Analysis Report i6VD44gIF9.exe

Overview

General Information

Sample Name: i6VD44gIF9.exe
Analysis ID: 351781
MD5: 0ccbb1e2f05975a67ba1cfd7404ef968
SHA1: 04587ab06c43e4cb01d9d21a15b9edb836d771db
SHA256: 2bde41794f3ec8ee0b4e4be924a18e9b55c9f61eed39f10d16bc0afd9e33ba48
Tags: exe, Formbook

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
C2 URLs / IPs found in malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect virtualization through RDTSC time measurements
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Classification chart categories: Ransomware, Spreading, Phishing, Banker, Trojan / Bot, Adware, Spyware, Exploiter, Evader, Miner (legend: clean, suspicious, malicious)

AV Detection:

Found malware configuration
Source: 3.2.i6VD44gIF9.exe.400000.0.raw.unpack Malware Configuration Extractor: FormBook {"C2 list": ["www.aone223.com/67d/"], "decoy": ["initiationportal.com", "priority1fleet.com", "xn--c1abvlc0ba.xn--p1acf", "foto-golyh-devushek.com", "losangeles-nightlife.com", "mynewbandname.com", "iaiibhzsbw.net", "allwest-originals.com", "peakofgoodlife.com", "traeespana.com", "prizotinstagram.online", "powerd.net", "rutharroyo.com", "spreadtheaimee.com", "tomleefamily.com", "workingcompass.net", "quallateematerial.com", "davizion.com", "ashleeramdanfit.com", "gamers-evolution.com", "bohrabiz.com", "twigandbloomfloral.com", "nhdpartners.com", "wakedcma.com", "algulotomotiv.com", "kocaelikiralikvinc.com", "listenupfoundation.net", "studiozetamilano.com", "luckybluebird.net", "xigo100.com", "hattonpalacejewellery.com", "bolsasmariabonita.com", "didierjammet.com", "wndslve.com", "wiprideinc.com", "aktiv.plus", "americanseniorcarecorp.com", "calmbears.com", "gearsevenfitness.com", "naigves.com", "stremate.webcam", "awakenedbyowls.com", "pelican-foot.com", "t-c-o-t-c.com", "disinfectingcinci.com", "buyrealestatewithchris.com", "g-grid.net", "dodadungthongminh.asia", "prospect300.com", "rjutilities.com", "mylegalmavens.com", "talalmando.com", "localheroes.space", "writinglover.site", "brink100.com", "bim3dstudio.com", "absak-lab1.net", "torontodo.com", "repwebtools.com", "films4christians.com", "raptorroofingcompany.com", "lrrestoration.com", "zhongqinglvyou.com", "jangabeach.com"]}
Multi AV Scanner detection for submitted file
Source: i6VD44gIF9.exe Virustotal: Detection: 32%
Source: i6VD44gIF9.exe ReversingLabs: Detection: 31%
Yara detected FormBook
Source: Yara match File source: 00000003.00000002.302680659.00000000012C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.579484886.0000000000E80000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.255536888.00000000048A2000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.579024968.0000000000E50000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.302948394.00000000013D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.572103632.0000000000420000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.302477057.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.254974295.00000000043C9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 3.2.i6VD44gIF9.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.i6VD44gIF9.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.i6VD44gIF9.exe.458bd18.1.raw.unpack, type: UNPACKEDPE
Machine Learning detection for sample
Source: i6VD44gIF9.exe Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 3.2.i6VD44gIF9.exe.400000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen

Compliance:

Uses 32bit PE files
Source: i6VD44gIF9.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Contains modern PE file flags such as dynamic base (ASLR) or NX
Source: i6VD44gIF9.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Binary contains paths to debug symbols
Source: Binary string: wscript.pdbGCTL source: i6VD44gIF9.exe, 00000003.00000002.304648178.00000000035E0000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdbUGP source: i6VD44gIF9.exe, 00000003.00000002.303278016.000000000195F000.00000040.00000001.sdmp, wscript.exe, 00000010.00000002.580663492.0000000000FF0000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: i6VD44gIF9.exe, wscript.exe
Source: Binary string: wscript.pdb source: i6VD44gIF9.exe, 00000003.00000002.304648178.00000000035E0000.00000040.00000001.sdmp

Software Vulnerabilities:

Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 4x nop then pop esi 3_2_004172D3
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 4x nop then pop edi 3_2_00416C8C
Source: C:\Windows\SysWOW64\wscript.exe Code function: 4x nop then pop esi 16_2_004372D3
Source: C:\Windows\SysWOW64\wscript.exe Code function: 4x nop then pop edi 16_2_00436C8C

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: www.aone223.com/67d/
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected:
    GET /67d/?JfE=O9IR4YPjjbiQmHeNmUOcFuSmCcKiV53kMKt9knrkQ3zS2byQjzM16AmI+3SIBLcQHOV6&ojqP_B=RzulsJ HTTP/1.1
    Host: www.xn--c1abvlc0ba.xn--p1acf
    Connection: close
    Data Raw: 00 00 00 00 00 00 00
    Data Ascii:
Source: global traffic HTTP traffic detected:
    GET /67d/?ojqP_B=RzulsJ&JfE=NVd2BprTGgCTS+kRSzxe1MFE2dAnLNN4hfUOXzbXcyb3INnnj+6+VFnANDut37ZMBQSG HTTP/1.1
    Host: www.foto-golyh-devushek.com
    Connection: close
    Data Raw: 00 00 00 00 00 00 00
    Data Ascii:
Source: global traffic HTTP traffic detected:
    GET /67d/?JfE=oyc7CizTzO7ijjj/wWVzh0cRX4RS00Us7EuMxb4rLU1twRbhGDkyY+EzZT4WUSD89AqN&ojqP_B=RzulsJ HTTP/1.1
    Host: www.rutharroyo.com
    Connection: close
    Data Raw: 00 00 00 00 00 00 00
    Data Ascii:
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: VARITI-ASRU
Source: Joe Sandbox View ASN Name: CLOUDFLARENETUS
Source: Joe Sandbox View ASN Name: ONEANDONE-ASBrauerstrasse48DE
Source: unknown DNS traffic detected: queries for: www.absak-lab1.net
Source: global traffic HTTP traffic detected:
    HTTP/1.1 404 Not Found
    Server: nginx
    Date: Thu, 11 Feb 2021 08:26:56 GMT
    Content-Type: text/html; charset=UTF-8
    Content-Length: 490
    Connection: close
    Vary: Accept-Encoding
    Last-Modified: Thu, 15 Mar 2018 10:00:32 GMT
    ETag: "1ea-567708fe99000"
    Accept-Ranges: bytes
    X-Frame-Options: SAMEORIGIN
    X-VARITI-CCR: 305926325:1
    Set-Cookie: rerf=AAAAAGAk6lCr3SKhAwcpAg==; expires=Sat, 13-Mar-21 08:26:56 GMT; path=/
    P3P: policyref="/w3c/p3p.xml", CP="CUR ADM OUR NOR STA NID"
    Data Ascii: <html><head><meta name="robots" content="noindex"><title>Domain has been assigned</title></head><body><table style="width:100%; height:100%; font-family: sans-serif;"><tr><td style="vertical-align: middle; text-align: center;"><a href="http://tilda.cc"><img src="http://tilda.ws/img/logo404.png" border="0" alt="Tilda" /></a><br><br><br><br><b>Domain has been assigned.</b><br>Please go to the site settings and put the domain name in the Domain tab.<br><br></td></tr></table></body></html>
Source: explorer.exe, 00000004.00000000.275965148.000000000F6C0000.00000004.00000001.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: i6VD44gIF9.exe, 00000001.00000002.258282287.00000000063C0000.00000002.00000001.sdmp, explorer.exe, 00000004.00000000.272173937.0000000008B40000.00000002.00000001.sdmp String found in binary or memory: http://fontfabrik.com
Source: explorer.exe, 00000004.00000003.554702927.000000000F755000.00000004.00000001.sdmp String found in binary or memory: http://www.absak-lab1.net
Source: explorer.exe, 00000004.00000003.554702927.000000000F755000.00000004.00000001.sdmp String found in binary or memory: http://www.absak-lab1.net/67d/
Source: explorer.exe, 00000004.00000003.554702927.000000000F755000.00000004.00000001.sdmp String found in binary or memory: http://www.absak-lab1.net/67d/www.xn--c1abvlc0ba.xn--p1acf
Source: explorer.exe, 00000004.00000003.554702927.000000000F755000.00000004.00000001.sdmp String found in binary or memory: http://www.absak-lab1.netReferer:
Source: explorer.exe, 00000004.00000003.554702927.000000000F755000.00000004.00000001.sdmp String found in binary or memory: http://www.aone223.com
Source: explorer.exe, 00000004.00000003.554702927.000000000F755000.00000004.00000001.sdmp String found in binary or memory: http://www.aone223.com/67d/
Source: explorer.exe, 00000004.00000003.554702927.000000000F755000.00000004.00000001.sdmp String found in binary or memory: http://www.aone223.com/67d/www.rjutilities.com
Source: explorer.exe, 00000004.00000003.554702927.000000000F755000.00000004.00000001.sdmp String found in binary or memory: http://www.aone223.comReferer:
Source: i6VD44gIF9.exe, 00000001.00000002.258282287.00000000063C0000.00000002.00000001.sdmp, explorer.exe, 00000004.00000000.272173937.0000000008B40000.00000002.00000001.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000004.00000003.554702927.000000000F755000.00000004.00000001.sdmp String found in binary or memory: http://www.ashleeramdanfit.com
Source: explorer.exe, 00000004.00000003.554702927.000000000F755000.00000004.00000001.sdmp String found in binary or memory: http://www.ashleeramdanfit.com/67d/
Source: explorer.exe, 00000004.00000003.554702927.000000000F755000.00000004.00000001.sdmp String found in binary or memory: http://www.ashleeramdanfit.com/67d/www.listenupfoundation.net
Source: explorer.exe, 00000004.00000003.554702927.000000000F755000.00000004.00000001.sdmp String found in binary or memory: http://www.ashleeramdanfit.comReferer:
Source: explorer.exe, 00000004.00000003.554702927.000000000F755000.00000004.00000001.sdmp String found in binary or memory: http://www.bim3dstudio.com
Source: explorer.exe, 00000004.00000003.554702927.000000000F755000.00000004.00000001.sdmp String found in binary or memory: http://www.bim3dstudio.com/67d/
Source: explorer.exe, 00000004.00000003.554702927.000000000F755000.00000004.00000001.sdmp String found in binary or memory: http://www.bim3dstudio.com/67d/www.buyrealestatewithchris.com
Source: explorer.exe, 00000004.00000003.554702927.000000000F755000.00000004.00000001.sdmp String found in binary or memory: http://www.bim3dstudio.comReferer:
Source: explorer.exe, 00000004.00000003.554702927.000000000F755000.00000004.00000001.sdmp String found in binary or memory: http://www.brink100.com
Source: explorer.exe, 00000004.00000003.554702927.000000000F755000.00000004.00000001.sdmp String found in binary or memory: http://www.brink100.com/67d/
Source: explorer.exe, 00000004.00000003.554702927.000000000F755000.00000004.00000001.sdmp String found in binary or memory: http://www.brink100.com/67d/www.traeespana.com
Source: explorer.exe, 00000004.00000003.554702927.000000000F755000.00000004.00000001.sdmp String found in binary or memory: http://www.brink100.comReferer:
Source: explorer.exe, 00000004.00000003.554702927.000000000F755000.00000004.00000001.sdmp String found in binary or memory: http://www.buyrealestatewithchris.com
Source: explorer.exe, 00000004.00000003.554702927.000000000F755000.00000004.00000001.sdmp String found in binary or memory: http://www.buyrealestatewithchris.com/67d/
Source: explorer.exe, 00000004.00000003.554702927.000000000F755000.00000004.00000001.sdmp String found in binary or memory: http://www.buyrealestatewithchris.com/67d/www.ashleeramdanfit.com
Source: explorer.exe, 00000004.00000003.554702927.000000000F755000.00000004.00000001.sdmp String found in binary or memory: http://www.buyrealestatewithchris.comReferer:
Source: i6VD44gIF9.exe, 00000001.00000002.258282287.00000000063C0000.00000002.00000001.sdmp, explorer.exe, 00000004.00000000.272173937.0000000008B40000.00000002.00000001.sdmp String found in binary or memory: http://www.carterandcone.coml
Source: i6VD44gIF9.exe, 00000001.00000002.258282287.00000000063C0000.00000002.00000001.sdmp, explorer.exe, 00000004.00000000.272173937.0000000008B40000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000004.00000000.272173937.0000000008B40000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers
Source: i6VD44gIF9.exe, 00000001.00000002.258282287.00000000063C0000.00000002.00000001.sdmp, explorer.exe, 00000004.00000000.272173937.0000000008B40000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/?
Source: i6VD44gIF9.exe, 00000001.00000002.258282287.00000000063C0000.00000002.00000001.sdmp, explorer.exe, 00000004.00000000.272173937.0000000008B40000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: i6VD44gIF9.exe, 00000001.00000002.258282287.00000000063C0000.00000002.00000001.sdmp, explorer.exe, 00000004.00000000.272173937.0000000008B40000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: i6VD44gIF9.exe, 00000001.00000002.258282287.00000000063C0000.00000002.00000001.sdmp, explorer.exe, 00000004.00000000.272173937.0000000008B40000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers8
Source: i6VD44gIF9.exe, 00000001.00000002.258282287.00000000063C0000.00000002.00000001.sdmp, explorer.exe, 00000004.00000000.272173937.0000000008B40000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers?
Source: i6VD44gIF9.exe, 00000001.00000002.258282287.00000000063C0000.00000002.00000001.sdmp, explorer.exe, 00000004.00000000.272173937.0000000008B40000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designersG
Source: i6VD44gIF9.exe, 00000001.00000002.258282287.00000000063C0000.00000002.00000001.sdmp, explorer.exe, 00000004.00000000.272173937.0000000008B40000.00000002.00000001.sdmp String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 00000004.00000003.554702927.000000000F755000.00000004.00000001.sdmp String found in binary or memory: http://www.foto-golyh-devushek.com
Source: explorer.exe, 00000004.00000003.554702927.000000000F755000.00000004.00000001.sdmp String found in binary or memory: http://www.foto-golyh-devushek.com/67d/
Source: explorer.exe, 00000004.00000003.554702927.000000000F755000.00000004.00000001.sdmp String found in binary or memory: http://www.foto-golyh-devushek.com/67d/www.rutharroyo.com
Source: explorer.exe, 00000004.00000003.554702927.000000000F755000.00000004.00000001.sdmp String found in binary or memory: http://www.foto-golyh-devushek.comReferer:
Source: i6VD44gIF9.exe, 00000001.00000002.258282287.00000000063C0000.00000002.00000001.sdmp, explorer.exe, 00000004.00000000.272173937.0000000008B40000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn
Source: i6VD44gIF9.exe, 00000001.00000002.258282287.00000000063C0000.00000002.00000001.sdmp, explorer.exe, 00000004.00000000.272173937.0000000008B40000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: i6VD44gIF9.exe, 00000001.00000002.258282287.00000000063C0000.00000002.00000001.sdmp, explorer.exe, 00000004.00000000.272173937.0000000008B40000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: i6VD44gIF9.exe, 00000001.00000002.258282287.00000000063C0000.00000002.00000001.sdmp, explorer.exe, 00000004.00000000.272173937.0000000008B40000.00000002.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: i6VD44gIF9.exe, 00000001.00000002.258282287.00000000063C0000.00000002.00000001.sdmp, explorer.exe, 00000004.00000000.272173937.0000000008B40000.00000002.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: i6VD44gIF9.exe, 00000001.00000002.258282287.00000000063C0000.00000002.00000001.sdmp, explorer.exe, 00000004.00000000.272173937.0000000008B40000.00000002.00000001.sdmp String found in binary or memory: http://www.goodfont.co.kr
Source: i6VD44gIF9.exe, 00000001.00000002.258282287.00000000063C0000.00000002.00000001.sdmp, explorer.exe, 00000004.00000000.272173937.0000000008B40000.00000002.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 00000004.00000003.554702927.000000000F755000.00000004.00000001.sdmp String found in binary or memory: http://www.listenupfoundation.net
Source: explorer.exe, 00000004.00000003.554702927.000000000F755000.00000004.00000001.sdmp String found in binary or memory: http://www.listenupfoundation.net/67d/
Source: explorer.exe, 00000004.00000003.554702927.000000000F755000.00000004.00000001.sdmp String found in binary or memory: http://www.listenupfoundation.net/67d/www.aone223.com
Source: explorer.exe, 00000004.00000003.554702927.000000000F755000.00000004.00000001.sdmp String found in binary or memory: http://www.listenupfoundation.netReferer:
Source: explorer.exe, 00000004.00000003.554702927.000000000F755000.00000004.00000001.sdmp String found in binary or memory: http://www.lrrestoration.com
Source: explorer.exe, 00000004.00000003.554702927.000000000F755000.00000004.00000001.sdmp String found in binary or memory: http://www.lrrestoration.com/67d/
Source: explorer.exe, 00000004.00000003.554702927.000000000F755000.00000004.00000001.sdmp String found in binary or memory: http://www.lrrestoration.com/67d/www.prospect300.com
Source: explorer.exe, 00000004.00000003.554702927.000000000F755000.00000004.00000001.sdmp String found in binary or memory: http://www.lrrestoration.comReferer:
Source: explorer.exe, 00000004.00000003.554702927.000000000F755000.00000004.00000001.sdmp String found in binary or memory: http://www.naigves.com
Source: explorer.exe, 00000004.00000003.554702927.000000000F755000.00000004.00000001.sdmp String found in binary or memory: http://www.naigves.com/67d/
Source: explorer.exe, 00000004.00000003.554702927.000000000F755000.00000004.00000001.sdmp String found in binary or memory: http://www.naigves.com/67d/www.bim3dstudio.com
Source: explorer.exe, 00000004.00000003.554702927.000000000F755000.00000004.00000001.sdmp String found in binary or memory: http://www.naigves.comReferer:
Source: explorer.exe, 00000004.00000003.554702927.000000000F755000.00000004.00000001.sdmp String found in binary or memory: http://www.prospect300.com
Source: explorer.exe, 00000004.00000003.554702927.000000000F755000.00000004.00000001.sdmp String found in binary or memory: http://www.prospect300.com/67d/
Source: explorer.exe, 00000004.00000003.554702927.000000000F755000.00000004.00000001.sdmp String found in binary or memory: http://www.prospect300.com/67d/www.wakedcma.com
Source: explorer.exe, 00000004.00000003.554702927.000000000F755000.00000004.00000001.sdmp String found in binary or memory: http://www.prospect300.comReferer:
Source: explorer.exe, 00000004.00000003.554702927.000000000F755000.00000004.00000001.sdmp String found in binary or memory: http://www.rjutilities.com
Source: explorer.exe, 00000004.00000003.554702927.000000000F755000.00000004.00000001.sdmp String found in binary or memory: http://www.rjutilities.com/67d/
Source: explorer.exe, 00000004.00000003.554702927.000000000F755000.00000004.00000001.sdmp String found in binary or memory: http://www.rjutilities.comReferer:
Source: explorer.exe, 00000004.00000003.554702927.000000000F755000.00000004.00000001.sdmp String found in binary or memory: http://www.rutharroyo.com
Source: explorer.exe, 00000004.00000003.554702927.000000000F755000.00000004.00000001.sdmp String found in binary or memory: http://www.rutharroyo.com/67d/
Source: explorer.exe, 00000004.00000003.554702927.000000000F755000.00000004.00000001.sdmp String found in binary or memory: http://www.rutharroyo.com/67d/www.lrrestoration.com
Source: explorer.exe, 00000004.00000003.554702927.000000000F755000.00000004.00000001.sdmp String found in binary or memory: http://www.rutharroyo.comReferer:
Source: i6VD44gIF9.exe, 00000001.00000002.258282287.00000000063C0000.00000002.00000001.sdmp, explorer.exe, 00000004.00000000.272173937.0000000008B40000.00000002.00000001.sdmp String found in binary or memory: http://www.sajatypeworks.com
Source: i6VD44gIF9.exe, 00000001.00000002.258282287.00000000063C0000.00000002.00000001.sdmp, explorer.exe, 00000004.00000000.272173937.0000000008B40000.00000002.00000001.sdmp String found in binary or memory: http://www.sakkal.com
Source: i6VD44gIF9.exe, 00000001.00000002.258282287.00000000063C0000.00000002.00000001.sdmp, explorer.exe, 00000004.00000000.272173937.0000000008B40000.00000002.00000001.sdmp String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000004.00000000.272173937.0000000008B40000.00000002.00000001.sdmp String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 00000004.00000003.554702927.000000000F755000.00000004.00000001.sdmp String found in binary or memory: http://www.traeespana.com
Source: explorer.exe, 00000004.00000003.554702927.000000000F755000.00000004.00000001.sdmp String found in binary or memory: http://www.traeespana.com/67d/
Source: explorer.exe, 00000004.00000003.554702927.000000000F755000.00000004.00000001.sdmp String found in binary or memory: http://www.traeespana.com/67d/www.naigves.com
Source: explorer.exe, 00000004.00000003.554702927.000000000F755000.00000004.00000001.sdmp String found in binary or memory: http://www.traeespana.comReferer:
Source: i6VD44gIF9.exe, 00000001.00000002.258282287.00000000063C0000.00000002.00000001.sdmp, explorer.exe, 00000004.00000000.272173937.0000000008B40000.00000002.00000001.sdmp String found in binary or memory: http://www.typography.netD
Source: i6VD44gIF9.exe, 00000001.00000002.258282287.00000000063C0000.00000002.00000001.sdmp, explorer.exe, 00000004.00000000.272173937.0000000008B40000.00000002.00000001.sdmp String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 00000004.00000003.554702927.000000000F755000.00000004.00000001.sdmp String found in binary or memory: http://www.wakedcma.com
Source: explorer.exe, 00000004.00000003.554702927.000000000F755000.00000004.00000001.sdmp String found in binary or memory: http://www.wakedcma.com/67d/
Source: explorer.exe, 00000004.00000003.554702927.000000000F755000.00000004.00000001.sdmp String found in binary or memory: http://www.wakedcma.com/67d/www.brink100.com
Source: explorer.exe, 00000004.00000003.554702927.000000000F755000.00000004.00000001.sdmp String found in binary or memory: http://www.wakedcma.comReferer:
Source: explorer.exe, 00000004.00000003.554702927.000000000F755000.00000004.00000001.sdmp String found in binary or memory: http://www.xn--c1abvlc0ba.xn--p1acf
Source: explorer.exe, 00000004.00000003.554702927.000000000F755000.00000004.00000001.sdmp String found in binary or memory: http://www.xn--c1abvlc0ba.xn--p1acf/67d/
Source: explorer.exe, 00000004.00000003.554702927.000000000F755000.00000004.00000001.sdmp String found in binary or memory: http://www.xn--c1abvlc0ba.xn--p1acf/67d/www.foto-golyh-devushek.com
Source: explorer.exe, 00000004.00000003.554702927.000000000F755000.00000004.00000001.sdmp String found in binary or memory: http://www.xn--c1abvlc0ba.xn--p1acfReferer:
Source: i6VD44gIF9.exe, 00000001.00000002.258282287.00000000063C0000.00000002.00000001.sdmp, explorer.exe, 00000004.00000000.272173937.0000000008B40000.00000002.00000001.sdmp String found in binary or memory: http://www.zhongyicts.com.cn
Source: wscript.exe, 00000010.00000002.587724959.0000000004EBF000.00000004.00000001.sdmp String found in binary or memory: https://foto-golyh-devushek.com/index.php?do=cat&amp;category=67d/
Source: wscript.exe, 00000010.00000002.587724959.0000000004EBF000.00000004.00000001.sdmp String found in binary or memory: https://rutharroyo.com/67d/?JfE=oyc7CizTzO7ijjj/wWVzh0cRX4RS00Us7EuMxb4rLU1twRbhGDkyY

E-Banking Fraud:

Yara detected FormBook

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000003.00000002.302680659.00000000012C0000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000002.302680659.00000000012C0000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000010.00000002.579484886.0000000000E80000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000010.00000002.579484886.0000000000E80000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.255536888.00000000048A2000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.255536888.00000000048A2000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000010.00000002.579024968.0000000000E50000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000010.00000002.579024968.0000000000E50000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.302948394.00000000013D0000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000002.302948394.00000000013D0000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000010.00000002.572103632.0000000000420000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000010.00000002.572103632.0000000000420000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.302477057.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000002.302477057.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.254974295.00000000043C9000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.254974295.00000000043C9000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 3.2.i6VD44gIF9.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 3.2.i6VD44gIF9.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 3.2.i6VD44gIF9.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 3.2.i6VD44gIF9.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.2.i6VD44gIF9.exe.458bd18.1.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.i6VD44gIF9.exe.458bd18.1.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Contains functionality to call native functions
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_00419D50 NtCreateFile, 3_2_00419D50
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_00419E00 NtReadFile, 3_2_00419E00
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_00419E80 NtClose, 3_2_00419E80
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_00419F30 NtAllocateVirtualMemory, 3_2_00419F30
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_00419D4A NtCreateFile, 3_2_00419D4A
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_00419DFA NtReadFile, 3_2_00419DFA
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_00419E4B NtReadFile, 3_2_00419E4B
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_00419E7A NtClose, 3_2_00419E7A
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_00419F2B NtAllocateVirtualMemory, 3_2_00419F2B
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_018A99A0 NtCreateSection,LdrInitializeThunk, 3_2_018A99A0
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_018A9910 NtAdjustPrivilegesToken,LdrInitializeThunk, 3_2_018A9910
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_018A98F0 NtReadVirtualMemory,LdrInitializeThunk, 3_2_018A98F0
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_018A9840 NtDelayExecution,LdrInitializeThunk, 3_2_018A9840
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_018A9860 NtQuerySystemInformation,LdrInitializeThunk, 3_2_018A9860
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_018A9A00 NtProtectVirtualMemory,LdrInitializeThunk, 3_2_018A9A00
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_018A9A20 NtResumeThread,LdrInitializeThunk, 3_2_018A9A20
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_018A9A50 NtCreateFile,LdrInitializeThunk, 3_2_018A9A50
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_018A95D0 NtClose,LdrInitializeThunk, 3_2_018A95D0
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_018A9540 NtReadFile,LdrInitializeThunk, 3_2_018A9540
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_018A9780 NtMapViewOfSection,LdrInitializeThunk, 3_2_018A9780
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_018A97A0 NtUnmapViewOfSection,LdrInitializeThunk, 3_2_018A97A0
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_018A9710 NtQueryInformationToken,LdrInitializeThunk, 3_2_018A9710
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_018A96E0 NtFreeVirtualMemory,LdrInitializeThunk, 3_2_018A96E0
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_018A9660 NtAllocateVirtualMemory,LdrInitializeThunk, 3_2_018A9660
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_018A99D0 NtCreateProcessEx, 3_2_018A99D0
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_018A9950 NtQueueApcThread, 3_2_018A9950
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_018A98A0 NtWriteVirtualMemory, 3_2_018A98A0
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_018A9820 NtEnumerateKey, 3_2_018A9820
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_018AB040 NtSuspendThread, 3_2_018AB040
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_018AA3B0 NtGetContextThread, 3_2_018AA3B0
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_018A9B00 NtSetValueKey, 3_2_018A9B00
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_018A9A80 NtOpenDirectoryObject, 3_2_018A9A80
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_018A9A10 NtQuerySection, 3_2_018A9A10
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_018A95F0 NtQueryInformationFile, 3_2_018A95F0
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_018A9520 NtWaitForSingleObject, 3_2_018A9520
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_018AAD30 NtSetContextThread, 3_2_018AAD30
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_018A9560 NtWriteFile, 3_2_018A9560
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_018A9FE0 NtCreateMutant, 3_2_018A9FE0
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_018AA710 NtOpenProcessToken, 3_2_018AA710
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_018A9730 NtQueryVirtualMemory, 3_2_018A9730
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_018A9760 NtOpenProcess, 3_2_018A9760
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_018AA770 NtOpenThread, 3_2_018AA770
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_018A9770 NtSetInformationFile, 3_2_018A9770
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_018A96D0 NtCreateKey, 3_2_018A96D0
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_018A9610 NtEnumerateValueKey, 3_2_018A9610
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_018A9650 NtQueryValueKey, 3_2_018A9650
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_018A9670 NtQueryInformationProcess, 3_2_018A9670
Source: C:\Windows\SysWOW64\wscript.exe Code function: 16_2_01059910 NtAdjustPrivilegesToken,LdrInitializeThunk, 16_2_01059910
Source: C:\Windows\SysWOW64\wscript.exe Code function: 16_2_010599A0 NtCreateSection,LdrInitializeThunk, 16_2_010599A0
Source: C:\Windows\SysWOW64\wscript.exe Code function: 16_2_01059840 NtDelayExecution,LdrInitializeThunk, 16_2_01059840
Source: C:\Windows\SysWOW64\wscript.exe Code function: 16_2_01059860 NtQuerySystemInformation,LdrInitializeThunk, 16_2_01059860
Source: C:\Windows\SysWOW64\wscript.exe Code function: 16_2_01059A50 NtCreateFile,LdrInitializeThunk, 16_2_01059A50
Source: C:\Windows\SysWOW64\wscript.exe Code function: 16_2_01059540 NtReadFile,LdrInitializeThunk, 16_2_01059540
Source: C:\Windows\SysWOW64\wscript.exe Code function: 16_2_010595D0 NtClose,LdrInitializeThunk, 16_2_010595D0
Source: C:\Windows\SysWOW64\wscript.exe Code function: 16_2_01059710 NtQueryInformationToken,LdrInitializeThunk, 16_2_01059710
Source: C:\Windows\SysWOW64\wscript.exe Code function: 16_2_01059780 NtMapViewOfSection,LdrInitializeThunk, 16_2_01059780
Source: C:\Windows\SysWOW64\wscript.exe Code function: 16_2_01059FE0 NtCreateMutant,LdrInitializeThunk, 16_2_01059FE0
Source: C:\Windows\SysWOW64\wscript.exe Code function: 16_2_01059650 NtQueryValueKey,LdrInitializeThunk, 16_2_01059650
Source: C:\Windows\SysWOW64\wscript.exe Code function: 16_2_01059660 NtAllocateVirtualMemory,LdrInitializeThunk, 16_2_01059660
Source: C:\Windows\SysWOW64\wscript.exe Code function: 16_2_010596D0 NtCreateKey,LdrInitializeThunk, 16_2_010596D0
Source: C:\Windows\SysWOW64\wscript.exe Code function: 16_2_010596E0 NtFreeVirtualMemory,LdrInitializeThunk, 16_2_010596E0
Source: C:\Windows\SysWOW64\wscript.exe Code function: 16_2_01059950 NtQueueApcThread, 16_2_01059950
Source: C:\Windows\SysWOW64\wscript.exe Code function: 16_2_010599D0 NtCreateProcessEx, 16_2_010599D0
Source: C:\Windows\SysWOW64\wscript.exe Code function: 16_2_01059820 NtEnumerateKey, 16_2_01059820
Source: C:\Windows\SysWOW64\wscript.exe Code function: 16_2_0105B040 NtSuspendThread, 16_2_0105B040
Source: C:\Windows\SysWOW64\wscript.exe Code function: 16_2_010598A0 NtWriteVirtualMemory, 16_2_010598A0
Source: C:\Windows\SysWOW64\wscript.exe Code function: 16_2_010598F0 NtReadVirtualMemory, 16_2_010598F0
Source: C:\Windows\SysWOW64\wscript.exe Code function: 16_2_01059B00 NtSetValueKey, 16_2_01059B00
Source: C:\Windows\SysWOW64\wscript.exe Code function: 16_2_0105A3B0 NtGetContextThread, 16_2_0105A3B0
Source: C:\Windows\SysWOW64\wscript.exe Code function: 16_2_01059A00 NtProtectVirtualMemory, 16_2_01059A00
Source: C:\Windows\SysWOW64\wscript.exe Code function: 16_2_01059A10 NtQuerySection, 16_2_01059A10
Source: C:\Windows\SysWOW64\wscript.exe Code function: 16_2_01059A20 NtResumeThread, 16_2_01059A20
Source: C:\Windows\SysWOW64\wscript.exe Code function: 16_2_01059A80 NtOpenDirectoryObject, 16_2_01059A80
Source: C:\Windows\SysWOW64\wscript.exe Code function: 16_2_01059520 NtWaitForSingleObject, 16_2_01059520
Source: C:\Windows\SysWOW64\wscript.exe Code function: 16_2_0105AD30 NtSetContextThread, 16_2_0105AD30
Source: C:\Windows\SysWOW64\wscript.exe Code function: 16_2_01059560 NtWriteFile, 16_2_01059560
Source: C:\Windows\SysWOW64\wscript.exe Code function: 16_2_010595F0 NtQueryInformationFile, 16_2_010595F0
Source: C:\Windows\SysWOW64\wscript.exe Code function: 16_2_0105A710 NtOpenProcessToken, 16_2_0105A710
Source: C:\Windows\SysWOW64\wscript.exe Code function: 16_2_01059730 NtQueryVirtualMemory, 16_2_01059730
Source: C:\Windows\SysWOW64\wscript.exe Code function: 16_2_01059760 NtOpenProcess, 16_2_01059760
Source: C:\Windows\SysWOW64\wscript.exe Code function: 16_2_0105A770 NtOpenThread, 16_2_0105A770
Source: C:\Windows\SysWOW64\wscript.exe Code function: 16_2_01059770 NtSetInformationFile, 16_2_01059770
Source: C:\Windows\SysWOW64\wscript.exe Code function: 16_2_010597A0 NtUnmapViewOfSection, 16_2_010597A0
Source: C:\Windows\SysWOW64\wscript.exe Code function: 16_2_01059610 NtEnumerateValueKey, 16_2_01059610
Source: C:\Windows\SysWOW64\wscript.exe Code function: 16_2_01059670 NtQueryInformationProcess, 16_2_01059670
Source: C:\Windows\SysWOW64\wscript.exe Code function: 16_2_00439D50 NtCreateFile, 16_2_00439D50
Source: C:\Windows\SysWOW64\wscript.exe Code function: 16_2_00439E00 NtReadFile, 16_2_00439E00
Source: C:\Windows\SysWOW64\wscript.exe Code function: 16_2_00439E80 NtClose, 16_2_00439E80
Source: C:\Windows\SysWOW64\wscript.exe Code function: 16_2_00439F30 NtAllocateVirtualMemory, 16_2_00439F30
Source: C:\Windows\SysWOW64\wscript.exe Code function: 16_2_00439D4A NtCreateFile, 16_2_00439D4A
Source: C:\Windows\SysWOW64\wscript.exe Code function: 16_2_00439DFA NtReadFile, 16_2_00439DFA
Source: C:\Windows\SysWOW64\wscript.exe Code function: 16_2_00439E4B NtReadFile, 16_2_00439E4B
Source: C:\Windows\SysWOW64\wscript.exe Code function: 16_2_00439E7A NtClose, 16_2_00439E7A
Source: C:\Windows\SysWOW64\wscript.exe Code function: 16_2_00439F2B NtAllocateVirtualMemory, 16_2_00439F2B
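The native-call list above contains two stub families in each process: one in the 0x0041xxxx range of process 3 (0x0043xxxx in process 16), i.e. inside the unpacked payload image that the Yara rules match at 0x400000 and 0x420000, and a second one at 0x018A9xxx in process 3 that reappears at 0x01059xxx in process 16 with every API shifted by the same constant, which is what one copy of the code mapped at two different bases looks like. The Python script below is an added example by the editor, not part of the Joe Sandbox report or of the sample: it parses lines in this report's "Code function" format, groups the Nt* references per process, checks whether a process holds the target/allocate/write/execute chain behind the injection signatures the report raises, and recovers the relocation delta between the two processes. The regular expression, the stage mapping and the user-space threshold are this example's assumptions; the input lines are copied verbatim from the list above.

```python
import re
from collections import Counter, defaultdict

# Constructed input: "Code function" lines copied from this report
# (process 3 = the respawned i6VD44gIF9.exe, process 16 = wscript.exe).
SAMPLE_LINES = r"""
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_00419D50 NtCreateFile, 3_2_00419D50
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_00419E00 NtReadFile, 3_2_00419E00
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_00419E80 NtClose, 3_2_00419E80
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_00419F30 NtAllocateVirtualMemory, 3_2_00419F30
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_018A99A0 NtCreateSection,LdrInitializeThunk, 3_2_018A99A0
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_018A9A00 NtProtectVirtualMemory,LdrInitializeThunk, 3_2_018A9A00
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_018A9A20 NtResumeThread,LdrInitializeThunk, 3_2_018A9A20
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_018A9780 NtMapViewOfSection,LdrInitializeThunk, 3_2_018A9780
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_018A97A0 NtUnmapViewOfSection,LdrInitializeThunk, 3_2_018A97A0
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_018A9660 NtAllocateVirtualMemory,LdrInitializeThunk, 3_2_018A9660
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_018A99D0 NtCreateProcessEx, 3_2_018A99D0
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_018A9950 NtQueueApcThread, 3_2_018A9950
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_018A98A0 NtWriteVirtualMemory, 3_2_018A98A0
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_018AAD30 NtSetContextThread, 3_2_018AAD30
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_018A9760 NtOpenProcess, 3_2_018A9760
Source: C:\Windows\SysWOW64\wscript.exe Code function: 16_2_010599A0 NtCreateSection,LdrInitializeThunk, 16_2_010599A0
Source: C:\Windows\SysWOW64\wscript.exe Code function: 16_2_01059780 NtMapViewOfSection,LdrInitializeThunk, 16_2_01059780
Source: C:\Windows\SysWOW64\wscript.exe Code function: 16_2_01059660 NtAllocateVirtualMemory,LdrInitializeThunk, 16_2_01059660
Source: C:\Windows\SysWOW64\wscript.exe Code function: 16_2_01059950 NtQueueApcThread, 16_2_01059950
Source: C:\Windows\SysWOW64\wscript.exe Code function: 16_2_010599D0 NtCreateProcessEx, 16_2_010599D0
Source: C:\Windows\SysWOW64\wscript.exe Code function: 16_2_010598A0 NtWriteVirtualMemory, 16_2_010598A0
Source: C:\Windows\SysWOW64\wscript.exe Code function: 16_2_01059A00 NtProtectVirtualMemory, 16_2_01059A00
Source: C:\Windows\SysWOW64\wscript.exe Code function: 16_2_01059A20 NtResumeThread, 16_2_01059A20
Source: C:\Windows\SysWOW64\wscript.exe Code function: 16_2_0105AD30 NtSetContextThread, 16_2_0105AD30
Source: C:\Windows\SysWOW64\wscript.exe Code function: 16_2_01059760 NtOpenProcess, 16_2_01059760
Source: C:\Windows\SysWOW64\wscript.exe Code function: 16_2_010597A0 NtUnmapViewOfSection, 16_2_010597A0
Source: C:\Windows\SysWOW64\wscript.exe Code function: 16_2_00439D50 NtCreateFile, 16_2_00439D50
Source: C:\Windows\SysWOW64\wscript.exe Code function: 16_2_00439E00 NtReadFile, 16_2_00439E00
Source: C:\Windows\SysWOW64\wscript.exe Code function: 16_2_00439E80 NtClose, 16_2_00439E80
Source: C:\Windows\SysWOW64\wscript.exe Code function: 16_2_00439F30 NtAllocateVirtualMemory, 16_2_00439F30
""".strip().splitlines()

# Assumed line shape: "Source: <image> Code function: <pid>_<run>_<addr> <api>[,<api>...], <pid>_<run>_<addr>"
LINE_RE = re.compile(
    r"^Source: (?P<image>\S+) Code function: "
    r"(?P<pid>\d+)_\d+_(?P<addr>[0-9A-Fa-f]{8}) "
    r"(?P<apis>[A-Za-z0-9_,]+?),?\s+\d+_\d+_[0-9A-Fa-f]{8}$"
)

# Assumed mapping of native calls onto the steps of a write-and-run injection.
INJECTION_STAGES = {
    "target":   {"NtOpenProcess", "NtCreateProcessEx"},
    "allocate": {"NtAllocateVirtualMemory", "NtCreateSection"},
    "write":    {"NtWriteVirtualMemory", "NtMapViewOfSection"},
    "protect":  {"NtProtectVirtualMemory"},
    "execute":  {"NtQueueApcThread", "NtSetContextThread", "NtResumeThread"},
}


def parse_native_calls(lines):
    """Return {pid: {api: set(addresses)}} for every Nt*/Zw* reference."""
    calls = defaultdict(lambda: defaultdict(set))
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        pid, addr = int(m["pid"]), int(m["addr"], 16)
        for api in m["apis"].split(","):
            if api.startswith(("Nt", "Zw")):
                calls[pid][api].add(addr)
    return calls


def injection_stages(api_map):
    """Which steps of the injection sequence does one process implement?"""
    present = set(api_map)
    return [stage for stage, apis in INJECTION_STAGES.items() if present & apis]


def is_injection_capable(api_map):
    """True when target, allocate, write and execute primitives are all present."""
    return {"target", "allocate", "write", "execute"} <= set(injection_stages(api_map))


def relocation_deltas(calls, pid_a, pid_b):
    """Count addr_in_b - addr_in_a over every API both processes reference.
    Code copied between the processes shows up as one delta hit many times;
    unrelated stubs that happen to share an API name only add one-off values."""
    deltas = Counter()
    for api in set(calls[pid_a]) & set(calls[pid_b]):
        for a in calls[pid_a][api]:
            for b in calls[pid_b][api]:
                deltas[b - a] += 1
    return deltas


def shared_images(calls, pid_a, pid_b, min_hits=3):
    """Relocation deltas seen at least min_hits times, most frequent first."""
    deltas = relocation_deltas(calls, pid_a, pid_b)
    ranked = sorted(deltas.items(), key=lambda kv: (-kv[1], kv[0]))
    return [delta for delta, hits in ranked if hits >= min_hits]


if __name__ == "__main__":
    calls = parse_native_calls(SAMPLE_LINES)
    for pid, api_map in sorted(calls.items()):
        print(pid, injection_stages(api_map), "injection-capable:", is_injection_capable(api_map))
    for delta in shared_images(calls, 3, 16):
        print(f"same code in both processes, relocated by {delta:+#x}")
```

Run against the lines above, both processes come out injection-capable, and two deltas dominate: -0x850000 (the 0x018A9xxx stubs of process 3 against the 0x01059xxx stubs of process 16) and +0x20000 (the 0x0041xxxx image stubs against their 0x0043xxxx copies). A single process with the whole chain is the signal to look for in an EDR memory scan; the constant delta is the quick way to confirm that the code in wscript.exe is the payload from process 3 rather than something wscript.exe loaded itself.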
Detected potential crypto function
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 1_2_0197C2A4 1_2_0197C2A4
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 1_2_0197E670 1_2_0197E670
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 1_2_0197E66A 1_2_0197E66A
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 1_2_059656B0 1_2_059656B0
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 1_2_0596C678 1_2_0596C678
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 1_2_0596836B 1_2_0596836B
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 1_2_05969210 1_2_05969210
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 1_2_05963BC8 1_2_05963BC8
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 1_2_0596A5F7 1_2_0596A5F7
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 1_2_0596C45B 1_2_0596C45B
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 1_2_0596A608 1_2_0596A608
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 1_2_0596920A 1_2_0596920A
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 1_2_07D641BB 1_2_07D641BB
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 1_2_07D61E68 1_2_07D61E68
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 1_2_07D622E5 1_2_07D622E5
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_00401030 3_2_00401030
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_0041E038 3_2_0041E038
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_0041D1B2 3_2_0041D1B2
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_004012FC 3_2_004012FC
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_0041E2A2 3_2_0041E2A2
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_00402D90 3_2_00402D90
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_00409E2C 3_2_00409E2C
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_00409E30 3_2_00409E30
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_0041E7AC 3_2_0041E7AC
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_00402FB0 3_2_00402FB0
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_018899BF 3_2_018899BF
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_0186F900 3_2_0186F900
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_01884120 3_2_01884120
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_0187B090 3_2_0187B090
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_018920A0 3_2_018920A0
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_019320A8 3_2_019320A8
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_019328EC 3_2_019328EC
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_01921002 3_2_01921002
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_0193E824 3_2_0193E824
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_0188A830 3_2_0188A830
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_0189EBB0 3_2_0189EBB0
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_0192DBD2 3_2_0192DBD2
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_019203DA 3_2_019203DA
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_0189ABD8 3_2_0189ABD8
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_019123E3 3_2_019123E3
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_0188A309 3_2_0188A309
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_01932B28 3_2_01932B28
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_0188AB40 3_2_0188AB40
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_0190CB4F 3_2_0190CB4F
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_019322AE 3_2_019322AE
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_01924AEF 3_2_01924AEF
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_0191FA2B 3_2_0191FA2B
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_01892581 3_2_01892581
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_01922D82 3_2_01922D82
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_019325DD 3_2_019325DD
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_0187D5E0 3_2_0187D5E0
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_01932D07 3_2_01932D07
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_01860D20 3_2_01860D20
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_01931D55 3_2_01931D55
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_01924496 3_2_01924496
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_0187841F 3_2_0187841F
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_0192D466 3_2_0192D466
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_0188B477 3_2_0188B477
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_0193DFCE 3_2_0193DFCE
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_01931FF1 3_2_01931FF1
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_01932EF7 3_2_01932EF7
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_0192D616 3_2_0192D616
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_01886E30 3_2_01886E30
Source: C:\Windows\SysWOW64\wscript.exe Code function: 16_2_0101F900 16_2_0101F900
Source: C:\Windows\SysWOW64\wscript.exe Code function: 16_2_01034120 16_2_01034120
Source: C:\Windows\SysWOW64\wscript.exe Code function: 16_2_010399BF 16_2_010399BF
Source: C:\Windows\SysWOW64\wscript.exe Code function: 16_2_010D1002 16_2_010D1002
Source: C:\Windows\SysWOW64\wscript.exe Code function: 16_2_010EE824 16_2_010EE824
Source: C:\Windows\SysWOW64\wscript.exe Code function: 16_2_0103A830 16_2_0103A830
Source: C:\Windows\SysWOW64\wscript.exe Code function: 16_2_0102B090 16_2_0102B090
Source: C:\Windows\SysWOW64\wscript.exe Code function: 16_2_010420A0 16_2_010420A0
Source: C:\Windows\SysWOW64\wscript.exe Code function: 16_2_010E20A8 16_2_010E20A8
Source: C:\Windows\SysWOW64\wscript.exe Code function: 16_2_010E28EC 16_2_010E28EC
Source: C:\Windows\SysWOW64\wscript.exe Code function: 16_2_0103A309 16_2_0103A309
Source: C:\Windows\SysWOW64\wscript.exe Code function: 16_2_010E2B28 16_2_010E2B28
Source: C:\Windows\SysWOW64\wscript.exe Code function: 16_2_0103AB40 16_2_0103AB40
Source: C:\Windows\SysWOW64\wscript.exe Code function: 16_2_010BCB4F 16_2_010BCB4F
Source: C:\Windows\SysWOW64\wscript.exe Code function: 16_2_0104138B 16_2_0104138B
Source: C:\Windows\SysWOW64\wscript.exe Code function: 16_2_0104EBB0 16_2_0104EBB0
Source: C:\Windows\SysWOW64\wscript.exe Code function: 16_2_010D03DA 16_2_010D03DA
Source: C:\Windows\SysWOW64\wscript.exe Code function: 16_2_0104ABD8 16_2_0104ABD8
Source: C:\Windows\SysWOW64\wscript.exe Code function: 16_2_010DDBD2 16_2_010DDBD2
Source: C:\Windows\SysWOW64\wscript.exe Code function: 16_2_010C23E3 16_2_010C23E3
Source: C:\Windows\SysWOW64\wscript.exe Code function: 16_2_010CFA2B 16_2_010CFA2B
Source: C:\Windows\SysWOW64\wscript.exe Code function: 16_2_0103B236 16_2_0103B236
Source: C:\Windows\SysWOW64\wscript.exe Code function: 16_2_010E22AE 16_2_010E22AE
Source: C:\Windows\SysWOW64\wscript.exe Code function: 16_2_010D4AEF 16_2_010D4AEF
Source: C:\Windows\SysWOW64\wscript.exe Code function: 16_2_010E2D07 16_2_010E2D07
Source: C:\Windows\SysWOW64\wscript.exe Code function: 16_2_01010D20 16_2_01010D20
Source: C:\Windows\SysWOW64\wscript.exe Code function: 16_2_010E1D55 16_2_010E1D55
Source: C:\Windows\SysWOW64\wscript.exe Code function: 16_2_01042581 16_2_01042581
Source: C:\Windows\SysWOW64\wscript.exe Code function: 16_2_010D2D82 16_2_010D2D82
Source: C:\Windows\SysWOW64\wscript.exe Code function: 16_2_010E25DD 16_2_010E25DD
Source: C:\Windows\SysWOW64\wscript.exe Code function: 16_2_0102D5E0 16_2_0102D5E0
Source: C:\Windows\SysWOW64\wscript.exe Code function: 16_2_0102841F 16_2_0102841F
Source: C:\Windows\SysWOW64\wscript.exe Code function: 16_2_010DD466 16_2_010DD466
Source: C:\Windows\SysWOW64\wscript.exe Code function: 16_2_0103B477 16_2_0103B477
Source: C:\Windows\SysWOW64\wscript.exe Code function: 16_2_010D4496 16_2_010D4496
Source: C:\Windows\SysWOW64\wscript.exe Code function: 16_2_010EDFCE 16_2_010EDFCE
Source: C:\Windows\SysWOW64\wscript.exe Code function: 16_2_010E1FF1 16_2_010E1FF1
Source: C:\Windows\SysWOW64\wscript.exe Code function: 16_2_010DD616 16_2_010DD616
Source: C:\Windows\SysWOW64\wscript.exe Code function: 16_2_01036E30 16_2_01036E30
Source: C:\Windows\SysWOW64\wscript.exe Code function: 16_2_010E2EF7 16_2_010E2EF7
Source: C:\Windows\SysWOW64\wscript.exe Code function: 16_2_0043E038 16_2_0043E038
Source: C:\Windows\SysWOW64\wscript.exe Code function: 16_2_0043D1B2 16_2_0043D1B2
Source: C:\Windows\SysWOW64\wscript.exe Code function: 16_2_0043E2A2 16_2_0043E2A2
Source: C:\Windows\SysWOW64\wscript.exe Code function: 16_2_00422D90 16_2_00422D90
Source: C:\Windows\SysWOW64\wscript.exe Code function: 16_2_00429E2C 16_2_00429E2C
Source: C:\Windows\SysWOW64\wscript.exe Code function: 16_2_00429E30 16_2_00429E30
Source: C:\Windows\SysWOW64\wscript.exe Code function: 16_2_0043E7AC 16_2_0043E7AC
Source: C:\Windows\SysWOW64\wscript.exe Code function: 16_2_00422FB0 16_2_00422FB0
Found potential string decryption / allocating functions
Source: C:\Windows\SysWOW64\wscript.exe Code function: String function: 0101B150 appears 136 times
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: String function: 0186B150 appears 136 times
Sample file is different than original file name gathered from version info
Source: i6VD44gIF9.exe, 00000001.00000000.213046421.0000000001018000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameVI vs i6VD44gIF9.exe
Source: i6VD44gIF9.exe, 00000003.00000002.303490204.0000000001AEF000.00000040.00000001.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs i6VD44gIF9.exe
Source: i6VD44gIF9.exe, 00000003.00000002.304648178.00000000035E0000.00000040.00000001.sdmp Binary or memory string: OriginalFilenamewscript.exe` vs i6VD44gIF9.exe
Source: i6VD44gIF9.exe, 00000003.00000002.302603743.0000000000E38000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameVI vs i6VD44gIF9.exe
Source: i6VD44gIF9.exe Binary or memory string: OriginalFilenameVI vs i6VD44gIF9.exe
Uses 32bit PE files
Source: i6VD44gIF9.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Yara signature match
Source: 00000003.00000002.302680659.00000000012C0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000002.302680659.00000000012C0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000010.00000002.579484886.0000000000E80000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000010.00000002.579484886.0000000000E80000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.255536888.00000000048A2000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.255536888.00000000048A2000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000010.00000002.579024968.0000000000E50000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000010.00000002.579024968.0000000000E50000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000002.302948394.00000000013D0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000002.302948394.00000000013D0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000010.00000002.572103632.0000000000420000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000010.00000002.572103632.0000000000420000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000002.302477057.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000002.302477057.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.254974295.00000000043C9000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.254974295.00000000043C9000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 3.2.i6VD44gIF9.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 3.2.i6VD44gIF9.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 3.2.i6VD44gIF9.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 3.2.i6VD44gIF9.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.i6VD44gIF9.exe.458bd18.1.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.2.i6VD44gIF9.exe.458bd18.1.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: i6VD44gIF9.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: classification engine Classification label: mal100.troj.evad.winEXE@7/1@5/4
Source: C:\Users\user\Desktop\i6VD44gIF9.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\i6VD44gIF9.exe.log
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6624:120:WilError_01
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: i6VD44gIF9.exe Virustotal: Detection: 32%
Source: i6VD44gIF9.exe ReversingLabs: Detection: 31%
Source: unknown Process created: C:\Users\user\Desktop\i6VD44gIF9.exe 'C:\Users\user\Desktop\i6VD44gIF9.exe'
Source: unknown Process created: C:\Users\user\Desktop\i6VD44gIF9.exe {path}
Source: unknown Process created: C:\Windows\SysWOW64\wscript.exe C:\Windows\SysWOW64\wscript.exe
Source: unknown Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\i6VD44gIF9.exe'
Source: unknown Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Process created: C:\Users\user\Desktop\i6VD44gIF9.exe {path}
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\i6VD44gIF9.exe'
Source: C:\Windows\explorer.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{317D06E8-5F24-433D-BDF7-79CE68D8ABC2}\InProcServer32
Source: C:\Users\user\Desktop\i6VD44gIF9.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
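The "Process created" lines above are the whole visible process chain: the sample starts a second copy of its own image (the command line is redacted to {path} by the sandbox), and later a wscript.exe host runs cmd.exe /c del against the dropper. The following Python is an added example, not part of the Joe Sandbox report or its tooling: it parses lines in exactly the format printed above (copied into the script as constructed sample input), rebuilds the parent/child relationships and flags those two behaviours. The function and field names are the example's own.

```python
import re
from collections import defaultdict

# Constructed sample input: the "Process created" evidence lines from this report,
# copied verbatim (the last two as exported from the HTML report, with the link
# caption still attached). The sandbox lists a process once with parent "unknown"
# and, where it observed the CreateProcess call itself, again with the real parent.
EVIDENCE = r"""
Source: unknown Process created: C:\Users\user\Desktop\i6VD44gIF9.exe 'C:\Users\user\Desktop\i6VD44gIF9.exe'
Source: unknown Process created: C:\Users\user\Desktop\i6VD44gIF9.exe {path}
Source: unknown Process created: C:\Windows\SysWOW64\wscript.exe C:\Windows\SysWOW64\wscript.exe
Source: unknown Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\i6VD44gIF9.exe'
Source: unknown Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Process created: C:\Users\user\Desktop\i6VD44gIF9.exe {path} Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\i6VD44gIF9.exe' Jump to behavior
"""

LINE_RE = re.compile(
    r"^Source: (?P<parent>.+?) Process created: (?P<image>\S+)(?: (?P<cmdline>.*))?$"
)
LINK_SUFFIX = " Jump to behavior"   # hyperlink caption left over from the HTML report


def parse_process_events(text):
    """Return (parent, image, cmdline) for every 'Process created' line."""
    events = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith(LINK_SUFFIX):
            line = line[: -len(LINK_SUFFIX)]
        m = LINE_RE.match(line)
        if m:
            events.append((m["parent"], m["image"], m["cmdline"] or ""))
    return events


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def process_tree(events):
    """Map each child image to the parent images observed launching it."""
    tree = defaultdict(set)
    for parent, image, _ in events:
        if parent != "unknown":
            tree[image].add(parent)
    return dict(tree)


def triage(events, sample_path):
    """Flag the two behaviours visible in this process chain.

    self_relaunch: the sample spawns a second copy of its own image; together with
                   the 'Creates a process in suspended mode' and 'process hollowing'
                   signatures this is the child the payload is written into.
    self_delete:   cmd.exe is started with '/c del <sample path>', i.e. the dropper
                   removes itself once the payload runs elsewhere (here the parent
                   is wscript.exe).
    """
    sample = basename(sample_path)
    findings = set()
    for parent, image, cmdline in events:
        if parent == "unknown":
            continue  # the same events re-appear with their observed parent
        if basename(parent) == basename(image):
            findings.add(("self_relaunch", parent, image))
        if basename(image) == "cmd.exe" and re.search(r"\bdel\b", cmdline, re.I) \
                and sample in cmdline.lower():
            findings.add(("self_delete", parent, cmdline))
    return sorted(findings)


if __name__ == "__main__":
    ev = parse_process_events(EVIDENCE)
    for kind, who, what in triage(ev, r"C:\Users\user\Desktop\i6VD44gIF9.exe"):
        print(f"{kind:14} {who} -> {what}")
```

The "unknown" parent entries are skipped during triage because every CreateProcess the sandbox attributed to a parent is listed a second time with that parent; on a report that only carries "unknown" lines, drop that guard and accept a noisier result.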
Source: i6VD44gIF9.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: i6VD44gIF9.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: wscript.pdbGCTL source: i6VD44gIF9.exe, 00000003.00000002.304648178.00000000035E0000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdbUGP source: i6VD44gIF9.exe, 00000003.00000002.303278016.000000000195F000.00000040.00000001.sdmp, wscript.exe, 00000010.00000002.580663492.0000000000FF0000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: i6VD44gIF9.exe, wscript.exe
Source: Binary string: wscript.pdb source: i6VD44gIF9.exe, 00000003.00000002.304648178.00000000035E0000.00000040.00000001.sdmp

Data Obfuscation:

Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 1_2_05969022 push esp; ret 1_2_059690B9
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 1_2_0596C203 push E801005Eh; ret 1_2_0596C209
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 1_2_07D67B25 push FFFFFF8Bh; iretd 1_2_07D67B27
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 1_2_07D67A2B push dword ptr [ebx+ebp-75h]; iretd 1_2_07D67A35
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_004168C9 push edi; ret 3_2_00416941
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_00416927 push edi; ret 3_2_00416941
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_00413A69 push ecx; ret 3_2_00413A6D
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_0041CEF2 push eax; ret 3_2_0041CEF8
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_0041CEFB push eax; ret 3_2_0041CF62
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_0041CEA5 push eax; ret 3_2_0041CEF8
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_0041CF5C push eax; ret 3_2_0041CF62
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_00416786 push ecx; retf 3_2_00416798
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_018BD0D1 push ecx; ret 3_2_018BD0E4
Source: C:\Windows\SysWOW64\wscript.exe Code function: 16_2_0106D0D1 push ecx; ret 16_2_0106D0E4
Source: C:\Windows\SysWOW64\wscript.exe Code function: 16_2_004368C9 push edi; ret 16_2_00436941
Source: C:\Windows\SysWOW64\wscript.exe Code function: 16_2_00436927 push edi; ret 16_2_00436941
Source: C:\Windows\SysWOW64\wscript.exe Code function: 16_2_00433A69 push ecx; ret 16_2_00433A6D
Source: C:\Windows\SysWOW64\wscript.exe Code function: 16_2_0043CEF2 push eax; ret 16_2_0043CEF8
Source: C:\Windows\SysWOW64\wscript.exe Code function: 16_2_0043CEFB push eax; ret 16_2_0043CF62
Source: C:\Windows\SysWOW64\wscript.exe Code function: 16_2_0043CEA5 push eax; ret 16_2_0043CEF8
Source: C:\Windows\SysWOW64\wscript.exe Code function: 16_2_0043CF5C push eax; ret 16_2_0043CF62
Source: C:\Windows\SysWOW64\wscript.exe Code function: 16_2_00436786 push ecx; retf 16_2_00436798
Source: initial sample Static PE information: section name: .text entropy: 7.97874998491

Hooking and other Techniques for Hiding and Protection:

Modifies the prolog of user mode functions (user mode inline hooks)
Source: explorer.exe User mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x8E 0xEE 0xE7
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\i6VD44gIF9.exe RDTSC instruction interceptor: First address: 00000000004098E4 second address: 00000000004098EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\i6VD44gIF9.exe RDTSC instruction interceptor: First address: 0000000000409B4E second address: 0000000000409B54 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\wscript.exe RDTSC instruction interceptor: First address: 00000000004298E4 second address: 00000000004298EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\wscript.exe RDTSC instruction interceptor: First address: 0000000000429B4E second address: 0000000000429B54 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_00409A80 rdtsc 3_2_00409A80
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Thread delayed: delay time: 922337203685477
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\i6VD44gIF9.exe TID: 2792 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\explorer.exe TID: 6948 Thread sleep count: 45 > 30
Source: C:\Windows\explorer.exe TID: 6948 Thread sleep time: -90000s >= -30000s
Source: C:\Windows\SysWOW64\wscript.exe TID: 6444 Thread sleep time: -90000s >= -30000s
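The RDTSC listings and the sleep lines above are the concrete evidence behind the "RDTSC time measurements", "long sleeps" and "evasive loops" signatures. As an added example (not code from the report or from Joe Sandbox), the Python below parses both kinds of line in the format shown here, treats the value 922337203685477 as the largest representable delay, and checks that the two rdtsc reads at 4098E4 and 4098EA are separated only by register arithmetic, which is what makes the pair a timing probe. The reading of 922337203685477 as floor(INT64_MAX / 10^4), the 32-byte window and the flag names are the example's own assumptions.

```python
import re

# Constructed sample input: the evasion evidence lines from this report, verbatim.
SLEEP_LINES = [
    r"Source: C:\Users\user\Desktop\i6VD44gIF9.exe TID: 2792 Thread sleep time: -922337203685477s >= -30000s",
    r"Source: C:\Windows\explorer.exe TID: 6948 Thread sleep count: 45 > 30",
    r"Source: C:\Windows\explorer.exe TID: 6948 Thread sleep time: -90000s >= -30000s",
    r"Source: C:\Windows\SysWOW64\wscript.exe TID: 6444 Thread sleep time: -90000s >= -30000s",
]
RDTSC_LINE = (r"Source: C:\Users\user\Desktop\i6VD44gIF9.exe RDTSC instruction interceptor: "
              "First address: 00000000004098E4 second address: 00000000004098EA instructions: "
              "0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc")

# Assumption (not stated on the page): NtDelayExecution takes a negative relative
# interval in 100 ns units and the sandbox prints its magnitude divided by 10**4,
# so the largest representable delay surfaces as floor(INT64_MAX / 10**4).
MAX_DELAY_SENTINEL = (2**63 - 1) // 10**4      # == 922337203685477
LINK_SUFFIX = " Jump to behavior"               # hyperlink caption from the HTML report

SLEEP_RE = re.compile(
    r"^Source: (?P<proc>.+?) TID: (?P<tid>\d+) Thread sleep (?P<kind>time|count): "
    r"(?P<value>-?\d+)s? (?P<op>>=|>) (?P<limit>-?\d+)s?$"
)
RDTSC_RE = re.compile(
    r"First address: (?P<first>[0-9A-Fa-f]+) second address: (?P<second>[0-9A-Fa-f]+) "
    r"instructions: (?P<listing>.*)$"
)


def _clean(line):
    line = line.strip()
    return line[:-len(LINK_SUFFIX)] if line.endswith(LINK_SUFFIX) else line


def parse_sleep_line(line):
    """Decode one 'Thread sleep time/count' line; None if it is not one."""
    m = SLEEP_RE.match(_clean(line))
    if not m:
        return None
    value, limit = abs(int(m["value"])), abs(int(m["limit"]))
    return {
        "proc": m["proc"], "tid": int(m["tid"]), "kind": m["kind"],
        "value": value, "limit": limit,
        # the sign is only the relative-interval convention; compare magnitudes
        "exceeds": value >= limit if m["op"] == ">=" else value > limit,
        "unbounded": m["kind"] == "time" and value >= MAX_DELAY_SENTINEL,
    }


def classify_sleeps(lines):
    """Per process: which sleep-based evasion flags the evidence supports."""
    flags = {}
    for line in lines:
        s = parse_sleep_line(line)
        if s is None or not s["exceeds"]:
            continue
        f = flags.setdefault(s["proc"], set())
        f.add("long_sleep" if s["kind"] == "time" else "sleep_loop")
        if s["unbounded"]:
            f.add("unbounded_sleep")   # sleeps 'forever' unless the sandbox shortens it
    return flags


def analyze_rdtsc_line(line, window=32):
    """Check whether two rdtsc reads form a timing probe.

    In the listing above 'xor ecx, ecx; add ecx, eax' stashes the low dword of the
    first timestamp in ecx; after the second rdtsc, eax - ecx is the cycle count the
    empty gap took. On bare metal that is tens of cycles; a hypervisor trapping
    rdtsc or a single-stepping debugger inflates it by orders of magnitude.
    """
    m = RDTSC_RE.search(_clean(line))
    if not m:
        return None
    span = int(m["second"], 16) - int(m["first"], 16)
    insns = [t.strip() for t in re.split(r"0x[0-9A-Fa-f]{8}", m["listing"]) if t.strip()]
    reads = [i for i, ins in enumerate(insns) if ins == "rdtsc"]
    between = insns[reads[0] + 1:reads[1]] if len(reads) >= 2 else insns
    transfers = {"call", "jmp", "int", "syscall", "sysenter"}   # would do real work in the gap
    is_check = (len(reads) >= 2 and 0 < span <= window
                and not any(ins.split()[0] in transfers for ins in between))
    return {"byte_span": span, "between": between, "is_timing_check": is_check}


if __name__ == "__main__":
    print(classify_sleeps(SLEEP_LINES))
    print(analyze_rdtsc_line(RDTSC_LINE))
```

The same two rdtsc reads appear in wscript.exe at 4298E4 and 4298EA, 0x20000 bytes higher than in the sample's own process; feeding that line to analyze_rdtsc_line gives the identical 6-byte span, which is a cheap way to confirm the hollowed host is running the same payload code.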
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\explorer.exe Last function: Thread delayed
Source: explorer.exe, 00000004.00000000.271659955.000000000871F000.00000004.00000001.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: explorer.exe, 00000004.00000000.271659955.000000000871F000.00000004.00000001.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000:
Source: explorer.exe, 00000004.00000000.271504392.0000000008640000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000004.00000000.269217609.0000000008220000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: explorer.exe, 00000004.00000000.266857086.00000000055D0000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}V*(E
Source: explorer.exe, 00000004.00000000.271659955.000000000871F000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}~
Source: explorer.exe, 00000004.00000000.271659955.000000000871F000.00000004.00000001.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
Source: explorer.exe, 00000004.00000000.271748363.00000000087D1000.00000004.00000001.sdmp Binary or memory string: VMware SATA CD00ices
Source: explorer.exe, 00000004.00000003.556541732.0000000005603000.00000004.00000001.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b},
Source: explorer.exe, 00000004.00000000.269217609.0000000008220000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: explorer.exe, 00000004.00000003.555388584.00000000056A1000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllta\Local\Microsoft\Windows\Explorer\iconcache_exif.db
Source: explorer.exe, 00000004.00000000.269217609.0000000008220000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: explorer.exe, 00000004.00000000.269217609.0000000008220000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Process information queried: ProcessInformation

Anti Debugging:

Checks if the current process is being debugged
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\wscript.exe Process queried: DebugPort
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_00409A80 rdtsc 3_2_00409A80
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_0040ACC0 LdrLoadDll, 3_2_0040ACC0
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_0188C182 mov eax, dword ptr fs:[00000030h] 3_2_0188C182
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_0189A185 mov eax, dword ptr fs:[00000030h] 3_2_0189A185
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_01892990 mov eax, dword ptr fs:[00000030h] 3_2_01892990
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_018E69A6 mov eax, dword ptr fs:[00000030h] 3_2_018E69A6
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_018961A0 mov eax, dword ptr fs:[00000030h] 3_2_018961A0
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_018E51BE mov eax, dword ptr fs:[00000030h] 3_2_018E51BE
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_019249A4 mov eax, dword ptr fs:[00000030h] 3_2_019249A4
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_018899BF mov ecx, dword ptr fs:[00000030h] 3_2_018899BF
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_018899BF mov eax, dword ptr fs:[00000030h] 3_2_018899BF
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_018F41E8 mov eax, dword ptr fs:[00000030h] 3_2_018F41E8
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_0186B1E1 mov eax, dword ptr fs:[00000030h] 3_2_0186B1E1
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_01869100 mov eax, dword ptr fs:[00000030h] 3_2_01869100
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_01884120 mov eax, dword ptr fs:[00000030h] 3_2_01884120
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_01884120 mov ecx, dword ptr fs:[00000030h] 3_2_01884120
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_0189513A mov eax, dword ptr fs:[00000030h] 3_2_0189513A
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_0188B944 mov eax, dword ptr fs:[00000030h] 3_2_0188B944
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_0186C962 mov eax, dword ptr fs:[00000030h] 3_2_0186C962
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_0186B171 mov eax, dword ptr fs:[00000030h] 3_2_0186B171
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_01869080 mov eax, dword ptr fs:[00000030h] 3_2_01869080
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_018E3884 mov eax, dword ptr fs:[00000030h] 3_2_018E3884
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_018A90AF mov eax, dword ptr fs:[00000030h] 3_2_018A90AF
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_018920A0 mov eax, dword ptr fs:[00000030h] 3_2_018920A0
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_0189F0BF mov ecx, dword ptr fs:[00000030h] 3_2_0189F0BF
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_0189F0BF mov eax, dword ptr fs:[00000030h] 3_2_0189F0BF
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_018FB8D0 mov eax, dword ptr fs:[00000030h] 3_2_018FB8D0
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_018FB8D0 mov ecx, dword ptr fs:[00000030h] 3_2_018FB8D0
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_018640E1 mov eax, dword ptr fs:[00000030h] 3_2_018640E1
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_018658EC mov eax, dword ptr fs:[00000030h] 3_2_018658EC
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_0188B8E4 mov eax, dword ptr fs:[00000030h] 3_2_0188B8E4
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_01934015 mov eax, dword ptr fs:[00000030h] 3_2_01934015
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_018E7016 mov eax, dword ptr fs:[00000030h] 3_2_018E7016
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_0189002D mov eax, dword ptr fs:[00000030h] 3_2_0189002D
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_0187B02A mov eax, dword ptr fs:[00000030h] 3_2_0187B02A
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_0188A830 mov eax, dword ptr fs:[00000030h] 3_2_0188A830
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_01880050 mov eax, dword ptr fs:[00000030h] 3_2_01880050
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_01922073 mov eax, dword ptr fs:[00000030h] 3_2_01922073
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_01931074 mov eax, dword ptr fs:[00000030h] 3_2_01931074
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_01871B8F mov eax, dword ptr fs:[00000030h] 3_2_01871B8F
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_0191D380 mov ecx, dword ptr fs:[00000030h] 3_2_0191D380
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_0192138A mov eax, dword ptr fs:[00000030h] 3_2_0192138A
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_0189B390 mov eax, dword ptr fs:[00000030h] 3_2_0189B390
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_01892397 mov eax, dword ptr fs:[00000030h] 3_2_01892397
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_01894BAD mov eax, dword ptr fs:[00000030h] 3_2_01894BAD
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_01935BA5 mov eax, dword ptr fs:[00000030h] 3_2_01935BA5
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_018E53CA mov eax, dword ptr fs:[00000030h] 3_2_018E53CA
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_0188DBE9 mov eax, dword ptr fs:[00000030h] 3_2_0188DBE9
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_018903E2 mov eax, dword ptr fs:[00000030h] 3_2_018903E2
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_019123E3 mov ecx, dword ptr fs:[00000030h] 3_2_019123E3
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_019123E3 mov eax, dword ptr fs:[00000030h] 3_2_019123E3
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_0188A309 mov eax, dword ptr fs:[00000030h] 3_2_0188A309
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_0192131B mov eax, dword ptr fs:[00000030h] 3_2_0192131B
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_0186DB40 mov eax, dword ptr fs:[00000030h] 3_2_0186DB40
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_01938B58 mov eax, dword ptr fs:[00000030h] 3_2_01938B58
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_0186F358 mov eax, dword ptr fs:[00000030h] 3_2_0186F358
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_0186DB60 mov ecx, dword ptr fs:[00000030h] 3_2_0186DB60
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_01893B7A mov eax, dword ptr fs:[00000030h] 3_2_01893B7A
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_0189D294 mov eax, dword ptr fs:[00000030h] 3_2_0189D294
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_018652A5 mov eax, dword ptr fs:[00000030h] 3_2_018652A5
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_0187AAB0 mov eax, dword ptr fs:[00000030h] 3_2_0187AAB0
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_0189FAB0 mov eax, dword ptr fs:[00000030h] 3_2_0189FAB0
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_01892ACB mov eax, dword ptr fs:[00000030h] 3_2_01892ACB
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_01892AE4 mov eax, dword ptr fs:[00000030h] 3_2_01892AE4
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_01924AEF mov eax, dword ptr fs:[00000030h] 3_2_01924AEF
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_0192AA16 mov eax, dword ptr fs:[00000030h] 3_2_0192AA16
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_0192AA16 mov eax, dword ptr fs:[00000030h] 3_2_0192AA16
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_01878A0A mov eax, dword ptr fs:[00000030h] 3_2_01878A0A
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_0186AA16 mov eax, dword ptr fs:[00000030h] 3_2_0186AA16
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_0186AA16 mov eax, dword ptr fs:[00000030h] 3_2_0186AA16
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_01883A1C mov eax, dword ptr fs:[00000030h] 3_2_01883A1C
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_01865210 mov eax, dword ptr fs:[00000030h] 3_2_01865210
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_01865210 mov ecx, dword ptr fs:[00000030h] 3_2_01865210
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_01865210 mov eax, dword ptr fs:[00000030h] 3_2_01865210
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_01865210 mov eax, dword ptr fs:[00000030h] 3_2_01865210
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_0188A229 mov eax, dword ptr fs:[00000030h] 3_2_0188A229
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_0188A229 mov eax, dword ptr fs:[00000030h] 3_2_0188A229
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_0188A229 mov eax, dword ptr fs:[00000030h] 3_2_0188A229
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_0188A229 mov eax, dword ptr fs:[00000030h] 3_2_0188A229
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_0188A229 mov eax, dword ptr fs:[00000030h] 3_2_0188A229
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_0188A229 mov eax, dword ptr fs:[00000030h] 3_2_0188A229
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_0188A229 mov eax, dword ptr fs:[00000030h] 3_2_0188A229
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_0188A229 mov eax, dword ptr fs:[00000030h] 3_2_0188A229
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_0188A229 mov eax, dword ptr fs:[00000030h] 3_2_0188A229
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_018A4A2C mov eax, dword ptr fs:[00000030h] 3_2_018A4A2C
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_018A4A2C mov eax, dword ptr fs:[00000030h] 3_2_018A4A2C
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_01869240 mov eax, dword ptr fs:[00000030h] 3_2_01869240
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_01869240 mov eax, dword ptr fs:[00000030h] 3_2_01869240
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_01869240 mov eax, dword ptr fs:[00000030h] 3_2_01869240
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_01869240 mov eax, dword ptr fs:[00000030h] 3_2_01869240
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_0192EA55 mov eax, dword ptr fs:[00000030h] 3_2_0192EA55
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_018F4257 mov eax, dword ptr fs:[00000030h] 3_2_018F4257
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_018A927A mov eax, dword ptr fs:[00000030h] 3_2_018A927A
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_0191B260 mov eax, dword ptr fs:[00000030h] 3_2_0191B260
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_0191B260 mov eax, dword ptr fs:[00000030h] 3_2_0191B260
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_01938A62 mov eax, dword ptr fs:[00000030h] 3_2_01938A62
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_01892581 mov eax, dword ptr fs:[00000030h] 3_2_01892581
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_01892581 mov eax, dword ptr fs:[00000030h] 3_2_01892581
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_01892581 mov eax, dword ptr fs:[00000030h] 3_2_01892581
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_01892581 mov eax, dword ptr fs:[00000030h] 3_2_01892581
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_01862D8A mov eax, dword ptr fs:[00000030h] 3_2_01862D8A
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_01862D8A mov eax, dword ptr fs:[00000030h] 3_2_01862D8A
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_01862D8A mov eax, dword ptr fs:[00000030h] 3_2_01862D8A
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_01862D8A mov eax, dword ptr fs:[00000030h] 3_2_01862D8A
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_01862D8A mov eax, dword ptr fs:[00000030h] 3_2_01862D8A
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_01922D82 mov eax, dword ptr fs:[00000030h] 3_2_01922D82
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_01922D82 mov eax, dword ptr fs:[00000030h] 3_2_01922D82
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_01922D82 mov eax, dword ptr fs:[00000030h] 3_2_01922D82
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_01922D82 mov eax, dword ptr fs:[00000030h] 3_2_01922D82
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_01922D82 mov eax, dword ptr fs:[00000030h] 3_2_01922D82
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_01922D82 mov eax, dword ptr fs:[00000030h] 3_2_01922D82
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_01922D82 mov eax, dword ptr fs:[00000030h] 3_2_01922D82
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_0189FD9B mov eax, dword ptr fs:[00000030h] 3_2_0189FD9B
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_0189FD9B mov eax, dword ptr fs:[00000030h] 3_2_0189FD9B
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_018935A1 mov eax, dword ptr fs:[00000030h] 3_2_018935A1
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_01891DB5 mov eax, dword ptr fs:[00000030h] 3_2_01891DB5
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_01891DB5 mov eax, dword ptr fs:[00000030h] 3_2_01891DB5
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_01891DB5 mov eax, dword ptr fs:[00000030h] 3_2_01891DB5
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_019305AC mov eax, dword ptr fs:[00000030h] 3_2_019305AC
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_019305AC mov eax, dword ptr fs:[00000030h] 3_2_019305AC
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_018E6DC9 mov eax, dword ptr fs:[00000030h] 3_2_018E6DC9
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_018E6DC9 mov eax, dword ptr fs:[00000030h] 3_2_018E6DC9
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_018E6DC9 mov eax, dword ptr fs:[00000030h] 3_2_018E6DC9
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_018E6DC9 mov ecx, dword ptr fs:[00000030h] 3_2_018E6DC9
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_018E6DC9 mov eax, dword ptr fs:[00000030h] 3_2_018E6DC9
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_018E6DC9 mov eax, dword ptr fs:[00000030h] 3_2_018E6DC9
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_01918DF1 mov eax, dword ptr fs:[00000030h] 3_2_01918DF1
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_0187D5E0 mov eax, dword ptr fs:[00000030h] 3_2_0187D5E0
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_0187D5E0 mov eax, dword ptr fs:[00000030h] 3_2_0187D5E0
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_0192FDE2 mov eax, dword ptr fs:[00000030h] 3_2_0192FDE2
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_0192FDE2 mov eax, dword ptr fs:[00000030h] 3_2_0192FDE2
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_0192FDE2 mov eax, dword ptr fs:[00000030h] 3_2_0192FDE2
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_0192FDE2 mov eax, dword ptr fs:[00000030h] 3_2_0192FDE2
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_01938D34 mov eax, dword ptr fs:[00000030h] 3_2_01938D34
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_0192E539 mov eax, dword ptr fs:[00000030h] 3_2_0192E539
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_01894D3B mov eax, dword ptr fs:[00000030h] 3_2_01894D3B
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_01894D3B mov eax, dword ptr fs:[00000030h] 3_2_01894D3B
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_01894D3B mov eax, dword ptr fs:[00000030h] 3_2_01894D3B
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_01873D34 mov eax, dword ptr fs:[00000030h] 3_2_01873D34
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_01873D34 mov eax, dword ptr fs:[00000030h] 3_2_01873D34
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_01873D34 mov eax, dword ptr fs:[00000030h] 3_2_01873D34
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_01873D34 mov eax, dword ptr fs:[00000030h] 3_2_01873D34
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_01873D34 mov eax, dword ptr fs:[00000030h] 3_2_01873D34
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_01873D34 mov eax, dword ptr fs:[00000030h] 3_2_01873D34
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_01873D34 mov eax, dword ptr fs:[00000030h] 3_2_01873D34
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_01873D34 mov eax, dword ptr fs:[00000030h] 3_2_01873D34
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_01873D34 mov eax, dword ptr fs:[00000030h] 3_2_01873D34
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_01873D34 mov eax, dword ptr fs:[00000030h] 3_2_01873D34
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_01873D34 mov eax, dword ptr fs:[00000030h] 3_2_01873D34
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_01873D34 mov eax, dword ptr fs:[00000030h] 3_2_01873D34
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_01873D34 mov eax, dword ptr fs:[00000030h] 3_2_01873D34
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_0186AD30 mov eax, dword ptr fs:[00000030h] 3_2_0186AD30
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_018EA537 mov eax, dword ptr fs:[00000030h] 3_2_018EA537
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_018A3D43 mov eax, dword ptr fs:[00000030h] 3_2_018A3D43
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_018E3540 mov eax, dword ptr fs:[00000030h] 3_2_018E3540
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_01913D40 mov eax, dword ptr fs:[00000030h] 3_2_01913D40
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_01887D50 mov eax, dword ptr fs:[00000030h] 3_2_01887D50
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_0188C577 mov eax, dword ptr fs:[00000030h] 3_2_0188C577
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_0188C577 mov eax, dword ptr fs:[00000030h] 3_2_0188C577
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_01924496 mov eax, dword ptr fs:[00000030h] 3_2_01924496
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_01924496 mov eax, dword ptr fs:[00000030h] 3_2_01924496
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_01924496 mov eax, dword ptr fs:[00000030h] 3_2_01924496
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_01924496 mov eax, dword ptr fs:[00000030h] 3_2_01924496
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_01924496 mov eax, dword ptr fs:[00000030h] 3_2_01924496
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_01924496 mov eax, dword ptr fs:[00000030h] 3_2_01924496
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_01924496 mov eax, dword ptr fs:[00000030h] 3_2_01924496
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_01924496 mov eax, dword ptr fs:[00000030h] 3_2_01924496
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_01924496 mov eax, dword ptr fs:[00000030h] 3_2_01924496
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_01924496 mov eax, dword ptr fs:[00000030h] 3_2_01924496
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_01924496 mov eax, dword ptr fs:[00000030h] 3_2_01924496
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_01924496 mov eax, dword ptr fs:[00000030h] 3_2_01924496
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_01924496 mov eax, dword ptr fs:[00000030h] 3_2_01924496
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_0187849B mov eax, dword ptr fs:[00000030h] 3_2_0187849B
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_01938CD6 mov eax, dword ptr fs:[00000030h] 3_2_01938CD6
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_019214FB mov eax, dword ptr fs:[00000030h] 3_2_019214FB
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_018E6CF0 mov eax, dword ptr fs:[00000030h] 3_2_018E6CF0
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_018E6CF0 mov eax, dword ptr fs:[00000030h] 3_2_018E6CF0
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_018E6CF0 mov eax, dword ptr fs:[00000030h] 3_2_018E6CF0
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_018E6C0A mov eax, dword ptr fs:[00000030h] 3_2_018E6C0A
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_018E6C0A mov eax, dword ptr fs:[00000030h] 3_2_018E6C0A
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_018E6C0A mov eax, dword ptr fs:[00000030h] 3_2_018E6C0A
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_018E6C0A mov eax, dword ptr fs:[00000030h] 3_2_018E6C0A
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_01921C06 mov eax, dword ptr fs:[00000030h] 3_2_01921C06
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_01921C06 mov eax, dword ptr fs:[00000030h] 3_2_01921C06
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_01921C06 mov eax, dword ptr fs:[00000030h] 3_2_01921C06
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_01921C06 mov eax, dword ptr fs:[00000030h] 3_2_01921C06
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_01921C06 mov eax, dword ptr fs:[00000030h] 3_2_01921C06
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_01921C06 mov eax, dword ptr fs:[00000030h] 3_2_01921C06
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_01921C06 mov eax, dword ptr fs:[00000030h] 3_2_01921C06
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_01921C06 mov eax, dword ptr fs:[00000030h] 3_2_01921C06
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_01921C06 mov eax, dword ptr fs:[00000030h] 3_2_01921C06
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_01921C06 mov eax, dword ptr fs:[00000030h] 3_2_01921C06
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_01921C06 mov eax, dword ptr fs:[00000030h] 3_2_01921C06
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_01921C06 mov eax, dword ptr fs:[00000030h] 3_2_01921C06
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_01921C06 mov eax, dword ptr fs:[00000030h] 3_2_01921C06
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_01921C06 mov eax, dword ptr fs:[00000030h] 3_2_01921C06
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_0193740D mov eax, dword ptr fs:[00000030h] 3_2_0193740D
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_0193740D mov eax, dword ptr fs:[00000030h] 3_2_0193740D
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_0193740D mov eax, dword ptr fs:[00000030h] 3_2_0193740D
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_0189BC2C mov eax, dword ptr fs:[00000030h] 3_2_0189BC2C
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_0189A44B mov eax, dword ptr fs:[00000030h] 3_2_0189A44B
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_018FC450 mov eax, dword ptr fs:[00000030h] 3_2_018FC450
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_018FC450 mov eax, dword ptr fs:[00000030h] 3_2_018FC450
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_0188746D mov eax, dword ptr fs:[00000030h] 3_2_0188746D
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_0189AC7B mov eax, dword ptr fs:[00000030h] 3_2_0189AC7B
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_0189AC7B mov eax, dword ptr fs:[00000030h] 3_2_0189AC7B
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_0189AC7B mov eax, dword ptr fs:[00000030h] 3_2_0189AC7B
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_0189AC7B mov eax, dword ptr fs:[00000030h] 3_2_0189AC7B
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_0189AC7B mov eax, dword ptr fs:[00000030h] 3_2_0189AC7B
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_0189AC7B mov eax, dword ptr fs:[00000030h] 3_2_0189AC7B
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_0189AC7B mov eax, dword ptr fs:[00000030h] 3_2_0189AC7B
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_0189AC7B mov eax, dword ptr fs:[00000030h] 3_2_0189AC7B
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_0189AC7B mov eax, dword ptr fs:[00000030h] 3_2_0189AC7B
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_0189AC7B mov eax, dword ptr fs:[00000030h] 3_2_0189AC7B
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_0189AC7B mov eax, dword ptr fs:[00000030h] 3_2_0189AC7B
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_0188B477 mov eax, dword ptr fs:[00000030h] 3_2_0188B477
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_0188B477 mov eax, dword ptr fs:[00000030h] 3_2_0188B477
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_0188B477 mov eax, dword ptr fs:[00000030h] 3_2_0188B477
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_0188B477 mov eax, dword ptr fs:[00000030h] 3_2_0188B477
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_0188B477 mov eax, dword ptr fs:[00000030h] 3_2_0188B477
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_0188B477 mov eax, dword ptr fs:[00000030h] 3_2_0188B477
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_0188B477 mov eax, dword ptr fs:[00000030h] 3_2_0188B477
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_0188B477 mov eax, dword ptr fs:[00000030h] 3_2_0188B477
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_0188B477 mov eax, dword ptr fs:[00000030h] 3_2_0188B477
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_0188B477 mov eax, dword ptr fs:[00000030h] 3_2_0188B477
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_0188B477 mov eax, dword ptr fs:[00000030h] 3_2_0188B477
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_0188B477 mov eax, dword ptr fs:[00000030h] 3_2_0188B477
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_01878794 mov eax, dword ptr fs:[00000030h] 3_2_01878794
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_018E7794 mov eax, dword ptr fs:[00000030h] 3_2_018E7794
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_018E7794 mov eax, dword ptr fs:[00000030h] 3_2_018E7794
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_018E7794 mov eax, dword ptr fs:[00000030h] 3_2_018E7794
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_018A37F5 mov eax, dword ptr fs:[00000030h] 3_2_018A37F5
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_0189A70E mov eax, dword ptr fs:[00000030h] 3_2_0189A70E
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_0189A70E mov eax, dword ptr fs:[00000030h] 3_2_0189A70E
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_0193070D mov eax, dword ptr fs:[00000030h] 3_2_0193070D
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_0193070D mov eax, dword ptr fs:[00000030h] 3_2_0193070D
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_0188F716 mov eax, dword ptr fs:[00000030h] 3_2_0188F716
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_018FFF10 mov eax, dword ptr fs:[00000030h] 3_2_018FFF10
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_018FFF10 mov eax, dword ptr fs:[00000030h] 3_2_018FFF10
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_01864F2E mov eax, dword ptr fs:[00000030h] 3_2_01864F2E
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_01864F2E mov eax, dword ptr fs:[00000030h] 3_2_01864F2E
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_0188B73D mov eax, dword ptr fs:[00000030h] 3_2_0188B73D
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_0188B73D mov eax, dword ptr fs:[00000030h] 3_2_0188B73D
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_0189E730 mov eax, dword ptr fs:[00000030h] 3_2_0189E730
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_0187EF40 mov eax, dword ptr fs:[00000030h] 3_2_0187EF40
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_0187FF60 mov eax, dword ptr fs:[00000030h] 3_2_0187FF60
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_01938F6A mov eax, dword ptr fs:[00000030h] 3_2_01938F6A
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_018FFE87 mov eax, dword ptr fs:[00000030h] 3_2_018FFE87
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_018E46A7 mov eax, dword ptr fs:[00000030h] 3_2_018E46A7
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_01930EA5 mov eax, dword ptr fs:[00000030h] 3_2_01930EA5
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_01930EA5 mov eax, dword ptr fs:[00000030h] 3_2_01930EA5
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_01930EA5 mov eax, dword ptr fs:[00000030h] 3_2_01930EA5
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_01938ED6 mov eax, dword ptr fs:[00000030h] 3_2_01938ED6
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_018936CC mov eax, dword ptr fs:[00000030h] 3_2_018936CC
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_018A8EC7 mov eax, dword ptr fs:[00000030h] 3_2_018A8EC7
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_0191FEC0 mov eax, dword ptr fs:[00000030h] 3_2_0191FEC0
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_018776E2 mov eax, dword ptr fs:[00000030h] 3_2_018776E2
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_018916E0 mov ecx, dword ptr fs:[00000030h] 3_2_018916E0
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_0186C600 mov eax, dword ptr fs:[00000030h] 3_2_0186C600
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_0186C600 mov eax, dword ptr fs:[00000030h] 3_2_0186C600
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_0186C600 mov eax, dword ptr fs:[00000030h] 3_2_0186C600
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_01898E00 mov eax, dword ptr fs:[00000030h] 3_2_01898E00
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_0189A61C mov eax, dword ptr fs:[00000030h] 3_2_0189A61C
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_0189A61C mov eax, dword ptr fs:[00000030h] 3_2_0189A61C
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_01921608 mov eax, dword ptr fs:[00000030h] 3_2_01921608
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_0186E620 mov eax, dword ptr fs:[00000030h] 3_2_0186E620
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_0191FE3F mov eax, dword ptr fs:[00000030h] 3_2_0191FE3F
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_01877E41 mov eax, dword ptr fs:[00000030h] 3_2_01877E41
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_01877E41 mov eax, dword ptr fs:[00000030h] 3_2_01877E41
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_01877E41 mov eax, dword ptr fs:[00000030h] 3_2_01877E41
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_01877E41 mov eax, dword ptr fs:[00000030h] 3_2_01877E41
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_01877E41 mov eax, dword ptr fs:[00000030h] 3_2_01877E41
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_01877E41 mov eax, dword ptr fs:[00000030h] 3_2_01877E41
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_0192AE44 mov eax, dword ptr fs:[00000030h] 3_2_0192AE44
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_0192AE44 mov eax, dword ptr fs:[00000030h] 3_2_0192AE44
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_0187766D mov eax, dword ptr fs:[00000030h] 3_2_0187766D
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_0188AE73 mov eax, dword ptr fs:[00000030h] 3_2_0188AE73
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_0188AE73 mov eax, dword ptr fs:[00000030h] 3_2_0188AE73
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_0188AE73 mov eax, dword ptr fs:[00000030h] 3_2_0188AE73
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_0188AE73 mov eax, dword ptr fs:[00000030h] 3_2_0188AE73
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Code function: 3_2_0188AE73 mov eax, dword ptr fs:[00000030h] 3_2_0188AE73
Source: C:\Windows\SysWOW64\wscript.exe Code function: 16_2_01019100 mov eax, dword ptr fs:[00000030h] 16_2_01019100
Source: C:\Windows\SysWOW64\wscript.exe Code function: 16_2_01019100 mov eax, dword ptr fs:[00000030h] 16_2_01019100
Source: C:\Windows\SysWOW64\wscript.exe Code function: 16_2_01019100 mov eax, dword ptr fs:[00000030h] 16_2_01019100
Source: C:\Windows\SysWOW64\wscript.exe Code function: 16_2_01034120 mov eax, dword ptr fs:[00000030h] 16_2_01034120
Source: C:\Windows\SysWOW64\wscript.exe Code function: 16_2_01034120 mov eax, dword ptr fs:[00000030h] 16_2_01034120
Source: C:\Windows\SysWOW64\wscript.exe Code function: 16_2_01034120 mov eax, dword ptr fs:[00000030h] 16_2_01034120
Source: C:\Windows\SysWOW64\wscript.exe Code function: 16_2_01034120 mov eax, dword ptr fs:[00000030h] 16_2_01034120
Source: C:\Windows\SysWOW64\wscript.exe Code function: 16_2_01034120 mov ecx, dword ptr fs:[00000030h] 16_2_01034120
Source: C:\Windows\SysWOW64\wscript.exe Code function: 16_2_0104513A mov eax, dword ptr fs:[00000030h] 16_2_0104513A
Source: C:\Windows\SysWOW64\wscript.exe Code function: 16_2_0104513A mov eax, dword ptr fs:[00000030h] 16_2_0104513A
Source: C:\Windows\SysWOW64\wscript.exe Code function: 16_2_0103B944 mov eax, dword ptr fs:[00000030h] 16_2_0103B944
Source: C:\Windows\SysWOW64\wscript.exe Code function: 16_2_0103B944 mov eax, dword ptr fs:[00000030h] 16_2_0103B944
Source: C:\Windows\SysWOW64\wscript.exe Code function: 16_2_0101C962 mov eax, dword ptr fs:[00000030h] 16_2_0101C962
Source: C:\Windows\SysWOW64\wscript.exe Code function: 16_2_0101B171 mov eax, dword ptr fs:[00000030h] 16_2_0101B171
Source: C:\Windows\SysWOW64\wscript.exe Code function: 16_2_0101B171 mov eax, dword ptr fs:[00000030h] 16_2_0101B171
Source: C:\Windows\SysWOW64\wscript.exe Code function: 16_2_0103C182 mov eax, dword ptr fs:[00000030h] 16_2_0103C182
Source: C:\Windows\SysWOW64\wscript.exe Code function: 16_2_0104A185 mov eax, dword ptr fs:[00000030h] 16_2_0104A185
Source: C:\Windows\SysWOW64\wscript.exe Code function: 16_2_01042990 mov eax, dword ptr fs:[00000030h] 16_2_01042990
Source: C:\Windows\SysWOW64\wscript.exe Code function: 16_2_010461A0 mov eax, dword ptr fs:[00000030h] 16_2_010461A0
Source: C:\Windows\SysWOW64\wscript.exe Code function: 16_2_010461A0 mov eax, dword ptr fs:[00000030h] 16_2_010461A0
Source: C:\Windows\SysWOW64\wscript.exe Code function: 16_2_010D49A4 mov eax, dword ptr fs:[00000030h] 16_2_010D49A4
Source: C:\Windows\SysWOW64\wscript.exe Code function: 16_2_010D49A4 mov eax, dword ptr fs:[00000030h] 16_2_010D49A4
Source: C:\Windows\SysWOW64\wscript.exe Code function: 16_2_010D49A4 mov eax, dword ptr fs:[00000030h] 16_2_010D49A4
Source: C:\Windows\SysWOW64\wscript.exe Code function: 16_2_010D49A4 mov eax, dword ptr fs:[00000030h] 16_2_010D49A4
Source: C:\Windows\SysWOW64\wscript.exe Code function: 16_2_010969A6 mov eax, dword ptr fs:[00000030h] 16_2_010969A6
Source: C:\Windows\SysWOW64\wscript.exe Code function: 16_2_010951BE mov eax, dword ptr fs:[00000030h] 16_2_010951BE
Source: C:\Windows\SysWOW64\wscript.exe Code function: 16_2_010951BE mov eax, dword ptr fs:[00000030h] 16_2_010951BE
Source: C:\Windows\SysWOW64\wscript.exe Code function: 16_2_010951BE mov eax, dword ptr fs:[00000030h] 16_2_010951BE
Source: C:\Windows\SysWOW64\wscript.exe Code function: 16_2_010951BE mov eax, dword ptr fs:[00000030h] 16_2_010951BE
Source: C:\Windows\SysWOW64\wscript.exe Code function: 16_2_010399BF mov ecx, dword ptr fs:[00000030h] 16_2_010399BF
Source: C:\Windows\SysWOW64\wscript.exe Code function: 16_2_010399BF mov ecx, dword ptr fs:[00000030h] 16_2_010399BF
Source: C:\Windows\SysWOW64\wscript.exe Code function: 16_2_010399BF mov eax, dword ptr fs:[00000030h] 16_2_010399BF
Source: C:\Windows\SysWOW64\wscript.exe Code function: 16_2_010399BF mov ecx, dword ptr fs:[00000030h] 16_2_010399BF
Source: C:\Windows\SysWOW64\wscript.exe Code function: 16_2_010399BF mov ecx, dword ptr fs:[00000030h] 16_2_010399BF
Source: C:\Windows\SysWOW64\wscript.exe Code function: 16_2_010399BF mov eax, dword ptr fs:[00000030h] 16_2_010399BF
Source: C:\Windows\SysWOW64\wscript.exe Code function: 16_2_010399BF mov ecx, dword ptr fs:[00000030h] 16_2_010399BF
Source: C:\Windows\SysWOW64\wscript.exe Code function: 16_2_010399BF mov ecx, dword ptr fs:[00000030h] 16_2_010399BF
Source: C:\Windows\SysWOW64\wscript.exe Code function: 16_2_010399BF mov eax, dword ptr fs:[00000030h] 16_2_010399BF
Source: C:\Windows\SysWOW64\wscript.exe Code function: 16_2_010399BF mov ecx, dword ptr fs:[00000030h] 16_2_010399BF
Source: C:\Windows\SysWOW64\wscript.exe Code function: 16_2_010399BF mov ecx, dword ptr fs:[00000030h] 16_2_010399BF
Source: C:\Windows\SysWOW64\wscript.exe Code function: 16_2_010399BF mov eax, dword ptr fs:[00000030h] 16_2_010399BF
Source: C:\Windows\SysWOW64\wscript.exe Code function: 16_2_0101B1E1 mov eax, dword ptr fs:[00000030h] 16_2_0101B1E1
Source: C:\Windows\SysWOW64\wscript.exe Code function: 16_2_010A41E8 mov eax, dword ptr fs:[00000030h] 16_2_010A41E8
Source: C:\Windows\SysWOW64\wscript.exe Code function: 16_2_010E4015 mov eax, dword ptr fs:[00000030h] 16_2_010E4015
Source: C:\Windows\SysWOW64\wscript.exe Code function: 16_2_01097016 mov eax, dword ptr fs:[00000030h] 16_2_01097016
Source: C:\Windows\SysWOW64\wscript.exe Code function: 16_2_0102B02A mov eax, dword ptr fs:[00000030h] 16_2_0102B02A
Source: C:\Windows\SysWOW64\wscript.exe Code function: 16_2_0104002D mov eax, dword ptr fs:[00000030h] 16_2_0104002D
Source: C:\Windows\SysWOW64\wscript.exe Code function: 16_2_0103A830 mov eax, dword ptr fs:[00000030h] 16_2_0103A830
Source: C:\Windows\SysWOW64\wscript.exe Code function: 16_2_01030050 mov eax, dword ptr fs:[00000030h] 16_2_01030050
Source: C:\Windows\SysWOW64\wscript.exe Code function: 16_2_010E1074 mov eax, dword ptr fs:[00000030h] 16_2_010E1074
Source: C:\Windows\SysWOW64\wscript.exe Code function: 16_2_010D2073 mov eax, dword ptr fs:[00000030h] 16_2_010D2073
Source: C:\Windows\SysWOW64\wscript.exe Code function: 16_2_01019080 mov eax, dword ptr fs:[00000030h] 16_2_01019080
Source: C:\Windows\SysWOW64\wscript.exe Code function: 16_2_01093884 mov eax, dword ptr fs:[00000030h] 16_2_01093884
Source: C:\Windows\SysWOW64\wscript.exe Code function: 16_2_010420A0 mov eax, dword ptr fs:[00000030h] 16_2_010420A0
Source: C:\Windows\SysWOW64\wscript.exe Code function: 16_2_010590AF mov eax, dword ptr fs:[00000030h] 16_2_010590AF
Source: C:\Windows\SysWOW64\wscript.exe Code function: 16_2_0104F0BF mov ecx, dword ptr fs:[00000030h] 16_2_0104F0BF
Source: C:\Windows\SysWOW64\wscript.exe Code function: 16_2_0104F0BF mov eax, dword ptr fs:[00000030h] 16_2_0104F0BF
Source: C:\Windows\SysWOW64\wscript.exe Code function: 16_2_010AB8D0 mov eax, dword ptr fs:[00000030h] 16_2_010AB8D0
Source: C:\Windows\SysWOW64\wscript.exe Code function: 16_2_010AB8D0 mov ecx, dword ptr fs:[00000030h] 16_2_010AB8D0
Source: C:\Windows\SysWOW64\wscript.exe Code function: 16_2_010140E1 mov eax, dword ptr fs:[00000030h] 16_2_010140E1
Source: C:\Windows\SysWOW64\wscript.exe Code function: 16_2_0103B8E4 mov eax, dword ptr fs:[00000030h] 16_2_0103B8E4
Source: C:\Windows\SysWOW64\wscript.exe Code function: 16_2_010158EC mov eax, dword ptr fs:[00000030h] 16_2_010158EC
Source: C:\Windows\SysWOW64\wscript.exe Code function: 16_2_0103A309 mov eax, dword ptr fs:[00000030h] 16_2_0103A309
Source: C:\Windows\SysWOW64\wscript.exe Code function: 16_2_010D131B mov eax, dword ptr fs:[00000030h] 16_2_010D131B
Source: C:\Windows\SysWOW64\wscript.exe Code function: 16_2_0101DB40 mov eax, dword ptr fs:[00000030h] 16_2_0101DB40
Source: C:\Windows\SysWOW64\wscript.exe Code function: 16_2_010E8B58 mov eax, dword ptr fs:[00000030h] 16_2_010E8B58
Enables debug privileges
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\wscript.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe Network Connect: 74.208.236.34 80
Source: C:\Windows\explorer.exe Network Connect: 185.165.123.36 80
Source: C:\Windows\explorer.exe Network Connect: 104.21.92.184 80
Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Memory written: C:\Users\user\Desktop\i6VD44gIF9.exe base: 400000 value starts with: 4D5A
Maps a DLL or memory area into another process
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Section loaded: unknown target: C:\Windows\SysWOW64\wscript.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Modifies the context of a thread in another process (thread injection)
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Thread register set: target process: 3388
Source: C:\Windows\SysWOW64\wscript.exe Thread register set: target process: 3388
Queues an APC in another process (thread injection)
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Thread APC queued: target process: C:\Windows\explorer.exe
Sample uses process hollowing technique
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Section unmapped: C:\Windows\SysWOW64\wscript.exe base address: 1390000
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Process created: C:\Users\user\Desktop\i6VD44gIF9.exe {path}
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\i6VD44gIF9.exe'
Source: explorer.exe, 00000004.00000002.576779829.0000000001398000.00000004.00000020.sdmp Binary or memory string: ProgmanamF
Source: explorer.exe, 00000004.00000002.581396366.0000000001980000.00000002.00000001.sdmp, wscript.exe, 00000010.00000002.586451872.00000000033C0000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: explorer.exe, 00000004.00000002.581396366.0000000001980000.00000002.00000001.sdmp, wscript.exe, 00000010.00000002.586451872.00000000033C0000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000004.00000002.581396366.0000000001980000.00000002.00000001.sdmp, wscript.exe, 00000010.00000002.586451872.00000000033C0000.00000002.00000001.sdmp Binary or memory string: Progman
Source: explorer.exe, 00000004.00000002.581396366.0000000001980000.00000002.00000001.sdmp, wscript.exe, 00000010.00000002.586451872.00000000033C0000.00000002.00000001.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Queries volume information: C:\Users\user\Desktop\i6VD44gIF9.exe VolumeInformation
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\i6VD44gIF9.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information:

Yara detected FormBook
Source: Yara match File source: 00000003.00000002.302680659.00000000012C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.579484886.0000000000E80000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.255536888.00000000048A2000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.579024968.0000000000E50000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.302948394.00000000013D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.572103632.0000000000420000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.302477057.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.254974295.00000000043C9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 3.2.i6VD44gIF9.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.i6VD44gIF9.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.i6VD44gIF9.exe.458bd18.1.raw.unpack, type: UNPACKEDPE

Remote Access Functionality:

Yara detected FormBook
Source: Yara match File source: 00000003.00000002.302680659.00000000012C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.579484886.0000000000E80000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.255536888.00000000048A2000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.579024968.0000000000E50000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.302948394.00000000013D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.572103632.0000000000420000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.302477057.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.254974295.00000000043C9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 3.2.i6VD44gIF9.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.i6VD44gIF9.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.i6VD44gIF9.exe.458bd18.1.raw.unpack, type: UNPACKEDPE
Behavior
Behavior Graph ID: 351781  Sample: i6VD44gIF9.exe  Start date: 11/02/2021  Architecture: WINDOWS  Score: 100

Start node
    DNS/IP: www.lrrestoration.com
    Signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; 4 other signatures
  • i6VD44gIF9.exe (started)
        Created file: C:\Users\user\AppData\...\i6VD44gIF9.exe.log, ASCII (dropped)
        Signatures: Tries to detect virtualization through RDTSC time measurements; Injects a PE file into a foreign processes
      • i6VD44gIF9.exe (started)
            Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; Queues an APC in another process (thread injection)
          • explorer.exe (injected)
                DNS/IP: www.xn--c1abvlc0ba.xn--p1acf 185.165.123.36, 49739, 80, VARITI-ASRU, Russian Federation; www.rutharroyo.com 74.208.236.34, 49741, 80, ONEANDONE-ASBrauerstrasse48DE, United States; 3 other IPs or domains
                Signatures: System process connects to network (likely due to code injection or exploit)
              • wscript.exe (started)
                    Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements
                  • cmd.exe (started)
                      • conhost.exe (started)

Contacted Public IPs

IP               Domain   Country             ASN    ASN Name                        Malicious
185.165.123.36   unknown  Russian Federation  64432  VARITI-ASRU                     true
104.21.92.184    unknown  United States       13335  CLOUDFLARENETUS                 true
74.208.236.34    unknown  United States       8560   ONEANDONE-ASBrauerstrasse48DE   true

Private

IP
192.168.2.1

Contacted Domains

Name IP Active
www.foto-golyh-devushek.com 104.21.92.184 true
www.rutharroyo.com 74.208.236.34 true
www.xn--c1abvlc0ba.xn--p1acf 185.165.123.36 true
www.lrrestoration.com 172.106.250.6 true
www.absak-lab1.net unknown unknown

Contacted URLs

Name / Malicious / Antivirus Detection / Reputation

http://www.rutharroyo.com/67d/?JfE=oyc7CizTzO7ijjj/wWVzh0cRX4RS00Us7EuMxb4rLU1twRbhGDkyY+EzZT4WUSD89AqN&ojqP_B=RzulsJ
    Malicious: true  Antivirus Detection: Avira URL Cloud: safe  Reputation: unknown

www.aone223.com/67d/
    Malicious: true  Antivirus Detection: Avira URL Cloud: safe  Reputation: low

http://www.foto-golyh-devushek.com/67d/?ojqP_B=RzulsJ&JfE=NVd2BprTGgCTS+kRSzxe1MFE2dAnLNN4hfUOXzbXcyb3INnnj+6+VFnANDut37ZMBQSG
    Malicious: true  Antivirus Detection: Avira URL Cloud: safe  Reputation: unknown

http://www.xn--c1abvlc0ba.xn--p1acf/67d/?JfE=O9IR4YPjjbiQmHeNmUOcFuSmCcKiV53kMKt9knrkQ3zS2byQjzM16AmI+3SIBLcQHOV6&ojqP_B=RzulsJ
    Malicious: true  Antivirus Detection: Avira URL Cloud: safe  Reputation: unknown