dword ptr fs:[00000030h] 3_2_0142E9E0
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_013D29F9 mov eax, dword ptr fs:[00000030h] 3_2_013D29F9
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_013D29F9 mov eax, dword ptr fs:[00000030h] 3_2_013D29F9
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_013AA9D0 mov eax, dword ptr fs:[00000030h] 3_2_013AA9D0
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_013AA9D0 mov eax, dword ptr fs:[00000030h] 3_2_013AA9D0
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_013AA9D0 mov eax, dword ptr fs:[00000030h] 3_2_013AA9D0
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_013AA9D0 mov eax, dword ptr fs:[00000030h] 3_2_013AA9D0
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_013AA9D0 mov eax, dword ptr fs:[00000030h] 3_2_013AA9D0
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_013AA9D0 mov eax, dword ptr fs:[00000030h] 3_2_013AA9D0
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_013D49D0 mov eax, dword ptr fs:[00000030h] 3_2_013D49D0
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_014289B3 mov esi, dword ptr fs:[00000030h] 3_2_014289B3
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_014289B3 mov eax, dword ptr fs:[00000030h] 3_2_014289B3
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_014289B3 mov eax, dword ptr fs:[00000030h] 3_2_014289B3
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_013C2835 mov eax, dword ptr fs:[00000030h] 3_2_013C2835
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_013C2835 mov eax, dword ptr fs:[00000030h] 3_2_013C2835
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_013C2835 mov eax, dword ptr fs:[00000030h] 3_2_013C2835
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_013C2835 mov ecx, dword ptr fs:[00000030h] 3_2_013C2835
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_013C2835 mov eax, dword ptr fs:[00000030h] 3_2_013C2835
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_013C2835 mov eax, dword ptr fs:[00000030h] 3_2_013C2835
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_013DA830 mov eax, dword ptr fs:[00000030h] 3_2_013DA830
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_0142E872 mov eax, dword ptr fs:[00000030h] 3_2_0142E872
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_0142E872 mov eax, dword ptr fs:[00000030h] 3_2_0142E872
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_01436870 mov eax, dword ptr fs:[00000030h] 3_2_01436870
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_01436870 mov eax, dword ptr fs:[00000030h] 3_2_01436870
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_0142C810 mov eax, dword ptr fs:[00000030h] 3_2_0142C810
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_013A4859 mov eax, dword ptr fs:[00000030h] 3_2_013A4859
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_013A4859 mov eax, dword ptr fs:[00000030h] 3_2_013A4859
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_013D0854 mov eax, dword ptr fs:[00000030h] 3_2_013D0854
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_013B2840 mov ecx, dword ptr fs:[00000030h] 3_2_013B2840
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_0144483A mov eax, dword ptr fs:[00000030h] 3_2_0144483A
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_0144483A mov eax, dword ptr fs:[00000030h] 3_2_0144483A
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_014708C0 mov eax, dword ptr fs:[00000030h] 3_2_014708C0
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_0146A8E4 mov eax, dword ptr fs:[00000030h] 3_2_0146A8E4
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_013A0887 mov eax, dword ptr fs:[00000030h] 3_2_013A0887
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_013DC8F9 mov eax, dword ptr fs:[00000030h] 3_2_013DC8F9
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_013DC8F9 mov eax, dword ptr fs:[00000030h] 3_2_013DC8F9
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_0142C89D mov eax, dword ptr fs:[00000030h] 3_2_0142C89D
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_013CE8C0 mov eax, dword ptr fs:[00000030h] 3_2_013CE8C0
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_01436B40 mov eax, dword ptr fs:[00000030h] 3_2_01436B40
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_01436B40 mov eax, dword ptr fs:[00000030h] 3_2_01436B40
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_0146AB40 mov eax, dword ptr fs:[00000030h] 3_2_0146AB40
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_01448B42 mov eax, dword ptr fs:[00000030h] 3_2_01448B42
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_01454B4B mov eax, dword ptr fs:[00000030h] 3_2_01454B4B
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_01454B4B mov eax, dword ptr fs:[00000030h] 3_2_01454B4B
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_01472B57 mov eax, dword ptr fs:[00000030h] 3_2_01472B57
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_01472B57 mov eax, dword ptr fs:[00000030h] 3_2_01472B57
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_01472B57 mov eax, dword ptr fs:[00000030h] 3_2_01472B57
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_01472B57 mov eax, dword ptr fs:[00000030h] 3_2_01472B57
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_0144EB50 mov eax, dword ptr fs:[00000030h] 3_2_0144EB50
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_013CEB20 mov eax, dword ptr fs:[00000030h] 3_2_013CEB20
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_013CEB20 mov eax, dword ptr fs:[00000030h] 3_2_013CEB20
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_0139CB7E mov eax, dword ptr fs:[00000030h] 3_2_0139CB7E
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_01474B00 mov eax, dword ptr fs:[00000030h] 3_2_01474B00
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_0141EB1D mov eax, dword ptr fs:[00000030h] 3_2_0141EB1D
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_0141EB1D mov eax, dword ptr fs:[00000030h] 3_2_0141EB1D
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_0141EB1D mov eax, dword ptr fs:[00000030h] 3_2_0141EB1D
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_0141EB1D mov eax, dword ptr fs:[00000030h] 3_2_0141EB1D
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_0141EB1D mov eax, dword ptr fs:[00000030h] 3_2_0141EB1D
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_0141EB1D mov eax, dword ptr fs:[00000030h] 3_2_0141EB1D
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_0141EB1D mov eax, dword ptr fs:[00000030h] 3_2_0141EB1D
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_0141EB1D mov eax, dword ptr fs:[00000030h] 3_2_0141EB1D
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_0141EB1D mov eax, dword ptr fs:[00000030h] 3_2_0141EB1D
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_01398B50 mov eax, dword ptr fs:[00000030h] 3_2_01398B50
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_01468B28 mov eax, dword ptr fs:[00000030h] 3_2_01468B28
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_01468B28 mov eax, dword ptr fs:[00000030h] 3_2_01468B28
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_013B0BBE mov eax, dword ptr fs:[00000030h] 3_2_013B0BBE
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_013B0BBE mov eax, dword ptr fs:[00000030h] 3_2_013B0BBE
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_0144EBD0 mov eax, dword ptr fs:[00000030h] 3_2_0144EBD0
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_0142CBF0 mov eax, dword ptr fs:[00000030h] 3_2_0142CBF0
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_013CEBFC mov eax, dword ptr fs:[00000030h] 3_2_013CEBFC
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_013A8BF0 mov eax, dword ptr fs:[00000030h] 3_2_013A8BF0
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_013A8BF0 mov eax, dword ptr fs:[00000030h] 3_2_013A8BF0
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_013A8BF0 mov eax, dword ptr fs:[00000030h] 3_2_013A8BF0
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_01454BB0 mov eax, dword ptr fs:[00000030h] 3_2_01454BB0
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_01454BB0 mov eax, dword ptr fs:[00000030h] 3_2_01454BB0
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_013C0BCB mov eax, dword ptr fs:[00000030h] 3_2_013C0BCB
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_013C0BCB mov eax, dword ptr fs:[00000030h] 3_2_013C0BCB
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_013C0BCB mov eax, dword ptr fs:[00000030h] 3_2_013C0BCB
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_013A0BCD mov eax, dword ptr fs:[00000030h] 3_2_013A0BCD
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_013A0BCD mov eax, dword ptr fs:[00000030h] 3_2_013A0BCD
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_013A0BCD mov eax, dword ptr fs:[00000030h] 3_2_013A0BCD
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_013DCA38 mov eax, dword ptr fs:[00000030h] 3_2_013DCA38
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_013C4A35 mov eax, dword ptr fs:[00000030h] 3_2_013C4A35
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_013C4A35 mov eax, dword ptr fs:[00000030h] 3_2_013C4A35
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_013CEA2E mov eax, dword ptr fs:[00000030h] 3_2_013CEA2E
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_013DCA24 mov eax, dword ptr fs:[00000030h] 3_2_013DCA24
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_0144EA60 mov eax, dword ptr fs:[00000030h] 3_2_0144EA60
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_0141CA72 mov eax, dword ptr fs:[00000030h] 3_2_0141CA72
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_0141CA72 mov eax, dword ptr fs:[00000030h] 3_2_0141CA72
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_013DCA6F mov eax, dword ptr fs:[00000030h] 3_2_013DCA6F
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_013DCA6F mov eax, dword ptr fs:[00000030h] 3_2_013DCA6F
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_013DCA6F mov eax, dword ptr fs:[00000030h] 3_2_013DCA6F
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_0142CA11 mov eax, dword ptr fs:[00000030h] 3_2_0142CA11
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_013B0A5B mov eax, dword ptr fs:[00000030h] 3_2_013B0A5B
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_013B0A5B mov eax, dword ptr fs:[00000030h] 3_2_013B0A5B
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_013A6A50 mov eax, dword ptr fs:[00000030h] 3_2_013A6A50
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_013A6A50 mov eax, dword ptr fs:[00000030h] 3_2_013A6A50
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_013A6A50 mov eax, dword ptr fs:[00000030h] 3_2_013A6A50
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_013A6A50 mov eax, dword ptr fs:[00000030h] 3_2_013A6A50
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_013A6A50 mov eax, dword ptr fs:[00000030h] 3_2_013A6A50
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_013A6A50 mov eax, dword ptr fs:[00000030h] 3_2_013A6A50
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_013A6A50 mov eax, dword ptr fs:[00000030h] 3_2_013A6A50
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_013A8AA0 mov eax, dword ptr fs:[00000030h] 3_2_013A8AA0
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_013A8AA0 mov eax, dword ptr fs:[00000030h] 3_2_013A8AA0
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_013F6AA4 mov eax, dword ptr fs:[00000030h] 3_2_013F6AA4
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_013D8A90 mov edx, dword ptr fs:[00000030h] 3_2_013D8A90
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_013AEA80 mov eax, dword ptr fs:[00000030h] 3_2_013AEA80
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_013AEA80 mov eax, dword ptr fs:[00000030h] 3_2_013AEA80
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_013AEA80 mov eax, dword ptr fs:[00000030h] 3_2_013AEA80
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_013AEA80 mov eax, dword ptr fs:[00000030h] 3_2_013AEA80
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_013AEA80 mov eax, dword ptr fs:[00000030h] 3_2_013AEA80
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_013AEA80 mov eax, dword ptr fs:[00000030h] 3_2_013AEA80
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_013AEA80 mov eax, dword ptr fs:[00000030h] 3_2_013AEA80
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_013AEA80 mov eax, dword ptr fs:[00000030h] 3_2_013AEA80
Source: C:\Users\user\Desktop\Confirm!!.exe Code function: 3_2_013AEA80 mov eax, dword ptr fs:[00000030h] 3_2_013AEA80
Source: C:\Users\user\Desktop\Confirm!!.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\Confirm!!.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\systray.exe Code function: 6_2_00A31B93 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 6_2_00A31B93
Source: C:\Users\user\Desktop\Confirm!!.exe Memory allocated: page read and write | page guard
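The long run of `mov eax, dword ptr fs:[00000030h]` hits above is the report flagging reads of the PEB pointer: in a 32-bit process the TEB lives at fs:[0] and offset 0x30 holds TEB->ProcessEnvironmentBlock (a 64-bit process reads gs:[60h] instead). The read by itself is not an anti-debug indicator; unpacker stubs and shellcode read the PEB just to walk PEB->Ldr for import resolution. What distinguishes a debugger check is the field dereferenced next: BeingDebugged at PEB+0x02 or NtGlobalFlag at PEB+0x68. The scanner below is an added example, not part of the Joe Sandbox report or of the sample; it finds both encodings of the flagged instruction in a code buffer and classifies the follow-up access with a small heuristic (a few opcode forms, not a real disassembler). The byte string it runs on is hand-assembled for the demo, not taken from the sample; the PEB offsets are the public 32-bit ones.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# 32-bit PEB field offsets touched by the classic checks (public, stable
# offsets from winternl.h / ntdll symbols; not taken from the report).
PEB_FIELDS = {
    0x02: "BeingDebugged",
    0x0C: "Ldr",
    0x10: "ProcessParameters",
    0x18: "ProcessHeap",
    0x68: "NtGlobalFlag",
}
REG32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]

# `mov r32, dword ptr fs:[30h]` has two encodings:
#   64 A1 30 00 00 00        MOV EAX, moffs32 (EAX only)
#   64 8B /r 30 00 00 00     MOV r32, r/m32, modrm = 00 reg 101 (disp32, no base)
PEB_READ = re.compile(
    rb"\x64(?:\xA1|\x8B[\x05\x0D\x15\x1D\x25\x2D\x35\x3D])\x30\x00\x00\x00"
)


@dataclass
class PebRead:
    offset: int         # offset of the FS prefix in the buffer
    register: str       # register that receives the PEB pointer
    use: Optional[str]  # PEB field dereferenced shortly afterwards, if recognised


def _modrm(b: int):
    return b >> 6, (b >> 3) & 7, b & 7


def classify_use(code: bytes, pos: int, reg: int, window: int = 16) -> Optional[str]:
    """Heuristic, not a disassembler: look a few bytes past the PEB read for a
    [reg+disp8] operand and name the PEB field it touches.  Covers the opcode
    forms the classic checks use: 0F B6 (movzx r32, byte), 8B (mov r32, dword),
    80 /7 (cmp byte, imm8) and F6 /0 (test byte, imm8)."""
    end = min(len(code), pos + window)
    i = pos
    while i + 2 < end:
        if code[i] == 0x0F and i + 3 < end and code[i + 1] == 0xB6:
            mod, _, rm = _modrm(code[i + 2])
            disp_at = i + 3
        elif code[i] in (0x8B, 0x80, 0xF6):
            mod, _, rm = _modrm(code[i + 1])
            disp_at = i + 2
        else:
            i += 1
            continue
        if mod == 1 and rm == reg and disp_at < end:
            disp = code[disp_at]
            return PEB_FIELDS.get(disp, f"PEB+0x{disp:02X}")
        i += 1
    return None


def scan_peb_reads(code: bytes) -> List[PebRead]:
    """Every `mov r32, fs:[30h]` in the buffer, with the register and its likely use."""
    hits = []
    for m in PEB_READ.finditer(code):
        if code[m.start() + 1] == 0xA1:
            reg = 0                                  # A1 form always targets EAX
        else:
            reg = _modrm(code[m.start() + 2])[1]     # reg field of the modrm byte
        hits.append(PebRead(m.start(), REG32[reg], classify_use(code, m.end(), reg)))
    return hits


def anti_debug_fields(hits: List[PebRead]) -> List[str]:
    """The two fields whose read almost always means a debugger check."""
    return [h.use for h in hits if h.use in ("BeingDebugged", "NtGlobalFlag")]


# Constructed 32-bit code for the demo (hand-assembled, not bytes from the sample).
SAMPLE = bytes.fromhex(
    "55 8B EC"               # push ebp; mov ebp, esp
    "64 A1 30 00 00 00"      # mov eax, dword ptr fs:[30h]    ; eax = PEB
    "0F B6 40 02"            # movzx eax, byte ptr [eax+2]    ; PEB->BeingDebugged
    "85 C0"                  # test eax, eax
    "75 10"                  # jnz  debugger_detected
    "64 8B 0D 30 00 00 00"   # mov ecx, dword ptr fs:[30h]    ; ecx = PEB
    "8B 41 68"               # mov eax, dword ptr [ecx+68h]   ; PEB->NtGlobalFlag
    "A9 70 00 00 00"         # test eax, 70h                  ; heap-check flags a debugger sets
    "64 8B 15 30 00 00 00"   # mov edx, dword ptr fs:[30h]    ; edx = PEB
    "8B 42 0C"               # mov eax, dword ptr [edx+0Ch]   ; PEB->Ldr (module walk, looks benign)
    "C3"                     # ret
)

if __name__ == "__main__":
    for h in scan_peb_reads(SAMPLE):
        print(f"+0x{h.offset:04X}  mov {h.register}, fs:[30h]  ->  {h.use}")
    print("anti-debug fields:", anti_debug_fields(scan_peb_reads(SAMPLE)))
```

Run it over the unpacked memory dumps listed in this report (the `.unpack` files) rather than the original .NET loader: the anti-VM and anti-debug code lives in the injected native payload, and the many hits inside one function (for example 3_2_0141EB1D above) mostly resolve to Ldr walks, with a handful of BeingDebugged and NtGlobalFlag reads mixed in.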

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\explorer.exe Network Connect: 202.124.241.178 80
Source: C:\Windows\explorer.exe Network Connect: 192.227.130.26 80
Source: C:\Users\user\Desktop\Confirm!!.exe Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\Desktop\Confirm!!.exe Section loaded: NULL target: C:\Windows\SysWOW64\systray.exe protection: execute and read and write
Source: C:\Users\user\Desktop\Confirm!!.exe Section loaded: NULL target: C:\Windows\SysWOW64\systray.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\systray.exe Section loaded: NULL target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\systray.exe Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\Desktop\Confirm!!.exe Thread register set: target process: 4004
Source: C:\Windows\SysWOW64\systray.exe Thread register set: target process: 4004
Source: C:\Users\user\Desktop\Confirm!!.exe Thread APC queued: target process: C:\Windows\explorer.exe
Source: C:\Users\user\Desktop\Confirm!!.exe Section unmapped: C:\Windows\SysWOW64\systray.exe base address: A30000
Source: C:\Users\user\Desktop\Confirm!!.exe Process created: C:\Users\user\Desktop\Confirm!!.exe "C:\Users\user\Desktop\Confirm!!.exe"
Source: C:\Users\user\Desktop\Confirm!!.exe Process created: C:\Users\user\Desktop\Confirm!!.exe "C:\Users\user\Desktop\Confirm!!.exe"
Source: C:\Windows\SysWOW64\systray.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\Confirm!!.exe"
Source: explorer.exe, 00000004.00000000.2056689905.00000000013A1000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000002.3328739349.00000000013A0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: IProgram Manager
Source: explorer.exe, 00000004.00000000.2075883369.00000000048E0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2056689905.00000000013A1000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000002.3328739349.00000000013A0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000004.00000000.2056689905.00000000013A1000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000002.3328739349.00000000013A0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progman
Source: explorer.exe, 00000004.00000000.2056128063.0000000000D69000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.3328195467.0000000000D60000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: +Progman
Source: explorer.exe, 00000004.00000000.2056689905.00000000013A1000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000002.3328739349.00000000013A0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progmanlock
Source: explorer.exe, 00000004.00000002.3333056902.00000000098AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2078111722.00000000098AD000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Shell_TrayWnd31A
Source: C:\Users\user\Desktop\Confirm!!.exe Queries volume information: C:\Users\user\Desktop\Confirm!!.exe VolumeInformation
Source: C:\Users\user\Desktop\Confirm!!.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\Confirm!!.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\Confirm!!.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\Confirm!!.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\SysWOW64\systray.exe Code function: 6_2_00A31A45 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter, 6_2_00A31A45
Source: C:\Users\user\Desktop\Confirm!!.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
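The section above records the FormBook injection chain as the sandbox sees it: RWX sections mapped into explorer.exe and into a SysWOW64 utility (systray.exe), a thread context rewritten and an APC queued in the target, the systray.exe image unmapped at its base (hollowing), explorer.exe then talking to 202.124.241.178:80 and 192.227.130.26:80, and finally systray.exe spawning `cmd.exe /c del` on the original file. On a production endpoint the same chain shows up in Sysmon as ProcessAccess (EID 10), NetworkConnect (EID 3) and ProcessCreate (EID 1) events. The detector below is an added example, not part of the report or of any vendor tooling; it correlates those three event types over a constructed event list that mimics the reported behaviour. Sysmon field names are real; the PIDs, the GrantedAccess values and the benign noise events are assumptions made up for the demo.

```python
import ipaddress
import re
from typing import Dict, List, Tuple

# Subset of PROCESS_* access rights (winnt.h).  Sysmon logs GrantedAccess as hex text.
PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_WRITE = 0x0020
# A handle with all three can write code into the target and start it running.
INJECT_MASK = PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE

# System processes that a user-land binary should never open with inject-capable rights.
PROTECTED_HOSTS = {r"c:\windows\explorer.exe"}
# `cmd.exe /c del "<path>"`, with or without quotes around the path.
DEL_RE = re.compile(r'/c\s+del\s+"?([^"]+?)"?\s*$', re.IGNORECASE)

Event = Dict[str, object]
Alert = Tuple[str, str, str]   # (rule, actor image, detail)


def _norm(path: object) -> str:
    return str(path).lower()


def detect(events: List[Event]) -> List[Alert]:
    """Single pass over Sysmon-shaped events from one host, in time order."""
    alerts: List[Alert] = []
    known_images: Dict[int, str] = {}   # pid -> image path, from EID 1
    injected: set = set()               # protected images that received inject-capable access

    for ev in events:
        eid = ev["EventID"]
        if eid == 1:  # ProcessCreate
            image = _norm(ev["Image"])
            known_images[int(ev["ProcessId"])] = image
            m = DEL_RE.search(str(ev["CommandLine"]))
            # cmd.exe deleting the image of a process that already ran: self-deletion.
            if image.endswith(r"\cmd.exe") and m and _norm(m.group(1)) in known_images.values():
                alerts.append(("self_delete", str(ev["ParentImage"]), m.group(1)))
        elif eid == 10:  # ProcessAccess
            src, tgt = _norm(ev["SourceImage"]), _norm(ev["TargetImage"])
            granted = int(str(ev["GrantedAccess"]), 16)
            if tgt in PROTECTED_HOSTS and src != tgt and (granted & INJECT_MASK) == INJECT_MASK:
                injected.add(tgt)
                alerts.append(("injection_access", str(ev["SourceImage"]), str(ev["TargetImage"])))
        elif eid == 3:  # NetworkConnect
            image = _norm(ev["Image"])
            dst = ipaddress.ip_address(str(ev["DestinationIp"]))
            # Only an explorer.exe that was previously opened for injection counts:
            # the shell does make legitimate outbound connections on its own.
            if image in injected and ev.get("Initiated", "true") == "true" and dst.is_global:
                alerts.append(("injected_shell_c2", str(ev["Image"]),
                               f'{ev["DestinationIp"]}:{ev["DestinationPort"]}'))
    return alerts


# Constructed events modelled on the process tree in this report.  PIDs and
# GrantedAccess values are invented; the C2 addresses are the ones explorer.exe
# contacted in the sandbox.
SAMPLE_EVENTS: List[Event] = [
    {"EventID": 1, "ProcessId": 6100, "Image": r"C:\Users\user\Desktop\Confirm!!.exe",
     "CommandLine": r'"C:\Users\user\Desktop\Confirm!!.exe"', "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 1, "ProcessId": 6188, "Image": r"C:\Users\user\Desktop\Confirm!!.exe",
     "CommandLine": r'"C:\Users\user\Desktop\Confirm!!.exe"', "ParentImage": r"C:\Users\user\Desktop\Confirm!!.exe"},
    {"EventID": 10, "SourceImage": r"C:\Users\user\Desktop\Confirm!!.exe",
     "TargetImage": r"C:\Windows\explorer.exe", "GrantedAccess": "0x1FFFFF"},
    {"EventID": 1, "ProcessId": 6400, "Image": r"C:\Windows\SysWOW64\systray.exe",
     "CommandLine": r"C:\Windows\SysWOW64\systray.exe", "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 3, "Image": r"C:\Windows\explorer.exe", "DestinationIp": "202.124.241.178",
     "DestinationPort": 80, "Initiated": "true"},
    {"EventID": 1, "ProcessId": 6520, "Image": r"C:\Windows\SysWOW64\cmd.exe",
     "CommandLine": r'C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\Confirm!!.exe"',
     "ParentImage": r"C:\Windows\SysWOW64\systray.exe"},
    # Benign noise: Task Manager opens explorer.exe read-only (0x1410), a browser connects out.
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\Taskmgr.exe",
     "TargetImage": r"C:\Windows\explorer.exe", "GrantedAccess": "0x1410"},
    {"EventID": 3, "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe", "DestinationIp": "192.227.130.26",
     "DestinationPort": 80, "Initiated": "true"},
]

if __name__ == "__main__":
    for rule, actor, detail in detect(SAMPLE_EVENTS):
        print(f"{rule:<20} {actor}  ->  {detail}")
```

Two caveats for anyone turning this into a real rule. The APC queueing and thread-context rewrite the report lists are not Sysmon events; what Sysmon sees is the handle opened beforehand, so the rule keys on the access mask and ignores read-only opens of explorer.exe, which are constant from accessibility tools and task managers. And the outbound-connection rule is deliberately gated on a prior injection hit: explorer.exe connecting to port 80 on its own is not evidence of anything.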

Stealing of Sensitive Information

Source: Yara match File source: 3.2.Confirm!!.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.Confirm!!.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000006.00000002.3328088031.0000000000980000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.3328245937.0000000002BB0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.2124860833.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.3328311975.0000000002F90000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2053686766.0000000003B6E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0.2.Confirm!!.exe.29e67c4.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Confirm!!.exe.29f743c.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Confirm!!.exe.52c0000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Confirm!!.exe.52c0000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Confirm!!.exe.29f743c.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Confirm!!.exe.29b35a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Confirm!!.exe.29e67c4.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Confirm!!.exe.2c3b550.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Confirm!!.exe.2c39538.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Confirm!!.exe.2c38520.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.2056798364.00000000052C0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2053213623.0000000002991000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2053213623.0000000002BFE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Source: Yara match File source: 3.2.Confirm!!.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.Confirm!!.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000006.00000002.3328088031.0000000000980000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.3328245937.0000000002BB0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.2124860833.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.3328311975.0000000002F90000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2053686766.0000000003B6E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0.2.Confirm!!.exe.29e67c4.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Confirm!!.exe.29f743c.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Confirm!!.exe.52c0000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Confirm!!.exe.52c0000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Confirm!!.exe.29f743c.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Confirm!!.exe.29b35a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Confirm!!.exe.29e67c4.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Confirm!!.exe.2c3b550.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Confirm!!.exe.2c39538.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Confirm!!.exe.2c38520.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.2056798364.00000000052C0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2053213623.0000000002991000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2053213623.0000000002BFE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY