Windows Analysis Report
TaojCblZKXL9OpS.exe

Overview

General Information

Sample name: TaojCblZKXL9OpS.exe
Analysis ID: 1538502
MD5: 3ba3c27ef00f1a033b232e701cdb8ea0
SHA1: 589db22d12e2e2a27f309f4532405daa82e03f2f
SHA256: 077cd5cb67798a07fa0c12e910783027f4e336a763dbbb5a82de449aef58bb51
Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected AntiVM3
Yara detected FormBook
.NET source code contains potential unpacker
Found direct / indirect Syscall (likely to bypass EDR)
Injects a PE file into a foreign process
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Switches to a custom stack to bypass stack traces
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number, etc.) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file name is different from the original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

AV Detection

Source: TaojCblZKXL9OpS.exe Avira: detected
Source: TaojCblZKXL9OpS.exe ReversingLabs: Detection: 54%
Source: Yara match File source: 2.2.TaojCblZKXL9OpS.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.TaojCblZKXL9OpS.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000002.00000002.360221134076.0000000003FA0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.361767051155.0000000004880000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.360211048000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.361766387497.0000000002DE0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: TaojCblZKXL9OpS.exe Joe Sandbox ML: detected
Source: TaojCblZKXL9OpS.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: TaojCblZKXL9OpS.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: wntdll.pdbUGP source: TaojCblZKXL9OpS.exe, 00000002.00000002.360211580329.0000000001380000.00000040.00001000.00020000.00000000.sdmp, cleanmgr.exe, 00000009.00000002.361767492332.0000000004BF0000.00000040.00001000.00020000.00000000.sdmp, cleanmgr.exe, 00000009.00000003.360219761269.000000000488F000.00000004.00000020.00020000.00000000.sdmp, cleanmgr.exe, 00000009.00000003.360222722404.0000000004A3D000.00000004.00000020.00020000.00000000.sdmp, cleanmgr.exe, 00000009.00000002.361767492332.0000000004D1D000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: TaojCblZKXL9OpS.exe, TaojCblZKXL9OpS.exe, 00000002.00000002.360211580329.0000000001380000.00000040.00001000.00020000.00000000.sdmp, cleanmgr.exe, cleanmgr.exe, 00000009.00000002.361767492332.0000000004BF0000.00000040.00001000.00020000.00000000.sdmp, cleanmgr.exe, 00000009.00000003.360219761269.000000000488F000.00000004.00000020.00020000.00000000.sdmp, cleanmgr.exe, 00000009.00000003.360222722404.0000000004A3D000.00000004.00000020.00020000.00000000.sdmp, cleanmgr.exe, 00000009.00000002.361767492332.0000000004D1D000.00000040.00001000.00020000.00000000.sdmp
Source: C:\Windows\SysWOW64\cleanmgr.exe Code function: 4x nop then mov ebx, 00000004h 9_2_049804E0

E-Banking Fraud

Source: Yara match File source: 2.2.TaojCblZKXL9OpS.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.TaojCblZKXL9OpS.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000002.00000002.360221134076.0000000003FA0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.361767051155.0000000004880000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.360211048000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.361766387497.0000000002DE0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

System Summary

Source: 2.2.TaojCblZKXL9OpS.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 2.2.TaojCblZKXL9OpS.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000002.00000002.360221134076.0000000003FA0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000009.00000002.361767051155.0000000004880000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000002.00000002.360211048000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000009.00000002.361766387497.0000000002DE0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_0042C603 NtClose, 2_2_0042C603
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_013F34E0 NtCreateMutant,LdrInitializeThunk, 2_2_013F34E0
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_013F2B90 NtFreeVirtualMemory,LdrInitializeThunk, 2_2_013F2B90
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_013F2BC0 NtQueryInformationToken,LdrInitializeThunk, 2_2_013F2BC0
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_013F2A80 NtClose,LdrInitializeThunk, 2_2_013F2A80
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_013F2D10 NtQuerySystemInformation,LdrInitializeThunk, 2_2_013F2D10
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_013F2EB0 NtProtectVirtualMemory,LdrInitializeThunk, 2_2_013F2EB0
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_013F4260 NtSetContextThread, 2_2_013F4260
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_013F4570 NtSuspendThread, 2_2_013F4570
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_013F29F0 NtReadFile, 2_2_013F29F0
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_013F29D0 NtWaitForSingleObject, 2_2_013F29D0
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_013F38D0 NtGetContextThread, 2_2_013F38D0
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_013F2B20 NtQueryInformationProcess, 2_2_013F2B20
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_013F2B10 NtAllocateVirtualMemory, 2_2_013F2B10
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_013F2B00 NtQueryValueKey, 2_2_013F2B00
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_013F2B80 NtCreateKey, 2_2_013F2B80
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_013F2BE0 NtQueryVirtualMemory, 2_2_013F2BE0
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_013F2A10 NtWriteFile, 2_2_013F2A10
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_013F2AA0 NtQueryInformationFile, 2_2_013F2AA0
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_013F2AC0 NtEnumerateValueKey, 2_2_013F2AC0
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_013F2D50 NtWriteVirtualMemory, 2_2_013F2D50
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_013F2DA0 NtReadVirtualMemory, 2_2_013F2DA0
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_013F2DC0 NtAdjustPrivilegesToken, 2_2_013F2DC0
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_013F2C30 NtMapViewOfSection, 2_2_013F2C30
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_013F3C30 NtOpenProcessToken, 2_2_013F3C30
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_013F2C20 NtSetInformationFile, 2_2_013F2C20
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_013F2C10 NtOpenProcess, 2_2_013F2C10
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_013F2C50 NtUnmapViewOfSection, 2_2_013F2C50
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_013F3C90 NtOpenThread, 2_2_013F3C90
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_013F2CF0 NtDelayExecution, 2_2_013F2CF0
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_013F2CD0 NtEnumerateKey, 2_2_013F2CD0
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_013F2F30 NtOpenDirectoryObject, 2_2_013F2F30
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_013F2F00 NtCreateFile, 2_2_013F2F00
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_013F2FB0 NtSetValueKey, 2_2_013F2FB0
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_013F2E00 NtQueueApcThread, 2_2_013F2E00
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_013F2E50 NtCreateSection, 2_2_013F2E50
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_013F2E80 NtCreateProcessEx, 2_2_013F2E80
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_013F2ED0 NtResumeThread, 2_2_013F2ED0
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_013F2EC0 NtQuerySection, 2_2_013F2EC0
Source: C:\Windows\SysWOW64\cleanmgr.exe Code function: 9_2_04C62CF0 NtDelayExecution,LdrInitializeThunk, 9_2_04C62CF0
Source: C:\Windows\SysWOW64\cleanmgr.exe Code function: 9_2_04C62C30 NtMapViewOfSection,LdrInitializeThunk, 9_2_04C62C30
Source: C:\Windows\SysWOW64\cleanmgr.exe Code function: 9_2_04C62D10 NtQuerySystemInformation,LdrInitializeThunk, 9_2_04C62D10
Source: C:\Windows\SysWOW64\cleanmgr.exe Code function: 9_2_04C62E50 NtCreateSection,LdrInitializeThunk, 9_2_04C62E50
Source: C:\Windows\SysWOW64\cleanmgr.exe Code function: 9_2_04C62A80 NtClose,LdrInitializeThunk, 9_2_04C62A80
Source: C:\Windows\SysWOW64\cleanmgr.exe Code function: 9_2_04C62BC0 NtQueryInformationToken,LdrInitializeThunk, 9_2_04C62BC0
Source: C:\Windows\SysWOW64\cleanmgr.exe Code function: 9_2_04C62B80 NtCreateKey,LdrInitializeThunk, 9_2_04C62B80
Source: C:\Windows\SysWOW64\cleanmgr.exe Code function: 9_2_04C62B90 NtFreeVirtualMemory,LdrInitializeThunk, 9_2_04C62B90
Source: C:\Windows\SysWOW64\cleanmgr.exe Code function: 9_2_04C62B00 NtQueryValueKey,LdrInitializeThunk, 9_2_04C62B00
Source: C:\Windows\SysWOW64\cleanmgr.exe Code function: 9_2_04C62B10 NtAllocateVirtualMemory,LdrInitializeThunk, 9_2_04C62B10
Source: C:\Windows\SysWOW64\cleanmgr.exe Code function: 9_2_04C634E0 NtCreateMutant,LdrInitializeThunk, 9_2_04C634E0
Source: C:\Windows\SysWOW64\cleanmgr.exe Code function: 9_2_04C64570 NtSuspendThread, 9_2_04C64570
Source: C:\Windows\SysWOW64\cleanmgr.exe Code function: 9_2_04C64260 NtSetContextThread, 9_2_04C64260
Source: C:\Windows\SysWOW64\cleanmgr.exe Code function: 9_2_04C62CD0 NtEnumerateKey, 9_2_04C62CD0
Source: C:\Windows\SysWOW64\cleanmgr.exe Code function: 9_2_04C62C50 NtUnmapViewOfSection, 9_2_04C62C50
Source: C:\Windows\SysWOW64\cleanmgr.exe Code function: 9_2_04C62C10 NtOpenProcess, 9_2_04C62C10
Source: C:\Windows\SysWOW64\cleanmgr.exe Code function: 9_2_04C62C20 NtSetInformationFile, 9_2_04C62C20
Source: C:\Windows\SysWOW64\cleanmgr.exe Code function: 9_2_04C62DC0 NtAdjustPrivilegesToken, 9_2_04C62DC0
Source: C:\Windows\SysWOW64\cleanmgr.exe Code function: 9_2_04C62DA0 NtReadVirtualMemory, 9_2_04C62DA0
Source: C:\Windows\SysWOW64\cleanmgr.exe Code function: 9_2_04C62D50 NtWriteVirtualMemory, 9_2_04C62D50
Source: C:\Windows\SysWOW64\cleanmgr.exe Code function: 9_2_04C62EC0 NtQuerySection, 9_2_04C62EC0
Source: C:\Windows\SysWOW64\cleanmgr.exe Code function: 9_2_04C62ED0 NtResumeThread, 9_2_04C62ED0
Source: C:\Windows\SysWOW64\cleanmgr.exe Code function: 9_2_04C62E80 NtCreateProcessEx, 9_2_04C62E80
Source: C:\Windows\SysWOW64\cleanmgr.exe Code function: 9_2_04C62EB0 NtProtectVirtualMemory, 9_2_04C62EB0
Source: C:\Windows\SysWOW64\cleanmgr.exe Code function: 9_2_04C62E00 NtQueueApcThread, 9_2_04C62E00
Source: C:\Windows\SysWOW64\cleanmgr.exe Code function: 9_2_04C62FB0 NtSetValueKey, 9_2_04C62FB0
Source: C:\Windows\SysWOW64\cleanmgr.exe Code function: 9_2_04C62F00 NtCreateFile, 9_2_04C62F00
Source: C:\Windows\SysWOW64\cleanmgr.exe Code function: 9_2_04C62F30 NtOpenDirectoryObject, 9_2_04C62F30
Source: C:\Windows\SysWOW64\cleanmgr.exe Code function: 9_2_04C629D0 NtWaitForSingleObject, 9_2_04C629D0
Source: C:\Windows\SysWOW64\cleanmgr.exe Code function: 9_2_04C629F0 NtReadFile, 9_2_04C629F0
Source: C:\Windows\SysWOW64\cleanmgr.exe Code function: 9_2_04C62AC0 NtEnumerateValueKey, 9_2_04C62AC0
Source: C:\Windows\SysWOW64\cleanmgr.exe Code function: 9_2_04C62AA0 NtQueryInformationFile, 9_2_04C62AA0
Source: C:\Windows\SysWOW64\cleanmgr.exe Code function: 9_2_04C62A10 NtWriteFile, 9_2_04C62A10
Source: C:\Windows\SysWOW64\cleanmgr.exe Code function: 9_2_04C62BE0 NtQueryVirtualMemory, 9_2_04C62BE0
Source: C:\Windows\SysWOW64\cleanmgr.exe Code function: 9_2_04C62B20 NtQueryInformationProcess, 9_2_04C62B20
Source: C:\Windows\SysWOW64\cleanmgr.exe Code function: 9_2_04C63C90 NtOpenThread, 9_2_04C63C90
Source: C:\Windows\SysWOW64\cleanmgr.exe Code function: 9_2_04C63C30 NtOpenProcessToken, 9_2_04C63C30
Source: C:\Windows\SysWOW64\cleanmgr.exe Code function: 9_2_04C638D0 NtGetContextThread, 9_2_04C638D0
Source: C:\Windows\SysWOW64\cleanmgr.exe Code function: 9_2_0498F238 NtQueryInformationProcess, 9_2_0498F238
Source: C:\Windows\SysWOW64\cleanmgr.exe Code function: 9_2_049936D8 NtSetContextThread, 9_2_049936D8
Source: C:\Windows\SysWOW64\cleanmgr.exe Code function: 9_2_049946ED NtMapViewOfSection, 9_2_049946ED
Source: C:\Windows\SysWOW64\cleanmgr.exe Code function: 9_2_04994008 NtQueueApcThread, 9_2_04994008
Source: C:\Windows\SysWOW64\cleanmgr.exe Code function: 9_2_04993CF8 NtResumeThread, 9_2_04993CF8
Source: C:\Windows\SysWOW64\cleanmgr.exe Code function: 9_2_049939E8 NtSuspendThread, 9_2_049939E8
Source: C:\Windows\SysWOW64\cleanmgr.exe Code function: 9_2_04994AB8 NtUnmapViewOfSection, 9_2_04994AB8
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: String function: 0143EF10 appears 105 times
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: String function: 013AB910 appears 268 times
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: String function: 01407BE4 appears 96 times
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: String function: 0142E692 appears 86 times
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: String function: 013F5050 appears 36 times
Source: C:\Windows\SysWOW64\cleanmgr.exe Code function: String function: 04C65050 appears 57 times
Source: C:\Windows\SysWOW64\cleanmgr.exe Code function: String function: 04C1B910 appears 275 times
Source: C:\Windows\SysWOW64\cleanmgr.exe Code function: String function: 04C9E692 appears 86 times
Source: C:\Windows\SysWOW64\cleanmgr.exe Code function: String function: 04C77BE4 appears 100 times
Source: C:\Windows\SysWOW64\cleanmgr.exe Code function: String function: 04CAEF10 appears 105 times
Source: TaojCblZKXL9OpS.exe, 00000000.00000002.359952196490.00000000077E0000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameTyrone.dll8 vs TaojCblZKXL9OpS.exe
Source: TaojCblZKXL9OpS.exe, 00000000.00000002.359951569611.0000000007330000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMsMpLics.dllj% vs TaojCblZKXL9OpS.exe
Source: TaojCblZKXL9OpS.exe, 00000002.00000002.360211580329.00000000014AD000.00000040.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs TaojCblZKXL9OpS.exe
Source: TaojCblZKXL9OpS.exe Binary or memory string: OriginalFilenamebbR.exe4 vs TaojCblZKXL9OpS.exe
Source: TaojCblZKXL9OpS.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 2.2.TaojCblZKXL9OpS.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 2.2.TaojCblZKXL9OpS.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000002.00000002.360221134076.0000000003FA0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000009.00000002.361767051155.0000000004880000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000002.00000002.360211048000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000009.00000002.361766387497.0000000002DE0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: TaojCblZKXL9OpS.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 0.2.TaojCblZKXL9OpS.exe.418f200.2.raw.unpack, G445XE2Cpp4eld2H4p.cs Security API names: _0020.SetAccessControl
Source: 0.2.TaojCblZKXL9OpS.exe.418f200.2.raw.unpack, G445XE2Cpp4eld2H4p.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.TaojCblZKXL9OpS.exe.418f200.2.raw.unpack, G445XE2Cpp4eld2H4p.cs Security API names: _0020.AddAccessRule
Source: 0.2.TaojCblZKXL9OpS.exe.77e0000.5.raw.unpack, G445XE2Cpp4eld2H4p.cs Security API names: _0020.SetAccessControl
Source: 0.2.TaojCblZKXL9OpS.exe.77e0000.5.raw.unpack, G445XE2Cpp4eld2H4p.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.TaojCblZKXL9OpS.exe.77e0000.5.raw.unpack, G445XE2Cpp4eld2H4p.cs Security API names: _0020.AddAccessRule
Source: 0.2.TaojCblZKXL9OpS.exe.4216e20.3.raw.unpack, FiHrKMZPWTbmUfdgVb.cs Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.TaojCblZKXL9OpS.exe.4216e20.3.raw.unpack, FiHrKMZPWTbmUfdgVb.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.TaojCblZKXL9OpS.exe.77e0000.5.raw.unpack, FiHrKMZPWTbmUfdgVb.cs Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.TaojCblZKXL9OpS.exe.77e0000.5.raw.unpack, FiHrKMZPWTbmUfdgVb.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.TaojCblZKXL9OpS.exe.4216e20.3.raw.unpack, G445XE2Cpp4eld2H4p.cs Security API names: _0020.SetAccessControl
Source: 0.2.TaojCblZKXL9OpS.exe.4216e20.3.raw.unpack, G445XE2Cpp4eld2H4p.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.TaojCblZKXL9OpS.exe.4216e20.3.raw.unpack, G445XE2Cpp4eld2H4p.cs Security API names: _0020.AddAccessRule
Source: 0.2.TaojCblZKXL9OpS.exe.418f200.2.raw.unpack, FiHrKMZPWTbmUfdgVb.cs Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.TaojCblZKXL9OpS.exe.418f200.2.raw.unpack, FiHrKMZPWTbmUfdgVb.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: classification engine Classification label: mal100.troj.evad.winEXE@5/1@0/0
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\TaojCblZKXL9OpS.exe.log
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Mutant created: NULL
Source: TaojCblZKXL9OpS.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: TaojCblZKXL9OpS.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: TaojCblZKXL9OpS.exe ReversingLabs: Detection: 54%
Source: unknown Process created: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe "C:\Users\user\Desktop\TaojCblZKXL9OpS.exe"
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Process created: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe "C:\Users\user\Desktop\TaojCblZKXL9OpS.exe"
Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe Process created: C:\Windows\SysWOW64\cleanmgr.exe "C:\Windows\SysWOW64\cleanmgr.exe"
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Process created: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe "C:\Users\user\Desktop\TaojCblZKXL9OpS.exe"
Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe Process created: C:\Windows\SysWOW64\cleanmgr.exe "C:\Windows\SysWOW64\cleanmgr.exe"
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Section loaded: edgegdi.dll
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Section loaded: dwrite.dll
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Section loaded: iconcodecservice.dll
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Section loaded: edgegdi.dll
Source: C:\Windows\SysWOW64\cleanmgr.exe Section loaded: vssapi.dll
Source: C:\Windows\SysWOW64\cleanmgr.exe Section loaded: vsstrace.dll
Source: C:\Windows\SysWOW64\cleanmgr.exe Section loaded: edgegdi.dll
Source: C:\Windows\SysWOW64\cleanmgr.exe Section loaded: wininet.dll
Source: C:\Windows\explorer.exe Section loaded: vcruntime140_1.dll
Source: C:\Windows\explorer.exe Section loaded: vcruntime140.dll
Source: C:\Windows\explorer.exe Section loaded: msvcp140.dll
Source: C:\Windows\explorer.exe Section loaded: vcruntime140.dll
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: TaojCblZKXL9OpS.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: TaojCblZKXL9OpS.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: wntdll.pdbUGP source: TaojCblZKXL9OpS.exe, 00000002.00000002.360211580329.0000000001380000.00000040.00001000.00020000.00000000.sdmp, cleanmgr.exe, 00000009.00000002.361767492332.0000000004BF0000.00000040.00001000.00020000.00000000.sdmp, cleanmgr.exe, 00000009.00000003.360219761269.000000000488F000.00000004.00000020.00020000.00000000.sdmp, cleanmgr.exe, 00000009.00000003.360222722404.0000000004A3D000.00000004.00000020.00020000.00000000.sdmp, cleanmgr.exe, 00000009.00000002.361767492332.0000000004D1D000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: TaojCblZKXL9OpS.exe, TaojCblZKXL9OpS.exe, 00000002.00000002.360211580329.0000000001380000.00000040.00001000.00020000.00000000.sdmp, cleanmgr.exe, cleanmgr.exe, 00000009.00000002.361767492332.0000000004BF0000.00000040.00001000.00020000.00000000.sdmp, cleanmgr.exe, 00000009.00000003.360219761269.000000000488F000.00000004.00000020.00020000.00000000.sdmp, cleanmgr.exe, 00000009.00000003.360222722404.0000000004A3D000.00000004.00000020.00020000.00000000.sdmp, cleanmgr.exe, 00000009.00000002.361767492332.0000000004D1D000.00000040.00001000.00020000.00000000.sdmp

Data Obfuscation

Source: 0.2.TaojCblZKXL9OpS.exe.4216e20.3.raw.unpack, G445XE2Cpp4eld2H4p.cs .Net Code: vSC347HbJn System.Reflection.Assembly.Load(byte[])
Source: 0.2.TaojCblZKXL9OpS.exe.418f200.2.raw.unpack, G445XE2Cpp4eld2H4p.cs .Net Code: vSC347HbJn System.Reflection.Assembly.Load(byte[])
Source: 0.2.TaojCblZKXL9OpS.exe.77e0000.5.raw.unpack, G445XE2Cpp4eld2H4p.cs .Net Code: vSC347HbJn System.Reflection.Assembly.Load(byte[])
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 0_2_074CDE61 pushad ; iretd 0_2_074CDE68
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 0_2_074CECEA push eax; ret 0_2_074CECF1
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_00401949 push esi; retf 2_2_004019A6
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_0040D109 push edi; iretd 2_2_0040D10B
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_00403120 push eax; ret 2_2_00403122
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_004071A7 push esi; iretd 2_2_004071C6
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_0040D358 pushfd ; ret 2_2_0040D362
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_0040B547 push ebp; retf 2_2_0040B54A
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_0040AE10 push eax; iretd 2_2_0040AE11
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_0041E6EF push ds; ret 2_2_0041E831
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_0041E6F3 push ds; ret 2_2_0041E831
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_00417E81 push esi; retf 2_2_00417E8C
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_0041E763 push ds; ret 2_2_0041E831
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_0040AF00 push eax; retf 2_2_0040AF01
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_004157E7 push ebp; retf 2_2_004157EA
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_0041E798 push ds; ret 2_2_0041E831
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_0041E7BE push ds; ret 2_2_0041E831
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_013B08CD push ecx; mov dword ptr [esp], ecx 2_2_013B08D6
Source: C:\Windows\SysWOW64\cleanmgr.exe Code function: 9_2_04C208CD push ecx; mov dword ptr [esp], ecx 9_2_04C208D6
Source: C:\Windows\SysWOW64\cleanmgr.exe Code function: 9_2_04986538 pushad ; retf 9_2_04986539
Source: C:\Windows\SysWOW64\cleanmgr.exe Code function: 9_2_0498F738 push ecx; iretd 9_2_0498F792
Source: C:\Windows\SysWOW64\cleanmgr.exe Code function: 9_2_049871E9 push edi; ret 9_2_049871EE
Source: C:\Windows\SysWOW64\cleanmgr.exe Code function: 9_2_049952B2 push eax; ret 9_2_049952B4
Source: C:\Windows\SysWOW64\cleanmgr.exe Code function: 9_2_049823C0 push es; iretd 9_2_049823C7
Source: C:\Windows\SysWOW64\cleanmgr.exe Code function: 9_2_0498BE7B push edx; iretd 9_2_0498BE7C
Source: C:\Windows\SysWOW64\cleanmgr.exe Code function: 9_2_0498BF53 push cs; ret 9_2_0498BF59
Source: TaojCblZKXL9OpS.exe Static PE information: section name: .text entropy: 7.850867463772836
Source: 0.2.TaojCblZKXL9OpS.exe.4216e20.3.raw.unpack, bhAWeazn3ALlNUYHuc.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'OOvYcVFFql', 'O4FYUUWxLN', 'ukKYfZXb6v', 'cOcYmvCula', 'AVAYC1cgBO', 'hfFYYtx0ps', 'mLMY1di1PC'
Source: 0.2.TaojCblZKXL9OpS.exe.4216e20.3.raw.unpack, t6CCgrdm3dbt5iT3PA.cs High entropy of concatenated method names: 'Dispose', 'qhU5xdQsFc', 'PJRpr3vBbj', 'wmdSStfGJx', 'KIq5FkX1sl', 'PWl5zVE9m8', 'ProcessDialogKey', 'VXupa12fsK', 'wU6p5lI8fg', 'eoXpp2bKY9'
Source: 0.2.TaojCblZKXL9OpS.exe.4216e20.3.raw.unpack, vP6ohjwE8WUbObHgQK.cs High entropy of concatenated method names: 'JoEGNhrrZE', 'LP0GdqolwO', 'lF5G6CPLxs', 'vO5GWci4rT', 'jl8G2rpocL', 'QPY6tEBFJd', 'BWI6gqn0Ao', 'pJT6I7vVDY', 'Tdt6Jh5SFh', 'bDu6xu8Hs8'
Source: 0.2.TaojCblZKXL9OpS.exe.4216e20.3.raw.unpack, v2qTaosC3k737o1gfJ.cs High entropy of concatenated method names: 'brs6ligovO', 'yM56R9PScY', 'dOByq6cUQa', 'OMjyjOSbhR', 'VF4y7wNFix', 'myMyP4UCPi', 'JTgynvxVT5', 'XPnyOSytVl', 'UawyilLKgU', 'dlyyEMXhhj'
Source: 0.2.TaojCblZKXL9OpS.exe.4216e20.3.raw.unpack, kbKY92FyC5Y7NYivQt.cs High entropy of concatenated method names: 'JXZY5jxWMQ', 'OZ9YVKdnNP', 'X68Y31WyhK', 'S8JYDDq9q4', 'KP7YdwA7hA', 'FS1Y6CrA8N', 'J2rYGNifun', 'boMCIxhrJN', 'avuCJkF9eR', 'dbuCxofj2C'
Source: 0.2.TaojCblZKXL9OpS.exe.4216e20.3.raw.unpack, FiHrKMZPWTbmUfdgVb.cs High entropy of concatenated method names: 'WjbdASGZyl', 'uGidM472JI', 'MuWdbpw6S9', 'UxAd0jEBAe', 'LJgdtZDsd3', 'o2fdgKbJRR', 'ACBdIn5r1D', 'YE5dJTwpLA', 'g0Ndx8Pv47', 'o8hdFpS3WT'
Source: 0.2.TaojCblZKXL9OpS.exe.4216e20.3.raw.unpack, VqkX1sJl9WlVE9m8IX.cs High entropy of concatenated method names: 'smuCDaf9NQ', 'myqCd0FSjh', 'NgBCyyZ0Kg', 'H1wC6grM3j', 'NNuCGJ1ZDp', 'Kd6CWURELb', 'ggXC2ZCLak', 'QtNCHIqKhy', 'bWNCLH7TTQ', 'MeCCXZOvq2'
Source: 0.2.TaojCblZKXL9OpS.exe.4216e20.3.raw.unpack, eHXW9y55FKAZ2Km2TDU.cs High entropy of concatenated method names: 'ToString', 'QbH1Vwka3S', 'I9h13Cy34s', 'UqL1NXeiZE', 'Eio1DYI9qm', 'U171d14o9p', 'Pvc1y8mxh0', 'N1E16IT9eU', 'zWLaFKV6eMWCj3jHOeA', 'MfIrvYVlyXkhYGbsMHY'
Source: 0.2.TaojCblZKXL9OpS.exe.4216e20.3.raw.unpack, G445XE2Cpp4eld2H4p.cs High entropy of concatenated method names: 'CigVNfVxhj', 'VswVDDNg14', 'pbNVdCxjZP', 'jX7VyqoDq4', 'FY6V6A60Sv', 'LwwVGQL00O', 'xvcVWae8Fx', 'b73V28hnP8', 'RUDVHAb9eE', 'cQxVLiLb3a'
Source: 0.2.TaojCblZKXL9OpS.exe.4216e20.3.raw.unpack, MAndKLnsL1hfl6ymD0.cs High entropy of concatenated method names: 'II4WD7ccHw', 'nRIWyUrxvn', 'WoEWGpBnGI', 'C5HGFMcX9l', 'KLkGztAKyT', 'NkQWawrLTt', 'MXlW5qpQuH', 'YkeWpyjnJ6', 'Eo0WV7ERdD', 'yflW3jP9kh'
Source: 0.2.TaojCblZKXL9OpS.exe.4216e20.3.raw.unpack, nmkmGZ3dkJjO3icYVt.cs High entropy of concatenated method names: 'Das5WiHrKM', 'JWT52bmUfd', 'YVk5L1Ujhu', 'cbt5XUQ2qT', 'O1g5UfJ8P6', 'Ohj5fE8WUb', 'WI7hA3hCBAllGJ45iY', 'feA04Biy2CxtqwylhJ', 'GEV55EKnUl', 'qw45VQy78o'
Source: 0.2.TaojCblZKXL9OpS.exe.4216e20.3.raw.unpack, UigQWaiVAvGlJdNupS.cs High entropy of concatenated method names: 'kFMWvSN2ml', 'olUWeFQoIV', 'G6MW4IVimt', 'OK7WKBMKAV', 'DW1Wl0uls4', 'bXdWuwXcWl', 'vefWRKB38P', 'Cy8WZS4M48', 'KOaWBdOgUG', 'qTlWsKXmig'
Source: 0.2.TaojCblZKXL9OpS.exe.4216e20.3.raw.unpack, UwANpE5VN125VG8b5Mq.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'o5e1AkmsTE', 'gRK1MahZ2F', 'oLb1buBn8Z', 'zcM10aMrnW', 'htk1tiYnY5', 'v901gmYgKT', 'J7M1IIoXuW'
Source: 0.2.TaojCblZKXL9OpS.exe.4216e20.3.raw.unpack, FndM3Db6rwT30I7h0i.cs High entropy of concatenated method names: 'ToString', 'N0IfoYjqXm', 'D8PfrSTKsZ', 'qPOfqj7xa3', 'c5dfjTOL6w', 'lrhf7iSS07', 'pD2fP3Vw9g', 'ayffnMpB3C', 'OkdfOPPykG', 'm2NfiKAdl0'
Source: 0.2.TaojCblZKXL9OpS.exe.4216e20.3.raw.unpack, thUIdVAYQuaWYJ8FNB.cs High entropy of concatenated method names: 'RdHUENlIeQ', 'USrU9yBUME', 'atrUAKjonH', 'yJpUM4GeZM', 'ztbUrfqR03', 'BbXUqcn2ey', 'SFdUjDe0tR', 'wLOU7mYxWt', 'uaUUPfrsDO', 'Gp8UnPrGE7'
Source: 0.2.TaojCblZKXL9OpS.exe.4216e20.3.raw.unpack, jyuC4YyFoFSPS3lOxV.cs High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'P8xpxkQjPQ', 'MVspFKmLfB', 'rnypzNGCOK', 'w1qVapIZje', 'UYeV54PrZq', 'uFCVpTvbEX', 'CAFVVSpd2r', 'rtJZgEPVrCOqUhtEHSp'
Source: 0.2.TaojCblZKXL9OpS.exe.4216e20.3.raw.unpack, xP3LUFBVk1UjhuVbtU.cs High entropy of concatenated method names: 'L9nyKjok43', 'OYuyumn9Kq', 'QlxyZgfgTJ', 'COsyBXpFBH', 'AyryUb1Gb5', 'Yk4yfra8gq', 'AErymYReFD', 'RK3yCHJSBH', 'aJkyYB0olr', 'wVuy1AiaYL'
Source: 0.2.TaojCblZKXL9OpS.exe.4216e20.3.raw.unpack, yv7OID5aJFqrTubkogZ.cs High entropy of concatenated method names: 'n7VYvVGjms', 'kT8YeZRY4Q', 'AACY40F2d6', 'xUiYKwyP8Z', 'SMrYltKCZe', 'HQ9YuYlX2U', 'YkFYR5sh5A', 'KJEYZouFKc', 'bsxYBjbIIS', 'UiBYsKgQo8'
Source: 0.2.TaojCblZKXL9OpS.exe.4216e20.3.raw.unpack, JsLsvykEfbYDv3nZjj.cs High entropy of concatenated method names: 'B4FcZvbRmL', 'oHHcBBblaH', 'XKOcw2s5gS', 'su5crEg810', 'M8KcjxBlwx', 'SyLc7lRkKN', 'HojcnjcKHB', 'MWscOqIWxo', 'E5DcEuZwI5', 'oQ1cojr26P'
Source: 0.2.TaojCblZKXL9OpS.exe.4216e20.3.raw.unpack, IfqTFtpmZGPO2mAHjL.cs High entropy of concatenated method names: 'KIZ4wuxKW', 'lBuKaf9xM', 'P2gu3LwTc', 'mlPRloT6E', 'BXIBryukF', 'V5Ys5vglO', 'PqQ4KZGjnBcplVfS9o', 'GVwOCYQuHSU6fSusAG', 'xCHCKFL5G', 'YNJ1dTlTu'
Source: 0.2.TaojCblZKXL9OpS.exe.4216e20.3.raw.unpack, B12fsKxQU6lI8fgNoX.cs High entropy of concatenated method names: 'rqhCw17Ilm', 'pTnCrL8m9g', 'IHpCq1MuNS', 't5cCj4ZDDO', 'sd8CA4iWH1', 'VXrC7yUqHo', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.TaojCblZKXL9OpS.exe.418f200.2.raw.unpack, bhAWeazn3ALlNUYHuc.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'OOvYcVFFql', 'O4FYUUWxLN', 'ukKYfZXb6v', 'cOcYmvCula', 'AVAYC1cgBO', 'hfFYYtx0ps', 'mLMY1di1PC'
Source: 0.2.TaojCblZKXL9OpS.exe.418f200.2.raw.unpack, t6CCgrdm3dbt5iT3PA.cs High entropy of concatenated method names: 'Dispose', 'qhU5xdQsFc', 'PJRpr3vBbj', 'wmdSStfGJx', 'KIq5FkX1sl', 'PWl5zVE9m8', 'ProcessDialogKey', 'VXupa12fsK', 'wU6p5lI8fg', 'eoXpp2bKY9'
Source: 0.2.TaojCblZKXL9OpS.exe.418f200.2.raw.unpack, vP6ohjwE8WUbObHgQK.cs High entropy of concatenated method names: 'JoEGNhrrZE', 'LP0GdqolwO', 'lF5G6CPLxs', 'vO5GWci4rT', 'jl8G2rpocL', 'QPY6tEBFJd', 'BWI6gqn0Ao', 'pJT6I7vVDY', 'Tdt6Jh5SFh', 'bDu6xu8Hs8'
Source: 0.2.TaojCblZKXL9OpS.exe.418f200.2.raw.unpack, v2qTaosC3k737o1gfJ.cs High entropy of concatenated method names: 'brs6ligovO', 'yM56R9PScY', 'dOByq6cUQa', 'OMjyjOSbhR', 'VF4y7wNFix', 'myMyP4UCPi', 'JTgynvxVT5', 'XPnyOSytVl', 'UawyilLKgU', 'dlyyEMXhhj'
Source: 0.2.TaojCblZKXL9OpS.exe.418f200.2.raw.unpack, kbKY92FyC5Y7NYivQt.cs High entropy of concatenated method names: 'JXZY5jxWMQ', 'OZ9YVKdnNP', 'X68Y31WyhK', 'S8JYDDq9q4', 'KP7YdwA7hA', 'FS1Y6CrA8N', 'J2rYGNifun', 'boMCIxhrJN', 'avuCJkF9eR', 'dbuCxofj2C'
Source: 0.2.TaojCblZKXL9OpS.exe.418f200.2.raw.unpack, FiHrKMZPWTbmUfdgVb.cs High entropy of concatenated method names: 'WjbdASGZyl', 'uGidM472JI', 'MuWdbpw6S9', 'UxAd0jEBAe', 'LJgdtZDsd3', 'o2fdgKbJRR', 'ACBdIn5r1D', 'YE5dJTwpLA', 'g0Ndx8Pv47', 'o8hdFpS3WT'
Source: 0.2.TaojCblZKXL9OpS.exe.418f200.2.raw.unpack, VqkX1sJl9WlVE9m8IX.cs High entropy of concatenated method names: 'smuCDaf9NQ', 'myqCd0FSjh', 'NgBCyyZ0Kg', 'H1wC6grM3j', 'NNuCGJ1ZDp', 'Kd6CWURELb', 'ggXC2ZCLak', 'QtNCHIqKhy', 'bWNCLH7TTQ', 'MeCCXZOvq2'
Source: 0.2.TaojCblZKXL9OpS.exe.418f200.2.raw.unpack, eHXW9y55FKAZ2Km2TDU.cs High entropy of concatenated method names: 'ToString', 'QbH1Vwka3S', 'I9h13Cy34s', 'UqL1NXeiZE', 'Eio1DYI9qm', 'U171d14o9p', 'Pvc1y8mxh0', 'N1E16IT9eU', 'zWLaFKV6eMWCj3jHOeA', 'MfIrvYVlyXkhYGbsMHY'
Source: 0.2.TaojCblZKXL9OpS.exe.418f200.2.raw.unpack, G445XE2Cpp4eld2H4p.cs High entropy of concatenated method names: 'CigVNfVxhj', 'VswVDDNg14', 'pbNVdCxjZP', 'jX7VyqoDq4', 'FY6V6A60Sv', 'LwwVGQL00O', 'xvcVWae8Fx', 'b73V28hnP8', 'RUDVHAb9eE', 'cQxVLiLb3a'
Source: 0.2.TaojCblZKXL9OpS.exe.418f200.2.raw.unpack, MAndKLnsL1hfl6ymD0.cs High entropy of concatenated method names: 'II4WD7ccHw', 'nRIWyUrxvn', 'WoEWGpBnGI', 'C5HGFMcX9l', 'KLkGztAKyT', 'NkQWawrLTt', 'MXlW5qpQuH', 'YkeWpyjnJ6', 'Eo0WV7ERdD', 'yflW3jP9kh'
Source: 0.2.TaojCblZKXL9OpS.exe.418f200.2.raw.unpack, nmkmGZ3dkJjO3icYVt.cs High entropy of concatenated method names: 'Das5WiHrKM', 'JWT52bmUfd', 'YVk5L1Ujhu', 'cbt5XUQ2qT', 'O1g5UfJ8P6', 'Ohj5fE8WUb', 'WI7hA3hCBAllGJ45iY', 'feA04Biy2CxtqwylhJ', 'GEV55EKnUl', 'qw45VQy78o'
Source: 0.2.TaojCblZKXL9OpS.exe.418f200.2.raw.unpack, UigQWaiVAvGlJdNupS.cs High entropy of concatenated method names: 'kFMWvSN2ml', 'olUWeFQoIV', 'G6MW4IVimt', 'OK7WKBMKAV', 'DW1Wl0uls4', 'bXdWuwXcWl', 'vefWRKB38P', 'Cy8WZS4M48', 'KOaWBdOgUG', 'qTlWsKXmig'
Source: 0.2.TaojCblZKXL9OpS.exe.418f200.2.raw.unpack, UwANpE5VN125VG8b5Mq.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'o5e1AkmsTE', 'gRK1MahZ2F', 'oLb1buBn8Z', 'zcM10aMrnW', 'htk1tiYnY5', 'v901gmYgKT', 'J7M1IIoXuW'
Source: 0.2.TaojCblZKXL9OpS.exe.418f200.2.raw.unpack, FndM3Db6rwT30I7h0i.cs High entropy of concatenated method names: 'ToString', 'N0IfoYjqXm', 'D8PfrSTKsZ', 'qPOfqj7xa3', 'c5dfjTOL6w', 'lrhf7iSS07', 'pD2fP3Vw9g', 'ayffnMpB3C', 'OkdfOPPykG', 'm2NfiKAdl0'
Source: 0.2.TaojCblZKXL9OpS.exe.418f200.2.raw.unpack, thUIdVAYQuaWYJ8FNB.cs High entropy of concatenated method names: 'RdHUENlIeQ', 'USrU9yBUME', 'atrUAKjonH', 'yJpUM4GeZM', 'ztbUrfqR03', 'BbXUqcn2ey', 'SFdUjDe0tR', 'wLOU7mYxWt', 'uaUUPfrsDO', 'Gp8UnPrGE7'
Source: 0.2.TaojCblZKXL9OpS.exe.418f200.2.raw.unpack, jyuC4YyFoFSPS3lOxV.cs High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'P8xpxkQjPQ', 'MVspFKmLfB', 'rnypzNGCOK', 'w1qVapIZje', 'UYeV54PrZq', 'uFCVpTvbEX', 'CAFVVSpd2r', 'rtJZgEPVrCOqUhtEHSp'
Source: 0.2.TaojCblZKXL9OpS.exe.418f200.2.raw.unpack, xP3LUFBVk1UjhuVbtU.cs High entropy of concatenated method names: 'L9nyKjok43', 'OYuyumn9Kq', 'QlxyZgfgTJ', 'COsyBXpFBH', 'AyryUb1Gb5', 'Yk4yfra8gq', 'AErymYReFD', 'RK3yCHJSBH', 'aJkyYB0olr', 'wVuy1AiaYL'
Source: 0.2.TaojCblZKXL9OpS.exe.418f200.2.raw.unpack, yv7OID5aJFqrTubkogZ.cs High entropy of concatenated method names: 'n7VYvVGjms', 'kT8YeZRY4Q', 'AACY40F2d6', 'xUiYKwyP8Z', 'SMrYltKCZe', 'HQ9YuYlX2U', 'YkFYR5sh5A', 'KJEYZouFKc', 'bsxYBjbIIS', 'UiBYsKgQo8'
Source: 0.2.TaojCblZKXL9OpS.exe.418f200.2.raw.unpack, JsLsvykEfbYDv3nZjj.cs High entropy of concatenated method names: 'B4FcZvbRmL', 'oHHcBBblaH', 'XKOcw2s5gS', 'su5crEg810', 'M8KcjxBlwx', 'SyLc7lRkKN', 'HojcnjcKHB', 'MWscOqIWxo', 'E5DcEuZwI5', 'oQ1cojr26P'
Source: 0.2.TaojCblZKXL9OpS.exe.418f200.2.raw.unpack, IfqTFtpmZGPO2mAHjL.cs High entropy of concatenated method names: 'KIZ4wuxKW', 'lBuKaf9xM', 'P2gu3LwTc', 'mlPRloT6E', 'BXIBryukF', 'V5Ys5vglO', 'PqQ4KZGjnBcplVfS9o', 'GVwOCYQuHSU6fSusAG', 'xCHCKFL5G', 'YNJ1dTlTu'
Source: 0.2.TaojCblZKXL9OpS.exe.418f200.2.raw.unpack, B12fsKxQU6lI8fgNoX.cs High entropy of concatenated method names: 'rqhCw17Ilm', 'pTnCrL8m9g', 'IHpCq1MuNS', 't5cCj4ZDDO', 'sd8CA4iWH1', 'VXrC7yUqHo', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.TaojCblZKXL9OpS.exe.77e0000.5.raw.unpack, bhAWeazn3ALlNUYHuc.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'OOvYcVFFql', 'O4FYUUWxLN', 'ukKYfZXb6v', 'cOcYmvCula', 'AVAYC1cgBO', 'hfFYYtx0ps', 'mLMY1di1PC'
Source: 0.2.TaojCblZKXL9OpS.exe.77e0000.5.raw.unpack, t6CCgrdm3dbt5iT3PA.cs High entropy of concatenated method names: 'Dispose', 'qhU5xdQsFc', 'PJRpr3vBbj', 'wmdSStfGJx', 'KIq5FkX1sl', 'PWl5zVE9m8', 'ProcessDialogKey', 'VXupa12fsK', 'wU6p5lI8fg', 'eoXpp2bKY9'
Source: 0.2.TaojCblZKXL9OpS.exe.77e0000.5.raw.unpack, vP6ohjwE8WUbObHgQK.cs High entropy of concatenated method names: 'JoEGNhrrZE', 'LP0GdqolwO', 'lF5G6CPLxs', 'vO5GWci4rT', 'jl8G2rpocL', 'QPY6tEBFJd', 'BWI6gqn0Ao', 'pJT6I7vVDY', 'Tdt6Jh5SFh', 'bDu6xu8Hs8'
Source: 0.2.TaojCblZKXL9OpS.exe.77e0000.5.raw.unpack, v2qTaosC3k737o1gfJ.cs High entropy of concatenated method names: 'brs6ligovO', 'yM56R9PScY', 'dOByq6cUQa', 'OMjyjOSbhR', 'VF4y7wNFix', 'myMyP4UCPi', 'JTgynvxVT5', 'XPnyOSytVl', 'UawyilLKgU', 'dlyyEMXhhj'
Source: 0.2.TaojCblZKXL9OpS.exe.77e0000.5.raw.unpack, kbKY92FyC5Y7NYivQt.cs High entropy of concatenated method names: 'JXZY5jxWMQ', 'OZ9YVKdnNP', 'X68Y31WyhK', 'S8JYDDq9q4', 'KP7YdwA7hA', 'FS1Y6CrA8N', 'J2rYGNifun', 'boMCIxhrJN', 'avuCJkF9eR', 'dbuCxofj2C'
Source: 0.2.TaojCblZKXL9OpS.exe.77e0000.5.raw.unpack, FiHrKMZPWTbmUfdgVb.cs High entropy of concatenated method names: 'WjbdASGZyl', 'uGidM472JI', 'MuWdbpw6S9', 'UxAd0jEBAe', 'LJgdtZDsd3', 'o2fdgKbJRR', 'ACBdIn5r1D', 'YE5dJTwpLA', 'g0Ndx8Pv47', 'o8hdFpS3WT'
Source: 0.2.TaojCblZKXL9OpS.exe.77e0000.5.raw.unpack, VqkX1sJl9WlVE9m8IX.cs High entropy of concatenated method names: 'smuCDaf9NQ', 'myqCd0FSjh', 'NgBCyyZ0Kg', 'H1wC6grM3j', 'NNuCGJ1ZDp', 'Kd6CWURELb', 'ggXC2ZCLak', 'QtNCHIqKhy', 'bWNCLH7TTQ', 'MeCCXZOvq2'
Source: 0.2.TaojCblZKXL9OpS.exe.77e0000.5.raw.unpack, eHXW9y55FKAZ2Km2TDU.cs High entropy of concatenated method names: 'ToString', 'QbH1Vwka3S', 'I9h13Cy34s', 'UqL1NXeiZE', 'Eio1DYI9qm', 'U171d14o9p', 'Pvc1y8mxh0', 'N1E16IT9eU', 'zWLaFKV6eMWCj3jHOeA', 'MfIrvYVlyXkhYGbsMHY'
Source: 0.2.TaojCblZKXL9OpS.exe.77e0000.5.raw.unpack, G445XE2Cpp4eld2H4p.cs High entropy of concatenated method names: 'CigVNfVxhj', 'VswVDDNg14', 'pbNVdCxjZP', 'jX7VyqoDq4', 'FY6V6A60Sv', 'LwwVGQL00O', 'xvcVWae8Fx', 'b73V28hnP8', 'RUDVHAb9eE', 'cQxVLiLb3a'
Source: 0.2.TaojCblZKXL9OpS.exe.77e0000.5.raw.unpack, MAndKLnsL1hfl6ymD0.cs High entropy of concatenated method names: 'II4WD7ccHw', 'nRIWyUrxvn', 'WoEWGpBnGI', 'C5HGFMcX9l', 'KLkGztAKyT', 'NkQWawrLTt', 'MXlW5qpQuH', 'YkeWpyjnJ6', 'Eo0WV7ERdD', 'yflW3jP9kh'
Source: 0.2.TaojCblZKXL9OpS.exe.77e0000.5.raw.unpack, nmkmGZ3dkJjO3icYVt.cs High entropy of concatenated method names: 'Das5WiHrKM', 'JWT52bmUfd', 'YVk5L1Ujhu', 'cbt5XUQ2qT', 'O1g5UfJ8P6', 'Ohj5fE8WUb', 'WI7hA3hCBAllGJ45iY', 'feA04Biy2CxtqwylhJ', 'GEV55EKnUl', 'qw45VQy78o'
Source: 0.2.TaojCblZKXL9OpS.exe.77e0000.5.raw.unpack, UigQWaiVAvGlJdNupS.cs High entropy of concatenated method names: 'kFMWvSN2ml', 'olUWeFQoIV', 'G6MW4IVimt', 'OK7WKBMKAV', 'DW1Wl0uls4', 'bXdWuwXcWl', 'vefWRKB38P', 'Cy8WZS4M48', 'KOaWBdOgUG', 'qTlWsKXmig'
Source: 0.2.TaojCblZKXL9OpS.exe.77e0000.5.raw.unpack, UwANpE5VN125VG8b5Mq.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'o5e1AkmsTE', 'gRK1MahZ2F', 'oLb1buBn8Z', 'zcM10aMrnW', 'htk1tiYnY5', 'v901gmYgKT', 'J7M1IIoXuW'
Source: 0.2.TaojCblZKXL9OpS.exe.77e0000.5.raw.unpack, FndM3Db6rwT30I7h0i.cs High entropy of concatenated method names: 'ToString', 'N0IfoYjqXm', 'D8PfrSTKsZ', 'qPOfqj7xa3', 'c5dfjTOL6w', 'lrhf7iSS07', 'pD2fP3Vw9g', 'ayffnMpB3C', 'OkdfOPPykG', 'm2NfiKAdl0'
Source: 0.2.TaojCblZKXL9OpS.exe.77e0000.5.raw.unpack, thUIdVAYQuaWYJ8FNB.cs High entropy of concatenated method names: 'RdHUENlIeQ', 'USrU9yBUME', 'atrUAKjonH', 'yJpUM4GeZM', 'ztbUrfqR03', 'BbXUqcn2ey', 'SFdUjDe0tR', 'wLOU7mYxWt', 'uaUUPfrsDO', 'Gp8UnPrGE7'
Source: 0.2.TaojCblZKXL9OpS.exe.77e0000.5.raw.unpack, jyuC4YyFoFSPS3lOxV.cs High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'P8xpxkQjPQ', 'MVspFKmLfB', 'rnypzNGCOK', 'w1qVapIZje', 'UYeV54PrZq', 'uFCVpTvbEX', 'CAFVVSpd2r', 'rtJZgEPVrCOqUhtEHSp'
Source: 0.2.TaojCblZKXL9OpS.exe.77e0000.5.raw.unpack, xP3LUFBVk1UjhuVbtU.cs High entropy of concatenated method names: 'L9nyKjok43', 'OYuyumn9Kq', 'QlxyZgfgTJ', 'COsyBXpFBH', 'AyryUb1Gb5', 'Yk4yfra8gq', 'AErymYReFD', 'RK3yCHJSBH', 'aJkyYB0olr', 'wVuy1AiaYL'
Source: 0.2.TaojCblZKXL9OpS.exe.77e0000.5.raw.unpack, yv7OID5aJFqrTubkogZ.cs High entropy of concatenated method names: 'n7VYvVGjms', 'kT8YeZRY4Q', 'AACY40F2d6', 'xUiYKwyP8Z', 'SMrYltKCZe', 'HQ9YuYlX2U', 'YkFYR5sh5A', 'KJEYZouFKc', 'bsxYBjbIIS', 'UiBYsKgQo8'
Source: 0.2.TaojCblZKXL9OpS.exe.77e0000.5.raw.unpack, JsLsvykEfbYDv3nZjj.cs High entropy of concatenated method names: 'B4FcZvbRmL', 'oHHcBBblaH', 'XKOcw2s5gS', 'su5crEg810', 'M8KcjxBlwx', 'SyLc7lRkKN', 'HojcnjcKHB', 'MWscOqIWxo', 'E5DcEuZwI5', 'oQ1cojr26P'
Source: 0.2.TaojCblZKXL9OpS.exe.77e0000.5.raw.unpack, IfqTFtpmZGPO2mAHjL.cs High entropy of concatenated method names: 'KIZ4wuxKW', 'lBuKaf9xM', 'P2gu3LwTc', 'mlPRloT6E', 'BXIBryukF', 'V5Ys5vglO', 'PqQ4KZGjnBcplVfS9o', 'GVwOCYQuHSU6fSusAG', 'xCHCKFL5G', 'YNJ1dTlTu'
Source: 0.2.TaojCblZKXL9OpS.exe.77e0000.5.raw.unpack, B12fsKxQU6lI8fgNoX.cs High entropy of concatenated method names: 'rqhCw17Ilm', 'pTnCrL8m9g', 'IHpCq1MuNS', 't5cCj4ZDDO', 'sd8CA4iWH1', 'VXrC7yUqHo', 'Next', 'Next', 'Next', 'NextBytes'
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cleanmgr.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion

Source: Yara match File source: Process Memory Space: TaojCblZKXL9OpS.exe PID: 4776, type: MEMORYSTR
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe API/Special instruction interceptor: Address: 7FFA1486D144
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe API/Special instruction interceptor: Address: 7FFA14870594
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe API/Special instruction interceptor: Address: 7FFA1486FF74
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe API/Special instruction interceptor: Address: 7FFA1486D6C4
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe API/Special instruction interceptor: Address: 7FFA1486D864
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe API/Special instruction interceptor: Address: 7FFA1486D004
Source: C:\Windows\SysWOW64\cleanmgr.exe API/Special instruction interceptor: Address: 7FFA1486D144
Source: C:\Windows\SysWOW64\cleanmgr.exe API/Special instruction interceptor: Address: 7FFA14870594
Source: C:\Windows\SysWOW64\cleanmgr.exe API/Special instruction interceptor: Address: 7FFA1486D764
Source: C:\Windows\SysWOW64\cleanmgr.exe API/Special instruction interceptor: Address: 7FFA1486D324
Source: C:\Windows\SysWOW64\cleanmgr.exe API/Special instruction interceptor: Address: 7FFA1486D364
Source: C:\Windows\SysWOW64\cleanmgr.exe API/Special instruction interceptor: Address: 7FFA1486D004
Source: C:\Windows\SysWOW64\cleanmgr.exe API/Special instruction interceptor: Address: 7FFA1486FF74
Source: C:\Windows\SysWOW64\cleanmgr.exe API/Special instruction interceptor: Address: 7FFA1486D6C4
Source: C:\Windows\SysWOW64\cleanmgr.exe API/Special instruction interceptor: Address: 7FFA1486D864
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Memory allocated: 1300000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Memory allocated: 2F50000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Memory allocated: 2D10000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Memory allocated: 9480000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Memory allocated: 7A30000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Memory allocated: A480000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Memory allocated: 7C40000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_013F1763 rdtsc 2_2_013F1763
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\cleanmgr.exe Window / User API: threadDelayed 9852
Source: C:\Windows\explorer.exe Window / User API: foregroundWindowGot 873
Source: C:\Windows\explorer.exe Window / User API: foregroundWindowGot 880
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe API coverage: 0.9 %
Source: C:\Windows\SysWOW64\cleanmgr.exe API coverage: 0.9 %
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe TID: 1832 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\cleanmgr.exe TID: 3260 Thread sleep count: 123 > 30
Source: C:\Windows\SysWOW64\cleanmgr.exe TID: 3260 Thread sleep time: -246000s >= -30000s
Source: C:\Windows\SysWOW64\cleanmgr.exe TID: 3260 Thread sleep count: 9852 > 30
Source: C:\Windows\SysWOW64\cleanmgr.exe TID: 3260 Thread sleep time: -19704000s >= -30000s
Source: C:\Windows\SysWOW64\cleanmgr.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Thread delayed: delay time: 922337203685477
Source: explorer.exe, 0000000A.00000000.361696608667.00000000090F8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.364920595492.00000000090F8000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWar32ss Root Port #17 - A340
Source: explorer.exe, 0000000A.00000000.361696608667.0000000009194000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.361700102779.000000000CC8C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.364920595492.0000000009194000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.364928605143.000000000CC8C000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: cleanmgr.exe, 00000009.00000002.361766512377.0000000002E4B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\cleanmgr.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_013F1763 rdtsc 2_2_013F1763
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_00417783 LdrLoadDll, 2_2_00417783
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_01485149 mov eax, dword ptr fs:[00000030h] 2_2_01485149
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_0144314A mov eax, dword ptr fs:[00000030h] 2_2_0144314A
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_013E7128 mov eax, dword ptr fs:[00000030h] 2_2_013E7128
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_01483157 mov eax, dword ptr fs:[00000030h] 2_2_01483157
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_013E0118 mov eax, dword ptr fs:[00000030h] 2_2_013E0118
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_013AF113 mov eax, dword ptr fs:[00000030h] 2_2_013AF113
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_013D510F mov eax, dword ptr fs:[00000030h] 2_2_013D510F
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_013B510D mov eax, dword ptr fs:[00000030h] 2_2_013B510D
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_0140717A mov eax, dword ptr fs:[00000030h] 2_2_0140717A
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_013B6179 mov eax, dword ptr fs:[00000030h] 2_2_013B6179
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_013E716D mov eax, dword ptr fs:[00000030h] 2_2_013E716D
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_013E415F mov eax, dword ptr fs:[00000030h] 2_2_013E415F
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_0143A130 mov eax, dword ptr fs:[00000030h] 2_2_0143A130
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_0146F13E mov eax, dword ptr fs:[00000030h] 2_2_0146F13E
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_013AA147 mov eax, dword ptr fs:[00000030h] 2_2_013AA147
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_013E31BE mov eax, dword ptr fs:[00000030h] 2_2_013E31BE
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_013E41BB mov ecx, dword ptr fs:[00000030h] 2_2_013E41BB
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_013E41BB mov eax, dword ptr fs:[00000030h] 2_2_013E41BB
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_014781EE mov eax, dword ptr fs:[00000030h] 2_2_014781EE
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_013D9194 mov eax, dword ptr fs:[00000030h] 2_2_013D9194
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_013F1190 mov eax, dword ptr fs:[00000030h] 2_2_013F1190
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_013B4180 mov eax, dword ptr fs:[00000030h] 2_2_013B4180
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_013A91F0 mov eax, dword ptr fs:[00000030h] 2_2_013A91F0
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_013C01F1 mov eax, dword ptr fs:[00000030h] 2_2_013C01F1
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_013DF1F0 mov eax, dword ptr fs:[00000030h] 2_2_013DF1F0
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_013A81EB mov eax, dword ptr fs:[00000030h] 2_2_013A81EB
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_013BA1E3 mov eax, dword ptr fs:[00000030h] 2_2_013BA1E3
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_013DB1E0 mov eax, dword ptr fs:[00000030h] 2_2_013DB1E0
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_013B91E5 mov eax, dword ptr fs:[00000030h] 2_2_013B91E5
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_013C01C0 mov eax, dword ptr fs:[00000030h] 2_2_013C01C0
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_013C51C0 mov eax, dword ptr fs:[00000030h] 2_2_013C51C0
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_014851B6 mov eax, dword ptr fs:[00000030h] 2_2_014851B6
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_01436040 mov eax, dword ptr fs:[00000030h] 2_2_01436040
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_0148505B mov eax, dword ptr fs:[00000030h] 2_2_0148505B
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_013AD02D mov eax, dword ptr fs:[00000030h] 2_2_013AD02D
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_01459060 mov eax, dword ptr fs:[00000030h] 2_2_01459060
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_013F2010 mov ecx, dword ptr fs:[00000030h] 2_2_013F2010
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_013B8009 mov eax, dword ptr fs:[00000030h] 2_2_013B8009
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_013D5004 mov eax, dword ptr fs:[00000030h] 2_2_013D5004
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_013D5004 mov ecx, dword ptr fs:[00000030h] 2_2_013D5004
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_013B7072 mov eax, dword ptr fs:[00000030h] 2_2_013B7072
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_013B6074 mov eax, dword ptr fs:[00000030h] 2_2_013B6074
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_013B1051 mov eax, dword ptr fs:[00000030h] 2_2_013B1051
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_013E0044 mov eax, dword ptr fs:[00000030h] 2_2_013E0044
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_013F00A5 mov eax, dword ptr fs:[00000030h] 2_2_013F00A5
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_013AA093 mov ecx, dword ptr fs:[00000030h] 2_2_013AA093
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_013AC090 mov eax, dword ptr fs:[00000030h] 2_2_013AC090
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_013A90F8 mov eax, dword ptr fs:[00000030h] 2_2_013A90F8
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_01484080 mov eax, dword ptr fs:[00000030h] 2_2_01484080
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_013AC0F6 mov eax, dword ptr fs:[00000030h] 2_2_013AC0F6
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_013ED0F0 mov eax, dword ptr fs:[00000030h] 2_2_013ED0F0
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_013ED0F0 mov ecx, dword ptr fs:[00000030h] 2_2_013ED0F0
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_01437090 mov eax, dword ptr fs:[00000030h] 2_2_01437090
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_0145F0A5 mov eax, dword ptr fs:[00000030h] 2_2_0145F0A5
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_014360A0 mov eax, dword ptr fs:[00000030h] 2_2_014360A0
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_0146B0AF mov eax, dword ptr fs:[00000030h] 2_2_0146B0AF
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_013CB0D0 mov eax, dword ptr fs:[00000030h] 2_2_013CB0D0
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_013AB0D6 mov eax, dword ptr fs:[00000030h] 2_2_013AB0D6
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_014850B7 mov eax, dword ptr fs:[00000030h] 2_2_014850B7
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_013D332D mov eax, dword ptr fs:[00000030h] 2_2_013D332D
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_013AE328 mov eax, dword ptr fs:[00000030h] 2_2_013AE328
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_013E8322 mov eax, dword ptr fs:[00000030h] 2_2_013E8322
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_013E631F mov eax, dword ptr fs:[00000030h] 2_2_013E631F
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_013CE310 mov eax, dword ptr fs:[00000030h] 2_2_013CE310
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_0142E372 mov eax, dword ptr fs:[00000030h] 2_2_0142E372
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_01430371 mov eax, dword ptr fs:[00000030h] 2_2_01430371
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_013A9303 mov eax, dword ptr fs:[00000030h] 2_2_013A9303
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_013D237A mov eax, dword ptr fs:[00000030h] 2_2_013D237A
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_0146F30A mov eax, dword ptr fs:[00000030h] 2_2_0146F30A
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_0143330C mov eax, dword ptr fs:[00000030h] 2_2_0143330C
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_013BB360 mov eax, dword ptr fs:[00000030h] 2_2_013BB360
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_013EE363 mov eax, dword ptr fs:[00000030h] 2_2_013EE363
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_013EA350 mov eax, dword ptr fs:[00000030h] 2_2_013EA350
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_013A8347 mov eax, dword ptr fs:[00000030h] 2_2_013A8347
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_01483336 mov eax, dword ptr fs:[00000030h] 2_2_01483336
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_014343D5 mov eax, dword ptr fs:[00000030h] 2_2_014343D5
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_013B93A6 mov eax, dword ptr fs:[00000030h] 2_2_013B93A6
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_013B93A6 mov eax, dword ptr fs:[00000030h] 2_2_013B93A6
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_013DA390 mov eax, dword ptr fs:[00000030h] 2_2_013DA390
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_013DA390 mov eax, dword ptr fs:[00000030h] 2_2_013DA390
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_013DA390 mov eax, dword ptr fs:[00000030h] 2_2_013DA390
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_013B1380 mov eax, dword ptr fs:[00000030h] 2_2_013B1380
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_013B1380 mov eax, dword ptr fs:[00000030h] 2_2_013B1380
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_013B1380 mov eax, dword ptr fs:[00000030h] 2_2_013B1380
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_013B1380 mov eax, dword ptr fs:[00000030h] 2_2_013B1380
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_013B1380 mov eax, dword ptr fs:[00000030h] 2_2_013B1380
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_013CF380 mov eax, dword ptr fs:[00000030h] 2_2_013CF380
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_013CF380 mov eax, dword ptr fs:[00000030h] 2_2_013CF380
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_013CF380 mov eax, dword ptr fs:[00000030h] 2_2_013CF380
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_013CF380 mov eax, dword ptr fs:[00000030h] 2_2_013CF380
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_013CF380 mov eax, dword ptr fs:[00000030h] 2_2_013CF380
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_013CF380 mov eax, dword ptr fs:[00000030h] 2_2_013CF380
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_0146F38A mov eax, dword ptr fs:[00000030h] 2_2_0146F38A
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_013E33D0 mov eax, dword ptr fs:[00000030h] 2_2_013E33D0
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_013E43D0 mov ecx, dword ptr fs:[00000030h] 2_2_013E43D0
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_013B63CB mov eax, dword ptr fs:[00000030h] 2_2_013B63CB
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_0142C3B0 mov eax, dword ptr fs:[00000030h] 2_2_0142C3B0
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_013AE3C0 mov eax, dword ptr fs:[00000030h] 2_2_013AE3C0
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_013AE3C0 mov eax, dword ptr fs:[00000030h] 2_2_013AE3C0
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_013AE3C0 mov eax, dword ptr fs:[00000030h] 2_2_013AE3C0
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_013AC3C7 mov eax, dword ptr fs:[00000030h] 2_2_013AC3C7
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_0146F247 mov eax, dword ptr fs:[00000030h] 2_2_0146F247
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_0147124C mov eax, dword ptr fs:[00000030h] 2_2_0147124C
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_0147124C mov eax, dword ptr fs:[00000030h] 2_2_0147124C
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_0147124C mov eax, dword ptr fs:[00000030h] 2_2_0147124C
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_0147124C mov eax, dword ptr fs:[00000030h] 2_2_0147124C
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_013D0230 mov ecx, dword ptr fs:[00000030h] 2_2_013D0230
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_0142D250 mov eax, dword ptr fs:[00000030h] 2_2_0142D250
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_0142D250 mov ecx, dword ptr fs:[00000030h] 2_2_0142D250
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_013EA22B mov eax, dword ptr fs:[00000030h] 2_2_013EA22B
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_013EA22B mov eax, dword ptr fs:[00000030h] 2_2_013EA22B
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_013EA22B mov eax, dword ptr fs:[00000030h] 2_2_013EA22B
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_013A821B mov eax, dword ptr fs:[00000030h] 2_2_013A821B
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_0146D270 mov eax, dword ptr fs:[00000030h] 2_2_0146D270
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_013AA200 mov eax, dword ptr fs:[00000030h] 2_2_013AA200
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_0144327E mov eax, dword ptr fs:[00000030h] 2_2_0144327E
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_0144327E mov eax, dword ptr fs:[00000030h] 2_2_0144327E
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_0144327E mov eax, dword ptr fs:[00000030h] 2_2_0144327E
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_0144327E mov eax, dword ptr fs:[00000030h] 2_2_0144327E
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_0144327E mov eax, dword ptr fs:[00000030h] 2_2_0144327E
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_0144327E mov eax, dword ptr fs:[00000030h] 2_2_0144327E
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_013AB273 mov eax, dword ptr fs:[00000030h] 2_2_013AB273
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_013AB273 mov eax, dword ptr fs:[00000030h] 2_2_013AB273
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_013AB273 mov eax, dword ptr fs:[00000030h] 2_2_013AB273
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_0143B214 mov eax, dword ptr fs:[00000030h] 2_2_0143B214
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_0143B214 mov eax, dword ptr fs:[00000030h] 2_2_0143B214
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_01430227 mov eax, dword ptr fs:[00000030h] 2_2_01430227
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_01430227 mov eax, dword ptr fs:[00000030h] 2_2_01430227
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_01430227 mov eax, dword ptr fs:[00000030h] 2_2_01430227
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_013DF24A mov eax, dword ptr fs:[00000030h] 2_2_013DF24A
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_014832C9 mov eax, dword ptr fs:[00000030h] 2_2_014832C9
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_013AC2B0 mov ecx, dword ptr fs:[00000030h] 2_2_013AC2B0
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_013D42AF mov eax, dword ptr fs:[00000030h] 2_2_013D42AF
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_013D42AF mov eax, dword ptr fs:[00000030h] 2_2_013D42AF
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_013A92AF mov eax, dword ptr fs:[00000030h] 2_2_013A92AF
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_013B7290 mov eax, dword ptr fs:[00000030h] 2_2_013B7290
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_013B7290 mov eax, dword ptr fs:[00000030h] 2_2_013B7290
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_013B7290 mov eax, dword ptr fs:[00000030h] 2_2_013B7290
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_013C02F9 mov eax, dword ptr fs:[00000030h] 2_2_013C02F9
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_013C02F9 mov eax, dword ptr fs:[00000030h] 2_2_013C02F9
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_013C02F9 mov eax, dword ptr fs:[00000030h] 2_2_013C02F9
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_013C02F9 mov eax, dword ptr fs:[00000030h] 2_2_013C02F9
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_013C02F9 mov eax, dword ptr fs:[00000030h] 2_2_013C02F9
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_013C02F9 mov eax, dword ptr fs:[00000030h] 2_2_013C02F9
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_013C02F9 mov eax, dword ptr fs:[00000030h] 2_2_013C02F9
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_013C02F9 mov eax, dword ptr fs:[00000030h] 2_2_013C02F9
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_0142E289 mov eax, dword ptr fs:[00000030h] 2_2_0142E289
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_013AD2EC mov eax, dword ptr fs:[00000030h] 2_2_013AD2EC
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_013AD2EC mov eax, dword ptr fs:[00000030h] 2_2_013AD2EC
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_013A72E0 mov eax, dword ptr fs:[00000030h] 2_2_013A72E0
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_013BA2E0 mov eax, dword ptr fs:[00000030h] 2_2_013BA2E0
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_013BA2E0 mov eax, dword ptr fs:[00000030h] 2_2_013BA2E0
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_013BA2E0 mov eax, dword ptr fs:[00000030h] 2_2_013BA2E0
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_013BA2E0 mov eax, dword ptr fs:[00000030h] 2_2_013BA2E0
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_013BA2E0 mov eax, dword ptr fs:[00000030h] 2_2_013BA2E0
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_013BA2E0 mov eax, dword ptr fs:[00000030h] 2_2_013BA2E0
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_013B82E0 mov eax, dword ptr fs:[00000030h] 2_2_013B82E0
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_013B82E0 mov eax, dword ptr fs:[00000030h] 2_2_013B82E0
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_013B82E0 mov eax, dword ptr fs:[00000030h] 2_2_013B82E0
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_013B82E0 mov eax, dword ptr fs:[00000030h] 2_2_013B82E0
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_0146F2AE mov eax, dword ptr fs:[00000030h] 2_2_0146F2AE
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_014792AB mov eax, dword ptr fs:[00000030h] 2_2_014792AB
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_0148B2BC mov eax, dword ptr fs:[00000030h] 2_2_0148B2BC
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_0148B2BC mov eax, dword ptr fs:[00000030h] 2_2_0148B2BC
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_0148B2BC mov eax, dword ptr fs:[00000030h] 2_2_0148B2BC
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_0148B2BC mov eax, dword ptr fs:[00000030h] 2_2_0148B2BC
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_013D32C5 mov eax, dword ptr fs:[00000030h] 2_2_013D32C5
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_013E32C0 mov eax, dword ptr fs:[00000030h] 2_2_013E32C0
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_013E32C0 mov eax, dword ptr fs:[00000030h] 2_2_013E32C0
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_013A753F mov eax, dword ptr fs:[00000030h] 2_2_013A753F
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_013A753F mov eax, dword ptr fs:[00000030h] 2_2_013A753F
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_013A753F mov eax, dword ptr fs:[00000030h] 2_2_013A753F
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_013F2539 mov eax, dword ptr fs:[00000030h] 2_2_013F2539
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_013B3536 mov eax, dword ptr fs:[00000030h] 2_2_013B3536
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_013B3536 mov eax, dword ptr fs:[00000030h] 2_2_013B3536
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_013C252B mov eax, dword ptr fs:[00000030h] 2_2_013C252B
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_013C252B mov eax, dword ptr fs:[00000030h] 2_2_013C252B
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_013C252B mov eax, dword ptr fs:[00000030h] 2_2_013C252B
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_013C252B mov eax, dword ptr fs:[00000030h] 2_2_013C252B
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_013C252B mov eax, dword ptr fs:[00000030h] 2_2_013C252B
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_013C252B mov eax, dword ptr fs:[00000030h] 2_2_013C252B
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_013C252B mov eax, dword ptr fs:[00000030h] 2_2_013C252B
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_0148B55F mov eax, dword ptr fs:[00000030h] 2_2_0148B55F
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_0148B55F mov eax, dword ptr fs:[00000030h] 2_2_0148B55F
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_013E1527 mov eax, dword ptr fs:[00000030h] 2_2_013E1527
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_013EF523 mov eax, dword ptr fs:[00000030h] 2_2_013EF523
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_01439567 mov eax, dword ptr fs:[00000030h] 2_2_01439567
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_013D1514 mov eax, dword ptr fs:[00000030h] 2_2_013D1514
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_013D1514 mov eax, dword ptr fs:[00000030h] 2_2_013D1514
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_013D1514 mov eax, dword ptr fs:[00000030h] 2_2_013D1514
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_013D1514 mov eax, dword ptr fs:[00000030h] 2_2_013D1514
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_013D1514 mov eax, dword ptr fs:[00000030h] 2_2_013D1514
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_013D1514 mov eax, dword ptr fs:[00000030h] 2_2_013D1514
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_013EC50D mov eax, dword ptr fs:[00000030h] 2_2_013EC50D
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_013EC50D mov eax, dword ptr fs:[00000030h] 2_2_013EC50D
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_013AB502 mov eax, dword ptr fs:[00000030h] 2_2_013AB502
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_013DE507 mov eax, dword ptr fs:[00000030h] 2_2_013DE507
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_013DE507 mov eax, dword ptr fs:[00000030h] 2_2_013DE507
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_013DE507 mov eax, dword ptr fs:[00000030h] 2_2_013DE507
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_013DE507 mov eax, dword ptr fs:[00000030h] 2_2_013DE507
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_013DE507 mov eax, dword ptr fs:[00000030h] 2_2_013DE507
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_013DE507 mov eax, dword ptr fs:[00000030h] 2_2_013DE507
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_013DE507 mov eax, dword ptr fs:[00000030h] 2_2_013DE507
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_013DE507 mov eax, dword ptr fs:[00000030h] 2_2_013DE507
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_013B2500 mov eax, dword ptr fs:[00000030h] 2_2_013B2500
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_013CC560 mov eax, dword ptr fs:[00000030h] 2_2_013CC560
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_0143C51D mov eax, dword ptr fs:[00000030h] 2_2_0143C51D
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_0145F51B mov eax, dword ptr fs:[00000030h] 2_2_0145F51B
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_0145F51B mov eax, dword ptr fs:[00000030h] 2_2_0145F51B
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_0145F51B mov eax, dword ptr fs:[00000030h] 2_2_0145F51B
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_0145F51B mov eax, dword ptr fs:[00000030h] 2_2_0145F51B
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_0145F51B mov eax, dword ptr fs:[00000030h] 2_2_0145F51B
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_0145F51B mov eax, dword ptr fs:[00000030h] 2_2_0145F51B
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_0145F51B mov ecx, dword ptr fs:[00000030h] 2_2_0145F51B
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_0145F51B mov ecx, dword ptr fs:[00000030h] 2_2_0145F51B
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_0145F51B mov eax, dword ptr fs:[00000030h] 2_2_0145F51B
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_0145F51B mov eax, dword ptr fs:[00000030h] 2_2_0145F51B
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_0145F51B mov eax, dword ptr fs:[00000030h] 2_2_0145F51B
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_0145F51B mov eax, dword ptr fs:[00000030h] 2_2_0145F51B
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_0145F51B mov eax, dword ptr fs:[00000030h] 2_2_0145F51B
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_013B254C mov eax, dword ptr fs:[00000030h] 2_2_013B254C
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_013CE547 mov eax, dword ptr fs:[00000030h] 2_2_013CE547
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_013E6540 mov eax, dword ptr fs:[00000030h] 2_2_013E6540
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_013E8540 mov eax, dword ptr fs:[00000030h] 2_2_013E8540
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_014305C6 mov eax, dword ptr fs:[00000030h] 2_2_014305C6
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_013B45B0 mov eax, dword ptr fs:[00000030h] 2_2_013B45B0
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_013B45B0 mov eax, dword ptr fs:[00000030h] 2_2_013B45B0
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_014355E0 mov eax, dword ptr fs:[00000030h] 2_2_014355E0
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_013E2594 mov eax, dword ptr fs:[00000030h] 2_2_013E2594
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_013EA580 mov eax, dword ptr fs:[00000030h] 2_2_013EA580
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_013EA580 mov eax, dword ptr fs:[00000030h] 2_2_013EA580
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_013E9580 mov eax, dword ptr fs:[00000030h] 2_2_013E9580
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_013E9580 mov eax, dword ptr fs:[00000030h] 2_2_013E9580
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_0143C5FC mov eax, dword ptr fs:[00000030h] 2_2_0143C5FC
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_0146F582 mov eax, dword ptr fs:[00000030h] 2_2_0146F582
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_0142E588 mov eax, dword ptr fs:[00000030h] 2_2_0142E588
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_0142E588 mov eax, dword ptr fs:[00000030h] 2_2_0142E588
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_013E15EF mov eax, dword ptr fs:[00000030h] 2_2_013E15EF
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_0143C592 mov eax, dword ptr fs:[00000030h] 2_2_0143C592
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_01457591 mov edi, dword ptr fs:[00000030h] 2_2_01457591
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_013EA5E7 mov ebx, dword ptr fs:[00000030h] 2_2_013EA5E7
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_013EA5E7 mov eax, dword ptr fs:[00000030h] 2_2_013EA5E7
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_013BB5E0 mov eax, dword ptr fs:[00000030h] 2_2_013BB5E0
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_013BB5E0 mov eax, dword ptr fs:[00000030h] 2_2_013BB5E0
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_013BB5E0 mov eax, dword ptr fs:[00000030h] 2_2_013BB5E0
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_013BB5E0 mov eax, dword ptr fs:[00000030h] 2_2_013BB5E0
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_013BB5E0 mov eax, dword ptr fs:[00000030h] 2_2_013BB5E0
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_013BB5E0 mov eax, dword ptr fs:[00000030h] 2_2_013BB5E0
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_014385AA mov eax, dword ptr fs:[00000030h] 2_2_014385AA
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_013E65D0 mov eax, dword ptr fs:[00000030h] 2_2_013E65D0
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_013EC5C6 mov eax, dword ptr fs:[00000030h] 2_2_013EC5C6
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_013AF5C7 mov eax, dword ptr fs:[00000030h] 2_2_013AF5C7
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_013AF5C7 mov eax, dword ptr fs:[00000030h] 2_2_013AF5C7
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_013AF5C7 mov eax, dword ptr fs:[00000030h] 2_2_013AF5C7
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_013AF5C7 mov eax, dword ptr fs:[00000030h] 2_2_013AF5C7
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_013AF5C7 mov eax, dword ptr fs:[00000030h] 2_2_013AF5C7
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_013AF5C7 mov eax, dword ptr fs:[00000030h] 2_2_013AF5C7
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_013AF5C7 mov eax, dword ptr fs:[00000030h] 2_2_013AF5C7
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_013AF5C7 mov eax, dword ptr fs:[00000030h] 2_2_013AF5C7
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_013AF5C7 mov eax, dword ptr fs:[00000030h] 2_2_013AF5C7
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_01430443 mov eax, dword ptr fs:[00000030h] 2_2_01430443
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_013AB420 mov eax, dword ptr fs:[00000030h] 2_2_013AB420
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_013E7425 mov eax, dword ptr fs:[00000030h] 2_2_013E7425
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_013E7425 mov ecx, dword ptr fs:[00000030h] 2_2_013E7425
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_0147A464 mov eax, dword ptr fs:[00000030h] 2_2_0147A464
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_013A640D mov eax, dword ptr fs:[00000030h] 2_2_013A640D
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_0146F478 mov eax, dword ptr fs:[00000030h] 2_2_0146F478
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_01446400 mov eax, dword ptr fs:[00000030h] 2_2_01446400
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_01446400 mov eax, dword ptr fs:[00000030h] 2_2_01446400
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_013B8470 mov eax, dword ptr fs:[00000030h] 2_2_013B8470
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_013B8470 mov eax, dword ptr fs:[00000030h] 2_2_013B8470
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_0146F409 mov eax, dword ptr fs:[00000030h] 2_2_0146F409
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_013DE45E mov eax, dword ptr fs:[00000030h] 2_2_013DE45E
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_013DE45E mov eax, dword ptr fs:[00000030h] 2_2_013DE45E
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_013DE45E mov eax, dword ptr fs:[00000030h] 2_2_013DE45E
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_013DE45E mov eax, dword ptr fs:[00000030h] 2_2_013DE45E
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_013DE45E mov eax, dword ptr fs:[00000030h] 2_2_013DE45E
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_01439429 mov eax, dword ptr fs:[00000030h] 2_2_01439429
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_0143F42F mov eax, dword ptr fs:[00000030h] 2_2_0143F42F
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_0143F42F mov eax, dword ptr fs:[00000030h] 2_2_0143F42F
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_0143F42F mov eax, dword ptr fs:[00000030h] 2_2_0143F42F
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_0143F42F mov eax, dword ptr fs:[00000030h] 2_2_0143F42F
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_0143F42F mov eax, dword ptr fs:[00000030h] 2_2_0143F42F
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_013ED450 mov eax, dword ptr fs:[00000030h] 2_2_013ED450
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_013ED450 mov eax, dword ptr fs:[00000030h] 2_2_013ED450
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_013BD454 mov eax, dword ptr fs:[00000030h] 2_2_013BD454
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_013BD454 mov eax, dword ptr fs:[00000030h] 2_2_013BD454
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_013BD454 mov eax, dword ptr fs:[00000030h] 2_2_013BD454
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_013BD454 mov eax, dword ptr fs:[00000030h] 2_2_013BD454
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_013BD454 mov eax, dword ptr fs:[00000030h] 2_2_013BD454
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_013BD454 mov eax, dword ptr fs:[00000030h] 2_2_013BD454
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_013C0445 mov eax, dword ptr fs:[00000030h] 2_2_013C0445
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_013C0445 mov eax, dword ptr fs:[00000030h] 2_2_013C0445
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_013C0445 mov eax, dword ptr fs:[00000030h] 2_2_013C0445
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_013C0445 mov eax, dword ptr fs:[00000030h] 2_2_013C0445
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_013C0445 mov eax, dword ptr fs:[00000030h] 2_2_013C0445
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_013C0445 mov eax, dword ptr fs:[00000030h] 2_2_013C0445
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_013EE4BC mov eax, dword ptr fs:[00000030h] 2_2_013EE4BC
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_013E44A8 mov eax, dword ptr fs:[00000030h] 2_2_013E44A8
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_013B24A2 mov eax, dword ptr fs:[00000030h] 2_2_013B24A2
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_013B24A2 mov ecx, dword ptr fs:[00000030h] 2_2_013B24A2
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_013EB490 mov eax, dword ptr fs:[00000030h] 2_2_013EB490
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_013EB490 mov eax, dword ptr fs:[00000030h] 2_2_013EB490
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_013E648A mov eax, dword ptr fs:[00000030h] 2_2_013E648A
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_013E648A mov eax, dword ptr fs:[00000030h] 2_2_013E648A
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_013E648A mov eax, dword ptr fs:[00000030h] 2_2_013E648A
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_0146F4FD mov eax, dword ptr fs:[00000030h] 2_2_0146F4FD
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_013B0485 mov ecx, dword ptr fs:[00000030h] 2_2_013B0485
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_013D94FA mov eax, dword ptr fs:[00000030h] 2_2_013D94FA
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_013B64F0 mov eax, dword ptr fs:[00000030h] 2_2_013B64F0
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_013EA4F0 mov eax, dword ptr fs:[00000030h] 2_2_013EA4F0
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_013EA4F0 mov eax, dword ptr fs:[00000030h] 2_2_013EA4F0
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_013EE4EF mov eax, dword ptr fs:[00000030h] 2_2_013EE4EF
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_013EE4EF mov eax, dword ptr fs:[00000030h] 2_2_013EE4EF
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_0143C490 mov eax, dword ptr fs:[00000030h] 2_2_0143C490
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_013E54E0 mov eax, dword ptr fs:[00000030h] 2_2_013E54E0
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_0143D4A0 mov ecx, dword ptr fs:[00000030h] 2_2_0143D4A0
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_0143D4A0 mov eax, dword ptr fs:[00000030h] 2_2_0143D4A0
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_0143D4A0 mov eax, dword ptr fs:[00000030h] 2_2_0143D4A0
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_013D44D1 mov eax, dword ptr fs:[00000030h] 2_2_013D44D1
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_013D44D1 mov eax, dword ptr fs:[00000030h] 2_2_013D44D1
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_013DF4D0 mov eax, dword ptr fs:[00000030h] 2_2_013DF4D0
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_013DF4D0 mov eax, dword ptr fs:[00000030h] 2_2_013DF4D0
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_013DF4D0 mov eax, dword ptr fs:[00000030h] 2_2_013DF4D0
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_013DF4D0 mov eax, dword ptr fs:[00000030h] 2_2_013DF4D0
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_013DF4D0 mov eax, dword ptr fs:[00000030h] 2_2_013DF4D0
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_013DF4D0 mov eax, dword ptr fs:[00000030h] 2_2_013DF4D0
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_013DF4D0 mov eax, dword ptr fs:[00000030h] 2_2_013DF4D0
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_013DF4D0 mov eax, dword ptr fs:[00000030h] 2_2_013DF4D0
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_013DF4D0 mov eax, dword ptr fs:[00000030h] 2_2_013DF4D0
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_013D14C9 mov eax, dword ptr fs:[00000030h] 2_2_013D14C9
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_013D14C9 mov eax, dword ptr fs:[00000030h] 2_2_013D14C9
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_013D14C9 mov eax, dword ptr fs:[00000030h] 2_2_013D14C9
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_013D14C9 mov eax, dword ptr fs:[00000030h] 2_2_013D14C9
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_013D14C9 mov eax, dword ptr fs:[00000030h] 2_2_013D14C9
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_014484BB mov eax, dword ptr fs:[00000030h] 2_2_014484BB
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_0143174B mov eax, dword ptr fs:[00000030h] 2_2_0143174B
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_0143174B mov ecx, dword ptr fs:[00000030h] 2_2_0143174B
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_0145E750 mov eax, dword ptr fs:[00000030h] 2_2_0145E750
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_013D9723 mov eax, dword ptr fs:[00000030h] 2_2_013D9723
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_013B471B mov eax, dword ptr fs:[00000030h] 2_2_013B471B
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_013B471B mov eax, dword ptr fs:[00000030h] 2_2_013B471B
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_013D270D mov eax, dword ptr fs:[00000030h] 2_2_013D270D
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_013D270D mov eax, dword ptr fs:[00000030h] 2_2_013D270D
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_013D270D mov eax, dword ptr fs:[00000030h] 2_2_013D270D
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_013BD700 mov ecx, dword ptr fs:[00000030h] 2_2_013BD700
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_013AB705 mov eax, dword ptr fs:[00000030h] 2_2_013AB705
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_013AB705 mov eax, dword ptr fs:[00000030h] 2_2_013AB705
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_013AB705 mov eax, dword ptr fs:[00000030h] 2_2_013AB705
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_013AB705 mov eax, dword ptr fs:[00000030h] 2_2_013AB705
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_013B4779 mov eax, dword ptr fs:[00000030h] 2_2_013B4779
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_013B4779 mov eax, dword ptr fs:[00000030h] 2_2_013B4779
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_013E0774 mov eax, dword ptr fs:[00000030h] 2_2_013E0774
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_0147970B mov eax, dword ptr fs:[00000030h] 2_2_0147970B
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_0147970B mov eax, dword ptr fs:[00000030h] 2_2_0147970B
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_0146F717 mov eax, dword ptr fs:[00000030h] 2_2_0146F717
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_013C2760 mov ecx, dword ptr fs:[00000030h] 2_2_013C2760
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_013F1763 mov eax, dword ptr fs:[00000030h] 2_2_013F1763
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_013F1763 mov eax, dword ptr fs:[00000030h] 2_2_013F1763
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_013F1763 mov eax, dword ptr fs:[00000030h] 2_2_013F1763
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_013F1763 mov eax, dword ptr fs:[00000030h] 2_2_013F1763
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_013F1763 mov eax, dword ptr fs:[00000030h] 2_2_013F1763
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_013F1763 mov eax, dword ptr fs:[00000030h] 2_2_013F1763
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_013AF75B mov eax, dword ptr fs:[00000030h] 2_2_013AF75B
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_013AF75B mov eax, dword ptr fs:[00000030h] 2_2_013AF75B
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_013AF75B mov eax, dword ptr fs:[00000030h] 2_2_013AF75B
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_013AF75B mov eax, dword ptr fs:[00000030h] 2_2_013AF75B
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_013AF75B mov eax, dword ptr fs:[00000030h] 2_2_013AF75B
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_013AF75B mov eax, dword ptr fs:[00000030h] 2_2_013AF75B
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_013AF75B mov eax, dword ptr fs:[00000030h] 2_2_013AF75B
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_013AF75B mov eax, dword ptr fs:[00000030h] 2_2_013AF75B
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_013AF75B mov eax, dword ptr fs:[00000030h] 2_2_013AF75B
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_013D2755 mov eax, dword ptr fs:[00000030h] 2_2_013D2755
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_013D2755 mov eax, dword ptr fs:[00000030h] 2_2_013D2755
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_013D2755 mov eax, dword ptr fs:[00000030h] 2_2_013D2755
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_013D2755 mov ecx, dword ptr fs:[00000030h] 2_2_013D2755
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_013D2755 mov eax, dword ptr fs:[00000030h] 2_2_013D2755
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_013D2755 mov eax, dword ptr fs:[00000030h] 2_2_013D2755
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_013EA750 mov eax, dword ptr fs:[00000030h] 2_2_013EA750
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_013E174A mov eax, dword ptr fs:[00000030h] 2_2_013E174A
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Memory allocated: page read and write | page guard
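Every "Code function" line above records one read of fs:[30h]. In a 32-bit (here WOW64) process the fs segment addresses the TEB, and offset 0x30 is the PEB pointer; the PEB is where BeingDebugged (+0x02) and NtGlobalFlag (+0x68) live, which is what the "Checks if the current process is being debugged" signature keys on, and where the loader list (Ldr, +0x0C) starts, which is how runtime-unpacked code resolves kernel32/ntdll exports without an import table ("Contains functionality to access loader functionality"). All hits are in process 2 at 0x013Axxxx to 0x0147xxxx, well away from the 0x400000 image base reported elsewhere on this page. The sandbox prints one line per read instruction, so the useful triage step is to group by function and rank: the functions with the most PEB reads are the ones to open first in a disassembler. The script below is an added example, not Joe Sandbox output or tooling; it parses the report's own line format, decodes the TEB offset against the public 32-bit TEB layout (the table is from that layout, not from this page) and ranks the functions. The sample input is a constructed subset of the lines above.

```python
import re
from collections import Counter

# Constructed sample: a handful of the "Code function" lines from the report above,
# plus one unrelated line to show the filter. Every hit is in process 2 ("2_2_<addr>"
# = process index 2, dump 2) and reads fs:[30h], the PEB pointer in the 32-bit TEB.
SAMPLE_REPORT = r"""
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_0143D4A0 mov ecx, dword ptr fs:[00000030h] 2_2_0143D4A0
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_0143D4A0 mov eax, dword ptr fs:[00000030h] 2_2_0143D4A0
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_0143D4A0 mov eax, dword ptr fs:[00000030h] 2_2_0143D4A0
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_013DF4D0 mov eax, dword ptr fs:[00000030h] 2_2_013DF4D0
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_013DF4D0 mov eax, dword ptr fs:[00000030h] 2_2_013DF4D0
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_013DF4D0 mov eax, dword ptr fs:[00000030h] 2_2_013DF4D0
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_013DF4D0 mov eax, dword ptr fs:[00000030h] 2_2_013DF4D0
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_013D2755 mov ecx, dword ptr fs:[00000030h] 2_2_013D2755
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Code function: 2_2_014484BB mov eax, dword ptr fs:[00000030h] 2_2_014484BB
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Memory allocated: page read and write | page guard
"""

# 32-bit TEB offsets commonly read through fs (public _TEB / _NT_TIB layout, not from
# the report). 0x30 is the one every line above hits.
TEB32_FIELDS = {
    0x00: "NtTib.ExceptionList",        # SEH chain
    0x04: "NtTib.StackBase",
    0x08: "NtTib.StackLimit",
    0x18: "NtTib.Self",
    0x20: "ClientId.UniqueProcess",     # PID
    0x24: "ClientId.UniqueThread",      # TID
    0x2C: "ThreadLocalStoragePointer",
    0x30: "ProcessEnvironmentBlock",    # PEB: +0x02 BeingDebugged, +0x0C Ldr, +0x68 NtGlobalFlag
    0x34: "LastErrorValue",
}

CODE_FUNC_RE = re.compile(
    r"Code function: (?P<proc>\d+)_(?P<dump>\d+)_(?P<addr>[0-9A-Fa-f]{8}) "
    r"mov (?P<reg>e[a-z]{2}), dword ptr fs:\[(?P<off>[0-9A-Fa-f]{8})h\]"
)


def parse_teb_reads(report_text):
    """One record per 'mov reg, dword ptr fs:[...]' line; every other line is skipped."""
    reads = []
    for line in report_text.splitlines():
        m = CODE_FUNC_RE.search(line)
        if not m:
            continue            # e.g. the "Memory allocated" line: not a TEB read
        reads.append({
            "proc": int(m["proc"]),
            "dump": int(m["dump"]),
            "func": int(m["addr"], 16),
            "reg": m["reg"],
            "teb_off": int(m["off"], 16),
        })
    return reads


def teb_field(offset):
    return TEB32_FIELDS.get(offset, "unknown TEB offset 0x%X" % offset)


def peb_hotspots(reads):
    """Functions ranked by number of PEB-pointer reads, busiest first; ties by address."""
    counts = Counter(r["func"] for r in reads if r["teb_off"] == 0x30)
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


def summarize(report_text, top_n=3):
    reads = parse_teb_reads(report_text)
    ranked = peb_hotspots(reads)
    return {
        "peb_reads": sum(n for _, n in ranked),
        "functions": len(ranked),
        "top": [("0x%08X" % func, n) for func, n in ranked[:top_n]],
        "fields": sorted({teb_field(r["teb_off"]) for r in reads}),
    }


if __name__ == "__main__":
    s = summarize(SAMPLE_REPORT)
    print(f"{s['peb_reads']} PEB reads across {s['functions']} functions; fields: {s['fields']}")
    for func, n in s["top"]:
        print(f"  {func}: {n} reads")
```

Run against the full list on this page rather than the sample, 2_2_013AF75B (nine reads) and 2_2_013DF4D0 (nine reads) come out on top; a function that touches the PEB that often is usually either the module-list walker or a cluster of anti-debug checks, so those are the two addresses to inspect first.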

HIPS / PFW / Operating System Protection Evasion

Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe NtResumeThread: Direct from: 0x4AD532C
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe NtResumeThread: Indirect: 0x1773ED0
Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe NtDelayExecution: Direct from: 0x4AD50E6
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe NtSuspendThread: Indirect: 0x1773BC0
Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe NtProtectVirtualMemory: Direct from: 0x7FFA14822651
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe NtSetContextThread: Indirect: 0x17738B0
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe NtClose: Indirect: 0x176F6E5
Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe NtProtectVirtualMemory: Direct from: 0x4ADCE23
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe NtQueueApcThread: Indirect: 0x176F654
Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe NtClose: Direct from: 0x7FF9E0149E7F
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Memory written: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Section loaded: NULL target: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe protection: execute and read and write
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Section loaded: NULL target: C:\Windows\SysWOW64\cleanmgr.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\cleanmgr.exe Section loaded: NULL target: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe protection: read write
Source: C:\Windows\SysWOW64\cleanmgr.exe Section loaded: NULL target: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\cleanmgr.exe Section loaded: NULL target: C:\Windows\explorer.exe protection: read write
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Thread register set: target process: 4172
Source: C:\Windows\SysWOW64\cleanmgr.exe Thread register set: target process: 4172
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Thread APC queued: target process: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Process created: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe "C:\Users\user\Desktop\TaojCblZKXL9OpS.exe"
Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe Process created: C:\Windows\SysWOW64\cleanmgr.exe "C:\Windows\SysWOW64\cleanmgr.exe"
Source: RAVCpl64.exe, 00000008.00000002.364907063272.0000000000EC1000.00000002.00000001.00040000.00000000.sdmp, RAVCpl64.exe, 00000008.00000000.360142330439.0000000000EC1000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000A.00000002.364914245498.00000000042C0000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Shell_TrayWnd
Source: RAVCpl64.exe, 00000008.00000002.364907063272.0000000000EC1000.00000002.00000001.00040000.00000000.sdmp, RAVCpl64.exe, 00000008.00000000.360142330439.0000000000EC1000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000A.00000002.364906818104.0000000000CE1000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progman
Source: explorer.exe, 0000000A.00000002.364930107759.000000000CE56000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.361700866168.000000000CE56000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Shell_TrayWndcs
Source: RAVCpl64.exe, 00000008.00000002.364907063272.0000000000EC1000.00000002.00000001.00040000.00000000.sdmp, RAVCpl64.exe, 00000008.00000000.360142330439.0000000000EC1000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000A.00000002.364906818104.0000000000CE1000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progmanlock
Source: RAVCpl64.exe, 00000008.00000002.364907063272.0000000000EC1000.00000002.00000001.00040000.00000000.sdmp, RAVCpl64.exe, 00000008.00000000.360142330439.0000000000EC1000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000A.00000002.364906818104.0000000000CE1000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Program Manager@
Source: explorer.exe, 0000000A.00000000.361691047356.0000000000504000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.364904632689.0000000000504000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Progmanu
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Queries volume information: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe VolumeInformation
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
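The HIPS / PFW lines above carry the whole injection story, but spread over two kinds of entry. The "NtXxx: Direct from" / "Indirect" lines are the sandbox's syscall-origin checks, in the usual sense of the terms: a direct syscall means the syscall instruction itself executed from an address outside ntdll (the code ships its own stubs), an indirect one means the caller jumped into ntdll's syscall instruction past the function prologue where user-mode EDR hooks sit; either way the return address is not where a hooked ntdll export would put it. The remaining lines are the cross-process writes: the .NET loader re-launches itself and writes an MZ header at its own base 0x400000 (self-hollowing), maps RWX sections into RAVCpl64.exe (a 64-bit Realtek binary already installed on the analysis VM) and queues an APC there, RAVCpl64.exe spawns SysWOW64\cleanmgr.exe, and cleanmgr.exe in turn writes into RAVCpl64.exe and explorer.exe. The script below is an added example and not Joe Sandbox tooling: it parses those line formats from a constructed sample of the entries above, rebuilds the hop chain as a graph walk and splits syscall origins per process. It assumes processes can be identified by the basename of the path the sandbox printed, and leaves the thread-context target alone as "pid:4172" because the report gives only the PID for it.

```python
import re
from collections import defaultdict

# Constructed sample: HIPS / injection lines from the report above (link text removed).
# Paths are the ones the sandbox printed; the thread-context target is only given as PID 4172.
SAMPLE_REPORT = r"""
Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe NtResumeThread: Direct from: 0x4AD532C
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe NtResumeThread: Indirect: 0x1773ED0
Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe NtDelayExecution: Direct from: 0x4AD50E6
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe NtSuspendThread: Indirect: 0x1773BC0
Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe NtProtectVirtualMemory: Direct from: 0x7FFA14822651
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe NtSetContextThread: Indirect: 0x17738B0
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe NtQueueApcThread: Indirect: 0x176F654
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Memory written: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Section loaded: NULL target: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe protection: execute and read and write
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Section loaded: NULL target: C:\Windows\SysWOW64\cleanmgr.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\cleanmgr.exe Section loaded: NULL target: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe protection: read write
Source: C:\Windows\SysWOW64\cleanmgr.exe Section loaded: NULL target: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\cleanmgr.exe Section loaded: NULL target: C:\Windows\explorer.exe protection: read write
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Thread register set: target process: 4172
Source: C:\Windows\SysWOW64\cleanmgr.exe Thread register set: target process: 4172
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Thread APC queued: target process: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
Source: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe Process created: C:\Users\user\Desktop\TaojCblZKXL9OpS.exe "C:\Users\user\Desktop\TaojCblZKXL9OpS.exe"
Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe Process created: C:\Windows\SysWOW64\cleanmgr.exe "C:\Windows\SysWOW64\cleanmgr.exe"
"""

# One pattern per line kind. Source paths contain spaces, so each is anchored on the
# fixed text that follows the path rather than on whitespace.
SYSCALL_RE = re.compile(r"^Source: (?P<src>.+?) (?P<api>Nt\w+): (?P<kind>Direct from|Indirect): (?P<addr>0x[0-9A-Fa-f]+)$")
PEWRITE_RE = re.compile(r"^Source: (?P<src>.+?) Memory written: (?P<dst>.+?) base: (?P<base>[0-9A-Fa-f]+) value starts with: 4D5A$")
SECTION_RE = re.compile(r"^Source: (?P<src>.+?) Section loaded: NULL target: (?P<dst>.+?) protection: (?P<prot>.+)$")
APC_RE     = re.compile(r"^Source: (?P<src>.+?) Thread APC queued: target process: (?P<dst>.+)$")
CONTEXT_RE = re.compile(r"^Source: (?P<src>.+?) Thread register set: target process: (?P<dst>\S+)$")
CREATE_RE  = re.compile(r'^Source: (?P<src>.+?) Process created: (?P<dst>.+?) "')


def short(path):
    """Basename of a Windows path (os.path.basename does not split on '\\' on POSIX)."""
    return path.rsplit("\\", 1)[-1]


def parse_events(report_text):
    """Return (edges, syscalls, context_targets): edges are (src, dst, technique) in report order."""
    edges, context_targets = [], []
    syscalls = defaultdict(lambda: {"direct": [], "indirect": []})
    for line in report_text.splitlines():
        if m := SYSCALL_RE.match(line):
            kind = "direct" if m["kind"] == "Direct from" else "indirect"
            syscalls[short(m["src"])][kind].append((m["api"], int(m["addr"], 16)))
        elif m := PEWRITE_RE.match(line):
            edges.append((short(m["src"]), short(m["dst"]), "PE header written at 0x%X" % int(m["base"], 16)))
        elif m := SECTION_RE.match(line):
            edges.append((short(m["src"]), short(m["dst"]), "section mapped: " + m["prot"]))
        elif m := APC_RE.match(line):
            edges.append((short(m["src"]), short(m["dst"]), "APC queued"))
        elif m := CREATE_RE.match(line):
            edges.append((short(m["src"]), short(m["dst"]), "process created"))
        elif m := CONTEXT_RE.match(line):
            context_targets.append((short(m["src"]), "pid:" + m["dst"]))   # PID only, left unresolved
    return edges, dict(syscalls), context_targets


def injection_chain(edges, start):
    """Breadth-first walk from the submitted sample over write/map/APC/create edges."""
    order, queue = [start], [start]
    while queue:
        node = queue.pop(0)
        for src, dst, _ in edges:
            if src == node and dst not in order:
                order.append(dst)
                queue.append(dst)
    return order


def triage(report_text, start="TaojCblZKXL9OpS.exe"):
    edges, syscalls, ctx = parse_events(report_text)
    return {
        "chain": injection_chain(edges, start),
        "self_hollowing": any(s == d and t.startswith("PE header") for s, d, t in edges),
        "rwx_targets": sorted({d for _, d, t in edges if "execute" in t}),
        "direct_syscall_procs": sorted(p for p, k in syscalls.items() if k["direct"]),
        "indirect_syscall_procs": sorted(p for p, k in syscalls.items() if k["indirect"]),
        "context_hijack_targets": sorted({d for _, d in ctx}),
        "edges": edges,
    }


if __name__ == "__main__":
    t = triage(SAMPLE_REPORT)
    print(" -> ".join(t["chain"]))
    for key in ("self_hollowing", "rwx_targets", "direct_syscall_procs", "indirect_syscall_procs", "context_hijack_targets"):
        print(f"{key}: {t[key]}")
```

The chain it prints, TaojCblZKXL9OpS.exe -> RAVCpl64.exe -> cleanmgr.exe -> explorer.exe, is the list of processes whose memory needs dumping, and the split of syscall origins (direct from the Realtek host, indirect from the loader) tells you which process the native stage is running in by the time it starts avoiding ntdll.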

Stealing of Sensitive Information

Source: Yara match File source: 2.2.TaojCblZKXL9OpS.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.TaojCblZKXL9OpS.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000002.00000002.360221134076.0000000003FA0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.361767051155.0000000004880000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.360211048000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.361766387497.0000000002DE0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Source: Yara match File source: 2.2.TaojCblZKXL9OpS.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.TaojCblZKXL9OpS.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000002.00000002.360221134076.0000000003FA0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.361767051155.0000000004880000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.360211048000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.361766387497.0000000002DE0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
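The "Stealing of Sensitive Information" and "Remote Access Functionality" sections list the same six Yara sources, so the FormBook rule fires on two unpacked PE files and four memory dumps. The memory-dump names encode where each match sits. The script below is an added example, not Joe Sandbox tooling, and its reading of the dump-name fields is an assumption about the naming convention, not documented on this page: it takes the fields as process index, dump index, timestamp, base address, page protection and (two fields later) memory type, and leaves the two remaining fields undecoded. The reason that reading fits is that the protection and type fields only ever hold documented Windows constants (0x40 PAGE_EXECUTE_READWRITE, 0x04 PAGE_READWRITE, 0x20000 MEM_PRIVATE, 0x40000 MEM_MAPPED). Decoded that way, the match at 0x400000 in process 2 is executable, private memory rather than an image mapping, which is the memory-side counterpart of the "Memory written: base: 400000 value starts with: 4D5A" line in the HIPS section. The sample is a constructed copy of the six sources above plus two of the repeats, so de-duplication is part of the job.

```python
import re

# Constructed sample: the six Yara sources listed above plus two of their repeats
# (the page lists every source once per signature section).
SAMPLE_REPORT = """
Source: Yara match File source: 2.2.TaojCblZKXL9OpS.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.TaojCblZKXL9OpS.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000002.00000002.360221134076.0000000003FA0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.361767051155.0000000004880000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.360211048000.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.361766387497.0000000002DE0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 2.2.TaojCblZKXL9OpS.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000002.00000002.360221134076.0000000003FA0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
"""

YARA_RE = re.compile(r"^Source: Yara match File source: (?P<name>\S+), type: (?P<kind>\w+)$")
# Assumed field layout of a .sdmp name: proc.dump.timestamp.base.protect.<f5>.type.<f7>
SDMP_RE = re.compile(
    r"^(?P<proc>\d{8})\.(?P<dump>\d{8})\.(?P<ts>\d+)\.(?P<base>[0-9A-Fa-f]{16})\."
    r"(?P<protect>[0-9A-Fa-f]{8})\.(?P<f5>[0-9A-Fa-f]{8})\.(?P<mtype>[0-9A-Fa-f]{8})\.(?P<f7>[0-9A-Fa-f]{8})\.sdmp$"
)
# Assumed layout of an unpacked-PE name: proc.dump.<image>.<base>.<index>[.raw].unpack
UNPACK_RE = re.compile(r"^(?P<proc>\d+)\.(?P<dump>\d+)\.(?P<image>.+?)\.(?P<base>[0-9A-Fa-f]+)\.(?P<idx>\d+)\.(?P<raw>raw\.)?unpack$")

# Documented Windows constants (winnt.h), not values from this page.
PAGE_PROTECT = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE", 0x08: "PAGE_WRITECOPY",
    0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}
PAGE_EXEC_MASK = 0xF0   # every PAGE_EXECUTE* value lives in the high nibble


def protect_name(value):
    # Drop PAGE_GUARD / PAGE_NOCACHE / PAGE_WRITECOMBINE modifier bits above 0xFF.
    return PAGE_PROTECT.get(value & 0xFF, "0x%X" % value)


def type_name(value):
    return MEM_TYPE.get(value, "0x%X" % value)


def region_flags(protect, mtype):
    flags = []
    if protect & PAGE_EXEC_MASK:
        if mtype == 0x20000:
            flags.append("unbacked executable memory")   # private + executable: no file behind it
        elif mtype == 0x40000:
            flags.append("executable section mapping")   # section-backed, like the NULL-section maps above
    return flags


def decode_source(name, kind):
    if kind == "MEMORY" and (m := SDMP_RE.match(name)):
        protect, mtype = int(m["protect"], 16), int(m["mtype"], 16)
        return {"kind": kind, "proc": int(m["proc"]), "dump": int(m["dump"]), "base": int(m["base"], 16),
                "protect": protect_name(protect), "type": type_name(mtype), "flags": region_flags(protect, mtype)}
    if kind == "UNPACKEDPE" and (m := UNPACK_RE.match(name)):
        return {"kind": kind, "proc": int(m["proc"]), "dump": int(m["dump"]), "base": int(m["base"], 16),
                "image": m["image"], "raw": bool(m["raw"]), "flags": []}
    return {"kind": kind, "name": name, "flags": ["undecoded source name"]}


def triage(report_text):
    """Unique Yara sources, decoded, ordered by process index then base address."""
    seen = {}
    for line in report_text.splitlines():
        if (m := YARA_RE.match(line)) and m["name"] not in seen:
            seen[m["name"]] = decode_source(m["name"], m["kind"])
    return sorted(seen.values(), key=lambda r: (r.get("proc", -1), r.get("base", 0), r["kind"]))


if __name__ == "__main__":
    for r in triage(SAMPLE_REPORT):
        where = "0x%X" % r["base"] if "base" in r else r.get("name")
        print(f"proc {r.get('proc', '?')} {r['kind']:10} {where:>10} "
              f"{r.get('protect', '')} {r.get('type', '')} {', '.join(r['flags'])}")
```

For config extraction start from the .unpack file (the rebuilt PE); the memory rows are what tells you which processes hold the payload, here indexes 2 and 9, and which of those regions are executable without a file behind them.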
No contacted IP infos