Windows Analysis Report
Doc 1Z881A080453968203.exe

Overview

General Information

Sample name: Doc 1Z881A080453968203.exe
Analysis ID: 1436308
MD5: 51812b068c74b61db320570d6d13ee07
SHA1: b7ab99a410a35b08a97edab12cc460863fd9d300
SHA256: 62ce98f7fcd773efa3deac85904b54c17b456af92b6e778c2adfc998bd07f5c3
Tags: exe
Infos:

Detection

FormBook, PureLog Stealer
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Yara detected AntiVM3
Yara detected FormBook
Yara detected PureLog Stealer
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Found direct / indirect Syscall (likely to bypass EDR)
Loading BitLocker PowerShell Module
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

AV Detection
barindex
Antivirus / Scanner detection for submitted sample
Source: Doc 1Z881A080453968203.exe Avira: detected
Antivirus detection for URL or domain
Source: http://www.coppercookwarekitchen.com Avira URL Cloud: Label: malware
Source: http://www.coppercookwarekitchen.com/gtit/ Avira URL Cloud: Label: malware
Multi AV Scanner detection for submitted file
Source: Doc 1Z881A080453968203.exe ReversingLabs: Detection: 63%
Source: Doc 1Z881A080453968203.exe Virustotal: Detection: 65% Perma Link
Yara detected FormBook
Source: Yara match File source: 7.2.Doc 1Z881A080453968203.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.Doc 1Z881A080453968203.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000F.00000002.2600975698.0000000000F10000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2038647178.0000000001A80000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2037292581.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.2601515677.00000000033E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.2601810779.0000000004CA0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.2599613488.0000000002F00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2038799247.00000000025F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.2601294723.0000000002DC0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Machine Learning detection for sample
Source: Doc 1Z881A080453968203.exe Joe Sandbox ML: detected
Uses 32bit PE files
Source: Doc 1Z881A080453968203.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: Doc 1Z881A080453968203.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: cttune.pdb source: Doc 1Z881A080453968203.exe, 00000007.00000002.2037453632.0000000001138000.00000004.00000020.00020000.00000000.sdmp, ShWVPkMdEfalHck.exe, 0000000D.00000002.2600415684.000000000077E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: cttune.pdbGCTL source: Doc 1Z881A080453968203.exe, 00000007.00000002.2037453632.0000000001138000.00000004.00000020.00020000.00000000.sdmp, ShWVPkMdEfalHck.exe, 0000000D.00000002.2600415684.000000000077E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: ShWVPkMdEfalHck.exe, 0000000D.00000000.1945831392.0000000000C0E000.00000002.00000001.01000000.00000009.sdmp, ShWVPkMdEfalHck.exe, 0000000F.00000002.2599935900.0000000000C0E000.00000002.00000001.01000000.00000009.sdmp
Source: Binary string: wntdll.pdbUGP source: Doc 1Z881A080453968203.exe, 00000007.00000002.2037717484.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, cttune.exe, 0000000E.00000003.2040039193.0000000004D8E000.00000004.00000020.00020000.00000000.sdmp, cttune.exe, 0000000E.00000003.2037858373.0000000004BD7000.00000004.00000020.00020000.00000000.sdmp, cttune.exe, 0000000E.00000002.2602332777.00000000050DE000.00000040.00001000.00020000.00000000.sdmp, cttune.exe, 0000000E.00000002.2602332777.0000000004F40000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: Doc 1Z881A080453968203.exe, Doc 1Z881A080453968203.exe, 00000007.00000002.2037717484.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, cttune.exe, cttune.exe, 0000000E.00000003.2040039193.0000000004D8E000.00000004.00000020.00020000.00000000.sdmp, cttune.exe, 0000000E.00000003.2037858373.0000000004BD7000.00000004.00000020.00020000.00000000.sdmp, cttune.exe, 0000000E.00000002.2602332777.00000000050DE000.00000040.00001000.00020000.00000000.sdmp, cttune.exe, 0000000E.00000002.2602332777.0000000004F40000.00000040.00001000.00020000.00000000.sdmp
Source: C:\Windows\SysWOW64\cttune.exe Code function: 14_2_02F1B7A0 FindFirstFileW,FindNextFileW,FindClose, 14_2_02F1B7A0
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Windows\SysWOW64\cttune.exe Code function: 4x nop then xor eax, eax 14_2_02F09480
Source: C:\Windows\SysWOW64\cttune.exe Code function: 4x nop then pop edi 14_2_02F11D10

Networking
barindex
Snort IDS alert for network traffic
Source: Traffic Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.8:49709 -> 91.195.240.123:80
Source: Traffic Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.8:49710 -> 87.107.55.55:80
Source: Traffic Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.8:49711 -> 87.107.55.55:80
Source: Traffic Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.8:49713 -> 87.107.55.55:80
Source: Traffic Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.8:49714 -> 35.215.179.87:80
Source: Traffic Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.8:49715 -> 35.215.179.87:80
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 91.195.240.123 91.195.240.123
Source: Joe Sandbox View IP Address: 91.195.240.123 91.195.240.123
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: SINET-ASAccessServiceProviderIR SINET-ASAccessServiceProviderIR
Source: Joe Sandbox View ASN Name: GOOGLE-2US GOOGLE-2US
Source: Joe Sandbox View ASN Name: SEDO-ASDE SEDO-ASDE
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic HTTP traffic detected: GET /gtit/?h2hLp=lXUTv2j8Xvb&6t=7JoAjWU6fcQ7CNTtX/U31Su9rRPUkr/mRT6nto1Tw/3EsD0jLMtc/bvrMEH2PX3CJD1RySmx+2JNj33ZBcO0uuHomTTQmPBBQgDcEfgCf/hj3/XBz9l0dPBO2TTZTjDWug== HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-USHost: www.ty8yd.usConnection: closeUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36
Source: global traffic HTTP traffic detected: GET /gtit/?6t=MgfHm/AWJcZtJWhW2C0E/J+QQ7KNY47B4fJU/YR8UcoonAYwvhq6NXdlvEESKTg86057McGoCNEDbpDsB8WVIewJXmm9gpc24T96Iv1w6gUl0XtnH9Aw4uL+4GJqM1s/fA==&h2hLp=lXUTv2j8Xvb HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-USHost: www.tehranrizcomputer.comConnection: closeUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36
Source: global traffic DNS traffic detected: DNS query: www.ty8yd.us
Source: global traffic DNS traffic detected: DNS query: www.tehranrizcomputer.com
Source: global traffic DNS traffic detected: DNS query: www.coppercookwarekitchen.com
Source: unknown HTTP traffic detected: POST /gtit/ HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Encoding: gzip, deflate, brAccept-Language: en-USHost: www.tehranrizcomputer.comOrigin: http://www.tehranrizcomputer.comContent-Length: 203Connection: closeCache-Control: max-age=0Content-Type: application/x-www-form-urlencodedReferer: http://www.tehranrizcomputer.com/gtit/User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36Data Raw: 36 74 3d 42 69 33 6e 6c 4b 68 72 50 71 38 73 4c 46 31 65 2f 53 6f 77 2b 59 33 74 41 4d 37 79 45 35 72 71 73 70 5a 49 70 35 31 4c 41 59 31 51 7a 31 6b 6d 6f 69 69 56 46 55 73 42 68 6b 30 56 43 51 41 6d 34 56 52 43 44 73 61 73 4e 2b 45 66 63 70 61 55 66 35 6d 68 54 2f 63 75 50 51 44 78 6d 36 45 45 2b 54 46 48 58 4e 68 53 34 6b 45 6e 73 47 4a 59 50 34 51 45 70 4e 66 79 2f 56 59 64 4c 6c 6c 77 64 56 6a 2f 62 64 30 4d 75 67 76 36 73 6e 48 69 50 30 66 59 47 66 75 37 6b 72 71 4c 52 44 62 52 6a 67 38 63 72 41 2f 52 73 53 41 44 57 62 6e 31 33 63 54 74 6f 56 56 52 63 32 62 37 6e 33 4d 33 59 47 5a 58 35 62 63 3d Data Ascii: 6t=Bi3nlKhrPq8sLF1e/Sow+Y3tAM7yE5rqspZIp51LAY1Qz1kmoiiVFUsBhk0VCQAm4VRCDsasN+EfcpaUf5mhT/cuPQDxm6EE+TFHXNhS4kEnsGJYP4QEpNfy/VYdLllwdVj/bd0Mugv6snHiP0fYGfu7krqLRDbRjg8crA/RsSADWbn13cTtoVVRc2b7n3M3YGZX5bc=
Source: global traffic HTTP traffic detected: HTTP/1.1 403 Forbiddencontent-length: 93cache-control: no-cachecontent-type: text/htmlconnection: closeData Raw: 3c 68 74 6d 6c 3e 3c 62 6f 64 79 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 52 65 71 75 65 73 74 20 66 6f 72 62 69 64 64 65 6e 20 62 79 20 61 64 6d 69 6e 69 73 74 72 61 74 69 76 65 20 72 75 6c 65 73 2e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <html><body><h1>403 Forbidden</h1>Request forbidden by administrative rules.</body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closex-litespeed-tag: 3ec_HTTP.404expires: Wed, 11 Jan 1984 05:00:00 GMTcache-control: no-cache, must-revalidate, max-age=0content-type: text/html; charset=UTF-8link: <https://tehranrizcomputer.com/wp-json/>; rel="https://api.w.org/"x-litespeed-cache-control: no-cachetransfer-encoding: chunkedcontent-encoding: brvary: Accept-Encodingdate: Sat, 04 May 2024 08:10:35 GMTData Raw: 35 65 64 63 0d 0a f4 ff 1b 66 23 ec 9e 95 da 7b a8 ca 80 39 69 f5 00 a8 ce c4 18 37 f4 c7 af 3f ff fe 2a 30 76 37 c4 3a ae e7 fb 7f b3 d4 fe d7 ac 73 bc d8 df 40 47 91 4a 2e 80 00 87 1a 28 97 12 79 48 e2 1e 1c b7 65 b7 bb db d2 e1 01 89 cb 22 24 92 60 00 b0 58 65 45 ef ff 39 59 78 b3 f7 1f a6 37 8d 9b b5 d4 d9 fd cb a6 d5 7b e7 f3 52 d9 1b ec da 96 a7 bb 91 84 60 76 ef ce 89 cb e1 47 90 19 86 20 0e e1 74 e1 af 74 d6 9f f1 e5 f4 d4 53 5e 26 35 52 4b 02 24 0f 68 e2 6e b6 bd 29 53 8d d4 80 66 94 be 24 8c bd 21 92 0e aa fb 3f 47 8d 99 a0 8f d9 10 7d 39 bf 06 b3 8f e5 e7 e9 aa 9a dd b0 dd 51 4b 1c a0 97 f0 ec 35 e8 aa f9 34 4b 64 87 fe 7f df b4 72 57 52 34 cd ee 96 37 b9 0f 6d da 4d 37 8e 23 e7 22 29 74 36 ba e6 05 ff 57 55 50 85 42 50 05 30 28 98 a0 40 30 a8 22 70 8e 40 a2 ef bb ef fd 5f bf 7e 15 d0 f0 03 82 a6 c1 b6 00 bb 77 17 04 c9 11 db 07 60 83 01 c7 d8 a6 bc 0b 75 72 92 e3 7b 64 38 32 ce 04 99 fb c0 3a b6 9c e5 66 0a 67 33 39 17 84 9b 06 32 2e 94 42 2d 63 66 d3 7e ff ae dd 4a 06 21 84 a1 12 f5 31 66 dd 1c ff 4d 40 c4 ba 04 69 f8 63 a4 6f 7e bb d3 9d de 70 20 22 3c 51 2f f9 cb a1 51 ef e7 e8 b8 1a 41 10 09 a1 be 1c 59 7f f7 6b d9 55 06 41 d4 bc c5 3c 86 5a 1d b7 c6 7f 4e 05 11 50 31 9a d1 c4 a7 12 f0 88 b3 c9 93 da b7 0d 1c 53 69 bf f5 8d bc d7 56 92 be 7c b3 b7 83 ed 73 f1 91 65 2d ad 43 bf 26 63 c0 9b 65 63 3a d9 e2 9a 28 4d 82 b0 c5 a3 a9 b7 ad 59 98 31 83 01 df b7 a3 ae 94 0d ae 05 e3 33 4d b0 66 d7 06 87 36 58 a3 2c 1a 5c 77 86 e0 e7 ae d1 dd 0d 58 6c d6 a4 b7 a6 d2 0d f6 ed be 91 9b b6 df 30 63 37 e1 ae ea 42 21 e0 36 a7 bb 4d 21 cb 9b e9 33 f3 58 5b d9 59 fd b1 34 6d 3f 78 b4 97 06 e0 f5 ec da c6 f6 25 eb eb 9e 9c 4d 26 41 10 3c 71 63 f9 b7 9d 9d 55 fd f6 bf bd 78 d9 f5 83 ff 2d fa da a8 41 f2 df df ce c3 97 5f 82 32 e5 d0 62 e7 d9 1f e7 fe d6 28 5c 78 ec 68 b5 c7 e3 23 9c 29 e0 f8 df 8f 9d be b1 a7 42 e5 ac f3 27 87 d1 18 d5 4a eb c3 6b 17 36 ba 70 a1 46 21 9e 0d ce 9b f6 b5 35 3d 5a af d1 ed 29 dd 73 19 f2 df 76 b4 67 c9 ac 49 90 80 8f 38 b2 a6 30 de 1d bd 2e 3b ea cc 05 08 28 cf c0 6b de d8 23 08 cf 26 93 c0 c5 80 3c 91 c8 3b ec b4 47 d0 0e 4c ef 75 ab 3f a2 82 51 fb fa 1c 2a b7 f9 a3 91 ce c3 c5 8b ef c1 f1 de 47 09 db 28 62 1c 28 d4 de f7 2e 0b c3 bd 91 ce c7 ef 78 63 55 6f d1 b9 30 f8 76 2e 74 68 42 a0 f4 6c 62 41 d8 ad e4 eb 7b f8 09 1e fe ed 97 4f f7 ff f7 fe 33 3c fc d7 fb bf b9 ff bf 40 c1 51 c5 1f 53 3f df ff cd 9f ff ef fd e7 87 9f e0 fe 7f 3c fc 74 ff 97 f7 9f 1f fe 2b dc ff e5 2f 9f ee ff 0a fe fc df ef 3f 3f fc 97 87 7f fb e5 d3 c3 cf f7 ff e3 fe 2f 7d e0 b1 f2 da f9 71 c3 c6 94 b2 41 0d 7e 09
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closex-litespeed-tag: 3ec_HTTP.404expires: Wed, 11 Jan 1984 05:00:00 GMTcache-control: no-cache, must-revalidate, max-age=0content-type: text/html; charset=UTF-8link: <https://tehranrizcomputer.com/wp-json/>; rel="https://api.w.org/"x-litespeed-cache-control: no-cachetransfer-encoding: chunkedcontent-encoding: brvary: Accept-Encodingdate: Sat, 04 May 2024 08:10:40 GMTData Raw: 35 65 64 63 0d 0a f4 ff 1b 66 23 ec 9e 95 da 7b a8 ca 80 39 69 f5 00 a8 ce c4 18 37 f4 c7 af 3f ff fe 2a 30 76 37 c4 3a ae e7 fb 7f b3 d4 fe d7 ac 73 bc d8 df 40 47 91 4a 2e 80 00 87 1a 28 97 12 79 48 e2 1e 1c b7 65 b7 bb db d2 e1 01 89 cb 22 24 92 60 00 b0 58 65 45 ef ff 39 59 78 b3 f7 1f a6 37 8d 9b b5 d4 d9 fd cb a6 d5 7b e7 f3 52 d9 1b ec da 96 a7 bb 91 84 60 76 ef ce 89 cb e1 47 90 19 86 20 0e e1 74 e1 af 74 d6 9f f1 e5 f4 d4 53 5e 26 35 52 4b 02 24 0f 68 e2 6e b6 bd 29 53 8d d4 80 66 94 be 24 8c bd 21 92 0e aa fb 3f 47 8d 99 a0 8f d9 10 7d 39 bf 06 b3 8f e5 e7 e9 aa 9a dd b0 dd 51 4b 1c a0 97 f0 ec 35 e8 aa f9 34 4b 64 87 fe 7f df b4 72 57 52 34 cd ee 96 37 b9 0f 6d da 4d 37 8e 23 e7 22 29 74 36 ba e6 05 ff 57 55 50 85 42 50 05 30 28 98 a0 40 30 a8 22 70 8e 40 a2 ef bb ef fd 5f bf 7e 15 d0 f0 03 82 a6 c1 b6 00 bb 77 17 04 c9 11 db 07 60 83 01 c7 d8 a6 bc 0b 75 72 92 e3 7b 64 38 32 ce 04 99 fb c0 3a b6 9c e5 66 0a 67 33 39 17 84 9b 06 32 2e 94 42 2d 63 66 d3 7e ff ae dd 4a 06 21 84 a1 12 f5 31 66 dd 1c ff 4d 40 c4 ba 04 69 f8 63 a4 6f 7e bb d3 9d de 70 20 22 3c 51 2f f9 cb a1 51 ef e7 e8 b8 1a 41 10 09 a1 be 1c 59 7f f7 6b d9 55 06 41 d4 bc c5 3c 86 5a 1d b7 c6 7f 4e 05 11 50 31 9a d1 c4 a7 12 f0 88 b3 c9 93 da b7 0d 1c 53 69 bf f5 8d bc d7 56 92 be 7c b3 b7 83 ed 73 f1 91 65 2d ad 43 bf 26 63 c0 9b 65 63 3a d9 e2 9a 28 4d 82 b0 c5 a3 a9 b7 ad 59 98 31 83 01 df b7 a3 ae 94 0d ae 05 e3 33 4d b0 66 d7 06 87 36 58 a3 2c 1a 5c 77 86 e0 e7 ae d1 dd 0d 58 6c d6 a4 b7 a6 d2 0d f6 ed be 91 9b b6 df 30 63 37 e1 ae ea 42 21 e0 36 a7 bb 4d 21 cb 9b e9 33 f3 58 5b d9 59 fd b1 34 6d 3f 78 b4 97 06 e0 f5 ec da c6 f6 25 eb eb 9e 9c 4d 26 41 10 3c 71 63 f9 b7 9d 9d 55 fd f6 bf bd 78 d9 f5 83 ff 2d fa da a8 41 f2 df df ce c3 97 5f 82 32 e5 d0 62 e7 d9 1f e7 fe d6 28 5c 78 ec 68 b5 c7 e3 23 9c 29 e0 f8 df 8f 9d be b1 a7 42 e5 ac f3 27 87 d1 18 d5 4a eb c3 6b 17 36 ba 70 a1 46 21 9e 0d ce 9b f6 b5 35 3d 5a af d1 ed 29 dd 73 19 f2 df 76 b4 67 c9 ac 49 90 80 8f 38 b2 a6 30 de 1d bd 2e 3b ea cc 05 08 28 cf c0 6b de d8 23 08 cf 26 93 c0 c5 80 3c 91 c8 3b ec b4 47 d0 0e 4c ef 75 ab 3f a2 82 51 fb fa 1c 2a b7 f9 a3 91 ce c3 c5 8b ef c1 f1 de 47 09 db 28 62 1c 28 d4 de f7 2e 0b c3 bd 91 ce c7 ef 78 63 55 6f d1 b9 30 f8 76 2e 74 68 42 a0 f4 6c 62 41 d8 ad e4 eb 7b f8 09 1e fe ed 97 4f f7 ff f7 fe 33 3c fc d7 fb bf b9 ff bf 40 c1 51 c5 1f 53 3f df ff cd 9f ff ef fd e7 87 9f e0 fe 7f 3c fc 74 ff 97 f7 9f 1f fe 2b dc ff e5 2f 9f ee ff 0a fe fc df ef 3f 3f fc 97 87 7f fb e5 d3 c3 cf f7 ff e3 fe 2f 7d e0 b1 f2 da f9 71 c3 c6 94 b2 41 0d 7e 09
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closex-litespeed-tag: 3ec_HTTP.404expires: Wed, 11 Jan 1984 05:00:00 GMTcache-control: no-cache, must-revalidate, max-age=0content-type: text/html; charset=UTF-8link: <https://tehranrizcomputer.com/wp-json/>; rel="https://api.w.org/"x-litespeed-cache-control: no-cachetransfer-encoding: chunkedcontent-encoding: brvary: Accept-Encodingdate: Sat, 04 May 2024 08:10:42 GMTData Raw: 35 65 64 63 0d 0a f4 ff 1b 66 23 ec 9e 95 da 7b a8 ca 80 39 69 f5 00 a8 ce c4 18 37 f4 c7 af 3f ff fe 2a 30 76 37 c4 3a ae e7 fb 7f b3 d4 fe d7 ac 73 bc d8 df 40 47 91 4a 2e 80 00 87 1a 28 97 12 79 48 e2 1e 1c b7 65 b7 bb db d2 e1 01 89 cb 22 24 92 60 00 b0 58 65 45 ef ff 39 59 78 b3 f7 1f a6 37 8d 9b b5 d4 d9 fd cb a6 d5 7b e7 f3 52 d9 1b ec da 96 a7 bb 91 84 60 76 ef ce 89 cb e1 47 90 19 86 20 0e e1 74 e1 af 74 d6 9f f1 e5 f4 d4 53 5e 26 35 52 4b 02 24 0f 68 e2 6e b6 bd 29 53 8d d4 80 66 94 be 24 8c bd 21 92 0e aa fb 3f 47 8d 99 a0 8f d9 10 7d 39 bf 06 b3 8f e5 e7 e9 aa 9a dd b0 dd 51 4b 1c a0 97 f0 ec 35 e8 aa f9 34 4b 64 87 fe 7f df b4 72 57 52 34 cd ee 96 37 b9 0f 6d da 4d 37 8e 23 e7 22 29 74 36 ba e6 05 ff 57 55 50 85 42 50 05 30 28 98 a0 40 30 a8 22 70 8e 40 a2 ef bb ef fd 5f bf 7e 15 d0 f0 03 82 a6 c1 b6 00 bb 77 17 04 c9 11 db 07 60 83 01 c7 d8 a6 bc 0b 75 72 92 e3 7b 64 38 32 ce 04 99 fb c0 3a b6 9c e5 66 0a 67 33 39 17 84 9b 06 32 2e 94 42 2d 63 66 d3 7e ff ae dd 4a 06 21 84 a1 12 f5 31 66 dd 1c ff 4d 40 c4 ba 04 69 f8 63 a4 6f 7e bb d3 9d de 70 20 22 3c 51 2f f9 cb a1 51 ef e7 e8 b8 1a 41 10 09 a1 be 1c 59 7f f7 6b d9 55 06 41 d4 bc c5 3c 86 5a 1d b7 c6 7f 4e 05 11 50 31 9a d1 c4 a7 12 f0 88 b3 c9 93 da b7 0d 1c 53 69 bf f5 8d bc d7 56 92 be 7c b3 b7 83 ed 73 f1 91 65 2d ad 43 bf 26 63 c0 9b 65 63 3a d9 e2 9a 28 4d 82 b0 c5 a3 a9 b7 ad 59 98 31 83 01 df b7 a3 ae 94 0d ae 05 e3 33 4d b0 66 d7 06 87 36 58 a3 2c 1a 5c 77 86 e0 e7 ae d1 dd 0d 58 6c d6 a4 b7 a6 d2 0d f6 ed be 91 9b b6 df 30 63 37 e1 ae ea 42 21 e0 36 a7 bb 4d 21 cb 9b e9 33 f3 58 5b d9 59 fd b1 34 6d 3f 78 b4 97 06 e0 f5 ec da c6 f6 25 eb eb 9e 9c 4d 26 41 10 3c 71 63 f9 b7 9d 9d 55 fd f6 bf bd 78 d9 f5 83 ff 2d fa da a8 41 f2 df df ce c3 97 5f 82 32 e5 d0 62 e7 d9 1f e7 fe d6 28 5c 78 ec 68 b5 c7 e3 23 9c 29 e0 f8 df 8f 9d be b1 a7 42 e5 ac f3 27 87 d1 18 d5 4a eb c3 6b 17 36 ba 70 a1 46 21 9e 0d ce 9b f6 b5 35 3d 5a af d1 ed 29 dd 73 19 f2 df 76 b4 67 c9 ac 49 90 80 8f 38 b2 a6 30 de 1d bd 2e 3b ea cc 05 08 28 cf c0 6b de d8 23 08 cf 26 93 c0 c5 80 3c 91 c8 3b ec b4 47 d0 0e 4c ef 75 ab 3f a2 82 51 fb fa 1c 2a b7 f9 a3 91 ce c3 c5 8b ef c1 f1 de 47 09 db 28 62 1c 28 d4 de f7 2e 0b c3 bd 91 ce c7 ef 78 63 55 6f d1 b9 30 f8 76 2e 74 68 42 a0 f4 6c 62 41 d8 ad e4 eb 7b f8 09 1e fe ed 97 4f f7 ff f7 fe 33 3c fc d7 fb bf b9 ff bf 40 c1 51 c5 1f 53 3f df ff cd 9f ff ef fd e7 87 9f e0 fe 7f 3c fc 74 ff 97 f7 9f 1f fe 2b dc ff e5 2f 9f ee ff 0a fe fc df ef 3f 3f fc 97 87 7f fb e5 d3 c3 cf f7 ff e3 fe 2f 7d e0 b1 f2 da f9 71 c3 c6 94 b2 41 0d 7e 09
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Sat, 04 May 2024 08:10:52 GMTContent-Type: text/htmlContent-Length: 548Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Sat, 04 May 2024 08:10:55 GMTContent-Type: text/htmlContent-Length: 548Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Sat, 04 May 2024 08:10:58 GMTContent-Type: text/htmlContent-Length: 548Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: Doc 1Z881A080453968203.exe, 00000000.00000002.1414525368.0000000002E71000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: cttune.exe, 0000000E.00000002.2603455875.0000000005AE6000.00000004.10000000.00040000.00000000.sdmp, ShWVPkMdEfalHck.exe, 0000000F.00000002.2601998398.00000000033C6000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: http://tehranrizcomputer.com/gtit/?6t=MgfHm/AWJcZtJWhW2C0E/J
Source: ShWVPkMdEfalHck.exe, 0000000F.00000002.2600975698.0000000000F63000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: http://www.coppercookwarekitchen.com
Source: ShWVPkMdEfalHck.exe, 0000000F.00000002.2600975698.0000000000F63000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: http://www.coppercookwarekitchen.com/gtit/
Source: cttune.exe, 0000000E.00000003.2239960453.00000000082F8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: cttune.exe, 0000000E.00000003.2239960453.00000000082F8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: cttune.exe, 0000000E.00000003.2239960453.00000000082F8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: cttune.exe, 0000000E.00000003.2239960453.00000000082F8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: cttune.exe, 0000000E.00000003.2239960453.00000000082F8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: cttune.exe, 0000000E.00000003.2239960453.00000000082F8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: cttune.exe, 0000000E.00000003.2239960453.00000000082F8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: cttune.exe, 0000000E.00000002.2600153010.00000000030FC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
Source: cttune.exe, 0000000E.00000002.2600153010.00000000030FC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
Source: cttune.exe, 0000000E.00000003.2236150618.0000000008235000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srfhttps://login.
Source: cttune.exe, 0000000E.00000002.2600153010.00000000030FC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
Source: cttune.exe, 0000000E.00000002.2600153010.00000000030FC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033
Source: cttune.exe, 0000000E.00000002.2600153010.00000000030FC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
Source: cttune.exe, 0000000E.00000002.2600153010.00000000030FC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
Source: cttune.exe, 0000000E.00000003.2239960453.00000000082F8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.ecosia.org/newtab/
Source: cttune.exe, 0000000E.00000003.2239960453.00000000082F8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico

E-Banking Fraud
barindex
Yara detected FormBook
Source: Yara match File source: 7.2.Doc 1Z881A080453968203.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.Doc 1Z881A080453968203.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000F.00000002.2600975698.0000000000F10000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2038647178.0000000001A80000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2037292581.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.2601515677.00000000033E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.2601810779.0000000004CA0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.2599613488.0000000002F00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2038799247.00000000025F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.2601294723.0000000002DC0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: 7.2.Doc 1Z881A080453968203.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 7.2.Doc 1Z881A080453968203.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000F.00000002.2600975698.0000000000F10000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000007.00000002.2038647178.0000000001A80000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000007.00000002.2037292581.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000E.00000002.2601515677.00000000033E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000E.00000002.2601810779.0000000004CA0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000E.00000002.2599613488.0000000002F00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000007.00000002.2038799247.00000000025F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000D.00000002.2601294723.0000000002DC0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Contains functionality to call native functions
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_0042AEF3 NtClose, 7_2_0042AEF3
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_01762B60 NtClose,LdrInitializeThunk, 7_2_01762B60
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_01762DF0 NtQuerySystemInformation,LdrInitializeThunk, 7_2_01762DF0
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_01762C70 NtFreeVirtualMemory,LdrInitializeThunk, 7_2_01762C70
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_017635C0 NtCreateMutant,LdrInitializeThunk, 7_2_017635C0
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_01764340 NtSetContextThread, 7_2_01764340
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_01764650 NtSuspendThread, 7_2_01764650
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_01762BF0 NtAllocateVirtualMemory, 7_2_01762BF0
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_01762BE0 NtQueryValueKey, 7_2_01762BE0
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_01762BA0 NtEnumerateValueKey, 7_2_01762BA0
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_01762B80 NtQueryInformationFile, 7_2_01762B80
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_01762AF0 NtWriteFile, 7_2_01762AF0
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_01762AD0 NtReadFile, 7_2_01762AD0
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_01762AB0 NtWaitForSingleObject, 7_2_01762AB0
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_01762D30 NtUnmapViewOfSection, 7_2_01762D30
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_01762D10 NtMapViewOfSection, 7_2_01762D10
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_01762D00 NtSetInformationFile, 7_2_01762D00
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_01762DD0 NtDelayExecution, 7_2_01762DD0
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_01762DB0 NtEnumerateKey, 7_2_01762DB0
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_01762C60 NtCreateKey, 7_2_01762C60
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_01762C00 NtQueryInformationProcess, 7_2_01762C00
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_01762CF0 NtOpenProcess, 7_2_01762CF0
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_01762CC0 NtQueryVirtualMemory, 7_2_01762CC0
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_01762CA0 NtQueryInformationToken, 7_2_01762CA0
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_01762F60 NtCreateProcessEx, 7_2_01762F60
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_01762F30 NtCreateSection, 7_2_01762F30
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_01762FE0 NtCreateFile, 7_2_01762FE0
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_01762FB0 NtResumeThread, 7_2_01762FB0
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_01762FA0 NtQuerySection, 7_2_01762FA0
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_01762F90 NtProtectVirtualMemory, 7_2_01762F90
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_01762E30 NtWriteVirtualMemory, 7_2_01762E30
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_01762EE0 NtQueueApcThread, 7_2_01762EE0
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_01762EA0 NtAdjustPrivilegesToken, 7_2_01762EA0
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_01762E80 NtReadVirtualMemory, 7_2_01762E80
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_01763010 NtOpenDirectoryObject, 7_2_01763010
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_01763090 NtSetValueKey, 7_2_01763090
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_017639B0 NtGetContextThread, 7_2_017639B0
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_01763D70 NtOpenThread, 7_2_01763D70
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_01763D10 NtOpenProcessToken, 7_2_01763D10
Source: C:\Windows\SysWOW64\cttune.exe Code function: 14_2_04FB4650 NtSuspendThread,LdrInitializeThunk, 14_2_04FB4650
Source: C:\Windows\SysWOW64\cttune.exe Code function: 14_2_04FB4340 NtSetContextThread,LdrInitializeThunk, 14_2_04FB4340
Source: C:\Windows\SysWOW64\cttune.exe Code function: 14_2_04FB2CA0 NtQueryInformationToken,LdrInitializeThunk, 14_2_04FB2CA0
Source: C:\Windows\SysWOW64\cttune.exe Code function: 14_2_04FB2C70 NtFreeVirtualMemory,LdrInitializeThunk, 14_2_04FB2C70
Source: C:\Windows\SysWOW64\cttune.exe Code function: 14_2_04FB2C60 NtCreateKey,LdrInitializeThunk, 14_2_04FB2C60
Source: C:\Windows\SysWOW64\cttune.exe Code function: 14_2_04FB2DF0 NtQuerySystemInformation,LdrInitializeThunk, 14_2_04FB2DF0
Source: C:\Windows\SysWOW64\cttune.exe Code function: 14_2_04FB2DD0 NtDelayExecution,LdrInitializeThunk, 14_2_04FB2DD0
Source: C:\Windows\SysWOW64\cttune.exe Code function: 14_2_04FB2D30 NtUnmapViewOfSection,LdrInitializeThunk, 14_2_04FB2D30
Source: C:\Windows\SysWOW64\cttune.exe Code function: 14_2_04FB2D10 NtMapViewOfSection,LdrInitializeThunk, 14_2_04FB2D10
Source: C:\Windows\SysWOW64\cttune.exe Code function: 14_2_04FB2EE0 NtQueueApcThread,LdrInitializeThunk, 14_2_04FB2EE0
Source: C:\Windows\SysWOW64\cttune.exe Code function: 14_2_04FB2E80 NtReadVirtualMemory,LdrInitializeThunk, 14_2_04FB2E80
Source: C:\Windows\SysWOW64\cttune.exe Code function: 14_2_04FB2FE0 NtCreateFile,LdrInitializeThunk, 14_2_04FB2FE0
Source: C:\Windows\SysWOW64\cttune.exe Code function: 14_2_04FB2FB0 NtResumeThread,LdrInitializeThunk, 14_2_04FB2FB0
Source: C:\Windows\SysWOW64\cttune.exe Code function: 14_2_04FB2F30 NtCreateSection,LdrInitializeThunk, 14_2_04FB2F30
Source: C:\Windows\SysWOW64\cttune.exe Code function: 14_2_04FB2AF0 NtWriteFile,LdrInitializeThunk, 14_2_04FB2AF0
Source: C:\Windows\SysWOW64\cttune.exe Code function: 14_2_04FB2AD0 NtReadFile,LdrInitializeThunk, 14_2_04FB2AD0
Source: C:\Windows\SysWOW64\cttune.exe Code function: 14_2_04FB2BF0 NtAllocateVirtualMemory,LdrInitializeThunk, 14_2_04FB2BF0
Source: C:\Windows\SysWOW64\cttune.exe Code function: 14_2_04FB2BE0 NtQueryValueKey,LdrInitializeThunk, 14_2_04FB2BE0
Source: C:\Windows\SysWOW64\cttune.exe Code function: 14_2_04FB2BA0 NtEnumerateValueKey,LdrInitializeThunk, 14_2_04FB2BA0
Source: C:\Windows\SysWOW64\cttune.exe Code function: 14_2_04FB2B60 NtClose,LdrInitializeThunk, 14_2_04FB2B60
Source: C:\Windows\SysWOW64\cttune.exe Code function: 14_2_04FB35C0 NtCreateMutant,LdrInitializeThunk, 14_2_04FB35C0
Source: C:\Windows\SysWOW64\cttune.exe Code function: 14_2_04FB39B0 NtGetContextThread,LdrInitializeThunk, 14_2_04FB39B0
Source: C:\Windows\SysWOW64\cttune.exe Code function: 14_2_04FB2CF0 NtOpenProcess, 14_2_04FB2CF0
Source: C:\Windows\SysWOW64\cttune.exe Code function: 14_2_04FB2CC0 NtQueryVirtualMemory, 14_2_04FB2CC0
Source: C:\Windows\SysWOW64\cttune.exe Code function: 14_2_04FB2C00 NtQueryInformationProcess, 14_2_04FB2C00
Source: C:\Windows\SysWOW64\cttune.exe Code function: 14_2_04FB2DB0 NtEnumerateKey, 14_2_04FB2DB0
Source: C:\Windows\SysWOW64\cttune.exe Code function: 14_2_04FB2D00 NtSetInformationFile, 14_2_04FB2D00
Source: C:\Windows\SysWOW64\cttune.exe Code function: 14_2_04FB2EA0 NtAdjustPrivilegesToken, 14_2_04FB2EA0
Source: C:\Windows\SysWOW64\cttune.exe Code function: 14_2_04FB2E30 NtWriteVirtualMemory, 14_2_04FB2E30
Source: C:\Windows\SysWOW64\cttune.exe Code function: 14_2_04FB2FA0 NtQuerySection, 14_2_04FB2FA0
Source: C:\Windows\SysWOW64\cttune.exe Code function: 14_2_04FB2F90 NtProtectVirtualMemory, 14_2_04FB2F90
Source: C:\Windows\SysWOW64\cttune.exe Code function: 14_2_04FB2F60 NtCreateProcessEx, 14_2_04FB2F60
Source: C:\Windows\SysWOW64\cttune.exe Code function: 14_2_04FB2AB0 NtWaitForSingleObject, 14_2_04FB2AB0
Source: C:\Windows\SysWOW64\cttune.exe Code function: 14_2_04FB2B80 NtQueryInformationFile, 14_2_04FB2B80
Source: C:\Windows\SysWOW64\cttune.exe Code function: 14_2_04FB3090 NtSetValueKey, 14_2_04FB3090
Source: C:\Windows\SysWOW64\cttune.exe Code function: 14_2_04FB3010 NtOpenDirectoryObject, 14_2_04FB3010
Source: C:\Windows\SysWOW64\cttune.exe Code function: 14_2_04FB3D70 NtOpenThread, 14_2_04FB3D70
Source: C:\Windows\SysWOW64\cttune.exe Code function: 14_2_04FB3D10 NtOpenProcessToken, 14_2_04FB3D10
Source: C:\Windows\SysWOW64\cttune.exe Code function: 14_2_02F27640 NtCreateFile, 14_2_02F27640
Source: C:\Windows\SysWOW64\cttune.exe Code function: 14_2_02F277A0 NtReadFile, 14_2_02F277A0
Source: C:\Windows\SysWOW64\cttune.exe Code function: 14_2_02F27A70 NtAllocateVirtualMemory, 14_2_02F27A70
Source: C:\Windows\SysWOW64\cttune.exe Code function: 14_2_02F27880 NtDeleteFile, 14_2_02F27880
Source: C:\Windows\SysWOW64\cttune.exe Code function: 14_2_02F27910 NtClose, 14_2_02F27910
Detected potential crypto function
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 0_2_0146EFC4 0_2_0146EFC4
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 0_2_054901A8 0_2_054901A8
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 0_2_0549F698 0_2_0549F698
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 0_2_05491D18 0_2_05491D18
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 0_2_05491D28 0_2_05491D28
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 0_2_05491991 0_2_05491991
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 0_2_054919A0 0_2_054919A0
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 0_2_054986E8 0_2_054986E8
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_004028A0 7_2_004028A0
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_00401120 7_2_00401120
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_00404984 7_2_00404984
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_00401280 7_2_00401280
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_0040FAAA 7_2_0040FAAA
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_0040FAB3 7_2_0040FAB3
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_0042D323 7_2_0042D323
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_00403330 7_2_00403330
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_004163E3 7_2_004163E3
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_004023AB 7_2_004023AB
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_004023B0 7_2_004023B0
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_0040FCD3 7_2_0040FCD3
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_00402546 7_2_00402546
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_00402550 7_2_00402550
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_0040DD53 7_2_0040DD53
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_00402EC0 7_2_00402EC0
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_00402EBC 7_2_00402EBC
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_0040DF2B 7_2_0040DF2B
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_017B8158 7_2_017B8158
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_017CA118 7_2_017CA118
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_01720100 7_2_01720100
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_017E81CC 7_2_017E81CC
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_017F01AA 7_2_017F01AA
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_017C2000 7_2_017C2000
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_017EA352 7_2_017EA352
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_0173E3F0 7_2_0173E3F0
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_017F03E6 7_2_017F03E6
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_017D0274 7_2_017D0274
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_017B02C0 7_2_017B02C0
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_01730535 7_2_01730535
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_017F0591 7_2_017F0591
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_017E2446 7_2_017E2446
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_017D4420 7_2_017D4420
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_017DE4F6 7_2_017DE4F6
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_01730770 7_2_01730770
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_01754750 7_2_01754750
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_0172C7C0 7_2_0172C7C0
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_0174C6E0 7_2_0174C6E0
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_01746962 7_2_01746962
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_017329A0 7_2_017329A0
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_017FA9A6 7_2_017FA9A6
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_0173A840 7_2_0173A840
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_01732840 7_2_01732840
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_0175E8F0 7_2_0175E8F0
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_017168B8 7_2_017168B8
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_017EAB40 7_2_017EAB40
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_017E6BD7 7_2_017E6BD7
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_0172EA80 7_2_0172EA80
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_017CCD1F 7_2_017CCD1F
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_0173AD00 7_2_0173AD00
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_0172ADE0 7_2_0172ADE0
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_01748DBF 7_2_01748DBF
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_01730C00 7_2_01730C00
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_01720CF2 7_2_01720CF2
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_017D0CB5 7_2_017D0CB5
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_017A4F40 7_2_017A4F40
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_01750F30 7_2_01750F30
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_017D2F30 7_2_017D2F30
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_01772F28 7_2_01772F28
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_0173CFE0 7_2_0173CFE0
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_01722FC8 7_2_01722FC8
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_017AEFA0 7_2_017AEFA0
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_01730E59 7_2_01730E59
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_017EEE26 7_2_017EEE26
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_017EEEDB 7_2_017EEEDB
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_01742E90 7_2_01742E90
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_017ECE93 7_2_017ECE93
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_0171F172 7_2_0171F172
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_017FB16B 7_2_017FB16B
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_0176516C 7_2_0176516C
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_0173B1B0 7_2_0173B1B0
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_017E70E9 7_2_017E70E9
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_017EF0E0 7_2_017EF0E0
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_017DF0CC 7_2_017DF0CC
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_017370C0 7_2_017370C0
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_0171D34C 7_2_0171D34C
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_017E132D 7_2_017E132D
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_0177739A 7_2_0177739A
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_017D12ED 7_2_017D12ED
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_0174B2C0 7_2_0174B2C0
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_017352A0 7_2_017352A0
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_017E7571 7_2_017E7571
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_017CD5B0 7_2_017CD5B0
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_01721460 7_2_01721460
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_017EF43F 7_2_017EF43F
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_017EF7B0 7_2_017EF7B0
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_017E16CC 7_2_017E16CC
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_01739950 7_2_01739950
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_0174B950 7_2_0174B950
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_017C5910 7_2_017C5910
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_0179D800 7_2_0179D800
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_017338E0 7_2_017338E0
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_017EFB76 7_2_017EFB76
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_017A5BF0 7_2_017A5BF0
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_0176DBF9 7_2_0176DBF9
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_0174FB80 7_2_0174FB80
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_017A3A6C 7_2_017A3A6C
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_017EFA49 7_2_017EFA49
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_017E7A46 7_2_017E7A46
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_017DDAC6 7_2_017DDAC6
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_017CDAAC 7_2_017CDAAC
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_01775AA0 7_2_01775AA0
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_017D1AA3 7_2_017D1AA3
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_017E7D73 7_2_017E7D73
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_017E1D5A 7_2_017E1D5A
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_01733D40 7_2_01733D40
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_0174FDC0 7_2_0174FDC0
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_017A9C32 7_2_017A9C32
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_017EFCF2 7_2_017EFCF2
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_017EFF09 7_2_017EFF09
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_016F3FD5 7_2_016F3FD5
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_016F3FD2 7_2_016F3FD2
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_017EFFB1 7_2_017EFFB1
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_01731F92 7_2_01731F92
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_01739EB0 7_2_01739EB0
Source: C:\Windows\SysWOW64\cttune.exe Code function: 14_2_05040591 14_2_05040591
Source: C:\Windows\SysWOW64\cttune.exe Code function: 14_2_05032446 14_2_05032446
Source: C:\Windows\SysWOW64\cttune.exe Code function: 14_2_04F80535 14_2_04F80535
Source: C:\Windows\SysWOW64\cttune.exe Code function: 14_2_0502E4F6 14_2_0502E4F6
Source: C:\Windows\SysWOW64\cttune.exe Code function: 14_2_04F9C6E0 14_2_04F9C6E0
Source: C:\Windows\SysWOW64\cttune.exe Code function: 14_2_04F7C7C0 14_2_04F7C7C0
Source: C:\Windows\SysWOW64\cttune.exe Code function: 14_2_04F80770 14_2_04F80770
Source: C:\Windows\SysWOW64\cttune.exe Code function: 14_2_04FA4750 14_2_04FA4750
Source: C:\Windows\SysWOW64\cttune.exe Code function: 14_2_0501A118 14_2_0501A118
Source: C:\Windows\SysWOW64\cttune.exe Code function: 14_2_05008158 14_2_05008158
Source: C:\Windows\SysWOW64\cttune.exe Code function: 14_2_050401AA 14_2_050401AA
Source: C:\Windows\SysWOW64\cttune.exe Code function: 14_2_050381CC 14_2_050381CC
Source: C:\Windows\SysWOW64\cttune.exe Code function: 14_2_04F70100 14_2_04F70100
Source: C:\Windows\SysWOW64\cttune.exe Code function: 14_2_0503A352 14_2_0503A352
Source: C:\Windows\SysWOW64\cttune.exe Code function: 14_2_050403E6 14_2_050403E6
Source: C:\Windows\SysWOW64\cttune.exe Code function: 14_2_04F8E3F0 14_2_04F8E3F0
Source: C:\Windows\SysWOW64\cttune.exe Code function: 14_2_05020274 14_2_05020274
Source: C:\Windows\SysWOW64\cttune.exe Code function: 14_2_050002C0 14_2_050002C0
Source: C:\Windows\SysWOW64\cttune.exe Code function: 14_2_04F70CF2 14_2_04F70CF2
Source: C:\Windows\SysWOW64\cttune.exe Code function: 14_2_04F80C00 14_2_04F80C00
Source: C:\Windows\SysWOW64\cttune.exe Code function: 14_2_04F7ADE0 14_2_04F7ADE0
Source: C:\Windows\SysWOW64\cttune.exe Code function: 14_2_04F98DBF 14_2_04F98DBF
Source: C:\Windows\SysWOW64\cttune.exe Code function: 14_2_05020CB5 14_2_05020CB5
Source: C:\Windows\SysWOW64\cttune.exe Code function: 14_2_04F8AD00 14_2_04F8AD00
Source: C:\Windows\SysWOW64\cttune.exe Code function: 14_2_04F92E90 14_2_04F92E90
Source: C:\Windows\SysWOW64\cttune.exe Code function: 14_2_04F80E59 14_2_04F80E59
Source: C:\Windows\SysWOW64\cttune.exe Code function: 14_2_04F8CFE0 14_2_04F8CFE0
Source: C:\Windows\SysWOW64\cttune.exe Code function: 14_2_0503EE26 14_2_0503EE26
Source: C:\Windows\SysWOW64\cttune.exe Code function: 14_2_04F72FC8 14_2_04F72FC8
Source: C:\Windows\SysWOW64\cttune.exe Code function: 14_2_04FFEFA0 14_2_04FFEFA0
Source: C:\Windows\SysWOW64\cttune.exe Code function: 14_2_0503CE93 14_2_0503CE93
Source: C:\Windows\SysWOW64\cttune.exe Code function: 14_2_04FF4F40 14_2_04FF4F40
Source: C:\Windows\SysWOW64\cttune.exe Code function: 14_2_04FA0F30 14_2_04FA0F30
Source: C:\Windows\SysWOW64\cttune.exe Code function: 14_2_04FC2F28 14_2_04FC2F28
Source: C:\Windows\SysWOW64\cttune.exe Code function: 14_2_0503EEDB 14_2_0503EEDB
Source: C:\Windows\SysWOW64\cttune.exe Code function: 14_2_04FAE8F0 14_2_04FAE8F0
Source: C:\Windows\SysWOW64\cttune.exe Code function: 14_2_04F668B8 14_2_04F668B8
Source: C:\Windows\SysWOW64\cttune.exe Code function: 14_2_0504A9A6 14_2_0504A9A6
Source: C:\Windows\SysWOW64\cttune.exe Code function: 14_2_04F8A840 14_2_04F8A840
Source: C:\Windows\SysWOW64\cttune.exe Code function: 14_2_04F82840 14_2_04F82840
Source: C:\Windows\SysWOW64\cttune.exe Code function: 14_2_04F829A0 14_2_04F829A0
Source: C:\Windows\SysWOW64\cttune.exe Code function: 14_2_04F96962 14_2_04F96962
Source: C:\Windows\SysWOW64\cttune.exe Code function: 14_2_0503AB40 14_2_0503AB40
Source: C:\Windows\SysWOW64\cttune.exe Code function: 14_2_04F7EA80 14_2_04F7EA80
Source: C:\Windows\SysWOW64\cttune.exe Code function: 14_2_05036BD7 14_2_05036BD7
Source: C:\Windows\SysWOW64\cttune.exe Code function: 14_2_05037571 14_2_05037571
Source: C:\Windows\SysWOW64\cttune.exe Code function: 14_2_04F71460 14_2_04F71460
Source: C:\Windows\SysWOW64\cttune.exe Code function: 14_2_0501D5B0 14_2_0501D5B0
Source: C:\Windows\SysWOW64\cttune.exe Code function: 14_2_0503F43F 14_2_0503F43F
Source: C:\Windows\SysWOW64\cttune.exe Code function: 14_2_0503F7B0 14_2_0503F7B0
Source: C:\Windows\SysWOW64\cttune.exe Code function: 14_2_050316CC 14_2_050316CC
Source: C:\Windows\SysWOW64\cttune.exe Code function: 14_2_04F870C0 14_2_04F870C0
Source: C:\Windows\SysWOW64\cttune.exe Code function: 14_2_0504B16B 14_2_0504B16B
Source: C:\Windows\SysWOW64\cttune.exe Code function: 14_2_04F8B1B0 14_2_04F8B1B0
Source: C:\Windows\SysWOW64\cttune.exe Code function: 14_2_04F6F172 14_2_04F6F172
Source: C:\Windows\SysWOW64\cttune.exe Code function: 14_2_04FB516C 14_2_04FB516C
Source: C:\Windows\SysWOW64\cttune.exe Code function: 14_2_0502F0CC 14_2_0502F0CC
Source: C:\Windows\SysWOW64\cttune.exe Code function: 14_2_0503F0E0 14_2_0503F0E0
Source: C:\Windows\SysWOW64\cttune.exe Code function: 14_2_050370E9 14_2_050370E9
Source: C:\Windows\SysWOW64\cttune.exe Code function: 14_2_0503132D 14_2_0503132D
Source: C:\Windows\SysWOW64\cttune.exe Code function: 14_2_04F9B2C0 14_2_04F9B2C0
Source: C:\Windows\SysWOW64\cttune.exe Code function: 14_2_04F852A0 14_2_04F852A0
Source: C:\Windows\SysWOW64\cttune.exe Code function: 14_2_04FC739A 14_2_04FC739A
Source: C:\Windows\SysWOW64\cttune.exe Code function: 14_2_04F6D34C 14_2_04F6D34C
Source: C:\Windows\SysWOW64\cttune.exe Code function: 14_2_050212ED 14_2_050212ED
Source: C:\Windows\SysWOW64\cttune.exe Code function: 14_2_05031D5A 14_2_05031D5A
Source: C:\Windows\SysWOW64\cttune.exe Code function: 14_2_05037D73 14_2_05037D73
Source: C:\Windows\SysWOW64\cttune.exe Code function: 14_2_04FF9C32 14_2_04FF9C32
Source: C:\Windows\SysWOW64\cttune.exe Code function: 14_2_04F9FDC0 14_2_04F9FDC0
Source: C:\Windows\SysWOW64\cttune.exe Code function: 14_2_04F83D40 14_2_04F83D40
Source: C:\Windows\SysWOW64\cttune.exe Code function: 14_2_0503FCF2 14_2_0503FCF2
Source: C:\Windows\SysWOW64\cttune.exe Code function: 14_2_0503FF09 14_2_0503FF09
Source: C:\Windows\SysWOW64\cttune.exe Code function: 14_2_04F89EB0 14_2_04F89EB0
Source: C:\Windows\SysWOW64\cttune.exe Code function: 14_2_0503FFB1 14_2_0503FFB1
Source: C:\Windows\SysWOW64\cttune.exe Code function: 14_2_04F81F92 14_2_04F81F92
Source: C:\Windows\SysWOW64\cttune.exe Code function: 14_2_04F838E0 14_2_04F838E0
Source: C:\Windows\SysWOW64\cttune.exe Code function: 14_2_04FED800 14_2_04FED800
Source: C:\Windows\SysWOW64\cttune.exe Code function: 14_2_04F89950 14_2_04F89950
Source: C:\Windows\SysWOW64\cttune.exe Code function: 14_2_04F9B950 14_2_04F9B950
Source: C:\Windows\SysWOW64\cttune.exe Code function: 14_2_04FC5AA0 14_2_04FC5AA0
Source: C:\Windows\SysWOW64\cttune.exe Code function: 14_2_0503FB76 14_2_0503FB76
Source: C:\Windows\SysWOW64\cttune.exe Code function: 14_2_04FF3A6C 14_2_04FF3A6C
Source: C:\Windows\SysWOW64\cttune.exe Code function: 14_2_04FBDBF9 14_2_04FBDBF9
Source: C:\Windows\SysWOW64\cttune.exe Code function: 14_2_04FF5BF0 14_2_04FF5BF0
Source: C:\Windows\SysWOW64\cttune.exe Code function: 14_2_05037A46 14_2_05037A46
Source: C:\Windows\SysWOW64\cttune.exe Code function: 14_2_0503FA49 14_2_0503FA49
Source: C:\Windows\SysWOW64\cttune.exe Code function: 14_2_04F9FB80 14_2_04F9FB80
Source: C:\Windows\SysWOW64\cttune.exe Code function: 14_2_0501DAAC 14_2_0501DAAC
Source: C:\Windows\SysWOW64\cttune.exe Code function: 14_2_0502DAC6 14_2_0502DAC6
Source: C:\Windows\SysWOW64\cttune.exe Code function: 14_2_02F112E0 14_2_02F112E0
Source: C:\Windows\SysWOW64\cttune.exe Code function: 14_2_02F013A1 14_2_02F013A1
Source: C:\Windows\SysWOW64\cttune.exe Code function: 14_2_02F0C6F0 14_2_02F0C6F0
Source: C:\Windows\SysWOW64\cttune.exe Code function: 14_2_02F0A770 14_2_02F0A770
Source: C:\Windows\SysWOW64\cttune.exe Code function: 14_2_02F0C4D0 14_2_02F0C4D0
Source: C:\Windows\SysWOW64\cttune.exe Code function: 14_2_02F0C4C7 14_2_02F0C4C7
Source: C:\Windows\SysWOW64\cttune.exe Code function: 14_2_02F0A948 14_2_02F0A948
Source: C:\Windows\SysWOW64\cttune.exe Code function: 14_2_02F12E00 14_2_02F12E00
Source: C:\Windows\SysWOW64\cttune.exe Code function: 14_2_02F29D40 14_2_02F29D40
Found potential string decryption / allocating functions
Source: C:\Windows\SysWOW64\cttune.exe Code function: String function: 04F6B970 appears 272 times
Source: C:\Windows\SysWOW64\cttune.exe Code function: String function: 04FB5130 appears 37 times
Source: C:\Windows\SysWOW64\cttune.exe Code function: String function: 04FEEA12 appears 86 times
Source: C:\Windows\SysWOW64\cttune.exe Code function: String function: 04FFF290 appears 105 times
Source: C:\Windows\SysWOW64\cttune.exe Code function: String function: 04FC7E54 appears 98 times
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: String function: 017AF290 appears 105 times
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: String function: 01777E54 appears 102 times
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: String function: 0179EA12 appears 86 times
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: String function: 0171B970 appears 280 times
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: String function: 01765130 appears 58 times
Sample file is different than original file name gathered from version info
Source: Doc 1Z881A080453968203.exe, 00000000.00000000.1350167796.0000000000B32000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameeawO.exe8 vs Doc 1Z881A080453968203.exe
Source: Doc 1Z881A080453968203.exe, 00000000.00000002.1417378517.0000000006310000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameTyrone.dll8 vs Doc 1Z881A080453968203.exe
Source: Doc 1Z881A080453968203.exe, 00000000.00000002.1407364422.000000000109E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs Doc 1Z881A080453968203.exe
Source: Doc 1Z881A080453968203.exe, 00000000.00000002.1415284131.00000000041C2000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameTyrone.dll8 vs Doc 1Z881A080453968203.exe
Source: Doc 1Z881A080453968203.exe, 00000000.00000002.1416840004.00000000053E0000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameSimpleLogin.dllD vs Doc 1Z881A080453968203.exe
Source: Doc 1Z881A080453968203.exe, 00000000.00000002.1414525368.0000000002E71000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameSimpleLogin.dllD vs Doc 1Z881A080453968203.exe
Source: Doc 1Z881A080453968203.exe, 00000007.00000002.2037717484.000000000181D000.00000040.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs Doc 1Z881A080453968203.exe
Source: Doc 1Z881A080453968203.exe, 00000007.00000002.2037453632.0000000001138000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameCTTUNE.EXEj% vs Doc 1Z881A080453968203.exe
Source: Doc 1Z881A080453968203.exe Binary or memory string: OriginalFilenameeawO.exe8 vs Doc 1Z881A080453968203.exe
Uses 32bit PE files
Source: Doc 1Z881A080453968203.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Yara signature match
Source: 7.2.Doc 1Z881A080453968203.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 7.2.Doc 1Z881A080453968203.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000F.00000002.2600975698.0000000000F10000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000007.00000002.2038647178.0000000001A80000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000007.00000002.2037292581.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000E.00000002.2601515677.00000000033E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000E.00000002.2601810779.0000000004CA0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000E.00000002.2599613488.0000000002F00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000007.00000002.2038799247.00000000025F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000D.00000002.2601294723.0000000002DC0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Doc 1Z881A080453968203.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 0.2.Doc 1Z881A080453968203.exe.2ed747c.1.raw.unpack, XG.cs Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.Doc 1Z881A080453968203.exe.2ed747c.1.raw.unpack, XG.cs Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.Doc 1Z881A080453968203.exe.5680000.8.raw.unpack, XG.cs Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.Doc 1Z881A080453968203.exe.5680000.8.raw.unpack, XG.cs Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.Doc 1Z881A080453968203.exe.2ec6804.5.raw.unpack, XG.cs Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.Doc 1Z881A080453968203.exe.2ec6804.5.raw.unpack, XG.cs Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.Doc 1Z881A080453968203.exe.6310000.9.raw.unpack, GufG7tGXRf6WvLPGu5.cs Security API names: _0020.SetAccessControl
Source: 0.2.Doc 1Z881A080453968203.exe.6310000.9.raw.unpack, GufG7tGXRf6WvLPGu5.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Doc 1Z881A080453968203.exe.6310000.9.raw.unpack, GufG7tGXRf6WvLPGu5.cs Security API names: _0020.AddAccessRule
Source: 0.2.Doc 1Z881A080453968203.exe.4272c00.6.raw.unpack, CKuiFuwbUv7jQAoi78.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Doc 1Z881A080453968203.exe.4272c00.6.raw.unpack, GufG7tGXRf6WvLPGu5.cs Security API names: _0020.SetAccessControl
Source: 0.2.Doc 1Z881A080453968203.exe.4272c00.6.raw.unpack, GufG7tGXRf6WvLPGu5.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Doc 1Z881A080453968203.exe.4272c00.6.raw.unpack, GufG7tGXRf6WvLPGu5.cs Security API names: _0020.AddAccessRule
Source: 0.2.Doc 1Z881A080453968203.exe.6310000.9.raw.unpack, CKuiFuwbUv7jQAoi78.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Doc 1Z881A080453968203.exe.2ed747c.1.raw.unpack, ReactionVessel.cs Suspicious method names: .ReactionVessel.Inject
Source: 0.2.Doc 1Z881A080453968203.exe.5680000.8.raw.unpack, ReactionVessel.cs Suspicious method names: .ReactionVessel.Inject
Source: 0.2.Doc 1Z881A080453968203.exe.2ec6804.5.raw.unpack, ReactionVessel.cs Suspicious method names: .ReactionVessel.Inject
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@16/7@3/3
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Doc 1Z881A080453968203.exe.log Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Mutant created: NULL
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Mutant created: \Sessions\1\BaseNamedObjects\JnOGrOqYvvHHWiifiLhiP
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7612:120:WilError_03
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_tggyfibh.la0.ps1 Jump to behavior
Source: Doc 1Z881A080453968203.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: Doc 1Z881A080453968203.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe File read: C:\Users\user\Desktop\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: cttune.exe, 0000000E.00000002.2600153010.0000000003157000.00000004.00000020.00020000.00000000.sdmp, cttune.exe, 0000000E.00000003.2236758590.0000000003157000.00000004.00000020.00020000.00000000.sdmp, cttune.exe, 0000000E.00000003.2238823304.0000000003161000.00000004.00000020.00020000.00000000.sdmp, cttune.exe, 0000000E.00000003.2236643499.0000000003137000.00000004.00000020.00020000.00000000.sdmp, cttune.exe, 0000000E.00000002.2600153010.0000000003184000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: Doc 1Z881A080453968203.exe ReversingLabs: Detection: 63%
Source: Doc 1Z881A080453968203.exe Virustotal: Detection: 65%
Source: unknown Process created: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe "C:\Users\user\Desktop\Doc 1Z881A080453968203.exe"
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Doc 1Z881A080453968203.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Process created: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe "C:\Users\user\Desktop\Doc 1Z881A080453968203.exe"
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Process created: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe "C:\Users\user\Desktop\Doc 1Z881A080453968203.exe"
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Process created: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe "C:\Users\user\Desktop\Doc 1Z881A080453968203.exe"
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Process created: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe "C:\Users\user\Desktop\Doc 1Z881A080453968203.exe"
Source: C:\Program Files (x86)\xIOtVlNOKTJJgUmrxRSjaUaTfeifqxOizQOAJxzktpgFM\ShWVPkMdEfalHck.exe Process created: C:\Windows\SysWOW64\cttune.exe "C:\Windows\SysWOW64\cttune.exe"
Source: C:\Windows\SysWOW64\cttune.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Doc 1Z881A080453968203.exe" Jump to behavior
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Process created: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe "C:\Users\user\Desktop\Doc 1Z881A080453968203.exe" Jump to behavior
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Process created: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe "C:\Users\user\Desktop\Doc 1Z881A080453968203.exe" Jump to behavior
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Process created: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe "C:\Users\user\Desktop\Doc 1Z881A080453968203.exe" Jump to behavior
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Process created: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe "C:\Users\user\Desktop\Doc 1Z881A080453968203.exe" Jump to behavior
Source: C:\Program Files (x86)\xIOtVlNOKTJJgUmrxRSjaUaTfeifqxOizQOAJxzktpgFM\ShWVPkMdEfalHck.exe Process created: C:\Windows\SysWOW64\cttune.exe "C:\Windows\SysWOW64\cttune.exe" Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe" Jump to behavior
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Section loaded: windowscodecs.dll Jump to behavior
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe Section loaded: dwrite.dll Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe Section loaded: oleacc.dll Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe Section loaded: ieframe.dll Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe Section loaded: netapi32.dll Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe Section loaded: wkscli.dll Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe Section loaded: mlang.dll Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe Section loaded: winsqlite3.dll Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe Section loaded: vaultcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Program Files (x86)\xIOtVlNOKTJJgUmrxRSjaUaTfeifqxOizQOAJxzktpgFM\ShWVPkMdEfalHck.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Program Files (x86)\xIOtVlNOKTJJgUmrxRSjaUaTfeifqxOizQOAJxzktpgFM\ShWVPkMdEfalHck.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Program Files (x86)\xIOtVlNOKTJJgUmrxRSjaUaTfeifqxOizQOAJxzktpgFM\ShWVPkMdEfalHck.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Program Files (x86)\xIOtVlNOKTJJgUmrxRSjaUaTfeifqxOizQOAJxzktpgFM\ShWVPkMdEfalHck.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Program Files (x86)\xIOtVlNOKTJJgUmrxRSjaUaTfeifqxOizQOAJxzktpgFM\ShWVPkMdEfalHck.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Program Files (x86)\xIOtVlNOKTJJgUmrxRSjaUaTfeifqxOizQOAJxzktpgFM\ShWVPkMdEfalHck.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32 Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\ Jump to behavior
Source: Doc 1Z881A080453968203.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: Doc 1Z881A080453968203.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: cttune.pdb source: Doc 1Z881A080453968203.exe, 00000007.00000002.2037453632.0000000001138000.00000004.00000020.00020000.00000000.sdmp, ShWVPkMdEfalHck.exe, 0000000D.00000002.2600415684.000000000077E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: cttune.pdbGCTL source: Doc 1Z881A080453968203.exe, 00000007.00000002.2037453632.0000000001138000.00000004.00000020.00020000.00000000.sdmp, ShWVPkMdEfalHck.exe, 0000000D.00000002.2600415684.000000000077E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: ShWVPkMdEfalHck.exe, 0000000D.00000000.1945831392.0000000000C0E000.00000002.00000001.01000000.00000009.sdmp, ShWVPkMdEfalHck.exe, 0000000F.00000002.2599935900.0000000000C0E000.00000002.00000001.01000000.00000009.sdmp
Source: Binary string: wntdll.pdbUGP source: Doc 1Z881A080453968203.exe, 00000007.00000002.2037717484.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, cttune.exe, 0000000E.00000003.2040039193.0000000004D8E000.00000004.00000020.00020000.00000000.sdmp, cttune.exe, 0000000E.00000003.2037858373.0000000004BD7000.00000004.00000020.00020000.00000000.sdmp, cttune.exe, 0000000E.00000002.2602332777.00000000050DE000.00000040.00001000.00020000.00000000.sdmp, cttune.exe, 0000000E.00000002.2602332777.0000000004F40000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: Doc 1Z881A080453968203.exe, Doc 1Z881A080453968203.exe, 00000007.00000002.2037717484.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, cttune.exe, cttune.exe, 0000000E.00000003.2040039193.0000000004D8E000.00000004.00000020.00020000.00000000.sdmp, cttune.exe, 0000000E.00000003.2037858373.0000000004BD7000.00000004.00000020.00020000.00000000.sdmp, cttune.exe, 0000000E.00000002.2602332777.00000000050DE000.00000040.00001000.00020000.00000000.sdmp, cttune.exe, 0000000E.00000002.2602332777.0000000004F40000.00000040.00001000.00020000.00000000.sdmp

Data Obfuscation
barindex
.NET source code contains method to dynamically call methods (often used by packers)
Source: 0.2.Doc 1Z881A080453968203.exe.2ed747c.1.raw.unpack, XG.cs .Net Code: Type.GetTypeFromHandle(global::cO.Ri.k2anMS(16777298)).GetMethod("GetDelegateForFunctionPointer", new Type[2]{Type.GetTypeFromHandle(global::cO.Ri.k2anMS(16777243)),Type.GetTypeFromHandle(global::cO.Ri.k2anMS(16777254))})
Source: 0.2.Doc 1Z881A080453968203.exe.5680000.8.raw.unpack, XG.cs .Net Code: Type.GetTypeFromHandle(global::cO.Ri.k2anMS(16777298)).GetMethod("GetDelegateForFunctionPointer", new Type[2]{Type.GetTypeFromHandle(global::cO.Ri.k2anMS(16777243)),Type.GetTypeFromHandle(global::cO.Ri.k2anMS(16777254))})
Source: 0.2.Doc 1Z881A080453968203.exe.2ec6804.5.raw.unpack, XG.cs .Net Code: Type.GetTypeFromHandle(global::cO.Ri.k2anMS(16777298)).GetMethod("GetDelegateForFunctionPointer", new Type[2]{Type.GetTypeFromHandle(global::cO.Ri.k2anMS(16777243)),Type.GetTypeFromHandle(global::cO.Ri.k2anMS(16777254))})
.NET source code contains potential unpacker
Source: 0.2.Doc 1Z881A080453968203.exe.6310000.9.raw.unpack, GufG7tGXRf6WvLPGu5.cs .Net Code: j9EYHO3oi1 System.Reflection.Assembly.Load(byte[])
Source: 0.2.Doc 1Z881A080453968203.exe.4272c00.6.raw.unpack, GufG7tGXRf6WvLPGu5.cs .Net Code: j9EYHO3oi1 System.Reflection.Assembly.Load(byte[])
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_00413863 push esp; retf 7_2_0041386C
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_0041A1C3 push esi; iretd 7_2_0041A1DC
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_00413999 push ebx; ret 7_2_004139A4
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_0041A246 push 54822BC7h; retf 7_2_0041A250
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_00422A53 push esp; ret 7_2_00422A72
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_00414341 push ecx; ret 7_2_0041435A
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_0040842C push es; ret 7_2_00408435
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_0040852D push es; ret 7_2_0040852F
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_004035E0 push eax; ret 7_2_004035E2
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_00417D9F push cs; ret 7_2_00417DA1
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_016F225F pushad ; ret 7_2_016F27F9
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_016F27FA pushad ; ret 7_2_016F27F9
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_017209AD push ecx; mov dword ptr [esp], ecx 7_2_017209B6
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_016F283D push eax; iretd 7_2_016F2858
Source: C:\Windows\SysWOW64\cttune.exe Code function: 14_2_04F709AD push ecx; mov dword ptr [esp], ecx 14_2_04F709B6
Source: C:\Windows\SysWOW64\cttune.exe Code function: 14_2_02F10280 push esp; retf 14_2_02F10289
Source: C:\Windows\SysWOW64\cttune.exe Code function: 14_2_02F103B6 push ebx; ret 14_2_02F103C1
Source: C:\Windows\SysWOW64\cttune.exe Code function: 14_2_02F147BC push cs; ret 14_2_02F147BE
Source: C:\Windows\SysWOW64\cttune.exe Code function: 14_2_02F1F470 push esp; ret 14_2_02F1F48F
Source: C:\Windows\SysWOW64\cttune.exe Code function: 14_2_02F16BE0 push esi; iretd 14_2_02F16BF9
Source: C:\Windows\SysWOW64\cttune.exe Code function: 14_2_02F04E49 push es; ret 14_2_02F04E52
Source: C:\Windows\SysWOW64\cttune.exe Code function: 14_2_02F04F4A push es; ret 14_2_02F04F4C
Source: C:\Windows\SysWOW64\cttune.exe Code function: 14_2_02F16C63 push 54822BC7h; retf 14_2_02F16C6D
Source: C:\Windows\SysWOW64\cttune.exe Code function: 14_2_02F10D5E push ecx; ret 14_2_02F10D77
Source: Doc 1Z881A080453968203.exe Static PE information: section name: .text entropy: 7.976391309328641
Source: 0.2.Doc 1Z881A080453968203.exe.6310000.9.raw.unpack, q5jGnyqaB7IbpaHE4J.cs High entropy of concatenated method names: 'X0AmvguyaN', 'RFtmPXVIFF', 'MUkmIG6bHo', 'BAKm7TUfYl', 'hETmxPJUpZ', 'rmgmiDUj8v', 'g7QmGGdIk3', 'P4ImJD8KaQ', 'QJvmtpPG1m', 'q8EmhXLthM'
Source: 0.2.Doc 1Z881A080453968203.exe.6310000.9.raw.unpack, zBCVMZUByrs5YB2Jk5.cs High entropy of concatenated method names: 'sRMeK8dmO2', 'beIeDNX1ly', 't2PeU7ZXl7', 'mRyeoHZhxG', 'qqQeT7Rin8', 'us8eEdprK8', 'sVHeMfuudE', 'jPpegdbZ3E', 'gGVeaPgWFO', 'enQeBEW3Ut'
Source: 0.2.Doc 1Z881A080453968203.exe.6310000.9.raw.unpack, SQHUDkV9u6Tc5vi4PD.cs High entropy of concatenated method names: 'xTbcq9byDQ', 'X2yc4hUw6m', 'gm3mQOkAja', 'N5bmWK45jT', 'EqGcFxdtv9', 'cLbcD2Pmly', 'GyDcfHyI69', 'p9BcU1ajRa', 'rd1coAWqmA', 'RxGcyPAfbb'
Source: 0.2.Doc 1Z881A080453968203.exe.6310000.9.raw.unpack, VNyw9Sz5H5ax9LDTww.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'i8au84BlcW', 'tSjueT1Q7P', 'WleuATkmFt', 'yInucjhUP1', 'Wm5umZc2FG', 'r7auu4TFAP', 'qoOunWcFgy'
Source: 0.2.Doc 1Z881A080453968203.exe.6310000.9.raw.unpack, mXVh055C31sAylO3R5.cs High entropy of concatenated method names: 'QSC7pt4XeV', 'eDT79MhjNw', 'F1jIEsfVsw', 'vvHIMIl8UR', 'u2eIgbNash', 'Fd2IaBWTNI', 'z0gIBKdM5t', 'VkcId5xgir', 'NP1I1rubRj', 'GeDIK1ovcw'
Source: 0.2.Doc 1Z881A080453968203.exe.6310000.9.raw.unpack, MGC2kE1GeTrZuhdARo.cs High entropy of concatenated method names: 'b2yirkIXOF', 'IPniNT5kA7', 'KDjiHGQoKJ', 'qUsikBSDK4', 'dN1iploqSr', 'GwZiLiu9gk', 'hXNi9ZPsHZ', 'GugiwJVIrG', 'SVxiX3mYHQ', 'jmDi5h9jxa'
Source: 0.2.Doc 1Z881A080453968203.exe.6310000.9.raw.unpack, wle9kb4l95GgLsLqLM.cs High entropy of concatenated method names: 'FYTuWMKjSS', 'RqZu6jaHyy', 'JvLuYU3EBc', 'syCuvchT9a', 'mrJuPRxIfS', 'XA8u7gZlOO', 't2nuxnJX9X', 'RKYmSVVwmq', 'xZdmqvfMWu', 'rlEmRgpyKt'
Source: 0.2.Doc 1Z881A080453968203.exe.6310000.9.raw.unpack, w662Q0C3PDPuKY1SwB.cs High entropy of concatenated method names: 'mgHHXhBi4', 'JOOkkhXeB', 'ND4LyUpls', 'hSv9lIe16', 'JRIX3wfth', 'bgT5rtwrx', 'Y9YlhglBb0qjxwBN9g', 'ybOER36LwDLkqJpukL', 'RRBmxgqZ9', 'niOnP35aX'
Source: 0.2.Doc 1Z881A080453968203.exe.6310000.9.raw.unpack, CKuiFuwbUv7jQAoi78.cs High entropy of concatenated method names: 'jeSPUED4V7', 'vfjPo0utIB', 'df6PyW1cRP', 'TPOPlOiUyQ', 'wCVPjMpfhk', 'PTTPVgNf5O', 'HmLPSvLvaF', 'TKhPqKD4yT', 'h7uPR7JAP4', 'CFMP4YnoiR'
Source: 0.2.Doc 1Z881A080453968203.exe.6310000.9.raw.unpack, GufG7tGXRf6WvLPGu5.cs High entropy of concatenated method names: 'Qas6s9roxw', 'zou6vyh8ri', 'KaR6PTq3Fr', 'B8k6ItQxrZ', 'B3T67InfIR', 's1D6x0kZRg', 'tGK6i9MlkR', 'JEw6GWPxPm', 'TkG6Jf4Rmc', 'nO26tjNadt'
Source: 0.2.Doc 1Z881A080453968203.exe.6310000.9.raw.unpack, DeE2FFPwwTUaTkx65n.cs High entropy of concatenated method names: 'Dispose', 'hMdWRIND7V', 'XSlCTbufZ6', 'JwkGGBtHAV', 'Ec5W4jGnya', 'L7IWzbpaHE', 'ProcessDialogKey', 'YJCCQBmpAL', 'zqqCWhIRM9', 'UZsCCZle9k'
Source: 0.2.Doc 1Z881A080453968203.exe.6310000.9.raw.unpack, PP565wX3u45xhWFeM0.cs High entropy of concatenated method names: 'sh5Ik4GZQe', 'vPlILw5msT', 'YmwIwVcBed', 'hBSIXCD3pK', 'lMLIeObu3v', 'ectIAo7aXu', 'K5OIcRosxE', 'IVmImaSJT6', 'NP8IuoN9kB', 'rxZInqmHtu'
Source: 0.2.Doc 1Z881A080453968203.exe.6310000.9.raw.unpack, J20CiFlNbjYrDNXUbv.cs High entropy of concatenated method names: 'D0wctrT9cF', 'qgBch7s518', 'ToString', 'IrvcvJdHIR', 'kt6cPHBvjG', 'bvWcIfqM8c', 'o9wc7sQHBh', 'yBccxd0Tjs', 'OLYciar4vY', 'BhocGklYlW'
Source: 0.2.Doc 1Z881A080453968203.exe.6310000.9.raw.unpack, bNmdJFYRSrLObHd2ot.cs High entropy of concatenated method names: 'Su9WiKuiFu', 'uUvWG7jQAo', 'D3uWt45xhW', 'OeMWh0tXVh', 'TO3WeR5WyM', 'o2fWAXcQms', 'MXv0hCIwCrPPTnI0vP', 'nnsRN6jRUgZyhepjvY', 'ImsWWhF3cB', 'G0hW6EsJ8n'
Source: 0.2.Doc 1Z881A080453968203.exe.6310000.9.raw.unpack, cBmpALRHqqhIRM9jZs.cs High entropy of concatenated method names: 'RI2mO6kBk2', 'vdemT8lwB4', 'XhnmEJiKe5', 'on1mMjsgkZ', 'pklmULxb4X', 'r5ymgLS5pa', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.Doc 1Z881A080453968203.exe.6310000.9.raw.unpack, byMe2fOXcQms1qZVGS.cs High entropy of concatenated method names: 'bMpxsDeavl', 'k47xPOIt3g', 'cUfx728G4K', 'qf9xi5ow9o', 'nnJxGQCxEJ', 'ggv7jsroDX', 'fE37V2RhgN', 'cyj7SMsc9t', 'xRb7qbRxev', 'IHP7R2pnvm'
Source: 0.2.Doc 1Z881A080453968203.exe.6310000.9.raw.unpack, Yo4fi1WQ7iv9EiIkb6f.cs High entropy of concatenated method names: 'B9OurxEmF2', 'u7puNF92bI', 'pO5uHnvIHE', 'WOKukg1Cd9', 'vrvupAZ5Wv', 'nwouLbVER0', 'Nrgu9TKG1x', 'XSAuwtDd4d', 'vkOuXd8sEP', 'OPJu5GNtqX'
Source: 0.2.Doc 1Z881A080453968203.exe.6310000.9.raw.unpack, JqReToW6A5roPTmnRbx.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'kWOnUTuXYG', 'jfJnodXwkR', 'ue8nyGDS9w', 'vR3nlwSNfJ', 'htbnj64VrR', 'qIunVwIy9w', 'LnrnS5C0Bu'
Source: 0.2.Doc 1Z881A080453968203.exe.6310000.9.raw.unpack, T9jWBWfb6RtM9K5gaC.cs High entropy of concatenated method names: 'drP8wAZGJ6', 'xmL8XkimWN', 'yo48OG6lvD', 'b3E8TWeJRX', 'Bwb8MueArf', 'cfn8gF1kqm', 'MBj8BJJ9B3', 'gLo8d0db6d', 'V9q8KFalkE', 'djf8Fkih6m'
Source: 0.2.Doc 1Z881A080453968203.exe.6310000.9.raw.unpack, OB2YfUybyNFhG01KSE.cs High entropy of concatenated method names: 'ToString', 'ssHAFdathe', 'KV2ATFqtIe', 'f5ZAEqhgSS', 'd9uAMIndlF', 'B8sAgbm89y', 'FiHAa12HGg', 'SLhABInbeL', 'o7tAdxkQ57', 'B2xA1DMMCq'
Source: 0.2.Doc 1Z881A080453968203.exe.4272c00.6.raw.unpack, q5jGnyqaB7IbpaHE4J.cs High entropy of concatenated method names: 'X0AmvguyaN', 'RFtmPXVIFF', 'MUkmIG6bHo', 'BAKm7TUfYl', 'hETmxPJUpZ', 'rmgmiDUj8v', 'g7QmGGdIk3', 'P4ImJD8KaQ', 'QJvmtpPG1m', 'q8EmhXLthM'
Source: 0.2.Doc 1Z881A080453968203.exe.4272c00.6.raw.unpack, zBCVMZUByrs5YB2Jk5.cs High entropy of concatenated method names: 'sRMeK8dmO2', 'beIeDNX1ly', 't2PeU7ZXl7', 'mRyeoHZhxG', 'qqQeT7Rin8', 'us8eEdprK8', 'sVHeMfuudE', 'jPpegdbZ3E', 'gGVeaPgWFO', 'enQeBEW3Ut'
Source: 0.2.Doc 1Z881A080453968203.exe.4272c00.6.raw.unpack, SQHUDkV9u6Tc5vi4PD.cs High entropy of concatenated method names: 'xTbcq9byDQ', 'X2yc4hUw6m', 'gm3mQOkAja', 'N5bmWK45jT', 'EqGcFxdtv9', 'cLbcD2Pmly', 'GyDcfHyI69', 'p9BcU1ajRa', 'rd1coAWqmA', 'RxGcyPAfbb'
Source: 0.2.Doc 1Z881A080453968203.exe.4272c00.6.raw.unpack, VNyw9Sz5H5ax9LDTww.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'i8au84BlcW', 'tSjueT1Q7P', 'WleuATkmFt', 'yInucjhUP1', 'Wm5umZc2FG', 'r7auu4TFAP', 'qoOunWcFgy'
Source: 0.2.Doc 1Z881A080453968203.exe.4272c00.6.raw.unpack, mXVh055C31sAylO3R5.cs High entropy of concatenated method names: 'QSC7pt4XeV', 'eDT79MhjNw', 'F1jIEsfVsw', 'vvHIMIl8UR', 'u2eIgbNash', 'Fd2IaBWTNI', 'z0gIBKdM5t', 'VkcId5xgir', 'NP1I1rubRj', 'GeDIK1ovcw'
Source: 0.2.Doc 1Z881A080453968203.exe.4272c00.6.raw.unpack, MGC2kE1GeTrZuhdARo.cs High entropy of concatenated method names: 'b2yirkIXOF', 'IPniNT5kA7', 'KDjiHGQoKJ', 'qUsikBSDK4', 'dN1iploqSr', 'GwZiLiu9gk', 'hXNi9ZPsHZ', 'GugiwJVIrG', 'SVxiX3mYHQ', 'jmDi5h9jxa'
Source: 0.2.Doc 1Z881A080453968203.exe.4272c00.6.raw.unpack, wle9kb4l95GgLsLqLM.cs High entropy of concatenated method names: 'FYTuWMKjSS', 'RqZu6jaHyy', 'JvLuYU3EBc', 'syCuvchT9a', 'mrJuPRxIfS', 'XA8u7gZlOO', 't2nuxnJX9X', 'RKYmSVVwmq', 'xZdmqvfMWu', 'rlEmRgpyKt'
Source: 0.2.Doc 1Z881A080453968203.exe.4272c00.6.raw.unpack, w662Q0C3PDPuKY1SwB.cs High entropy of concatenated method names: 'mgHHXhBi4', 'JOOkkhXeB', 'ND4LyUpls', 'hSv9lIe16', 'JRIX3wfth', 'bgT5rtwrx', 'Y9YlhglBb0qjxwBN9g', 'ybOER36LwDLkqJpukL', 'RRBmxgqZ9', 'niOnP35aX'
Source: 0.2.Doc 1Z881A080453968203.exe.4272c00.6.raw.unpack, CKuiFuwbUv7jQAoi78.cs High entropy of concatenated method names: 'jeSPUED4V7', 'vfjPo0utIB', 'df6PyW1cRP', 'TPOPlOiUyQ', 'wCVPjMpfhk', 'PTTPVgNf5O', 'HmLPSvLvaF', 'TKhPqKD4yT', 'h7uPR7JAP4', 'CFMP4YnoiR'
Source: 0.2.Doc 1Z881A080453968203.exe.4272c00.6.raw.unpack, GufG7tGXRf6WvLPGu5.cs High entropy of concatenated method names: 'Qas6s9roxw', 'zou6vyh8ri', 'KaR6PTq3Fr', 'B8k6ItQxrZ', 'B3T67InfIR', 's1D6x0kZRg', 'tGK6i9MlkR', 'JEw6GWPxPm', 'TkG6Jf4Rmc', 'nO26tjNadt'
Source: 0.2.Doc 1Z881A080453968203.exe.4272c00.6.raw.unpack, DeE2FFPwwTUaTkx65n.cs High entropy of concatenated method names: 'Dispose', 'hMdWRIND7V', 'XSlCTbufZ6', 'JwkGGBtHAV', 'Ec5W4jGnya', 'L7IWzbpaHE', 'ProcessDialogKey', 'YJCCQBmpAL', 'zqqCWhIRM9', 'UZsCCZle9k'
Source: 0.2.Doc 1Z881A080453968203.exe.4272c00.6.raw.unpack, PP565wX3u45xhWFeM0.cs High entropy of concatenated method names: 'sh5Ik4GZQe', 'vPlILw5msT', 'YmwIwVcBed', 'hBSIXCD3pK', 'lMLIeObu3v', 'ectIAo7aXu', 'K5OIcRosxE', 'IVmImaSJT6', 'NP8IuoN9kB', 'rxZInqmHtu'
Source: 0.2.Doc 1Z881A080453968203.exe.4272c00.6.raw.unpack, J20CiFlNbjYrDNXUbv.cs High entropy of concatenated method names: 'D0wctrT9cF', 'qgBch7s518', 'ToString', 'IrvcvJdHIR', 'kt6cPHBvjG', 'bvWcIfqM8c', 'o9wc7sQHBh', 'yBccxd0Tjs', 'OLYciar4vY', 'BhocGklYlW'
Source: 0.2.Doc 1Z881A080453968203.exe.4272c00.6.raw.unpack, bNmdJFYRSrLObHd2ot.cs High entropy of concatenated method names: 'Su9WiKuiFu', 'uUvWG7jQAo', 'D3uWt45xhW', 'OeMWh0tXVh', 'TO3WeR5WyM', 'o2fWAXcQms', 'MXv0hCIwCrPPTnI0vP', 'nnsRN6jRUgZyhepjvY', 'ImsWWhF3cB', 'G0hW6EsJ8n'
Source: 0.2.Doc 1Z881A080453968203.exe.4272c00.6.raw.unpack, cBmpALRHqqhIRM9jZs.cs High entropy of concatenated method names: 'RI2mO6kBk2', 'vdemT8lwB4', 'XhnmEJiKe5', 'on1mMjsgkZ', 'pklmULxb4X', 'r5ymgLS5pa', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.Doc 1Z881A080453968203.exe.4272c00.6.raw.unpack, byMe2fOXcQms1qZVGS.cs High entropy of concatenated method names: 'bMpxsDeavl', 'k47xPOIt3g', 'cUfx728G4K', 'qf9xi5ow9o', 'nnJxGQCxEJ', 'ggv7jsroDX', 'fE37V2RhgN', 'cyj7SMsc9t', 'xRb7qbRxev', 'IHP7R2pnvm'
Source: 0.2.Doc 1Z881A080453968203.exe.4272c00.6.raw.unpack, Yo4fi1WQ7iv9EiIkb6f.cs High entropy of concatenated method names: 'B9OurxEmF2', 'u7puNF92bI', 'pO5uHnvIHE', 'WOKukg1Cd9', 'vrvupAZ5Wv', 'nwouLbVER0', 'Nrgu9TKG1x', 'XSAuwtDd4d', 'vkOuXd8sEP', 'OPJu5GNtqX'
Source: 0.2.Doc 1Z881A080453968203.exe.4272c00.6.raw.unpack, JqReToW6A5roPTmnRbx.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'kWOnUTuXYG', 'jfJnodXwkR', 'ue8nyGDS9w', 'vR3nlwSNfJ', 'htbnj64VrR', 'qIunVwIy9w', 'LnrnS5C0Bu'
Source: 0.2.Doc 1Z881A080453968203.exe.4272c00.6.raw.unpack, T9jWBWfb6RtM9K5gaC.cs High entropy of concatenated method names: 'drP8wAZGJ6', 'xmL8XkimWN', 'yo48OG6lvD', 'b3E8TWeJRX', 'Bwb8MueArf', 'cfn8gF1kqm', 'MBj8BJJ9B3', 'gLo8d0db6d', 'V9q8KFalkE', 'djf8Fkih6m'
Source: 0.2.Doc 1Z881A080453968203.exe.4272c00.6.raw.unpack, OB2YfUybyNFhG01KSE.cs High entropy of concatenated method names: 'ToString', 'ssHAFdathe', 'KV2ATFqtIe', 'f5ZAEqhgSS', 'd9uAMIndlF', 'B8sAgbm89y', 'FiHAa12HGg', 'SLhABInbeL', 'o7tAdxkQ57', 'B2xA1DMMCq'
Source: 0.2.Doc 1Z881A080453968203.exe.2ed747c.1.raw.unpack, XG.cs High entropy of concatenated method names: 'S1d', 'RgtTUJcyZL', 'n1Q', 'M1r', 'Y1a', 'U1m', 'k2an4M', 'gt', 'kU', 'rK'
Source: 0.2.Doc 1Z881A080453968203.exe.5680000.8.raw.unpack, XG.cs High entropy of concatenated method names: 'S1d', 'RgtTUJcyZL', 'n1Q', 'M1r', 'Y1a', 'U1m', 'k2an4M', 'gt', 'kU', 'rK'
Source: 0.2.Doc 1Z881A080453968203.exe.2ec6804.5.raw.unpack, XG.cs High entropy of concatenated method names: 'S1d', 'RgtTUJcyZL', 'n1Q', 'M1r', 'Y1a', 'U1m', 'k2an4M', 'gt', 'kU', 'rK'

Hooking and other Techniques for Hiding and Protection
barindex
Loading BitLocker PowerShell Module
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion
barindex
Yara detected AntiVM3
Source: Yara match File source: Process Memory Space: Doc 1Z881A080453968203.exe PID: 7492, type: MEMORYSTR
Allocates memory with a write watch (potentially for evading sandboxes)
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Memory allocated: 1460000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Memory allocated: 2E70000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Memory allocated: 4E70000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Memory allocated: 63A0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Memory allocated: 73A0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Memory allocated: 75E0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Memory allocated: 85E0000 memory reserve | memory write watch Jump to behavior
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_0176096E rdtsc 7_2_0176096E
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5234 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2958 Jump to behavior
Found large amount of non-executed APIs
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe API coverage: 0.7 %
Source: C:\Windows\SysWOW64\cttune.exe API coverage: 2.9 %
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe TID: 7512 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7780 Thread sleep time: -6456360425798339s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7748 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\SysWOW64\cttune.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\cttune.exe Code function: 14_2_02F1B7A0 FindFirstFileW,FindNextFileW,FindClose, 14_2_02F1B7A0
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: cttune.exe, 0000000E.00000002.2604915896.0000000008363000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: nge Transaction PasswordVMware20,11696494690^
Source: cttune.exe, 0000000E.00000002.2604915896.0000000008363000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: entralVMware20,11696494690
Source: F-385HLwx.14.dr Binary or memory string: ms.portal.azure.comVMware20,11696494690
Source: cttune.exe, 0000000E.00000002.2604915896.0000000008363000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: account.microsoft.com/profileVMware20
Source: F-385HLwx.14.dr Binary or memory string: AMC password management pageVMware20,11696494690
Source: cttune.exe, 0000000E.00000002.2600153010.00000000030EA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllM%hc
Source: F-385HLwx.14.dr Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696494690p
Source: F-385HLwx.14.dr Binary or memory string: netportal.hdfcbank.comVMware20,11696494690
Source: F-385HLwx.14.dr Binary or memory string: interactivebrokers.comVMware20,11696494690
Source: F-385HLwx.14.dr Binary or memory string: interactivebrokers.co.inVMware20,11696494690d
Source: F-385HLwx.14.dr Binary or memory string: account.microsoft.com/profileVMware20,11696494690u
Source: cttune.exe, 0000000E.00000002.2604915896.0000000008363000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ctivebrokers.comVMware20,11696494690}
Source: cttune.exe, 0000000E.00000002.2604915896.0000000008363000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: rs.comVMware20,11696494690
Source: F-385HLwx.14.dr Binary or memory string: tasks.office.comVMware20,11696494690o
Source: cttune.exe, 0000000E.00000002.2604915896.0000000008363000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: .comVMware20,11696494690x
Source: F-385HLwx.14.dr Binary or memory string: www.interactivebrokers.co.inVMware20,11696494690~
Source: cttune.exe, 0000000E.00000002.2604915896.0000000008363000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: block list test formVMware20,11696494690
Source: F-385HLwx.14.dr Binary or memory string: Interactive Brokers - COM.HKVMware20,11696494690
Source: F-385HLwx.14.dr Binary or memory string: global block list test formVMware20,11696494690
Source: F-385HLwx.14.dr Binary or memory string: turbotax.intuit.comVMware20,11696494690t
Source: F-385HLwx.14.dr Binary or memory string: bankofamerica.comVMware20,11696494690x
Source: F-385HLwx.14.dr Binary or memory string: Canara Transaction PasswordVMware20,11696494690}
Source: F-385HLwx.14.dr Binary or memory string: Canara Change Transaction PasswordVMware20,11696494690
Source: F-385HLwx.14.dr Binary or memory string: Interactive Brokers - HKVMware20,11696494690]
Source: F-385HLwx.14.dr Binary or memory string: Canara Transaction PasswordVMware20,11696494690x
Source: F-385HLwx.14.dr Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696494690
Source: F-385HLwx.14.dr Binary or memory string: secure.bankofamerica.comVMware20,11696494690|UE
Source: cttune.exe, 0000000E.00000002.2604915896.0000000008363000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: COM.HKVMware20,11696494690
Source: F-385HLwx.14.dr Binary or memory string: discord.comVMware20,11696494690f
Source: F-385HLwx.14.dr Binary or memory string: outlook.office.comVMware20,11696494690s
Source: F-385HLwx.14.dr Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696494690
Source: F-385HLwx.14.dr Binary or memory string: Interactive Brokers - EU WestVMware20,11696494690n
Source: cttune.exe, 0000000E.00000002.2604915896.0000000008363000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: outlook.office.comVMware20,
Source: F-385HLwx.14.dr Binary or memory string: outlook.office365.comVMware20,11696494690t
Source: F-385HLwx.14.dr Binary or memory string: www.interactivebrokers.comVMware20,11696494690}
Source: cttune.exe, 0000000E.00000002.2604915896.0000000008363000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: n.utiitsl.comVMware20,11696494690h
Source: F-385HLwx.14.dr Binary or memory string: microsoft.visualstudio.comVMware20,11696494690x
Source: F-385HLwx.14.dr Binary or memory string: Canara Change Transaction PasswordVMware20,11696494690^
Source: F-385HLwx.14.dr Binary or memory string: Test URL for global passwords blocklistVMware20,11696494690
Source: ShWVPkMdEfalHck.exe, 0000000F.00000002.2600562201.0000000000D2F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: F-385HLwx.14.dr Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696494690z
Source: F-385HLwx.14.dr Binary or memory string: trackpan.utiitsl.comVMware20,11696494690h
Source: cttune.exe, 0000000E.00000002.2604915896.0000000008363000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ansaction PasswordVMware20,11696494690x
Source: F-385HLwx.14.dr Binary or memory string: dev.azure.comVMware20,11696494690j
Source: cttune.exe, 0000000E.00000002.2604915896.0000000008363000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: omVMware20,11696494690|UE
Source: cttune.exe, 0000000E.00000002.2604915896.0000000008363000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ropeVMware20,11696494690
Source: cttune.exe, 0000000E.00000002.2604915896.0000000008363000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: agement pageVMware20,11696494690
Source: cttune.exe, 0000000E.00000002.2604915896.0000000008363000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: sswords blocklistVMware20,11696494690
Source: firefox.exe, 00000010.00000002.2345144750.0000020C47DEC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlltt
Source: cttune.exe, 0000000E.00000002.2604915896.0000000008363000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU WestVMware20,1169649
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Process information queried: ProcessInformation Jump to behavior
Checks if the current process is being debugged
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe Process queried: DebugPort Jump to behavior
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_0176096E rdtsc 7_2_0176096E
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_00417393 LdrLoadDll, 7_2_00417393
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_017B8158 mov eax, dword ptr fs:[00000030h] 7_2_017B8158
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_01726154 mov eax, dword ptr fs:[00000030h] 7_2_01726154
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_01726154 mov eax, dword ptr fs:[00000030h] 7_2_01726154
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_0171C156 mov eax, dword ptr fs:[00000030h] 7_2_0171C156
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_017B4144 mov eax, dword ptr fs:[00000030h] 7_2_017B4144
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_017B4144 mov eax, dword ptr fs:[00000030h] 7_2_017B4144
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_017B4144 mov ecx, dword ptr fs:[00000030h] 7_2_017B4144
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_017B4144 mov eax, dword ptr fs:[00000030h] 7_2_017B4144
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_017B4144 mov eax, dword ptr fs:[00000030h] 7_2_017B4144
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_01750124 mov eax, dword ptr fs:[00000030h] 7_2_01750124
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_017CA118 mov ecx, dword ptr fs:[00000030h] 7_2_017CA118
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_017CA118 mov eax, dword ptr fs:[00000030h] 7_2_017CA118
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_017CA118 mov eax, dword ptr fs:[00000030h] 7_2_017CA118
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_017CA118 mov eax, dword ptr fs:[00000030h] 7_2_017CA118
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_017E0115 mov eax, dword ptr fs:[00000030h] 7_2_017E0115
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_017CE10E mov eax, dword ptr fs:[00000030h] 7_2_017CE10E
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_017CE10E mov ecx, dword ptr fs:[00000030h] 7_2_017CE10E
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_017CE10E mov eax, dword ptr fs:[00000030h] 7_2_017CE10E
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_017CE10E mov eax, dword ptr fs:[00000030h] 7_2_017CE10E
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_017CE10E mov ecx, dword ptr fs:[00000030h] 7_2_017CE10E
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_017CE10E mov eax, dword ptr fs:[00000030h] 7_2_017CE10E
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_017CE10E mov eax, dword ptr fs:[00000030h] 7_2_017CE10E
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_017CE10E mov ecx, dword ptr fs:[00000030h] 7_2_017CE10E
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_017CE10E mov eax, dword ptr fs:[00000030h] 7_2_017CE10E
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_017CE10E mov ecx, dword ptr fs:[00000030h] 7_2_017CE10E
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_017501F8 mov eax, dword ptr fs:[00000030h] 7_2_017501F8
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_017F61E5 mov eax, dword ptr fs:[00000030h] 7_2_017F61E5
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_0179E1D0 mov eax, dword ptr fs:[00000030h] 7_2_0179E1D0
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_0179E1D0 mov eax, dword ptr fs:[00000030h] 7_2_0179E1D0
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_0179E1D0 mov ecx, dword ptr fs:[00000030h] 7_2_0179E1D0
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_0179E1D0 mov eax, dword ptr fs:[00000030h] 7_2_0179E1D0
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_0179E1D0 mov eax, dword ptr fs:[00000030h] 7_2_0179E1D0
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_017E61C3 mov eax, dword ptr fs:[00000030h] 7_2_017E61C3
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_017E61C3 mov eax, dword ptr fs:[00000030h] 7_2_017E61C3
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_017A019F mov eax, dword ptr fs:[00000030h] 7_2_017A019F
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_017A019F mov eax, dword ptr fs:[00000030h] 7_2_017A019F
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_017A019F mov eax, dword ptr fs:[00000030h] 7_2_017A019F
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_017A019F mov eax, dword ptr fs:[00000030h] 7_2_017A019F
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_0171A197 mov eax, dword ptr fs:[00000030h] 7_2_0171A197
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_0171A197 mov eax, dword ptr fs:[00000030h] 7_2_0171A197
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_0171A197 mov eax, dword ptr fs:[00000030h] 7_2_0171A197
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_01760185 mov eax, dword ptr fs:[00000030h] 7_2_01760185
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_017DC188 mov eax, dword ptr fs:[00000030h] 7_2_017DC188
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_017DC188 mov eax, dword ptr fs:[00000030h] 7_2_017DC188
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_017C4180 mov eax, dword ptr fs:[00000030h] 7_2_017C4180
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_017C4180 mov eax, dword ptr fs:[00000030h] 7_2_017C4180
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_0174C073 mov eax, dword ptr fs:[00000030h] 7_2_0174C073
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_01722050 mov eax, dword ptr fs:[00000030h] 7_2_01722050
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_017A6050 mov eax, dword ptr fs:[00000030h] 7_2_017A6050
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_017B6030 mov eax, dword ptr fs:[00000030h] 7_2_017B6030
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_0171A020 mov eax, dword ptr fs:[00000030h] 7_2_0171A020
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_0171C020 mov eax, dword ptr fs:[00000030h] 7_2_0171C020
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_0173E016 mov eax, dword ptr fs:[00000030h] 7_2_0173E016
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_0173E016 mov eax, dword ptr fs:[00000030h] 7_2_0173E016
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_0173E016 mov eax, dword ptr fs:[00000030h] 7_2_0173E016
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_0173E016 mov eax, dword ptr fs:[00000030h] 7_2_0173E016
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_017A4000 mov ecx, dword ptr fs:[00000030h] 7_2_017A4000
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_017C2000 mov eax, dword ptr fs:[00000030h] 7_2_017C2000
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_017C2000 mov eax, dword ptr fs:[00000030h] 7_2_017C2000
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_017C2000 mov eax, dword ptr fs:[00000030h] 7_2_017C2000
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_017C2000 mov eax, dword ptr fs:[00000030h] 7_2_017C2000
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_017C2000 mov eax, dword ptr fs:[00000030h] 7_2_017C2000
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_017C2000 mov eax, dword ptr fs:[00000030h] 7_2_017C2000
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_017C2000 mov eax, dword ptr fs:[00000030h] 7_2_017C2000
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_017C2000 mov eax, dword ptr fs:[00000030h] 7_2_017C2000
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_0171C0F0 mov eax, dword ptr fs:[00000030h] 7_2_0171C0F0
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_017620F0 mov ecx, dword ptr fs:[00000030h] 7_2_017620F0
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_0171A0E3 mov ecx, dword ptr fs:[00000030h] 7_2_0171A0E3
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_017A60E0 mov eax, dword ptr fs:[00000030h] 7_2_017A60E0
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_017280E9 mov eax, dword ptr fs:[00000030h] 7_2_017280E9
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_017A20DE mov eax, dword ptr fs:[00000030h] 7_2_017A20DE
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_017E60B8 mov eax, dword ptr fs:[00000030h] 7_2_017E60B8
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_017E60B8 mov ecx, dword ptr fs:[00000030h] 7_2_017E60B8
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_017B80A8 mov eax, dword ptr fs:[00000030h] 7_2_017B80A8
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_0172208A mov eax, dword ptr fs:[00000030h] 7_2_0172208A
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_017C437C mov eax, dword ptr fs:[00000030h] 7_2_017C437C
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_017A035C mov eax, dword ptr fs:[00000030h] 7_2_017A035C
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_017A035C mov eax, dword ptr fs:[00000030h] 7_2_017A035C
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_017A035C mov eax, dword ptr fs:[00000030h] 7_2_017A035C
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_017A035C mov ecx, dword ptr fs:[00000030h] 7_2_017A035C
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_017A035C mov eax, dword ptr fs:[00000030h] 7_2_017A035C
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_017A035C mov eax, dword ptr fs:[00000030h] 7_2_017A035C
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_017EA352 mov eax, dword ptr fs:[00000030h] 7_2_017EA352
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_017C8350 mov ecx, dword ptr fs:[00000030h] 7_2_017C8350
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_017A2349 mov eax, dword ptr fs:[00000030h] 7_2_017A2349
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_017A2349 mov eax, dword ptr fs:[00000030h] 7_2_017A2349
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_017A2349 mov eax, dword ptr fs:[00000030h] 7_2_017A2349
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_017A2349 mov eax, dword ptr fs:[00000030h] 7_2_017A2349
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_017A2349 mov eax, dword ptr fs:[00000030h] 7_2_017A2349
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_017A2349 mov eax, dword ptr fs:[00000030h] 7_2_017A2349
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_017A2349 mov eax, dword ptr fs:[00000030h] 7_2_017A2349
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_017A2349 mov eax, dword ptr fs:[00000030h] 7_2_017A2349
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_017A2349 mov eax, dword ptr fs:[00000030h] 7_2_017A2349
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_017A2349 mov eax, dword ptr fs:[00000030h] 7_2_017A2349
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_017A2349 mov eax, dword ptr fs:[00000030h] 7_2_017A2349
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_017A2349 mov eax, dword ptr fs:[00000030h] 7_2_017A2349
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_017A2349 mov eax, dword ptr fs:[00000030h] 7_2_017A2349
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_017A2349 mov eax, dword ptr fs:[00000030h] 7_2_017A2349
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_017A2349 mov eax, dword ptr fs:[00000030h] 7_2_017A2349
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_0171C310 mov ecx, dword ptr fs:[00000030h] 7_2_0171C310
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_01740310 mov ecx, dword ptr fs:[00000030h] 7_2_01740310
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_0175A30B mov eax, dword ptr fs:[00000030h] 7_2_0175A30B
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_0175A30B mov eax, dword ptr fs:[00000030h] 7_2_0175A30B
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_0175A30B mov eax, dword ptr fs:[00000030h] 7_2_0175A30B
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_0173E3F0 mov eax, dword ptr fs:[00000030h] 7_2_0173E3F0
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_0173E3F0 mov eax, dword ptr fs:[00000030h] 7_2_0173E3F0
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_0173E3F0 mov eax, dword ptr fs:[00000030h] 7_2_0173E3F0
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_017563FF mov eax, dword ptr fs:[00000030h] 7_2_017563FF
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_017303E9 mov eax, dword ptr fs:[00000030h] 7_2_017303E9
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_017303E9 mov eax, dword ptr fs:[00000030h] 7_2_017303E9
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_017303E9 mov eax, dword ptr fs:[00000030h] 7_2_017303E9
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_017303E9 mov eax, dword ptr fs:[00000030h] 7_2_017303E9
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_017303E9 mov eax, dword ptr fs:[00000030h] 7_2_017303E9
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_017303E9 mov eax, dword ptr fs:[00000030h] 7_2_017303E9
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_017303E9 mov eax, dword ptr fs:[00000030h] 7_2_017303E9
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_017303E9 mov eax, dword ptr fs:[00000030h] 7_2_017303E9
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_017CE3DB mov eax, dword ptr fs:[00000030h] 7_2_017CE3DB
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_017CE3DB mov eax, dword ptr fs:[00000030h] 7_2_017CE3DB
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_017CE3DB mov ecx, dword ptr fs:[00000030h] 7_2_017CE3DB
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_017CE3DB mov eax, dword ptr fs:[00000030h] 7_2_017CE3DB
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_017C43D4 mov eax, dword ptr fs:[00000030h] 7_2_017C43D4
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_017C43D4 mov eax, dword ptr fs:[00000030h] 7_2_017C43D4
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_017DC3CD mov eax, dword ptr fs:[00000030h] 7_2_017DC3CD
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_0172A3C0 mov eax, dword ptr fs:[00000030h] 7_2_0172A3C0
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_0172A3C0 mov eax, dword ptr fs:[00000030h] 7_2_0172A3C0
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_0172A3C0 mov eax, dword ptr fs:[00000030h] 7_2_0172A3C0
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_0172A3C0 mov eax, dword ptr fs:[00000030h] 7_2_0172A3C0
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_0172A3C0 mov eax, dword ptr fs:[00000030h] 7_2_0172A3C0
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_0172A3C0 mov eax, dword ptr fs:[00000030h] 7_2_0172A3C0
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_017283C0 mov eax, dword ptr fs:[00000030h] 7_2_017283C0
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_017283C0 mov eax, dword ptr fs:[00000030h] 7_2_017283C0
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_017283C0 mov eax, dword ptr fs:[00000030h] 7_2_017283C0
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_017283C0 mov eax, dword ptr fs:[00000030h] 7_2_017283C0
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_017A63C0 mov eax, dword ptr fs:[00000030h] 7_2_017A63C0
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_01718397 mov eax, dword ptr fs:[00000030h] 7_2_01718397
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_01718397 mov eax, dword ptr fs:[00000030h] 7_2_01718397
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_01718397 mov eax, dword ptr fs:[00000030h] 7_2_01718397
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_0171E388 mov eax, dword ptr fs:[00000030h] 7_2_0171E388
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_0171E388 mov eax, dword ptr fs:[00000030h] 7_2_0171E388
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_0171E388 mov eax, dword ptr fs:[00000030h] 7_2_0171E388
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_0174438F mov eax, dword ptr fs:[00000030h] 7_2_0174438F
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_0174438F mov eax, dword ptr fs:[00000030h] 7_2_0174438F
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_017D0274 mov eax, dword ptr fs:[00000030h] 7_2_017D0274
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_017D0274 mov eax, dword ptr fs:[00000030h] 7_2_017D0274
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_017D0274 mov eax, dword ptr fs:[00000030h] 7_2_017D0274
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_017D0274 mov eax, dword ptr fs:[00000030h] 7_2_017D0274
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_017D0274 mov eax, dword ptr fs:[00000030h] 7_2_017D0274
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_017D0274 mov eax, dword ptr fs:[00000030h] 7_2_017D0274
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_017D0274 mov eax, dword ptr fs:[00000030h] 7_2_017D0274
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_017D0274 mov eax, dword ptr fs:[00000030h] 7_2_017D0274
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_017D0274 mov eax, dword ptr fs:[00000030h] 7_2_017D0274
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_017D0274 mov eax, dword ptr fs:[00000030h] 7_2_017D0274
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_017D0274 mov eax, dword ptr fs:[00000030h] 7_2_017D0274
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_017D0274 mov eax, dword ptr fs:[00000030h] 7_2_017D0274
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_01724260 mov eax, dword ptr fs:[00000030h] 7_2_01724260
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_01724260 mov eax, dword ptr fs:[00000030h] 7_2_01724260
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_01724260 mov eax, dword ptr fs:[00000030h] 7_2_01724260
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_0171826B mov eax, dword ptr fs:[00000030h] 7_2_0171826B
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_0171A250 mov eax, dword ptr fs:[00000030h] 7_2_0171A250
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_01726259 mov eax, dword ptr fs:[00000030h] 7_2_01726259
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_017DA250 mov eax, dword ptr fs:[00000030h] 7_2_017DA250
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_017DA250 mov eax, dword ptr fs:[00000030h] 7_2_017DA250
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_017A8243 mov eax, dword ptr fs:[00000030h] 7_2_017A8243
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_017A8243 mov ecx, dword ptr fs:[00000030h] 7_2_017A8243
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_0171823B mov eax, dword ptr fs:[00000030h] 7_2_0171823B
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_017302E1 mov eax, dword ptr fs:[00000030h] 7_2_017302E1
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_017302E1 mov eax, dword ptr fs:[00000030h] 7_2_017302E1
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_017302E1 mov eax, dword ptr fs:[00000030h] 7_2_017302E1
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_0172A2C3 mov eax, dword ptr fs:[00000030h] 7_2_0172A2C3
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_0172A2C3 mov eax, dword ptr fs:[00000030h] 7_2_0172A2C3
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_0172A2C3 mov eax, dword ptr fs:[00000030h] 7_2_0172A2C3
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_0172A2C3 mov eax, dword ptr fs:[00000030h] 7_2_0172A2C3
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_0172A2C3 mov eax, dword ptr fs:[00000030h] 7_2_0172A2C3
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_017302A0 mov eax, dword ptr fs:[00000030h] 7_2_017302A0
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_017302A0 mov eax, dword ptr fs:[00000030h] 7_2_017302A0
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_017B62A0 mov eax, dword ptr fs:[00000030h] 7_2_017B62A0
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_017B62A0 mov ecx, dword ptr fs:[00000030h] 7_2_017B62A0
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_017B62A0 mov eax, dword ptr fs:[00000030h] 7_2_017B62A0
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_017B62A0 mov eax, dword ptr fs:[00000030h] 7_2_017B62A0
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_017B62A0 mov eax, dword ptr fs:[00000030h] 7_2_017B62A0
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_017B62A0 mov eax, dword ptr fs:[00000030h] 7_2_017B62A0
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_0175E284 mov eax, dword ptr fs:[00000030h] 7_2_0175E284
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_0175E284 mov eax, dword ptr fs:[00000030h] 7_2_0175E284
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_017A0283 mov eax, dword ptr fs:[00000030h] 7_2_017A0283
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_017A0283 mov eax, dword ptr fs:[00000030h] 7_2_017A0283
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_017A0283 mov eax, dword ptr fs:[00000030h] 7_2_017A0283
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_0175656A mov eax, dword ptr fs:[00000030h] 7_2_0175656A
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_0175656A mov eax, dword ptr fs:[00000030h] 7_2_0175656A
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_0175656A mov eax, dword ptr fs:[00000030h] 7_2_0175656A
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_01728550 mov eax, dword ptr fs:[00000030h] 7_2_01728550
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_01728550 mov eax, dword ptr fs:[00000030h] 7_2_01728550
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_01730535 mov eax, dword ptr fs:[00000030h] 7_2_01730535
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_01730535 mov eax, dword ptr fs:[00000030h] 7_2_01730535
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_01730535 mov eax, dword ptr fs:[00000030h] 7_2_01730535
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_01730535 mov eax, dword ptr fs:[00000030h] 7_2_01730535
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_01730535 mov eax, dword ptr fs:[00000030h] 7_2_01730535
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_01730535 mov eax, dword ptr fs:[00000030h] 7_2_01730535
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_0174E53E mov eax, dword ptr fs:[00000030h] 7_2_0174E53E
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_0174E53E mov eax, dword ptr fs:[00000030h] 7_2_0174E53E
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_0174E53E mov eax, dword ptr fs:[00000030h] 7_2_0174E53E
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_0174E53E mov eax, dword ptr fs:[00000030h] 7_2_0174E53E
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_0174E53E mov eax, dword ptr fs:[00000030h] 7_2_0174E53E
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_017B6500 mov eax, dword ptr fs:[00000030h] 7_2_017B6500
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_017F4500 mov eax, dword ptr fs:[00000030h] 7_2_017F4500
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_017F4500 mov eax, dword ptr fs:[00000030h] 7_2_017F4500
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_017F4500 mov eax, dword ptr fs:[00000030h] 7_2_017F4500
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_017F4500 mov eax, dword ptr fs:[00000030h] 7_2_017F4500
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_017F4500 mov eax, dword ptr fs:[00000030h] 7_2_017F4500
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_017F4500 mov eax, dword ptr fs:[00000030h] 7_2_017F4500
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_017F4500 mov eax, dword ptr fs:[00000030h] 7_2_017F4500
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_017225E0 mov eax, dword ptr fs:[00000030h] 7_2_017225E0
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_0174E5E7 mov eax, dword ptr fs:[00000030h] 7_2_0174E5E7
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_0174E5E7 mov eax, dword ptr fs:[00000030h] 7_2_0174E5E7
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_0174E5E7 mov eax, dword ptr fs:[00000030h] 7_2_0174E5E7
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_0174E5E7 mov eax, dword ptr fs:[00000030h] 7_2_0174E5E7
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_0174E5E7 mov eax, dword ptr fs:[00000030h] 7_2_0174E5E7
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_0174E5E7 mov eax, dword ptr fs:[00000030h] 7_2_0174E5E7
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_0174E5E7 mov eax, dword ptr fs:[00000030h] 7_2_0174E5E7
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_0174E5E7 mov eax, dword ptr fs:[00000030h] 7_2_0174E5E7
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_0175C5ED mov eax, dword ptr fs:[00000030h] 7_2_0175C5ED
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_0175C5ED mov eax, dword ptr fs:[00000030h] 7_2_0175C5ED
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_017265D0 mov eax, dword ptr fs:[00000030h] 7_2_017265D0
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_0175A5D0 mov eax, dword ptr fs:[00000030h] 7_2_0175A5D0
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_0175A5D0 mov eax, dword ptr fs:[00000030h] 7_2_0175A5D0
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_0175E5CF mov eax, dword ptr fs:[00000030h] 7_2_0175E5CF
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_0175E5CF mov eax, dword ptr fs:[00000030h] 7_2_0175E5CF
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_017445B1 mov eax, dword ptr fs:[00000030h] 7_2_017445B1
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_017445B1 mov eax, dword ptr fs:[00000030h] 7_2_017445B1
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_017A05A7 mov eax, dword ptr fs:[00000030h] 7_2_017A05A7
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_017A05A7 mov eax, dword ptr fs:[00000030h] 7_2_017A05A7
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_017A05A7 mov eax, dword ptr fs:[00000030h] 7_2_017A05A7
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_0175E59C mov eax, dword ptr fs:[00000030h] 7_2_0175E59C
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_01722582 mov eax, dword ptr fs:[00000030h] 7_2_01722582
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_01722582 mov ecx, dword ptr fs:[00000030h] 7_2_01722582
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_01754588 mov eax, dword ptr fs:[00000030h] 7_2_01754588
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_0174A470 mov eax, dword ptr fs:[00000030h] 7_2_0174A470
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_0174A470 mov eax, dword ptr fs:[00000030h] 7_2_0174A470
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_0174A470 mov eax, dword ptr fs:[00000030h] 7_2_0174A470
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_017AC460 mov ecx, dword ptr fs:[00000030h] 7_2_017AC460
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_017DA456 mov eax, dword ptr fs:[00000030h] 7_2_017DA456
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_0171645D mov eax, dword ptr fs:[00000030h] 7_2_0171645D
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_0174245A mov eax, dword ptr fs:[00000030h] 7_2_0174245A
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_0175E443 mov eax, dword ptr fs:[00000030h] 7_2_0175E443
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_0175E443 mov eax, dword ptr fs:[00000030h] 7_2_0175E443
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_0175E443 mov eax, dword ptr fs:[00000030h] 7_2_0175E443
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_0175E443 mov eax, dword ptr fs:[00000030h] 7_2_0175E443
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_0175E443 mov eax, dword ptr fs:[00000030h] 7_2_0175E443
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_0175E443 mov eax, dword ptr fs:[00000030h] 7_2_0175E443
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_0175E443 mov eax, dword ptr fs:[00000030h] 7_2_0175E443
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_0175E443 mov eax, dword ptr fs:[00000030h] 7_2_0175E443
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_0175A430 mov eax, dword ptr fs:[00000030h] 7_2_0175A430
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_0171E420 mov eax, dword ptr fs:[00000030h] 7_2_0171E420
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_0171E420 mov eax, dword ptr fs:[00000030h] 7_2_0171E420
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_0171E420 mov eax, dword ptr fs:[00000030h] 7_2_0171E420
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_0171C427 mov eax, dword ptr fs:[00000030h] 7_2_0171C427
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_017A6420 mov eax, dword ptr fs:[00000030h] 7_2_017A6420
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_017A6420 mov eax, dword ptr fs:[00000030h] 7_2_017A6420
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_017A6420 mov eax, dword ptr fs:[00000030h] 7_2_017A6420
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_017A6420 mov eax, dword ptr fs:[00000030h] 7_2_017A6420
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_017A6420 mov eax, dword ptr fs:[00000030h] 7_2_017A6420
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_017A6420 mov eax, dword ptr fs:[00000030h] 7_2_017A6420
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_017A6420 mov eax, dword ptr fs:[00000030h] 7_2_017A6420
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_01758402 mov eax, dword ptr fs:[00000030h] 7_2_01758402
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_01758402 mov eax, dword ptr fs:[00000030h] 7_2_01758402
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_01758402 mov eax, dword ptr fs:[00000030h] 7_2_01758402
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_017204E5 mov ecx, dword ptr fs:[00000030h] 7_2_017204E5
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_017544B0 mov ecx, dword ptr fs:[00000030h] 7_2_017544B0
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_017AA4B0 mov eax, dword ptr fs:[00000030h] 7_2_017AA4B0
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_017264AB mov eax, dword ptr fs:[00000030h] 7_2_017264AB
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_017DA49A mov eax, dword ptr fs:[00000030h] 7_2_017DA49A
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_01728770 mov eax, dword ptr fs:[00000030h] 7_2_01728770
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_01730770 mov eax, dword ptr fs:[00000030h] 7_2_01730770
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_01730770 mov eax, dword ptr fs:[00000030h] 7_2_01730770
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_01730770 mov eax, dword ptr fs:[00000030h] 7_2_01730770
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_01730770 mov eax, dword ptr fs:[00000030h] 7_2_01730770
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_01730770 mov eax, dword ptr fs:[00000030h] 7_2_01730770
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_01730770 mov eax, dword ptr fs:[00000030h] 7_2_01730770
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_01730770 mov eax, dword ptr fs:[00000030h] 7_2_01730770
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_01730770 mov eax, dword ptr fs:[00000030h] 7_2_01730770
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_01730770 mov eax, dword ptr fs:[00000030h] 7_2_01730770
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_01730770 mov eax, dword ptr fs:[00000030h] 7_2_01730770
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_01730770 mov eax, dword ptr fs:[00000030h] 7_2_01730770
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_01730770 mov eax, dword ptr fs:[00000030h] 7_2_01730770
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_01720750 mov eax, dword ptr fs:[00000030h] 7_2_01720750
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_01762750 mov eax, dword ptr fs:[00000030h] 7_2_01762750
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_01762750 mov eax, dword ptr fs:[00000030h] 7_2_01762750
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_017AE75D mov eax, dword ptr fs:[00000030h] 7_2_017AE75D
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_017A4755 mov eax, dword ptr fs:[00000030h] 7_2_017A4755
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_0175674D mov esi, dword ptr fs:[00000030h] 7_2_0175674D
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_0175674D mov eax, dword ptr fs:[00000030h] 7_2_0175674D
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_0175674D mov eax, dword ptr fs:[00000030h] 7_2_0175674D
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_0175273C mov eax, dword ptr fs:[00000030h] 7_2_0175273C
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_0175273C mov ecx, dword ptr fs:[00000030h] 7_2_0175273C
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_0175273C mov eax, dword ptr fs:[00000030h] 7_2_0175273C
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_0179C730 mov eax, dword ptr fs:[00000030h] 7_2_0179C730
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_0175C720 mov eax, dword ptr fs:[00000030h] 7_2_0175C720
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_0175C720 mov eax, dword ptr fs:[00000030h] 7_2_0175C720
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_01720710 mov eax, dword ptr fs:[00000030h] 7_2_01720710
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_01750710 mov eax, dword ptr fs:[00000030h] 7_2_01750710
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_0175C700 mov eax, dword ptr fs:[00000030h] 7_2_0175C700
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_017247FB mov eax, dword ptr fs:[00000030h] 7_2_017247FB
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_017247FB mov eax, dword ptr fs:[00000030h] 7_2_017247FB
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_017427ED mov eax, dword ptr fs:[00000030h] 7_2_017427ED
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_017427ED mov eax, dword ptr fs:[00000030h] 7_2_017427ED
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_017427ED mov eax, dword ptr fs:[00000030h] 7_2_017427ED
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_017AE7E1 mov eax, dword ptr fs:[00000030h] 7_2_017AE7E1
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_0172C7C0 mov eax, dword ptr fs:[00000030h] 7_2_0172C7C0
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_017A07C3 mov eax, dword ptr fs:[00000030h] 7_2_017A07C3
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_017207AF mov eax, dword ptr fs:[00000030h] 7_2_017207AF
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_017D47A0 mov eax, dword ptr fs:[00000030h] 7_2_017D47A0
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_017C678E mov eax, dword ptr fs:[00000030h] 7_2_017C678E
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_01752674 mov eax, dword ptr fs:[00000030h] 7_2_01752674
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_017E866E mov eax, dword ptr fs:[00000030h] 7_2_017E866E
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_017E866E mov eax, dword ptr fs:[00000030h] 7_2_017E866E
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_0175A660 mov eax, dword ptr fs:[00000030h] 7_2_0175A660
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_0175A660 mov eax, dword ptr fs:[00000030h] 7_2_0175A660
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_0173C640 mov eax, dword ptr fs:[00000030h] 7_2_0173C640
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_0173E627 mov eax, dword ptr fs:[00000030h] 7_2_0173E627
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_01756620 mov eax, dword ptr fs:[00000030h] 7_2_01756620
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_01758620 mov eax, dword ptr fs:[00000030h] 7_2_01758620
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_0172262C mov eax, dword ptr fs:[00000030h] 7_2_0172262C
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_01762619 mov eax, dword ptr fs:[00000030h] 7_2_01762619
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_0179E609 mov eax, dword ptr fs:[00000030h] 7_2_0179E609
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_0173260B mov eax, dword ptr fs:[00000030h] 7_2_0173260B
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_0173260B mov eax, dword ptr fs:[00000030h] 7_2_0173260B
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_0173260B mov eax, dword ptr fs:[00000030h] 7_2_0173260B
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_0173260B mov eax, dword ptr fs:[00000030h] 7_2_0173260B
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_0173260B mov eax, dword ptr fs:[00000030h] 7_2_0173260B
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_0173260B mov eax, dword ptr fs:[00000030h] 7_2_0173260B
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_0173260B mov eax, dword ptr fs:[00000030h] 7_2_0173260B
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_0179E6F2 mov eax, dword ptr fs:[00000030h] 7_2_0179E6F2
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_0179E6F2 mov eax, dword ptr fs:[00000030h] 7_2_0179E6F2
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_0179E6F2 mov eax, dword ptr fs:[00000030h] 7_2_0179E6F2
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_0179E6F2 mov eax, dword ptr fs:[00000030h] 7_2_0179E6F2
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_017A06F1 mov eax, dword ptr fs:[00000030h] 7_2_017A06F1
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_017A06F1 mov eax, dword ptr fs:[00000030h] 7_2_017A06F1
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_0175A6C7 mov ebx, dword ptr fs:[00000030h] 7_2_0175A6C7
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_0175A6C7 mov eax, dword ptr fs:[00000030h] 7_2_0175A6C7
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_017566B0 mov eax, dword ptr fs:[00000030h] 7_2_017566B0
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_0175C6A6 mov eax, dword ptr fs:[00000030h] 7_2_0175C6A6
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_01724690 mov eax, dword ptr fs:[00000030h] 7_2_01724690
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_01724690 mov eax, dword ptr fs:[00000030h] 7_2_01724690
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_017C4978 mov eax, dword ptr fs:[00000030h] 7_2_017C4978
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_017C4978 mov eax, dword ptr fs:[00000030h] 7_2_017C4978
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_017AC97C mov eax, dword ptr fs:[00000030h] 7_2_017AC97C
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_01746962 mov eax, dword ptr fs:[00000030h] 7_2_01746962
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_01746962 mov eax, dword ptr fs:[00000030h] 7_2_01746962
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_01746962 mov eax, dword ptr fs:[00000030h] 7_2_01746962
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_0176096E mov eax, dword ptr fs:[00000030h] 7_2_0176096E
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_0176096E mov edx, dword ptr fs:[00000030h] 7_2_0176096E
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_0176096E mov eax, dword ptr fs:[00000030h] 7_2_0176096E
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_017A0946 mov eax, dword ptr fs:[00000030h] 7_2_017A0946
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_017A892A mov eax, dword ptr fs:[00000030h] 7_2_017A892A
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_017B892B mov eax, dword ptr fs:[00000030h] 7_2_017B892B
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_017AC912 mov eax, dword ptr fs:[00000030h] 7_2_017AC912
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_01718918 mov eax, dword ptr fs:[00000030h] 7_2_01718918
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_01718918 mov eax, dword ptr fs:[00000030h] 7_2_01718918
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_0179E908 mov eax, dword ptr fs:[00000030h] 7_2_0179E908
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_0179E908 mov eax, dword ptr fs:[00000030h] 7_2_0179E908
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_017529F9 mov eax, dword ptr fs:[00000030h] 7_2_017529F9
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_017529F9 mov eax, dword ptr fs:[00000030h] 7_2_017529F9
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_017AE9E0 mov eax, dword ptr fs:[00000030h] 7_2_017AE9E0
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_0172A9D0 mov eax, dword ptr fs:[00000030h] 7_2_0172A9D0
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_0172A9D0 mov eax, dword ptr fs:[00000030h] 7_2_0172A9D0
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_0172A9D0 mov eax, dword ptr fs:[00000030h] 7_2_0172A9D0
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_0172A9D0 mov eax, dword ptr fs:[00000030h] 7_2_0172A9D0
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_0172A9D0 mov eax, dword ptr fs:[00000030h] 7_2_0172A9D0
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_0172A9D0 mov eax, dword ptr fs:[00000030h] 7_2_0172A9D0
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_017549D0 mov eax, dword ptr fs:[00000030h] 7_2_017549D0
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_017EA9D3 mov eax, dword ptr fs:[00000030h] 7_2_017EA9D3
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_017B69C0 mov eax, dword ptr fs:[00000030h] 7_2_017B69C0
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_017A89B3 mov esi, dword ptr fs:[00000030h] 7_2_017A89B3
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_017A89B3 mov eax, dword ptr fs:[00000030h] 7_2_017A89B3
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_017A89B3 mov eax, dword ptr fs:[00000030h] 7_2_017A89B3
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_017329A0 mov eax, dword ptr fs:[00000030h] 7_2_017329A0
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_017329A0 mov eax, dword ptr fs:[00000030h] 7_2_017329A0
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_017329A0 mov eax, dword ptr fs:[00000030h] 7_2_017329A0
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_017329A0 mov eax, dword ptr fs:[00000030h] 7_2_017329A0
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_017329A0 mov eax, dword ptr fs:[00000030h] 7_2_017329A0
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_017329A0 mov eax, dword ptr fs:[00000030h] 7_2_017329A0
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_017329A0 mov eax, dword ptr fs:[00000030h] 7_2_017329A0
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_017329A0 mov eax, dword ptr fs:[00000030h] 7_2_017329A0
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_017329A0 mov eax, dword ptr fs:[00000030h] 7_2_017329A0
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_017329A0 mov eax, dword ptr fs:[00000030h] 7_2_017329A0
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_017329A0 mov eax, dword ptr fs:[00000030h] 7_2_017329A0
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_017329A0 mov eax, dword ptr fs:[00000030h] 7_2_017329A0
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_017329A0 mov eax, dword ptr fs:[00000030h] 7_2_017329A0
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_017209AD mov eax, dword ptr fs:[00000030h] 7_2_017209AD
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_017209AD mov eax, dword ptr fs:[00000030h] 7_2_017209AD
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_017AE872 mov eax, dword ptr fs:[00000030h] 7_2_017AE872
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_017AE872 mov eax, dword ptr fs:[00000030h] 7_2_017AE872
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_017B6870 mov eax, dword ptr fs:[00000030h] 7_2_017B6870
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_017B6870 mov eax, dword ptr fs:[00000030h] 7_2_017B6870
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_01750854 mov eax, dword ptr fs:[00000030h] 7_2_01750854
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_01724859 mov eax, dword ptr fs:[00000030h] 7_2_01724859
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_01724859 mov eax, dword ptr fs:[00000030h] 7_2_01724859
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_01732840 mov ecx, dword ptr fs:[00000030h] 7_2_01732840
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_01742835 mov eax, dword ptr fs:[00000030h] 7_2_01742835
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_01742835 mov eax, dword ptr fs:[00000030h] 7_2_01742835
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_01742835 mov eax, dword ptr fs:[00000030h] 7_2_01742835
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_01742835 mov ecx, dword ptr fs:[00000030h] 7_2_01742835
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_01742835 mov eax, dword ptr fs:[00000030h] 7_2_01742835
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_01742835 mov eax, dword ptr fs:[00000030h] 7_2_01742835
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_0175A830 mov eax, dword ptr fs:[00000030h] 7_2_0175A830
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_017C483A mov eax, dword ptr fs:[00000030h] 7_2_017C483A
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_017C483A mov eax, dword ptr fs:[00000030h] 7_2_017C483A
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_017AC810 mov eax, dword ptr fs:[00000030h] 7_2_017AC810
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_0175C8F9 mov eax, dword ptr fs:[00000030h] 7_2_0175C8F9
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_0175C8F9 mov eax, dword ptr fs:[00000030h] 7_2_0175C8F9
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_017EA8E4 mov eax, dword ptr fs:[00000030h] 7_2_017EA8E4
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_0174E8C0 mov eax, dword ptr fs:[00000030h] 7_2_0174E8C0
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_017AC89D mov eax, dword ptr fs:[00000030h] 7_2_017AC89D
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_01720887 mov eax, dword ptr fs:[00000030h] 7_2_01720887
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_0171CB7E mov eax, dword ptr fs:[00000030h] 7_2_0171CB7E
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_017CEB50 mov eax, dword ptr fs:[00000030h] 7_2_017CEB50
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_017D4B4B mov eax, dword ptr fs:[00000030h] 7_2_017D4B4B
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_017D4B4B mov eax, dword ptr fs:[00000030h] 7_2_017D4B4B
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_017B6B40 mov eax, dword ptr fs:[00000030h] 7_2_017B6B40
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_017B6B40 mov eax, dword ptr fs:[00000030h] 7_2_017B6B40
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_017EAB40 mov eax, dword ptr fs:[00000030h] 7_2_017EAB40
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_017C8B42 mov eax, dword ptr fs:[00000030h] 7_2_017C8B42
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_0174EB20 mov eax, dword ptr fs:[00000030h] 7_2_0174EB20
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_0174EB20 mov eax, dword ptr fs:[00000030h] 7_2_0174EB20
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_017E8B28 mov eax, dword ptr fs:[00000030h] 7_2_017E8B28
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_017E8B28 mov eax, dword ptr fs:[00000030h] 7_2_017E8B28
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_0179EB1D mov eax, dword ptr fs:[00000030h] 7_2_0179EB1D
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_0179EB1D mov eax, dword ptr fs:[00000030h] 7_2_0179EB1D
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_0179EB1D mov eax, dword ptr fs:[00000030h] 7_2_0179EB1D
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_0179EB1D mov eax, dword ptr fs:[00000030h] 7_2_0179EB1D
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_0179EB1D mov eax, dword ptr fs:[00000030h] 7_2_0179EB1D
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_0179EB1D mov eax, dword ptr fs:[00000030h] 7_2_0179EB1D
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_0179EB1D mov eax, dword ptr fs:[00000030h] 7_2_0179EB1D
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_0179EB1D mov eax, dword ptr fs:[00000030h] 7_2_0179EB1D
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_0179EB1D mov eax, dword ptr fs:[00000030h] 7_2_0179EB1D
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_01728BF0 mov eax, dword ptr fs:[00000030h] 7_2_01728BF0
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_01728BF0 mov eax, dword ptr fs:[00000030h] 7_2_01728BF0
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_01728BF0 mov eax, dword ptr fs:[00000030h] 7_2_01728BF0
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_0174EBFC mov eax, dword ptr fs:[00000030h] 7_2_0174EBFC
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_017ACBF0 mov eax, dword ptr fs:[00000030h] 7_2_017ACBF0
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_017CEBD0 mov eax, dword ptr fs:[00000030h] 7_2_017CEBD0
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_01740BCB mov eax, dword ptr fs:[00000030h] 7_2_01740BCB
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_01740BCB mov eax, dword ptr fs:[00000030h] 7_2_01740BCB
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_01740BCB mov eax, dword ptr fs:[00000030h] 7_2_01740BCB
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_01720BCD mov eax, dword ptr fs:[00000030h] 7_2_01720BCD
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_01720BCD mov eax, dword ptr fs:[00000030h] 7_2_01720BCD
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_01720BCD mov eax, dword ptr fs:[00000030h] 7_2_01720BCD
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_01730BBE mov eax, dword ptr fs:[00000030h] 7_2_01730BBE
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_01730BBE mov eax, dword ptr fs:[00000030h] 7_2_01730BBE
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_017D4BB0 mov eax, dword ptr fs:[00000030h] 7_2_017D4BB0
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_017D4BB0 mov eax, dword ptr fs:[00000030h] 7_2_017D4BB0
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_0179CA72 mov eax, dword ptr fs:[00000030h] 7_2_0179CA72
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_0179CA72 mov eax, dword ptr fs:[00000030h] 7_2_0179CA72
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_0175CA6F mov eax, dword ptr fs:[00000030h] 7_2_0175CA6F
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_0175CA6F mov eax, dword ptr fs:[00000030h] 7_2_0175CA6F
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_0175CA6F mov eax, dword ptr fs:[00000030h] 7_2_0175CA6F
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_017CEA60 mov eax, dword ptr fs:[00000030h] 7_2_017CEA60
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_01726A50 mov eax, dword ptr fs:[00000030h] 7_2_01726A50
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_01726A50 mov eax, dword ptr fs:[00000030h] 7_2_01726A50
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_01726A50 mov eax, dword ptr fs:[00000030h] 7_2_01726A50
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_01726A50 mov eax, dword ptr fs:[00000030h] 7_2_01726A50
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_01726A50 mov eax, dword ptr fs:[00000030h] 7_2_01726A50
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_01726A50 mov eax, dword ptr fs:[00000030h] 7_2_01726A50
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_01726A50 mov eax, dword ptr fs:[00000030h] 7_2_01726A50
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_01730A5B mov eax, dword ptr fs:[00000030h] 7_2_01730A5B
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_01730A5B mov eax, dword ptr fs:[00000030h] 7_2_01730A5B
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_01744A35 mov eax, dword ptr fs:[00000030h] 7_2_01744A35
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_01744A35 mov eax, dword ptr fs:[00000030h] 7_2_01744A35
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_0175CA38 mov eax, dword ptr fs:[00000030h] 7_2_0175CA38
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_0175CA24 mov eax, dword ptr fs:[00000030h] 7_2_0175CA24
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_0174EA2E mov eax, dword ptr fs:[00000030h] 7_2_0174EA2E
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_017ACA11 mov eax, dword ptr fs:[00000030h] 7_2_017ACA11
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_0175AAEE mov eax, dword ptr fs:[00000030h] 7_2_0175AAEE
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_0175AAEE mov eax, dword ptr fs:[00000030h] 7_2_0175AAEE
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_01720AD0 mov eax, dword ptr fs:[00000030h] 7_2_01720AD0
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_01754AD0 mov eax, dword ptr fs:[00000030h] 7_2_01754AD0
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_01754AD0 mov eax, dword ptr fs:[00000030h] 7_2_01754AD0
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_01776ACC mov eax, dword ptr fs:[00000030h] 7_2_01776ACC
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_01776ACC mov eax, dword ptr fs:[00000030h] 7_2_01776ACC
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_01776ACC mov eax, dword ptr fs:[00000030h] 7_2_01776ACC
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_01728AA0 mov eax, dword ptr fs:[00000030h] 7_2_01728AA0
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_01728AA0 mov eax, dword ptr fs:[00000030h] 7_2_01728AA0
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_01776AA4 mov eax, dword ptr fs:[00000030h] 7_2_01776AA4
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_01758A90 mov edx, dword ptr fs:[00000030h] 7_2_01758A90
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_0172EA80 mov eax, dword ptr fs:[00000030h] 7_2_0172EA80
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_0172EA80 mov eax, dword ptr fs:[00000030h] 7_2_0172EA80
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_0172EA80 mov eax, dword ptr fs:[00000030h] 7_2_0172EA80
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_0172EA80 mov eax, dword ptr fs:[00000030h] 7_2_0172EA80
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_0172EA80 mov eax, dword ptr fs:[00000030h] 7_2_0172EA80
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_0172EA80 mov eax, dword ptr fs:[00000030h] 7_2_0172EA80
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_0172EA80 mov eax, dword ptr fs:[00000030h] 7_2_0172EA80
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_0172EA80 mov eax, dword ptr fs:[00000030h] 7_2_0172EA80
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_0172EA80 mov eax, dword ptr fs:[00000030h] 7_2_0172EA80
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_017F4A80 mov eax, dword ptr fs:[00000030h] 7_2_017F4A80
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_017B8D6B mov eax, dword ptr fs:[00000030h] 7_2_017B8D6B
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_01720D59 mov eax, dword ptr fs:[00000030h] 7_2_01720D59
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_01720D59 mov eax, dword ptr fs:[00000030h] 7_2_01720D59
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_01720D59 mov eax, dword ptr fs:[00000030h] 7_2_01720D59
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_01728D59 mov eax, dword ptr fs:[00000030h] 7_2_01728D59
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_01728D59 mov eax, dword ptr fs:[00000030h] 7_2_01728D59
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Code function: 7_2_01728D59 mov eax, dword ptr fs:[00000030h] 7_2_01728D59
Enables debug privileges
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion
barindex
Adds a directory exclusion to Windows Defender
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Doc 1Z881A080453968203.exe"
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Doc 1Z881A080453968203.exe" Jump to behavior
Found direct / indirect Syscall (likely to bypass EDR)
Source: C:\Program Files (x86)\xIOtVlNOKTJJgUmrxRSjaUaTfeifqxOizQOAJxzktpgFM\ShWVPkMdEfalHck.exe NtCreateMutant: Direct from: 0x774635CC Jump to behavior
Source: C:\Program Files (x86)\xIOtVlNOKTJJgUmrxRSjaUaTfeifqxOizQOAJxzktpgFM\ShWVPkMdEfalHck.exe NtWriteVirtualMemory: Direct from: 0x77462E3C Jump to behavior
Source: C:\Program Files (x86)\xIOtVlNOKTJJgUmrxRSjaUaTfeifqxOizQOAJxzktpgFM\ShWVPkMdEfalHck.exe NtMapViewOfSection: Direct from: 0x77462D1C Jump to behavior
Source: C:\Program Files (x86)\xIOtVlNOKTJJgUmrxRSjaUaTfeifqxOizQOAJxzktpgFM\ShWVPkMdEfalHck.exe NtResumeThread: Direct from: 0x774636AC Jump to behavior
Source: C:\Program Files (x86)\xIOtVlNOKTJJgUmrxRSjaUaTfeifqxOizQOAJxzktpgFM\ShWVPkMdEfalHck.exe NtProtectVirtualMemory: Direct from: 0x77462F9C Jump to behavior
Source: C:\Program Files (x86)\xIOtVlNOKTJJgUmrxRSjaUaTfeifqxOizQOAJxzktpgFM\ShWVPkMdEfalHck.exe NtSetInformationProcess: Direct from: 0x77462C5C Jump to behavior
Source: C:\Program Files (x86)\xIOtVlNOKTJJgUmrxRSjaUaTfeifqxOizQOAJxzktpgFM\ShWVPkMdEfalHck.exe NtSetInformationThread: Direct from: 0x774563F9 Jump to behavior
Source: C:\Program Files (x86)\xIOtVlNOKTJJgUmrxRSjaUaTfeifqxOizQOAJxzktpgFM\ShWVPkMdEfalHck.exe NtNotifyChangeKey: Direct from: 0x77463C2C Jump to behavior
Source: C:\Program Files (x86)\xIOtVlNOKTJJgUmrxRSjaUaTfeifqxOizQOAJxzktpgFM\ShWVPkMdEfalHck.exe NtProtectVirtualMemory: Direct from: 0x77457B2E Jump to behavior
Source: C:\Program Files (x86)\xIOtVlNOKTJJgUmrxRSjaUaTfeifqxOizQOAJxzktpgFM\ShWVPkMdEfalHck.exe NtAllocateVirtualMemory: Direct from: 0x77462BFC Jump to behavior
Source: C:\Program Files (x86)\xIOtVlNOKTJJgUmrxRSjaUaTfeifqxOizQOAJxzktpgFM\ShWVPkMdEfalHck.exe NtQueryInformationProcess: Direct from: 0x77462C26 Jump to behavior
Source: C:\Program Files (x86)\xIOtVlNOKTJJgUmrxRSjaUaTfeifqxOizQOAJxzktpgFM\ShWVPkMdEfalHck.exe NtResumeThread: Direct from: 0x77462FBC Jump to behavior
Source: C:\Program Files (x86)\xIOtVlNOKTJJgUmrxRSjaUaTfeifqxOizQOAJxzktpgFM\ShWVPkMdEfalHck.exe NtReadFile: Direct from: 0x77462ADC Jump to behavior
Source: C:\Program Files (x86)\xIOtVlNOKTJJgUmrxRSjaUaTfeifqxOizQOAJxzktpgFM\ShWVPkMdEfalHck.exe NtQuerySystemInformation: Direct from: 0x77462DFC Jump to behavior
Source: C:\Program Files (x86)\xIOtVlNOKTJJgUmrxRSjaUaTfeifqxOizQOAJxzktpgFM\ShWVPkMdEfalHck.exe NtDelayExecution: Direct from: 0x77462DDC Jump to behavior
Source: C:\Program Files (x86)\xIOtVlNOKTJJgUmrxRSjaUaTfeifqxOizQOAJxzktpgFM\ShWVPkMdEfalHck.exe NtAllocateVirtualMemory: Direct from: 0x77463C9C Jump to behavior
Source: C:\Program Files (x86)\xIOtVlNOKTJJgUmrxRSjaUaTfeifqxOizQOAJxzktpgFM\ShWVPkMdEfalHck.exe NtClose: Direct from: 0x77462B6C
Source: C:\Program Files (x86)\xIOtVlNOKTJJgUmrxRSjaUaTfeifqxOizQOAJxzktpgFM\ShWVPkMdEfalHck.exe NtCreateUserProcess: Direct from: 0x7746371C Jump to behavior
Source: C:\Program Files (x86)\xIOtVlNOKTJJgUmrxRSjaUaTfeifqxOizQOAJxzktpgFM\ShWVPkMdEfalHck.exe NtWriteVirtualMemory: Direct from: 0x7746490C Jump to behavior
Source: C:\Program Files (x86)\xIOtVlNOKTJJgUmrxRSjaUaTfeifqxOizQOAJxzktpgFM\ShWVPkMdEfalHck.exe NtAllocateVirtualMemory: Direct from: 0x774648EC Jump to behavior
Source: C:\Program Files (x86)\xIOtVlNOKTJJgUmrxRSjaUaTfeifqxOizQOAJxzktpgFM\ShWVPkMdEfalHck.exe NtQuerySystemInformation: Direct from: 0x774648CC Jump to behavior
Source: C:\Program Files (x86)\xIOtVlNOKTJJgUmrxRSjaUaTfeifqxOizQOAJxzktpgFM\ShWVPkMdEfalHck.exe NtQueryVolumeInformationFile: Direct from: 0x77462F2C Jump to behavior
Source: C:\Program Files (x86)\xIOtVlNOKTJJgUmrxRSjaUaTfeifqxOizQOAJxzktpgFM\ShWVPkMdEfalHck.exe NtReadVirtualMemory: Direct from: 0x77462E8C Jump to behavior
Source: C:\Program Files (x86)\xIOtVlNOKTJJgUmrxRSjaUaTfeifqxOizQOAJxzktpgFM\ShWVPkMdEfalHck.exe NtCreateKey: Direct from: 0x77462C6C Jump to behavior
Source: C:\Program Files (x86)\xIOtVlNOKTJJgUmrxRSjaUaTfeifqxOizQOAJxzktpgFM\ShWVPkMdEfalHck.exe NtSetInformationThread: Direct from: 0x77462B4C Jump to behavior
Source: C:\Program Files (x86)\xIOtVlNOKTJJgUmrxRSjaUaTfeifqxOizQOAJxzktpgFM\ShWVPkMdEfalHck.exe NtQueryAttributesFile: Direct from: 0x77462E6C Jump to behavior
Source: C:\Program Files (x86)\xIOtVlNOKTJJgUmrxRSjaUaTfeifqxOizQOAJxzktpgFM\ShWVPkMdEfalHck.exe NtDeviceIoControlFile: Direct from: 0x77462AEC Jump to behavior
Source: C:\Program Files (x86)\xIOtVlNOKTJJgUmrxRSjaUaTfeifqxOizQOAJxzktpgFM\ShWVPkMdEfalHck.exe NtOpenSection: Direct from: 0x77462E0C Jump to behavior
Source: C:\Program Files (x86)\xIOtVlNOKTJJgUmrxRSjaUaTfeifqxOizQOAJxzktpgFM\ShWVPkMdEfalHck.exe NtCreateFile: Direct from: 0x77462FEC Jump to behavior
Source: C:\Program Files (x86)\xIOtVlNOKTJJgUmrxRSjaUaTfeifqxOizQOAJxzktpgFM\ShWVPkMdEfalHck.exe NtOpenFile: Direct from: 0x77462DCC Jump to behavior
Source: C:\Program Files (x86)\xIOtVlNOKTJJgUmrxRSjaUaTfeifqxOizQOAJxzktpgFM\ShWVPkMdEfalHck.exe NtQueryInformationToken: Direct from: 0x77462CAC Jump to behavior
Source: C:\Program Files (x86)\xIOtVlNOKTJJgUmrxRSjaUaTfeifqxOizQOAJxzktpgFM\ShWVPkMdEfalHck.exe NtTerminateThread: Direct from: 0x77462FCC Jump to behavior
Source: C:\Program Files (x86)\xIOtVlNOKTJJgUmrxRSjaUaTfeifqxOizQOAJxzktpgFM\ShWVPkMdEfalHck.exe NtAllocateVirtualMemory: Direct from: 0x77462BEC Jump to behavior
Source: C:\Program Files (x86)\xIOtVlNOKTJJgUmrxRSjaUaTfeifqxOizQOAJxzktpgFM\ShWVPkMdEfalHck.exe NtOpenKeyEx: Direct from: 0x77462B9C Jump to behavior
Maps a DLL or memory area into another process
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Section loaded: NULL target: C:\Program Files (x86)\xIOtVlNOKTJJgUmrxRSjaUaTfeifqxOizQOAJxzktpgFM\ShWVPkMdEfalHck.exe protection: execute and read and write Jump to behavior
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Section loaded: NULL target: C:\Windows\SysWOW64\cttune.exe protection: execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe Section loaded: NULL target: C:\Program Files (x86)\xIOtVlNOKTJJgUmrxRSjaUaTfeifqxOizQOAJxzktpgFM\ShWVPkMdEfalHck.exe protection: read write Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe Section loaded: NULL target: C:\Program Files (x86)\xIOtVlNOKTJJgUmrxRSjaUaTfeifqxOizQOAJxzktpgFM\ShWVPkMdEfalHck.exe protection: execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write Jump to behavior
Modifies the context of a thread in another process (thread injection)
Source: C:\Windows\SysWOW64\cttune.exe Thread register set: target process: 3568 Jump to behavior
Queues an APC in another process (thread injection)
Source: C:\Windows\SysWOW64\cttune.exe Thread APC queued: target process: C:\Program Files (x86)\xIOtVlNOKTJJgUmrxRSjaUaTfeifqxOizQOAJxzktpgFM\ShWVPkMdEfalHck.exe Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Doc 1Z881A080453968203.exe" Jump to behavior
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Process created: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe "C:\Users\user\Desktop\Doc 1Z881A080453968203.exe" Jump to behavior
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Process created: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe "C:\Users\user\Desktop\Doc 1Z881A080453968203.exe" Jump to behavior
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Process created: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe "C:\Users\user\Desktop\Doc 1Z881A080453968203.exe" Jump to behavior
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Process created: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe "C:\Users\user\Desktop\Doc 1Z881A080453968203.exe" Jump to behavior
Source: C:\Program Files (x86)\xIOtVlNOKTJJgUmrxRSjaUaTfeifqxOizQOAJxzktpgFM\ShWVPkMdEfalHck.exe Process created: C:\Windows\SysWOW64\cttune.exe "C:\Windows\SysWOW64\cttune.exe" Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe" Jump to behavior
Source: ShWVPkMdEfalHck.exe, 0000000D.00000000.1945871071.0000000000EC0000.00000002.00000001.00040000.00000000.sdmp, ShWVPkMdEfalHck.exe, 0000000D.00000002.2601034788.0000000000EC0000.00000002.00000001.00040000.00000000.sdmp, ShWVPkMdEfalHck.exe, 0000000F.00000002.2601373900.00000000013A0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Shell_TrayWnd
Source: ShWVPkMdEfalHck.exe, 0000000D.00000000.1945871071.0000000000EC0000.00000002.00000001.00040000.00000000.sdmp, ShWVPkMdEfalHck.exe, 0000000D.00000002.2601034788.0000000000EC0000.00000002.00000001.00040000.00000000.sdmp, ShWVPkMdEfalHck.exe, 0000000F.00000002.2601373900.00000000013A0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progman
Source: ShWVPkMdEfalHck.exe, 0000000D.00000000.1945871071.0000000000EC0000.00000002.00000001.00040000.00000000.sdmp, ShWVPkMdEfalHck.exe, 0000000D.00000002.2601034788.0000000000EC0000.00000002.00000001.00040000.00000000.sdmp, ShWVPkMdEfalHck.exe, 0000000F.00000002.2601373900.00000000013A0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: 0Program Manager
Source: ShWVPkMdEfalHck.exe, 0000000D.00000000.1945871071.0000000000EC0000.00000002.00000001.00040000.00000000.sdmp, ShWVPkMdEfalHck.exe, 0000000D.00000002.2601034788.0000000000EC0000.00000002.00000001.00040000.00000000.sdmp, ShWVPkMdEfalHck.exe, 0000000F.00000002.2601373900.00000000013A0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progmanlock
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Queries volume information: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Doc 1Z881A080453968203.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information
barindex
Yara detected FormBook
Source: Yara match File source: 7.2.Doc 1Z881A080453968203.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.Doc 1Z881A080453968203.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000F.00000002.2600975698.0000000000F10000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2038647178.0000000001A80000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2037292581.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.2601515677.00000000033E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.2601810779.0000000004CA0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.2599613488.0000000002F00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2038799247.00000000025F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.2601294723.0000000002DC0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Yara detected PureLog Stealer
Source: Yara match File source: 0.2.Doc 1Z881A080453968203.exe.2ed747c.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Doc 1Z881A080453968203.exe.2ec6804.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Doc 1Z881A080453968203.exe.5680000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Doc 1Z881A080453968203.exe.5680000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Doc 1Z881A080453968203.exe.2ed747c.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Doc 1Z881A080453968203.exe.2e935e0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Doc 1Z881A080453968203.exe.2ec6804.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Doc 1Z881A080453968203.exe.3119640.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Doc 1Z881A080453968203.exe.311b658.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Doc 1Z881A080453968203.exe.3118628.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.1417000725.0000000005680000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1414525368.0000000002E71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1414525368.00000000030DE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Windows\SysWOW64\cttune.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data Jump to behavior
Source: C:\Windows\SysWOW64\cttune.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies Jump to behavior
Tries to steal Mail credentials (via file / registry access)
Source: C:\Windows\SysWOW64\cttune.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\ Jump to behavior

Remote Access Functionality
barindex
Yara detected FormBook
Source: Yara match File source: 7.2.Doc 1Z881A080453968203.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.Doc 1Z881A080453968203.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000F.00000002.2600975698.0000000000F10000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2038647178.0000000001A80000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2037292581.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.2601515677.00000000033E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.2601810779.0000000004CA0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.2599613488.0000000002F00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2038799247.00000000025F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.2601294723.0000000002DC0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Yara detected PureLog Stealer
Source: Yara match File source: 0.2.Doc 1Z881A080453968203.exe.2ed747c.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Doc 1Z881A080453968203.exe.2ec6804.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Doc 1Z881A080453968203.exe.5680000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Doc 1Z881A080453968203.exe.5680000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Doc 1Z881A080453968203.exe.2ed747c.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Doc 1Z881A080453968203.exe.2e935e0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Doc 1Z881A080453968203.exe.2ec6804.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Doc 1Z881A080453968203.exe.3119640.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Doc 1Z881A080453968203.exe.311b658.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Doc 1Z881A080453968203.exe.3118628.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.1417000725.0000000005680000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1414525368.0000000002E71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1414525368.00000000030DE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1436308 Sample: Doc 1Z881A080453968203.exe Startdate: 04/05/2024 Architecture: WINDOWS Score: 100 36 www.ty8yd.us 2->36 38 www.tehranrizcomputer.com 2->38 40 2 other IPs or domains 2->40 48 Snort IDS alert for network traffic 2->48 50 Malicious sample detected (through community Yara rule) 2->50 52 Antivirus detection for URL or domain 2->52 54 10 other signatures 2->54 10 Doc 1Z881A080453968203.exe 4 2->10         started        signatures3 process4 signatures5 58 Adds a directory exclusion to Windows Defender 10->58 13 Doc 1Z881A080453968203.exe 10->13         started        16 powershell.exe 23 10->16         started        18 Doc 1Z881A080453968203.exe 10->18         started        20 2 other processes 10->20 process6 signatures7 68 Maps a DLL or memory area into another process 13->68 22 ShWVPkMdEfalHck.exe 13->22 injected 70 Loading BitLocker PowerShell Module 16->70 25 conhost.exe 16->25         started        process8 signatures9 56 Found direct / indirect Syscall (likely to bypass EDR) 22->56 27 cttune.exe 13 22->27         started        process10 signatures11 60 Tries to steal Mail credentials (via file / registry access) 27->60 62 Tries to harvest and steal browser information (history, passwords, etc) 27->62 64 Modifies the context of a thread in another process (thread injection) 27->64 66 2 other signatures 27->66 30 ShWVPkMdEfalHck.exe 27->30 injected 34 firefox.exe 27->34         started        process12 dnsIp13 42 tehranrizcomputer.com 87.107.55.55, 49710, 49711, 49712 SINET-ASAccessServiceProviderIR Iran (ISLAMIC Republic Of) 30->42 44 www.ty8yd.us 91.195.240.123, 49709, 80 SEDO-ASDE Germany 30->44 46 www.coppercookwarekitchen.com 35.215.179.87, 49714, 49715, 49716 GOOGLE-2US United States 30->46 72 Found direct / indirect Syscall (likely to bypass EDR) 30->72 signatures14
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
87.107.55.55
 tehranrizcomputer.com Iran (ISLAMIC Republic Of)
21341 SINET-ASAccessServiceProviderIR true
35.215.179.87
 www.coppercookwarekitchen.com United States
19527 GOOGLE-2US true
91.195.240.123
 www.ty8yd.us Germany
47846 SEDO-ASDE true

Contacted Domains

Name IP Active
www.coppercookwarekitchen.com 35.215.179.87 true
www.ty8yd.us 91.195.240.123 true
tehranrizcomputer.com 87.107.55.55 true
www.tehranrizcomputer.com unknown unknown

Contacted URLs

Name Malicious Antivirus Detection Reputation
http://www.ty8yd.us/gtit/?h2hLp=lXUTv2j8Xvb&6t=7JoAjWU6fcQ7CNTtX/U31Su9rRPUkr/mRT6nto1Tw/3EsD0jLMtc/bvrMEH2PX3CJD1RySmx+2JNj33ZBcO0uuHomTTQmPBBQgDcEfgCf/hj3/XBz9l0dPBO2TTZTjDWug== true
  • Avira URL Cloud: safe
 unknown
http://www.tehranrizcomputer.com/gtit/ true
  • Avira URL Cloud: safe
 unknown
http://www.tehranrizcomputer.com/gtit/?6t=MgfHm/AWJcZtJWhW2C0E/J+QQ7KNY47B4fJU/YR8UcoonAYwvhq6NXdlvEESKTg86057McGoCNEDbpDsB8WVIewJXmm9gpc24T96Iv1w6gUl0XtnH9Aw4uL+4GJqM1s/fA==&h2hLp=lXUTv2j8Xvb true
  • Avira URL Cloud: safe
 unknown
http://www.coppercookwarekitchen.com/gtit/ true
  • Avira URL Cloud: malware
 unknown