Windows Analysis Report
PO#RSB-8927393_2324.exe

Overview

General Information

Sample name: PO#RSB-8927393_2324.exe
Analysis ID: 1467840
MD5: f3e870a226b8911bc58ce3055c3121bd
SHA1: bc452691d870e2a66a8d6eb31df6b8104f8ab83d
SHA256: c40673c9dabf11cb8247c5eefe2bf42d425bde40dd560679f82ba4599fb6d180
Tags: exe
Infos:

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Yara detected AntiVM3
Yara detected FormBook
.NET source code contains potential unpacker
.NET source code contains very large array initializations
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Found direct / indirect Syscall (likely to bypass EDR)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

AV Detection
barindex
Antivirus / Scanner detection for submitted sample
Source: PO#RSB-8927393_2324.exe Avira: detected
Multi AV Scanner detection for submitted file
Source: PO#RSB-8927393_2324.exe ReversingLabs: Detection: 39%
Yara detected FormBook
Source: Yara match File source: 6.2.PO#RSB-8927393_2324.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.PO#RSB-8927393_2324.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000006.00000002.1807194946.00000000013D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2644606484.0000000003AF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.1807336062.00000000028D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.2643723707.0000000000890000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.2644723552.0000000003740000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.1805462543.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.2644778118.0000000003790000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.2642727855.0000000002F80000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 100.0% probability
Uses 32bit PE files
Source: PO#RSB-8927393_2324.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: PO#RSB-8927393_2324.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: w32tm.pdb source: PO#RSB-8927393_2324.exe, 00000006.00000002.1805694095.0000000000B48000.00000004.00000020.00020000.00000000.sdmp, TVuzjGWylRcD.exe, 00000009.00000003.1946112710.0000000000B8B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: TVuzjGWylRcD.exe, 00000009.00000002.2643526990.000000000067E000.00000002.00000001.01000000.0000000D.sdmp, TVuzjGWylRcD.exe, 0000000E.00000002.2643285181.000000000067E000.00000002.00000001.01000000.0000000D.sdmp
Source: Binary string: crwc.pdb source: PO#RSB-8927393_2324.exe
Source: Binary string: wntdll.pdbUGP source: PO#RSB-8927393_2324.exe, 00000006.00000002.1805947712.0000000001080000.00000040.00001000.00020000.00000000.sdmp, w32tm.exe, 0000000A.00000003.1806177611.0000000003678000.00000004.00000020.00020000.00000000.sdmp, w32tm.exe, 0000000A.00000002.2645014803.00000000039E0000.00000040.00001000.00020000.00000000.sdmp, w32tm.exe, 0000000A.00000002.2645014803.0000000003B7E000.00000040.00001000.00020000.00000000.sdmp, w32tm.exe, 0000000A.00000003.1814565291.000000000382D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: PO#RSB-8927393_2324.exe, PO#RSB-8927393_2324.exe, 00000006.00000002.1805947712.0000000001080000.00000040.00001000.00020000.00000000.sdmp, w32tm.exe, w32tm.exe, 0000000A.00000003.1806177611.0000000003678000.00000004.00000020.00020000.00000000.sdmp, w32tm.exe, 0000000A.00000002.2645014803.00000000039E0000.00000040.00001000.00020000.00000000.sdmp, w32tm.exe, 0000000A.00000002.2645014803.0000000003B7E000.00000040.00001000.00020000.00000000.sdmp, w32tm.exe, 0000000A.00000003.1814565291.000000000382D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: crwc.pdbSHA256 source: PO#RSB-8927393_2324.exe
Source: Binary string: w32tm.pdbGCTL source: PO#RSB-8927393_2324.exe, 00000006.00000002.1805694095.0000000000B48000.00000004.00000020.00020000.00000000.sdmp, TVuzjGWylRcD.exe, 00000009.00000003.1946112710.0000000000B8B000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Windows\SysWOW64\w32tm.exe Code function: 10_2_02F9C4E0 FindFirstFileW,FindNextFileW,FindClose, 10_2_02F9C4E0
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 4x nop then jmp 028ABE6Ch 0_2_028AC140
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 4x nop then jmp 028ABE6Ch 0_2_028AC1F1
Source: C:\Windows\SysWOW64\w32tm.exe Code function: 4x nop then xor eax, eax 10_2_02F89BB0
Source: C:\Windows\SysWOW64\w32tm.exe Code function: 4x nop then pop edi 10_2_02F926DC
Source: C:\Windows\SysWOW64\w32tm.exe Code function: 4x nop then mov ebx, 00000004h 10_2_038804E8

Networking
barindex
Snort IDS alert for network traffic
Source: Traffic Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.7:49716 -> 202.52.146.180:80
Source: Traffic Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.7:49717 -> 202.52.146.180:80
Source: Traffic Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.7:49720 -> 3.33.130.190:80
Source: Traffic Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.7:49721 -> 3.33.130.190:80
Source: Traffic Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.7:49724 -> 3.33.130.190:80
Source: Traffic Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.7:49725 -> 3.33.130.190:80
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 3.33.130.190 3.33.130.190
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: GMEDIA-AS-IDGlobalMediaTeknologiPTID GMEDIA-AS-IDGlobalMediaTeknologiPTID
Source: Joe Sandbox View ASN Name: AMAZONEXPANSIONGB AMAZONEXPANSIONGB
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic HTTP traffic detected: GET /8kls/?GFi=c8EPf&ER9dVZR=2KGZ/3QNXi4ulTzvjIbSvnVIk+/410+IZnCrksCfUlhFzRQv5I69qDoixyW/nlEH6HekfEjhjWldx4T2xAX96nP+8g6Xqrd0P2gOkZ8UL+qLTVw01tpdU0aJtXq0SBQRvwi7Sr6O0xKY HTTP/1.1Host: www.artistcalculator.comAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-usConnection: closeUser-Agent: Mozilla/5.0 (Android; Linux armv7l; rv:5.0) Gecko/20110615 Firefox/5.0 Fennec/5.0
Source: global traffic HTTP traffic detected: GET /fwoh/?ER9dVZR=ZbVEb1rXXYkThJ6DDFPkGyiGyPxj6EXFB53D5lOokUu5Uai9KOKEaErJ7BZeup2/vXfgcK0FrSiKxctxJHZJW9qc0jnCHcFrJ+2htNomr/Ncl/KvGksNUWxPultyYIb09MtE+aRJfrVi&GFi=c8EPf HTTP/1.1Host: www.desakedungpeluk.comAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-usConnection: closeUser-Agent: Mozilla/5.0 (Android; Linux armv7l; rv:5.0) Gecko/20110615 Firefox/5.0 Fennec/5.0
Source: global traffic HTTP traffic detected: GET /f6cy/?GFi=c8EPf&ER9dVZR=ViKCibVXrLYIfGkUWUzEOaSlHvtpmYyv8mF5qjT/BPKazql6ii5kKGQHLaSbydSSoUBECJyqDvT8mzUSv37yKhNGp2B6IS3ZvB9wkFVTcG5y2IknMhFR9SC0mei2pox1qw6FBw9NsPmM HTTP/1.1Host: www.interoceptiv.comAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-usConnection: closeUser-Agent: Mozilla/5.0 (Android; Linux armv7l; rv:5.0) Gecko/20110615 Firefox/5.0 Fennec/5.0
Source: global traffic HTTP traffic detected: GET /g6p3/?ER9dVZR=ribLlrKo4+aNk92vcl6tJoF/Wx2bO83lSnYMoyHDTVlljCBLTbU97JTETYJyyGq3p6fcq731smqcseDbybcpYOuelIXZBxgBjMkzGiPSdnNvEa8E1B1rFKPXfL7Uhr2TtbaNlqUJmpII&GFi=c8EPf HTTP/1.1Host: www.stigaequity.comAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-usConnection: closeUser-Agent: Mozilla/5.0 (Android; Linux armv7l; rv:5.0) Gecko/20110615 Firefox/5.0 Fennec/5.0
Source: global traffic DNS traffic detected: DNS query: www.artistcalculator.com
Source: global traffic DNS traffic detected: DNS query: www.desakedungpeluk.com
Source: global traffic DNS traffic detected: DNS query: www.interoceptiv.com
Source: global traffic DNS traffic detected: DNS query: www.stigaequity.com
Source: unknown HTTP traffic detected: POST /fwoh/ HTTP/1.1Host: www.desakedungpeluk.comAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-usAccept-Encoding: gzip, deflate, brOrigin: http://www.desakedungpeluk.comReferer: http://www.desakedungpeluk.com/fwoh/Content-Type: application/x-www-form-urlencodedCache-Control: no-cacheConnection: closeContent-Length: 220User-Agent: Mozilla/5.0 (Android; Linux armv7l; rv:5.0) Gecko/20110615 Firefox/5.0 Fennec/5.0Data Raw: 45 52 39 64 56 5a 52 3d 55 5a 39 6b 59 43 2f 50 41 4b 42 2b 6e 72 75 74 45 56 7a 59 65 51 69 4c 6a 4d 4a 61 32 6c 79 75 4c 70 6e 57 78 6e 48 53 39 51 32 39 59 2f 47 62 48 4a 4f 6b 54 47 4c 33 39 68 46 46 33 59 48 2f 32 47 37 48 47 61 41 48 37 31 79 36 77 37 63 66 41 53 31 6e 42 4e 75 44 79 42 66 6d 45 50 6b 51 45 73 79 51 71 62 55 7a 6e 4f 56 49 69 50 66 59 45 6d 42 57 55 30 73 63 31 42 55 57 52 49 61 6c 70 4c 64 31 7a 49 34 42 53 49 41 52 31 39 65 51 72 31 47 64 63 58 61 65 36 69 58 6d 45 75 6c 6f 78 59 4d 75 4d 31 76 73 31 34 66 62 2f 61 55 6f 53 70 55 41 70 72 4e 34 38 46 68 44 56 37 35 62 58 34 30 79 70 75 7a 49 4b 63 31 63 65 76 74 57 45 77 3d 3d Data Ascii: ER9dVZR=UZ9kYC/PAKB+nrutEVzYeQiLjMJa2lyuLpnWxnHS9Q29Y/GbHJOkTGL39hFF3YH/2G7HGaAH71y6w7cfAS1nBNuDyBfmEPkQEsyQqbUznOVIiPfYEmBWU0sc1BUWRIalpLd1zI4BSIAR19eQr1GdcXae6iXmEuloxYMuM1vs14fb/aUoSpUAprN48FhDV75bX40ypuzIKc1cevtWEw==
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 1251date: Thu, 04 Jul 2024 19:39:51 GMTserver: LiteSpeedData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 64 69 76 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 23 66 30 66 30 66 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 32 70 78 3b 6d 61 72 67 69 6e 3a 61 75 74 6f 3b 70 61 64 64 69 6e 67 3a 30 70 78 20 33 30 70 78 20 30 70 78 20 33 30 70 78 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 63 6c 65 61 72 3a 62 6f 74 68 3b 68 65 69 67 68 74 3a 31 30 30 70 78 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 2d 31 30 31
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 1251date: Thu, 04 Jul 2024 19:39:53 GMTserver: LiteSpeedData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 64 69 76 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 23 66 30 66 30 66 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 32 70 78 3b 6d 61 72 67 69 6e 3a 61 75 74 6f 3b 70 61 64 64 69 6e 67 3a 30 70 78 20 33 30 70 78 20 30 70 78 20 33 30 70 78 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 63 6c 65 61 72 3a 62 6f 74 68 3b 68 65 69 67 68 74 3a 31 30 30 70 78 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 2d 31 30 31
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 1251date: Thu, 04 Jul 2024 19:39:56 GMTserver: LiteSpeedData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 64 69 76 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 23 66 30 66 30 66 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 32 70 78 3b 6d 61 72 67 69 6e 3a 61 75 74 6f 3b 70 61 64 64 69 6e 67 3a 30 70 78 20 33 30 70 78 20 30 70 78 20 33 30 70 78 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 63 6c 65 61 72 3a 62 6f 74 68 3b 68 65 69 67 68 74 3a 31 30 30 70 78 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 2d 31 30 31
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 1251date: Thu, 04 Jul 2024 19:39:58 GMTserver: LiteSpeedData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 64 69 76 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 23 66 30 66 30 66 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 32 70 78 3b 6d 61 72 67 69 6e 3a 61 75 74 6f 3b 70 61 64 64 69 6e 67 3a 30 70 78 20 33 30 70 78 20 30 70 78 20 33 30 70 78 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 63 6c 65 61 72 3a 62 6f 74 68 3b 68 65 69 67 68 74 3a 31 30 30 70 78 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 2d 31 30 31
Source: w32tm.exe, 0000000A.00000002.2645751802.00000000043F4000.00000004.10000000.00040000.00000000.sdmp, TVuzjGWylRcD.exe, 0000000E.00000002.2645811741.0000000002C24000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2259089262.0000000029B74000.00000004.80000000.00040000.00000000.sdmp String found in binary or memory: http://artistcalculator.com/8kls/?GFi=c8EPf&ER9dVZR=2KGZ/3QNXi4ulTzvjIbSvnVIk
Source: PO#RSB-8927393_2324.exe, 00000000.00000002.1434331530.0000000002AD1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: TVuzjGWylRcD.exe, 0000000E.00000002.2643723707.00000000008F5000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: http://www.stigaequity.com
Source: TVuzjGWylRcD.exe, 0000000E.00000002.2643723707.00000000008F5000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: http://www.stigaequity.com/g6p3/
Source: w32tm.exe, 0000000A.00000002.2648467822.0000000008268000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: w32tm.exe, 0000000A.00000002.2648467822.0000000008268000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: w32tm.exe, 0000000A.00000002.2648467822.0000000008268000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: w32tm.exe, 0000000A.00000002.2648467822.0000000008268000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: w32tm.exe, 0000000A.00000002.2648467822.0000000008268000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: w32tm.exe, 0000000A.00000002.2648467822.0000000008268000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: w32tm.exe, 0000000A.00000002.2648467822.0000000008268000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: w32tm.exe, 0000000A.00000002.2643149827.0000000003383000.00000004.00000020.00020000.00000000.sdmp, w32tm.exe, 0000000A.00000002.2643149827.00000000033AA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
Source: w32tm.exe, 0000000A.00000002.2643149827.00000000033AA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
Source: w32tm.exe, 0000000A.00000002.2643149827.0000000003383000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
Source: w32tm.exe, 0000000A.00000002.2643149827.00000000033AA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033LMEM
Source: w32tm.exe, 0000000A.00000002.2643149827.00000000033AA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_desktop.srfLMEM
Source: w32tm.exe, 0000000A.00000002.2643149827.0000000003383000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033
Source: w32tm.exe, 0000000A.00000002.2643149827.0000000003383000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
Source: w32tm.exe, 0000000A.00000002.2643149827.0000000003383000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
Source: w32tm.exe, 0000000A.00000003.2118033231.0000000008247000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srfhttps://login.l
Source: w32tm.exe, 0000000A.00000002.2648467822.0000000008268000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.ecosia.org/newtab/

E-Banking Fraud
barindex
Yara detected FormBook
Source: Yara match File source: 6.2.PO#RSB-8927393_2324.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.PO#RSB-8927393_2324.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000006.00000002.1807194946.00000000013D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2644606484.0000000003AF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.1807336062.00000000028D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.2643723707.0000000000890000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.2644723552.0000000003740000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.1805462543.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.2644778118.0000000003790000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.2642727855.0000000002F80000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: 6.2.PO#RSB-8927393_2324.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 6.2.PO#RSB-8927393_2324.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000006.00000002.1807194946.00000000013D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000009.00000002.2644606484.0000000003AF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000006.00000002.1807336062.00000000028D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000E.00000002.2643723707.0000000000890000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000A.00000002.2644723552.0000000003740000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000006.00000002.1805462543.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000A.00000002.2644778118.0000000003790000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000A.00000002.2642727855.0000000002F80000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
.NET source code contains very large array initializations
Source: 0.2.PO#RSB-8927393_2324.exe.5210000.5.raw.unpack, -Module-.cs Large array initialization: _200D_200D_202B_206F_206A_206B_202B_200B_200D_206D_200C_206B_206A_200B_202E_200C_200E_202A_200E_206D_206F_202D_206F_206D_206C_200F_206A_202D_206C_202B_206A_206F_202A_206A_200E_200F_200B_200F_202E_202D_202E: array initializer size 3088
Source: 0.2.PO#RSB-8927393_2324.exe.2af4ae0.1.raw.unpack, -Module-.cs Large array initialization: _200D_200D_202B_206F_206A_206B_202B_200B_200D_206D_200C_206B_206A_200B_202E_200C_200E_202A_200E_206D_206F_202D_206F_206D_206C_200F_206A_202D_206C_202B_206A_206F_202A_206A_200E_200F_200B_200F_202E_202D_202E: array initializer size 3088
Initial sample is a PE file and has a suspicious name
Source: initial sample Static PE information: Filename: PO#RSB-8927393_2324.exe
Contains functionality to call native functions
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_0042C213 NtClose, 6_2_0042C213
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010F2B60 NtClose,LdrInitializeThunk, 6_2_010F2B60
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010F2DF0 NtQuerySystemInformation,LdrInitializeThunk, 6_2_010F2DF0
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010F2C70 NtFreeVirtualMemory,LdrInitializeThunk, 6_2_010F2C70
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010F35C0 NtCreateMutant,LdrInitializeThunk, 6_2_010F35C0
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010F4340 NtSetContextThread, 6_2_010F4340
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010F4650 NtSuspendThread, 6_2_010F4650
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010F2B80 NtQueryInformationFile, 6_2_010F2B80
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010F2BA0 NtEnumerateValueKey, 6_2_010F2BA0
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010F2BE0 NtQueryValueKey, 6_2_010F2BE0
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010F2BF0 NtAllocateVirtualMemory, 6_2_010F2BF0
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010F2AB0 NtWaitForSingleObject, 6_2_010F2AB0
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010F2AD0 NtReadFile, 6_2_010F2AD0
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010F2AF0 NtWriteFile, 6_2_010F2AF0
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010F2D00 NtSetInformationFile, 6_2_010F2D00
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010F2D10 NtMapViewOfSection, 6_2_010F2D10
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010F2D30 NtUnmapViewOfSection, 6_2_010F2D30
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010F2DB0 NtEnumerateKey, 6_2_010F2DB0
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010F2DD0 NtDelayExecution, 6_2_010F2DD0
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010F2C00 NtQueryInformationProcess, 6_2_010F2C00
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010F2C60 NtCreateKey, 6_2_010F2C60
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010F2CA0 NtQueryInformationToken, 6_2_010F2CA0
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010F2CC0 NtQueryVirtualMemory, 6_2_010F2CC0
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010F2CF0 NtOpenProcess, 6_2_010F2CF0
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010F2F30 NtCreateSection, 6_2_010F2F30
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010F2F60 NtCreateProcessEx, 6_2_010F2F60
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010F2F90 NtProtectVirtualMemory, 6_2_010F2F90
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010F2FA0 NtQuerySection, 6_2_010F2FA0
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010F2FB0 NtResumeThread, 6_2_010F2FB0
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010F2FE0 NtCreateFile, 6_2_010F2FE0
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010F2E30 NtWriteVirtualMemory, 6_2_010F2E30
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010F2E80 NtReadVirtualMemory, 6_2_010F2E80
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010F2EA0 NtAdjustPrivilegesToken, 6_2_010F2EA0
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010F2EE0 NtQueueApcThread, 6_2_010F2EE0
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010F3010 NtOpenDirectoryObject, 6_2_010F3010
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010F3090 NtSetValueKey, 6_2_010F3090
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010F39B0 NtGetContextThread, 6_2_010F39B0
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010F3D10 NtOpenProcessToken, 6_2_010F3D10
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010F3D70 NtOpenThread, 6_2_010F3D70
Source: C:\Windows\SysWOW64\w32tm.exe Code function: 10_2_03A54340 NtSetContextThread,LdrInitializeThunk, 10_2_03A54340
Source: C:\Windows\SysWOW64\w32tm.exe Code function: 10_2_03A54650 NtSuspendThread,LdrInitializeThunk, 10_2_03A54650
Source: C:\Windows\SysWOW64\w32tm.exe Code function: 10_2_03A52BA0 NtEnumerateValueKey,LdrInitializeThunk, 10_2_03A52BA0
Source: C:\Windows\SysWOW64\w32tm.exe Code function: 10_2_03A52BE0 NtQueryValueKey,LdrInitializeThunk, 10_2_03A52BE0
Source: C:\Windows\SysWOW64\w32tm.exe Code function: 10_2_03A52BF0 NtAllocateVirtualMemory,LdrInitializeThunk, 10_2_03A52BF0
Source: C:\Windows\SysWOW64\w32tm.exe Code function: 10_2_03A52B60 NtClose,LdrInitializeThunk, 10_2_03A52B60
Source: C:\Windows\SysWOW64\w32tm.exe Code function: 10_2_03A52AF0 NtWriteFile,LdrInitializeThunk, 10_2_03A52AF0
Source: C:\Windows\SysWOW64\w32tm.exe Code function: 10_2_03A52AD0 NtReadFile,LdrInitializeThunk, 10_2_03A52AD0
Source: C:\Windows\SysWOW64\w32tm.exe Code function: 10_2_03A52FB0 NtResumeThread,LdrInitializeThunk, 10_2_03A52FB0
Source: C:\Windows\SysWOW64\w32tm.exe Code function: 10_2_03A52FE0 NtCreateFile,LdrInitializeThunk, 10_2_03A52FE0
Source: C:\Windows\SysWOW64\w32tm.exe Code function: 10_2_03A52F30 NtCreateSection,LdrInitializeThunk, 10_2_03A52F30
Source: C:\Windows\SysWOW64\w32tm.exe Code function: 10_2_03A52E80 NtReadVirtualMemory,LdrInitializeThunk, 10_2_03A52E80
Source: C:\Windows\SysWOW64\w32tm.exe Code function: 10_2_03A52EE0 NtQueueApcThread,LdrInitializeThunk, 10_2_03A52EE0
Source: C:\Windows\SysWOW64\w32tm.exe Code function: 10_2_03A52DF0 NtQuerySystemInformation,LdrInitializeThunk, 10_2_03A52DF0
Source: C:\Windows\SysWOW64\w32tm.exe Code function: 10_2_03A52DD0 NtDelayExecution,LdrInitializeThunk, 10_2_03A52DD0
Source: C:\Windows\SysWOW64\w32tm.exe Code function: 10_2_03A52D30 NtUnmapViewOfSection,LdrInitializeThunk, 10_2_03A52D30
Source: C:\Windows\SysWOW64\w32tm.exe Code function: 10_2_03A52D10 NtMapViewOfSection,LdrInitializeThunk, 10_2_03A52D10
Source: C:\Windows\SysWOW64\w32tm.exe Code function: 10_2_03A52CA0 NtQueryInformationToken,LdrInitializeThunk, 10_2_03A52CA0
Source: C:\Windows\SysWOW64\w32tm.exe Code function: 10_2_03A52C60 NtCreateKey,LdrInitializeThunk, 10_2_03A52C60
Source: C:\Windows\SysWOW64\w32tm.exe Code function: 10_2_03A52C70 NtFreeVirtualMemory,LdrInitializeThunk, 10_2_03A52C70
Source: C:\Windows\SysWOW64\w32tm.exe Code function: 10_2_03A535C0 NtCreateMutant,LdrInitializeThunk, 10_2_03A535C0
Source: C:\Windows\SysWOW64\w32tm.exe Code function: 10_2_03A539B0 NtGetContextThread,LdrInitializeThunk, 10_2_03A539B0
Source: C:\Windows\SysWOW64\w32tm.exe Code function: 10_2_03A52B80 NtQueryInformationFile, 10_2_03A52B80
Source: C:\Windows\SysWOW64\w32tm.exe Code function: 10_2_03A52AB0 NtWaitForSingleObject, 10_2_03A52AB0
Source: C:\Windows\SysWOW64\w32tm.exe Code function: 10_2_03A52FA0 NtQuerySection, 10_2_03A52FA0
Source: C:\Windows\SysWOW64\w32tm.exe Code function: 10_2_03A52F90 NtProtectVirtualMemory, 10_2_03A52F90
Source: C:\Windows\SysWOW64\w32tm.exe Code function: 10_2_03A52F60 NtCreateProcessEx, 10_2_03A52F60
Source: C:\Windows\SysWOW64\w32tm.exe Code function: 10_2_03A52EA0 NtAdjustPrivilegesToken, 10_2_03A52EA0
Source: C:\Windows\SysWOW64\w32tm.exe Code function: 10_2_03A52E30 NtWriteVirtualMemory, 10_2_03A52E30
Source: C:\Windows\SysWOW64\w32tm.exe Code function: 10_2_03A52DB0 NtEnumerateKey, 10_2_03A52DB0
Source: C:\Windows\SysWOW64\w32tm.exe Code function: 10_2_03A52D00 NtSetInformationFile, 10_2_03A52D00
Source: C:\Windows\SysWOW64\w32tm.exe Code function: 10_2_03A52CF0 NtOpenProcess, 10_2_03A52CF0
Source: C:\Windows\SysWOW64\w32tm.exe Code function: 10_2_03A52CC0 NtQueryVirtualMemory, 10_2_03A52CC0
Source: C:\Windows\SysWOW64\w32tm.exe Code function: 10_2_03A52C00 NtQueryInformationProcess, 10_2_03A52C00
Source: C:\Windows\SysWOW64\w32tm.exe Code function: 10_2_03A53090 NtSetValueKey, 10_2_03A53090
Source: C:\Windows\SysWOW64\w32tm.exe Code function: 10_2_03A53010 NtOpenDirectoryObject, 10_2_03A53010
Source: C:\Windows\SysWOW64\w32tm.exe Code function: 10_2_03A53D10 NtOpenProcessToken, 10_2_03A53D10
Source: C:\Windows\SysWOW64\w32tm.exe Code function: 10_2_03A53D70 NtOpenThread, 10_2_03A53D70
Source: C:\Windows\SysWOW64\w32tm.exe Code function: 10_2_02FA8AA0 NtReadFile, 10_2_02FA8AA0
Source: C:\Windows\SysWOW64\w32tm.exe Code function: 10_2_02FA8B90 NtDeleteFile, 10_2_02FA8B90
Source: C:\Windows\SysWOW64\w32tm.exe Code function: 10_2_02FA8930 NtCreateFile, 10_2_02FA8930
Source: C:\Windows\SysWOW64\w32tm.exe Code function: 10_2_02FA8C30 NtClose, 10_2_02FA8C30
Source: C:\Windows\SysWOW64\w32tm.exe Code function: 10_2_02FA8D90 NtAllocateVirtualMemory, 10_2_02FA8D90
Detected potential crypto function
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 0_2_0102D5BC 0_2_0102D5BC
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 0_2_028A8338 0_2_028A8338
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 0_2_028AE098 0_2_028AE098
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 0_2_028A9178 0_2_028A9178
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 0_2_028A66F0 0_2_028A66F0
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 0_2_028A6700 0_2_028A6700
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 0_2_028A8770 0_2_028A8770
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 0_2_028A6B2B 0_2_028A6B2B
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 0_2_028A6B38 0_2_028A6B38
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 0_2_0509B148 0_2_0509B148
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 0_2_05096020 0_2_05096020
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 0_2_05097820 0_2_05097820
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 0_2_0509ED68 0_2_0509ED68
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 0_2_0509ED78 0_2_0509ED78
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 0_2_05095D8C 0_2_05095D8C
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 0_2_05095DE5 0_2_05095DE5
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 0_2_05095C03 0_2_05095C03
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 0_2_05098C12 0_2_05098C12
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 0_2_05098C20 0_2_05098C20
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 0_2_05095CC8 0_2_05095CC8
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 0_2_050964DC 0_2_050964DC
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 0_2_05095F20 0_2_05095F20
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 0_2_05097753 0_2_05097753
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 0_2_05095FEB 0_2_05095FEB
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 0_2_05095E1C 0_2_05095E1C
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 0_2_05095E80 0_2_05095E80
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 0_2_05095EC1 0_2_05095EC1
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 0_2_05095EEB 0_2_05095EEB
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 0_2_0509B139 0_2_0509B139
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 0_2_0509597D 0_2_0509597D
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 0_2_0509781F 0_2_0509781F
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 0_2_050958B4 0_2_050958B4
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 0_2_050980C8 0_2_050980C8
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 0_2_050980D8 0_2_050980D8
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 0_2_050958ED 0_2_050958ED
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 0_2_0509F31A 0_2_0509F31A
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 0_2_0509F328 0_2_0509F328
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 0_2_05095B25 0_2_05095B25
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 0_2_05095B5C 0_2_05095B5C
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 0_2_0509FB7A 0_2_0509FB7A
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 0_2_0509FB88 0_2_0509FB88
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 0_2_05095B93 0_2_05095B93
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 0_2_05095BCA 0_2_05095BCA
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 0_2_05095A26 0_2_05095A26
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 0_2_0509B2DB 0_2_0509B2DB
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 0_2_05095AEE 0_2_05095AEE
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_00402810 6_2_00402810
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_0041012A 6_2_0041012A
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_00410133 6_2_00410133
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_004011D0 6_2_004011D0
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_00410353 6_2_00410353
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_00403360 6_2_00403360
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_0040E3D3 6_2_0040E3D3
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_00402530 6_2_00402530
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_00416E80 6_2_00416E80
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_00416E83 6_2_00416E83
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_0042E7D3 6_2_0042E7D3
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010B0100 6_2_010B0100
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_0115A118 6_2_0115A118
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_01148158 6_2_01148158
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_011801AA 6_2_011801AA
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_011741A2 6_2_011741A2
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_011781CC 6_2_011781CC
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_01152000 6_2_01152000
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_0117A352 6_2_0117A352
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010CE3F0 6_2_010CE3F0
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_011803E6 6_2_011803E6
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_01160274 6_2_01160274
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_011402C0 6_2_011402C0
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010C0535 6_2_010C0535
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_01180591 6_2_01180591
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_01164420 6_2_01164420
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_01172446 6_2_01172446
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_0116E4F6 6_2_0116E4F6
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010E4750 6_2_010E4750
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010C0770 6_2_010C0770
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010BC7C0 6_2_010BC7C0
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010DC6E0 6_2_010DC6E0
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010D6962 6_2_010D6962
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010C29A0 6_2_010C29A0
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_0118A9A6 6_2_0118A9A6
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010CA840 6_2_010CA840
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010C2840 6_2_010C2840
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010A68B8 6_2_010A68B8
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010EE8F0 6_2_010EE8F0
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_0117AB40 6_2_0117AB40
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_01176BD7 6_2_01176BD7
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010BEA80 6_2_010BEA80
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_0115CD1F 6_2_0115CD1F
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010CAD00 6_2_010CAD00
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010D8DBF 6_2_010D8DBF
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010BADE0 6_2_010BADE0
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010C0C00 6_2_010C0C00
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_01160CB5 6_2_01160CB5
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010B0CF2 6_2_010B0CF2
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_01162F30 6_2_01162F30
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_01102F28 6_2_01102F28
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010E0F30 6_2_010E0F30
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_01134F40 6_2_01134F40
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_0113EFA0 6_2_0113EFA0
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010B2FC8 6_2_010B2FC8
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010CCFE0 6_2_010CCFE0
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_0117EE26 6_2_0117EE26
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010C0E59 6_2_010C0E59
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_0117CE93 6_2_0117CE93
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010D2E90 6_2_010D2E90
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_0117EEDB 6_2_0117EEDB
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010F516C 6_2_010F516C
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_0118B16B 6_2_0118B16B
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010AF172 6_2_010AF172
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010CB1B0 6_2_010CB1B0
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010C70C0 6_2_010C70C0
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_0116F0CC 6_2_0116F0CC
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_0117F0E0 6_2_0117F0E0
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_011770E9 6_2_011770E9
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_0117132D 6_2_0117132D
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010AD34C 6_2_010AD34C
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_0110739A 6_2_0110739A
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010C52A0 6_2_010C52A0
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010DB2C0 6_2_010DB2C0
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_011612ED 6_2_011612ED
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_01177571 6_2_01177571
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_0115D5B0 6_2_0115D5B0
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_011895C3 6_2_011895C3
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_0117F43F 6_2_0117F43F
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010B1460 6_2_010B1460
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_0117F7B0 6_2_0117F7B0
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_01105630 6_2_01105630
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_011716CC 6_2_011716CC
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_01155910 6_2_01155910
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010C9950 6_2_010C9950
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010DB950 6_2_010DB950
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_0112D800 6_2_0112D800
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010C38E0 6_2_010C38E0
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_0117FB76 6_2_0117FB76
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010DFB80 6_2_010DFB80
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_01135BF0 6_2_01135BF0
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010FDBF9 6_2_010FDBF9
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_01177A46 6_2_01177A46
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_0117FA49 6_2_0117FA49
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_01133A6C 6_2_01133A6C
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_01105AA0 6_2_01105AA0
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_01161AA3 6_2_01161AA3
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_0115DAAC 6_2_0115DAAC
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_0116DAC6 6_2_0116DAC6
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010C3D40 6_2_010C3D40
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_01171D5A 6_2_01171D5A
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_01177D73 6_2_01177D73
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010DFDC0 6_2_010DFDC0
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_01139C32 6_2_01139C32
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_0117FCF2 6_2_0117FCF2
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_0117FF09 6_2_0117FF09
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010C1F92 6_2_010C1F92
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_0117FFB1 6_2_0117FFB1
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_01083FD2 6_2_01083FD2
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_01083FD5 6_2_01083FD5
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010C9EB0 6_2_010C9EB0
Source: C:\Program Files (x86)\SfIdDALnKPRkoCdjcmLxntTwRWgtRRLmJJNPrEOnuGlyOqQeANvDKbEGFktAZjookfnnyI\TVuzjGWylRcD.exe Code function: 9_2_03C81B34 9_2_03C81B34
Source: C:\Program Files (x86)\SfIdDALnKPRkoCdjcmLxntTwRWgtRRLmJJNPrEOnuGlyOqQeANvDKbEGFktAZjookfnnyI\TVuzjGWylRcD.exe Code function: 9_2_03C83AB4 9_2_03C83AB4
Source: C:\Program Files (x86)\SfIdDALnKPRkoCdjcmLxntTwRWgtRRLmJJNPrEOnuGlyOqQeANvDKbEGFktAZjookfnnyI\TVuzjGWylRcD.exe Code function: 9_2_03C8388B 9_2_03C8388B
Source: C:\Program Files (x86)\SfIdDALnKPRkoCdjcmLxntTwRWgtRRLmJJNPrEOnuGlyOqQeANvDKbEGFktAZjookfnnyI\TVuzjGWylRcD.exe Code function: 9_2_03C83894 9_2_03C83894
Source: C:\Program Files (x86)\SfIdDALnKPRkoCdjcmLxntTwRWgtRRLmJJNPrEOnuGlyOqQeANvDKbEGFktAZjookfnnyI\TVuzjGWylRcD.exe Code function: 9_2_03CA1F34 9_2_03CA1F34
Source: C:\Program Files (x86)\SfIdDALnKPRkoCdjcmLxntTwRWgtRRLmJJNPrEOnuGlyOqQeANvDKbEGFktAZjookfnnyI\TVuzjGWylRcD.exe Code function: 9_2_03C8A5E1 9_2_03C8A5E1
Source: C:\Program Files (x86)\SfIdDALnKPRkoCdjcmLxntTwRWgtRRLmJJNPrEOnuGlyOqQeANvDKbEGFktAZjookfnnyI\TVuzjGWylRcD.exe Code function: 9_2_03C8A5E4 9_2_03C8A5E4
Source: C:\Windows\SysWOW64\w32tm.exe Code function: 10_2_03AE03E6 10_2_03AE03E6
Source: C:\Windows\SysWOW64\w32tm.exe Code function: 10_2_03A2E3F0 10_2_03A2E3F0
Source: C:\Windows\SysWOW64\w32tm.exe Code function: 10_2_03ADA352 10_2_03ADA352
Source: C:\Windows\SysWOW64\w32tm.exe Code function: 10_2_03AA02C0 10_2_03AA02C0
Source: C:\Windows\SysWOW64\w32tm.exe Code function: 10_2_03AC0274 10_2_03AC0274
Source: C:\Windows\SysWOW64\w32tm.exe Code function: 10_2_03AE01AA 10_2_03AE01AA
Source: C:\Windows\SysWOW64\w32tm.exe Code function: 10_2_03AD41A2 10_2_03AD41A2
Source: C:\Windows\SysWOW64\w32tm.exe Code function: 10_2_03AD81CC 10_2_03AD81CC
Source: C:\Windows\SysWOW64\w32tm.exe Code function: 10_2_03A10100 10_2_03A10100
Source: C:\Windows\SysWOW64\w32tm.exe Code function: 10_2_03ABA118 10_2_03ABA118
Source: C:\Windows\SysWOW64\w32tm.exe Code function: 10_2_03AA8158 10_2_03AA8158
Source: C:\Windows\SysWOW64\w32tm.exe Code function: 10_2_03AB2000 10_2_03AB2000
Source: C:\Windows\SysWOW64\w32tm.exe Code function: 10_2_03A1C7C0 10_2_03A1C7C0
Source: C:\Windows\SysWOW64\w32tm.exe Code function: 10_2_03A20770 10_2_03A20770
Source: C:\Windows\SysWOW64\w32tm.exe Code function: 10_2_03A44750 10_2_03A44750
Source: C:\Windows\SysWOW64\w32tm.exe Code function: 10_2_03A3C6E0 10_2_03A3C6E0
Source: C:\Windows\SysWOW64\w32tm.exe Code function: 10_2_03AE0591 10_2_03AE0591
Source: C:\Windows\SysWOW64\w32tm.exe Code function: 10_2_03A20535 10_2_03A20535
Source: C:\Windows\SysWOW64\w32tm.exe Code function: 10_2_03ACE4F6 10_2_03ACE4F6
Source: C:\Windows\SysWOW64\w32tm.exe Code function: 10_2_03AC4420 10_2_03AC4420
Source: C:\Windows\SysWOW64\w32tm.exe Code function: 10_2_03AD2446 10_2_03AD2446
Source: C:\Windows\SysWOW64\w32tm.exe Code function: 10_2_03AD6BD7 10_2_03AD6BD7
Source: C:\Windows\SysWOW64\w32tm.exe Code function: 10_2_03ADAB40 10_2_03ADAB40
Source: C:\Windows\SysWOW64\w32tm.exe Code function: 10_2_03A1EA80 10_2_03A1EA80
Source: C:\Windows\SysWOW64\w32tm.exe Code function: 10_2_03A229A0 10_2_03A229A0
Source: C:\Windows\SysWOW64\w32tm.exe Code function: 10_2_03AEA9A6 10_2_03AEA9A6
Source: C:\Windows\SysWOW64\w32tm.exe Code function: 10_2_03A36962 10_2_03A36962
Source: C:\Windows\SysWOW64\w32tm.exe Code function: 10_2_03A068B8 10_2_03A068B8
Source: C:\Windows\SysWOW64\w32tm.exe Code function: 10_2_03A4E8F0 10_2_03A4E8F0
Source: C:\Windows\SysWOW64\w32tm.exe Code function: 10_2_03A22840 10_2_03A22840
Source: C:\Windows\SysWOW64\w32tm.exe Code function: 10_2_03A2A840 10_2_03A2A840
Source: C:\Windows\SysWOW64\w32tm.exe Code function: 10_2_03A9EFA0 10_2_03A9EFA0
Source: C:\Windows\SysWOW64\w32tm.exe Code function: 10_2_03A2CFE0 10_2_03A2CFE0
Source: C:\Windows\SysWOW64\w32tm.exe Code function: 10_2_03A12FC8 10_2_03A12FC8
Source: C:\Windows\SysWOW64\w32tm.exe Code function: 10_2_03A62F28 10_2_03A62F28
Source: C:\Windows\SysWOW64\w32tm.exe Code function: 10_2_03A40F30 10_2_03A40F30
Source: C:\Windows\SysWOW64\w32tm.exe Code function: 10_2_03AC2F30 10_2_03AC2F30
Source: C:\Windows\SysWOW64\w32tm.exe Code function: 10_2_03A94F40 10_2_03A94F40
Source: C:\Windows\SysWOW64\w32tm.exe Code function: 10_2_03A32E90 10_2_03A32E90
Source: C:\Windows\SysWOW64\w32tm.exe Code function: 10_2_03ADCE93 10_2_03ADCE93
Source: C:\Windows\SysWOW64\w32tm.exe Code function: 10_2_03ADEEDB 10_2_03ADEEDB
Source: C:\Windows\SysWOW64\w32tm.exe Code function: 10_2_03ADEE26 10_2_03ADEE26
Source: C:\Windows\SysWOW64\w32tm.exe Code function: 10_2_03A20E59 10_2_03A20E59
Source: C:\Windows\SysWOW64\w32tm.exe Code function: 10_2_03A38DBF 10_2_03A38DBF
Source: C:\Windows\SysWOW64\w32tm.exe Code function: 10_2_03A1ADE0 10_2_03A1ADE0
Source: C:\Windows\SysWOW64\w32tm.exe Code function: 10_2_03A2AD00 10_2_03A2AD00
Source: C:\Windows\SysWOW64\w32tm.exe Code function: 10_2_03ABCD1F 10_2_03ABCD1F
Source: C:\Windows\SysWOW64\w32tm.exe Code function: 10_2_03AC0CB5 10_2_03AC0CB5
Source: C:\Windows\SysWOW64\w32tm.exe Code function: 10_2_03A10CF2 10_2_03A10CF2
Source: C:\Windows\SysWOW64\w32tm.exe Code function: 10_2_03A20C00 10_2_03A20C00
Source: C:\Windows\SysWOW64\w32tm.exe Code function: 10_2_03A6739A 10_2_03A6739A
Source: C:\Windows\SysWOW64\w32tm.exe Code function: 10_2_03AD132D 10_2_03AD132D
Source: C:\Windows\SysWOW64\w32tm.exe Code function: 10_2_03A0D34C 10_2_03A0D34C
Source: C:\Windows\SysWOW64\w32tm.exe Code function: 10_2_03A252A0 10_2_03A252A0
Source: C:\Windows\SysWOW64\w32tm.exe Code function: 10_2_03AC12ED 10_2_03AC12ED
Source: C:\Windows\SysWOW64\w32tm.exe Code function: 10_2_03A3B2C0 10_2_03A3B2C0
Source: C:\Windows\SysWOW64\w32tm.exe Code function: 10_2_03A2B1B0 10_2_03A2B1B0
Source: C:\Windows\SysWOW64\w32tm.exe Code function: 10_2_03AEB16B 10_2_03AEB16B
Source: C:\Windows\SysWOW64\w32tm.exe Code function: 10_2_03A5516C 10_2_03A5516C
Source: C:\Windows\SysWOW64\w32tm.exe Code function: 10_2_03A0F172 10_2_03A0F172
Source: C:\Windows\SysWOW64\w32tm.exe Code function: 10_2_03AD70E9 10_2_03AD70E9
Source: C:\Windows\SysWOW64\w32tm.exe Code function: 10_2_03ADF0E0 10_2_03ADF0E0
Source: C:\Windows\SysWOW64\w32tm.exe Code function: 10_2_03ACF0CC 10_2_03ACF0CC
Source: C:\Windows\SysWOW64\w32tm.exe Code function: 10_2_03A270C0 10_2_03A270C0
Source: C:\Windows\SysWOW64\w32tm.exe Code function: 10_2_03ADF7B0 10_2_03ADF7B0
Source: C:\Windows\SysWOW64\w32tm.exe Code function: 10_2_03AD16CC 10_2_03AD16CC
Source: C:\Windows\SysWOW64\w32tm.exe Code function: 10_2_03A65630 10_2_03A65630
Source: C:\Windows\SysWOW64\w32tm.exe Code function: 10_2_03ABD5B0 10_2_03ABD5B0
Source: C:\Windows\SysWOW64\w32tm.exe Code function: 10_2_03AE95C3 10_2_03AE95C3
Source: C:\Windows\SysWOW64\w32tm.exe Code function: 10_2_03AD7571 10_2_03AD7571
Source: C:\Windows\SysWOW64\w32tm.exe Code function: 10_2_03ADF43F 10_2_03ADF43F
Source: C:\Windows\SysWOW64\w32tm.exe Code function: 10_2_03A11460 10_2_03A11460
Source: C:\Windows\SysWOW64\w32tm.exe Code function: 10_2_03A3FB80 10_2_03A3FB80
Source: C:\Windows\SysWOW64\w32tm.exe Code function: 10_2_03A95BF0 10_2_03A95BF0
Source: C:\Windows\SysWOW64\w32tm.exe Code function: 10_2_03A5DBF9 10_2_03A5DBF9
Source: C:\Windows\SysWOW64\w32tm.exe Code function: 10_2_03ADFB76 10_2_03ADFB76
Source: C:\Windows\SysWOW64\w32tm.exe Code function: 10_2_03A65AA0 10_2_03A65AA0
Source: C:\Windows\SysWOW64\w32tm.exe Code function: 10_2_03ABDAAC 10_2_03ABDAAC
Source: C:\Windows\SysWOW64\w32tm.exe Code function: 10_2_03AC1AA3 10_2_03AC1AA3
Source: C:\Windows\SysWOW64\w32tm.exe Code function: 10_2_03ACDAC6 10_2_03ACDAC6
Source: C:\Windows\SysWOW64\w32tm.exe Code function: 10_2_03A93A6C 10_2_03A93A6C
Source: C:\Windows\SysWOW64\w32tm.exe Code function: 10_2_03ADFA49 10_2_03ADFA49
Source: C:\Windows\SysWOW64\w32tm.exe Code function: 10_2_03AD7A46 10_2_03AD7A46
Source: C:\Windows\SysWOW64\w32tm.exe Code function: 10_2_03AB5910 10_2_03AB5910
Source: C:\Windows\SysWOW64\w32tm.exe Code function: 10_2_03A29950 10_2_03A29950
Source: C:\Windows\SysWOW64\w32tm.exe Code function: 10_2_03A3B950 10_2_03A3B950
Source: C:\Windows\SysWOW64\w32tm.exe Code function: 10_2_03A238E0 10_2_03A238E0
Source: C:\Windows\SysWOW64\w32tm.exe Code function: 10_2_03A8D800 10_2_03A8D800
Source: C:\Windows\SysWOW64\w32tm.exe Code function: 10_2_03ADFFB1 10_2_03ADFFB1
Source: C:\Windows\SysWOW64\w32tm.exe Code function: 10_2_03A21F92 10_2_03A21F92
Source: C:\Windows\SysWOW64\w32tm.exe Code function: 10_2_039E3FD5 10_2_039E3FD5
Source: C:\Windows\SysWOW64\w32tm.exe Code function: 10_2_039E3FD2 10_2_039E3FD2
Source: C:\Windows\SysWOW64\w32tm.exe Code function: 10_2_03ADFF09 10_2_03ADFF09
Source: C:\Windows\SysWOW64\w32tm.exe Code function: 10_2_03A29EB0 10_2_03A29EB0
Source: C:\Windows\SysWOW64\w32tm.exe Code function: 10_2_03A3FDC0 10_2_03A3FDC0
Source: C:\Windows\SysWOW64\w32tm.exe Code function: 10_2_03AD7D73 10_2_03AD7D73
Source: C:\Windows\SysWOW64\w32tm.exe Code function: 10_2_03A23D40 10_2_03A23D40
Source: C:\Windows\SysWOW64\w32tm.exe Code function: 10_2_03AD1D5A 10_2_03AD1D5A
Source: C:\Windows\SysWOW64\w32tm.exe Code function: 10_2_03ADFCF2 10_2_03ADFCF2
Source: C:\Windows\SysWOW64\w32tm.exe Code function: 10_2_03A99C32 10_2_03A99C32
Source: C:\Windows\SysWOW64\w32tm.exe Code function: 10_2_02F91BF0 10_2_02F91BF0
Source: C:\Windows\SysWOW64\w32tm.exe Code function: 10_2_02F8CB50 10_2_02F8CB50
Source: C:\Windows\SysWOW64\w32tm.exe Code function: 10_2_02F8CB47 10_2_02F8CB47
Source: C:\Windows\SysWOW64\w32tm.exe Code function: 10_2_02F9EEC0 10_2_02F9EEC0
Source: C:\Windows\SysWOW64\w32tm.exe Code function: 10_2_02F8ADF0 10_2_02F8ADF0
Source: C:\Windows\SysWOW64\w32tm.exe Code function: 10_2_02F8CD70 10_2_02F8CD70
Source: C:\Windows\SysWOW64\w32tm.exe Code function: 10_2_02FAB1F0 10_2_02FAB1F0
Source: C:\Windows\SysWOW64\w32tm.exe Code function: 10_2_02F938A0 10_2_02F938A0
Source: C:\Windows\SysWOW64\w32tm.exe Code function: 10_2_02F9389D 10_2_02F9389D
Source: C:\Windows\SysWOW64\w32tm.exe Code function: 10_2_0388E528 10_2_0388E528
Source: C:\Windows\SysWOW64\w32tm.exe Code function: 10_2_038954AC 10_2_038954AC
Source: C:\Windows\SysWOW64\w32tm.exe Code function: 10_2_0388E404 10_2_0388E404
Source: C:\Windows\SysWOW64\w32tm.exe Code function: 10_2_0388CBB8 10_2_0388CBB8
Source: C:\Windows\SysWOW64\w32tm.exe Code function: 10_2_0388D928 10_2_0388D928
Source: C:\Windows\SysWOW64\w32tm.exe Code function: 10_2_0388E8BC 10_2_0388E8BC
Source: C:\Windows\SysWOW64\w32tm.exe Code function: 10_2_0388E8C4 10_2_0388E8C4
Found potential string decryption / allocating functions
Source: C:\Windows\SysWOW64\w32tm.exe Code function: String function: 03A8EA12 appears 86 times
Source: C:\Windows\SysWOW64\w32tm.exe Code function: String function: 03A0B970 appears 277 times
Source: C:\Windows\SysWOW64\w32tm.exe Code function: String function: 03A67E54 appears 111 times
Source: C:\Windows\SysWOW64\w32tm.exe Code function: String function: 03A55130 appears 58 times
Source: C:\Windows\SysWOW64\w32tm.exe Code function: String function: 03A9F290 appears 105 times
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: String function: 01107E54 appears 111 times
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: String function: 0112EA12 appears 86 times
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: String function: 010F5130 appears 58 times
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: String function: 010AB970 appears 277 times
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: String function: 0113F290 appears 105 times
Sample file is different than original file name gathered from version info
Source: PO#RSB-8927393_2324.exe, 00000000.00000002.1435244061.0000000003BC9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameTyrone.dll8 vs PO#RSB-8927393_2324.exe
Source: PO#RSB-8927393_2324.exe, 00000000.00000002.1438644391.0000000005210000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameRT.dll. vs PO#RSB-8927393_2324.exe
Source: PO#RSB-8927393_2324.exe, 00000000.00000002.1434331530.0000000002AD1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameRT.dll. vs PO#RSB-8927393_2324.exe
Source: PO#RSB-8927393_2324.exe, 00000000.00000002.1439411038.0000000006F20000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameTyrone.dll8 vs PO#RSB-8927393_2324.exe
Source: PO#RSB-8927393_2324.exe, 00000000.00000002.1431124072.0000000000DAE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs PO#RSB-8927393_2324.exe
Source: PO#RSB-8927393_2324.exe, 00000006.00000002.1805947712.00000000011AD000.00000040.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs PO#RSB-8927393_2324.exe
Source: PO#RSB-8927393_2324.exe, 00000006.00000002.1805694095.0000000000B48000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamew32time.dllj% vs PO#RSB-8927393_2324.exe
Source: PO#RSB-8927393_2324.exe Binary or memory string: OriginalFilenamecrwc.exeR vs PO#RSB-8927393_2324.exe
Uses 32bit PE files
Source: PO#RSB-8927393_2324.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Yara signature match
Source: 6.2.PO#RSB-8927393_2324.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 6.2.PO#RSB-8927393_2324.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000006.00000002.1807194946.00000000013D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000009.00000002.2644606484.0000000003AF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000006.00000002.1807336062.00000000028D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000E.00000002.2643723707.0000000000890000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000A.00000002.2644723552.0000000003740000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000006.00000002.1805462543.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000A.00000002.2644778118.0000000003790000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000A.00000002.2642727855.0000000002F80000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: PO#RSB-8927393_2324.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 0.2.PO#RSB-8927393_2324.exe.3d0e4e0.3.raw.unpack, bJHL30MetpTysbUnRK.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.PO#RSB-8927393_2324.exe.3d96100.4.raw.unpack, sJBJU4bkNgV8EMWFH5.cs Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.2.PO#RSB-8927393_2324.exe.3d96100.4.raw.unpack, sJBJU4bkNgV8EMWFH5.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.PO#RSB-8927393_2324.exe.3d96100.4.raw.unpack, sJBJU4bkNgV8EMWFH5.cs Security API names: _0020.AddAccessRule
Source: 0.2.PO#RSB-8927393_2324.exe.3d0e4e0.3.raw.unpack, sJBJU4bkNgV8EMWFH5.cs Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.2.PO#RSB-8927393_2324.exe.3d0e4e0.3.raw.unpack, sJBJU4bkNgV8EMWFH5.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.PO#RSB-8927393_2324.exe.3d0e4e0.3.raw.unpack, sJBJU4bkNgV8EMWFH5.cs Security API names: _0020.AddAccessRule
Source: 0.2.PO#RSB-8927393_2324.exe.6f20000.7.raw.unpack, sJBJU4bkNgV8EMWFH5.cs Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.2.PO#RSB-8927393_2324.exe.6f20000.7.raw.unpack, sJBJU4bkNgV8EMWFH5.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.PO#RSB-8927393_2324.exe.6f20000.7.raw.unpack, sJBJU4bkNgV8EMWFH5.cs Security API names: _0020.AddAccessRule
Source: 0.2.PO#RSB-8927393_2324.exe.6f20000.7.raw.unpack, bJHL30MetpTysbUnRK.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.PO#RSB-8927393_2324.exe.3d96100.4.raw.unpack, bJHL30MetpTysbUnRK.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: TVuzjGWylRcD.exe, 00000009.00000002.2643965990.0000000000B78000.00000004.00000020.00020000.00000000.sdmp, TVuzjGWylRcD.exe, 00000009.00000000.1724805924.0000000000B78000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ;.VBp
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@13/7@4/3
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\PO#RSB-8927393_2324.exe.log Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7088:120:WilError_03
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Mutant created: \Sessions\1\BaseNamedObjects\yaLBaiPBfGzXsPrHgDEZPPno
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_o5wuw5yz.rlu.ps1 Jump to behavior
Source: PO#RSB-8927393_2324.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: PO#RSB-8927393_2324.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe File read: C:\Users\user\Desktop\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: w32tm.exe, 0000000A.00000003.2121404942.00000000033EA000.00000004.00000020.00020000.00000000.sdmp, w32tm.exe, 0000000A.00000002.2643149827.00000000033EA000.00000004.00000020.00020000.00000000.sdmp, w32tm.exe, 0000000A.00000003.2121272483.00000000033C9000.00000004.00000020.00020000.00000000.sdmp, w32tm.exe, 0000000A.00000002.2643149827.0000000003416000.00000004.00000020.00020000.00000000.sdmp, w32tm.exe, 0000000A.00000002.2643149827.00000000033F3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: PO#RSB-8927393_2324.exe ReversingLabs: Detection: 39%
Source: unknown Process created: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe "C:\Users\user\Desktop\PO#RSB-8927393_2324.exe"
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO#RSB-8927393_2324.exe"
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Process created: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe "C:\Users\user\Desktop\PO#RSB-8927393_2324.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Process created: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe "C:\Users\user\Desktop\PO#RSB-8927393_2324.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Program Files (x86)\SfIdDALnKPRkoCdjcmLxntTwRWgtRRLmJJNPrEOnuGlyOqQeANvDKbEGFktAZjookfnnyI\TVuzjGWylRcD.exe Process created: C:\Windows\SysWOW64\w32tm.exe "C:\Windows\SysWOW64\w32tm.exe"
Source: C:\Windows\SysWOW64\w32tm.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO#RSB-8927393_2324.exe" Jump to behavior
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Process created: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe "C:\Users\user\Desktop\PO#RSB-8927393_2324.exe" Jump to behavior
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Process created: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe "C:\Users\user\Desktop\PO#RSB-8927393_2324.exe" Jump to behavior
Source: C:\Program Files (x86)\SfIdDALnKPRkoCdjcmLxntTwRWgtRRLmJJNPrEOnuGlyOqQeANvDKbEGFktAZjookfnnyI\TVuzjGWylRcD.exe Process created: C:\Windows\SysWOW64\w32tm.exe "C:\Windows\SysWOW64\w32tm.exe" Jump to behavior
Source: C:\Windows\SysWOW64\w32tm.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe" Jump to behavior
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Section loaded: dwrite.dll Jump to behavior
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Section loaded: windowscodecs.dll Jump to behavior
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: fastprox.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: ncobjapi.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: mpclient.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wmitomi.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: mi.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: miutils.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: miutils.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\w32tm.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\w32tm.exe Section loaded: logoncli.dll Jump to behavior
Source: C:\Windows\SysWOW64\w32tm.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\w32tm.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\SysWOW64\w32tm.exe Section loaded: ntdsapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\w32tm.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Windows\SysWOW64\w32tm.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\w32tm.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\SysWOW64\w32tm.exe Section loaded: ieframe.dll Jump to behavior
Source: C:\Windows\SysWOW64\w32tm.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\SysWOW64\w32tm.exe Section loaded: netapi32.dll Jump to behavior
Source: C:\Windows\SysWOW64\w32tm.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\w32tm.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\SysWOW64\w32tm.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\SysWOW64\w32tm.exe Section loaded: wkscli.dll Jump to behavior
Source: C:\Windows\SysWOW64\w32tm.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\w32tm.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\SysWOW64\w32tm.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\SysWOW64\w32tm.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\w32tm.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\SysWOW64\w32tm.exe Section loaded: mlang.dll Jump to behavior
Source: C:\Windows\SysWOW64\w32tm.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\SysWOW64\w32tm.exe Section loaded: winsqlite3.dll Jump to behavior
Source: C:\Windows\SysWOW64\w32tm.exe Section loaded: vaultcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\w32tm.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\SysWOW64\w32tm.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\w32tm.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Program Files (x86)\SfIdDALnKPRkoCdjcmLxntTwRWgtRRLmJJNPrEOnuGlyOqQeANvDKbEGFktAZjookfnnyI\TVuzjGWylRcD.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Program Files (x86)\SfIdDALnKPRkoCdjcmLxntTwRWgtRRLmJJNPrEOnuGlyOqQeANvDKbEGFktAZjookfnnyI\TVuzjGWylRcD.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Program Files (x86)\SfIdDALnKPRkoCdjcmLxntTwRWgtRRLmJJNPrEOnuGlyOqQeANvDKbEGFktAZjookfnnyI\TVuzjGWylRcD.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Program Files (x86)\SfIdDALnKPRkoCdjcmLxntTwRWgtRRLmJJNPrEOnuGlyOqQeANvDKbEGFktAZjookfnnyI\TVuzjGWylRcD.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Program Files (x86)\SfIdDALnKPRkoCdjcmLxntTwRWgtRRLmJJNPrEOnuGlyOqQeANvDKbEGFktAZjookfnnyI\TVuzjGWylRcD.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Program Files (x86)\SfIdDALnKPRkoCdjcmLxntTwRWgtRRLmJJNPrEOnuGlyOqQeANvDKbEGFktAZjookfnnyI\TVuzjGWylRcD.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32 Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll Jump to behavior
Source: C:\Windows\SysWOW64\w32tm.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\ Jump to behavior
Source: PO#RSB-8927393_2324.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: PO#RSB-8927393_2324.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: PO#RSB-8927393_2324.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: w32tm.pdb source: PO#RSB-8927393_2324.exe, 00000006.00000002.1805694095.0000000000B48000.00000004.00000020.00020000.00000000.sdmp, TVuzjGWylRcD.exe, 00000009.00000003.1946112710.0000000000B8B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: TVuzjGWylRcD.exe, 00000009.00000002.2643526990.000000000067E000.00000002.00000001.01000000.0000000D.sdmp, TVuzjGWylRcD.exe, 0000000E.00000002.2643285181.000000000067E000.00000002.00000001.01000000.0000000D.sdmp
Source: Binary string: crwc.pdb source: PO#RSB-8927393_2324.exe
Source: Binary string: wntdll.pdbUGP source: PO#RSB-8927393_2324.exe, 00000006.00000002.1805947712.0000000001080000.00000040.00001000.00020000.00000000.sdmp, w32tm.exe, 0000000A.00000003.1806177611.0000000003678000.00000004.00000020.00020000.00000000.sdmp, w32tm.exe, 0000000A.00000002.2645014803.00000000039E0000.00000040.00001000.00020000.00000000.sdmp, w32tm.exe, 0000000A.00000002.2645014803.0000000003B7E000.00000040.00001000.00020000.00000000.sdmp, w32tm.exe, 0000000A.00000003.1814565291.000000000382D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: PO#RSB-8927393_2324.exe, PO#RSB-8927393_2324.exe, 00000006.00000002.1805947712.0000000001080000.00000040.00001000.00020000.00000000.sdmp, w32tm.exe, w32tm.exe, 0000000A.00000003.1806177611.0000000003678000.00000004.00000020.00020000.00000000.sdmp, w32tm.exe, 0000000A.00000002.2645014803.00000000039E0000.00000040.00001000.00020000.00000000.sdmp, w32tm.exe, 0000000A.00000002.2645014803.0000000003B7E000.00000040.00001000.00020000.00000000.sdmp, w32tm.exe, 0000000A.00000003.1814565291.000000000382D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: crwc.pdbSHA256 source: PO#RSB-8927393_2324.exe
Source: Binary string: w32tm.pdbGCTL source: PO#RSB-8927393_2324.exe, 00000006.00000002.1805694095.0000000000B48000.00000004.00000020.00020000.00000000.sdmp, TVuzjGWylRcD.exe, 00000009.00000003.1946112710.0000000000B8B000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation
barindex
.NET source code contains potential unpacker
Source: PO#RSB-8927393_2324.exe, StringListEditor.cs .Net Code: InitializeComponent System.Reflection.Assembly.Load(byte[])
Source: 0.2.PO#RSB-8927393_2324.exe.5210000.5.raw.unpack, -Module-.cs .Net Code: _200D_200D_202B_206F_206A_206B_202B_200B_200D_206D_200C_206B_206A_200B_202E_200C_200E_202A_200E_206D_206F_202D_206F_206D_206C_200F_206A_202D_206C_202B_206A_206F_202A_206A_200E_200F_200B_200F_202E_202D_202E System.Reflection.Assembly.Load(byte[])
Source: 0.2.PO#RSB-8927393_2324.exe.5210000.5.raw.unpack, PingPong.cs .Net Code: _206E_206D_206E_206E_202E_202E_200C_206A_202D_206E_200C_202B_200F_206E_200B_202E_200E_202A_202D_200E_200E_200E_200E_202B_200E_202C_200C_200B_202C_202D_200C_202A_200B_200C_206D_206B_202B_202A_202E_200C_202E System.Reflection.Assembly.Load(byte[])
Source: 0.2.PO#RSB-8927393_2324.exe.3d0e4e0.3.raw.unpack, sJBJU4bkNgV8EMWFH5.cs .Net Code: viK4T6TBuC System.Reflection.Assembly.Load(byte[])
Source: 0.2.PO#RSB-8927393_2324.exe.3d96100.4.raw.unpack, sJBJU4bkNgV8EMWFH5.cs .Net Code: viK4T6TBuC System.Reflection.Assembly.Load(byte[])
Source: 0.2.PO#RSB-8927393_2324.exe.6f20000.7.raw.unpack, sJBJU4bkNgV8EMWFH5.cs .Net Code: viK4T6TBuC System.Reflection.Assembly.Load(byte[])
Source: 0.2.PO#RSB-8927393_2324.exe.2af4ae0.1.raw.unpack, -Module-.cs .Net Code: _200D_200D_202B_206F_206A_206B_202B_200B_200D_206D_200C_206B_206A_200B_202E_200C_200E_202A_200E_206D_206F_202D_206F_206D_206C_200F_206A_202D_206C_202B_206A_206F_202A_206A_200E_200F_200B_200F_202E_202D_202E System.Reflection.Assembly.Load(byte[])
Source: 0.2.PO#RSB-8927393_2324.exe.2af4ae0.1.raw.unpack, PingPong.cs .Net Code: _206E_206D_206E_206E_202E_202E_200C_206A_202D_206E_200C_202B_200F_206E_200B_202E_200E_202A_202D_200E_200E_200E_200E_202B_200E_202C_200C_200B_202C_202D_200C_202A_200B_200C_206D_206B_202B_202A_202E_200C_202E System.Reflection.Assembly.Load(byte[])
Source: 10.2.w32tm.exe.400cd10.2.raw.unpack, StringListEditor.cs .Net Code: InitializeComponent System.Reflection.Assembly.Load(byte[])
Source: 14.2.TVuzjGWylRcD.exe.283cd10.1.raw.unpack, StringListEditor.cs .Net Code: InitializeComponent System.Reflection.Assembly.Load(byte[])
Source: 14.0.TVuzjGWylRcD.exe.283cd10.1.raw.unpack, StringListEditor.cs .Net Code: InitializeComponent System.Reflection.Assembly.Load(byte[])
Source: 16.2.firefox.exe.2978cd10.0.raw.unpack, StringListEditor.cs .Net Code: InitializeComponent System.Reflection.Assembly.Load(byte[])
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 0_2_028AC93A push edx; ret 0_2_028AC941
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 0_2_05098E29 push 8BBCEB50h; ret 0_2_05098E2F
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 0_2_0509629A pushad ; iretd 0_2_0509629D
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_0040D3DD push ebp; ret 6_2_0040D3EE
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_0041949D push ecx; iretd 6_2_004194A3
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_00414D79 push ebp; ret 6_2_00414D9A
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_0041ED00 pushad ; iretd 6_2_0041ED02
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_0041ED03 push ss; retf 6_2_0041ED23
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_004035E0 push eax; ret 6_2_004035E2
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_0040AF00 push edx; ret 6_2_0040AF01
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_0041EFA9 push cs; ret 6_2_0041EFB5
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_0108225F pushad ; ret 6_2_010827F9
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010827FA pushad ; ret 6_2_010827F9
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010B09AD push ecx; mov dword ptr [esp], ecx 6_2_010B09B6
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_0108283D push eax; iretd 6_2_01082858
Source: C:\Program Files (x86)\SfIdDALnKPRkoCdjcmLxntTwRWgtRRLmJJNPrEOnuGlyOqQeANvDKbEGFktAZjookfnnyI\TVuzjGWylRcD.exe Code function: 9_2_03C8CBFE push ecx; iretd 9_2_03C8CC04
Source: C:\Program Files (x86)\SfIdDALnKPRkoCdjcmLxntTwRWgtRRLmJJNPrEOnuGlyOqQeANvDKbEGFktAZjookfnnyI\TVuzjGWylRcD.exe Code function: 9_2_03C80B3E push ebp; ret 9_2_03C80B4F
Source: C:\Program Files (x86)\SfIdDALnKPRkoCdjcmLxntTwRWgtRRLmJJNPrEOnuGlyOqQeANvDKbEGFktAZjookfnnyI\TVuzjGWylRcD.exe Code function: 9_2_03C9270A push cs; ret 9_2_03C92716
Source: C:\Program Files (x86)\SfIdDALnKPRkoCdjcmLxntTwRWgtRRLmJJNPrEOnuGlyOqQeANvDKbEGFktAZjookfnnyI\TVuzjGWylRcD.exe Code function: 9_2_03C884DA push ebp; ret 9_2_03C884FB
Source: C:\Program Files (x86)\SfIdDALnKPRkoCdjcmLxntTwRWgtRRLmJJNPrEOnuGlyOqQeANvDKbEGFktAZjookfnnyI\TVuzjGWylRcD.exe Code function: 9_2_03C92461 pushad ; iretd 9_2_03C92463
Source: C:\Program Files (x86)\SfIdDALnKPRkoCdjcmLxntTwRWgtRRLmJJNPrEOnuGlyOqQeANvDKbEGFktAZjookfnnyI\TVuzjGWylRcD.exe Code function: 9_2_03C92464 push ss; retf 9_2_03C92484
Source: C:\Windows\SysWOW64\w32tm.exe Code function: 10_2_039E225F pushad ; ret 10_2_039E27F9
Source: C:\Windows\SysWOW64\w32tm.exe Code function: 10_2_039E27FA pushad ; ret 10_2_039E27F9
Source: C:\Windows\SysWOW64\w32tm.exe Code function: 10_2_03A109AD push ecx; mov dword ptr [esp], ecx 10_2_03A109B6
Source: C:\Windows\SysWOW64\w32tm.exe Code function: 10_2_039E283D push eax; iretd 10_2_039E2858
Source: C:\Windows\SysWOW64\w32tm.exe Code function: 10_2_039E1368 push eax; iretd 10_2_039E1369
Source: C:\Windows\SysWOW64\w32tm.exe Code function: 10_2_02F9EEC0 pushfd ; iretd 10_2_02F9EFB2
Source: C:\Windows\SysWOW64\w32tm.exe Code function: 10_2_02F91796 push ebp; ret 10_2_02F917B7
Source: C:\Windows\SysWOW64\w32tm.exe Code function: 10_2_02F9B720 push ss; retf 10_2_02F9B740
Source: C:\Windows\SysWOW64\w32tm.exe Code function: 10_2_02F9B71D pushad ; iretd 10_2_02F9B71F
Source: C:\Windows\SysWOW64\w32tm.exe Code function: 10_2_02F9B9C6 push cs; ret 10_2_02F9B9D2
Source: PO#RSB-8927393_2324.exe Static PE information: section name: .text entropy: 7.950718976556402
Source: 0.2.PO#RSB-8927393_2324.exe.3d0e4e0.3.raw.unpack, V3QjIXIq5kOoYxMbOs.cs High entropy of concatenated method names: 'YAatXVulNA', 'UYyt8FNSu8', 'qtNKRLj26R', 'tm7KxDdB0d', 'nQcKlAIHt1', 'NTFK6GRvyy', 'KCJKDRK8QG', 'aHWKSB1lyf', 'vv5KUuayjy', 'STPK5anoDT'
Source: 0.2.PO#RSB-8927393_2324.exe.3d0e4e0.3.raw.unpack, rw9GUwUdEWuuE3GWUO.cs High entropy of concatenated method names: 'L5aFN8hVpP', 'mViFYvcQHG', 'tgjFThmJwn', 'QI5FnU9kwV', 'UshFXPu78R', 'EekF97YEa5', 'jHQF8fljiI', 'JtgFMLLWq0', 'iTpFO3CLMv', 'rP0FIEvV8X'
Source: 0.2.PO#RSB-8927393_2324.exe.3d0e4e0.3.raw.unpack, JrOGoqmeYTl6N4DFG6.cs High entropy of concatenated method names: 'RYAPiMsDtr', 'px6P3H3GwC', 'hgFPROa2la', 'b3lPxNCrgJ', 'LgnP0V08lr', 'poTPl7u9U2', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.PO#RSB-8927393_2324.exe.3d0e4e0.3.raw.unpack, s6fmqtyJU3YmKeDOmmh.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'Chlw0l2T3Y', 'atLwkvjrPR', 'x4Dwcre1cI', 'U59wgvXL0R', 'fSawBoK0Fh', 'sBEwfh4lDC', 'aFCw7xfUfa'
Source: 0.2.PO#RSB-8927393_2324.exe.3d0e4e0.3.raw.unpack, QhVPC2yskZZ1y6Hpaki.cs High entropy of concatenated method names: 'sGvuNAhtDj', 'xv0uYw4cq9', 'rNtuTwHUUN', 'U5WunBeblF', 'SEIuXvH3RG', 'h9wu9kgEac', 'Wffu8Wh3yM', 'LthuMftpDj', 'ohcuOookws', 'h73uICs5ia'
Source: 0.2.PO#RSB-8927393_2324.exe.3d0e4e0.3.raw.unpack, MdtgxXo5Gq7I7BVIvo.cs High entropy of concatenated method names: 'VXVPCYflv2', 'l2YPrblTxP', 'ybhPKfqYZh', 'ymuPtlfvtn', 'YvNPGmFcIq', 'FRxPFYtAGD', 'kiVPbRjSer', 'VygPVWFUoY', 'DFEPHMDGsG', 'FHiPAKnVBi'
Source: 0.2.PO#RSB-8927393_2324.exe.3d0e4e0.3.raw.unpack, lo06rTvsofDVK6Oyji.cs High entropy of concatenated method names: 'dG2dMmNdId', 'wxWdOjMkJr', 'AQpdi2LBp8', 'twKd38yWqL', 'UPfdxVdvVW', 'gGKdlDFt7T', 'kWsdDSixjq', 'ymadSuRavR', 'Ghcd54YZOU', 'VpydEWyiQW'
Source: 0.2.PO#RSB-8927393_2324.exe.3d0e4e0.3.raw.unpack, G46V0hrQVmJaC7hRLj.cs High entropy of concatenated method names: 'Dispose', 'owWymKjnh0', 'omDe3mp4qJ', 'ssWLLcWIKB', 'jUdy1tgxX5', 'jq7yzI7BVI', 'ProcessDialogKey', 'QolesrOGoq', 'bYTeyl6N4D', 'jG6eeLrO9X'
Source: 0.2.PO#RSB-8927393_2324.exe.3d0e4e0.3.raw.unpack, xL7UrvgtD9XFWu6Y1t.cs High entropy of concatenated method names: 'qJpjHSBmQA', 'vUwjAleIKO', 'ToString', 'CBojC9FGDD', 'aN5jrYdUsD', 'c8WjKfxBcr', 'le7jtG5NDB', 'IFCjGQBOyD', 'TgPjFRRMHC', 'nfXjb3wlc9'
Source: 0.2.PO#RSB-8927393_2324.exe.3d0e4e0.3.raw.unpack, aYOoAfK625TDN0YVnB.cs High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'Ydjem02Icv', 'eRHe1DgZ5c', 'Po1ez1Jc7j', 'S4PJsN6bSU', 'vARJyk87uy', 'Pi6Je02H7n', 'i3wJJ7tva1', 'JQbL3Xl7hJacQmYFUZZ'
Source: 0.2.PO#RSB-8927393_2324.exe.3d0e4e0.3.raw.unpack, jTGm1lemnEXs2uwu6T.cs High entropy of concatenated method names: 'Fi9TjrQcn', 'Dx0nUXllH', 'DQG9rcBpo', 'Qt286eCiO', 'YtgOipfAN', 'QiXId9wDK', 'mpNE8yBJJwWrXERjvH', 'dX9KIZRNJkW3HGesBH', 'kydPZAo0v', 'pOGwinc7H'
Source: 0.2.PO#RSB-8927393_2324.exe.3d0e4e0.3.raw.unpack, sJBJU4bkNgV8EMWFH5.cs High entropy of concatenated method names: 'jkdJQBeFiR', 'QutJCMG75K', 'sTUJrdk1Tx', 'dkfJKLpjhh', 'jeSJtAjOuv', 'hJ1JGK1Bqx', 'bTtJFHqgpN', 'VBhJbyHVij', 'VsCJV3Ivbi', 'obaJHHJJPb'
Source: 0.2.PO#RSB-8927393_2324.exe.3d0e4e0.3.raw.unpack, CycuFhDVZ1InZQQp6D.cs High entropy of concatenated method names: 'L22FCFY88b', 'GVIFK7VQkq', 'RBRFGOROGQ', 'wBYG1WUb8d', 'QXCGzyTSsZ', 'MDBFs8eKaj', 'GWDFySlcgl', 'NtNFeOTnvp', 'QpIFJURGxW', 'B39F4NRnwk'
Source: 0.2.PO#RSB-8927393_2324.exe.3d0e4e0.3.raw.unpack, trO9Xo1t1ZcgIQgHsv.cs High entropy of concatenated method names: 'tSsuydYQro', 'TB4uJAwiMe', 'RHAu4S7tPf', 'Af5uC8DT24', 'DyourjCO2J', 'tAqut0Cf7s', 'NH4uGIsWeU', 'goSP7mpljZ', 'Lg0PoujOpH', 'hHKPm1kJsd'
Source: 0.2.PO#RSB-8927393_2324.exe.3d0e4e0.3.raw.unpack, QVcF8Q4cJkOZqsT6Rd.cs High entropy of concatenated method names: 'EneyFJHL30', 'ctpybTysbU', 'jJxyHRTYHu', 's0wyATf3Qj', 'IMby2OssO2', 'm6ayZJul3A', 'hk4EOpcmrf7VdSrdlN', 'GP1l7t2KdcgYB03uRS', 'Mt0JRAY4merl0CnyGm', 'i82yyJrVTL'
Source: 0.2.PO#RSB-8927393_2324.exe.3d0e4e0.3.raw.unpack, bJHL30MetpTysbUnRK.cs High entropy of concatenated method names: 'Hrmr06D7WP', 'eZWrkBmrwp', 'C2Drcqx8EJ', 'FYVrgvwsTk', 'ehfrBVtHBU', 'z1MrfCebrU', 'zjgr7os7KN', 'BCQrol0T5d', 'VHBrmmedDp', 'aEhr1urLMB'
Source: 0.2.PO#RSB-8927393_2324.exe.3d0e4e0.3.raw.unpack, db0nOHzKjEj4NKmt6R.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'guPudt5awL', 'zDru2XOZRS', 'aNEuZxSyf2', 'PfVujObu5A', 'EGauPBb8cV', 'wcnuuHpY7P', 'GjiuwKZsUq'
Source: 0.2.PO#RSB-8927393_2324.exe.3d0e4e0.3.raw.unpack, AY0yVsyyfLEps6w19js.cs High entropy of concatenated method names: 'ToString', 'exOwJotRUA', 'uK5w4Wlu1f', 'kgawQTiyiV', 'wo6wCOWbsK', 'pVUwrVClXY', 'WhiwK90Vqs', 'gHJwt9HMaq', 'xqotSBZp9EUDNM2dumP', 'YPNQTXZli8VXWoeqPsf'
Source: 0.2.PO#RSB-8927393_2324.exe.3d0e4e0.3.raw.unpack, hPlWqFOJxRTYHuw0wT.cs High entropy of concatenated method names: 'Rl2KnfYHle', 'QaFK9YFTxZ', 'nWSKMNI5Tf', 'eR7KOF4CsF', 'pc7K2EsdWy', 'F4SKZH4h4y', 'DWWKje3EGZ', 'VdZKP2xF0i', 'sC5KumiiTo', 'ht2KwlRcGs'
Source: 0.2.PO#RSB-8927393_2324.exe.3d0e4e0.3.raw.unpack, aO2H6aiJul3Ao5Rk2e.cs High entropy of concatenated method names: 'B9IGQQarVA', 'jKVGrmtBWR', 'iDkGtJLAtG', 'kv6GFcBf8U', 'IUrGb84XY8', 'VLwtB6qll7', 'yBttfqpb2Q', 'B10t7oCfRt', 'ywotoisdR4', 'pYBtmhES1T'
Source: 0.2.PO#RSB-8927393_2324.exe.3d0e4e0.3.raw.unpack, OSpWKmcQNpYEraiLro.cs High entropy of concatenated method names: 'ToString', 'DsKZEmwkMp', 'FRJZ3iwjSh', 'vWwZRks0X2', 'cguZxFa6Kp', 'mraZlu7m4v', 'DEsZ6vl1jq', 'YJEZDXrZfg', 'OsWZSpDGOZ', 'l3PZUXUXkH'
Source: 0.2.PO#RSB-8927393_2324.exe.3d0e4e0.3.raw.unpack, KPT0AIfQWNIAU3xYtB.cs High entropy of concatenated method names: 'pm3jo2DIOg', 'BHij1iDFdf', 'KpcPssswH8', 'qR9PydGPQm', 'JWrjEbL4qN', 'dStjhKvSZo', 'SFljvkZTZD', 'Bvij0sSDe4', 'SBajk6glTw', 'Qc1jcVRaw0'
Source: 0.2.PO#RSB-8927393_2324.exe.3d96100.4.raw.unpack, V3QjIXIq5kOoYxMbOs.cs High entropy of concatenated method names: 'YAatXVulNA', 'UYyt8FNSu8', 'qtNKRLj26R', 'tm7KxDdB0d', 'nQcKlAIHt1', 'NTFK6GRvyy', 'KCJKDRK8QG', 'aHWKSB1lyf', 'vv5KUuayjy', 'STPK5anoDT'
Source: 0.2.PO#RSB-8927393_2324.exe.3d96100.4.raw.unpack, rw9GUwUdEWuuE3GWUO.cs High entropy of concatenated method names: 'L5aFN8hVpP', 'mViFYvcQHG', 'tgjFThmJwn', 'QI5FnU9kwV', 'UshFXPu78R', 'EekF97YEa5', 'jHQF8fljiI', 'JtgFMLLWq0', 'iTpFO3CLMv', 'rP0FIEvV8X'
Source: 0.2.PO#RSB-8927393_2324.exe.3d96100.4.raw.unpack, JrOGoqmeYTl6N4DFG6.cs High entropy of concatenated method names: 'RYAPiMsDtr', 'px6P3H3GwC', 'hgFPROa2la', 'b3lPxNCrgJ', 'LgnP0V08lr', 'poTPl7u9U2', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.PO#RSB-8927393_2324.exe.3d96100.4.raw.unpack, s6fmqtyJU3YmKeDOmmh.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'Chlw0l2T3Y', 'atLwkvjrPR', 'x4Dwcre1cI', 'U59wgvXL0R', 'fSawBoK0Fh', 'sBEwfh4lDC', 'aFCw7xfUfa'
Source: 0.2.PO#RSB-8927393_2324.exe.3d96100.4.raw.unpack, QhVPC2yskZZ1y6Hpaki.cs High entropy of concatenated method names: 'sGvuNAhtDj', 'xv0uYw4cq9', 'rNtuTwHUUN', 'U5WunBeblF', 'SEIuXvH3RG', 'h9wu9kgEac', 'Wffu8Wh3yM', 'LthuMftpDj', 'ohcuOookws', 'h73uICs5ia'
Source: 0.2.PO#RSB-8927393_2324.exe.3d96100.4.raw.unpack, MdtgxXo5Gq7I7BVIvo.cs High entropy of concatenated method names: 'VXVPCYflv2', 'l2YPrblTxP', 'ybhPKfqYZh', 'ymuPtlfvtn', 'YvNPGmFcIq', 'FRxPFYtAGD', 'kiVPbRjSer', 'VygPVWFUoY', 'DFEPHMDGsG', 'FHiPAKnVBi'
Source: 0.2.PO#RSB-8927393_2324.exe.3d96100.4.raw.unpack, lo06rTvsofDVK6Oyji.cs High entropy of concatenated method names: 'dG2dMmNdId', 'wxWdOjMkJr', 'AQpdi2LBp8', 'twKd38yWqL', 'UPfdxVdvVW', 'gGKdlDFt7T', 'kWsdDSixjq', 'ymadSuRavR', 'Ghcd54YZOU', 'VpydEWyiQW'
Source: 0.2.PO#RSB-8927393_2324.exe.3d96100.4.raw.unpack, G46V0hrQVmJaC7hRLj.cs High entropy of concatenated method names: 'Dispose', 'owWymKjnh0', 'omDe3mp4qJ', 'ssWLLcWIKB', 'jUdy1tgxX5', 'jq7yzI7BVI', 'ProcessDialogKey', 'QolesrOGoq', 'bYTeyl6N4D', 'jG6eeLrO9X'
Source: 0.2.PO#RSB-8927393_2324.exe.3d96100.4.raw.unpack, xL7UrvgtD9XFWu6Y1t.cs High entropy of concatenated method names: 'qJpjHSBmQA', 'vUwjAleIKO', 'ToString', 'CBojC9FGDD', 'aN5jrYdUsD', 'c8WjKfxBcr', 'le7jtG5NDB', 'IFCjGQBOyD', 'TgPjFRRMHC', 'nfXjb3wlc9'
Source: 0.2.PO#RSB-8927393_2324.exe.3d96100.4.raw.unpack, aYOoAfK625TDN0YVnB.cs High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'Ydjem02Icv', 'eRHe1DgZ5c', 'Po1ez1Jc7j', 'S4PJsN6bSU', 'vARJyk87uy', 'Pi6Je02H7n', 'i3wJJ7tva1', 'JQbL3Xl7hJacQmYFUZZ'
Source: 0.2.PO#RSB-8927393_2324.exe.3d96100.4.raw.unpack, jTGm1lemnEXs2uwu6T.cs High entropy of concatenated method names: 'Fi9TjrQcn', 'Dx0nUXllH', 'DQG9rcBpo', 'Qt286eCiO', 'YtgOipfAN', 'QiXId9wDK', 'mpNE8yBJJwWrXERjvH', 'dX9KIZRNJkW3HGesBH', 'kydPZAo0v', 'pOGwinc7H'
Source: 0.2.PO#RSB-8927393_2324.exe.3d96100.4.raw.unpack, sJBJU4bkNgV8EMWFH5.cs High entropy of concatenated method names: 'jkdJQBeFiR', 'QutJCMG75K', 'sTUJrdk1Tx', 'dkfJKLpjhh', 'jeSJtAjOuv', 'hJ1JGK1Bqx', 'bTtJFHqgpN', 'VBhJbyHVij', 'VsCJV3Ivbi', 'obaJHHJJPb'
Source: 0.2.PO#RSB-8927393_2324.exe.3d96100.4.raw.unpack, CycuFhDVZ1InZQQp6D.cs High entropy of concatenated method names: 'L22FCFY88b', 'GVIFK7VQkq', 'RBRFGOROGQ', 'wBYG1WUb8d', 'QXCGzyTSsZ', 'MDBFs8eKaj', 'GWDFySlcgl', 'NtNFeOTnvp', 'QpIFJURGxW', 'B39F4NRnwk'
Source: 0.2.PO#RSB-8927393_2324.exe.3d96100.4.raw.unpack, trO9Xo1t1ZcgIQgHsv.cs High entropy of concatenated method names: 'tSsuydYQro', 'TB4uJAwiMe', 'RHAu4S7tPf', 'Af5uC8DT24', 'DyourjCO2J', 'tAqut0Cf7s', 'NH4uGIsWeU', 'goSP7mpljZ', 'Lg0PoujOpH', 'hHKPm1kJsd'
Source: 0.2.PO#RSB-8927393_2324.exe.3d96100.4.raw.unpack, QVcF8Q4cJkOZqsT6Rd.cs High entropy of concatenated method names: 'EneyFJHL30', 'ctpybTysbU', 'jJxyHRTYHu', 's0wyATf3Qj', 'IMby2OssO2', 'm6ayZJul3A', 'hk4EOpcmrf7VdSrdlN', 'GP1l7t2KdcgYB03uRS', 'Mt0JRAY4merl0CnyGm', 'i82yyJrVTL'
Source: 0.2.PO#RSB-8927393_2324.exe.3d96100.4.raw.unpack, bJHL30MetpTysbUnRK.cs High entropy of concatenated method names: 'Hrmr06D7WP', 'eZWrkBmrwp', 'C2Drcqx8EJ', 'FYVrgvwsTk', 'ehfrBVtHBU', 'z1MrfCebrU', 'zjgr7os7KN', 'BCQrol0T5d', 'VHBrmmedDp', 'aEhr1urLMB'
Source: 0.2.PO#RSB-8927393_2324.exe.3d96100.4.raw.unpack, db0nOHzKjEj4NKmt6R.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'guPudt5awL', 'zDru2XOZRS', 'aNEuZxSyf2', 'PfVujObu5A', 'EGauPBb8cV', 'wcnuuHpY7P', 'GjiuwKZsUq'
Source: 0.2.PO#RSB-8927393_2324.exe.3d96100.4.raw.unpack, AY0yVsyyfLEps6w19js.cs High entropy of concatenated method names: 'ToString', 'exOwJotRUA', 'uK5w4Wlu1f', 'kgawQTiyiV', 'wo6wCOWbsK', 'pVUwrVClXY', 'WhiwK90Vqs', 'gHJwt9HMaq', 'xqotSBZp9EUDNM2dumP', 'YPNQTXZli8VXWoeqPsf'
Source: 0.2.PO#RSB-8927393_2324.exe.3d96100.4.raw.unpack, hPlWqFOJxRTYHuw0wT.cs High entropy of concatenated method names: 'Rl2KnfYHle', 'QaFK9YFTxZ', 'nWSKMNI5Tf', 'eR7KOF4CsF', 'pc7K2EsdWy', 'F4SKZH4h4y', 'DWWKje3EGZ', 'VdZKP2xF0i', 'sC5KumiiTo', 'ht2KwlRcGs'
Source: 0.2.PO#RSB-8927393_2324.exe.3d96100.4.raw.unpack, aO2H6aiJul3Ao5Rk2e.cs High entropy of concatenated method names: 'B9IGQQarVA', 'jKVGrmtBWR', 'iDkGtJLAtG', 'kv6GFcBf8U', 'IUrGb84XY8', 'VLwtB6qll7', 'yBttfqpb2Q', 'B10t7oCfRt', 'ywotoisdR4', 'pYBtmhES1T'
Source: 0.2.PO#RSB-8927393_2324.exe.3d96100.4.raw.unpack, OSpWKmcQNpYEraiLro.cs High entropy of concatenated method names: 'ToString', 'DsKZEmwkMp', 'FRJZ3iwjSh', 'vWwZRks0X2', 'cguZxFa6Kp', 'mraZlu7m4v', 'DEsZ6vl1jq', 'YJEZDXrZfg', 'OsWZSpDGOZ', 'l3PZUXUXkH'
Source: 0.2.PO#RSB-8927393_2324.exe.3d96100.4.raw.unpack, KPT0AIfQWNIAU3xYtB.cs High entropy of concatenated method names: 'pm3jo2DIOg', 'BHij1iDFdf', 'KpcPssswH8', 'qR9PydGPQm', 'JWrjEbL4qN', 'dStjhKvSZo', 'SFljvkZTZD', 'Bvij0sSDe4', 'SBajk6glTw', 'Qc1jcVRaw0'
Source: 0.2.PO#RSB-8927393_2324.exe.6f20000.7.raw.unpack, V3QjIXIq5kOoYxMbOs.cs High entropy of concatenated method names: 'YAatXVulNA', 'UYyt8FNSu8', 'qtNKRLj26R', 'tm7KxDdB0d', 'nQcKlAIHt1', 'NTFK6GRvyy', 'KCJKDRK8QG', 'aHWKSB1lyf', 'vv5KUuayjy', 'STPK5anoDT'
Source: 0.2.PO#RSB-8927393_2324.exe.6f20000.7.raw.unpack, rw9GUwUdEWuuE3GWUO.cs High entropy of concatenated method names: 'L5aFN8hVpP', 'mViFYvcQHG', 'tgjFThmJwn', 'QI5FnU9kwV', 'UshFXPu78R', 'EekF97YEa5', 'jHQF8fljiI', 'JtgFMLLWq0', 'iTpFO3CLMv', 'rP0FIEvV8X'
Source: 0.2.PO#RSB-8927393_2324.exe.6f20000.7.raw.unpack, JrOGoqmeYTl6N4DFG6.cs High entropy of concatenated method names: 'RYAPiMsDtr', 'px6P3H3GwC', 'hgFPROa2la', 'b3lPxNCrgJ', 'LgnP0V08lr', 'poTPl7u9U2', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.PO#RSB-8927393_2324.exe.6f20000.7.raw.unpack, s6fmqtyJU3YmKeDOmmh.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'Chlw0l2T3Y', 'atLwkvjrPR', 'x4Dwcre1cI', 'U59wgvXL0R', 'fSawBoK0Fh', 'sBEwfh4lDC', 'aFCw7xfUfa'
Source: 0.2.PO#RSB-8927393_2324.exe.6f20000.7.raw.unpack, QhVPC2yskZZ1y6Hpaki.cs High entropy of concatenated method names: 'sGvuNAhtDj', 'xv0uYw4cq9', 'rNtuTwHUUN', 'U5WunBeblF', 'SEIuXvH3RG', 'h9wu9kgEac', 'Wffu8Wh3yM', 'LthuMftpDj', 'ohcuOookws', 'h73uICs5ia'
Source: 0.2.PO#RSB-8927393_2324.exe.6f20000.7.raw.unpack, MdtgxXo5Gq7I7BVIvo.cs High entropy of concatenated method names: 'VXVPCYflv2', 'l2YPrblTxP', 'ybhPKfqYZh', 'ymuPtlfvtn', 'YvNPGmFcIq', 'FRxPFYtAGD', 'kiVPbRjSer', 'VygPVWFUoY', 'DFEPHMDGsG', 'FHiPAKnVBi'
Source: 0.2.PO#RSB-8927393_2324.exe.6f20000.7.raw.unpack, lo06rTvsofDVK6Oyji.cs High entropy of concatenated method names: 'dG2dMmNdId', 'wxWdOjMkJr', 'AQpdi2LBp8', 'twKd38yWqL', 'UPfdxVdvVW', 'gGKdlDFt7T', 'kWsdDSixjq', 'ymadSuRavR', 'Ghcd54YZOU', 'VpydEWyiQW'
Source: 0.2.PO#RSB-8927393_2324.exe.6f20000.7.raw.unpack, G46V0hrQVmJaC7hRLj.cs High entropy of concatenated method names: 'Dispose', 'owWymKjnh0', 'omDe3mp4qJ', 'ssWLLcWIKB', 'jUdy1tgxX5', 'jq7yzI7BVI', 'ProcessDialogKey', 'QolesrOGoq', 'bYTeyl6N4D', 'jG6eeLrO9X'
Source: 0.2.PO#RSB-8927393_2324.exe.6f20000.7.raw.unpack, xL7UrvgtD9XFWu6Y1t.cs High entropy of concatenated method names: 'qJpjHSBmQA', 'vUwjAleIKO', 'ToString', 'CBojC9FGDD', 'aN5jrYdUsD', 'c8WjKfxBcr', 'le7jtG5NDB', 'IFCjGQBOyD', 'TgPjFRRMHC', 'nfXjb3wlc9'
Source: 0.2.PO#RSB-8927393_2324.exe.6f20000.7.raw.unpack, aYOoAfK625TDN0YVnB.cs High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'Ydjem02Icv', 'eRHe1DgZ5c', 'Po1ez1Jc7j', 'S4PJsN6bSU', 'vARJyk87uy', 'Pi6Je02H7n', 'i3wJJ7tva1', 'JQbL3Xl7hJacQmYFUZZ'
Source: 0.2.PO#RSB-8927393_2324.exe.6f20000.7.raw.unpack, jTGm1lemnEXs2uwu6T.cs High entropy of concatenated method names: 'Fi9TjrQcn', 'Dx0nUXllH', 'DQG9rcBpo', 'Qt286eCiO', 'YtgOipfAN', 'QiXId9wDK', 'mpNE8yBJJwWrXERjvH', 'dX9KIZRNJkW3HGesBH', 'kydPZAo0v', 'pOGwinc7H'
Source: 0.2.PO#RSB-8927393_2324.exe.6f20000.7.raw.unpack, sJBJU4bkNgV8EMWFH5.cs High entropy of concatenated method names: 'jkdJQBeFiR', 'QutJCMG75K', 'sTUJrdk1Tx', 'dkfJKLpjhh', 'jeSJtAjOuv', 'hJ1JGK1Bqx', 'bTtJFHqgpN', 'VBhJbyHVij', 'VsCJV3Ivbi', 'obaJHHJJPb'
Source: 0.2.PO#RSB-8927393_2324.exe.6f20000.7.raw.unpack, CycuFhDVZ1InZQQp6D.cs High entropy of concatenated method names: 'L22FCFY88b', 'GVIFK7VQkq', 'RBRFGOROGQ', 'wBYG1WUb8d', 'QXCGzyTSsZ', 'MDBFs8eKaj', 'GWDFySlcgl', 'NtNFeOTnvp', 'QpIFJURGxW', 'B39F4NRnwk'
Source: 0.2.PO#RSB-8927393_2324.exe.6f20000.7.raw.unpack, trO9Xo1t1ZcgIQgHsv.cs High entropy of concatenated method names: 'tSsuydYQro', 'TB4uJAwiMe', 'RHAu4S7tPf', 'Af5uC8DT24', 'DyourjCO2J', 'tAqut0Cf7s', 'NH4uGIsWeU', 'goSP7mpljZ', 'Lg0PoujOpH', 'hHKPm1kJsd'
Source: 0.2.PO#RSB-8927393_2324.exe.6f20000.7.raw.unpack, QVcF8Q4cJkOZqsT6Rd.cs High entropy of concatenated method names: 'EneyFJHL30', 'ctpybTysbU', 'jJxyHRTYHu', 's0wyATf3Qj', 'IMby2OssO2', 'm6ayZJul3A', 'hk4EOpcmrf7VdSrdlN', 'GP1l7t2KdcgYB03uRS', 'Mt0JRAY4merl0CnyGm', 'i82yyJrVTL'
Source: 0.2.PO#RSB-8927393_2324.exe.6f20000.7.raw.unpack, bJHL30MetpTysbUnRK.cs High entropy of concatenated method names: 'Hrmr06D7WP', 'eZWrkBmrwp', 'C2Drcqx8EJ', 'FYVrgvwsTk', 'ehfrBVtHBU', 'z1MrfCebrU', 'zjgr7os7KN', 'BCQrol0T5d', 'VHBrmmedDp', 'aEhr1urLMB'
Source: 0.2.PO#RSB-8927393_2324.exe.6f20000.7.raw.unpack, db0nOHzKjEj4NKmt6R.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'guPudt5awL', 'zDru2XOZRS', 'aNEuZxSyf2', 'PfVujObu5A', 'EGauPBb8cV', 'wcnuuHpY7P', 'GjiuwKZsUq'
Source: 0.2.PO#RSB-8927393_2324.exe.6f20000.7.raw.unpack, AY0yVsyyfLEps6w19js.cs High entropy of concatenated method names: 'ToString', 'exOwJotRUA', 'uK5w4Wlu1f', 'kgawQTiyiV', 'wo6wCOWbsK', 'pVUwrVClXY', 'WhiwK90Vqs', 'gHJwt9HMaq', 'xqotSBZp9EUDNM2dumP', 'YPNQTXZli8VXWoeqPsf'
Source: 0.2.PO#RSB-8927393_2324.exe.6f20000.7.raw.unpack, hPlWqFOJxRTYHuw0wT.cs High entropy of concatenated method names: 'Rl2KnfYHle', 'QaFK9YFTxZ', 'nWSKMNI5Tf', 'eR7KOF4CsF', 'pc7K2EsdWy', 'F4SKZH4h4y', 'DWWKje3EGZ', 'VdZKP2xF0i', 'sC5KumiiTo', 'ht2KwlRcGs'
Source: 0.2.PO#RSB-8927393_2324.exe.6f20000.7.raw.unpack, aO2H6aiJul3Ao5Rk2e.cs High entropy of concatenated method names: 'B9IGQQarVA', 'jKVGrmtBWR', 'iDkGtJLAtG', 'kv6GFcBf8U', 'IUrGb84XY8', 'VLwtB6qll7', 'yBttfqpb2Q', 'B10t7oCfRt', 'ywotoisdR4', 'pYBtmhES1T'
Source: 0.2.PO#RSB-8927393_2324.exe.6f20000.7.raw.unpack, OSpWKmcQNpYEraiLro.cs High entropy of concatenated method names: 'ToString', 'DsKZEmwkMp', 'FRJZ3iwjSh', 'vWwZRks0X2', 'cguZxFa6Kp', 'mraZlu7m4v', 'DEsZ6vl1jq', 'YJEZDXrZfg', 'OsWZSpDGOZ', 'l3PZUXUXkH'
Source: 0.2.PO#RSB-8927393_2324.exe.6f20000.7.raw.unpack, KPT0AIfQWNIAU3xYtB.cs High entropy of concatenated method names: 'pm3jo2DIOg', 'BHij1iDFdf', 'KpcPssswH8', 'qR9PydGPQm', 'JWrjEbL4qN', 'dStjhKvSZo', 'SFljvkZTZD', 'Bvij0sSDe4', 'SBajk6glTw', 'Qc1jcVRaw0'

Hooking and other Techniques for Hiding and Protection
barindex
Loading BitLocker PowerShell Module
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\w32tm.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\w32tm.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\w32tm.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\w32tm.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\w32tm.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion
barindex
Yara detected AntiVM3
Source: Yara match File source: Process Memory Space: PO#RSB-8927393_2324.exe PID: 6196, type: MEMORYSTR
Switches to a custom stack to bypass stack traces
Source: C:\Windows\SysWOW64\w32tm.exe API/Special instruction interceptor: Address: 7FFB2CECD324
Source: C:\Windows\SysWOW64\w32tm.exe API/Special instruction interceptor: Address: 7FFB2CECD7E4
Source: C:\Windows\SysWOW64\w32tm.exe API/Special instruction interceptor: Address: 7FFB2CECD944
Source: C:\Windows\SysWOW64\w32tm.exe API/Special instruction interceptor: Address: 7FFB2CECD504
Source: C:\Windows\SysWOW64\w32tm.exe API/Special instruction interceptor: Address: 7FFB2CECD544
Source: C:\Windows\SysWOW64\w32tm.exe API/Special instruction interceptor: Address: 7FFB2CECD1E4
Source: C:\Windows\SysWOW64\w32tm.exe API/Special instruction interceptor: Address: 7FFB2CED0154
Source: C:\Windows\SysWOW64\w32tm.exe API/Special instruction interceptor: Address: 7FFB2CECDA44
Allocates memory with a write watch (potentially for evading sandboxes)
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Memory allocated: 1020000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Memory allocated: 2AD0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Memory allocated: 2830000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Memory allocated: 7480000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Memory allocated: 8480000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Memory allocated: 8620000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Memory allocated: 9620000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Memory allocated: 9950000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Memory allocated: A950000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Memory allocated: 7480000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Memory allocated: 8620000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Memory allocated: 9950000 memory reserve | memory write watch Jump to behavior
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010F096E rdtsc 6_2_010F096E
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3734 Jump to behavior
Source: C:\Windows\SysWOW64\w32tm.exe Window / User API: threadDelayed 4815 Jump to behavior
Source: C:\Windows\SysWOW64\w32tm.exe Window / User API: threadDelayed 5156 Jump to behavior
Found large amount of non-executed APIs
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe API coverage: 0.7 %
Source: C:\Windows\SysWOW64\w32tm.exe API coverage: 2.5 %
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe TID: 6168 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3672 Thread sleep time: -2767011611056431s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1252 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\w32tm.exe TID: 5144 Thread sleep count: 4815 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\w32tm.exe TID: 5144 Thread sleep time: -9630000s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\w32tm.exe TID: 5144 Thread sleep count: 5156 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\w32tm.exe TID: 5144 Thread sleep time: -10312000s >= -30000s Jump to behavior
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\SysWOW64\w32tm.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\w32tm.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\w32tm.exe Code function: 10_2_02F9C4E0 FindFirstFileW,FindNextFileW,FindClose, 10_2_02F9C4E0
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: KgHL37J7K.10.dr Binary or memory string: Interactive Brokers - EU WestVMware20,11696492231n
Source: KgHL37J7K.10.dr Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696492231p
Source: KgHL37J7K.10.dr Binary or memory string: interactivebrokers.co.inVMware20,11696492231d
Source: KgHL37J7K.10.dr Binary or memory string: Canara Transaction PasswordVMware20,11696492231}
Source: KgHL37J7K.10.dr Binary or memory string: netportal.hdfcbank.comVMware20,11696492231
Source: w32tm.exe, 0000000A.00000002.2648467822.00000000082CF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU East & CentralVMware20,1
Source: KgHL37J7K.10.dr Binary or memory string: outlook.office.comVMware20,11696492231s
Source: w32tm.exe, 0000000A.00000002.2648467822.00000000082CF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - GDCDYNVMware20,116
Source: KgHL37J7K.10.dr Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696492231
Source: KgHL37J7K.10.dr Binary or memory string: AMC password management pageVMware20,11696492231
Source: KgHL37J7K.10.dr Binary or memory string: interactivebrokers.comVMware20,11696492231
Source: w32tm.exe, 0000000A.00000002.2643149827.0000000003374000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllx&^
Source: KgHL37J7K.10.dr Binary or memory string: microsoft.visualstudio.comVMware20,11696492231x
Source: PO#RSB-8927393_2324.exe, 00000000.00000002.1431124072.0000000000E19000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: KgHL37J7K.10.dr Binary or memory string: Interactive Brokers - COM.HKVMware20,11696492231
Source: KgHL37J7K.10.dr Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231^
Source: KgHL37J7K.10.dr Binary or memory string: Test URL for global passwords blocklistVMware20,11696492231
Source: KgHL37J7K.10.dr Binary or memory string: outlook.office365.comVMware20,11696492231t
Source: TVuzjGWylRcD.exe, 0000000E.00000002.2644331206.0000000000A3F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll^
Source: KgHL37J7K.10.dr Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696492231z
Source: KgHL37J7K.10.dr Binary or memory string: discord.comVMware20,11696492231f
Source: KgHL37J7K.10.dr Binary or memory string: global block list test formVMware20,11696492231
Source: PO#RSB-8927393_2324.exe, 00000000.00000002.1431124072.0000000000E19000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: KgHL37J7K.10.dr Binary or memory string: dev.azure.comVMware20,11696492231j
Source: KgHL37J7K.10.dr Binary or memory string: www.interactivebrokers.comVMware20,11696492231}
Source: KgHL37J7K.10.dr Binary or memory string: www.interactivebrokers.co.inVMware20,11696492231~
Source: KgHL37J7K.10.dr Binary or memory string: bankofamerica.comVMware20,11696492231x
Source: KgHL37J7K.10.dr Binary or memory string: trackpan.utiitsl.comVMware20,11696492231h
Source: KgHL37J7K.10.dr Binary or memory string: tasks.office.comVMware20,11696492231o
Source: KgHL37J7K.10.dr Binary or memory string: account.microsoft.com/profileVMware20,11696492231u
Source: KgHL37J7K.10.dr Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231
Source: w32tm.exe, 0000000A.00000002.2648467822.00000000082CF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: n PasswordVMware20,11696492231
Source: KgHL37J7K.10.dr Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696492231
Source: KgHL37J7K.10.dr Binary or memory string: ms.portal.azure.comVMware20,11696492231
Source: w32tm.exe, 0000000A.00000002.2648467822.00000000082CF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ropeVMware20,11696492231
Source: w32tm.exe, 0000000A.00000002.2648467822.00000000082CF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: interactivebrokers.comVMware20,1
Source: KgHL37J7K.10.dr Binary or memory string: turbotax.intuit.comVMware20,11696492231t
Source: KgHL37J7K.10.dr Binary or memory string: secure.bankofamerica.comVMware20,11696492231|UE
Source: w32tm.exe, 0000000A.00000002.2648467822.00000000082CF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696
Source: KgHL37J7K.10.dr Binary or memory string: Canara Transaction PasswordVMware20,11696492231x
Source: KgHL37J7K.10.dr Binary or memory string: Interactive Brokers - HKVMware20,11696492231]
Source: firefox.exe, 00000010.00000002.2261227421.000001FEA96CF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllll
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Process information queried: ProcessInformation Jump to behavior
Checks if the current process is being debugged
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\SysWOW64\w32tm.exe Process queried: DebugPort Jump to behavior
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010F096E rdtsc 6_2_010F096E
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_00417E33 LdrLoadDll, 6_2_00417E33
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_01170115 mov eax, dword ptr fs:[00000030h] 6_2_01170115
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_0115A118 mov ecx, dword ptr fs:[00000030h] 6_2_0115A118
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_0115A118 mov eax, dword ptr fs:[00000030h] 6_2_0115A118
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_0115A118 mov eax, dword ptr fs:[00000030h] 6_2_0115A118
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_0115A118 mov eax, dword ptr fs:[00000030h] 6_2_0115A118
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_0115E10E mov eax, dword ptr fs:[00000030h] 6_2_0115E10E
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_0115E10E mov ecx, dword ptr fs:[00000030h] 6_2_0115E10E
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_0115E10E mov eax, dword ptr fs:[00000030h] 6_2_0115E10E
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_0115E10E mov eax, dword ptr fs:[00000030h] 6_2_0115E10E
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_0115E10E mov ecx, dword ptr fs:[00000030h] 6_2_0115E10E
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_0115E10E mov eax, dword ptr fs:[00000030h] 6_2_0115E10E
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_0115E10E mov eax, dword ptr fs:[00000030h] 6_2_0115E10E
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_0115E10E mov ecx, dword ptr fs:[00000030h] 6_2_0115E10E
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_0115E10E mov eax, dword ptr fs:[00000030h] 6_2_0115E10E
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_0115E10E mov ecx, dword ptr fs:[00000030h] 6_2_0115E10E
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010E0124 mov eax, dword ptr fs:[00000030h] 6_2_010E0124
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_01148158 mov eax, dword ptr fs:[00000030h] 6_2_01148158
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_01144144 mov eax, dword ptr fs:[00000030h] 6_2_01144144
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_01144144 mov eax, dword ptr fs:[00000030h] 6_2_01144144
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_01144144 mov ecx, dword ptr fs:[00000030h] 6_2_01144144
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_01144144 mov eax, dword ptr fs:[00000030h] 6_2_01144144
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_01144144 mov eax, dword ptr fs:[00000030h] 6_2_01144144
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010AC156 mov eax, dword ptr fs:[00000030h] 6_2_010AC156
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010B6154 mov eax, dword ptr fs:[00000030h] 6_2_010B6154
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010B6154 mov eax, dword ptr fs:[00000030h] 6_2_010B6154
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_01184164 mov eax, dword ptr fs:[00000030h] 6_2_01184164
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_01184164 mov eax, dword ptr fs:[00000030h] 6_2_01184164
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010F0185 mov eax, dword ptr fs:[00000030h] 6_2_010F0185
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_0113019F mov eax, dword ptr fs:[00000030h] 6_2_0113019F
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_0113019F mov eax, dword ptr fs:[00000030h] 6_2_0113019F
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_0113019F mov eax, dword ptr fs:[00000030h] 6_2_0113019F
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_0113019F mov eax, dword ptr fs:[00000030h] 6_2_0113019F
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_01154180 mov eax, dword ptr fs:[00000030h] 6_2_01154180
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_01154180 mov eax, dword ptr fs:[00000030h] 6_2_01154180
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010AA197 mov eax, dword ptr fs:[00000030h] 6_2_010AA197
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010AA197 mov eax, dword ptr fs:[00000030h] 6_2_010AA197
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010AA197 mov eax, dword ptr fs:[00000030h] 6_2_010AA197
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_0116C188 mov eax, dword ptr fs:[00000030h] 6_2_0116C188
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_0116C188 mov eax, dword ptr fs:[00000030h] 6_2_0116C188
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_0112E1D0 mov eax, dword ptr fs:[00000030h] 6_2_0112E1D0
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_0112E1D0 mov eax, dword ptr fs:[00000030h] 6_2_0112E1D0
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_0112E1D0 mov ecx, dword ptr fs:[00000030h] 6_2_0112E1D0
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_0112E1D0 mov eax, dword ptr fs:[00000030h] 6_2_0112E1D0
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_0112E1D0 mov eax, dword ptr fs:[00000030h] 6_2_0112E1D0
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_011761C3 mov eax, dword ptr fs:[00000030h] 6_2_011761C3
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_011761C3 mov eax, dword ptr fs:[00000030h] 6_2_011761C3
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010E01F8 mov eax, dword ptr fs:[00000030h] 6_2_010E01F8
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_011861E5 mov eax, dword ptr fs:[00000030h] 6_2_011861E5
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_01134000 mov ecx, dword ptr fs:[00000030h] 6_2_01134000
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_01152000 mov eax, dword ptr fs:[00000030h] 6_2_01152000
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_01152000 mov eax, dword ptr fs:[00000030h] 6_2_01152000
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_01152000 mov eax, dword ptr fs:[00000030h] 6_2_01152000
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_01152000 mov eax, dword ptr fs:[00000030h] 6_2_01152000
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_01152000 mov eax, dword ptr fs:[00000030h] 6_2_01152000
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_01152000 mov eax, dword ptr fs:[00000030h] 6_2_01152000
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_01152000 mov eax, dword ptr fs:[00000030h] 6_2_01152000
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_01152000 mov eax, dword ptr fs:[00000030h] 6_2_01152000
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010CE016 mov eax, dword ptr fs:[00000030h] 6_2_010CE016
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010CE016 mov eax, dword ptr fs:[00000030h] 6_2_010CE016
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010CE016 mov eax, dword ptr fs:[00000030h] 6_2_010CE016
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010CE016 mov eax, dword ptr fs:[00000030h] 6_2_010CE016
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_01146030 mov eax, dword ptr fs:[00000030h] 6_2_01146030
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010AA020 mov eax, dword ptr fs:[00000030h] 6_2_010AA020
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010AC020 mov eax, dword ptr fs:[00000030h] 6_2_010AC020
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_01136050 mov eax, dword ptr fs:[00000030h] 6_2_01136050
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010B2050 mov eax, dword ptr fs:[00000030h] 6_2_010B2050
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010DC073 mov eax, dword ptr fs:[00000030h] 6_2_010DC073
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010B208A mov eax, dword ptr fs:[00000030h] 6_2_010B208A
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010A80A0 mov eax, dword ptr fs:[00000030h] 6_2_010A80A0
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_011760B8 mov eax, dword ptr fs:[00000030h] 6_2_011760B8
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_011760B8 mov ecx, dword ptr fs:[00000030h] 6_2_011760B8
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_011480A8 mov eax, dword ptr fs:[00000030h] 6_2_011480A8
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_011320DE mov eax, dword ptr fs:[00000030h] 6_2_011320DE
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010B80E9 mov eax, dword ptr fs:[00000030h] 6_2_010B80E9
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010AA0E3 mov ecx, dword ptr fs:[00000030h] 6_2_010AA0E3
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_011360E0 mov eax, dword ptr fs:[00000030h] 6_2_011360E0
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010AC0F0 mov eax, dword ptr fs:[00000030h] 6_2_010AC0F0
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010F20F0 mov ecx, dword ptr fs:[00000030h] 6_2_010F20F0
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010EA30B mov eax, dword ptr fs:[00000030h] 6_2_010EA30B
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010EA30B mov eax, dword ptr fs:[00000030h] 6_2_010EA30B
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010EA30B mov eax, dword ptr fs:[00000030h] 6_2_010EA30B
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010AC310 mov ecx, dword ptr fs:[00000030h] 6_2_010AC310
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010D0310 mov ecx, dword ptr fs:[00000030h] 6_2_010D0310
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_01188324 mov eax, dword ptr fs:[00000030h] 6_2_01188324
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_01188324 mov ecx, dword ptr fs:[00000030h] 6_2_01188324
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_01188324 mov eax, dword ptr fs:[00000030h] 6_2_01188324
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_01188324 mov eax, dword ptr fs:[00000030h] 6_2_01188324
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_0117A352 mov eax, dword ptr fs:[00000030h] 6_2_0117A352
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_01158350 mov ecx, dword ptr fs:[00000030h] 6_2_01158350
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_0113035C mov eax, dword ptr fs:[00000030h] 6_2_0113035C
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_0113035C mov eax, dword ptr fs:[00000030h] 6_2_0113035C
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_0113035C mov eax, dword ptr fs:[00000030h] 6_2_0113035C
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_0113035C mov ecx, dword ptr fs:[00000030h] 6_2_0113035C
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_0113035C mov eax, dword ptr fs:[00000030h] 6_2_0113035C
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_0113035C mov eax, dword ptr fs:[00000030h] 6_2_0113035C
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_0118634F mov eax, dword ptr fs:[00000030h] 6_2_0118634F
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_01132349 mov eax, dword ptr fs:[00000030h] 6_2_01132349
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_01132349 mov eax, dword ptr fs:[00000030h] 6_2_01132349
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_01132349 mov eax, dword ptr fs:[00000030h] 6_2_01132349
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_01132349 mov eax, dword ptr fs:[00000030h] 6_2_01132349
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_01132349 mov eax, dword ptr fs:[00000030h] 6_2_01132349
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_01132349 mov eax, dword ptr fs:[00000030h] 6_2_01132349
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_01132349 mov eax, dword ptr fs:[00000030h] 6_2_01132349
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_01132349 mov eax, dword ptr fs:[00000030h] 6_2_01132349
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_01132349 mov eax, dword ptr fs:[00000030h] 6_2_01132349
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_01132349 mov eax, dword ptr fs:[00000030h] 6_2_01132349
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_01132349 mov eax, dword ptr fs:[00000030h] 6_2_01132349
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_01132349 mov eax, dword ptr fs:[00000030h] 6_2_01132349
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_01132349 mov eax, dword ptr fs:[00000030h] 6_2_01132349
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_01132349 mov eax, dword ptr fs:[00000030h] 6_2_01132349
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_01132349 mov eax, dword ptr fs:[00000030h] 6_2_01132349
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_0115437C mov eax, dword ptr fs:[00000030h] 6_2_0115437C
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010AE388 mov eax, dword ptr fs:[00000030h] 6_2_010AE388
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010AE388 mov eax, dword ptr fs:[00000030h] 6_2_010AE388
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010AE388 mov eax, dword ptr fs:[00000030h] 6_2_010AE388
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010D438F mov eax, dword ptr fs:[00000030h] 6_2_010D438F
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010D438F mov eax, dword ptr fs:[00000030h] 6_2_010D438F
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010A8397 mov eax, dword ptr fs:[00000030h] 6_2_010A8397
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010A8397 mov eax, dword ptr fs:[00000030h] 6_2_010A8397
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010A8397 mov eax, dword ptr fs:[00000030h] 6_2_010A8397
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_011543D4 mov eax, dword ptr fs:[00000030h] 6_2_011543D4
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_011543D4 mov eax, dword ptr fs:[00000030h] 6_2_011543D4
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010BA3C0 mov eax, dword ptr fs:[00000030h] 6_2_010BA3C0
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010BA3C0 mov eax, dword ptr fs:[00000030h] 6_2_010BA3C0
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010BA3C0 mov eax, dword ptr fs:[00000030h] 6_2_010BA3C0
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010BA3C0 mov eax, dword ptr fs:[00000030h] 6_2_010BA3C0
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010BA3C0 mov eax, dword ptr fs:[00000030h] 6_2_010BA3C0
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010BA3C0 mov eax, dword ptr fs:[00000030h] 6_2_010BA3C0
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010B83C0 mov eax, dword ptr fs:[00000030h] 6_2_010B83C0
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010B83C0 mov eax, dword ptr fs:[00000030h] 6_2_010B83C0
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010B83C0 mov eax, dword ptr fs:[00000030h] 6_2_010B83C0
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010B83C0 mov eax, dword ptr fs:[00000030h] 6_2_010B83C0
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_0115E3DB mov eax, dword ptr fs:[00000030h] 6_2_0115E3DB
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_0115E3DB mov eax, dword ptr fs:[00000030h] 6_2_0115E3DB
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_0115E3DB mov ecx, dword ptr fs:[00000030h] 6_2_0115E3DB
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_0115E3DB mov eax, dword ptr fs:[00000030h] 6_2_0115E3DB
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_011363C0 mov eax, dword ptr fs:[00000030h] 6_2_011363C0
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_0116C3CD mov eax, dword ptr fs:[00000030h] 6_2_0116C3CD
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010C03E9 mov eax, dword ptr fs:[00000030h] 6_2_010C03E9
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010C03E9 mov eax, dword ptr fs:[00000030h] 6_2_010C03E9
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010C03E9 mov eax, dword ptr fs:[00000030h] 6_2_010C03E9
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010C03E9 mov eax, dword ptr fs:[00000030h] 6_2_010C03E9
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010C03E9 mov eax, dword ptr fs:[00000030h] 6_2_010C03E9
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010C03E9 mov eax, dword ptr fs:[00000030h] 6_2_010C03E9
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010C03E9 mov eax, dword ptr fs:[00000030h] 6_2_010C03E9
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010C03E9 mov eax, dword ptr fs:[00000030h] 6_2_010C03E9
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010E63FF mov eax, dword ptr fs:[00000030h] 6_2_010E63FF
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010CE3F0 mov eax, dword ptr fs:[00000030h] 6_2_010CE3F0
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010CE3F0 mov eax, dword ptr fs:[00000030h] 6_2_010CE3F0
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010CE3F0 mov eax, dword ptr fs:[00000030h] 6_2_010CE3F0
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010A823B mov eax, dword ptr fs:[00000030h] 6_2_010A823B
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_0118625D mov eax, dword ptr fs:[00000030h] 6_2_0118625D
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_0116A250 mov eax, dword ptr fs:[00000030h] 6_2_0116A250
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_0116A250 mov eax, dword ptr fs:[00000030h] 6_2_0116A250
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_01138243 mov eax, dword ptr fs:[00000030h] 6_2_01138243
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_01138243 mov ecx, dword ptr fs:[00000030h] 6_2_01138243
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010B6259 mov eax, dword ptr fs:[00000030h] 6_2_010B6259
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010AA250 mov eax, dword ptr fs:[00000030h] 6_2_010AA250
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010A826B mov eax, dword ptr fs:[00000030h] 6_2_010A826B
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_01160274 mov eax, dword ptr fs:[00000030h] 6_2_01160274
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_01160274 mov eax, dword ptr fs:[00000030h] 6_2_01160274
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_01160274 mov eax, dword ptr fs:[00000030h] 6_2_01160274
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_01160274 mov eax, dword ptr fs:[00000030h] 6_2_01160274
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_01160274 mov eax, dword ptr fs:[00000030h] 6_2_01160274
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_01160274 mov eax, dword ptr fs:[00000030h] 6_2_01160274
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_01160274 mov eax, dword ptr fs:[00000030h] 6_2_01160274
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_01160274 mov eax, dword ptr fs:[00000030h] 6_2_01160274
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_01160274 mov eax, dword ptr fs:[00000030h] 6_2_01160274
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_01160274 mov eax, dword ptr fs:[00000030h] 6_2_01160274
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_01160274 mov eax, dword ptr fs:[00000030h] 6_2_01160274
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_01160274 mov eax, dword ptr fs:[00000030h] 6_2_01160274
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010B4260 mov eax, dword ptr fs:[00000030h] 6_2_010B4260
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010B4260 mov eax, dword ptr fs:[00000030h] 6_2_010B4260
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010B4260 mov eax, dword ptr fs:[00000030h] 6_2_010B4260
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010EE284 mov eax, dword ptr fs:[00000030h] 6_2_010EE284
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010EE284 mov eax, dword ptr fs:[00000030h] 6_2_010EE284
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_01130283 mov eax, dword ptr fs:[00000030h] 6_2_01130283
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_01130283 mov eax, dword ptr fs:[00000030h] 6_2_01130283
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_01130283 mov eax, dword ptr fs:[00000030h] 6_2_01130283
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010C02A0 mov eax, dword ptr fs:[00000030h] 6_2_010C02A0
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010C02A0 mov eax, dword ptr fs:[00000030h] 6_2_010C02A0
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_011462A0 mov eax, dword ptr fs:[00000030h] 6_2_011462A0
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_011462A0 mov ecx, dword ptr fs:[00000030h] 6_2_011462A0
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_011462A0 mov eax, dword ptr fs:[00000030h] 6_2_011462A0
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_011462A0 mov eax, dword ptr fs:[00000030h] 6_2_011462A0
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_011462A0 mov eax, dword ptr fs:[00000030h] 6_2_011462A0
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_011462A0 mov eax, dword ptr fs:[00000030h] 6_2_011462A0
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010BA2C3 mov eax, dword ptr fs:[00000030h] 6_2_010BA2C3
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010BA2C3 mov eax, dword ptr fs:[00000030h] 6_2_010BA2C3
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010BA2C3 mov eax, dword ptr fs:[00000030h] 6_2_010BA2C3
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010BA2C3 mov eax, dword ptr fs:[00000030h] 6_2_010BA2C3
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010BA2C3 mov eax, dword ptr fs:[00000030h] 6_2_010BA2C3
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_011862D6 mov eax, dword ptr fs:[00000030h] 6_2_011862D6
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010C02E1 mov eax, dword ptr fs:[00000030h] 6_2_010C02E1
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010C02E1 mov eax, dword ptr fs:[00000030h] 6_2_010C02E1
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010C02E1 mov eax, dword ptr fs:[00000030h] 6_2_010C02E1
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_01146500 mov eax, dword ptr fs:[00000030h] 6_2_01146500
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_01184500 mov eax, dword ptr fs:[00000030h] 6_2_01184500
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_01184500 mov eax, dword ptr fs:[00000030h] 6_2_01184500
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_01184500 mov eax, dword ptr fs:[00000030h] 6_2_01184500
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_01184500 mov eax, dword ptr fs:[00000030h] 6_2_01184500
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_01184500 mov eax, dword ptr fs:[00000030h] 6_2_01184500
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_01184500 mov eax, dword ptr fs:[00000030h] 6_2_01184500
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_01184500 mov eax, dword ptr fs:[00000030h] 6_2_01184500
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010DE53E mov eax, dword ptr fs:[00000030h] 6_2_010DE53E
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010DE53E mov eax, dword ptr fs:[00000030h] 6_2_010DE53E
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010DE53E mov eax, dword ptr fs:[00000030h] 6_2_010DE53E
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010DE53E mov eax, dword ptr fs:[00000030h] 6_2_010DE53E
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010DE53E mov eax, dword ptr fs:[00000030h] 6_2_010DE53E
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010C0535 mov eax, dword ptr fs:[00000030h] 6_2_010C0535
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010C0535 mov eax, dword ptr fs:[00000030h] 6_2_010C0535
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010C0535 mov eax, dword ptr fs:[00000030h] 6_2_010C0535
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010C0535 mov eax, dword ptr fs:[00000030h] 6_2_010C0535
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010C0535 mov eax, dword ptr fs:[00000030h] 6_2_010C0535
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010C0535 mov eax, dword ptr fs:[00000030h] 6_2_010C0535
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010B8550 mov eax, dword ptr fs:[00000030h] 6_2_010B8550
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010B8550 mov eax, dword ptr fs:[00000030h] 6_2_010B8550
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010E656A mov eax, dword ptr fs:[00000030h] 6_2_010E656A
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010E656A mov eax, dword ptr fs:[00000030h] 6_2_010E656A
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010E656A mov eax, dword ptr fs:[00000030h] 6_2_010E656A
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010E4588 mov eax, dword ptr fs:[00000030h] 6_2_010E4588
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010B2582 mov eax, dword ptr fs:[00000030h] 6_2_010B2582
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010B2582 mov ecx, dword ptr fs:[00000030h] 6_2_010B2582
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010EE59C mov eax, dword ptr fs:[00000030h] 6_2_010EE59C
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_011305A7 mov eax, dword ptr fs:[00000030h] 6_2_011305A7
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_011305A7 mov eax, dword ptr fs:[00000030h] 6_2_011305A7
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_011305A7 mov eax, dword ptr fs:[00000030h] 6_2_011305A7
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010D45B1 mov eax, dword ptr fs:[00000030h] 6_2_010D45B1
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010D45B1 mov eax, dword ptr fs:[00000030h] 6_2_010D45B1
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010EE5CF mov eax, dword ptr fs:[00000030h] 6_2_010EE5CF
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010EE5CF mov eax, dword ptr fs:[00000030h] 6_2_010EE5CF
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010B65D0 mov eax, dword ptr fs:[00000030h] 6_2_010B65D0
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010EA5D0 mov eax, dword ptr fs:[00000030h] 6_2_010EA5D0
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010EA5D0 mov eax, dword ptr fs:[00000030h] 6_2_010EA5D0
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010EC5ED mov eax, dword ptr fs:[00000030h] 6_2_010EC5ED
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010EC5ED mov eax, dword ptr fs:[00000030h] 6_2_010EC5ED
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010DE5E7 mov eax, dword ptr fs:[00000030h] 6_2_010DE5E7
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010DE5E7 mov eax, dword ptr fs:[00000030h] 6_2_010DE5E7
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010DE5E7 mov eax, dword ptr fs:[00000030h] 6_2_010DE5E7
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010DE5E7 mov eax, dword ptr fs:[00000030h] 6_2_010DE5E7
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010DE5E7 mov eax, dword ptr fs:[00000030h] 6_2_010DE5E7
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010DE5E7 mov eax, dword ptr fs:[00000030h] 6_2_010DE5E7
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010DE5E7 mov eax, dword ptr fs:[00000030h] 6_2_010DE5E7
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010DE5E7 mov eax, dword ptr fs:[00000030h] 6_2_010DE5E7
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010B25E0 mov eax, dword ptr fs:[00000030h] 6_2_010B25E0
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010E8402 mov eax, dword ptr fs:[00000030h] 6_2_010E8402
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010E8402 mov eax, dword ptr fs:[00000030h] 6_2_010E8402
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010E8402 mov eax, dword ptr fs:[00000030h] 6_2_010E8402
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010AE420 mov eax, dword ptr fs:[00000030h] 6_2_010AE420
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010AE420 mov eax, dword ptr fs:[00000030h] 6_2_010AE420
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010AE420 mov eax, dword ptr fs:[00000030h] 6_2_010AE420
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010AC427 mov eax, dword ptr fs:[00000030h] 6_2_010AC427
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_01136420 mov eax, dword ptr fs:[00000030h] 6_2_01136420
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_01136420 mov eax, dword ptr fs:[00000030h] 6_2_01136420
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_01136420 mov eax, dword ptr fs:[00000030h] 6_2_01136420
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_01136420 mov eax, dword ptr fs:[00000030h] 6_2_01136420
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_01136420 mov eax, dword ptr fs:[00000030h] 6_2_01136420
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_01136420 mov eax, dword ptr fs:[00000030h] 6_2_01136420
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_01136420 mov eax, dword ptr fs:[00000030h] 6_2_01136420
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010EA430 mov eax, dword ptr fs:[00000030h] 6_2_010EA430
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_0116A456 mov eax, dword ptr fs:[00000030h] 6_2_0116A456
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010EE443 mov eax, dword ptr fs:[00000030h] 6_2_010EE443
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010EE443 mov eax, dword ptr fs:[00000030h] 6_2_010EE443
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010EE443 mov eax, dword ptr fs:[00000030h] 6_2_010EE443
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010EE443 mov eax, dword ptr fs:[00000030h] 6_2_010EE443
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010EE443 mov eax, dword ptr fs:[00000030h] 6_2_010EE443
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010EE443 mov eax, dword ptr fs:[00000030h] 6_2_010EE443
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010EE443 mov eax, dword ptr fs:[00000030h] 6_2_010EE443
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010EE443 mov eax, dword ptr fs:[00000030h] 6_2_010EE443
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010A645D mov eax, dword ptr fs:[00000030h] 6_2_010A645D
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010D245A mov eax, dword ptr fs:[00000030h] 6_2_010D245A
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_0113C460 mov ecx, dword ptr fs:[00000030h] 6_2_0113C460
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010DA470 mov eax, dword ptr fs:[00000030h] 6_2_010DA470
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010DA470 mov eax, dword ptr fs:[00000030h] 6_2_010DA470
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010DA470 mov eax, dword ptr fs:[00000030h] 6_2_010DA470
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_0116A49A mov eax, dword ptr fs:[00000030h] 6_2_0116A49A
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010B64AB mov eax, dword ptr fs:[00000030h] 6_2_010B64AB
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_0113A4B0 mov eax, dword ptr fs:[00000030h] 6_2_0113A4B0
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010E44B0 mov ecx, dword ptr fs:[00000030h] 6_2_010E44B0
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010B04E5 mov ecx, dword ptr fs:[00000030h] 6_2_010B04E5
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010EC700 mov eax, dword ptr fs:[00000030h] 6_2_010EC700
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010B0710 mov eax, dword ptr fs:[00000030h] 6_2_010B0710
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010E0710 mov eax, dword ptr fs:[00000030h] 6_2_010E0710
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_0112C730 mov eax, dword ptr fs:[00000030h] 6_2_0112C730
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010EC720 mov eax, dword ptr fs:[00000030h] 6_2_010EC720
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010EC720 mov eax, dword ptr fs:[00000030h] 6_2_010EC720
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010E273C mov eax, dword ptr fs:[00000030h] 6_2_010E273C
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010E273C mov ecx, dword ptr fs:[00000030h] 6_2_010E273C
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010E273C mov eax, dword ptr fs:[00000030h] 6_2_010E273C
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010E674D mov esi, dword ptr fs:[00000030h] 6_2_010E674D
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010E674D mov eax, dword ptr fs:[00000030h] 6_2_010E674D
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010E674D mov eax, dword ptr fs:[00000030h] 6_2_010E674D
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_01134755 mov eax, dword ptr fs:[00000030h] 6_2_01134755
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_0113E75D mov eax, dword ptr fs:[00000030h] 6_2_0113E75D
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010B0750 mov eax, dword ptr fs:[00000030h] 6_2_010B0750
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010F2750 mov eax, dword ptr fs:[00000030h] 6_2_010F2750
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010F2750 mov eax, dword ptr fs:[00000030h] 6_2_010F2750
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010B8770 mov eax, dword ptr fs:[00000030h] 6_2_010B8770
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010C0770 mov eax, dword ptr fs:[00000030h] 6_2_010C0770
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010C0770 mov eax, dword ptr fs:[00000030h] 6_2_010C0770
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010C0770 mov eax, dword ptr fs:[00000030h] 6_2_010C0770
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010C0770 mov eax, dword ptr fs:[00000030h] 6_2_010C0770
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010C0770 mov eax, dword ptr fs:[00000030h] 6_2_010C0770
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010C0770 mov eax, dword ptr fs:[00000030h] 6_2_010C0770
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010C0770 mov eax, dword ptr fs:[00000030h] 6_2_010C0770
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010C0770 mov eax, dword ptr fs:[00000030h] 6_2_010C0770
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010C0770 mov eax, dword ptr fs:[00000030h] 6_2_010C0770
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010C0770 mov eax, dword ptr fs:[00000030h] 6_2_010C0770
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010C0770 mov eax, dword ptr fs:[00000030h] 6_2_010C0770
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010C0770 mov eax, dword ptr fs:[00000030h] 6_2_010C0770
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_0115678E mov eax, dword ptr fs:[00000030h] 6_2_0115678E
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010B07AF mov eax, dword ptr fs:[00000030h] 6_2_010B07AF
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_011647A0 mov eax, dword ptr fs:[00000030h] 6_2_011647A0
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010BC7C0 mov eax, dword ptr fs:[00000030h] 6_2_010BC7C0
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_011307C3 mov eax, dword ptr fs:[00000030h] 6_2_011307C3
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010D27ED mov eax, dword ptr fs:[00000030h] 6_2_010D27ED
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010D27ED mov eax, dword ptr fs:[00000030h] 6_2_010D27ED
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010D27ED mov eax, dword ptr fs:[00000030h] 6_2_010D27ED
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010B47FB mov eax, dword ptr fs:[00000030h] 6_2_010B47FB
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010B47FB mov eax, dword ptr fs:[00000030h] 6_2_010B47FB
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_0113E7E1 mov eax, dword ptr fs:[00000030h] 6_2_0113E7E1
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010C260B mov eax, dword ptr fs:[00000030h] 6_2_010C260B
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010C260B mov eax, dword ptr fs:[00000030h] 6_2_010C260B
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010C260B mov eax, dword ptr fs:[00000030h] 6_2_010C260B
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010C260B mov eax, dword ptr fs:[00000030h] 6_2_010C260B
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010C260B mov eax, dword ptr fs:[00000030h] 6_2_010C260B
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010C260B mov eax, dword ptr fs:[00000030h] 6_2_010C260B
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010C260B mov eax, dword ptr fs:[00000030h] 6_2_010C260B
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010F2619 mov eax, dword ptr fs:[00000030h] 6_2_010F2619
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_0112E609 mov eax, dword ptr fs:[00000030h] 6_2_0112E609
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010B262C mov eax, dword ptr fs:[00000030h] 6_2_010B262C
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010CE627 mov eax, dword ptr fs:[00000030h] 6_2_010CE627
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010E6620 mov eax, dword ptr fs:[00000030h] 6_2_010E6620
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010E8620 mov eax, dword ptr fs:[00000030h] 6_2_010E8620
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010CC640 mov eax, dword ptr fs:[00000030h] 6_2_010CC640
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010EA660 mov eax, dword ptr fs:[00000030h] 6_2_010EA660
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010EA660 mov eax, dword ptr fs:[00000030h] 6_2_010EA660
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_0117866E mov eax, dword ptr fs:[00000030h] 6_2_0117866E
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_0117866E mov eax, dword ptr fs:[00000030h] 6_2_0117866E
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010E2674 mov eax, dword ptr fs:[00000030h] 6_2_010E2674
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010B4690 mov eax, dword ptr fs:[00000030h] 6_2_010B4690
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010B4690 mov eax, dword ptr fs:[00000030h] 6_2_010B4690
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010EC6A6 mov eax, dword ptr fs:[00000030h] 6_2_010EC6A6
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010E66B0 mov eax, dword ptr fs:[00000030h] 6_2_010E66B0
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010EA6C7 mov ebx, dword ptr fs:[00000030h] 6_2_010EA6C7
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010EA6C7 mov eax, dword ptr fs:[00000030h] 6_2_010EA6C7
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_0112E6F2 mov eax, dword ptr fs:[00000030h] 6_2_0112E6F2
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_0112E6F2 mov eax, dword ptr fs:[00000030h] 6_2_0112E6F2
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_0112E6F2 mov eax, dword ptr fs:[00000030h] 6_2_0112E6F2
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_0112E6F2 mov eax, dword ptr fs:[00000030h] 6_2_0112E6F2
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_011306F1 mov eax, dword ptr fs:[00000030h] 6_2_011306F1
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_011306F1 mov eax, dword ptr fs:[00000030h] 6_2_011306F1
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_0113C912 mov eax, dword ptr fs:[00000030h] 6_2_0113C912
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010A8918 mov eax, dword ptr fs:[00000030h] 6_2_010A8918
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010A8918 mov eax, dword ptr fs:[00000030h] 6_2_010A8918
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_0112E908 mov eax, dword ptr fs:[00000030h] 6_2_0112E908
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_0112E908 mov eax, dword ptr fs:[00000030h] 6_2_0112E908
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_0113892A mov eax, dword ptr fs:[00000030h] 6_2_0113892A
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_0114892B mov eax, dword ptr fs:[00000030h] 6_2_0114892B
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_01130946 mov eax, dword ptr fs:[00000030h] 6_2_01130946
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_01184940 mov eax, dword ptr fs:[00000030h] 6_2_01184940
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010F096E mov eax, dword ptr fs:[00000030h] 6_2_010F096E
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010F096E mov edx, dword ptr fs:[00000030h] 6_2_010F096E
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010F096E mov eax, dword ptr fs:[00000030h] 6_2_010F096E
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_01154978 mov eax, dword ptr fs:[00000030h] 6_2_01154978
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_01154978 mov eax, dword ptr fs:[00000030h] 6_2_01154978
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010D6962 mov eax, dword ptr fs:[00000030h] 6_2_010D6962
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010D6962 mov eax, dword ptr fs:[00000030h] 6_2_010D6962
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010D6962 mov eax, dword ptr fs:[00000030h] 6_2_010D6962
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_0113C97C mov eax, dword ptr fs:[00000030h] 6_2_0113C97C
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_011389B3 mov esi, dword ptr fs:[00000030h] 6_2_011389B3
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_011389B3 mov eax, dword ptr fs:[00000030h] 6_2_011389B3
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_011389B3 mov eax, dword ptr fs:[00000030h] 6_2_011389B3
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010B09AD mov eax, dword ptr fs:[00000030h] 6_2_010B09AD
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010B09AD mov eax, dword ptr fs:[00000030h] 6_2_010B09AD
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010C29A0 mov eax, dword ptr fs:[00000030h] 6_2_010C29A0
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010C29A0 mov eax, dword ptr fs:[00000030h] 6_2_010C29A0
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010C29A0 mov eax, dword ptr fs:[00000030h] 6_2_010C29A0
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010C29A0 mov eax, dword ptr fs:[00000030h] 6_2_010C29A0
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010C29A0 mov eax, dword ptr fs:[00000030h] 6_2_010C29A0
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010C29A0 mov eax, dword ptr fs:[00000030h] 6_2_010C29A0
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010C29A0 mov eax, dword ptr fs:[00000030h] 6_2_010C29A0
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010C29A0 mov eax, dword ptr fs:[00000030h] 6_2_010C29A0
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010C29A0 mov eax, dword ptr fs:[00000030h] 6_2_010C29A0
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010C29A0 mov eax, dword ptr fs:[00000030h] 6_2_010C29A0
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010C29A0 mov eax, dword ptr fs:[00000030h] 6_2_010C29A0
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010C29A0 mov eax, dword ptr fs:[00000030h] 6_2_010C29A0
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010C29A0 mov eax, dword ptr fs:[00000030h] 6_2_010C29A0
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_0117A9D3 mov eax, dword ptr fs:[00000030h] 6_2_0117A9D3
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_011469C0 mov eax, dword ptr fs:[00000030h] 6_2_011469C0
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010BA9D0 mov eax, dword ptr fs:[00000030h] 6_2_010BA9D0
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010BA9D0 mov eax, dword ptr fs:[00000030h] 6_2_010BA9D0
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010BA9D0 mov eax, dword ptr fs:[00000030h] 6_2_010BA9D0
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010BA9D0 mov eax, dword ptr fs:[00000030h] 6_2_010BA9D0
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010BA9D0 mov eax, dword ptr fs:[00000030h] 6_2_010BA9D0
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010BA9D0 mov eax, dword ptr fs:[00000030h] 6_2_010BA9D0
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010E49D0 mov eax, dword ptr fs:[00000030h] 6_2_010E49D0
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_0113E9E0 mov eax, dword ptr fs:[00000030h] 6_2_0113E9E0
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010E29F9 mov eax, dword ptr fs:[00000030h] 6_2_010E29F9
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010E29F9 mov eax, dword ptr fs:[00000030h] 6_2_010E29F9
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_0113C810 mov eax, dword ptr fs:[00000030h] 6_2_0113C810
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_0115483A mov eax, dword ptr fs:[00000030h] 6_2_0115483A
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_0115483A mov eax, dword ptr fs:[00000030h] 6_2_0115483A
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010D2835 mov eax, dword ptr fs:[00000030h] 6_2_010D2835
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010D2835 mov eax, dword ptr fs:[00000030h] 6_2_010D2835
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010D2835 mov eax, dword ptr fs:[00000030h] 6_2_010D2835
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010D2835 mov ecx, dword ptr fs:[00000030h] 6_2_010D2835
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010D2835 mov eax, dword ptr fs:[00000030h] 6_2_010D2835
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010D2835 mov eax, dword ptr fs:[00000030h] 6_2_010D2835
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010EA830 mov eax, dword ptr fs:[00000030h] 6_2_010EA830
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010C2840 mov ecx, dword ptr fs:[00000030h] 6_2_010C2840
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010B4859 mov eax, dword ptr fs:[00000030h] 6_2_010B4859
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010B4859 mov eax, dword ptr fs:[00000030h] 6_2_010B4859
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010E0854 mov eax, dword ptr fs:[00000030h] 6_2_010E0854
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_0113E872 mov eax, dword ptr fs:[00000030h] 6_2_0113E872
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_0113E872 mov eax, dword ptr fs:[00000030h] 6_2_0113E872
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_01146870 mov eax, dword ptr fs:[00000030h] 6_2_01146870
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_01146870 mov eax, dword ptr fs:[00000030h] 6_2_01146870
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010B0887 mov eax, dword ptr fs:[00000030h] 6_2_010B0887
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_0113C89D mov eax, dword ptr fs:[00000030h] 6_2_0113C89D
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010DE8C0 mov eax, dword ptr fs:[00000030h] 6_2_010DE8C0
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_011808C0 mov eax, dword ptr fs:[00000030h] 6_2_011808C0
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_0117A8E4 mov eax, dword ptr fs:[00000030h] 6_2_0117A8E4
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010EC8F9 mov eax, dword ptr fs:[00000030h] 6_2_010EC8F9
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010EC8F9 mov eax, dword ptr fs:[00000030h] 6_2_010EC8F9
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_0112EB1D mov eax, dword ptr fs:[00000030h] 6_2_0112EB1D
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_0112EB1D mov eax, dword ptr fs:[00000030h] 6_2_0112EB1D
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_0112EB1D mov eax, dword ptr fs:[00000030h] 6_2_0112EB1D
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_0112EB1D mov eax, dword ptr fs:[00000030h] 6_2_0112EB1D
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_0112EB1D mov eax, dword ptr fs:[00000030h] 6_2_0112EB1D
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_0112EB1D mov eax, dword ptr fs:[00000030h] 6_2_0112EB1D
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_0112EB1D mov eax, dword ptr fs:[00000030h] 6_2_0112EB1D
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_0112EB1D mov eax, dword ptr fs:[00000030h] 6_2_0112EB1D
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_0112EB1D mov eax, dword ptr fs:[00000030h] 6_2_0112EB1D
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_01184B00 mov eax, dword ptr fs:[00000030h] 6_2_01184B00
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010DEB20 mov eax, dword ptr fs:[00000030h] 6_2_010DEB20
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010DEB20 mov eax, dword ptr fs:[00000030h] 6_2_010DEB20
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_01178B28 mov eax, dword ptr fs:[00000030h] 6_2_01178B28
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_01178B28 mov eax, dword ptr fs:[00000030h] 6_2_01178B28
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_0115EB50 mov eax, dword ptr fs:[00000030h] 6_2_0115EB50
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_01182B57 mov eax, dword ptr fs:[00000030h] 6_2_01182B57
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_01182B57 mov eax, dword ptr fs:[00000030h] 6_2_01182B57
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_01182B57 mov eax, dword ptr fs:[00000030h] 6_2_01182B57
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_01182B57 mov eax, dword ptr fs:[00000030h] 6_2_01182B57
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_01146B40 mov eax, dword ptr fs:[00000030h] 6_2_01146B40
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_01146B40 mov eax, dword ptr fs:[00000030h] 6_2_01146B40
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_0117AB40 mov eax, dword ptr fs:[00000030h] 6_2_0117AB40
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_01158B42 mov eax, dword ptr fs:[00000030h] 6_2_01158B42
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010A8B50 mov eax, dword ptr fs:[00000030h] 6_2_010A8B50
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_01164B4B mov eax, dword ptr fs:[00000030h] 6_2_01164B4B
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_01164B4B mov eax, dword ptr fs:[00000030h] 6_2_01164B4B
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010ACB7E mov eax, dword ptr fs:[00000030h] 6_2_010ACB7E
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_01164BB0 mov eax, dword ptr fs:[00000030h] 6_2_01164BB0
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_01164BB0 mov eax, dword ptr fs:[00000030h] 6_2_01164BB0
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010C0BBE mov eax, dword ptr fs:[00000030h] 6_2_010C0BBE
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010C0BBE mov eax, dword ptr fs:[00000030h] 6_2_010C0BBE
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_0115EBD0 mov eax, dword ptr fs:[00000030h] 6_2_0115EBD0
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010B0BCD mov eax, dword ptr fs:[00000030h] 6_2_010B0BCD
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010B0BCD mov eax, dword ptr fs:[00000030h] 6_2_010B0BCD
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010B0BCD mov eax, dword ptr fs:[00000030h] 6_2_010B0BCD
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010D0BCB mov eax, dword ptr fs:[00000030h] 6_2_010D0BCB
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010D0BCB mov eax, dword ptr fs:[00000030h] 6_2_010D0BCB
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010D0BCB mov eax, dword ptr fs:[00000030h] 6_2_010D0BCB
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_0113CBF0 mov eax, dword ptr fs:[00000030h] 6_2_0113CBF0
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010DEBFC mov eax, dword ptr fs:[00000030h] 6_2_010DEBFC
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010B8BF0 mov eax, dword ptr fs:[00000030h] 6_2_010B8BF0
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010B8BF0 mov eax, dword ptr fs:[00000030h] 6_2_010B8BF0
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010B8BF0 mov eax, dword ptr fs:[00000030h] 6_2_010B8BF0
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_0113CA11 mov eax, dword ptr fs:[00000030h] 6_2_0113CA11
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010DEA2E mov eax, dword ptr fs:[00000030h] 6_2_010DEA2E
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010ECA24 mov eax, dword ptr fs:[00000030h] 6_2_010ECA24
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010ECA38 mov eax, dword ptr fs:[00000030h] 6_2_010ECA38
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010D4A35 mov eax, dword ptr fs:[00000030h] 6_2_010D4A35
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010D4A35 mov eax, dword ptr fs:[00000030h] 6_2_010D4A35
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010C0A5B mov eax, dword ptr fs:[00000030h] 6_2_010C0A5B
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010C0A5B mov eax, dword ptr fs:[00000030h] 6_2_010C0A5B
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010B6A50 mov eax, dword ptr fs:[00000030h] 6_2_010B6A50
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010B6A50 mov eax, dword ptr fs:[00000030h] 6_2_010B6A50
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010B6A50 mov eax, dword ptr fs:[00000030h] 6_2_010B6A50
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010B6A50 mov eax, dword ptr fs:[00000030h] 6_2_010B6A50
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010B6A50 mov eax, dword ptr fs:[00000030h] 6_2_010B6A50
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010B6A50 mov eax, dword ptr fs:[00000030h] 6_2_010B6A50
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010B6A50 mov eax, dword ptr fs:[00000030h] 6_2_010B6A50
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_0112CA72 mov eax, dword ptr fs:[00000030h] 6_2_0112CA72
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_0112CA72 mov eax, dword ptr fs:[00000030h] 6_2_0112CA72
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010ECA6F mov eax, dword ptr fs:[00000030h] 6_2_010ECA6F
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010ECA6F mov eax, dword ptr fs:[00000030h] 6_2_010ECA6F
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010ECA6F mov eax, dword ptr fs:[00000030h] 6_2_010ECA6F
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_0115EA60 mov eax, dword ptr fs:[00000030h] 6_2_0115EA60
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010BEA80 mov eax, dword ptr fs:[00000030h] 6_2_010BEA80
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010BEA80 mov eax, dword ptr fs:[00000030h] 6_2_010BEA80
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010BEA80 mov eax, dword ptr fs:[00000030h] 6_2_010BEA80
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010BEA80 mov eax, dword ptr fs:[00000030h] 6_2_010BEA80
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010BEA80 mov eax, dword ptr fs:[00000030h] 6_2_010BEA80
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010BEA80 mov eax, dword ptr fs:[00000030h] 6_2_010BEA80
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010BEA80 mov eax, dword ptr fs:[00000030h] 6_2_010BEA80
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010BEA80 mov eax, dword ptr fs:[00000030h] 6_2_010BEA80
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010BEA80 mov eax, dword ptr fs:[00000030h] 6_2_010BEA80
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_01184A80 mov eax, dword ptr fs:[00000030h] 6_2_01184A80
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Code function: 6_2_010E8A90 mov edx, dword ptr fs:[00000030h] 6_2_010E8A90
Enables debug privileges
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion
barindex
Adds a directory exclusion to Windows Defender
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO#RSB-8927393_2324.exe"
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO#RSB-8927393_2324.exe" Jump to behavior
Found direct / indirect Syscall (likely to bypass EDR)
Source: C:\Program Files (x86)\SfIdDALnKPRkoCdjcmLxntTwRWgtRRLmJJNPrEOnuGlyOqQeANvDKbEGFktAZjookfnnyI\TVuzjGWylRcD.exe NtWriteVirtualMemory: Direct from: 0x77762E3C Jump to behavior
Source: C:\Program Files (x86)\SfIdDALnKPRkoCdjcmLxntTwRWgtRRLmJJNPrEOnuGlyOqQeANvDKbEGFktAZjookfnnyI\TVuzjGWylRcD.exe NtMapViewOfSection: Direct from: 0x77762D1C Jump to behavior
Source: C:\Program Files (x86)\SfIdDALnKPRkoCdjcmLxntTwRWgtRRLmJJNPrEOnuGlyOqQeANvDKbEGFktAZjookfnnyI\TVuzjGWylRcD.exe NtNotifyChangeKey: Direct from: 0x77763C2C Jump to behavior
Source: C:\Program Files (x86)\SfIdDALnKPRkoCdjcmLxntTwRWgtRRLmJJNPrEOnuGlyOqQeANvDKbEGFktAZjookfnnyI\TVuzjGWylRcD.exe NtCreateMutant: Direct from: 0x777635CC Jump to behavior
Source: C:\Program Files (x86)\SfIdDALnKPRkoCdjcmLxntTwRWgtRRLmJJNPrEOnuGlyOqQeANvDKbEGFktAZjookfnnyI\TVuzjGWylRcD.exe NtResumeThread: Direct from: 0x777636AC Jump to behavior
Source: C:\Program Files (x86)\SfIdDALnKPRkoCdjcmLxntTwRWgtRRLmJJNPrEOnuGlyOqQeANvDKbEGFktAZjookfnnyI\TVuzjGWylRcD.exe NtProtectVirtualMemory: Direct from: 0x77757B2E Jump to behavior
Source: C:\Program Files (x86)\SfIdDALnKPRkoCdjcmLxntTwRWgtRRLmJJNPrEOnuGlyOqQeANvDKbEGFktAZjookfnnyI\TVuzjGWylRcD.exe NtQuerySystemInformation: Direct from: 0x77762DFC Jump to behavior
Source: C:\Program Files (x86)\SfIdDALnKPRkoCdjcmLxntTwRWgtRRLmJJNPrEOnuGlyOqQeANvDKbEGFktAZjookfnnyI\TVuzjGWylRcD.exe NtAllocateVirtualMemory: Direct from: 0x77762BFC Jump to behavior
Source: C:\Program Files (x86)\SfIdDALnKPRkoCdjcmLxntTwRWgtRRLmJJNPrEOnuGlyOqQeANvDKbEGFktAZjookfnnyI\TVuzjGWylRcD.exe NtReadFile: Direct from: 0x77762ADC Jump to behavior
Source: C:\Program Files (x86)\SfIdDALnKPRkoCdjcmLxntTwRWgtRRLmJJNPrEOnuGlyOqQeANvDKbEGFktAZjookfnnyI\TVuzjGWylRcD.exe NtDelayExecution: Direct from: 0x77762DDC Jump to behavior
Source: C:\Program Files (x86)\SfIdDALnKPRkoCdjcmLxntTwRWgtRRLmJJNPrEOnuGlyOqQeANvDKbEGFktAZjookfnnyI\TVuzjGWylRcD.exe NtWriteVirtualMemory: Direct from: 0x7776490C Jump to behavior
Source: C:\Program Files (x86)\SfIdDALnKPRkoCdjcmLxntTwRWgtRRLmJJNPrEOnuGlyOqQeANvDKbEGFktAZjookfnnyI\TVuzjGWylRcD.exe NtQueryInformationProcess: Direct from: 0x77762C26 Jump to behavior
Source: C:\Program Files (x86)\SfIdDALnKPRkoCdjcmLxntTwRWgtRRLmJJNPrEOnuGlyOqQeANvDKbEGFktAZjookfnnyI\TVuzjGWylRcD.exe NtResumeThread: Direct from: 0x77762FBC Jump to behavior
Source: C:\Program Files (x86)\SfIdDALnKPRkoCdjcmLxntTwRWgtRRLmJJNPrEOnuGlyOqQeANvDKbEGFktAZjookfnnyI\TVuzjGWylRcD.exe NtCreateUserProcess: Direct from: 0x7776371C Jump to behavior
Source: C:\Program Files (x86)\SfIdDALnKPRkoCdjcmLxntTwRWgtRRLmJJNPrEOnuGlyOqQeANvDKbEGFktAZjookfnnyI\TVuzjGWylRcD.exe NtSetInformationThread: Direct from: 0x777563F9 Jump to behavior
Source: C:\Program Files (x86)\SfIdDALnKPRkoCdjcmLxntTwRWgtRRLmJJNPrEOnuGlyOqQeANvDKbEGFktAZjookfnnyI\TVuzjGWylRcD.exe NtAllocateVirtualMemory: Direct from: 0x77763C9C Jump to behavior
Source: C:\Program Files (x86)\SfIdDALnKPRkoCdjcmLxntTwRWgtRRLmJJNPrEOnuGlyOqQeANvDKbEGFktAZjookfnnyI\TVuzjGWylRcD.exe NtSetInformationThread: Direct from: 0x77762B4C Jump to behavior
Source: C:\Program Files (x86)\SfIdDALnKPRkoCdjcmLxntTwRWgtRRLmJJNPrEOnuGlyOqQeANvDKbEGFktAZjookfnnyI\TVuzjGWylRcD.exe NtQueryAttributesFile: Direct from: 0x77762E6C Jump to behavior
Source: C:\Program Files (x86)\SfIdDALnKPRkoCdjcmLxntTwRWgtRRLmJJNPrEOnuGlyOqQeANvDKbEGFktAZjookfnnyI\TVuzjGWylRcD.exe NtClose: Direct from: 0x77762B6C
Source: C:\Program Files (x86)\SfIdDALnKPRkoCdjcmLxntTwRWgtRRLmJJNPrEOnuGlyOqQeANvDKbEGFktAZjookfnnyI\TVuzjGWylRcD.exe NtReadVirtualMemory: Direct from: 0x77762E8C Jump to behavior
Source: C:\Program Files (x86)\SfIdDALnKPRkoCdjcmLxntTwRWgtRRLmJJNPrEOnuGlyOqQeANvDKbEGFktAZjookfnnyI\TVuzjGWylRcD.exe NtCreateKey: Direct from: 0x77762C6C Jump to behavior
Source: C:\Program Files (x86)\SfIdDALnKPRkoCdjcmLxntTwRWgtRRLmJJNPrEOnuGlyOqQeANvDKbEGFktAZjookfnnyI\TVuzjGWylRcD.exe NtQuerySystemInformation: Direct from: 0x777648CC Jump to behavior
Source: C:\Program Files (x86)\SfIdDALnKPRkoCdjcmLxntTwRWgtRRLmJJNPrEOnuGlyOqQeANvDKbEGFktAZjookfnnyI\TVuzjGWylRcD.exe NtAllocateVirtualMemory: Direct from: 0x777648EC Jump to behavior
Source: C:\Program Files (x86)\SfIdDALnKPRkoCdjcmLxntTwRWgtRRLmJJNPrEOnuGlyOqQeANvDKbEGFktAZjookfnnyI\TVuzjGWylRcD.exe NtQueryVolumeInformationFile: Direct from: 0x77762F2C Jump to behavior
Source: C:\Program Files (x86)\SfIdDALnKPRkoCdjcmLxntTwRWgtRRLmJJNPrEOnuGlyOqQeANvDKbEGFktAZjookfnnyI\TVuzjGWylRcD.exe NtOpenSection: Direct from: 0x77762E0C Jump to behavior
Source: C:\Program Files (x86)\SfIdDALnKPRkoCdjcmLxntTwRWgtRRLmJJNPrEOnuGlyOqQeANvDKbEGFktAZjookfnnyI\TVuzjGWylRcD.exe NtDeviceIoControlFile: Direct from: 0x77762AEC Jump to behavior
Source: C:\Program Files (x86)\SfIdDALnKPRkoCdjcmLxntTwRWgtRRLmJJNPrEOnuGlyOqQeANvDKbEGFktAZjookfnnyI\TVuzjGWylRcD.exe NtAllocateVirtualMemory: Direct from: 0x77762BEC Jump to behavior
Source: C:\Program Files (x86)\SfIdDALnKPRkoCdjcmLxntTwRWgtRRLmJJNPrEOnuGlyOqQeANvDKbEGFktAZjookfnnyI\TVuzjGWylRcD.exe NtQueryInformationToken: Direct from: 0x77762CAC Jump to behavior
Source: C:\Program Files (x86)\SfIdDALnKPRkoCdjcmLxntTwRWgtRRLmJJNPrEOnuGlyOqQeANvDKbEGFktAZjookfnnyI\TVuzjGWylRcD.exe NtTerminateThread: Direct from: 0x77762FCC Jump to behavior
Source: C:\Program Files (x86)\SfIdDALnKPRkoCdjcmLxntTwRWgtRRLmJJNPrEOnuGlyOqQeANvDKbEGFktAZjookfnnyI\TVuzjGWylRcD.exe NtCreateFile: Direct from: 0x77762FEC Jump to behavior
Source: C:\Program Files (x86)\SfIdDALnKPRkoCdjcmLxntTwRWgtRRLmJJNPrEOnuGlyOqQeANvDKbEGFktAZjookfnnyI\TVuzjGWylRcD.exe NtOpenFile: Direct from: 0x77762DCC Jump to behavior
Source: C:\Program Files (x86)\SfIdDALnKPRkoCdjcmLxntTwRWgtRRLmJJNPrEOnuGlyOqQeANvDKbEGFktAZjookfnnyI\TVuzjGWylRcD.exe NtOpenKeyEx: Direct from: 0x77762B9C Jump to behavior
Source: C:\Program Files (x86)\SfIdDALnKPRkoCdjcmLxntTwRWgtRRLmJJNPrEOnuGlyOqQeANvDKbEGFktAZjookfnnyI\TVuzjGWylRcD.exe NtSetInformationProcess: Direct from: 0x77762C5C Jump to behavior
Source: C:\Program Files (x86)\SfIdDALnKPRkoCdjcmLxntTwRWgtRRLmJJNPrEOnuGlyOqQeANvDKbEGFktAZjookfnnyI\TVuzjGWylRcD.exe NtProtectVirtualMemory: Direct from: 0x77762F9C Jump to behavior
Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Memory written: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe base: 400000 value starts with: 4D5A Jump to behavior
Maps a DLL or memory area into another process
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Section loaded: NULL target: C:\Program Files (x86)\SfIdDALnKPRkoCdjcmLxntTwRWgtRRLmJJNPrEOnuGlyOqQeANvDKbEGFktAZjookfnnyI\TVuzjGWylRcD.exe protection: execute and read and write Jump to behavior
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Section loaded: NULL target: C:\Windows\System32\conhost.exe protection: execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\w32tm.exe Section loaded: NULL target: C:\Program Files (x86)\SfIdDALnKPRkoCdjcmLxntTwRWgtRRLmJJNPrEOnuGlyOqQeANvDKbEGFktAZjookfnnyI\TVuzjGWylRcD.exe protection: read write Jump to behavior
Source: C:\Windows\SysWOW64\w32tm.exe Section loaded: NULL target: C:\Program Files (x86)\SfIdDALnKPRkoCdjcmLxntTwRWgtRRLmJJNPrEOnuGlyOqQeANvDKbEGFktAZjookfnnyI\TVuzjGWylRcD.exe protection: execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\w32tm.exe Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write Jump to behavior
Source: C:\Windows\SysWOW64\w32tm.exe Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write Jump to behavior
Modifies the context of a thread in another process (thread injection)
Source: C:\Windows\SysWOW64\w32tm.exe Thread register set: target process: 3632 Jump to behavior
Queues an APC in another process (thread injection)
Source: C:\Windows\SysWOW64\w32tm.exe Thread APC queued: target process: C:\Program Files (x86)\SfIdDALnKPRkoCdjcmLxntTwRWgtRRLmJJNPrEOnuGlyOqQeANvDKbEGFktAZjookfnnyI\TVuzjGWylRcD.exe Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO#RSB-8927393_2324.exe" Jump to behavior
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Process created: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe "C:\Users\user\Desktop\PO#RSB-8927393_2324.exe" Jump to behavior
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Process created: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe "C:\Users\user\Desktop\PO#RSB-8927393_2324.exe" Jump to behavior
Source: C:\Program Files (x86)\SfIdDALnKPRkoCdjcmLxntTwRWgtRRLmJJNPrEOnuGlyOqQeANvDKbEGFktAZjookfnnyI\TVuzjGWylRcD.exe Process created: C:\Windows\SysWOW64\w32tm.exe "C:\Windows\SysWOW64\w32tm.exe" Jump to behavior
Source: C:\Windows\SysWOW64\w32tm.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe" Jump to behavior
Source: TVuzjGWylRcD.exe, 00000009.00000002.2644153539.0000000001001000.00000002.00000001.00040000.00000000.sdmp, TVuzjGWylRcD.exe, 00000009.00000000.1724853660.0000000001000000.00000002.00000001.00040000.00000000.sdmp, TVuzjGWylRcD.exe, 0000000E.00000002.2644634543.0000000000EB1000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Shell_TrayWnd
Source: TVuzjGWylRcD.exe, 00000009.00000002.2644153539.0000000001001000.00000002.00000001.00040000.00000000.sdmp, TVuzjGWylRcD.exe, 00000009.00000000.1724853660.0000000001000000.00000002.00000001.00040000.00000000.sdmp, TVuzjGWylRcD.exe, 0000000E.00000002.2644634543.0000000000EB1000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progman
Source: TVuzjGWylRcD.exe, 00000009.00000002.2644153539.0000000001001000.00000002.00000001.00040000.00000000.sdmp, TVuzjGWylRcD.exe, 00000009.00000000.1724853660.0000000001000000.00000002.00000001.00040000.00000000.sdmp, TVuzjGWylRcD.exe, 0000000E.00000002.2644634543.0000000000EB1000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: ?Program Manager
Source: TVuzjGWylRcD.exe, 00000009.00000002.2644153539.0000000001001000.00000002.00000001.00040000.00000000.sdmp, TVuzjGWylRcD.exe, 00000009.00000000.1724853660.0000000001000000.00000002.00000001.00040000.00000000.sdmp, TVuzjGWylRcD.exe, 0000000E.00000002.2644634543.0000000000EB1000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progmanlock
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Queries volume information: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO#RSB-8927393_2324.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information
barindex
Yara detected FormBook
Source: Yara match File source: 6.2.PO#RSB-8927393_2324.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.PO#RSB-8927393_2324.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000006.00000002.1807194946.00000000013D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2644606484.0000000003AF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.1807336062.00000000028D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.2643723707.0000000000890000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.2644723552.0000000003740000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.1805462543.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.2644778118.0000000003790000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.2642727855.0000000002F80000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Windows\SysWOW64\w32tm.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies Jump to behavior
Source: C:\Windows\SysWOW64\w32tm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data Jump to behavior
Source: C:\Windows\SysWOW64\w32tm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data Jump to behavior
Source: C:\Windows\SysWOW64\w32tm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State Jump to behavior
Source: C:\Windows\SysWOW64\w32tm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State Jump to behavior
Source: C:\Windows\SysWOW64\w32tm.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data Jump to behavior
Source: C:\Windows\SysWOW64\w32tm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies Jump to behavior
Source: C:\Windows\SysWOW64\w32tm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies Jump to behavior
Tries to steal Mail credentials (via file / registry access)
Source: C:\Windows\SysWOW64\w32tm.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\ Jump to behavior

Remote Access Functionality
barindex
Yara detected FormBook
Source: Yara match File source: 6.2.PO#RSB-8927393_2324.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.PO#RSB-8927393_2324.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000006.00000002.1807194946.00000000013D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2644606484.0000000003AF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.1807336062.00000000028D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.2643723707.0000000000890000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.2644723552.0000000003740000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.1805462543.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.2644778118.0000000003790000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.2642727855.0000000002F80000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1467840 Sample: PO#RSB-8927393_2324.exe Startdate: 04/07/2024 Architecture: WINDOWS Score: 100 39 www.stigaequity.com 2->39 41 www.interoceptiv.com 2->41 43 6 other IPs or domains 2->43 53 Snort IDS alert for network traffic 2->53 55 Malicious sample detected (through community Yara rule) 2->55 57 Antivirus / Scanner detection for submitted sample 2->57 59 8 other signatures 2->59 10 PO#RSB-8927393_2324.exe 4 2->10         started        signatures3 process4 file5 37 C:\Users\user\...\PO#RSB-8927393_2324.exe.log, ASCII 10->37 dropped 63 Adds a directory exclusion to Windows Defender 10->63 65 Injects a PE file into a foreign processes 10->65 14 PO#RSB-8927393_2324.exe 10->14         started        17 powershell.exe 23 10->17         started        19 PO#RSB-8927393_2324.exe 10->19         started        signatures6 process7 signatures8 75 Maps a DLL or memory area into another process 14->75 21 TVuzjGWylRcD.exe 14->21 injected 77 Loading BitLocker PowerShell Module 17->77 24 conhost.exe 17->24         started        26 WmiPrvSE.exe 17->26         started        process9 signatures10 61 Found direct / indirect Syscall (likely to bypass EDR) 21->61 28 w32tm.exe 13 21->28         started        process11 signatures12 67 Tries to steal Mail credentials (via file / registry access) 28->67 69 Tries to harvest and steal browser information (history, passwords, etc) 28->69 71 Modifies the context of a thread in another process (thread injection) 28->71 73 3 other signatures 28->73 31 TVuzjGWylRcD.exe 28->31 injected 35 firefox.exe 28->35         started        process13 dnsIp14 45 desakedungpeluk.com 202.52.146.180, 49716, 49717, 49718 GMEDIA-AS-IDGlobalMediaTeknologiPTID Indonesia 31->45 47 stigaequity.com 3.33.130.190, 49720, 49721, 49722 AMAZONEXPANSIONGB United States 31->47 49 artistcalculator.com 162.241.216.26, 49715, 80 UNIFIEDLAYER-AS-1US United States 31->49 51 Found direct / indirect Syscall (likely to bypass EDR) 31->51 signatures15
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
202.52.146.180
 desakedungpeluk.com Indonesia
45324 GMEDIA-AS-IDGlobalMediaTeknologiPTID true
162.241.216.26
 artistcalculator.com United States
46606 UNIFIEDLAYER-AS-1US false
3.33.130.190
 interoceptiv.com United States
8987 AMAZONEXPANSIONGB true

Contacted Domains

Name IP Active
interoceptiv.com 3.33.130.190 true
desakedungpeluk.com 202.52.146.180 true
stigaequity.com 3.33.130.190 true
artistcalculator.com 162.241.216.26 true
www.desakedungpeluk.com unknown unknown
www.artistcalculator.com unknown unknown
www.interoceptiv.com unknown unknown
www.stigaequity.com unknown unknown

Contacted URLs

Name Malicious Antivirus Detection Reputation
http://www.desakedungpeluk.com/fwoh/ true
  • Avira URL Cloud: safe
 unknown
http://www.stigaequity.com/g6p3/?ER9dVZR=ribLlrKo4+aNk92vcl6tJoF/Wx2bO83lSnYMoyHDTVlljCBLTbU97JTETYJyyGq3p6fcq731smqcseDbybcpYOuelIXZBxgBjMkzGiPSdnNvEa8E1B1rFKPXfL7Uhr2TtbaNlqUJmpII&GFi=c8EPf true
  • Avira URL Cloud: safe
 unknown
http://www.stigaequity.com/g6p3/ true
  • Avira URL Cloud: safe
 unknown
http://www.interoceptiv.com/f6cy/?GFi=c8EPf&ER9dVZR=ViKCibVXrLYIfGkUWUzEOaSlHvtpmYyv8mF5qjT/BPKazql6ii5kKGQHLaSbydSSoUBECJyqDvT8mzUSv37yKhNGp2B6IS3ZvB9wkFVTcG5y2IknMhFR9SC0mei2pox1qw6FBw9NsPmM true
  • Avira URL Cloud: safe
 unknown
http://www.interoceptiv.com/f6cy/ true
  • Avira URL Cloud: safe
 unknown
http://www.artistcalculator.com/8kls/?GFi=c8EPf&ER9dVZR=2KGZ/3QNXi4ulTzvjIbSvnVIk+/410+IZnCrksCfUlhFzRQv5I69qDoixyW/nlEH6HekfEjhjWldx4T2xAX96nP+8g6Xqrd0P2gOkZ8UL+qLTVw01tpdU0aJtXq0SBQRvwi7Sr6O0xKY false
  • Avira URL Cloud: safe
 unknown