Windows Analysis Report
mQY9ka5sW6hv2Ri.exe

Overview

General Information

Sample name: mQY9ka5sW6hv2Ri.exe
Analysis ID: 1465619
MD5: e97620420d37596704d9f4fa70303453
SHA1: 533b98b289ba07c446f8350950fdbee2ab39dcf2
SHA256: a5a3067e6a3c4e957152655df5c68ce4db77f8308feff43c53e7535031033be5
Tags: exe
Infos:

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Yara detected AntiVM3
Yara detected FormBook
.NET source code contains potential unpacker
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found direct / indirect Syscall (likely to bypass EDR)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Switches to a custom stack to bypass stack traces
Tries to detect virtualization through RDTSC time measurements
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

AV Detection
barindex
Antivirus / Scanner detection for submitted sample
Source: mQY9ka5sW6hv2Ri.exe Avira: detected
Found malware configuration
Source: 00000006.00000002.4091996606.0000000004650000.00000004.00000800.00020000.00000000.sdmp Malware Configuration Extractor: FormBook {"C2 list": ["www.cpuk-finance.com/dy13/"], "decoy": ["manga-house.com", "kjsdhklssk51.xyz", "b0ba138.xyz", "bt365033.com", "ccbsinc.net", "mrwine.xyz", "nrxkrd527o.xyz", "hoshi.social", "1912ai.com", "serco2020.com", "byfchfyr.xyz", "imuschestvostorgov.online", "austinheafey.com", "mrdfa.club", "883106.photos", "profitablefxmarkets.com", "taini00.net", "brye.top", "ginsm.com", "sportglid.com", "hdretailllc.com", "umeshraja.com", "bum-arch.com", "carefulapp.com", "kjqlq.top", "3dsciagames.com", "520yhy.com", "magahatinu.com", "freedompopo.com", "directgaragedoor.com", "tyupok.xyz", "thecrystore.com", "camperelektrikde.shop", "soloparentconnect.com", "sonderfullcoaching.com", "jesuscrewofficial.com", "oioc.xyz", "assineunitv.com", "whysco.com", "484844.vip", "gdctus840t.top", "acc-pay.top", "bdsmnutzbar.info", "sdplat.media", "cioncarp4213.com", "facecasino2.top", "bankablebark.com", "gulerweb.online", "radheyranidailyproduct.com", "fin4d-sl.com", "northshorehousekeeping.com", "femmeteefatale.com", "d0ge6or54x07cfn.xyz", "craftwhirl.com", "kgfna.biz", "real-estate-96841.bond", "cfuhtkwo.xyz", "nestormediaproduction.com", "txglobedev.com", "kermoal.dev", "yr8gl32.vip", "bathroomremodelnearyou.today", "nearmeacupuncture.com", "chicstop.store"]}
Multi AV Scanner detection for submitted file
Source: mQY9ka5sW6hv2Ri.exe ReversingLabs: Detection: 31%
Yara detected FormBook
Source: Yara match File source: 4.2.mQY9ka5sW6hv2Ri.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.mQY9ka5sW6hv2Ri.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000006.00000002.4091352522.0000000000800000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.4091996606.0000000004650000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.1771101612.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.4091719375.0000000002E20000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1660916542.0000000003B59000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 100.0% probability
Machine Learning detection for sample
Source: mQY9ka5sW6hv2Ri.exe Joe Sandbox ML: detected
Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Windows\SysWOW64\msdt.exe Code function: 6_2_008AAFB8 CertGetCertificateContextProperty,GetLastError,CryptHashCertificate,GetLastError,GetLastError,CertFreeCertificateContext, 6_2_008AAFB8
Uses 32bit PE files
Source: mQY9ka5sW6hv2Ri.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: mQY9ka5sW6hv2Ri.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: msdt.pdbGCTL source: mQY9ka5sW6hv2Ri.exe, 00000004.00000002.1771720567.00000000010F0000.00000040.10000000.00040000.00000000.sdmp, msdt.exe, 00000006.00000002.4091465372.0000000000870000.00000040.80000000.00040000.00000000.sdmp
Source: Binary string: wntdll.pdbUGP source: mQY9ka5sW6hv2Ri.exe, 00000004.00000002.1771924925.0000000001160000.00000040.00001000.00020000.00000000.sdmp, msdt.exe, 00000006.00000003.1771716252.00000000046B8000.00000004.00000020.00020000.00000000.sdmp, msdt.exe, 00000006.00000003.1773310292.0000000004863000.00000004.00000020.00020000.00000000.sdmp, msdt.exe, 00000006.00000002.4092239644.0000000004BAE000.00000040.00001000.00020000.00000000.sdmp, msdt.exe, 00000006.00000002.4092239644.0000000004A10000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: mQY9ka5sW6hv2Ri.exe, mQY9ka5sW6hv2Ri.exe, 00000004.00000002.1771924925.0000000001160000.00000040.00001000.00020000.00000000.sdmp, msdt.exe, msdt.exe, 00000006.00000003.1771716252.00000000046B8000.00000004.00000020.00020000.00000000.sdmp, msdt.exe, 00000006.00000003.1773310292.0000000004863000.00000004.00000020.00020000.00000000.sdmp, msdt.exe, 00000006.00000002.4092239644.0000000004BAE000.00000040.00001000.00020000.00000000.sdmp, msdt.exe, 00000006.00000002.4092239644.0000000004A10000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: msdt.pdb source: mQY9ka5sW6hv2Ri.exe, 00000004.00000002.1771720567.00000000010F0000.00000040.10000000.00040000.00000000.sdmp, msdt.exe, msdt.exe, 00000006.00000002.4091465372.0000000000870000.00000040.80000000.00040000.00000000.sdmp
Source: C:\Windows\SysWOW64\msdt.exe Code function: 6_2_008B60A8 memset,GetProcessHeap,HeapAlloc,FindFirstFileW,GetProcessHeap,HeapAlloc,GetLastError,FindClose,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree, 6_2_008B60A8
Source: C:\Windows\SysWOW64\msdt.exe Code function: 6_2_008A602D GetProcessHeap,HeapAlloc,FindFirstFileW,_wcsicmp,_wcsicmp,SetFileAttributesW,GetLastError,DeleteFileW,GetLastError,FindNextFileW,FindClose,RemoveDirectoryW,GetLastError,GetProcessHeap,HeapFree, 6_2_008A602D
Source: C:\Windows\SysWOW64\msdt.exe Code function: 6_2_008A1B92 memset,GetProcessHeap,HeapAlloc,FindFirstFileW,_wcsicmp,_wcsicmp,FindNextFileW,FindClose,GetLastError,GetProcessHeap,HeapFree, 6_2_008A1B92
Source: C:\Windows\SysWOW64\msdt.exe Code function: 6_2_008A4CB6 memset,GetProcessHeap,HeapAlloc,FindFirstFileW,_wcsicmp,_wcsicmp,FindNextFileW,FindClose,GetLastError,GetProcessHeap,HeapFree, 6_2_008A4CB6
Source: C:\Windows\SysWOW64\msdt.exe Code function: 6_2_008A5C20 memset,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,CloseHandle,FindFirstFileW,_wcsicmp,_wcsicmp,GetFileAttributesW,SetFileAttributesW,GetLastError,GetFileAttributesW,SetFileAttributesW,GetLastError,DeleteFileW,CreateFileW,GetLastError,CloseHandle,FindNextFileW,FindClose,GetLastError,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,CloseHandle,CloseHandle,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree, 6_2_008A5C20
Source: C:\Windows\SysWOW64\msdt.exe Code function: 6_2_008B743A memset,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,FindFirstFileW,_wcsicmp,_wcsicmp,CopyFileW,GetLastError,FindNextFileW,FindClose,GetLastError,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree, 6_2_008B743A
Source: C:\Windows\SysWOW64\msdt.exe Code function: 6_2_008A4EDC memset,GetProcessHeap,HeapAlloc,FindFirstFileW,_wcsicmp,_wcsicmp,FindNextFileW,FindClose,GetLastError,GetProcessHeap,HeapFree, 6_2_008A4EDC
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4x nop then pop ebx 4_2_00407B26
Source: C:\Windows\SysWOW64\msdt.exe Code function: 4x nop then pop ebx 6_2_00807B26

Networking
barindex
Snort IDS alert for network traffic
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49741 -> 185.53.179.90:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49743 -> 3.226.182.14:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49744 -> 3.33.130.190:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49745 -> 104.21.74.89:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49746 -> 185.151.30.212:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49747 -> 3.33.130.190:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49748 -> 147.92.43.172:80
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe Network Connect: 3.226.182.14 80 Jump to behavior
Source: C:\Windows\explorer.exe Network Connect: 185.53.179.90 80 Jump to behavior
Source: C:\Windows\explorer.exe Network Connect: 185.151.30.212 80 Jump to behavior
Source: C:\Windows\explorer.exe Network Connect: 147.92.43.172 80 Jump to behavior
Source: C:\Windows\explorer.exe Network Connect: 3.33.130.190 80 Jump to behavior
Source: C:\Windows\explorer.exe Network Connect: 104.21.74.89 80 Jump to behavior
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: www.cpuk-finance.com/dy13/
Performs DNS queries to domains with low reputation
Source: DNS query: www.b0ba138.xyz
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /dy13/?Cj9LK=8pm41D0p&0N=QEHoM+aYI3hCf+czBdOSz9RRIKYxAFZVZwkeDGKMWY6YfTbawsJCAKRBbAifn9DzIiC0 HTTP/1.1Host: www.real-estate-96841.bondConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /dy13/?Cj9LK=8pm41D0p&0N=ZKZE34nO5+VJCQ7V97/Oxkx+yV2XZDJ4QNe5btj3ut8Iv1OZ3MT37vqx38H3jKbLJXyY HTTP/1.1Host: www.sdplat.mediaConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /dy13/?0N=KHSNHic8JLxjXMUSHETQCf7bHtnol1DEJErUxVAiAFyfNffMOGuO7wY/4dfl/zB0OOAe&Cj9LK=8pm41D0p HTTP/1.1Host: www.soloparentconnect.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /dy13/?Cj9LK=8pm41D0p&0N=LVVXn+3XMgScWvA+gustfxAGGBCnrJhvM+qFjqFs2KSrXwfcw3kbTxGlCeyN42Y88s8h HTTP/1.1Host: www.b0ba138.xyzConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /dy13/?Cj9LK=8pm41D0p&0N=gDxxMnt83apdqDd0VF+A3hDmBOM78/3mfYHyjE1VNrqBuQQdV+RDpqUMPHOMA9Jp0yBU HTTP/1.1Host: www.cpuk-finance.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /dy13/?Cj9LK=8pm41D0p&0N=LqTJXJ5089mrTceMc0p83ZaAEN5I+KgWBnSPa3/fnIguC6SsnRdV26ZHA6opskXgqsBG HTTP/1.1Host: www.umeshraja.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /dy13/?0N=AG4Ye1FrkmCiFPqbKlnZ1dM6YK/DoI/B/9McINMFJI+SypkU6UbY406xkx1Fqy5gp249&Cj9LK=8pm41D0p HTTP/1.1Host: www.883106.photosConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 3.226.182.14 3.226.182.14
Source: Joe Sandbox View IP Address: 185.53.179.90 185.53.179.90
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: AMAZON-AESUS AMAZON-AESUS
Source: Joe Sandbox View ASN Name: TEAMINTERNET-ASDE TEAMINTERNET-ASDE
Source: Joe Sandbox View ASN Name: TWENTYIGB TWENTYIGB
Source: Joe Sandbox View ASN Name: AMAZONEXPANSIONGB AMAZONEXPANSIONGB
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Windows\explorer.exe Code function: 5_2_0FBBCF82 getaddrinfo,setsockopt,recv, 5_2_0FBBCF82
Source: global traffic HTTP traffic detected: GET /dy13/?Cj9LK=8pm41D0p&0N=QEHoM+aYI3hCf+czBdOSz9RRIKYxAFZVZwkeDGKMWY6YfTbawsJCAKRBbAifn9DzIiC0 HTTP/1.1Host: www.real-estate-96841.bondConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /dy13/?Cj9LK=8pm41D0p&0N=ZKZE34nO5+VJCQ7V97/Oxkx+yV2XZDJ4QNe5btj3ut8Iv1OZ3MT37vqx38H3jKbLJXyY HTTP/1.1Host: www.sdplat.mediaConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /dy13/?0N=KHSNHic8JLxjXMUSHETQCf7bHtnol1DEJErUxVAiAFyfNffMOGuO7wY/4dfl/zB0OOAe&Cj9LK=8pm41D0p HTTP/1.1Host: www.soloparentconnect.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /dy13/?Cj9LK=8pm41D0p&0N=LVVXn+3XMgScWvA+gustfxAGGBCnrJhvM+qFjqFs2KSrXwfcw3kbTxGlCeyN42Y88s8h HTTP/1.1Host: www.b0ba138.xyzConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /dy13/?Cj9LK=8pm41D0p&0N=gDxxMnt83apdqDd0VF+A3hDmBOM78/3mfYHyjE1VNrqBuQQdV+RDpqUMPHOMA9Jp0yBU HTTP/1.1Host: www.cpuk-finance.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /dy13/?Cj9LK=8pm41D0p&0N=LqTJXJ5089mrTceMc0p83ZaAEN5I+KgWBnSPa3/fnIguC6SsnRdV26ZHA6opskXgqsBG HTTP/1.1Host: www.umeshraja.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /dy13/?0N=AG4Ye1FrkmCiFPqbKlnZ1dM6YK/DoI/B/9McINMFJI+SypkU6UbY406xkx1Fqy5gp249&Cj9LK=8pm41D0p HTTP/1.1Host: www.883106.photosConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic DNS traffic detected: DNS query: www.real-estate-96841.bond
Source: global traffic DNS traffic detected: DNS query: www.taini00.net
Source: global traffic DNS traffic detected: DNS query: www.sdplat.media
Source: global traffic DNS traffic detected: DNS query: www.soloparentconnect.com
Source: global traffic DNS traffic detected: DNS query: www.b0ba138.xyz
Source: global traffic DNS traffic detected: DNS query: www.imuschestvostorgov.online
Source: global traffic DNS traffic detected: DNS query: www.cpuk-finance.com
Source: global traffic DNS traffic detected: DNS query: www.acc-pay.top
Source: global traffic DNS traffic detected: DNS query: www.umeshraja.com
Source: global traffic DNS traffic detected: DNS query: www.883106.photos
Source: global traffic DNS traffic detected: DNS query: www.484844.vip
Source: explorer.exe, 00000005.00000000.1665871823.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.1663822771.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.4095689522.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105812901.0000000009830000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3426278192.0000000009833000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: explorer.exe, 00000005.00000000.1665871823.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.1663822771.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.4095689522.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105812901.0000000009830000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3426278192.0000000009833000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: explorer.exe, 00000005.00000000.1665871823.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.1663822771.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.4095689522.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105812901.0000000009830000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3426278192.0000000009833000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: explorer.exe, 00000005.00000000.1665871823.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.1663822771.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.4095689522.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105812901.0000000009830000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3426278192.0000000009833000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0
Source: explorer.exe, 00000005.00000002.4093721221.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.1663822771.00000000078AD000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertGlobalRootG2.crlhttp://crl4.digicert.com/Di
Source: explorer.exe, 00000005.00000000.1674090829.000000000CA63000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.4102382128.000000000CA63000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://schemas.mi
Source: explorer.exe, 00000005.00000000.1674090829.000000000CA63000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.4102382128.000000000CA63000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://schemas.micr
Source: explorer.exe, 00000005.00000000.1664847019.0000000007F40000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000000.1665286520.0000000008720000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000000.1666809306.0000000009B60000.00000002.00000001.00040000.00000000.sdmp String found in binary or memory: http://schemas.micro
Source: explorer.exe, 00000005.00000002.4102542899.000000000CB46000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105191318.000000000CB1E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3167076802.000000000CB36000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105362141.000000000CB28000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3425966147.000000000CB36000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.484844.vip
Source: explorer.exe, 00000005.00000002.4102542899.000000000CB46000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105191318.000000000CB1E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3167076802.000000000CB36000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105362141.000000000CB28000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3425966147.000000000CB36000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.484844.vip/dy13/
Source: explorer.exe, 00000005.00000002.4102542899.000000000CB46000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105191318.000000000CB1E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3167076802.000000000CB36000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105362141.000000000CB28000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3425966147.000000000CB36000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.484844.vip/dy13/www.manga-house.com
Source: explorer.exe, 00000005.00000002.4102542899.000000000CB46000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105191318.000000000CB1E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3167076802.000000000CB36000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105362141.000000000CB28000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3425966147.000000000CB36000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.484844.vipReferer:
Source: explorer.exe, 00000005.00000002.4102542899.000000000CB46000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105191318.000000000CB1E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3167076802.000000000CB36000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105362141.000000000CB28000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3425966147.000000000CB36000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.883106.photos
Source: explorer.exe, 00000005.00000002.4102542899.000000000CB46000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105191318.000000000CB1E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3167076802.000000000CB36000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105362141.000000000CB28000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3425966147.000000000CB36000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.883106.photos/dy13/
Source: explorer.exe, 00000005.00000002.4102542899.000000000CB46000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105191318.000000000CB1E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3167076802.000000000CB36000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105362141.000000000CB28000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3425966147.000000000CB36000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.883106.photos/dy13/www.tyupok.xyz
Source: explorer.exe, 00000005.00000002.4102542899.000000000CB46000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105191318.000000000CB1E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3167076802.000000000CB36000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105362141.000000000CB28000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3425966147.000000000CB36000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.883106.photosReferer:
Source: explorer.exe, 00000005.00000002.4102542899.000000000CB46000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105191318.000000000CB1E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3167076802.000000000CB36000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105362141.000000000CB28000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3425966147.000000000CB36000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.acc-pay.top
Source: explorer.exe, 00000005.00000002.4102542899.000000000CB46000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105191318.000000000CB1E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3167076802.000000000CB36000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105362141.000000000CB28000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3425966147.000000000CB36000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.acc-pay.top/dy13/
Source: explorer.exe, 00000005.00000002.4102542899.000000000CB46000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105191318.000000000CB1E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3167076802.000000000CB36000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105362141.000000000CB28000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3425966147.000000000CB36000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.acc-pay.top/dy13/www.umeshraja.com
Source: explorer.exe, 00000005.00000002.4102542899.000000000CB46000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105191318.000000000CB1E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3167076802.000000000CB36000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105362141.000000000CB28000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3425966147.000000000CB36000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.acc-pay.topReferer:
Source: mQY9ka5sW6hv2Ri.exe, 00000000.00000002.1662597721.0000000006B12000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000005.00000000.1672208552.000000000C964000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3106196438.000000000C9E7000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: explorer.exe, 00000005.00000002.4102542899.000000000CB46000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105191318.000000000CB1E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3167076802.000000000CB36000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105362141.000000000CB28000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3425966147.000000000CB36000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.b0ba138.xyz
Source: explorer.exe, 00000005.00000002.4102542899.000000000CB46000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105191318.000000000CB1E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3167076802.000000000CB36000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105362141.000000000CB28000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3425966147.000000000CB36000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.b0ba138.xyz/dy13/
Source: explorer.exe, 00000005.00000002.4102542899.000000000CB46000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105191318.000000000CB1E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3167076802.000000000CB36000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105362141.000000000CB28000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3425966147.000000000CB36000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.b0ba138.xyz/dy13/www.imuschestvostorgov.online
Source: explorer.exe, 00000005.00000002.4102542899.000000000CB46000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105191318.000000000CB1E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3167076802.000000000CB36000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105362141.000000000CB28000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3425966147.000000000CB36000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.b0ba138.xyzReferer:
Source: explorer.exe, 00000005.00000002.4102542899.000000000CB46000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105191318.000000000CB1E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3167076802.000000000CB36000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105362141.000000000CB28000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3425966147.000000000CB36000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.bdsmnutzbar.info
Source: explorer.exe, 00000005.00000002.4102542899.000000000CB46000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105191318.000000000CB1E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3167076802.000000000CB36000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105362141.000000000CB28000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3425966147.000000000CB36000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.bdsmnutzbar.info/dy13/
Source: explorer.exe, 00000005.00000002.4102542899.000000000CB46000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105191318.000000000CB1E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3167076802.000000000CB36000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105362141.000000000CB28000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3425966147.000000000CB36000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.bdsmnutzbar.info/dy13/H
Source: explorer.exe, 00000005.00000002.4102542899.000000000CB46000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105191318.000000000CB1E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3167076802.000000000CB36000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105362141.000000000CB28000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3425966147.000000000CB36000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.bdsmnutzbar.infoReferer:
Source: explorer.exe, 00000005.00000002.4102542899.000000000CB46000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105191318.000000000CB1E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3167076802.000000000CB36000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105362141.000000000CB28000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3425966147.000000000CB36000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.carefulapp.com
Source: explorer.exe, 00000005.00000002.4102542899.000000000CB46000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105191318.000000000CB1E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3167076802.000000000CB36000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105362141.000000000CB28000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3425966147.000000000CB36000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.carefulapp.com/dy13/
Source: explorer.exe, 00000005.00000002.4102542899.000000000CB46000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105191318.000000000CB1E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3167076802.000000000CB36000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105362141.000000000CB28000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3425966147.000000000CB36000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.carefulapp.com/dy13/www.freedompopo.com
Source: explorer.exe, 00000005.00000002.4102542899.000000000CB46000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105191318.000000000CB1E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3167076802.000000000CB36000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105362141.000000000CB28000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3425966147.000000000CB36000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.carefulapp.comReferer:
Source: mQY9ka5sW6hv2Ri.exe, 00000000.00000002.1662597721.0000000006B12000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 00000005.00000002.4102542899.000000000CB46000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105191318.000000000CB1E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3167076802.000000000CB36000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105362141.000000000CB28000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3425966147.000000000CB36000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.cpuk-finance.com
Source: explorer.exe, 00000005.00000002.4102542899.000000000CB46000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105191318.000000000CB1E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3167076802.000000000CB36000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105362141.000000000CB28000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3425966147.000000000CB36000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.cpuk-finance.com/dy13/
Source: explorer.exe, 00000005.00000002.4102542899.000000000CB46000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105191318.000000000CB1E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3167076802.000000000CB36000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105362141.000000000CB28000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3425966147.000000000CB36000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.cpuk-finance.com/dy13/www.acc-pay.top
Source: explorer.exe, 00000005.00000002.4102542899.000000000CB46000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105191318.000000000CB1E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3167076802.000000000CB36000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105362141.000000000CB28000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3425966147.000000000CB36000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.cpuk-finance.comReferer:
Source: mQY9ka5sW6hv2Ri.exe, 00000000.00000002.1662597721.0000000006B12000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com
Source: mQY9ka5sW6hv2Ri.exe, 00000000.00000002.1662597721.0000000006B12000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers
Source: mQY9ka5sW6hv2Ri.exe, 00000000.00000002.1662597721.0000000006B12000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/?
Source: mQY9ka5sW6hv2Ri.exe, 00000000.00000002.1662597721.0000000006B12000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: mQY9ka5sW6hv2Ri.exe, 00000000.00000002.1662597721.0000000006B12000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: mQY9ka5sW6hv2Ri.exe, 00000000.00000002.1662597721.0000000006B12000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers8
Source: mQY9ka5sW6hv2Ri.exe, 00000000.00000002.1662597721.0000000006B12000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers?
Source: mQY9ka5sW6hv2Ri.exe, 00000000.00000002.1662597721.0000000006B12000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designersG
Source: mQY9ka5sW6hv2Ri.exe, 00000000.00000002.1662597721.0000000006B12000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fonts.com
Source: mQY9ka5sW6hv2Ri.exe, 00000000.00000002.1662597721.0000000006B12000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn
Source: mQY9ka5sW6hv2Ri.exe, 00000000.00000002.1662597721.0000000006B12000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: mQY9ka5sW6hv2Ri.exe, 00000000.00000002.1662597721.0000000006B12000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 00000005.00000002.4102542899.000000000CB46000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105191318.000000000CB1E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3167076802.000000000CB36000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105362141.000000000CB28000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3425966147.000000000CB36000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.freedompopo.com
Source: explorer.exe, 00000005.00000002.4102542899.000000000CB46000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105191318.000000000CB1E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3167076802.000000000CB36000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105362141.000000000CB28000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3425966147.000000000CB36000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.freedompopo.com/dy13/
Source: explorer.exe, 00000005.00000002.4102542899.000000000CB46000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105191318.000000000CB1E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3167076802.000000000CB36000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105362141.000000000CB28000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3425966147.000000000CB36000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.freedompopo.com/dy13/www.bdsmnutzbar.info
Source: explorer.exe, 00000005.00000002.4102542899.000000000CB46000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105191318.000000000CB1E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3167076802.000000000CB36000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105362141.000000000CB28000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3425966147.000000000CB36000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.freedompopo.comReferer:
Source: mQY9ka5sW6hv2Ri.exe, 00000000.00000002.1662597721.0000000006B12000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: mQY9ka5sW6hv2Ri.exe, 00000000.00000002.1662597721.0000000006B12000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: mQY9ka5sW6hv2Ri.exe, 00000000.00000002.1662597721.0000000006B12000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 00000005.00000002.4102542899.000000000CB46000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105191318.000000000CB1E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3167076802.000000000CB36000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105362141.000000000CB28000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3425966147.000000000CB36000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.imuschestvostorgov.online
Source: explorer.exe, 00000005.00000002.4102542899.000000000CB46000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105191318.000000000CB1E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3167076802.000000000CB36000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105362141.000000000CB28000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3425966147.000000000CB36000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.imuschestvostorgov.online/dy13/
Source: explorer.exe, 00000005.00000002.4102542899.000000000CB46000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105191318.000000000CB1E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3167076802.000000000CB36000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105362141.000000000CB28000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3425966147.000000000CB36000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.imuschestvostorgov.online/dy13/www.cpuk-finance.com
Source: explorer.exe, 00000005.00000002.4102542899.000000000CB46000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105191318.000000000CB1E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3167076802.000000000CB36000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105362141.000000000CB28000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3425966147.000000000CB36000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.imuschestvostorgov.onlineReferer:
Source: mQY9ka5sW6hv2Ri.exe, 00000000.00000002.1662597721.0000000006B12000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 00000005.00000002.4102542899.000000000CB46000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105191318.000000000CB1E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3167076802.000000000CB36000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105362141.000000000CB28000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3425966147.000000000CB36000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.manga-house.com
Source: explorer.exe, 00000005.00000002.4102542899.000000000CB46000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105191318.000000000CB1E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3167076802.000000000CB36000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105362141.000000000CB28000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3425966147.000000000CB36000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.manga-house.com/dy13/
Source: explorer.exe, 00000005.00000002.4102542899.000000000CB46000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105191318.000000000CB1E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3167076802.000000000CB36000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105362141.000000000CB28000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3425966147.000000000CB36000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.manga-house.com/dy13/www.carefulapp.com
Source: explorer.exe, 00000005.00000002.4102542899.000000000CB46000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105191318.000000000CB1E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3167076802.000000000CB36000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105362141.000000000CB28000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3425966147.000000000CB36000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.manga-house.comReferer:
Source: mQY9ka5sW6hv2Ri.exe String found in binary or memory: http://www.opcom.ro/rapoarte/export_csv_raportPIPsiVolumTranzactionat_PI.php?zi=
Source: mQY9ka5sW6hv2Ri.exe String found in binary or memory: http://www.opcom.ro/rapoarte/export_xml_PIPsiVolTranPI.php?zi=
Source: explorer.exe, 00000005.00000002.4102542899.000000000CB46000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105191318.000000000CB1E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3167076802.000000000CB36000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105362141.000000000CB28000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3425966147.000000000CB36000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.real-estate-96841.bond
Source: explorer.exe, 00000005.00000002.4102542899.000000000CB46000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105191318.000000000CB1E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3167076802.000000000CB36000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105362141.000000000CB28000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3425966147.000000000CB36000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.real-estate-96841.bond/dy13/
Source: explorer.exe, 00000005.00000002.4102542899.000000000CB46000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105191318.000000000CB1E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3167076802.000000000CB36000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105362141.000000000CB28000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3425966147.000000000CB36000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.real-estate-96841.bond/dy13/www.taini00.net
Source: explorer.exe, 00000005.00000002.4102542899.000000000CB46000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105191318.000000000CB1E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3167076802.000000000CB36000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105362141.000000000CB28000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3425966147.000000000CB36000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.real-estate-96841.bondReferer:
Source: mQY9ka5sW6hv2Ri.exe, 00000000.00000002.1662597721.0000000006B12000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sajatypeworks.com
Source: mQY9ka5sW6hv2Ri.exe, 00000000.00000002.1662597721.0000000006B12000.00000004.00000800.00020000.00000000.sdmp, mQY9ka5sW6hv2Ri.exe, 00000000.00000002.1662514857.00000000053A0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.sakkal.com
Source: mQY9ka5sW6hv2Ri.exe, 00000000.00000002.1662597721.0000000006B12000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000005.00000002.4102542899.000000000CB46000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105191318.000000000CB1E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3167076802.000000000CB36000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105362141.000000000CB28000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3425966147.000000000CB36000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.sdplat.media
Source: explorer.exe, 00000005.00000002.4102542899.000000000CB46000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105191318.000000000CB1E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3167076802.000000000CB36000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105362141.000000000CB28000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3425966147.000000000CB36000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.sdplat.media/dy13/
Source: explorer.exe, 00000005.00000002.4102542899.000000000CB46000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105191318.000000000CB1E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3167076802.000000000CB36000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105362141.000000000CB28000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3425966147.000000000CB36000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.sdplat.media/dy13/www.soloparentconnect.com
Source: explorer.exe, 00000005.00000002.4102542899.000000000CB46000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105191318.000000000CB1E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3167076802.000000000CB36000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105362141.000000000CB28000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3425966147.000000000CB36000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.sdplat.mediaReferer:
Source: explorer.exe, 00000005.00000002.4102542899.000000000CB46000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105191318.000000000CB1E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3167076802.000000000CB36000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105362141.000000000CB28000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3425966147.000000000CB36000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.soloparentconnect.com
Source: explorer.exe, 00000005.00000002.4102542899.000000000CB46000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105191318.000000000CB1E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3167076802.000000000CB36000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105362141.000000000CB28000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3425966147.000000000CB36000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.soloparentconnect.com/dy13/
Source: explorer.exe, 00000005.00000002.4102542899.000000000CB46000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105191318.000000000CB1E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3167076802.000000000CB36000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105362141.000000000CB28000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3425966147.000000000CB36000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.soloparentconnect.com/dy13/www.b0ba138.xyz
Source: explorer.exe, 00000005.00000002.4102542899.000000000CB46000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105191318.000000000CB1E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3167076802.000000000CB36000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105362141.000000000CB28000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3425966147.000000000CB36000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.soloparentconnect.comReferer:
Source: explorer.exe, 00000005.00000002.4102542899.000000000CB46000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105191318.000000000CB1E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3167076802.000000000CB36000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105362141.000000000CB28000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3425966147.000000000CB36000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.taini00.net
Source: explorer.exe, 00000005.00000002.4102542899.000000000CB46000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105191318.000000000CB1E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3167076802.000000000CB36000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105362141.000000000CB28000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3425966147.000000000CB36000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.taini00.net/dy13/
Source: explorer.exe, 00000005.00000002.4102542899.000000000CB46000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105191318.000000000CB1E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3167076802.000000000CB36000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105362141.000000000CB28000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3425966147.000000000CB36000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.taini00.net/dy13/www.sdplat.media
Source: explorer.exe, 00000005.00000002.4102542899.000000000CB46000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105191318.000000000CB1E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3167076802.000000000CB36000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105362141.000000000CB28000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3425966147.000000000CB36000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.taini00.netReferer:
Source: mQY9ka5sW6hv2Ri.exe, 00000000.00000002.1662597721.0000000006B12000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.tiro.com
Source: mQY9ka5sW6hv2Ri.exe, 00000000.00000002.1662597721.0000000006B12000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 00000005.00000002.4102542899.000000000CB46000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105191318.000000000CB1E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3167076802.000000000CB36000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105362141.000000000CB28000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3425966147.000000000CB36000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.tyupok.xyz
Source: explorer.exe, 00000005.00000002.4102542899.000000000CB46000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105191318.000000000CB1E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3167076802.000000000CB36000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105362141.000000000CB28000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3425966147.000000000CB36000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.tyupok.xyz/dy13/
Source: explorer.exe, 00000005.00000002.4102542899.000000000CB46000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105191318.000000000CB1E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3167076802.000000000CB36000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105362141.000000000CB28000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3425966147.000000000CB36000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.tyupok.xyz/dy13/www.484844.vip
Source: explorer.exe, 00000005.00000002.4102542899.000000000CB46000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105191318.000000000CB1E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3167076802.000000000CB36000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105362141.000000000CB28000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3425966147.000000000CB36000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.tyupok.xyzReferer:
Source: explorer.exe, 00000005.00000002.4102542899.000000000CB46000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105191318.000000000CB1E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3167076802.000000000CB36000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105362141.000000000CB28000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3425966147.000000000CB36000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.umeshraja.com
Source: explorer.exe, 00000005.00000002.4102542899.000000000CB46000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105191318.000000000CB1E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3167076802.000000000CB36000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105362141.000000000CB28000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3425966147.000000000CB36000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.umeshraja.com/dy13/
Source: explorer.exe, 00000005.00000002.4102542899.000000000CB46000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105191318.000000000CB1E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3167076802.000000000CB36000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105362141.000000000CB28000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3425966147.000000000CB36000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.umeshraja.com/dy13/www.883106.photos
Source: explorer.exe, 00000005.00000002.4102542899.000000000CB46000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105191318.000000000CB1E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3167076802.000000000CB36000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105362141.000000000CB28000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3425966147.000000000CB36000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.umeshraja.comReferer:
Source: mQY9ka5sW6hv2Ri.exe, 00000000.00000002.1662597721.0000000006B12000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.urwpp.deDPlease
Source: mQY9ka5sW6hv2Ri.exe, 00000000.00000002.1662597721.0000000006B12000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.zhongyicts.com.cn
Source: explorer.exe, 00000005.00000000.1672208552.000000000C893000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppcrobat.exe
Source: explorer.exe, 00000005.00000003.3106253540.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.1663822771.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.4093721221.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3426649414.00000000079FB000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/Vh5j3k
Source: explorer.exe, 00000005.00000003.3106253540.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.1663822771.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.4093721221.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3426649414.00000000079FB000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/odirmr
Source: explorer.exe, 00000005.00000000.1672208552.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://android.notify.windows.com/iOS
Source: explorer.exe, 00000005.00000000.1665871823.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3427001072.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3106606841.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.4095689522.00000000097D4000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://api.msn.com/
Source: explorer.exe, 00000005.00000000.1665871823.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3427001072.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3106606841.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.4095689522.00000000097D4000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://api.msn.com/q
Source: explorer.exe, 00000005.00000000.1661541002.0000000001240000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.4092474613.0000000003700000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.4091496578.0000000001240000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.1662369450.0000000003700000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
Source: explorer.exe, 00000005.00000003.3106606841.0000000009701000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.1665871823.00000000096DF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.4095689522.00000000096DF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3427001072.0000000009701000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?&
Source: explorer.exe, 00000005.00000002.4093721221.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.1663822771.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?activityId=0CC40BF291614022B7DF6E2143E8A6AF&timeOut=5000&oc
Source: explorer.exe, 00000005.00000002.4093721221.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.1665871823.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.1663822771.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3427001072.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3106606841.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.4095689522.00000000097D4000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://api.msn.com:443/v1/news/Feed/Windows?
Source: explorer.exe, 00000005.00000003.3106606841.0000000009701000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.1665871823.00000000096DF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.4095689522.00000000096DF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3427001072.0000000009701000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://arc.msn.comi
Source: explorer.exe, 00000005.00000000.1663822771.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://assets.msn.com/staticsb/statics/latest/traffic/Notification/desktop/svg/RoadHazard.svg
Source: explorer.exe, 00000005.00000000.1663822771.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings
Source: explorer.exe, 00000005.00000000.1663822771.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/AAehR3S.svg
Source: explorer.exe, 00000005.00000002.4093721221.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.1663822771.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Teaser/humidity.svg
Source: explorer.exe, 00000005.00000002.4093721221.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.1663822771.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV
Source: explorer.exe, 00000005.00000002.4093721221.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.1663822771.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV-dark
Source: explorer.exe, 00000005.00000002.4093721221.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.1663822771.00000000078AD000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gHZu
Source: explorer.exe, 00000005.00000002.4093721221.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.1663822771.00000000078AD000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gHZu-dark
Source: explorer.exe, 00000005.00000002.4093721221.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.1663822771.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMeu
Source: explorer.exe, 00000005.00000002.4093721221.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.1663822771.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMeu-dark
Source: explorer.exe, 00000005.00000002.4093721221.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.1663822771.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gTUY
Source: explorer.exe, 00000005.00000002.4093721221.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.1663822771.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gTUY-dark
Source: explorer.exe, 00000005.00000000.1672208552.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.4100977951.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://excel.office.com
Source: explorer.exe, 00000005.00000002.4093721221.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.1663822771.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA15Yat4.img
Source: explorer.exe, 00000005.00000002.4093721221.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.1663822771.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1hlXIY.img
Source: explorer.exe, 00000005.00000002.4093721221.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.1663822771.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAKSoFp.img
Source: explorer.exe, 00000005.00000002.4093721221.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.1663822771.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAXaopi.img
Source: explorer.exe, 00000005.00000002.4093721221.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.1663822771.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAgi0nZ.img
Source: explorer.exe, 00000005.00000002.4093721221.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.1663822771.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBqlLky.img
Source: explorer.exe, 00000005.00000002.4093721221.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.1663822771.00000000078AD000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://img.s-msn.com/tenant/amp/entityid/AAbC0oi.img
Source: explorer.exe, 00000005.00000000.1672208552.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.4100977951.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://outlook.com_
Source: explorer.exe, 00000005.00000000.1672208552.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.4100977951.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://powerpoint.office.comcember
Source: explorer.exe, 00000005.00000002.4093721221.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.1663822771.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://simpleflying.com/how-do-you-become-an-air-traffic-controller/
Source: explorer.exe, 00000005.00000002.4093721221.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.1663822771.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew
Source: explorer.exe, 00000005.00000002.4093721221.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.1663822771.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew
Source: explorer.exe, 00000005.00000000.1672208552.000000000C557000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.4100977951.000000000C557000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://wns.windows.com/L
Source: explorer.exe, 00000005.00000000.1672208552.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.4100977951.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://word.office.com
Source: explorer.exe, 00000005.00000002.4093721221.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.1663822771.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/lifestyle/lifestyle-buzz/biden-makes-decision-that-will-impact-more-than-1
Source: explorer.exe, 00000005.00000002.4093721221.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.1663822771.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/lifestyle/travel/i-ve-worked-at-a-campsite-for-5-years-these-are-the-15-mi
Source: explorer.exe, 00000005.00000002.4093721221.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.1663822771.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.4093721221.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.1663822771.00000000078AD000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/money/personalfinance/13-states-that-don-t-tax-your-retirement-income/ar-A
Source: explorer.exe, 00000005.00000002.4093721221.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.1663822771.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/money/personalfinance/no-wonder-the-american-public-is-confused-if-you-re-
Source: explorer.exe, 00000005.00000002.4093721221.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.1663822771.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/news/politics/clarence-thomas-in-spotlight-as-supreme-court-delivers-blow-
Source: explorer.exe, 00000005.00000002.4093721221.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.1663822771.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/news/politics/exclusive-john-kelly-goes-on-the-record-to-confirm-several-d
Source: explorer.exe, 00000005.00000002.4093721221.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.1663822771.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/news/topic/breast%20cancer%20awareness%20month?ocid=winp1headerevent
Source: explorer.exe, 00000005.00000002.4093721221.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.1663822771.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/news/us/a-nationwide-emergency-alert-will-be-sent-to-all-u-s-cellphones-we
Source: explorer.exe, 00000005.00000002.4093721221.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.1663822771.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/news/us/metro-officials-still-investigating-friday-s-railcar-derailment/ar
Source: explorer.exe, 00000005.00000000.1663822771.00000000078AD000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/news/us/when-does-daylight-saving-time-end-2023-here-s-when-to-set-your-cl
Source: explorer.exe, 00000005.00000002.4093721221.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.1663822771.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/news/world/agostini-krausz-and-l-huillier-win-physics-nobel-for-looking-at
Source: explorer.exe, 00000005.00000002.4093721221.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.1663822771.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/weather/topstories/rest-of-hurricane-season-in-uncharted-waters-because-of
Source: explorer.exe, 00000005.00000002.4093721221.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.1663822771.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/weather/topstories/us-weather-super-el-nino-to-bring-more-flooding-and-win
Source: explorer.exe, 00000005.00000002.4093721221.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.1663822771.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com:443/en-us/feed
Source: explorer.exe, 00000005.00000002.4093721221.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.1663822771.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.rd.com/list/polite-habits-campers-dislike/
Source: explorer.exe, 00000005.00000002.4093721221.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.1663822771.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.rd.com/newsletter/?int_source=direct&int_medium=rd.com&int_campaign=nlrda_20221001_toppe
Contains functionality for read data from the clipboard
Source: C:\Windows\SysWOW64\msdt.exe Code function: 6_2_008A2361 GetProcessHeap,HeapAlloc,CreateStreamOnHGlobal,OpenClipboard,GetLastError,EmptyClipboard,GetHGlobalFromStream,SetClipboardData,CloseClipboard,GetProcessHeap,HeapFree, 6_2_008A2361
Contains functionality to modify clipboard data
Source: C:\Windows\SysWOW64\msdt.exe Code function: 6_2_008A2361 GetProcessHeap,HeapAlloc,CreateStreamOnHGlobal,OpenClipboard,GetLastError,EmptyClipboard,GetHGlobalFromStream,SetClipboardData,CloseClipboard,GetProcessHeap,HeapFree, 6_2_008A2361

E-Banking Fraud
barindex
Yara detected FormBook
Source: Yara match File source: 4.2.mQY9ka5sW6hv2Ri.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.mQY9ka5sW6hv2Ri.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000006.00000002.4091352522.0000000000800000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.4091996606.0000000004650000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.1771101612.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.4091719375.0000000002E20000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1660916542.0000000003B59000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: 4.2.mQY9ka5sW6hv2Ri.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 4.2.mQY9ka5sW6hv2Ri.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 4.2.mQY9ka5sW6hv2Ri.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 4.2.mQY9ka5sW6hv2Ri.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 4.2.mQY9ka5sW6hv2Ri.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 4.2.mQY9ka5sW6hv2Ri.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.4103236234.000000000FBD4000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_772cc62d Author: unknown
Source: 00000006.00000002.4091352522.0000000000800000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000006.00000002.4091352522.0000000000800000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000002.4091352522.0000000000800000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000002.4091996606.0000000004650000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000006.00000002.4091996606.0000000004650000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000002.4091996606.0000000004650000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.1771101612.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000004.00000002.1771101612.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.1771101612.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000002.4091719375.0000000002E20000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000006.00000002.4091719375.0000000002E20000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000002.4091719375.0000000002E20000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.1660916542.0000000003B59000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000000.00000002.1660916542.0000000003B59000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.1660916542.0000000003B59000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: Process Memory Space: mQY9ka5sW6hv2Ri.exe PID: 6912, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: mQY9ka5sW6hv2Ri.exe PID: 2676, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: msdt.exe PID: 6956, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Contains functionality to call native functions
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_0041A360 NtCreateFile, 4_2_0041A360
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_0041A410 NtReadFile, 4_2_0041A410
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_0041A490 NtClose, 4_2_0041A490
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_0041A540 NtAllocateVirtualMemory, 4_2_0041A540
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_0041A40A NtReadFile, 4_2_0041A40A
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_0041A48C NtClose, 4_2_0041A48C
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_0041A53D NtAllocateVirtualMemory, 4_2_0041A53D
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_011D2B60 NtClose,LdrInitializeThunk, 4_2_011D2B60
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_011D2BF0 NtAllocateVirtualMemory,LdrInitializeThunk, 4_2_011D2BF0
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_011D2AD0 NtReadFile,LdrInitializeThunk, 4_2_011D2AD0
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_011D2D10 NtMapViewOfSection,LdrInitializeThunk, 4_2_011D2D10
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_011D2D30 NtUnmapViewOfSection,LdrInitializeThunk, 4_2_011D2D30
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_011D2DD0 NtDelayExecution,LdrInitializeThunk, 4_2_011D2DD0
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_011D2DF0 NtQuerySystemInformation,LdrInitializeThunk, 4_2_011D2DF0
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_011D2C70 NtFreeVirtualMemory,LdrInitializeThunk, 4_2_011D2C70
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_011D2CA0 NtQueryInformationToken,LdrInitializeThunk, 4_2_011D2CA0
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_011D2F30 NtCreateSection,LdrInitializeThunk, 4_2_011D2F30
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_011D2F90 NtProtectVirtualMemory,LdrInitializeThunk, 4_2_011D2F90
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_011D2FB0 NtResumeThread,LdrInitializeThunk, 4_2_011D2FB0
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_011D2FE0 NtCreateFile,LdrInitializeThunk, 4_2_011D2FE0
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_011D2E80 NtReadVirtualMemory,LdrInitializeThunk, 4_2_011D2E80
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_011D2EA0 NtAdjustPrivilegesToken,LdrInitializeThunk, 4_2_011D2EA0
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_011D4340 NtSetContextThread, 4_2_011D4340
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_011D4650 NtSuspendThread, 4_2_011D4650
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_011D2B80 NtQueryInformationFile, 4_2_011D2B80
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_011D2BA0 NtEnumerateValueKey, 4_2_011D2BA0
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_011D2BE0 NtQueryValueKey, 4_2_011D2BE0
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_011D2AB0 NtWaitForSingleObject, 4_2_011D2AB0
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_011D2AF0 NtWriteFile, 4_2_011D2AF0
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_011D2D00 NtSetInformationFile, 4_2_011D2D00
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_011D2DB0 NtEnumerateKey, 4_2_011D2DB0
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_011D2C00 NtQueryInformationProcess, 4_2_011D2C00
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_011D2C60 NtCreateKey, 4_2_011D2C60
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_011D2CC0 NtQueryVirtualMemory, 4_2_011D2CC0
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_011D2CF0 NtOpenProcess, 4_2_011D2CF0
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_011D2F60 NtCreateProcessEx, 4_2_011D2F60
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_011D2FA0 NtQuerySection, 4_2_011D2FA0
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_011D2E30 NtWriteVirtualMemory, 4_2_011D2E30
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_011D2EE0 NtQueueApcThread, 4_2_011D2EE0
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_011D3010 NtOpenDirectoryObject, 4_2_011D3010
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_011D3090 NtSetValueKey, 4_2_011D3090
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_011D35C0 NtCreateMutant, 4_2_011D35C0
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_011D39B0 NtGetContextThread, 4_2_011D39B0
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_011D3D10 NtOpenProcessToken, 4_2_011D3D10
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_011D3D70 NtOpenThread, 4_2_011D3D70
Source: C:\Windows\explorer.exe Code function: 5_2_0FBBC232 NtCreateFile, 5_2_0FBBC232
Source: C:\Windows\explorer.exe Code function: 5_2_0FBBDE12 NtProtectVirtualMemory, 5_2_0FBBDE12
Source: C:\Windows\explorer.exe Code function: 5_2_0FBBDE0A NtProtectVirtualMemory, 5_2_0FBBDE0A
Source: C:\Windows\SysWOW64\msdt.exe Code function: 6_2_008B1CBD NtOpenThreadToken,NtOpenProcessToken,NtQueryInformationToken,NtClose, 6_2_008B1CBD
Source: C:\Windows\SysWOW64\msdt.exe Code function: 6_2_008B1C50 NtQueryInformationToken,NtQueryInformationToken, 6_2_008B1C50
Source: C:\Windows\SysWOW64\msdt.exe Code function: 6_2_04A82CA0 NtQueryInformationToken,LdrInitializeThunk, 6_2_04A82CA0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 6_2_04A82C60 NtCreateKey,LdrInitializeThunk, 6_2_04A82C60
Source: C:\Windows\SysWOW64\msdt.exe Code function: 6_2_04A82C70 NtFreeVirtualMemory,LdrInitializeThunk, 6_2_04A82C70
Source: C:\Windows\SysWOW64\msdt.exe Code function: 6_2_04A82DF0 NtQuerySystemInformation,LdrInitializeThunk, 6_2_04A82DF0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 6_2_04A82DD0 NtDelayExecution,LdrInitializeThunk, 6_2_04A82DD0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 6_2_04A82D10 NtMapViewOfSection,LdrInitializeThunk, 6_2_04A82D10
Source: C:\Windows\SysWOW64\msdt.exe Code function: 6_2_04A82EA0 NtAdjustPrivilegesToken,LdrInitializeThunk, 6_2_04A82EA0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 6_2_04A82FE0 NtCreateFile,LdrInitializeThunk, 6_2_04A82FE0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 6_2_04A82F30 NtCreateSection,LdrInitializeThunk, 6_2_04A82F30
Source: C:\Windows\SysWOW64\msdt.exe Code function: 6_2_04A82AD0 NtReadFile,LdrInitializeThunk, 6_2_04A82AD0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 6_2_04A82BE0 NtQueryValueKey,LdrInitializeThunk, 6_2_04A82BE0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 6_2_04A82BF0 NtAllocateVirtualMemory,LdrInitializeThunk, 6_2_04A82BF0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 6_2_04A82B60 NtClose,LdrInitializeThunk, 6_2_04A82B60
Source: C:\Windows\SysWOW64\msdt.exe Code function: 6_2_04A835C0 NtCreateMutant,LdrInitializeThunk, 6_2_04A835C0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 6_2_04A84650 NtSuspendThread, 6_2_04A84650
Source: C:\Windows\SysWOW64\msdt.exe Code function: 6_2_04A84340 NtSetContextThread, 6_2_04A84340
Source: C:\Windows\SysWOW64\msdt.exe Code function: 6_2_04A82CF0 NtOpenProcess, 6_2_04A82CF0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 6_2_04A82CC0 NtQueryVirtualMemory, 6_2_04A82CC0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 6_2_04A82C00 NtQueryInformationProcess, 6_2_04A82C00
Source: C:\Windows\SysWOW64\msdt.exe Code function: 6_2_04A82DB0 NtEnumerateKey, 6_2_04A82DB0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 6_2_04A82D30 NtUnmapViewOfSection, 6_2_04A82D30
Source: C:\Windows\SysWOW64\msdt.exe Code function: 6_2_04A82D00 NtSetInformationFile, 6_2_04A82D00
Source: C:\Windows\SysWOW64\msdt.exe Code function: 6_2_04A82E80 NtReadVirtualMemory, 6_2_04A82E80
Source: C:\Windows\SysWOW64\msdt.exe Code function: 6_2_04A82EE0 NtQueueApcThread, 6_2_04A82EE0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 6_2_04A82E30 NtWriteVirtualMemory, 6_2_04A82E30
Source: C:\Windows\SysWOW64\msdt.exe Code function: 6_2_04A82FA0 NtQuerySection, 6_2_04A82FA0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 6_2_04A82FB0 NtResumeThread, 6_2_04A82FB0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 6_2_04A82F90 NtProtectVirtualMemory, 6_2_04A82F90
Source: C:\Windows\SysWOW64\msdt.exe Code function: 6_2_04A82F60 NtCreateProcessEx, 6_2_04A82F60
Source: C:\Windows\SysWOW64\msdt.exe Code function: 6_2_04A82AB0 NtWaitForSingleObject, 6_2_04A82AB0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 6_2_04A82AF0 NtWriteFile, 6_2_04A82AF0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 6_2_04A82BA0 NtEnumerateValueKey, 6_2_04A82BA0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 6_2_04A82B80 NtQueryInformationFile, 6_2_04A82B80
Source: C:\Windows\SysWOW64\msdt.exe Code function: 6_2_04A83090 NtSetValueKey, 6_2_04A83090
Source: C:\Windows\SysWOW64\msdt.exe Code function: 6_2_04A83010 NtOpenDirectoryObject, 6_2_04A83010
Source: C:\Windows\SysWOW64\msdt.exe Code function: 6_2_04A83D10 NtOpenProcessToken, 6_2_04A83D10
Source: C:\Windows\SysWOW64\msdt.exe Code function: 6_2_04A83D70 NtOpenThread, 6_2_04A83D70
Source: C:\Windows\SysWOW64\msdt.exe Code function: 6_2_04A839B0 NtGetContextThread, 6_2_04A839B0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 6_2_0081A360 NtCreateFile, 6_2_0081A360
Source: C:\Windows\SysWOW64\msdt.exe Code function: 6_2_0081A490 NtClose, 6_2_0081A490
Source: C:\Windows\SysWOW64\msdt.exe Code function: 6_2_0081A410 NtReadFile, 6_2_0081A410
Source: C:\Windows\SysWOW64\msdt.exe Code function: 6_2_0081A540 NtAllocateVirtualMemory, 6_2_0081A540
Source: C:\Windows\SysWOW64\msdt.exe Code function: 6_2_0081A48C NtClose, 6_2_0081A48C
Source: C:\Windows\SysWOW64\msdt.exe Code function: 6_2_0081A40A NtReadFile, 6_2_0081A40A
Source: C:\Windows\SysWOW64\msdt.exe Code function: 6_2_0081A53D NtAllocateVirtualMemory, 6_2_0081A53D
Source: C:\Windows\SysWOW64\msdt.exe Code function: 6_2_0475A036 NtQueryInformationProcess,NtSuspendThread,NtSetContextThread,RtlQueueApcWow64Thread,NtResumeThread, 6_2_0475A036
Source: C:\Windows\SysWOW64\msdt.exe Code function: 6_2_04759BAF NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtUnmapViewOfSection,NtClose, 6_2_04759BAF
Source: C:\Windows\SysWOW64\msdt.exe Code function: 6_2_0475A042 NtQueryInformationProcess, 6_2_0475A042
Source: C:\Windows\SysWOW64\msdt.exe Code function: 6_2_04759BB2 NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 6_2_04759BB2
Detected potential crypto function
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 0_2_01064071 0_2_01064071
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 0_2_01060040 0_2_01060040
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 0_2_01066048 0_2_01066048
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 0_2_01060610 0_2_01060610
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 0_2_02B263D8 0_2_02B263D8
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 0_2_02B263C8 0_2_02B263C8
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 0_2_0792E0D0 0_2_0792E0D0
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 0_2_0792E780 0_2_0792E780
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 0_2_0792B988 0_2_0792B988
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 0_2_079463AF 0_2_079463AF
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 0_2_079463E8 0_2_079463E8
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 0_2_0794E1C8 0_2_0794E1C8
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 0_2_0794DD90 0_2_0794DD90
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 0_2_0794D938 0_2_0794D938
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_00401030 4_2_00401030
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_0041E140 4_2_0041E140
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_004012FB 4_2_004012FB
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_0041ECC1 4_2_0041ECC1
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_0041DDC2 4_2_0041DDC2
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_00402D87 4_2_00402D87
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_00402D90 4_2_00402D90
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_0041D5A6 4_2_0041D5A6
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_00409E60 4_2_00409E60
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_0041EEF4 4_2_0041EEF4
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_00402FB0 4_2_00402FB0
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_01190100 4_2_01190100
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_0123A118 4_2_0123A118
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_01228158 4_2_01228158
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_012541A2 4_2_012541A2
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_012601AA 4_2_012601AA
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_012581CC 4_2_012581CC
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_01232000 4_2_01232000
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_0125A352 4_2_0125A352
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_012603E6 4_2_012603E6
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_011AE3F0 4_2_011AE3F0
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_01240274 4_2_01240274
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_012202C0 4_2_012202C0
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_011A0535 4_2_011A0535
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_01260591 4_2_01260591
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_01244420 4_2_01244420
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_01252446 4_2_01252446
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_0124E4F6 4_2_0124E4F6
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_011C4750 4_2_011C4750
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_011A0770 4_2_011A0770
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_0119C7C0 4_2_0119C7C0
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_011BC6E0 4_2_011BC6E0
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_011B6962 4_2_011B6962
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_0126A9A6 4_2_0126A9A6
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_011A29A0 4_2_011A29A0
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_011A2840 4_2_011A2840
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_011AA840 4_2_011AA840
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_011868B8 4_2_011868B8
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_011CE8F0 4_2_011CE8F0
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_0125AB40 4_2_0125AB40
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_01256BD7 4_2_01256BD7
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_0119EA80 4_2_0119EA80
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_011AAD00 4_2_011AAD00
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_0123CD1F 4_2_0123CD1F
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_011B8DBF 4_2_011B8DBF
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_0119ADE0 4_2_0119ADE0
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_011A0C00 4_2_011A0C00
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_01240CB5 4_2_01240CB5
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_01190CF2 4_2_01190CF2
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_01242F30 4_2_01242F30
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_011C0F30 4_2_011C0F30
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_011E2F28 4_2_011E2F28
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_01214F40 4_2_01214F40
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_0121EFA0 4_2_0121EFA0
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_01192FC8 4_2_01192FC8
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_0125EE26 4_2_0125EE26
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_011A0E59 4_2_011A0E59
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_011B2E90 4_2_011B2E90
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_0125CE93 4_2_0125CE93
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_0125EEDB 4_2_0125EEDB
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_0126B16B 4_2_0126B16B
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_0118F172 4_2_0118F172
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_011D516C 4_2_011D516C
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_011AB1B0 4_2_011AB1B0
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_0125F0E0 4_2_0125F0E0
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_012570E9 4_2_012570E9
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_011A70C0 4_2_011A70C0
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_0124F0CC 4_2_0124F0CC
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_0125132D 4_2_0125132D
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_0118D34C 4_2_0118D34C
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_011E739A 4_2_011E739A
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_011A52A0 4_2_011A52A0
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_012412ED 4_2_012412ED
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_011BB2C0 4_2_011BB2C0
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_011BD2F0 4_2_011BD2F0
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_01257571 4_2_01257571
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_0123D5B0 4_2_0123D5B0
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_012695C3 4_2_012695C3
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_0125F43F 4_2_0125F43F
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_01191460 4_2_01191460
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_0125F7B0 4_2_0125F7B0
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_011E5630 4_2_011E5630
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_012516CC 4_2_012516CC
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_01235910 4_2_01235910
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_011A9950 4_2_011A9950
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_011BB950 4_2_011BB950
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_0120D800 4_2_0120D800
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_011A38E0 4_2_011A38E0
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_0125FB76 4_2_0125FB76
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_011BFB80 4_2_011BFB80
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_01215BF0 4_2_01215BF0
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_011DDBF9 4_2_011DDBF9
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_01213A6C 4_2_01213A6C
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_01257A46 4_2_01257A46
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_0125FA49 4_2_0125FA49
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_01241AA3 4_2_01241AA3
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_0123DAAC 4_2_0123DAAC
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_011E5AA0 4_2_011E5AA0
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_0124DAC6 4_2_0124DAC6
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_01257D73 4_2_01257D73
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_011A3D40 4_2_011A3D40
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_01251D5A 4_2_01251D5A
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_011BFDC0 4_2_011BFDC0
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_01219C32 4_2_01219C32
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_0125FCF2 4_2_0125FCF2
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_0125FF09 4_2_0125FF09
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_011A1F92 4_2_011A1F92
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_0125FFB1 4_2_0125FFB1
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_01163FD5 4_2_01163FD5
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_01163FD2 4_2_01163FD2
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_011A9EB0 4_2_011A9EB0
Source: C:\Windows\explorer.exe Code function: 5_2_0E8C3232 5_2_0E8C3232
Source: C:\Windows\explorer.exe Code function: 5_2_0E8BDB32 5_2_0E8BDB32
Source: C:\Windows\explorer.exe Code function: 5_2_0E8BDB30 5_2_0E8BDB30
Source: C:\Windows\explorer.exe Code function: 5_2_0E8B9082 5_2_0E8B9082
Source: C:\Windows\explorer.exe Code function: 5_2_0E8C2036 5_2_0E8C2036
Source: C:\Windows\explorer.exe Code function: 5_2_0E8C65CD 5_2_0E8C65CD
Source: C:\Windows\explorer.exe Code function: 5_2_0E8BAD02 5_2_0E8BAD02
Source: C:\Windows\explorer.exe Code function: 5_2_0E8C0912 5_2_0E8C0912
Source: C:\Windows\explorer.exe Code function: 5_2_0F6B2B32 5_2_0F6B2B32
Source: C:\Windows\explorer.exe Code function: 5_2_0F6B2B30 5_2_0F6B2B30
Source: C:\Windows\explorer.exe Code function: 5_2_0F6B8232 5_2_0F6B8232
Source: C:\Windows\explorer.exe Code function: 5_2_0F6AFD02 5_2_0F6AFD02
Source: C:\Windows\explorer.exe Code function: 5_2_0F6B5912 5_2_0F6B5912
Source: C:\Windows\explorer.exe Code function: 5_2_0F6BB5CD 5_2_0F6BB5CD
Source: C:\Windows\explorer.exe Code function: 5_2_0F6B7036 5_2_0F6B7036
Source: C:\Windows\explorer.exe Code function: 5_2_0F6AE082 5_2_0F6AE082
Source: C:\Windows\explorer.exe Code function: 5_2_0FBBC232 5_2_0FBBC232
Source: C:\Windows\explorer.exe Code function: 5_2_0FBBF5CD 5_2_0FBBF5CD
Source: C:\Windows\explorer.exe Code function: 5_2_0FBB6B32 5_2_0FBB6B32
Source: C:\Windows\explorer.exe Code function: 5_2_0FBB6B30 5_2_0FBB6B30
Source: C:\Windows\explorer.exe Code function: 5_2_0FBB9912 5_2_0FBB9912
Source: C:\Windows\explorer.exe Code function: 5_2_0FBB3D02 5_2_0FBB3D02
Source: C:\Windows\explorer.exe Code function: 5_2_0FBB2082 5_2_0FBB2082
Source: C:\Windows\explorer.exe Code function: 5_2_0FBBB036 5_2_0FBBB036
Source: C:\Windows\SysWOW64\msdt.exe Code function: 6_2_0089F0DB 6_2_0089F0DB
Source: C:\Windows\SysWOW64\msdt.exe Code function: 6_2_008BC803 6_2_008BC803
Source: C:\Windows\SysWOW64\msdt.exe Code function: 6_2_00895950 6_2_00895950
Source: C:\Windows\SysWOW64\msdt.exe Code function: 6_2_008AFCE7 6_2_008AFCE7
Source: C:\Windows\SysWOW64\msdt.exe Code function: 6_2_008B2FD3 6_2_008B2FD3
Source: C:\Windows\SysWOW64\msdt.exe Code function: 6_2_008A4702 6_2_008A4702
Source: C:\Windows\SysWOW64\msdt.exe Code function: 6_2_04AFE4F6 6_2_04AFE4F6
Source: C:\Windows\SysWOW64\msdt.exe Code function: 6_2_04AF4420 6_2_04AF4420
Source: C:\Windows\SysWOW64\msdt.exe Code function: 6_2_04B02446 6_2_04B02446
Source: C:\Windows\SysWOW64\msdt.exe Code function: 6_2_04B10591 6_2_04B10591
Source: C:\Windows\SysWOW64\msdt.exe Code function: 6_2_04A50535 6_2_04A50535
Source: C:\Windows\SysWOW64\msdt.exe Code function: 6_2_04A6C6E0 6_2_04A6C6E0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 6_2_04A4C7C0 6_2_04A4C7C0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 6_2_04A50770 6_2_04A50770
Source: C:\Windows\SysWOW64\msdt.exe Code function: 6_2_04A74750 6_2_04A74750
Source: C:\Windows\SysWOW64\msdt.exe Code function: 6_2_04AE2000 6_2_04AE2000
Source: C:\Windows\SysWOW64\msdt.exe Code function: 6_2_04B041A2 6_2_04B041A2
Source: C:\Windows\SysWOW64\msdt.exe Code function: 6_2_04B101AA 6_2_04B101AA
Source: C:\Windows\SysWOW64\msdt.exe Code function: 6_2_04B081CC 6_2_04B081CC
Source: C:\Windows\SysWOW64\msdt.exe Code function: 6_2_04A40100 6_2_04A40100
Source: C:\Windows\SysWOW64\msdt.exe Code function: 6_2_04AEA118 6_2_04AEA118
Source: C:\Windows\SysWOW64\msdt.exe Code function: 6_2_04AD8158 6_2_04AD8158
Source: C:\Windows\SysWOW64\msdt.exe Code function: 6_2_04AD02C0 6_2_04AD02C0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 6_2_04AF0274 6_2_04AF0274
Source: C:\Windows\SysWOW64\msdt.exe Code function: 6_2_04A5E3F0 6_2_04A5E3F0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 6_2_04B103E6 6_2_04B103E6
Source: C:\Windows\SysWOW64\msdt.exe Code function: 6_2_04B0A352 6_2_04B0A352
Source: C:\Windows\SysWOW64\msdt.exe Code function: 6_2_04AF0CB5 6_2_04AF0CB5
Source: C:\Windows\SysWOW64\msdt.exe Code function: 6_2_04A40CF2 6_2_04A40CF2
Source: C:\Windows\SysWOW64\msdt.exe Code function: 6_2_04A50C00 6_2_04A50C00
Source: C:\Windows\SysWOW64\msdt.exe Code function: 6_2_04A68DBF 6_2_04A68DBF
Source: C:\Windows\SysWOW64\msdt.exe Code function: 6_2_04A4ADE0 6_2_04A4ADE0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 6_2_04A5AD00 6_2_04A5AD00
Source: C:\Windows\SysWOW64\msdt.exe Code function: 6_2_04AECD1F 6_2_04AECD1F
Source: C:\Windows\SysWOW64\msdt.exe Code function: 6_2_04B0CE93 6_2_04B0CE93
Source: C:\Windows\SysWOW64\msdt.exe Code function: 6_2_04A62E90 6_2_04A62E90
Source: C:\Windows\SysWOW64\msdt.exe Code function: 6_2_04B0EEDB 6_2_04B0EEDB
Source: C:\Windows\SysWOW64\msdt.exe Code function: 6_2_04B0EE26 6_2_04B0EE26
Source: C:\Windows\SysWOW64\msdt.exe Code function: 6_2_04A50E59 6_2_04A50E59
Source: C:\Windows\SysWOW64\msdt.exe Code function: 6_2_04ACEFA0 6_2_04ACEFA0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 6_2_04A42FC8 6_2_04A42FC8
Source: C:\Windows\SysWOW64\msdt.exe Code function: 6_2_04A92F28 6_2_04A92F28
Source: C:\Windows\SysWOW64\msdt.exe Code function: 6_2_04A70F30 6_2_04A70F30
Source: C:\Windows\SysWOW64\msdt.exe Code function: 6_2_04AF2F30 6_2_04AF2F30
Source: C:\Windows\SysWOW64\msdt.exe Code function: 6_2_04AC4F40 6_2_04AC4F40
Source: C:\Windows\SysWOW64\msdt.exe Code function: 6_2_04A368B8 6_2_04A368B8
Source: C:\Windows\SysWOW64\msdt.exe Code function: 6_2_04A7E8F0 6_2_04A7E8F0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 6_2_04A52840 6_2_04A52840
Source: C:\Windows\SysWOW64\msdt.exe Code function: 6_2_04A5A840 6_2_04A5A840
Source: C:\Windows\SysWOW64\msdt.exe Code function: 6_2_04A529A0 6_2_04A529A0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 6_2_04B1A9A6 6_2_04B1A9A6
Source: C:\Windows\SysWOW64\msdt.exe Code function: 6_2_04A66962 6_2_04A66962
Source: C:\Windows\SysWOW64\msdt.exe Code function: 6_2_04A4EA80 6_2_04A4EA80
Source: C:\Windows\SysWOW64\msdt.exe Code function: 6_2_04B06BD7 6_2_04B06BD7
Source: C:\Windows\SysWOW64\msdt.exe Code function: 6_2_04B0AB40 6_2_04B0AB40
Source: C:\Windows\SysWOW64\msdt.exe Code function: 6_2_04B0F43F 6_2_04B0F43F
Source: C:\Windows\SysWOW64\msdt.exe Code function: 6_2_04A41460 6_2_04A41460
Source: C:\Windows\SysWOW64\msdt.exe Code function: 6_2_04AED5B0 6_2_04AED5B0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 6_2_04B195C3 6_2_04B195C3
Source: C:\Windows\SysWOW64\msdt.exe Code function: 6_2_04B07571 6_2_04B07571
Source: C:\Windows\SysWOW64\msdt.exe Code function: 6_2_04B016CC 6_2_04B016CC
Source: C:\Windows\SysWOW64\msdt.exe Code function: 6_2_04A95630 6_2_04A95630
Source: C:\Windows\SysWOW64\msdt.exe Code function: 6_2_04B0F7B0 6_2_04B0F7B0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 6_2_04B0F0E0 6_2_04B0F0E0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 6_2_04B070E9 6_2_04B070E9
Source: C:\Windows\SysWOW64\msdt.exe Code function: 6_2_04AFF0CC 6_2_04AFF0CC
Source: C:\Windows\SysWOW64\msdt.exe Code function: 6_2_04A570C0 6_2_04A570C0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 6_2_04A5B1B0 6_2_04A5B1B0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 6_2_04A8516C 6_2_04A8516C
Source: C:\Windows\SysWOW64\msdt.exe Code function: 6_2_04A3F172 6_2_04A3F172
Source: C:\Windows\SysWOW64\msdt.exe Code function: 6_2_04B1B16B 6_2_04B1B16B
Source: C:\Windows\SysWOW64\msdt.exe Code function: 6_2_04A552A0 6_2_04A552A0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 6_2_04AF12ED 6_2_04AF12ED
Source: C:\Windows\SysWOW64\msdt.exe Code function: 6_2_04A6D2F0 6_2_04A6D2F0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 6_2_04A6B2C0 6_2_04A6B2C0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 6_2_04A9739A 6_2_04A9739A
Source: C:\Windows\SysWOW64\msdt.exe Code function: 6_2_04B0132D 6_2_04B0132D
Source: C:\Windows\SysWOW64\msdt.exe Code function: 6_2_04A3D34C 6_2_04A3D34C
Source: C:\Windows\SysWOW64\msdt.exe Code function: 6_2_04B0FCF2 6_2_04B0FCF2
Source: C:\Windows\SysWOW64\msdt.exe Code function: 6_2_04AC9C32 6_2_04AC9C32
Source: C:\Windows\SysWOW64\msdt.exe Code function: 6_2_04A6FDC0 6_2_04A6FDC0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 6_2_04B07D73 6_2_04B07D73
Source: C:\Windows\SysWOW64\msdt.exe Code function: 6_2_04A53D40 6_2_04A53D40
Source: C:\Windows\SysWOW64\msdt.exe Code function: 6_2_04B01D5A 6_2_04B01D5A
Source: C:\Windows\SysWOW64\msdt.exe Code function: 6_2_04A59EB0 6_2_04A59EB0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 6_2_04B0FFB1 6_2_04B0FFB1
Source: C:\Windows\SysWOW64\msdt.exe Code function: 6_2_04A51F92 6_2_04A51F92
Source: C:\Windows\SysWOW64\msdt.exe Code function: 6_2_04A13FD2 6_2_04A13FD2
Source: C:\Windows\SysWOW64\msdt.exe Code function: 6_2_04A13FD5 6_2_04A13FD5
Source: C:\Windows\SysWOW64\msdt.exe Code function: 6_2_04B0FF09 6_2_04B0FF09
Source: C:\Windows\SysWOW64\msdt.exe Code function: 6_2_04A538E0 6_2_04A538E0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 6_2_04ABD800 6_2_04ABD800
Source: C:\Windows\SysWOW64\msdt.exe Code function: 6_2_04AE5910 6_2_04AE5910
Source: C:\Windows\SysWOW64\msdt.exe Code function: 6_2_04A59950 6_2_04A59950
Source: C:\Windows\SysWOW64\msdt.exe Code function: 6_2_04A6B950 6_2_04A6B950
Source: C:\Windows\SysWOW64\msdt.exe Code function: 6_2_04AEDAAC 6_2_04AEDAAC
Source: C:\Windows\SysWOW64\msdt.exe Code function: 6_2_04A95AA0 6_2_04A95AA0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 6_2_04AF1AA3 6_2_04AF1AA3
Source: C:\Windows\SysWOW64\msdt.exe Code function: 6_2_04AFDAC6 6_2_04AFDAC6
Source: C:\Windows\SysWOW64\msdt.exe Code function: 6_2_04AC3A6C 6_2_04AC3A6C
Source: C:\Windows\SysWOW64\msdt.exe Code function: 6_2_04B07A46 6_2_04B07A46
Source: C:\Windows\SysWOW64\msdt.exe Code function: 6_2_04B0FA49 6_2_04B0FA49
Source: C:\Windows\SysWOW64\msdt.exe Code function: 6_2_04A6FB80 6_2_04A6FB80
Source: C:\Windows\SysWOW64\msdt.exe Code function: 6_2_04A8DBF9 6_2_04A8DBF9
Source: C:\Windows\SysWOW64\msdt.exe Code function: 6_2_04AC5BF0 6_2_04AC5BF0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 6_2_04B0FB76 6_2_04B0FB76
Source: C:\Windows\SysWOW64\msdt.exe Code function: 6_2_0081D5A6 6_2_0081D5A6
Source: C:\Windows\SysWOW64\msdt.exe Code function: 6_2_0081ECC1 6_2_0081ECC1
Source: C:\Windows\SysWOW64\msdt.exe Code function: 6_2_00802D87 6_2_00802D87
Source: C:\Windows\SysWOW64\msdt.exe Code function: 6_2_00802D90 6_2_00802D90
Source: C:\Windows\SysWOW64\msdt.exe Code function: 6_2_0081EEF4 6_2_0081EEF4
Source: C:\Windows\SysWOW64\msdt.exe Code function: 6_2_00809E60 6_2_00809E60
Source: C:\Windows\SysWOW64\msdt.exe Code function: 6_2_00802FB0 6_2_00802FB0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 6_2_0475A036 6_2_0475A036
Source: C:\Windows\SysWOW64\msdt.exe Code function: 6_2_04752D02 6_2_04752D02
Source: C:\Windows\SysWOW64\msdt.exe Code function: 6_2_0475E5CD 6_2_0475E5CD
Source: C:\Windows\SysWOW64\msdt.exe Code function: 6_2_04751082 6_2_04751082
Source: C:\Windows\SysWOW64\msdt.exe Code function: 6_2_04758912 6_2_04758912
Source: C:\Windows\SysWOW64\msdt.exe Code function: 6_2_0475B232 6_2_0475B232
Source: C:\Windows\SysWOW64\msdt.exe Code function: 6_2_04755B30 6_2_04755B30
Source: C:\Windows\SysWOW64\msdt.exe Code function: 6_2_04755B32 6_2_04755B32
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: String function: 0118B970 appears 262 times
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: String function: 011E7E54 appears 107 times
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: String function: 011D5130 appears 58 times
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: String function: 0120EA12 appears 86 times
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: String function: 0121F290 appears 103 times
Source: C:\Windows\SysWOW64\msdt.exe Code function: String function: 04A97E54 appears 107 times
Source: C:\Windows\SysWOW64\msdt.exe Code function: String function: 008BE523 appears 31 times
Source: C:\Windows\SysWOW64\msdt.exe Code function: String function: 04A85130 appears 58 times
Source: C:\Windows\SysWOW64\msdt.exe Code function: String function: 008899E8 appears 885 times
Source: C:\Windows\SysWOW64\msdt.exe Code function: String function: 04ACF290 appears 103 times
Source: C:\Windows\SysWOW64\msdt.exe Code function: String function: 04A3B970 appears 262 times
Source: C:\Windows\SysWOW64\msdt.exe Code function: String function: 008819DB appears 34 times
Source: C:\Windows\SysWOW64\msdt.exe Code function: String function: 04ABEA12 appears 86 times
Sample file is different than original file name gathered from version info
Source: mQY9ka5sW6hv2Ri.exe, 00000000.00000002.1660916542.0000000003D2E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameTyrone.dll8 vs mQY9ka5sW6hv2Ri.exe
Source: mQY9ka5sW6hv2Ri.exe, 00000000.00000002.1658764239.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs mQY9ka5sW6hv2Ri.exe
Source: mQY9ka5sW6hv2Ri.exe, 00000000.00000000.1631739652.0000000000682000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameFXDX.exe, vs mQY9ka5sW6hv2Ri.exe
Source: mQY9ka5sW6hv2Ri.exe, 00000000.00000002.1664185923.00000000079D0000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameTyrone.dll8 vs mQY9ka5sW6hv2Ri.exe
Source: mQY9ka5sW6hv2Ri.exe, 00000000.00000002.1663385257.0000000007000000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameRT.dll. vs mQY9ka5sW6hv2Ri.exe
Source: mQY9ka5sW6hv2Ri.exe, 00000004.00000002.1771720567.00000000010F0000.00000040.10000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenamemsdt.exej% vs mQY9ka5sW6hv2Ri.exe
Source: mQY9ka5sW6hv2Ri.exe, 00000004.00000002.1771924925.000000000128D000.00000040.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs mQY9ka5sW6hv2Ri.exe
Source: mQY9ka5sW6hv2Ri.exe Binary or memory string: OriginalFilenameFXDX.exe, vs mQY9ka5sW6hv2Ri.exe
Uses 32bit PE files
Source: mQY9ka5sW6hv2Ri.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Yara signature match
Source: 4.2.mQY9ka5sW6hv2Ri.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 4.2.mQY9ka5sW6hv2Ri.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 4.2.mQY9ka5sW6hv2Ri.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 4.2.mQY9ka5sW6hv2Ri.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 4.2.mQY9ka5sW6hv2Ri.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 4.2.mQY9ka5sW6hv2Ri.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.4103236234.000000000FBD4000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_772cc62d os = windows, severity = x86, creation_date = 2022-05-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8343b5d02d74791ba2d5d52d19a759f761de2b5470d935000bc27ea6c0633f5, id = 772cc62d-345c-42d8-97ab-f67e447ddca4, last_modified = 2022-07-18
Source: 00000006.00000002.4091352522.0000000000800000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000006.00000002.4091352522.0000000000800000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000002.4091352522.0000000000800000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000002.4091996606.0000000004650000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000006.00000002.4091996606.0000000004650000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000002.4091996606.0000000004650000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.1771101612.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000004.00000002.1771101612.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.1771101612.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000002.4091719375.0000000002E20000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000006.00000002.4091719375.0000000002E20000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000002.4091719375.0000000002E20000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.1660916542.0000000003B59000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000000.00000002.1660916542.0000000003B59000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.1660916542.0000000003B59000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: Process Memory Space: mQY9ka5sW6hv2Ri.exe PID: 6912, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: mQY9ka5sW6hv2Ri.exe PID: 2676, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: msdt.exe PID: 6956, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: mQY9ka5sW6hv2Ri.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 0.2.mQY9ka5sW6hv2Ri.exe.3e905a0.6.raw.unpack, xAjfVuKcAf4Og71LT4.cs Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.2.mQY9ka5sW6hv2Ri.exe.3e905a0.6.raw.unpack, xAjfVuKcAf4Og71LT4.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.mQY9ka5sW6hv2Ri.exe.3e905a0.6.raw.unpack, xAjfVuKcAf4Og71LT4.cs Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 0.2.mQY9ka5sW6hv2Ri.exe.3f003c0.5.raw.unpack, QdNndQQ6nZ5EJDtnt1.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.mQY9ka5sW6hv2Ri.exe.79d0000.9.raw.unpack, xAjfVuKcAf4Og71LT4.cs Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.2.mQY9ka5sW6hv2Ri.exe.79d0000.9.raw.unpack, xAjfVuKcAf4Og71LT4.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.mQY9ka5sW6hv2Ri.exe.79d0000.9.raw.unpack, xAjfVuKcAf4Og71LT4.cs Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 0.2.mQY9ka5sW6hv2Ri.exe.79d0000.9.raw.unpack, QdNndQQ6nZ5EJDtnt1.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.mQY9ka5sW6hv2Ri.exe.3f003c0.5.raw.unpack, xAjfVuKcAf4Og71LT4.cs Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.2.mQY9ka5sW6hv2Ri.exe.3f003c0.5.raw.unpack, xAjfVuKcAf4Og71LT4.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.mQY9ka5sW6hv2Ri.exe.3f003c0.5.raw.unpack, xAjfVuKcAf4Og71LT4.cs Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 0.2.mQY9ka5sW6hv2Ri.exe.3e905a0.6.raw.unpack, QdNndQQ6nZ5EJDtnt1.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.mQY9ka5sW6hv2Ri.exe.2d14620.0.raw.unpack, ReactionVessel.cs Suspicious method names: .ReactionVessel.Inject
Source: 0.2.mQY9ka5sW6hv2Ri.exe.7120000.8.raw.unpack, ReactionVessel.cs Suspicious method names: .ReactionVessel.Inject
Source: 0.2.mQY9ka5sW6hv2Ri.exe.2d357f0.4.raw.unpack, ReactionVessel.cs Suspicious method names: .ReactionVessel.Inject
Source: classification engine Classification label: mal100.troj.evad.winEXE@524/1@12/6
Source: C:\Windows\SysWOW64\msdt.exe Code function: 6_2_0088A006 CoCreateInstance,SysAllocString,SysFreeString, 6_2_0088A006
Source: C:\Windows\SysWOW64\msdt.exe Code function: 6_2_008B1DB3 FindResourceW,GetLastError,LoadResource,GetLastError,LockResource,SizeofResource,GetLastError,GlobalAlloc,GetLastError,GlobalLock,GetLastError,memcpy,CreateStreamOnHGlobal,FreeResource,GlobalUnlock,GlobalFree, 6_2_008B1DB3
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\mQY9ka5sW6hv2Ri.exe.log Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3488:120:WilError_03
Source: mQY9ka5sW6hv2Ri.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: mQY9ka5sW6hv2Ri.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.79%
Source: C:\Windows\explorer.exe File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: mQY9ka5sW6hv2Ri.exe ReversingLabs: Detection: 31%
Source: unknown Process created: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe "C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe"
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Process created: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe "C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe"
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Process created: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe "C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe"
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Process created: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe "C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe"
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\msdt.exe "C:\Windows\SysWOW64\msdt.exe"
Source: C:\Windows\SysWOW64\msdt.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Process created: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe "C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe" Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Process created: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe "C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe" Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Process created: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe "C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe" Jump to behavior
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\msdt.exe "C:\Windows\SysWOW64\msdt.exe" Jump to behavior
Source: C:\Windows\SysWOW64\msdt.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe" Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Section loaded: dwrite.dll Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Section loaded: windowscodecs.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: vcruntime140_1.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: vcruntime140.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: msvcp140.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: vcruntime140_1.dll Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32 Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll Jump to behavior
Source: mQY9ka5sW6hv2Ri.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: mQY9ka5sW6hv2Ri.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: msdt.pdbGCTL source: mQY9ka5sW6hv2Ri.exe, 00000004.00000002.1771720567.00000000010F0000.00000040.10000000.00040000.00000000.sdmp, msdt.exe, 00000006.00000002.4091465372.0000000000870000.00000040.80000000.00040000.00000000.sdmp
Source: Binary string: wntdll.pdbUGP source: mQY9ka5sW6hv2Ri.exe, 00000004.00000002.1771924925.0000000001160000.00000040.00001000.00020000.00000000.sdmp, msdt.exe, 00000006.00000003.1771716252.00000000046B8000.00000004.00000020.00020000.00000000.sdmp, msdt.exe, 00000006.00000003.1773310292.0000000004863000.00000004.00000020.00020000.00000000.sdmp, msdt.exe, 00000006.00000002.4092239644.0000000004BAE000.00000040.00001000.00020000.00000000.sdmp, msdt.exe, 00000006.00000002.4092239644.0000000004A10000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: mQY9ka5sW6hv2Ri.exe, mQY9ka5sW6hv2Ri.exe, 00000004.00000002.1771924925.0000000001160000.00000040.00001000.00020000.00000000.sdmp, msdt.exe, msdt.exe, 00000006.00000003.1771716252.00000000046B8000.00000004.00000020.00020000.00000000.sdmp, msdt.exe, 00000006.00000003.1773310292.0000000004863000.00000004.00000020.00020000.00000000.sdmp, msdt.exe, 00000006.00000002.4092239644.0000000004BAE000.00000040.00001000.00020000.00000000.sdmp, msdt.exe, 00000006.00000002.4092239644.0000000004A10000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: msdt.pdb source: mQY9ka5sW6hv2Ri.exe, 00000004.00000002.1771720567.00000000010F0000.00000040.10000000.00040000.00000000.sdmp, msdt.exe, msdt.exe, 00000006.00000002.4091465372.0000000000870000.00000040.80000000.00040000.00000000.sdmp

Data Obfuscation
barindex
.NET source code contains potential unpacker
Source: mQY9ka5sW6hv2Ri.exe, OptionsWindow.cs .Net Code: InitializeComponent System.Reflection.Assembly.Load(byte[])
Source: 0.2.mQY9ka5sW6hv2Ri.exe.3f003c0.5.raw.unpack, xAjfVuKcAf4Og71LT4.cs .Net Code: SAsiXBqbo5 System.Reflection.Assembly.Load(byte[])
Source: 0.2.mQY9ka5sW6hv2Ri.exe.3e905a0.6.raw.unpack, xAjfVuKcAf4Og71LT4.cs .Net Code: SAsiXBqbo5 System.Reflection.Assembly.Load(byte[])
Source: 0.2.mQY9ka5sW6hv2Ri.exe.79d0000.9.raw.unpack, xAjfVuKcAf4Og71LT4.cs .Net Code: SAsiXBqbo5 System.Reflection.Assembly.Load(byte[])
Source: 5.2.explorer.exe.1143f840.0.raw.unpack, OptionsWindow.cs .Net Code: InitializeComponent System.Reflection.Assembly.Load(byte[])
Source: 6.2.msdt.exe.4f5f840.3.raw.unpack, OptionsWindow.cs .Net Code: InitializeComponent System.Reflection.Assembly.Load(byte[])
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 0_2_07925F98 push eax; mov dword ptr [esp], ecx 0_2_07925F9C
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 0_2_0794A468 pushad ; iretd 0_2_0794A475
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 0_2_0794BBC1 push esp; retf 0_2_0794BBCD
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_00417884 push esp; iretd 4_2_0041788A
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_0041E140 push ebx; ret 4_2_0041E2DC
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_00416958 push ebx; retf 4_2_0041695A
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_0041AAE6 push AD0710D7h; ret 4_2_0041AAED
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_0040E2AD push edi; ret 4_2_0040E2B6
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_00416AB9 push 6DD8D03Bh; retf 4_2_00416ABF
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_0041A3B2 push eax; ret 4_2_0041A3B4
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_0041D4B5 push eax; ret 4_2_0041D508
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_0041D56C push eax; ret 4_2_0041D572
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_0041D502 push eax; ret 4_2_0041D508
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_0041D50B push eax; ret 4_2_0041D572
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_00417741 push 00000072h; retf 4_2_0041776D
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_0041771C push edx; ret 4_2_00417728
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_004077A4 pushfd ; retf 4_2_004077AE
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_0116225F pushad ; ret 4_2_011627F9
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_011627FA pushad ; ret 4_2_011627F9
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_011909AD push ecx; mov dword ptr [esp], ecx 4_2_011909B6
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_0116283D push eax; iretd 4_2_01162858
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_01161368 push eax; iretd 4_2_01161369
Source: C:\Windows\explorer.exe Code function: 5_2_0E8C6B02 push esp; retn 0000h 5_2_0E8C6B03
Source: C:\Windows\explorer.exe Code function: 5_2_0E8C6B1E push esp; retn 0000h 5_2_0E8C6B1F
Source: C:\Windows\explorer.exe Code function: 5_2_0E8C69B5 push esp; retn 0000h 5_2_0E8C6AE7
Source: C:\Windows\explorer.exe Code function: 5_2_0F6BBB02 push esp; retn 0000h 5_2_0F6BBB03
Source: C:\Windows\explorer.exe Code function: 5_2_0F6BBB1E push esp; retn 0000h 5_2_0F6BBB1F
Source: C:\Windows\explorer.exe Code function: 5_2_0F6BB9B5 push esp; retn 0000h 5_2_0F6BBAE7
Source: C:\Windows\explorer.exe Code function: 5_2_0FBBF9B5 push esp; retn 0000h 5_2_0FBBFAE7
Source: C:\Windows\explorer.exe Code function: 5_2_0FBBFB1E push esp; retn 0000h 5_2_0FBBFB1F
Source: C:\Windows\explorer.exe Code function: 5_2_0FBBFB02 push esp; retn 0000h 5_2_0FBBFB03
Source: mQY9ka5sW6hv2Ri.exe Static PE information: section name: .text entropy: 7.955074705738379
Source: 0.2.mQY9ka5sW6hv2Ri.exe.3f003c0.5.raw.unpack, AcmBDkmm30oEvpwIly.cs High entropy of concatenated method names: 'rhOp8b8cbh', 'HJvpLip2Y1', 'dckpcnpuM4', 'R3Sp91ZPsJ', 'X0UpBMVKNw', 'dVIpukQPWg', 'xmCpee0gtd', 'dAMpVYZpwp', 'FYPpry6AZf', 'cTSp5oR7m9'
Source: 0.2.mQY9ka5sW6hv2Ri.exe.3f003c0.5.raw.unpack, xAjfVuKcAf4Og71LT4.cs High entropy of concatenated method names: 'hU1bwi4PvH', 'OklbNQp3Uu', 'ObNbWagt0V', 'ES1bM8t9jq', 'vTRbvkOvrg', 'pOYbKjSl6c', 'xAebf3BmDZ', 'I6jbxlX6MM', 'YQFbqkdY4y', 'vcHb7Sv5WH'
Source: 0.2.mQY9ka5sW6hv2Ri.exe.3f003c0.5.raw.unpack, eOKRCaoe3fhH3gYZFB.cs High entropy of concatenated method names: 'HyXKwI3iyo', 'IKcKW7pA3L', 'L0XKv7tSYB', 'mseKfTLj14', 'GcsKxSbVhx', 'metvZcKaKl', 'cPKv0MtKf8', 'FBevgZi9LQ', 'LnavDfgYPr', 'XDcvYLm0Os'
Source: 0.2.mQY9ka5sW6hv2Ri.exe.3f003c0.5.raw.unpack, xAZT7rRNi7CIxwkhSs.cs High entropy of concatenated method names: 'nVKfJJecJ5', 'lBqfRRrGYa', 'utSfXt2PoB', 'UyqfdcNgJf', 'wrIfPb16aZ', 'qMffoI9vS6', 'Os7fAJ4TSb', 'BI0fyGh842', 'yEOfkeWvpe', 'd7ofEiQdjW'
Source: 0.2.mQY9ka5sW6hv2Ri.exe.3f003c0.5.raw.unpack, PkyUxHhb0mm11LKqcJ.cs High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'j8BGYBsa3D', 'WjpG6gc4e7', 'KgFGzibWF6', 'csYbTSOs50', 'JiwbSgKmux', 'tENbGo3v2Z', 'pnpbbfCxRD', 'uJbmmFhsFyEmOnMWQ31'
Source: 0.2.mQY9ka5sW6hv2Ri.exe.3f003c0.5.raw.unpack, CRgmFmrWJuwbjNi6aB.cs High entropy of concatenated method names: 'vFFfNYgyGQ', 'eFGfMKlN8K', 'yAPfK7TUok', 'QbTK6eVety', 'luxKz6nwmI', 'j8lfTcMTM2', 'MH8fSMDw37', 'NrOfGovrGH', 'oBdfbhnQ7p', 'FwqfibxeGA'
Source: 0.2.mQY9ka5sW6hv2Ri.exe.3f003c0.5.raw.unpack, En1UhvAG0Xg43a3j3af.cs High entropy of concatenated method names: 'o5GhJuqOv1', 'cDZhRF9cJf', 'JZZhXCbDTZ', 'Js4hdjIISW', 'u8ghP42nBF', 'nrahoFtvjj', 'BHBhAtgVfM', 'sEmhyhn40q', 'IV5hkiQPwB', 'tYRhEaKIqv'
Source: 0.2.mQY9ka5sW6hv2Ri.exe.3f003c0.5.raw.unpack, GVRvFJpS4eaHdtKgN8.cs High entropy of concatenated method names: 'uAjvPDvuly', 'aJovAyYaCU', 'JIKMu5uaNE', 'NNGMeI7pk3', 'HGAMVEmeka', 'H2HMrkxdnk', 'LwfM5THrI1', 'inFMjW2Tfa', 'mcVMsHDUXU', 'myrM8CbApQ'
Source: 0.2.mQY9ka5sW6hv2Ri.exe.3f003c0.5.raw.unpack, kZKWDRIFgoibh1hb2T.cs High entropy of concatenated method names: 'ToString', 'z8N4aeZC4f', 'sm54B0PkF1', 'Jau4uc1jOy', 'MEa4etyCDG', 'Q1F4VlCy56', 'VZP4rdcIu4', 'H5G45PqSR7', 'xnV4jyvSsD', 'P5w4sKOVHw'
Source: 0.2.mQY9ka5sW6hv2Ri.exe.3f003c0.5.raw.unpack, Ek4LhktCeUZ4vOf7Ua.cs High entropy of concatenated method names: 'hEXMdybeRd', 'TdjMo19niM', 'VnpMyvPWr9', 'r8WMk8fw89', 'vTTMpMUjh1', 'i0tM478XTt', 'H61MnWHv4R', 'K3fMmqfnxd', 'BDEMhwmJVf', 'b1FM2f9ZmF'
Source: 0.2.mQY9ka5sW6hv2Ri.exe.3f003c0.5.raw.unpack, pocZvdWaYcBDH0pnRC.cs High entropy of concatenated method names: 'e2WIyxLImo', 'wQtIkNaHH0', 'xkoItbKgxl', 'GyiIB6R5cf', 'kjvIeJvYjr', 'PYKIVIX4vU', 'piqI5a4yvv', 'u4AIjAdES3', 'vWyI882UV9', 'AnqIaxYNVf'
Source: 0.2.mQY9ka5sW6hv2Ri.exe.3f003c0.5.raw.unpack, i4UKlxTbGliEA9DbaS.cs High entropy of concatenated method names: 'QHchSwSjwi', 'skJhbk9wQp', 'nx8hih9ELx', 'HRYhNAOsGY', 'MwxhWoHpmC', 'bfehv3MNqx', 'lw9hKfyhmg', 'miWmgAl2U9', 'KInmDmGLsu', 'zfkmY2tplv'
Source: 0.2.mQY9ka5sW6hv2Ri.exe.3f003c0.5.raw.unpack, QWExWLAqoGuZC75pehx.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'gHQ2cDU1Mg', 'hdy29JQByg', 'liQ21Q157d', 'o7d2UHsmkO', 'Xk02ZcZjn5', 'iFf20V2dfw', 'HfI2gPvV6r'
Source: 0.2.mQY9ka5sW6hv2Ri.exe.3f003c0.5.raw.unpack, QdNndQQ6nZ5EJDtnt1.cs High entropy of concatenated method names: 'XGLWcmVP03', 'q1AW9O8PmB', 'n5lW17bxna', 'mNXWUSxLpE', 'lgHWZV0Nro', 'OkZW0ecwnx', 'HjBWgfP61l', 'PhNWDqX4rW', 'B0iWYp8Q3q', 'giwW6gFBfv'
Source: 0.2.mQY9ka5sW6hv2Ri.exe.3f003c0.5.raw.unpack, ktsjOqgCZu1GFFowlH.cs High entropy of concatenated method names: 'MJnmtHT1Eq', 'FGRmBsLcdj', 'uQcmuD8ItA', 'KSamegy3V9', 'ztrmc0WvyS', 'fOGmVoLmTu', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.mQY9ka5sW6hv2Ri.exe.3f003c0.5.raw.unpack, WXrH4jVeKlucQK3169.cs High entropy of concatenated method names: 'SELXO9ywk', 'TiZdl4BXI', 'hvVoagmbT', 'JumAQmALo', 'ns7kAGc1w', 's89E6F5B5', 'h4ZvHTIxB0TlueTR65', 'sfTDkQXVfeHdYw1hVl', 'G6CmgMdXj', 'nhJ2Jk5DJ'
Source: 0.2.mQY9ka5sW6hv2Ri.exe.3f003c0.5.raw.unpack, FBTy3x8mprisgqbcUr.cs High entropy of concatenated method names: 'bNCnDsop60', 'KHIn6lR7dR', 'uiWmTPrr1J', 'z6YmSceVt0', 'WKfnaeYlVx', 'D80nLVpJEC', 'A91nQIDkel', 'jWYncWn5Dt', 'LhFn9usQar', 'YvUn1XBmWC'
Source: 0.2.mQY9ka5sW6hv2Ri.exe.3f003c0.5.raw.unpack, YaIgQIyAUXnF75o8tN.cs High entropy of concatenated method names: 'Aw4mN4bEYN', 'd3NmWLfbwr', 'F8pmMyFJZS', 'w8EmvjXKvw', 'SxXmKCfb6p', 'YIdmfUsHPM', 'PVHmxCMiCs', 'Km2mqgBNkS', 'DMXm7shkCG', 'xfTmFE21gZ'
Source: 0.2.mQY9ka5sW6hv2Ri.exe.3f003c0.5.raw.unpack, VBD99jHbNBN6seWpOy.cs High entropy of concatenated method names: 'Dispose', 'sEuSYB5Cf2', 's16GBKj9IJ', 'doMHHGdMq3', 'Qw9S6B4tWJ', 'f8ySzbBWGy', 'ProcessDialogKey', 'Hm5GTlqf2e', 'eoLGSlCGZe', 'J77GGe8KcY'
Source: 0.2.mQY9ka5sW6hv2Ri.exe.3f003c0.5.raw.unpack, P1L7kyMMcEp8en6UhP.cs High entropy of concatenated method names: 'zRiK1IGB9f', 'PA7KUCK26n', 'wVmKZ1APG3', 'ToString', 'XpxK0Robnm', 'vo4KgualDF', 'E27BHysRRy7McdrhL9I', 'CxShFWsrvV6YGvsAXbM'
Source: 0.2.mQY9ka5sW6hv2Ri.exe.3f003c0.5.raw.unpack, g2Zqnh36w0L7u7l6kJ.cs High entropy of concatenated method names: 'qk5SfQ5AqH', 'RGUSxirRrN', 'RVwS7HvruL', 'BnFSFWtEeK', 'bbmSprcDb2', 'uRuS49SRSO', 'bwyrDYplvcPytTLjoN', 'ARfBeN1UyL5mDnReuL', 'cNeSS4iFjJ', 'hCNSbkry63'
Source: 0.2.mQY9ka5sW6hv2Ri.exe.3f003c0.5.raw.unpack, bS4Vc8AV0HcgkuQItZG.cs High entropy of concatenated method names: 'Wkk2JDYcLU', 'tiB2RFUT8I', 'gSw2X2XGsZ', 'sDa9pB7ds4VmovDFeMM', 'KInGwJ7Fg4WQN3TCxOF', 'kvxq6f7p2tScaSYQ9oc', 'sl83bw71f25LExvBtxO'
Source: 0.2.mQY9ka5sW6hv2Ri.exe.3f003c0.5.raw.unpack, xavLmCzdnYGj8CDZxw.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'MuahIjLKFc', 'rDWhppcb4S', 'hv0h4RdxLN', 'nCyhnD3Djk', 'sI8hmiLiyk', 'UY5hh3NOVy', 'SI9h2aotwA'
Source: 0.2.mQY9ka5sW6hv2Ri.exe.3e905a0.6.raw.unpack, AcmBDkmm30oEvpwIly.cs High entropy of concatenated method names: 'rhOp8b8cbh', 'HJvpLip2Y1', 'dckpcnpuM4', 'R3Sp91ZPsJ', 'X0UpBMVKNw', 'dVIpukQPWg', 'xmCpee0gtd', 'dAMpVYZpwp', 'FYPpry6AZf', 'cTSp5oR7m9'
Source: 0.2.mQY9ka5sW6hv2Ri.exe.3e905a0.6.raw.unpack, xAjfVuKcAf4Og71LT4.cs High entropy of concatenated method names: 'hU1bwi4PvH', 'OklbNQp3Uu', 'ObNbWagt0V', 'ES1bM8t9jq', 'vTRbvkOvrg', 'pOYbKjSl6c', 'xAebf3BmDZ', 'I6jbxlX6MM', 'YQFbqkdY4y', 'vcHb7Sv5WH'
Source: 0.2.mQY9ka5sW6hv2Ri.exe.3e905a0.6.raw.unpack, eOKRCaoe3fhH3gYZFB.cs High entropy of concatenated method names: 'HyXKwI3iyo', 'IKcKW7pA3L', 'L0XKv7tSYB', 'mseKfTLj14', 'GcsKxSbVhx', 'metvZcKaKl', 'cPKv0MtKf8', 'FBevgZi9LQ', 'LnavDfgYPr', 'XDcvYLm0Os'
Source: 0.2.mQY9ka5sW6hv2Ri.exe.3e905a0.6.raw.unpack, xAZT7rRNi7CIxwkhSs.cs High entropy of concatenated method names: 'nVKfJJecJ5', 'lBqfRRrGYa', 'utSfXt2PoB', 'UyqfdcNgJf', 'wrIfPb16aZ', 'qMffoI9vS6', 'Os7fAJ4TSb', 'BI0fyGh842', 'yEOfkeWvpe', 'd7ofEiQdjW'
Source: 0.2.mQY9ka5sW6hv2Ri.exe.3e905a0.6.raw.unpack, PkyUxHhb0mm11LKqcJ.cs High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'j8BGYBsa3D', 'WjpG6gc4e7', 'KgFGzibWF6', 'csYbTSOs50', 'JiwbSgKmux', 'tENbGo3v2Z', 'pnpbbfCxRD', 'uJbmmFhsFyEmOnMWQ31'
Source: 0.2.mQY9ka5sW6hv2Ri.exe.3e905a0.6.raw.unpack, CRgmFmrWJuwbjNi6aB.cs High entropy of concatenated method names: 'vFFfNYgyGQ', 'eFGfMKlN8K', 'yAPfK7TUok', 'QbTK6eVety', 'luxKz6nwmI', 'j8lfTcMTM2', 'MH8fSMDw37', 'NrOfGovrGH', 'oBdfbhnQ7p', 'FwqfibxeGA'
Source: 0.2.mQY9ka5sW6hv2Ri.exe.3e905a0.6.raw.unpack, En1UhvAG0Xg43a3j3af.cs High entropy of concatenated method names: 'o5GhJuqOv1', 'cDZhRF9cJf', 'JZZhXCbDTZ', 'Js4hdjIISW', 'u8ghP42nBF', 'nrahoFtvjj', 'BHBhAtgVfM', 'sEmhyhn40q', 'IV5hkiQPwB', 'tYRhEaKIqv'
Source: 0.2.mQY9ka5sW6hv2Ri.exe.3e905a0.6.raw.unpack, GVRvFJpS4eaHdtKgN8.cs High entropy of concatenated method names: 'uAjvPDvuly', 'aJovAyYaCU', 'JIKMu5uaNE', 'NNGMeI7pk3', 'HGAMVEmeka', 'H2HMrkxdnk', 'LwfM5THrI1', 'inFMjW2Tfa', 'mcVMsHDUXU', 'myrM8CbApQ'
Source: 0.2.mQY9ka5sW6hv2Ri.exe.3e905a0.6.raw.unpack, kZKWDRIFgoibh1hb2T.cs High entropy of concatenated method names: 'ToString', 'z8N4aeZC4f', 'sm54B0PkF1', 'Jau4uc1jOy', 'MEa4etyCDG', 'Q1F4VlCy56', 'VZP4rdcIu4', 'H5G45PqSR7', 'xnV4jyvSsD', 'P5w4sKOVHw'
Source: 0.2.mQY9ka5sW6hv2Ri.exe.3e905a0.6.raw.unpack, Ek4LhktCeUZ4vOf7Ua.cs High entropy of concatenated method names: 'hEXMdybeRd', 'TdjMo19niM', 'VnpMyvPWr9', 'r8WMk8fw89', 'vTTMpMUjh1', 'i0tM478XTt', 'H61MnWHv4R', 'K3fMmqfnxd', 'BDEMhwmJVf', 'b1FM2f9ZmF'
Source: 0.2.mQY9ka5sW6hv2Ri.exe.3e905a0.6.raw.unpack, pocZvdWaYcBDH0pnRC.cs High entropy of concatenated method names: 'e2WIyxLImo', 'wQtIkNaHH0', 'xkoItbKgxl', 'GyiIB6R5cf', 'kjvIeJvYjr', 'PYKIVIX4vU', 'piqI5a4yvv', 'u4AIjAdES3', 'vWyI882UV9', 'AnqIaxYNVf'
Source: 0.2.mQY9ka5sW6hv2Ri.exe.3e905a0.6.raw.unpack, i4UKlxTbGliEA9DbaS.cs High entropy of concatenated method names: 'QHchSwSjwi', 'skJhbk9wQp', 'nx8hih9ELx', 'HRYhNAOsGY', 'MwxhWoHpmC', 'bfehv3MNqx', 'lw9hKfyhmg', 'miWmgAl2U9', 'KInmDmGLsu', 'zfkmY2tplv'
Source: 0.2.mQY9ka5sW6hv2Ri.exe.3e905a0.6.raw.unpack, QWExWLAqoGuZC75pehx.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'gHQ2cDU1Mg', 'hdy29JQByg', 'liQ21Q157d', 'o7d2UHsmkO', 'Xk02ZcZjn5', 'iFf20V2dfw', 'HfI2gPvV6r'
Source: 0.2.mQY9ka5sW6hv2Ri.exe.3e905a0.6.raw.unpack, QdNndQQ6nZ5EJDtnt1.cs High entropy of concatenated method names: 'XGLWcmVP03', 'q1AW9O8PmB', 'n5lW17bxna', 'mNXWUSxLpE', 'lgHWZV0Nro', 'OkZW0ecwnx', 'HjBWgfP61l', 'PhNWDqX4rW', 'B0iWYp8Q3q', 'giwW6gFBfv'
Source: 0.2.mQY9ka5sW6hv2Ri.exe.3e905a0.6.raw.unpack, ktsjOqgCZu1GFFowlH.cs High entropy of concatenated method names: 'MJnmtHT1Eq', 'FGRmBsLcdj', 'uQcmuD8ItA', 'KSamegy3V9', 'ztrmc0WvyS', 'fOGmVoLmTu', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.mQY9ka5sW6hv2Ri.exe.3e905a0.6.raw.unpack, WXrH4jVeKlucQK3169.cs High entropy of concatenated method names: 'SELXO9ywk', 'TiZdl4BXI', 'hvVoagmbT', 'JumAQmALo', 'ns7kAGc1w', 's89E6F5B5', 'h4ZvHTIxB0TlueTR65', 'sfTDkQXVfeHdYw1hVl', 'G6CmgMdXj', 'nhJ2Jk5DJ'
Source: 0.2.mQY9ka5sW6hv2Ri.exe.3e905a0.6.raw.unpack, FBTy3x8mprisgqbcUr.cs High entropy of concatenated method names: 'bNCnDsop60', 'KHIn6lR7dR', 'uiWmTPrr1J', 'z6YmSceVt0', 'WKfnaeYlVx', 'D80nLVpJEC', 'A91nQIDkel', 'jWYncWn5Dt', 'LhFn9usQar', 'YvUn1XBmWC'
Source: 0.2.mQY9ka5sW6hv2Ri.exe.3e905a0.6.raw.unpack, YaIgQIyAUXnF75o8tN.cs High entropy of concatenated method names: 'Aw4mN4bEYN', 'd3NmWLfbwr', 'F8pmMyFJZS', 'w8EmvjXKvw', 'SxXmKCfb6p', 'YIdmfUsHPM', 'PVHmxCMiCs', 'Km2mqgBNkS', 'DMXm7shkCG', 'xfTmFE21gZ'
Source: 0.2.mQY9ka5sW6hv2Ri.exe.3e905a0.6.raw.unpack, VBD99jHbNBN6seWpOy.cs High entropy of concatenated method names: 'Dispose', 'sEuSYB5Cf2', 's16GBKj9IJ', 'doMHHGdMq3', 'Qw9S6B4tWJ', 'f8ySzbBWGy', 'ProcessDialogKey', 'Hm5GTlqf2e', 'eoLGSlCGZe', 'J77GGe8KcY'
Source: 0.2.mQY9ka5sW6hv2Ri.exe.3e905a0.6.raw.unpack, P1L7kyMMcEp8en6UhP.cs High entropy of concatenated method names: 'zRiK1IGB9f', 'PA7KUCK26n', 'wVmKZ1APG3', 'ToString', 'XpxK0Robnm', 'vo4KgualDF', 'E27BHysRRy7McdrhL9I', 'CxShFWsrvV6YGvsAXbM'
Source: 0.2.mQY9ka5sW6hv2Ri.exe.3e905a0.6.raw.unpack, g2Zqnh36w0L7u7l6kJ.cs High entropy of concatenated method names: 'qk5SfQ5AqH', 'RGUSxirRrN', 'RVwS7HvruL', 'BnFSFWtEeK', 'bbmSprcDb2', 'uRuS49SRSO', 'bwyrDYplvcPytTLjoN', 'ARfBeN1UyL5mDnReuL', 'cNeSS4iFjJ', 'hCNSbkry63'
Source: 0.2.mQY9ka5sW6hv2Ri.exe.3e905a0.6.raw.unpack, bS4Vc8AV0HcgkuQItZG.cs High entropy of concatenated method names: 'Wkk2JDYcLU', 'tiB2RFUT8I', 'gSw2X2XGsZ', 'sDa9pB7ds4VmovDFeMM', 'KInGwJ7Fg4WQN3TCxOF', 'kvxq6f7p2tScaSYQ9oc', 'sl83bw71f25LExvBtxO'
Source: 0.2.mQY9ka5sW6hv2Ri.exe.3e905a0.6.raw.unpack, xavLmCzdnYGj8CDZxw.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'MuahIjLKFc', 'rDWhppcb4S', 'hv0h4RdxLN', 'nCyhnD3Djk', 'sI8hmiLiyk', 'UY5hh3NOVy', 'SI9h2aotwA'
Source: 0.2.mQY9ka5sW6hv2Ri.exe.79d0000.9.raw.unpack, AcmBDkmm30oEvpwIly.cs High entropy of concatenated method names: 'rhOp8b8cbh', 'HJvpLip2Y1', 'dckpcnpuM4', 'R3Sp91ZPsJ', 'X0UpBMVKNw', 'dVIpukQPWg', 'xmCpee0gtd', 'dAMpVYZpwp', 'FYPpry6AZf', 'cTSp5oR7m9'
Source: 0.2.mQY9ka5sW6hv2Ri.exe.79d0000.9.raw.unpack, xAjfVuKcAf4Og71LT4.cs High entropy of concatenated method names: 'hU1bwi4PvH', 'OklbNQp3Uu', 'ObNbWagt0V', 'ES1bM8t9jq', 'vTRbvkOvrg', 'pOYbKjSl6c', 'xAebf3BmDZ', 'I6jbxlX6MM', 'YQFbqkdY4y', 'vcHb7Sv5WH'
Source: 0.2.mQY9ka5sW6hv2Ri.exe.79d0000.9.raw.unpack, eOKRCaoe3fhH3gYZFB.cs High entropy of concatenated method names: 'HyXKwI3iyo', 'IKcKW7pA3L', 'L0XKv7tSYB', 'mseKfTLj14', 'GcsKxSbVhx', 'metvZcKaKl', 'cPKv0MtKf8', 'FBevgZi9LQ', 'LnavDfgYPr', 'XDcvYLm0Os'
Source: 0.2.mQY9ka5sW6hv2Ri.exe.79d0000.9.raw.unpack, xAZT7rRNi7CIxwkhSs.cs High entropy of concatenated method names: 'nVKfJJecJ5', 'lBqfRRrGYa', 'utSfXt2PoB', 'UyqfdcNgJf', 'wrIfPb16aZ', 'qMffoI9vS6', 'Os7fAJ4TSb', 'BI0fyGh842', 'yEOfkeWvpe', 'd7ofEiQdjW'
Source: 0.2.mQY9ka5sW6hv2Ri.exe.79d0000.9.raw.unpack, PkyUxHhb0mm11LKqcJ.cs High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'j8BGYBsa3D', 'WjpG6gc4e7', 'KgFGzibWF6', 'csYbTSOs50', 'JiwbSgKmux', 'tENbGo3v2Z', 'pnpbbfCxRD', 'uJbmmFhsFyEmOnMWQ31'
Source: 0.2.mQY9ka5sW6hv2Ri.exe.79d0000.9.raw.unpack, CRgmFmrWJuwbjNi6aB.cs High entropy of concatenated method names: 'vFFfNYgyGQ', 'eFGfMKlN8K', 'yAPfK7TUok', 'QbTK6eVety', 'luxKz6nwmI', 'j8lfTcMTM2', 'MH8fSMDw37', 'NrOfGovrGH', 'oBdfbhnQ7p', 'FwqfibxeGA'
Source: 0.2.mQY9ka5sW6hv2Ri.exe.79d0000.9.raw.unpack, En1UhvAG0Xg43a3j3af.cs High entropy of concatenated method names: 'o5GhJuqOv1', 'cDZhRF9cJf', 'JZZhXCbDTZ', 'Js4hdjIISW', 'u8ghP42nBF', 'nrahoFtvjj', 'BHBhAtgVfM', 'sEmhyhn40q', 'IV5hkiQPwB', 'tYRhEaKIqv'
Source: 0.2.mQY9ka5sW6hv2Ri.exe.79d0000.9.raw.unpack, GVRvFJpS4eaHdtKgN8.cs High entropy of concatenated method names: 'uAjvPDvuly', 'aJovAyYaCU', 'JIKMu5uaNE', 'NNGMeI7pk3', 'HGAMVEmeka', 'H2HMrkxdnk', 'LwfM5THrI1', 'inFMjW2Tfa', 'mcVMsHDUXU', 'myrM8CbApQ'
Source: 0.2.mQY9ka5sW6hv2Ri.exe.79d0000.9.raw.unpack, kZKWDRIFgoibh1hb2T.cs High entropy of concatenated method names: 'ToString', 'z8N4aeZC4f', 'sm54B0PkF1', 'Jau4uc1jOy', 'MEa4etyCDG', 'Q1F4VlCy56', 'VZP4rdcIu4', 'H5G45PqSR7', 'xnV4jyvSsD', 'P5w4sKOVHw'
Source: 0.2.mQY9ka5sW6hv2Ri.exe.79d0000.9.raw.unpack, Ek4LhktCeUZ4vOf7Ua.cs High entropy of concatenated method names: 'hEXMdybeRd', 'TdjMo19niM', 'VnpMyvPWr9', 'r8WMk8fw89', 'vTTMpMUjh1', 'i0tM478XTt', 'H61MnWHv4R', 'K3fMmqfnxd', 'BDEMhwmJVf', 'b1FM2f9ZmF'
Source: 0.2.mQY9ka5sW6hv2Ri.exe.79d0000.9.raw.unpack, pocZvdWaYcBDH0pnRC.cs High entropy of concatenated method names: 'e2WIyxLImo', 'wQtIkNaHH0', 'xkoItbKgxl', 'GyiIB6R5cf', 'kjvIeJvYjr', 'PYKIVIX4vU', 'piqI5a4yvv', 'u4AIjAdES3', 'vWyI882UV9', 'AnqIaxYNVf'
Source: 0.2.mQY9ka5sW6hv2Ri.exe.79d0000.9.raw.unpack, i4UKlxTbGliEA9DbaS.cs High entropy of concatenated method names: 'QHchSwSjwi', 'skJhbk9wQp', 'nx8hih9ELx', 'HRYhNAOsGY', 'MwxhWoHpmC', 'bfehv3MNqx', 'lw9hKfyhmg', 'miWmgAl2U9', 'KInmDmGLsu', 'zfkmY2tplv'
Source: 0.2.mQY9ka5sW6hv2Ri.exe.79d0000.9.raw.unpack, QWExWLAqoGuZC75pehx.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'gHQ2cDU1Mg', 'hdy29JQByg', 'liQ21Q157d', 'o7d2UHsmkO', 'Xk02ZcZjn5', 'iFf20V2dfw', 'HfI2gPvV6r'
Source: 0.2.mQY9ka5sW6hv2Ri.exe.79d0000.9.raw.unpack, QdNndQQ6nZ5EJDtnt1.cs High entropy of concatenated method names: 'XGLWcmVP03', 'q1AW9O8PmB', 'n5lW17bxna', 'mNXWUSxLpE', 'lgHWZV0Nro', 'OkZW0ecwnx', 'HjBWgfP61l', 'PhNWDqX4rW', 'B0iWYp8Q3q', 'giwW6gFBfv'
Source: 0.2.mQY9ka5sW6hv2Ri.exe.79d0000.9.raw.unpack, ktsjOqgCZu1GFFowlH.cs High entropy of concatenated method names: 'MJnmtHT1Eq', 'FGRmBsLcdj', 'uQcmuD8ItA', 'KSamegy3V9', 'ztrmc0WvyS', 'fOGmVoLmTu', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.mQY9ka5sW6hv2Ri.exe.79d0000.9.raw.unpack, WXrH4jVeKlucQK3169.cs High entropy of concatenated method names: 'SELXO9ywk', 'TiZdl4BXI', 'hvVoagmbT', 'JumAQmALo', 'ns7kAGc1w', 's89E6F5B5', 'h4ZvHTIxB0TlueTR65', 'sfTDkQXVfeHdYw1hVl', 'G6CmgMdXj', 'nhJ2Jk5DJ'
Source: 0.2.mQY9ka5sW6hv2Ri.exe.79d0000.9.raw.unpack, FBTy3x8mprisgqbcUr.cs High entropy of concatenated method names: 'bNCnDsop60', 'KHIn6lR7dR', 'uiWmTPrr1J', 'z6YmSceVt0', 'WKfnaeYlVx', 'D80nLVpJEC', 'A91nQIDkel', 'jWYncWn5Dt', 'LhFn9usQar', 'YvUn1XBmWC'
Source: 0.2.mQY9ka5sW6hv2Ri.exe.79d0000.9.raw.unpack, YaIgQIyAUXnF75o8tN.cs High entropy of concatenated method names: 'Aw4mN4bEYN', 'd3NmWLfbwr', 'F8pmMyFJZS', 'w8EmvjXKvw', 'SxXmKCfb6p', 'YIdmfUsHPM', 'PVHmxCMiCs', 'Km2mqgBNkS', 'DMXm7shkCG', 'xfTmFE21gZ'
Source: 0.2.mQY9ka5sW6hv2Ri.exe.79d0000.9.raw.unpack, VBD99jHbNBN6seWpOy.cs High entropy of concatenated method names: 'Dispose', 'sEuSYB5Cf2', 's16GBKj9IJ', 'doMHHGdMq3', 'Qw9S6B4tWJ', 'f8ySzbBWGy', 'ProcessDialogKey', 'Hm5GTlqf2e', 'eoLGSlCGZe', 'J77GGe8KcY'
Source: 0.2.mQY9ka5sW6hv2Ri.exe.79d0000.9.raw.unpack, P1L7kyMMcEp8en6UhP.cs High entropy of concatenated method names: 'zRiK1IGB9f', 'PA7KUCK26n', 'wVmKZ1APG3', 'ToString', 'XpxK0Robnm', 'vo4KgualDF', 'E27BHysRRy7McdrhL9I', 'CxShFWsrvV6YGvsAXbM'
Source: 0.2.mQY9ka5sW6hv2Ri.exe.79d0000.9.raw.unpack, g2Zqnh36w0L7u7l6kJ.cs High entropy of concatenated method names: 'qk5SfQ5AqH', 'RGUSxirRrN', 'RVwS7HvruL', 'BnFSFWtEeK', 'bbmSprcDb2', 'uRuS49SRSO', 'bwyrDYplvcPytTLjoN', 'ARfBeN1UyL5mDnReuL', 'cNeSS4iFjJ', 'hCNSbkry63'
Source: 0.2.mQY9ka5sW6hv2Ri.exe.79d0000.9.raw.unpack, bS4Vc8AV0HcgkuQItZG.cs High entropy of concatenated method names: 'Wkk2JDYcLU', 'tiB2RFUT8I', 'gSw2X2XGsZ', 'sDa9pB7ds4VmovDFeMM', 'KInGwJ7Fg4WQN3TCxOF', 'kvxq6f7p2tScaSYQ9oc', 'sl83bw71f25LExvBtxO'
Source: 0.2.mQY9ka5sW6hv2Ri.exe.79d0000.9.raw.unpack, xavLmCzdnYGj8CDZxw.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'MuahIjLKFc', 'rDWhppcb4S', 'hv0h4RdxLN', 'nCyhnD3Djk', 'sI8hmiLiyk', 'UY5hh3NOVy', 'SI9h2aotwA'
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\msdt.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion
barindex
Yara detected AntiVM3
Source: Yara match File source: Process Memory Space: mQY9ka5sW6hv2Ri.exe PID: 6912, type: MEMORYSTR
Switches to a custom stack to bypass stack traces
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe API/Special instruction interceptor: Address: 7FFE2220D324
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe API/Special instruction interceptor: Address: 7FFE22210774
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe API/Special instruction interceptor: Address: 7FFE22210154
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe API/Special instruction interceptor: Address: 7FFE2220D8A4
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe API/Special instruction interceptor: Address: 7FFE2220DA44
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe API/Special instruction interceptor: Address: 7FFE2220D1E4
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe RDTSC instruction interceptor: First address: 409904 second address: 40990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe RDTSC instruction interceptor: First address: 409B7E second address: 409B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\msdt.exe RDTSC instruction interceptor: First address: 809904 second address: 80990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\msdt.exe RDTSC instruction interceptor: First address: 809B7E second address: 809B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Allocates memory with a write watch (potentially for evading sandboxes)
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Memory allocated: 1000000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Memory allocated: 2B50000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Memory allocated: 1000000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Memory allocated: 7A40000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Memory allocated: 8A40000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Memory allocated: 8CF0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Memory allocated: 9CF0000 memory reserve | memory write watch Jump to behavior
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_00409AB0 rdtsc 4_2_00409AB0
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\explorer.exe Window / User API: threadDelayed 6094 Jump to behavior
Source: C:\Windows\explorer.exe Window / User API: threadDelayed 3839 Jump to behavior
Source: C:\Windows\explorer.exe Window / User API: foregroundWindowGot 868 Jump to behavior
Source: C:\Windows\explorer.exe Window / User API: foregroundWindowGot 886 Jump to behavior
Source: C:\Windows\SysWOW64\msdt.exe Window / User API: threadDelayed 9839 Jump to behavior
Found large amount of non-executed APIs
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe API coverage: 1.7 %
Source: C:\Windows\SysWOW64\msdt.exe API coverage: 0.8 %
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe TID: 6956 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Windows\explorer.exe TID: 7112 Thread sleep time: -12188000s >= -30000s Jump to behavior
Source: C:\Windows\explorer.exe TID: 7112 Thread sleep time: -7678000s >= -30000s Jump to behavior
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\SysWOW64\msdt.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\msdt.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\msdt.exe Code function: 6_2_008B60A8 memset,GetProcessHeap,HeapAlloc,FindFirstFileW,GetProcessHeap,HeapAlloc,GetLastError,FindClose,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree, 6_2_008B60A8
Source: C:\Windows\SysWOW64\msdt.exe Code function: 6_2_008A602D GetProcessHeap,HeapAlloc,FindFirstFileW,_wcsicmp,_wcsicmp,SetFileAttributesW,GetLastError,DeleteFileW,GetLastError,FindNextFileW,FindClose,RemoveDirectoryW,GetLastError,GetProcessHeap,HeapFree, 6_2_008A602D
Source: C:\Windows\SysWOW64\msdt.exe Code function: 6_2_008A1B92 memset,GetProcessHeap,HeapAlloc,FindFirstFileW,_wcsicmp,_wcsicmp,FindNextFileW,FindClose,GetLastError,GetProcessHeap,HeapFree, 6_2_008A1B92
Source: C:\Windows\SysWOW64\msdt.exe Code function: 6_2_008A4CB6 memset,GetProcessHeap,HeapAlloc,FindFirstFileW,_wcsicmp,_wcsicmp,FindNextFileW,FindClose,GetLastError,GetProcessHeap,HeapFree, 6_2_008A4CB6
Source: C:\Windows\SysWOW64\msdt.exe Code function: 6_2_008A5C20 memset,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,CloseHandle,FindFirstFileW,_wcsicmp,_wcsicmp,GetFileAttributesW,SetFileAttributesW,GetLastError,GetFileAttributesW,SetFileAttributesW,GetLastError,DeleteFileW,CreateFileW,GetLastError,CloseHandle,FindNextFileW,FindClose,GetLastError,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,CloseHandle,CloseHandle,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree, 6_2_008A5C20
Source: C:\Windows\SysWOW64\msdt.exe Code function: 6_2_008B743A memset,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,FindFirstFileW,_wcsicmp,_wcsicmp,CopyFileW,GetLastError,FindNextFileW,FindClose,GetLastError,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree, 6_2_008B743A
Source: C:\Windows\SysWOW64\msdt.exe Code function: 6_2_008A4EDC memset,GetProcessHeap,HeapAlloc,FindFirstFileW,_wcsicmp,_wcsicmp,FindNextFileW,FindClose,GetLastError,GetProcessHeap,HeapFree, 6_2_008A4EDC
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: explorer.exe, 00000005.00000000.1666578565.00000000098A8000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: k&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: explorer.exe, 00000005.00000002.4093721221.00000000078A0000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}$
Source: explorer.exe, 00000005.00000002.4095689522.0000000009815000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: NECVMWar VMware SATA CD00\w
Source: explorer.exe, 00000005.00000003.3426649414.00000000079FB000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'
Source: explorer.exe, 00000005.00000000.1666578565.00000000098A8000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: explorer.exe, 00000005.00000002.4091496578.0000000001240000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&0000000}
Source: explorer.exe, 00000005.00000003.3426649414.00000000079FB000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000005.00000000.1666578565.0000000009977000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMware SATA CD00
Source: explorer.exe, 00000005.00000000.1663822771.00000000078AD000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: NXTTAVMWare
Source: explorer.exe, 00000005.00000002.4095689522.0000000009815000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f&0&000000
Source: explorer.exe, 00000005.00000000.1665871823.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.1665871823.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.4095689522.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3106606841.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3427001072.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3106606841.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3427001072.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.4095689522.00000000097D4000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: explorer.exe, 00000005.00000000.1666578565.0000000009977000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000
Source: explorer.exe, 00000005.00000003.3106253540.0000000007A34000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.1663822771.0000000007A34000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.4093721221.0000000007A34000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWen-GBnx
Source: explorer.exe, 00000005.00000002.4091496578.0000000001240000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
Source: explorer.exe, 00000005.00000000.1665871823.0000000009660000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000er
Source: explorer.exe, 00000005.00000002.4091496578.0000000001240000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Process information queried: ProcessInformation Jump to behavior
Checks if the current process is being debugged
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\SysWOW64\msdt.exe Process queried: DebugPort Jump to behavior
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_00409AB0 rdtsc 4_2_00409AB0
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_0040ACF0 LdrLoadDll, 4_2_0040ACF0
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Windows\SysWOW64\msdt.exe Code function: 6_2_00890FA2 GetCurrentThreadId,IsDebuggerPresent,OutputDebugStringW, 6_2_00890FA2
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_0123E10E mov eax, dword ptr fs:[00000030h] 4_2_0123E10E
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_0123E10E mov ecx, dword ptr fs:[00000030h] 4_2_0123E10E
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_0123E10E mov eax, dword ptr fs:[00000030h] 4_2_0123E10E
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_0123E10E mov eax, dword ptr fs:[00000030h] 4_2_0123E10E
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_0123E10E mov ecx, dword ptr fs:[00000030h] 4_2_0123E10E
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_0123E10E mov eax, dword ptr fs:[00000030h] 4_2_0123E10E
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_0123E10E mov eax, dword ptr fs:[00000030h] 4_2_0123E10E
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_0123E10E mov ecx, dword ptr fs:[00000030h] 4_2_0123E10E
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_0123E10E mov eax, dword ptr fs:[00000030h] 4_2_0123E10E
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_0123E10E mov ecx, dword ptr fs:[00000030h] 4_2_0123E10E
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_01250115 mov eax, dword ptr fs:[00000030h] 4_2_01250115
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_011C0124 mov eax, dword ptr fs:[00000030h] 4_2_011C0124
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_0123A118 mov ecx, dword ptr fs:[00000030h] 4_2_0123A118
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_0123A118 mov eax, dword ptr fs:[00000030h] 4_2_0123A118
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_0123A118 mov eax, dword ptr fs:[00000030h] 4_2_0123A118
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_0123A118 mov eax, dword ptr fs:[00000030h] 4_2_0123A118
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_01264164 mov eax, dword ptr fs:[00000030h] 4_2_01264164
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_01264164 mov eax, dword ptr fs:[00000030h] 4_2_01264164
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_01196154 mov eax, dword ptr fs:[00000030h] 4_2_01196154
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_01196154 mov eax, dword ptr fs:[00000030h] 4_2_01196154
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_0118C156 mov eax, dword ptr fs:[00000030h] 4_2_0118C156
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_01224144 mov eax, dword ptr fs:[00000030h] 4_2_01224144
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_01224144 mov eax, dword ptr fs:[00000030h] 4_2_01224144
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_01224144 mov ecx, dword ptr fs:[00000030h] 4_2_01224144
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_01224144 mov eax, dword ptr fs:[00000030h] 4_2_01224144
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_01224144 mov eax, dword ptr fs:[00000030h] 4_2_01224144
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_01228158 mov eax, dword ptr fs:[00000030h] 4_2_01228158
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_0118A197 mov eax, dword ptr fs:[00000030h] 4_2_0118A197
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_0118A197 mov eax, dword ptr fs:[00000030h] 4_2_0118A197
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_0118A197 mov eax, dword ptr fs:[00000030h] 4_2_0118A197
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_011D0185 mov eax, dword ptr fs:[00000030h] 4_2_011D0185
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_01234180 mov eax, dword ptr fs:[00000030h] 4_2_01234180
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_01234180 mov eax, dword ptr fs:[00000030h] 4_2_01234180
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_0124C188 mov eax, dword ptr fs:[00000030h] 4_2_0124C188
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_0124C188 mov eax, dword ptr fs:[00000030h] 4_2_0124C188
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_0121019F mov eax, dword ptr fs:[00000030h] 4_2_0121019F
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_0121019F mov eax, dword ptr fs:[00000030h] 4_2_0121019F
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_0121019F mov eax, dword ptr fs:[00000030h] 4_2_0121019F
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_0121019F mov eax, dword ptr fs:[00000030h] 4_2_0121019F
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_012661E5 mov eax, dword ptr fs:[00000030h] 4_2_012661E5
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_011C01F8 mov eax, dword ptr fs:[00000030h] 4_2_011C01F8
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_012561C3 mov eax, dword ptr fs:[00000030h] 4_2_012561C3
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_012561C3 mov eax, dword ptr fs:[00000030h] 4_2_012561C3
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_0120E1D0 mov eax, dword ptr fs:[00000030h] 4_2_0120E1D0
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_0120E1D0 mov eax, dword ptr fs:[00000030h] 4_2_0120E1D0
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_0120E1D0 mov ecx, dword ptr fs:[00000030h] 4_2_0120E1D0
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_0120E1D0 mov eax, dword ptr fs:[00000030h] 4_2_0120E1D0
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_0120E1D0 mov eax, dword ptr fs:[00000030h] 4_2_0120E1D0
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_011AE016 mov eax, dword ptr fs:[00000030h] 4_2_011AE016
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_011AE016 mov eax, dword ptr fs:[00000030h] 4_2_011AE016
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_011AE016 mov eax, dword ptr fs:[00000030h] 4_2_011AE016
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_011AE016 mov eax, dword ptr fs:[00000030h] 4_2_011AE016
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_01226030 mov eax, dword ptr fs:[00000030h] 4_2_01226030
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_01214000 mov ecx, dword ptr fs:[00000030h] 4_2_01214000
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_01232000 mov eax, dword ptr fs:[00000030h] 4_2_01232000
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_01232000 mov eax, dword ptr fs:[00000030h] 4_2_01232000
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_01232000 mov eax, dword ptr fs:[00000030h] 4_2_01232000
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_01232000 mov eax, dword ptr fs:[00000030h] 4_2_01232000
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_01232000 mov eax, dword ptr fs:[00000030h] 4_2_01232000
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_01232000 mov eax, dword ptr fs:[00000030h] 4_2_01232000
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_01232000 mov eax, dword ptr fs:[00000030h] 4_2_01232000
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_01232000 mov eax, dword ptr fs:[00000030h] 4_2_01232000
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_0118A020 mov eax, dword ptr fs:[00000030h] 4_2_0118A020
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_0118C020 mov eax, dword ptr fs:[00000030h] 4_2_0118C020
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_01192050 mov eax, dword ptr fs:[00000030h] 4_2_01192050
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_011BC073 mov eax, dword ptr fs:[00000030h] 4_2_011BC073
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_01216050 mov eax, dword ptr fs:[00000030h] 4_2_01216050
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_012280A8 mov eax, dword ptr fs:[00000030h] 4_2_012280A8
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_0119208A mov eax, dword ptr fs:[00000030h] 4_2_0119208A
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_012560B8 mov eax, dword ptr fs:[00000030h] 4_2_012560B8
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_012560B8 mov ecx, dword ptr fs:[00000030h] 4_2_012560B8
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_011880A0 mov eax, dword ptr fs:[00000030h] 4_2_011880A0
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_012160E0 mov eax, dword ptr fs:[00000030h] 4_2_012160E0
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_0118C0F0 mov eax, dword ptr fs:[00000030h] 4_2_0118C0F0
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_011D20F0 mov ecx, dword ptr fs:[00000030h] 4_2_011D20F0
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_011980E9 mov eax, dword ptr fs:[00000030h] 4_2_011980E9
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_0118A0E3 mov ecx, dword ptr fs:[00000030h] 4_2_0118A0E3
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_012120DE mov eax, dword ptr fs:[00000030h] 4_2_012120DE
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_01268324 mov eax, dword ptr fs:[00000030h] 4_2_01268324
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_01268324 mov ecx, dword ptr fs:[00000030h] 4_2_01268324
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_01268324 mov eax, dword ptr fs:[00000030h] 4_2_01268324
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_01268324 mov eax, dword ptr fs:[00000030h] 4_2_01268324
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_0118C310 mov ecx, dword ptr fs:[00000030h] 4_2_0118C310
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_011B0310 mov ecx, dword ptr fs:[00000030h] 4_2_011B0310
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_011CA30B mov eax, dword ptr fs:[00000030h] 4_2_011CA30B
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_011CA30B mov eax, dword ptr fs:[00000030h] 4_2_011CA30B
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_011CA30B mov eax, dword ptr fs:[00000030h] 4_2_011CA30B
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_0123437C mov eax, dword ptr fs:[00000030h] 4_2_0123437C
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_01212349 mov eax, dword ptr fs:[00000030h] 4_2_01212349
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_01212349 mov eax, dword ptr fs:[00000030h] 4_2_01212349
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_01212349 mov eax, dword ptr fs:[00000030h] 4_2_01212349
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_01212349 mov eax, dword ptr fs:[00000030h] 4_2_01212349
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_01212349 mov eax, dword ptr fs:[00000030h] 4_2_01212349
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_01212349 mov eax, dword ptr fs:[00000030h] 4_2_01212349
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_01212349 mov eax, dword ptr fs:[00000030h] 4_2_01212349
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_01212349 mov eax, dword ptr fs:[00000030h] 4_2_01212349
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_01212349 mov eax, dword ptr fs:[00000030h] 4_2_01212349
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_01212349 mov eax, dword ptr fs:[00000030h] 4_2_01212349
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_01212349 mov eax, dword ptr fs:[00000030h] 4_2_01212349
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_01212349 mov eax, dword ptr fs:[00000030h] 4_2_01212349
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_01212349 mov eax, dword ptr fs:[00000030h] 4_2_01212349
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_01212349 mov eax, dword ptr fs:[00000030h] 4_2_01212349
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_01212349 mov eax, dword ptr fs:[00000030h] 4_2_01212349
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_0126634F mov eax, dword ptr fs:[00000030h] 4_2_0126634F
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_01238350 mov ecx, dword ptr fs:[00000030h] 4_2_01238350
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_0125A352 mov eax, dword ptr fs:[00000030h] 4_2_0125A352
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_0121035C mov eax, dword ptr fs:[00000030h] 4_2_0121035C
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_0121035C mov eax, dword ptr fs:[00000030h] 4_2_0121035C
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_0121035C mov eax, dword ptr fs:[00000030h] 4_2_0121035C
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_0121035C mov ecx, dword ptr fs:[00000030h] 4_2_0121035C
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_0121035C mov eax, dword ptr fs:[00000030h] 4_2_0121035C
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_0121035C mov eax, dword ptr fs:[00000030h] 4_2_0121035C
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_01188397 mov eax, dword ptr fs:[00000030h] 4_2_01188397
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_01188397 mov eax, dword ptr fs:[00000030h] 4_2_01188397
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_01188397 mov eax, dword ptr fs:[00000030h] 4_2_01188397
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_0118E388 mov eax, dword ptr fs:[00000030h] 4_2_0118E388
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_0118E388 mov eax, dword ptr fs:[00000030h] 4_2_0118E388
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_0118E388 mov eax, dword ptr fs:[00000030h] 4_2_0118E388
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_011B438F mov eax, dword ptr fs:[00000030h] 4_2_011B438F
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_011B438F mov eax, dword ptr fs:[00000030h] 4_2_011B438F
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_0119A3C0 mov eax, dword ptr fs:[00000030h] 4_2_0119A3C0
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_0119A3C0 mov eax, dword ptr fs:[00000030h] 4_2_0119A3C0
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_0119A3C0 mov eax, dword ptr fs:[00000030h] 4_2_0119A3C0
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_0119A3C0 mov eax, dword ptr fs:[00000030h] 4_2_0119A3C0
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_0119A3C0 mov eax, dword ptr fs:[00000030h] 4_2_0119A3C0
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_0119A3C0 mov eax, dword ptr fs:[00000030h] 4_2_0119A3C0
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_011983C0 mov eax, dword ptr fs:[00000030h] 4_2_011983C0
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_011983C0 mov eax, dword ptr fs:[00000030h] 4_2_011983C0
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_011983C0 mov eax, dword ptr fs:[00000030h] 4_2_011983C0
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_011983C0 mov eax, dword ptr fs:[00000030h] 4_2_011983C0
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_012163C0 mov eax, dword ptr fs:[00000030h] 4_2_012163C0
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_011C63FF mov eax, dword ptr fs:[00000030h] 4_2_011C63FF
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_0124C3CD mov eax, dword ptr fs:[00000030h] 4_2_0124C3CD
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_011AE3F0 mov eax, dword ptr fs:[00000030h] 4_2_011AE3F0
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_011AE3F0 mov eax, dword ptr fs:[00000030h] 4_2_011AE3F0
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_011AE3F0 mov eax, dword ptr fs:[00000030h] 4_2_011AE3F0
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_011A03E9 mov eax, dword ptr fs:[00000030h] 4_2_011A03E9
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_011A03E9 mov eax, dword ptr fs:[00000030h] 4_2_011A03E9
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_011A03E9 mov eax, dword ptr fs:[00000030h] 4_2_011A03E9
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_011A03E9 mov eax, dword ptr fs:[00000030h] 4_2_011A03E9
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_011A03E9 mov eax, dword ptr fs:[00000030h] 4_2_011A03E9
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_011A03E9 mov eax, dword ptr fs:[00000030h] 4_2_011A03E9
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_011A03E9 mov eax, dword ptr fs:[00000030h] 4_2_011A03E9
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_011A03E9 mov eax, dword ptr fs:[00000030h] 4_2_011A03E9
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_012343D4 mov eax, dword ptr fs:[00000030h] 4_2_012343D4
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_012343D4 mov eax, dword ptr fs:[00000030h] 4_2_012343D4
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_0123E3DB mov eax, dword ptr fs:[00000030h] 4_2_0123E3DB
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_0123E3DB mov eax, dword ptr fs:[00000030h] 4_2_0123E3DB
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_0123E3DB mov ecx, dword ptr fs:[00000030h] 4_2_0123E3DB
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_0123E3DB mov eax, dword ptr fs:[00000030h] 4_2_0123E3DB
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_0118823B mov eax, dword ptr fs:[00000030h] 4_2_0118823B
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_01196259 mov eax, dword ptr fs:[00000030h] 4_2_01196259
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_0118A250 mov eax, dword ptr fs:[00000030h] 4_2_0118A250
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_01240274 mov eax, dword ptr fs:[00000030h] 4_2_01240274
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_01240274 mov eax, dword ptr fs:[00000030h] 4_2_01240274
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_01240274 mov eax, dword ptr fs:[00000030h] 4_2_01240274
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_01240274 mov eax, dword ptr fs:[00000030h] 4_2_01240274
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_01240274 mov eax, dword ptr fs:[00000030h] 4_2_01240274
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_01240274 mov eax, dword ptr fs:[00000030h] 4_2_01240274
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_01240274 mov eax, dword ptr fs:[00000030h] 4_2_01240274
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_01240274 mov eax, dword ptr fs:[00000030h] 4_2_01240274
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_01240274 mov eax, dword ptr fs:[00000030h] 4_2_01240274
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_01240274 mov eax, dword ptr fs:[00000030h] 4_2_01240274
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_01240274 mov eax, dword ptr fs:[00000030h] 4_2_01240274
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_01240274 mov eax, dword ptr fs:[00000030h] 4_2_01240274
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_01218243 mov eax, dword ptr fs:[00000030h] 4_2_01218243
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_01218243 mov ecx, dword ptr fs:[00000030h] 4_2_01218243
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_0118826B mov eax, dword ptr fs:[00000030h] 4_2_0118826B
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_0124A250 mov eax, dword ptr fs:[00000030h] 4_2_0124A250
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_0124A250 mov eax, dword ptr fs:[00000030h] 4_2_0124A250
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_01194260 mov eax, dword ptr fs:[00000030h] 4_2_01194260
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_01194260 mov eax, dword ptr fs:[00000030h] 4_2_01194260
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_01194260 mov eax, dword ptr fs:[00000030h] 4_2_01194260
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_0126625D mov eax, dword ptr fs:[00000030h] 4_2_0126625D
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_012262A0 mov eax, dword ptr fs:[00000030h] 4_2_012262A0
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_012262A0 mov ecx, dword ptr fs:[00000030h] 4_2_012262A0
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_012262A0 mov eax, dword ptr fs:[00000030h] 4_2_012262A0
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_012262A0 mov eax, dword ptr fs:[00000030h] 4_2_012262A0
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_012262A0 mov eax, dword ptr fs:[00000030h] 4_2_012262A0
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_012262A0 mov eax, dword ptr fs:[00000030h] 4_2_012262A0
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_011CE284 mov eax, dword ptr fs:[00000030h] 4_2_011CE284
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_011CE284 mov eax, dword ptr fs:[00000030h] 4_2_011CE284
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_01210283 mov eax, dword ptr fs:[00000030h] 4_2_01210283
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_01210283 mov eax, dword ptr fs:[00000030h] 4_2_01210283
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_01210283 mov eax, dword ptr fs:[00000030h] 4_2_01210283
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_011A02A0 mov eax, dword ptr fs:[00000030h] 4_2_011A02A0
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_011A02A0 mov eax, dword ptr fs:[00000030h] 4_2_011A02A0
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_0119A2C3 mov eax, dword ptr fs:[00000030h] 4_2_0119A2C3
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_0119A2C3 mov eax, dword ptr fs:[00000030h] 4_2_0119A2C3
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_0119A2C3 mov eax, dword ptr fs:[00000030h] 4_2_0119A2C3
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_0119A2C3 mov eax, dword ptr fs:[00000030h] 4_2_0119A2C3
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_0119A2C3 mov eax, dword ptr fs:[00000030h] 4_2_0119A2C3
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_012662D6 mov eax, dword ptr fs:[00000030h] 4_2_012662D6
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_011A02E1 mov eax, dword ptr fs:[00000030h] 4_2_011A02E1
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_011A02E1 mov eax, dword ptr fs:[00000030h] 4_2_011A02E1
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_011A02E1 mov eax, dword ptr fs:[00000030h] 4_2_011A02E1
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_01226500 mov eax, dword ptr fs:[00000030h] 4_2_01226500
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_011BE53E mov eax, dword ptr fs:[00000030h] 4_2_011BE53E
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_011BE53E mov eax, dword ptr fs:[00000030h] 4_2_011BE53E
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_011BE53E mov eax, dword ptr fs:[00000030h] 4_2_011BE53E
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_011BE53E mov eax, dword ptr fs:[00000030h] 4_2_011BE53E
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_011BE53E mov eax, dword ptr fs:[00000030h] 4_2_011BE53E
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_01264500 mov eax, dword ptr fs:[00000030h] 4_2_01264500
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_01264500 mov eax, dword ptr fs:[00000030h] 4_2_01264500
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_01264500 mov eax, dword ptr fs:[00000030h] 4_2_01264500
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_01264500 mov eax, dword ptr fs:[00000030h] 4_2_01264500
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_01264500 mov eax, dword ptr fs:[00000030h] 4_2_01264500
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_01264500 mov eax, dword ptr fs:[00000030h] 4_2_01264500
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_01264500 mov eax, dword ptr fs:[00000030h] 4_2_01264500
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_011A0535 mov eax, dword ptr fs:[00000030h] 4_2_011A0535
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_011A0535 mov eax, dword ptr fs:[00000030h] 4_2_011A0535
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_011A0535 mov eax, dword ptr fs:[00000030h] 4_2_011A0535
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_011A0535 mov eax, dword ptr fs:[00000030h] 4_2_011A0535
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_011A0535 mov eax, dword ptr fs:[00000030h] 4_2_011A0535
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_011A0535 mov eax, dword ptr fs:[00000030h] 4_2_011A0535
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_01198550 mov eax, dword ptr fs:[00000030h] 4_2_01198550
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_01198550 mov eax, dword ptr fs:[00000030h] 4_2_01198550
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_011C656A mov eax, dword ptr fs:[00000030h] 4_2_011C656A
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_011C656A mov eax, dword ptr fs:[00000030h] 4_2_011C656A
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_011C656A mov eax, dword ptr fs:[00000030h] 4_2_011C656A
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_011CE59C mov eax, dword ptr fs:[00000030h] 4_2_011CE59C
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_012105A7 mov eax, dword ptr fs:[00000030h] 4_2_012105A7
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_012105A7 mov eax, dword ptr fs:[00000030h] 4_2_012105A7
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_012105A7 mov eax, dword ptr fs:[00000030h] 4_2_012105A7
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_011C4588 mov eax, dword ptr fs:[00000030h] 4_2_011C4588
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_01192582 mov eax, dword ptr fs:[00000030h] 4_2_01192582
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_01192582 mov ecx, dword ptr fs:[00000030h] 4_2_01192582
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_011B45B1 mov eax, dword ptr fs:[00000030h] 4_2_011B45B1
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_011B45B1 mov eax, dword ptr fs:[00000030h] 4_2_011B45B1
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_011965D0 mov eax, dword ptr fs:[00000030h] 4_2_011965D0
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_011CA5D0 mov eax, dword ptr fs:[00000030h] 4_2_011CA5D0
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_011CA5D0 mov eax, dword ptr fs:[00000030h] 4_2_011CA5D0
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_011CE5CF mov eax, dword ptr fs:[00000030h] 4_2_011CE5CF
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_011CE5CF mov eax, dword ptr fs:[00000030h] 4_2_011CE5CF
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_011CC5ED mov eax, dword ptr fs:[00000030h] 4_2_011CC5ED
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_011CC5ED mov eax, dword ptr fs:[00000030h] 4_2_011CC5ED
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_011925E0 mov eax, dword ptr fs:[00000030h] 4_2_011925E0
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_011BE5E7 mov eax, dword ptr fs:[00000030h] 4_2_011BE5E7
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_011BE5E7 mov eax, dword ptr fs:[00000030h] 4_2_011BE5E7
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_011BE5E7 mov eax, dword ptr fs:[00000030h] 4_2_011BE5E7
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_011BE5E7 mov eax, dword ptr fs:[00000030h] 4_2_011BE5E7
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_011BE5E7 mov eax, dword ptr fs:[00000030h] 4_2_011BE5E7
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_011BE5E7 mov eax, dword ptr fs:[00000030h] 4_2_011BE5E7
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_011BE5E7 mov eax, dword ptr fs:[00000030h] 4_2_011BE5E7
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_011BE5E7 mov eax, dword ptr fs:[00000030h] 4_2_011BE5E7
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_01216420 mov eax, dword ptr fs:[00000030h] 4_2_01216420
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_01216420 mov eax, dword ptr fs:[00000030h] 4_2_01216420
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_01216420 mov eax, dword ptr fs:[00000030h] 4_2_01216420
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_01216420 mov eax, dword ptr fs:[00000030h] 4_2_01216420
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_01216420 mov eax, dword ptr fs:[00000030h] 4_2_01216420
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_01216420 mov eax, dword ptr fs:[00000030h] 4_2_01216420
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_01216420 mov eax, dword ptr fs:[00000030h] 4_2_01216420
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_011C8402 mov eax, dword ptr fs:[00000030h] 4_2_011C8402
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_011C8402 mov eax, dword ptr fs:[00000030h] 4_2_011C8402
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_011C8402 mov eax, dword ptr fs:[00000030h] 4_2_011C8402
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_0118E420 mov eax, dword ptr fs:[00000030h] 4_2_0118E420
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_0118E420 mov eax, dword ptr fs:[00000030h] 4_2_0118E420
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_0118E420 mov eax, dword ptr fs:[00000030h] 4_2_0118E420
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_0118C427 mov eax, dword ptr fs:[00000030h] 4_2_0118C427
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_011B245A mov eax, dword ptr fs:[00000030h] 4_2_011B245A
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_0121C460 mov ecx, dword ptr fs:[00000030h] 4_2_0121C460
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_0118645D mov eax, dword ptr fs:[00000030h] 4_2_0118645D
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_011CE443 mov eax, dword ptr fs:[00000030h] 4_2_011CE443
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_011CE443 mov eax, dword ptr fs:[00000030h] 4_2_011CE443
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_011CE443 mov eax, dword ptr fs:[00000030h] 4_2_011CE443
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_011CE443 mov eax, dword ptr fs:[00000030h] 4_2_011CE443
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_011CE443 mov eax, dword ptr fs:[00000030h] 4_2_011CE443
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_011CE443 mov eax, dword ptr fs:[00000030h] 4_2_011CE443
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_011CE443 mov eax, dword ptr fs:[00000030h] 4_2_011CE443
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_011CE443 mov eax, dword ptr fs:[00000030h] 4_2_011CE443
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_011BA470 mov eax, dword ptr fs:[00000030h] 4_2_011BA470
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_011BA470 mov eax, dword ptr fs:[00000030h] 4_2_011BA470
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_011BA470 mov eax, dword ptr fs:[00000030h] 4_2_011BA470
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_0124A456 mov eax, dword ptr fs:[00000030h] 4_2_0124A456
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_0121A4B0 mov eax, dword ptr fs:[00000030h] 4_2_0121A4B0
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_011C44B0 mov ecx, dword ptr fs:[00000030h] 4_2_011C44B0
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_011964AB mov eax, dword ptr fs:[00000030h] 4_2_011964AB
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_0124A49A mov eax, dword ptr fs:[00000030h] 4_2_0124A49A
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_011904E5 mov ecx, dword ptr fs:[00000030h] 4_2_011904E5
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_01190710 mov eax, dword ptr fs:[00000030h] 4_2_01190710
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_011C0710 mov eax, dword ptr fs:[00000030h] 4_2_011C0710
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_0120C730 mov eax, dword ptr fs:[00000030h] 4_2_0120C730
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_011CC700 mov eax, dword ptr fs:[00000030h] 4_2_011CC700
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_011C273C mov eax, dword ptr fs:[00000030h] 4_2_011C273C
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_011C273C mov ecx, dword ptr fs:[00000030h] 4_2_011C273C
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_011C273C mov eax, dword ptr fs:[00000030h] 4_2_011C273C
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_011CC720 mov eax, dword ptr fs:[00000030h] 4_2_011CC720
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_011CC720 mov eax, dword ptr fs:[00000030h] 4_2_011CC720
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_01190750 mov eax, dword ptr fs:[00000030h] 4_2_01190750
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_011D2750 mov eax, dword ptr fs:[00000030h] 4_2_011D2750
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_011D2750 mov eax, dword ptr fs:[00000030h] 4_2_011D2750
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_011C674D mov esi, dword ptr fs:[00000030h] 4_2_011C674D
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_011C674D mov eax, dword ptr fs:[00000030h] 4_2_011C674D
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_011C674D mov eax, dword ptr fs:[00000030h] 4_2_011C674D
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_01198770 mov eax, dword ptr fs:[00000030h] 4_2_01198770
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_011A0770 mov eax, dword ptr fs:[00000030h] 4_2_011A0770
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_011A0770 mov eax, dword ptr fs:[00000030h] 4_2_011A0770
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_011A0770 mov eax, dword ptr fs:[00000030h] 4_2_011A0770
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_011A0770 mov eax, dword ptr fs:[00000030h] 4_2_011A0770
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_011A0770 mov eax, dword ptr fs:[00000030h] 4_2_011A0770
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_011A0770 mov eax, dword ptr fs:[00000030h] 4_2_011A0770
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_011A0770 mov eax, dword ptr fs:[00000030h] 4_2_011A0770
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_011A0770 mov eax, dword ptr fs:[00000030h] 4_2_011A0770
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_011A0770 mov eax, dword ptr fs:[00000030h] 4_2_011A0770
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_011A0770 mov eax, dword ptr fs:[00000030h] 4_2_011A0770
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_011A0770 mov eax, dword ptr fs:[00000030h] 4_2_011A0770
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_011A0770 mov eax, dword ptr fs:[00000030h] 4_2_011A0770
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_01214755 mov eax, dword ptr fs:[00000030h] 4_2_01214755
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_0121E75D mov eax, dword ptr fs:[00000030h] 4_2_0121E75D
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_012447A0 mov eax, dword ptr fs:[00000030h] 4_2_012447A0
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_0123678E mov eax, dword ptr fs:[00000030h] 4_2_0123678E
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_011907AF mov eax, dword ptr fs:[00000030h] 4_2_011907AF
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_0121E7E1 mov eax, dword ptr fs:[00000030h] 4_2_0121E7E1
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_0119C7C0 mov eax, dword ptr fs:[00000030h] 4_2_0119C7C0
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_012107C3 mov eax, dword ptr fs:[00000030h] 4_2_012107C3
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_011947FB mov eax, dword ptr fs:[00000030h] 4_2_011947FB
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_011947FB mov eax, dword ptr fs:[00000030h] 4_2_011947FB
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_011B27ED mov eax, dword ptr fs:[00000030h] 4_2_011B27ED
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_011B27ED mov eax, dword ptr fs:[00000030h] 4_2_011B27ED
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_011B27ED mov eax, dword ptr fs:[00000030h] 4_2_011B27ED
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_011D2619 mov eax, dword ptr fs:[00000030h] 4_2_011D2619
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_011A260B mov eax, dword ptr fs:[00000030h] 4_2_011A260B
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_011A260B mov eax, dword ptr fs:[00000030h] 4_2_011A260B
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_011A260B mov eax, dword ptr fs:[00000030h] 4_2_011A260B
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_011A260B mov eax, dword ptr fs:[00000030h] 4_2_011A260B
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_011A260B mov eax, dword ptr fs:[00000030h] 4_2_011A260B
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_011A260B mov eax, dword ptr fs:[00000030h] 4_2_011A260B
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_011A260B mov eax, dword ptr fs:[00000030h] 4_2_011A260B
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_0120E609 mov eax, dword ptr fs:[00000030h] 4_2_0120E609
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_0119262C mov eax, dword ptr fs:[00000030h] 4_2_0119262C
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_011C6620 mov eax, dword ptr fs:[00000030h] 4_2_011C6620
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_011C8620 mov eax, dword ptr fs:[00000030h] 4_2_011C8620
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_011AE627 mov eax, dword ptr fs:[00000030h] 4_2_011AE627
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_0125866E mov eax, dword ptr fs:[00000030h] 4_2_0125866E
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_0125866E mov eax, dword ptr fs:[00000030h] 4_2_0125866E
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_011AC640 mov eax, dword ptr fs:[00000030h] 4_2_011AC640
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_011C2674 mov eax, dword ptr fs:[00000030h] 4_2_011C2674
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_011CA660 mov eax, dword ptr fs:[00000030h] 4_2_011CA660
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_011CA660 mov eax, dword ptr fs:[00000030h] 4_2_011CA660
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_01194690 mov eax, dword ptr fs:[00000030h] 4_2_01194690
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_01194690 mov eax, dword ptr fs:[00000030h] 4_2_01194690
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_011C66B0 mov eax, dword ptr fs:[00000030h] 4_2_011C66B0
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_011CC6A6 mov eax, dword ptr fs:[00000030h] 4_2_011CC6A6
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_012106F1 mov eax, dword ptr fs:[00000030h] 4_2_012106F1
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_012106F1 mov eax, dword ptr fs:[00000030h] 4_2_012106F1
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_0120E6F2 mov eax, dword ptr fs:[00000030h] 4_2_0120E6F2
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_0120E6F2 mov eax, dword ptr fs:[00000030h] 4_2_0120E6F2
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_0120E6F2 mov eax, dword ptr fs:[00000030h] 4_2_0120E6F2
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_0120E6F2 mov eax, dword ptr fs:[00000030h] 4_2_0120E6F2
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_011CA6C7 mov ebx, dword ptr fs:[00000030h] 4_2_011CA6C7
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_011CA6C7 mov eax, dword ptr fs:[00000030h] 4_2_011CA6C7
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_01188918 mov eax, dword ptr fs:[00000030h] 4_2_01188918
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_01188918 mov eax, dword ptr fs:[00000030h] 4_2_01188918
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_0122892B mov eax, dword ptr fs:[00000030h] 4_2_0122892B
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_0121892A mov eax, dword ptr fs:[00000030h] 4_2_0121892A
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_0120E908 mov eax, dword ptr fs:[00000030h] 4_2_0120E908
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_0120E908 mov eax, dword ptr fs:[00000030h] 4_2_0120E908
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_0121C912 mov eax, dword ptr fs:[00000030h] 4_2_0121C912
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_01234978 mov eax, dword ptr fs:[00000030h] 4_2_01234978
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_01234978 mov eax, dword ptr fs:[00000030h] 4_2_01234978
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_0121C97C mov eax, dword ptr fs:[00000030h] 4_2_0121C97C
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_01264940 mov eax, dword ptr fs:[00000030h] 4_2_01264940
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_01210946 mov eax, dword ptr fs:[00000030h] 4_2_01210946
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_011D096E mov eax, dword ptr fs:[00000030h] 4_2_011D096E
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_011D096E mov edx, dword ptr fs:[00000030h] 4_2_011D096E
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_011D096E mov eax, dword ptr fs:[00000030h] 4_2_011D096E
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_011B6962 mov eax, dword ptr fs:[00000030h] 4_2_011B6962
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_011B6962 mov eax, dword ptr fs:[00000030h] 4_2_011B6962
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_011B6962 mov eax, dword ptr fs:[00000030h] 4_2_011B6962
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_012189B3 mov esi, dword ptr fs:[00000030h] 4_2_012189B3
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_012189B3 mov eax, dword ptr fs:[00000030h] 4_2_012189B3
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_012189B3 mov eax, dword ptr fs:[00000030h] 4_2_012189B3
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_011909AD mov eax, dword ptr fs:[00000030h] 4_2_011909AD
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_011909AD mov eax, dword ptr fs:[00000030h] 4_2_011909AD
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_011A29A0 mov eax, dword ptr fs:[00000030h] 4_2_011A29A0
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_011A29A0 mov eax, dword ptr fs:[00000030h] 4_2_011A29A0
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_011A29A0 mov eax, dword ptr fs:[00000030h] 4_2_011A29A0
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_011A29A0 mov eax, dword ptr fs:[00000030h] 4_2_011A29A0
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_011A29A0 mov eax, dword ptr fs:[00000030h] 4_2_011A29A0
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_011A29A0 mov eax, dword ptr fs:[00000030h] 4_2_011A29A0
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_011A29A0 mov eax, dword ptr fs:[00000030h] 4_2_011A29A0
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_011A29A0 mov eax, dword ptr fs:[00000030h] 4_2_011A29A0
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_011A29A0 mov eax, dword ptr fs:[00000030h] 4_2_011A29A0
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_011A29A0 mov eax, dword ptr fs:[00000030h] 4_2_011A29A0
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_011A29A0 mov eax, dword ptr fs:[00000030h] 4_2_011A29A0
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_011A29A0 mov eax, dword ptr fs:[00000030h] 4_2_011A29A0
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_011A29A0 mov eax, dword ptr fs:[00000030h] 4_2_011A29A0
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_0121E9E0 mov eax, dword ptr fs:[00000030h] 4_2_0121E9E0
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_0119A9D0 mov eax, dword ptr fs:[00000030h] 4_2_0119A9D0
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_0119A9D0 mov eax, dword ptr fs:[00000030h] 4_2_0119A9D0
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_0119A9D0 mov eax, dword ptr fs:[00000030h] 4_2_0119A9D0
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_0119A9D0 mov eax, dword ptr fs:[00000030h] 4_2_0119A9D0
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_0119A9D0 mov eax, dword ptr fs:[00000030h] 4_2_0119A9D0
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_0119A9D0 mov eax, dword ptr fs:[00000030h] 4_2_0119A9D0
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_011C49D0 mov eax, dword ptr fs:[00000030h] 4_2_011C49D0
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_012269C0 mov eax, dword ptr fs:[00000030h] 4_2_012269C0
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_011C29F9 mov eax, dword ptr fs:[00000030h] 4_2_011C29F9
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_011C29F9 mov eax, dword ptr fs:[00000030h] 4_2_011C29F9
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_0125A9D3 mov eax, dword ptr fs:[00000030h] 4_2_0125A9D3
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_0123483A mov eax, dword ptr fs:[00000030h] 4_2_0123483A
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_0123483A mov eax, dword ptr fs:[00000030h] 4_2_0123483A
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_011CA830 mov eax, dword ptr fs:[00000030h] 4_2_011CA830
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_011B2835 mov eax, dword ptr fs:[00000030h] 4_2_011B2835
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_011B2835 mov eax, dword ptr fs:[00000030h] 4_2_011B2835
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_011B2835 mov eax, dword ptr fs:[00000030h] 4_2_011B2835
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_011B2835 mov ecx, dword ptr fs:[00000030h] 4_2_011B2835
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_011B2835 mov eax, dword ptr fs:[00000030h] 4_2_011B2835
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_011B2835 mov eax, dword ptr fs:[00000030h] 4_2_011B2835
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_0121C810 mov eax, dword ptr fs:[00000030h] 4_2_0121C810
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_01194859 mov eax, dword ptr fs:[00000030h] 4_2_01194859
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_01194859 mov eax, dword ptr fs:[00000030h] 4_2_01194859
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_011C0854 mov eax, dword ptr fs:[00000030h] 4_2_011C0854
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_01226870 mov eax, dword ptr fs:[00000030h] 4_2_01226870
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_01226870 mov eax, dword ptr fs:[00000030h] 4_2_01226870
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_0121E872 mov eax, dword ptr fs:[00000030h] 4_2_0121E872
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_0121E872 mov eax, dword ptr fs:[00000030h] 4_2_0121E872
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_011A2840 mov ecx, dword ptr fs:[00000030h] 4_2_011A2840
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_01190887 mov eax, dword ptr fs:[00000030h] 4_2_01190887
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_0121C89D mov eax, dword ptr fs:[00000030h] 4_2_0121C89D
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_0125A8E4 mov eax, dword ptr fs:[00000030h] 4_2_0125A8E4
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_011BE8C0 mov eax, dword ptr fs:[00000030h] 4_2_011BE8C0
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_011CC8F9 mov eax, dword ptr fs:[00000030h] 4_2_011CC8F9
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_011CC8F9 mov eax, dword ptr fs:[00000030h] 4_2_011CC8F9
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_012608C0 mov eax, dword ptr fs:[00000030h] 4_2_012608C0
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_01258B28 mov eax, dword ptr fs:[00000030h] 4_2_01258B28
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_01258B28 mov eax, dword ptr fs:[00000030h] 4_2_01258B28
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_01264B00 mov eax, dword ptr fs:[00000030h] 4_2_01264B00
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_011BEB20 mov eax, dword ptr fs:[00000030h] 4_2_011BEB20
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_011BEB20 mov eax, dword ptr fs:[00000030h] 4_2_011BEB20
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_0120EB1D mov eax, dword ptr fs:[00000030h] 4_2_0120EB1D
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_0120EB1D mov eax, dword ptr fs:[00000030h] 4_2_0120EB1D
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_0120EB1D mov eax, dword ptr fs:[00000030h] 4_2_0120EB1D
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_0120EB1D mov eax, dword ptr fs:[00000030h] 4_2_0120EB1D
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_0120EB1D mov eax, dword ptr fs:[00000030h] 4_2_0120EB1D
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_0120EB1D mov eax, dword ptr fs:[00000030h] 4_2_0120EB1D
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_0120EB1D mov eax, dword ptr fs:[00000030h] 4_2_0120EB1D
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_0120EB1D mov eax, dword ptr fs:[00000030h] 4_2_0120EB1D
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_0120EB1D mov eax, dword ptr fs:[00000030h] 4_2_0120EB1D
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_01188B50 mov eax, dword ptr fs:[00000030h] 4_2_01188B50
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_01238B42 mov eax, dword ptr fs:[00000030h] 4_2_01238B42
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_01226B40 mov eax, dword ptr fs:[00000030h] 4_2_01226B40
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_01226B40 mov eax, dword ptr fs:[00000030h] 4_2_01226B40
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_0125AB40 mov eax, dword ptr fs:[00000030h] 4_2_0125AB40
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_0118CB7E mov eax, dword ptr fs:[00000030h] 4_2_0118CB7E
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_01244B4B mov eax, dword ptr fs:[00000030h] 4_2_01244B4B
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_01244B4B mov eax, dword ptr fs:[00000030h] 4_2_01244B4B
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_01262B57 mov eax, dword ptr fs:[00000030h] 4_2_01262B57
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_01262B57 mov eax, dword ptr fs:[00000030h] 4_2_01262B57
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_01262B57 mov eax, dword ptr fs:[00000030h] 4_2_01262B57
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_01262B57 mov eax, dword ptr fs:[00000030h] 4_2_01262B57
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_0123EB50 mov eax, dword ptr fs:[00000030h] 4_2_0123EB50
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_01244BB0 mov eax, dword ptr fs:[00000030h] 4_2_01244BB0
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_01244BB0 mov eax, dword ptr fs:[00000030h] 4_2_01244BB0
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_011A0BBE mov eax, dword ptr fs:[00000030h] 4_2_011A0BBE
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_011A0BBE mov eax, dword ptr fs:[00000030h] 4_2_011A0BBE
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_011B0BCB mov eax, dword ptr fs:[00000030h] 4_2_011B0BCB
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_011B0BCB mov eax, dword ptr fs:[00000030h] 4_2_011B0BCB
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_011B0BCB mov eax, dword ptr fs:[00000030h] 4_2_011B0BCB
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_0121CBF0 mov eax, dword ptr fs:[00000030h] 4_2_0121CBF0
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_01190BCD mov eax, dword ptr fs:[00000030h] 4_2_01190BCD
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_01190BCD mov eax, dword ptr fs:[00000030h] 4_2_01190BCD
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_01190BCD mov eax, dword ptr fs:[00000030h] 4_2_01190BCD
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_011BEBFC mov eax, dword ptr fs:[00000030h] 4_2_011BEBFC
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_01198BF0 mov eax, dword ptr fs:[00000030h] 4_2_01198BF0
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_01198BF0 mov eax, dword ptr fs:[00000030h] 4_2_01198BF0
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_01198BF0 mov eax, dword ptr fs:[00000030h] 4_2_01198BF0
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_0123EBD0 mov eax, dword ptr fs:[00000030h] 4_2_0123EBD0
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_011B4A35 mov eax, dword ptr fs:[00000030h] 4_2_011B4A35
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_011B4A35 mov eax, dword ptr fs:[00000030h] 4_2_011B4A35
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_0121CA11 mov eax, dword ptr fs:[00000030h] 4_2_0121CA11
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_011BEA2E mov eax, dword ptr fs:[00000030h] 4_2_011BEA2E
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_011CCA24 mov eax, dword ptr fs:[00000030h] 4_2_011CCA24
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_011A0A5B mov eax, dword ptr fs:[00000030h] 4_2_011A0A5B
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_011A0A5B mov eax, dword ptr fs:[00000030h] 4_2_011A0A5B
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_0123EA60 mov eax, dword ptr fs:[00000030h] 4_2_0123EA60
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_01196A50 mov eax, dword ptr fs:[00000030h] 4_2_01196A50
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_01196A50 mov eax, dword ptr fs:[00000030h] 4_2_01196A50
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_01196A50 mov eax, dword ptr fs:[00000030h] 4_2_01196A50
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_01196A50 mov eax, dword ptr fs:[00000030h] 4_2_01196A50
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_01196A50 mov eax, dword ptr fs:[00000030h] 4_2_01196A50
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_01196A50 mov eax, dword ptr fs:[00000030h] 4_2_01196A50
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_01196A50 mov eax, dword ptr fs:[00000030h] 4_2_01196A50
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_0120CA72 mov eax, dword ptr fs:[00000030h] 4_2_0120CA72
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_0120CA72 mov eax, dword ptr fs:[00000030h] 4_2_0120CA72
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_011CCA6F mov eax, dword ptr fs:[00000030h] 4_2_011CCA6F
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_011CCA6F mov eax, dword ptr fs:[00000030h] 4_2_011CCA6F
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_011CCA6F mov eax, dword ptr fs:[00000030h] 4_2_011CCA6F
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_011C8A90 mov edx, dword ptr fs:[00000030h] 4_2_011C8A90
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_0119EA80 mov eax, dword ptr fs:[00000030h] 4_2_0119EA80
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_0119EA80 mov eax, dword ptr fs:[00000030h] 4_2_0119EA80
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_0119EA80 mov eax, dword ptr fs:[00000030h] 4_2_0119EA80
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_0119EA80 mov eax, dword ptr fs:[00000030h] 4_2_0119EA80
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_0119EA80 mov eax, dword ptr fs:[00000030h] 4_2_0119EA80
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_0119EA80 mov eax, dword ptr fs:[00000030h] 4_2_0119EA80
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_0119EA80 mov eax, dword ptr fs:[00000030h] 4_2_0119EA80
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_0119EA80 mov eax, dword ptr fs:[00000030h] 4_2_0119EA80
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_0119EA80 mov eax, dword ptr fs:[00000030h] 4_2_0119EA80
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_01264A80 mov eax, dword ptr fs:[00000030h] 4_2_01264A80
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_01198AA0 mov eax, dword ptr fs:[00000030h] 4_2_01198AA0
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Code function: 4_2_01198AA0 mov eax, dword ptr fs:[00000030h] 4_2_01198AA0
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Windows\SysWOW64\msdt.exe Code function: 6_2_008A889E memset,WinSqmAddToStreamEx,SysFreeString,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree, 6_2_008A889E
Enables debug privileges
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\SysWOW64\msdt.exe Code function: 6_2_008C0C80 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 6_2_008C0C80
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion
barindex
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe Network Connect: 3.226.182.14 80 Jump to behavior
Source: C:\Windows\explorer.exe Network Connect: 185.53.179.90 80 Jump to behavior
Source: C:\Windows\explorer.exe Network Connect: 185.151.30.212 80 Jump to behavior
Source: C:\Windows\explorer.exe Network Connect: 147.92.43.172 80 Jump to behavior
Source: C:\Windows\explorer.exe Network Connect: 3.33.130.190 80 Jump to behavior
Source: C:\Windows\explorer.exe Network Connect: 104.21.74.89 80 Jump to behavior
Found direct / indirect Syscall (likely to bypass EDR)
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe NtQueueApcThread: Indirect: 0xE8A4F2 Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe NtClose: Indirect: 0xE8A56C
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe NtClose: Indirect: 0x10DA56C
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe NtQueueApcThread: Indirect: 0x10DA4F2 Jump to behavior
Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Memory written: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe base: 400000 value starts with: 4D5A Jump to behavior
Maps a DLL or memory area into another process
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Section loaded: NULL target: C:\Windows\SysWOW64\msdt.exe protection: execute and read and write Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Section loaded: NULL target: C:\Windows\SysWOW64\msdt.exe protection: execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\msdt.exe Section loaded: NULL target: C:\Windows\explorer.exe protection: read write Jump to behavior
Source: C:\Windows\SysWOW64\msdt.exe Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write Jump to behavior
Modifies the context of a thread in another process (thread injection)
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Thread register set: target process: 2580 Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Thread register set: target process: 2580 Jump to behavior
Source: C:\Windows\SysWOW64\msdt.exe Thread register set: target process: 2580 Jump to behavior
Queues an APC in another process (thread injection)
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Thread APC queued: target process: C:\Windows\explorer.exe Jump to behavior
Sample uses process hollowing technique
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Section unmapped: C:\Windows\SysWOW64\msdt.exe base address: 870000 Jump to behavior
Contains functionality to launch a program with higher privileges
Source: C:\Windows\SysWOW64\msdt.exe Code function: 6_2_00892710 memset,GetModuleFileNameW,GetLastError,ShellExecuteExW,CreateThread,GetLastError,GetProcessHeap,HeapFree,GetLastError, 6_2_00892710
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Process created: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe "C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe" Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Process created: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe "C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe" Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Process created: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe "C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe" Jump to behavior
Source: C:\Windows\SysWOW64\msdt.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe" Jump to behavior
Source: explorer.exe, 00000005.00000002.4093500056.0000000004CE0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3427001072.0000000009815000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3106606841.0000000009815000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000005.00000002.4091961839.00000000018A1000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000000.1661857338.00000000018A0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progman
Source: explorer.exe, 00000005.00000000.1661541002.0000000001240000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.4091496578.0000000001240000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 1Progman$
Source: explorer.exe, 00000005.00000002.4091961839.00000000018A1000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000000.1661857338.00000000018A0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progmanlock
Source: explorer.exe, 00000005.00000002.4091961839.00000000018A1000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000000.1661857338.00000000018A0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: }Program Manager
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Queries volume information: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\msdt.exe Code function: 6_2_008A7E50 GetProcessHeap,HeapAlloc,ConvertStringSecurityDescriptorToSecurityDescriptorW,GetLastError,CreateEventW,CreateNamedPipeW,ConnectNamedPipe,GetLastError,GetLastError,GetLastError,GetProcessHeap,HeapFree,LocalFree, 6_2_008A7E50
Source: C:\Windows\SysWOW64\msdt.exe Code function: 6_2_008A7A8E GetSystemTime, 6_2_008A7A8E
Source: C:\Windows\SysWOW64\msdt.exe Code function: 6_2_00884764 GetProcessHeap,HeapAlloc,GetUserNameExW,GetLastError,SysFreeString,GetProcessHeap,HeapFree, 6_2_00884764
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information
barindex
Yara detected FormBook
Source: Yara match File source: 4.2.mQY9ka5sW6hv2Ri.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.mQY9ka5sW6hv2Ri.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000006.00000002.4091352522.0000000000800000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.4091996606.0000000004650000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.1771101612.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.4091719375.0000000002E20000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1660916542.0000000003B59000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality
barindex
Yara detected FormBook
Source: Yara match File source: 4.2.mQY9ka5sW6hv2Ri.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.mQY9ka5sW6hv2Ri.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000006.00000002.4091352522.0000000000800000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.4091996606.0000000004650000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.1771101612.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.4091719375.0000000002E20000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1660916542.0000000003B59000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1465619 Sample: mQY9ka5sW6hv2Ri.exe Startdate: 01/07/2024 Architecture: WINDOWS Score: 100 35 www.b0ba138.xyz 2->35 37 www.umeshraja.com 2->37 39 14 other IPs or domains 2->39 47 Snort IDS alert for network traffic 2->47 49 Found malware configuration 2->49 51 Malicious sample detected (through community Yara rule) 2->51 55 8 other signatures 2->55 11 mQY9ka5sW6hv2Ri.exe 3 2->11         started        signatures3 53 Performs DNS queries to domains with low reputation 35->53 process4 file5 33 C:\Users\user\...\mQY9ka5sW6hv2Ri.exe.log, ASCII 11->33 dropped 65 Tries to detect virtualization through RDTSC time measurements 11->65 67 Injects a PE file into a foreign processes 11->67 69 Switches to a custom stack to bypass stack traces 11->69 15 mQY9ka5sW6hv2Ri.exe 11->15         started        18 mQY9ka5sW6hv2Ri.exe 11->18         started        20 mQY9ka5sW6hv2Ri.exe 11->20         started        signatures6 process7 signatures8 71 Modifies the context of a thread in another process (thread injection) 15->71 73 Maps a DLL or memory area into another process 15->73 75 Sample uses process hollowing technique 15->75 77 2 other signatures 15->77 22 explorer.exe 65 1 15->22 injected process9 dnsIp10 41 www.cpuk-finance.com 185.151.30.212, 49746, 80 TWENTYIGB United Kingdom 22->41 43 www.real-estate-96841.bond 185.53.179.90, 49741, 80 TEAMINTERNET-ASDE Germany 22->43 45 4 other IPs or domains 22->45 57 System process connects to network (likely due to code injection or exploit) 22->57 26 msdt.exe 22->26         started        signatures11 process12 signatures13 59 Modifies the context of a thread in another process (thread injection) 26->59 61 Maps a DLL or memory area into another process 26->61 63 Tries to detect virtualization through RDTSC time measurements 26->63 29 cmd.exe 1 26->29         started        process14 process15 31 conhost.exe 29->31         started       
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
3.226.182.14
 reticulated-garbanzo-p6jx8r0u3hbz71yu1pcvzfk0.herokudns.com United States
14618 AMAZON-AESUS true
185.53.179.90
 www.real-estate-96841.bond Germany
61969 TEAMINTERNET-ASDE true
185.151.30.212
 www.cpuk-finance.com United Kingdom
48254 TWENTYIGB true
3.33.130.190
 umeshraja.com United States
8987 AMAZONEXPANSIONGB true
147.92.43.172
 2tduz67r.as66588.com Hong Kong
59371 DNC-ASDimensionNetworkCommunicationLimitedHK true
104.21.74.89
 www.b0ba138.xyz United States
13335 CLOUDFLARENETUS true

Contacted Domains

Name IP Active
www.real-estate-96841.bond 185.53.179.90 true
umeshraja.com 3.33.130.190 true
soloparentconnect.com 3.33.130.190 true
www.b0ba138.xyz 104.21.74.89 true
reticulated-garbanzo-p6jx8r0u3hbz71yu1pcvzfk0.herokudns.com 3.226.182.14 true
www.cpuk-finance.com 185.151.30.212 true
2tduz67r.as66588.com 147.92.43.172 true
www.soloparentconnect.com unknown unknown
www.imuschestvostorgov.online unknown unknown
www.883106.photos unknown unknown
www.484844.vip unknown unknown
www.acc-pay.top unknown unknown
www.sdplat.media unknown unknown
www.taini00.net unknown unknown
www.umeshraja.com unknown unknown

Contacted URLs

Name Malicious Antivirus Detection Reputation
http://www.sdplat.media/dy13/?Cj9LK=8pm41D0p&0N=ZKZE34nO5+VJCQ7V97/Oxkx+yV2XZDJ4QNe5btj3ut8Iv1OZ3MT37vqx38H3jKbLJXyY true
  • Avira URL Cloud: safe
 unknown
http://www.real-estate-96841.bond/dy13/?Cj9LK=8pm41D0p&0N=QEHoM+aYI3hCf+czBdOSz9RRIKYxAFZVZwkeDGKMWY6YfTbawsJCAKRBbAifn9DzIiC0 true
  • Avira URL Cloud: safe
 unknown
http://www.umeshraja.com/dy13/?Cj9LK=8pm41D0p&0N=LqTJXJ5089mrTceMc0p83ZaAEN5I+KgWBnSPa3/fnIguC6SsnRdV26ZHA6opskXgqsBG true
  • Avira URL Cloud: safe
 unknown
http://www.883106.photos/dy13/?0N=AG4Ye1FrkmCiFPqbKlnZ1dM6YK/DoI/B/9McINMFJI+SypkU6UbY406xkx1Fqy5gp249&Cj9LK=8pm41D0p true
  • Avira URL Cloud: safe
 unknown
http://www.b0ba138.xyz/dy13/?Cj9LK=8pm41D0p&0N=LVVXn+3XMgScWvA+gustfxAGGBCnrJhvM+qFjqFs2KSrXwfcw3kbTxGlCeyN42Y88s8h true
  • Avira URL Cloud: safe
 unknown
http://www.cpuk-finance.com/dy13/?Cj9LK=8pm41D0p&0N=gDxxMnt83apdqDd0VF+A3hDmBOM78/3mfYHyjE1VNrqBuQQdV+RDpqUMPHOMA9Jp0yBU true
  • Avira URL Cloud: safe
 unknown