Windows Analysis Report
Occipitomental.exe

Overview

General Information

Sample name: Occipitomental.exe
Analysis ID: 1539390
MD5: b0468f2993c4838126375529ccd4155a
SHA1: 5a4544bf78b831bfa3c74ecc0e3d742a43af1161
SHA256: 8d9dfd67ef81fae440a3cd1cfbcc57646407f4116bbdb64d31ca1a0d51e479b3
Tags: exe, GuLoader, user-malwarelabnet

Detection

FormBook, GuLoader
Score: 92
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected FormBook
Yara detected GuLoader
AI detected suspicious sample
Switches to a custom stack to bypass stack traces
Tries to detect virtualization through RDTSC time measurements
Abnormal high CPU Usage
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality to read the PEB
Contains functionality to shutdown / reboot the system
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Drops PE files
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
PE file contains executable resources (Code or Archives)
Sample file is different than original file name gathered from version info
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

AV Detection

Source: Occipitomental.exe Avira: detected
Source: Occipitomental.exe ReversingLabs: Detection: 60%
Source: Yara match File source: 00000006.00000002.3595105128.0000000035330000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: Occipitomental.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 142.250.186.78:443 -> 192.168.2.7:49971 version: TLS 1.2
Source: unknown HTTPS traffic detected: 142.250.186.97:443 -> 192.168.2.7:49972 version: TLS 1.2
Source: Occipitomental.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: mshtml.pdb source: Occipitomental.exe, 00000006.00000001.3062958359.0000000000649000.00000020.00000001.01000000.00000008.sdmp
Source: Binary string: wntdll.pdbUGP source: Occipitomental.exe, 00000006.00000002.3595143227.000000003582E000.00000040.00001000.00020000.00000000.sdmp, Occipitomental.exe, 00000006.00000003.3532410512.00000000354E2000.00000004.00000020.00020000.00000000.sdmp, Occipitomental.exe, 00000006.00000002.3595143227.0000000035690000.00000040.00001000.00020000.00000000.sdmp, Occipitomental.exe, 00000006.00000003.3530139121.000000003533E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: Occipitomental.exe, Occipitomental.exe, 00000006.00000002.3595143227.000000003582E000.00000040.00001000.00020000.00000000.sdmp, Occipitomental.exe, 00000006.00000003.3532410512.00000000354E2000.00000004.00000020.00020000.00000000.sdmp, Occipitomental.exe, 00000006.00000002.3595143227.0000000035690000.00000040.00001000.00020000.00000000.sdmp, Occipitomental.exe, 00000006.00000003.3530139121.000000003533E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mshtml.pdbUGP source: Occipitomental.exe, 00000006.00000001.3062958359.0000000000649000.00000020.00000001.01000000.00000008.sdmp
Source: C:\Users\user\Desktop\Occipitomental.exe Code function: 0_2_00406001 FindFirstFileA,FindClose, 0_2_00406001
Source: C:\Users\user\Desktop\Occipitomental.exe Code function: 0_2_00402688 FindFirstFileA, 0_2_00402688
Source: C:\Users\user\Desktop\Occipitomental.exe Code function: 0_2_0040559F GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose, 0_2_0040559F
Source: C:\Users\user\Desktop\Occipitomental.exe File opened: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache
Source: C:\Users\user\Desktop\Occipitomental.exe File opened: C:\Users\user
Source: C:\Users\user\Desktop\Occipitomental.exe File opened: C:\Users\user\AppData\Local\Microsoft
Source: C:\Users\user\Desktop\Occipitomental.exe File opened: C:\Users\user\AppData\Local\Microsoft\Windows
Source: C:\Users\user\Desktop\Occipitomental.exe File opened: C:\Users\user\AppData\Local
Source: C:\Users\user\Desktop\Occipitomental.exe File opened: C:\Users\user\AppData
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic HTTP traffic detected: GET /uc?export=download&id=145RJWuI0Ln_ShdahU_6lgTEtOh5H5P1H HTTP/1.1 User-Agent: 5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0 Host: drive.google.com Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /download?id=145RJWuI0Ln_ShdahU_6lgTEtOh5H5P1H&export=download HTTP/1.1 User-Agent: 5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0 Cache-Control: no-cache Host: drive.usercontent.google.com Connection: Keep-Alive
Source: global traffic DNS traffic detected: DNS query: drive.google.com
Source: global traffic DNS traffic detected: DNS query: drive.usercontent.google.com
Source: Occipitomental.exe String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: Occipitomental.exe String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: Occipitomental.exe, 00000006.00000001.3062958359.0000000000649000.00000020.00000001.01000000.00000008.sdmp String found in binary or memory: http://www.ftp.ftp://ftp.gopher.
Source: Occipitomental.exe, 00000006.00000001.3062958359.00000000005F2000.00000020.00000001.01000000.00000008.sdmp String found in binary or memory: http://www.w3c.org/TR/1999/REC-html401-19991224/frameset.dtd
Source: Occipitomental.exe, 00000006.00000001.3062958359.00000000005F2000.00000020.00000001.01000000.00000008.sdmp String found in binary or memory: http://www.w3c.org/TR/1999/REC-html401-19991224/loose.dtd
Source: Occipitomental.exe, 00000006.00000003.3142188696.0000000005643000.00000004.00000020.00020000.00000000.sdmp, Occipitomental.exe, 00000006.00000003.3142132922.0000000005643000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://apis.google.com
Source: Occipitomental.exe, 00000006.00000002.3576972256.00000000055FB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive.google.com/%v
Source: Occipitomental.exe, 00000006.00000002.3576972256.00000000055FB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive.google.com/5v-z
Source: Occipitomental.exe, 00000006.00000002.3576972256.0000000005613000.00000004.00000020.00020000.00000000.sdmp, Occipitomental.exe, 00000006.00000002.3576972256.00000000055FB000.00000004.00000020.00020000.00000000.sdmp, Occipitomental.exe, 00000006.00000002.3594761256.0000000034AB0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://drive.google.com/uc?export=download&id=145RJWuI0Ln_ShdahU_6lgTEtOh5H5P1H
Source: Occipitomental.exe, 00000006.00000002.3576972256.00000000055FB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive.google.com/uc?export=download&id=145RJWuI0Ln_ShdahU_6lgTEtOh5H5P1HQx
Source: Occipitomental.exe, 00000006.00000003.3150992362.0000000005643000.00000004.00000020.00020000.00000000.sdmp, Occipitomental.exe, 00000006.00000003.3530439708.0000000005640000.00000004.00000020.00020000.00000000.sdmp, Occipitomental.exe, 00000006.00000002.3577066328.0000000005643000.00000004.00000020.00020000.00000000.sdmp, Occipitomental.exe, 00000006.00000003.3530612351.0000000005640000.00000004.00000020.00020000.00000000.sdmp, Occipitomental.exe, 00000006.00000003.3182807402.0000000005643000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive.usercontent.google.com/
Source: Occipitomental.exe, 00000006.00000003.3572867436.000000000562D000.00000004.00000020.00020000.00000000.sdmp, Occipitomental.exe, 00000006.00000003.3142188696.0000000005643000.00000004.00000020.00020000.00000000.sdmp, Occipitomental.exe, 00000006.00000003.3150992362.0000000005643000.00000004.00000020.00020000.00000000.sdmp, Occipitomental.exe, 00000006.00000003.3530439708.0000000005640000.00000004.00000020.00020000.00000000.sdmp, Occipitomental.exe, 00000006.00000002.3577066328.0000000005643000.00000004.00000020.00020000.00000000.sdmp, Occipitomental.exe, 00000006.00000003.3530700388.000000000562D000.00000004.00000020.00020000.00000000.sdmp, Occipitomental.exe, 00000006.00000002.3577030199.000000000562D000.00000004.00000020.00020000.00000000.sdmp, Occipitomental.exe, 00000006.00000003.3530612351.0000000005640000.00000004.00000020.00020000.00000000.sdmp, Occipitomental.exe, 00000006.00000003.3182807402.0000000005643000.00000004.00000020.00020000.00000000.sdmp, Occipitomental.exe, 00000006.00000003.3142132922.0000000005643000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive.usercontent.google.com/download?id=145RJWuI0Ln_ShdahU_6lgTEtOh5H5P1H&export=download
Source: Occipitomental.exe, 00000006.00000003.3572867436.000000000562D000.00000004.00000020.00020000.00000000.sdmp, Occipitomental.exe, 00000006.00000003.3530700388.000000000562D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive.usercontent.google.com/download?id=145RJWuI0Ln_ShdahU_6lgTEtOh5H5P1H&export=download1
Source: Occipitomental.exe, 00000006.00000001.3062958359.0000000000649000.00000020.00000001.01000000.00000008.sdmp String found in binary or memory: https://inference.location.live.net/inferenceservice/v21/Pox/GetLocationUsingFingerprinte1e71f6b-214
Source: Occipitomental.exe, 00000006.00000003.3142188696.0000000005643000.00000004.00000020.00020000.00000000.sdmp, Occipitomental.exe, 00000006.00000003.3142132922.0000000005637000.00000004.00000020.00020000.00000000.sdmp, Occipitomental.exe, 00000006.00000003.3142132922.0000000005643000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ssl.gstatic.com
Source: Occipitomental.exe, 00000006.00000003.3142188696.0000000005643000.00000004.00000020.00020000.00000000.sdmp, Occipitomental.exe, 00000006.00000003.3142132922.0000000005637000.00000004.00000020.00020000.00000000.sdmp, Occipitomental.exe, 00000006.00000003.3142132922.0000000005643000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google-analytics.com;report-uri
Source: Occipitomental.exe, 00000006.00000003.3142188696.0000000005643000.00000004.00000020.00020000.00000000.sdmp, Occipitomental.exe, 00000006.00000003.3142132922.0000000005637000.00000004.00000020.00020000.00000000.sdmp, Occipitomental.exe, 00000006.00000003.3142132922.0000000005643000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com
Source: Occipitomental.exe, 00000006.00000003.3142188696.0000000005643000.00000004.00000020.00020000.00000000.sdmp, Occipitomental.exe, 00000006.00000003.3142132922.0000000005637000.00000004.00000020.00020000.00000000.sdmp, Occipitomental.exe, 00000006.00000003.3142132922.0000000005643000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.googletagmanager.com
Source: Occipitomental.exe, 00000006.00000003.3142188696.0000000005643000.00000004.00000020.00020000.00000000.sdmp, Occipitomental.exe, 00000006.00000003.3142132922.0000000005637000.00000004.00000020.00020000.00000000.sdmp, Occipitomental.exe, 00000006.00000003.3142132922.0000000005643000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.gstatic.com
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49972
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49971
Source: unknown Network traffic detected: HTTP traffic on port 49971 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49972 -> 443
Source: C:\Users\user\Desktop\Occipitomental.exe Code function: 0_2_00405054 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,LdrInitializeThunk,SendMessageA,CreatePopupMenu,LdrInitializeThunk,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,LdrInitializeThunk,SetClipboardData,CloseClipboard, 0_2_00405054

E-Banking Fraud

Source: Yara match File source: 00000006.00000002.3595105128.0000000035330000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

System Summary

Source: 00000006.00000002.3595105128.0000000035330000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: C:\Users\user\Desktop\Occipitomental.exe Process Stats: CPU usage > 49%
Source: C:\Users\user\Desktop\Occipitomental.exe Code function: 6_2_357035C0 NtCreateMutant,LdrInitializeThunk, 6_2_357035C0
Source: C:\Users\user\Desktop\Occipitomental.exe Code function: 6_2_35702DF0 NtQuerySystemInformation,LdrInitializeThunk, 6_2_35702DF0
Source: C:\Users\user\Desktop\Occipitomental.exe Code function: 6_2_35703010 NtOpenDirectoryObject, 6_2_35703010
Source: C:\Users\user\Desktop\Occipitomental.exe Code function: 6_2_35703090 NtSetValueKey, 6_2_35703090
Source: C:\Users\user\Desktop\Occipitomental.exe Code function: 6_2_35703D70 NtOpenThread, 6_2_35703D70
Source: C:\Users\user\Desktop\Occipitomental.exe Code function: 6_2_35703D10 NtOpenProcessToken, 6_2_35703D10
Source: C:\Users\user\Desktop\Occipitomental.exe Code function: 6_2_357039B0 NtGetContextThread, 6_2_357039B0
Source: C:\Users\user\Desktop\Occipitomental.exe Code function: 6_2_35704650 NtSuspendThread, 6_2_35704650
Source: C:\Users\user\Desktop\Occipitomental.exe Code function: 6_2_35704340 NtSetContextThread, 6_2_35704340
Source: C:\Users\user\Desktop\Occipitomental.exe Code function: 6_2_35702D30 NtUnmapViewOfSection, 6_2_35702D30
Source: C:\Users\user\Desktop\Occipitomental.exe Code function: 6_2_35702D10 NtMapViewOfSection, 6_2_35702D10
Source: C:\Users\user\Desktop\Occipitomental.exe Code function: 6_2_35702D00 NtSetInformationFile, 6_2_35702D00
Source: C:\Users\user\Desktop\Occipitomental.exe Code function: 6_2_35702DD0 NtDelayExecution, 6_2_35702DD0
Source: C:\Users\user\Desktop\Occipitomental.exe Code function: 6_2_35702DB0 NtEnumerateKey, 6_2_35702DB0
Source: C:\Users\user\Desktop\Occipitomental.exe Code function: 6_2_35702C70 NtFreeVirtualMemory, 6_2_35702C70
Source: C:\Users\user\Desktop\Occipitomental.exe Code function: 6_2_35702C60 NtCreateKey, 6_2_35702C60
Source: C:\Users\user\Desktop\Occipitomental.exe Code function: 6_2_35702C00 NtQueryInformationProcess, 6_2_35702C00
Source: C:\Users\user\Desktop\Occipitomental.exe Code function: 6_2_35702CF0 NtOpenProcess, 6_2_35702CF0
Source: C:\Users\user\Desktop\Occipitomental.exe Code function: 6_2_35702CC0 NtQueryVirtualMemory, 6_2_35702CC0
Source: C:\Users\user\Desktop\Occipitomental.exe Code function: 6_2_35702CA0 NtQueryInformationToken, 6_2_35702CA0
Source: C:\Users\user\Desktop\Occipitomental.exe Code function: 6_2_35702F60 NtCreateProcessEx, 6_2_35702F60
Source: C:\Users\user\Desktop\Occipitomental.exe Code function: 6_2_35702F30 NtCreateSection, 6_2_35702F30
Source: C:\Users\user\Desktop\Occipitomental.exe Code function: 6_2_35702FE0 NtCreateFile, 6_2_35702FE0
Source: C:\Users\user\Desktop\Occipitomental.exe Code function: 6_2_35702FB0 NtResumeThread, 6_2_35702FB0
Source: C:\Users\user\Desktop\Occipitomental.exe Code function: 6_2_35702FA0 NtQuerySection, 6_2_35702FA0
Source: C:\Users\user\Desktop\Occipitomental.exe Code function: 6_2_35702F90 NtProtectVirtualMemory, 6_2_35702F90
Source: C:\Users\user\Desktop\Occipitomental.exe Code function: 6_2_35702E30 NtWriteVirtualMemory, 6_2_35702E30
Source: C:\Users\user\Desktop\Occipitomental.exe Code function: 6_2_35702EE0 NtQueueApcThread, 6_2_35702EE0
Source: C:\Users\user\Desktop\Occipitomental.exe Code function: 6_2_35702EA0 NtAdjustPrivilegesToken, 6_2_35702EA0
Source: C:\Users\user\Desktop\Occipitomental.exe Code function: 6_2_35702E80 NtReadVirtualMemory, 6_2_35702E80
Source: C:\Users\user\Desktop\Occipitomental.exe Code function: 6_2_35702B60 NtClose, 6_2_35702B60
Source: C:\Users\user\Desktop\Occipitomental.exe Code function: 6_2_35702BF0 NtAllocateVirtualMemory, 6_2_35702BF0
Source: C:\Users\user\Desktop\Occipitomental.exe Code function: 6_2_35702BE0 NtQueryValueKey, 6_2_35702BE0
Source: C:\Users\user\Desktop\Occipitomental.exe Code function: 6_2_35702BA0 NtEnumerateValueKey, 6_2_35702BA0
Source: C:\Users\user\Desktop\Occipitomental.exe Code function: 6_2_35702B80 NtQueryInformationFile, 6_2_35702B80
Source: C:\Users\user\Desktop\Occipitomental.exe Code function: 6_2_35702AF0 NtWriteFile, 6_2_35702AF0
Source: C:\Users\user\Desktop\Occipitomental.exe Code function: 6_2_35702AD0 NtReadFile, 6_2_35702AD0
Source: C:\Users\user\Desktop\Occipitomental.exe Code function: 6_2_35702AB0 NtWaitForSingleObject, 6_2_35702AB0
Source: C:\Users\user\Desktop\Occipitomental.exe Code function: 0_2_004030D9 EntryPoint,SetErrorMode,GetVersion,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,LdrInitializeThunk,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,LdrInitializeThunk,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 0_2_004030D9
Source: C:\Users\user\Desktop\Occipitomental.exe File created: C:\Windows\resources\0809
Source: C:\Users\user\Desktop\Occipitomental.exe Code function: String function: 35705130 appears 58 times
Source: C:\Users\user\Desktop\Occipitomental.exe Code function: String function: 3573EA12 appears 82 times
Source: C:\Users\user\Desktop\Occipitomental.exe Code function: String function: 3574F290 appears 103 times
Source: C:\Users\user\Desktop\Occipitomental.exe Code function: String function: 356BB970 appears 277 times
Source: C:\Users\user\Desktop\Occipitomental.exe Code function: String function: 35717E54 appears 111 times
Source: Occipitomental.exe Static PE information: invalid certificate
Source: Occipitomental.exe Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: Occipitomental.exe, 00000006.00000003.3530139121.0000000035461000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs Occipitomental.exe
Source: Occipitomental.exe, 00000006.00000002.3595143227.0000000035961000.00000040.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs Occipitomental.exe
Source: Occipitomental.exe, 00000006.00000003.3532410512.000000003560F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs Occipitomental.exe
Source: 00000006.00000002.3595105128.0000000035330000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: classification engine Classification label: mal92.troj.evad.winEXE@3/9@2/2
Source: C:\Users\user\Desktop\Occipitomental.exe Code function: 0_2_00404320 GetDlgItem,SetWindowTextA,LdrInitializeThunk,LdrInitializeThunk,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,LdrInitializeThunk,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA, 0_2_00404320
Source: C:\Users\user\Desktop\Occipitomental.exe Code function: 0_2_0040205E LdrInitializeThunk,CoCreateInstance,MultiByteToWideChar,LdrInitializeThunk, 0_2_0040205E
Source: C:\Users\user\Desktop\Occipitomental.exe File created: C:\Users\user\AppData\Local\barberknivene
Source: C:\Users\user\Desktop\Occipitomental.exe File created: C:\Users\user~1\AppData\Local\Temp\nsiA158.tmp
Source: Occipitomental.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Occipitomental.exe File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\Occipitomental.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: Occipitomental.exe ReversingLabs: Detection: 60%
Source: C:\Users\user\Desktop\Occipitomental.exe File read: C:\Users\user\Desktop\Occipitomental.exe
Source: unknown Process created: C:\Users\user\Desktop\Occipitomental.exe "C:\Users\user\Desktop\Occipitomental.exe"
Source: C:\Users\user\Desktop\Occipitomental.exe Process created: C:\Users\user\Desktop\Occipitomental.exe "C:\Users\user\Desktop\Occipitomental.exe"
Source: C:\Users\user\Desktop\Occipitomental.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\Occipitomental.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\Occipitomental.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\Occipitomental.exe Section loaded: shfolder.dll
Source: C:\Users\user\Desktop\Occipitomental.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\Occipitomental.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\Occipitomental.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\Occipitomental.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\Occipitomental.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\Occipitomental.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\Occipitomental.exe Section loaded: powrprof.dll
Source: C:\Users\user\Desktop\Occipitomental.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\Occipitomental.exe Section loaded: wkscli.dll
Source: C:\Users\user\Desktop\Occipitomental.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\Occipitomental.exe Section loaded: umpdc.dll
Source: C:\Users\user\Desktop\Occipitomental.exe Section loaded: wininet.dll
Source: C:\Users\user\Desktop\Occipitomental.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\Occipitomental.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\Occipitomental.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\Occipitomental.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\Occipitomental.exe Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\Occipitomental.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\Occipitomental.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\Occipitomental.exe Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\Occipitomental.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\Occipitomental.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\Occipitomental.exe Section loaded: schannel.dll
Source: C:\Users\user\Desktop\Occipitomental.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\Occipitomental.exe Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\Occipitomental.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\Occipitomental.exe Section loaded: dpapi.dll
Source: C:\Users\user\Desktop\Occipitomental.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\Occipitomental.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\Occipitomental.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\Occipitomental.exe Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\Occipitomental.exe Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\Occipitomental.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\Occipitomental.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: C:\Users\user\Desktop\Occipitomental.exe File written: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\engelskgrs.ini
Source: Occipitomental.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: mshtml.pdb source: Occipitomental.exe, 00000006.00000001.3062958359.0000000000649000.00000020.00000001.01000000.00000008.sdmp
Source: Binary string: wntdll.pdbUGP source: Occipitomental.exe, 00000006.00000002.3595143227.000000003582E000.00000040.00001000.00020000.00000000.sdmp, Occipitomental.exe, 00000006.00000003.3532410512.00000000354E2000.00000004.00000020.00020000.00000000.sdmp, Occipitomental.exe, 00000006.00000002.3595143227.0000000035690000.00000040.00001000.00020000.00000000.sdmp, Occipitomental.exe, 00000006.00000003.3530139121.000000003533E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: Occipitomental.exe, Occipitomental.exe, 00000006.00000002.3595143227.000000003582E000.00000040.00001000.00020000.00000000.sdmp, Occipitomental.exe, 00000006.00000003.3532410512.00000000354E2000.00000004.00000020.00020000.00000000.sdmp, Occipitomental.exe, 00000006.00000002.3595143227.0000000035690000.00000040.00001000.00020000.00000000.sdmp, Occipitomental.exe, 00000006.00000003.3530139121.000000003533E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mshtml.pdbUGP source: Occipitomental.exe, 00000006.00000001.3062958359.0000000000649000.00000020.00000001.01000000.00000008.sdmp

Data Obfuscation

Source: Yara match File source: 00000006.00000002.3573012029.000000000215F000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.3064036852.0000000003A2F000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: C:\Users\user\Desktop\Occipitomental.exe Code function: 0_2_10001A5D GlobalAlloc,lstrcpyA,lstrcpyA,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,LdrInitializeThunk,LdrInitializeThunk,lstrcpyA,GetModuleHandleA,LoadLibraryA,GetProcAddress,lstrlenA, 0_2_10001A5D
Source: C:\Users\user\Desktop\Occipitomental.exe Code function: 0_2_10002D20 push eax; ret 0_2_10002D4E
Source: C:\Users\user\Desktop\Occipitomental.exe Code function: 6_2_3569135D push eax; iretd 6_2_35691369
Source: C:\Users\user\Desktop\Occipitomental.exe Code function: 6_2_356927FA pushad ; ret 6_2_356927F9
Source: C:\Users\user\Desktop\Occipitomental.exe Code function: 6_2_3569225F pushad ; ret 6_2_356927F9
Source: C:\Users\user\Desktop\Occipitomental.exe Code function: 6_2_356C09AD push ecx; mov dword ptr [esp], ecx 6_2_356C09B6
Source: C:\Users\user\Desktop\Occipitomental.exe Code function: 6_2_3569283D push eax; iretd 6_2_35692858
Source: C:\Users\user\Desktop\Occipitomental.exe File created: C:\Users\user\AppData\Local\Temp\nslA8AC.tmp\System.dll
Source: C:\Users\user\Desktop\Occipitomental.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\engelskgrs.ini
Source: C:\Users\user\Desktop\Occipitomental.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\Occipitomental.exe API/Special instruction interceptor: Address: 4007380
Source: C:\Users\user\Desktop\Occipitomental.exe API/Special instruction interceptor: Address: 2737380
Source: C:\Users\user\Desktop\Occipitomental.exe RDTSC instruction interceptor: First address: 3FE2BFC second address: 3FE2BFC instructions: 0x00000000 rdtsc 0x00000002 cmp ebx, ecx 0x00000004 jc 00007F2CE052440Ah 0x00000006 inc ebp 0x00000007 inc ebx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\Occipitomental.exe RDTSC instruction interceptor: First address: 2712BFC second address: 2712BFC instructions: 0x00000000 rdtsc 0x00000002 cmp ebx, ecx 0x00000004 jc 00007F2CE0D2C8FAh 0x00000006 inc ebp 0x00000007 inc ebx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\Occipitomental.exe Code function: 6_2_357916A6 rdtsc 6_2_357916A6
Source: C:\Users\user\Desktop\Occipitomental.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nslA8AC.tmp\System.dll
Source: C:\Users\user\Desktop\Occipitomental.exe API coverage: 0.1 %
Source: C:\Users\user\Desktop\Occipitomental.exe TID: 7808 Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\Desktop\Occipitomental.exe Code function: 0_2_00406001 FindFirstFileA,FindClose, 0_2_00406001
Source: C:\Users\user\Desktop\Occipitomental.exe Code function: 0_2_00402688 FindFirstFileA, 0_2_00402688
Source: C:\Users\user\Desktop\Occipitomental.exe Code function: 0_2_0040559F GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose, 0_2_0040559F
Source: C:\Users\user\Desktop\Occipitomental.exe File opened: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache
Source: C:\Users\user\Desktop\Occipitomental.exe File opened: C:\Users\user
Source: C:\Users\user\Desktop\Occipitomental.exe File opened: C:\Users\user\AppData\Local\Microsoft
Source: C:\Users\user\Desktop\Occipitomental.exe File opened: C:\Users\user\AppData\Local\Microsoft\Windows
Source: C:\Users\user\Desktop\Occipitomental.exe File opened: C:\Users\user\AppData\Local
Source: C:\Users\user\Desktop\Occipitomental.exe File opened: C:\Users\user\AppData
Source: Occipitomental.exe, 00000006.00000002.3576972256.00000000055FB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWx@c
Source: Occipitomental.exe, 00000006.00000003.3572867436.000000000562D000.00000004.00000020.00020000.00000000.sdmp, Occipitomental.exe, 00000006.00000003.3530700388.000000000562D000.00000004.00000020.00020000.00000000.sdmp, Occipitomental.exe, 00000006.00000002.3577030199.000000000562D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: Occipitomental.exe, 00000006.00000003.3572867436.000000000562D000.00000004.00000020.00020000.00000000.sdmp, Occipitomental.exe, 00000006.00000003.3530700388.000000000562D000.00000004.00000020.00020000.00000000.sdmp, Occipitomental.exe, 00000006.00000002.3577030199.000000000562D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW"
Source: C:\Users\user\Desktop\Occipitomental.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\Occipitomental.exe Code function: 0_2_00401751 lstrcatA,CompareFileTime,LdrInitializeThunk,SetFileTime,CloseHandle,lstrcatA, 0_2_00401751
Source: C:\Users\user\Desktop\Occipitomental.exe Code function: 6_2_356BB562 mov eax, dword ptr fs:[00000030h] 6_2_356BB562
Source: C:\Users\user\Desktop\Occipitomental.exe Code function: 6_2_356ED6E0 mov eax, dword ptr fs:[00000030h] 6_2_356ED6E0
Source: C:\Users\user\Desktop\Occipitomental.exe Code function: 6_2_356ED6E0 mov eax, dword ptr fs:[00000030h] 6_2_356ED6E0
Source: C:\Users\user\Desktop\Occipitomental.exe Code function: 6_2_357536EE mov eax, dword ptr fs:[00000030h] 6_2_357536EE
Source: C:\Users\user\Desktop\Occipitomental.exe Code function: 6_2_357536EE mov eax, dword ptr fs:[00000030h] 6_2_357536EE
Source: C:\Users\user\Desktop\Occipitomental.exe Code function: 6_2_357536EE mov eax, dword ptr fs:[00000030h] 6_2_357536EE
Source: C:\Users\user\Desktop\Occipitomental.exe Code function: 6_2_357536EE mov eax, dword ptr fs:[00000030h] 6_2_357536EE
Source: C:\Users\user\Desktop\Occipitomental.exe Code function: 6_2_357536EE mov eax, dword ptr fs:[00000030h] 6_2_357536EE
Source: C:\Users\user\Desktop\Occipitomental.exe Code function: 6_2_357536EE mov eax, dword ptr fs:[00000030h] 6_2_357536EE
Source: C:\Users\user\Desktop\Occipitomental.exe Code function: 6_2_356F16CF mov eax, dword ptr fs:[00000030h] 6_2_356F16CF
Source: C:\Users\user\Desktop\Occipitomental.exe Code function: 6_2_356CB6C0 mov eax, dword ptr fs:[00000030h] 6_2_356CB6C0
Source: C:\Users\user\Desktop\Occipitomental.exe Code function: 6_2_356CB6C0 mov eax, dword ptr fs:[00000030h] 6_2_356CB6C0
Source: C:\Users\user\Desktop\Occipitomental.exe Code function: 6_2_356CB6C0 mov eax, dword ptr fs:[00000030h] 6_2_356CB6C0
Source: C:\Users\user\Desktop\Occipitomental.exe Code function: 6_2_356CB6C0 mov eax, dword ptr fs:[00000030h] 6_2_356CB6C0
Source: C:\Users\user\Desktop\Occipitomental.exe Code function: 6_2_356CB6C0 mov eax, dword ptr fs:[00000030h] 6_2_356CB6C0
Source: C:\Users\user\Desktop\Occipitomental.exe Code function: 6_2_356CB6C0 mov eax, dword ptr fs:[00000030h] 6_2_356CB6C0
Source: C:\Users\user\Desktop\Occipitomental.exe Code function: 6_2_3577F6C7 mov eax, dword ptr fs:[00000030h] 6_2_3577F6C7
Source: C:\Users\user\Desktop\Occipitomental.exe Code function: 6_2_357816CC mov eax, dword ptr fs:[00000030h] 6_2_357816CC
Source: C:\Users\user\Desktop\Occipitomental.exe Code function: 6_2_357816CC mov eax, dword ptr fs:[00000030h] 6_2_357816CC
Source: C:\Users\user\Desktop\Occipitomental.exe Code function: 6_2_357816CC mov eax, dword ptr fs:[00000030h] 6_2_357816CC
Source: C:\Users\user\Desktop\Occipitomental.exe Code function: 6_2_357816CC mov eax, dword ptr fs:[00000030h] 6_2_357816CC
Source: C:\Users\user\Desktop\Occipitomental.exe Code function: 6_2_356BD6AA mov eax, dword ptr fs:[00000030h] 6_2_356BD6AA
Source: C:\Users\user\Desktop\Occipitomental.exe Code function: 6_2_356BD6AA mov eax, dword ptr fs:[00000030h] 6_2_356BD6AA
Source: C:\Users\user\Desktop\Occipitomental.exe Code function: 6_2_356B76B2 mov eax, dword ptr fs:[00000030h] 6_2_356B76B2
Source: C:\Users\user\Desktop\Occipitomental.exe Code function: 6_2_356B76B2 mov eax, dword ptr fs:[00000030h] 6_2_356B76B2
Source: C:\Users\user\Desktop\Occipitomental.exe Code function: 6_2_356B76B2 mov eax, dword ptr fs:[00000030h] 6_2_356B76B2
Source: C:\Users\user\Desktop\Occipitomental.exe Code function: 6_2_3574368C mov eax, dword ptr fs:[00000030h] 6_2_3574368C
Source: C:\Users\user\Desktop\Occipitomental.exe Code function: 6_2_3574368C mov eax, dword ptr fs:[00000030h] 6_2_3574368C
Source: C:\Users\user\Desktop\Occipitomental.exe Code function: 6_2_3574368C mov eax, dword ptr fs:[00000030h] 6_2_3574368C
Source: C:\Users\user\Desktop\Occipitomental.exe Code function: 6_2_3574368C mov eax, dword ptr fs:[00000030h] 6_2_3574368C
Source: C:\Users\user\Desktop\Occipitomental.exe Code function: 6_2_35759179 mov eax, dword ptr fs:[00000030h] 6_2_35759179
Source: C:\Users\user\Desktop\Occipitomental.exe Code function: 6_2_356BF172 mov eax, dword ptr fs:[00000030h] 6_2_356BF172
Source: C:\Users\user\Desktop\Occipitomental.exe Code function: 6_2_356BF172 mov eax, dword ptr fs:[00000030h] 6_2_356BF172
Source: C:\Users\user\Desktop\Occipitomental.exe Code function: 6_2_356BF172 mov eax, dword ptr fs:[00000030h] 6_2_356BF172
Source: C:\Users\user\Desktop\Occipitomental.exe Code function: 6_2_356BF172 mov eax, dword ptr fs:[00000030h] 6_2_356BF172
Source: C:\Users\user\Desktop\Occipitomental.exe Code function: 6_2_356BF172 mov eax, dword ptr fs:[00000030h] 6_2_356BF172
Source: C:\Users\user\Desktop\Occipitomental.exe Code function: 6_2_356BF172 mov eax, dword ptr fs:[00000030h] 6_2_356BF172
Source: C:\Users\user\Desktop\Occipitomental.exe Code function: 6_2_356BF172 mov eax, dword ptr fs:[00000030h] 6_2_356BF172
Source: C:\Users\user\Desktop\Occipitomental.exe Code function: 6_2_356BF172 mov eax, dword ptr fs:[00000030h] 6_2_356BF172
Source: C:\Users\user\Desktop\Occipitomental.exe Code function: 6_2_356BF172 mov eax, dword ptr fs:[00000030h] 6_2_356BF172
Source: C:\Users\user\Desktop\Occipitomental.exe Code function: 6_2_356BF172 mov eax, dword ptr fs:[00000030h] 6_2_356BF172
Source: C:\Users\user\Desktop\Occipitomental.exe Code function: 6_2_356BF172 mov eax, dword ptr fs:[00000030h] 6_2_356BF172
Source: C:\Users\user\Desktop\Occipitomental.exe Code function: 6_2_356BF172 mov eax, dword ptr fs:[00000030h] 6_2_356BF172
Source: C:\Users\user\Desktop\Occipitomental.exe Code function: 6_2_356BF172 mov eax, dword ptr fs:[00000030h] 6_2_356BF172
Source: C:\Users\user\Desktop\Occipitomental.exe Code function: 6_2_356BF172 mov eax, dword ptr fs:[00000030h] 6_2_356BF172
Source: C:\Users\user\Desktop\Occipitomental.exe Code function: 6_2_356BF172 mov eax, dword ptr fs:[00000030h] 6_2_356BF172
Source: C:\Users\user\Desktop\Occipitomental.exe Code function: 6_2_356BF172 mov eax, dword ptr fs:[00000030h] 6_2_356BF172
Source: C:\Users\user\Desktop\Occipitomental.exe Code function: 6_2_356BF172 mov eax, dword ptr fs:[00000030h] 6_2_356BF172
Source: C:\Users\user\Desktop\Occipitomental.exe Code function: 6_2_356BF172 mov eax, dword ptr fs:[00000030h] 6_2_356BF172
Source: C:\Users\user\Desktop\Occipitomental.exe Code function: 6_2_356BF172 mov eax, dword ptr fs:[00000030h] 6_2_356BF172
Source: C:\Users\user\Desktop\Occipitomental.exe Code function: 6_2_356BF172 mov eax, dword ptr fs:[00000030h] 6_2_356BF172
Source: C:\Users\user\Desktop\Occipitomental.exe Code function: 6_2_356BF172 mov eax, dword ptr fs:[00000030h] 6_2_356BF172
Source: C:\Users\user\Desktop\Occipitomental.exe Code function: 6_2_356B9148 mov eax, dword ptr fs:[00000030h] 6_2_356B9148
Source: C:\Users\user\Desktop\Occipitomental.exe Code function: 6_2_356B9148 mov eax, dword ptr fs:[00000030h] 6_2_356B9148
Source: C:\Users\user\Desktop\Occipitomental.exe Code function: 6_2_356B9148 mov eax, dword ptr fs:[00000030h] 6_2_356B9148
Source: C:\Users\user\Desktop\Occipitomental.exe Code function: 6_2_356B9148 mov eax, dword ptr fs:[00000030h] 6_2_356B9148
Source: C:\Users\user\Desktop\Occipitomental.exe Code function: 6_2_35795152 mov eax, dword ptr fs:[00000030h] 6_2_35795152
Source: C:\Users\user\Desktop\Occipitomental.exe Code function: 6_2_35753140 mov eax, dword ptr fs:[00000030h] 6_2_35753140
Source: C:\Users\user\Desktop\Occipitomental.exe Code function: 6_2_35753140 mov eax, dword ptr fs:[00000030h] 6_2_35753140
Source: C:\Users\user\Desktop\Occipitomental.exe Code function: 6_2_35753140 mov eax, dword ptr fs:[00000030h] 6_2_35753140
Source: C:\Users\user\Desktop\Occipitomental.exe Code function: 6_2_356C7152 mov eax, dword ptr fs:[00000030h] 6_2_356C7152
Source: C:\Users\user\Desktop\Occipitomental.exe Code function: 6_2_35797120 mov eax, dword ptr fs:[00000030h] 6_2_35797120
Source: C:\Users\user\Desktop\Occipitomental.exe Code function: 6_2_356C1131 mov eax, dword ptr fs:[00000030h] 6_2_356C1131
Source: C:\Users\user\Desktop\Occipitomental.exe Code function: 6_2_356C1131 mov eax, dword ptr fs:[00000030h] 6_2_356C1131
Source: C:\Users\user\Desktop\Occipitomental.exe Code function: 6_2_356BB136 mov eax, dword ptr fs:[00000030h] 6_2_356BB136
Source: C:\Users\user\Desktop\Occipitomental.exe Code function: 6_2_356BB136 mov eax, dword ptr fs:[00000030h] 6_2_356BB136
Source: C:\Users\user\Desktop\Occipitomental.exe Code function: 6_2_356BB136 mov eax, dword ptr fs:[00000030h] 6_2_356BB136
Source: C:\Users\user\Desktop\Occipitomental.exe Code function: 6_2_356BB136 mov eax, dword ptr fs:[00000030h] 6_2_356BB136
Source: C:\Users\user\Desktop\Occipitomental.exe Code function: 6_2_356E51EF mov eax, dword ptr fs:[00000030h] 6_2_356E51EF
Source: C:\Users\user\Desktop\Occipitomental.exe Code function: 6_2_356E51EF mov eax, dword ptr fs:[00000030h] 6_2_356E51EF
Source: C:\Users\user\Desktop\Occipitomental.exe Code function: 6_2_356E51EF mov eax, dword ptr fs:[00000030h] 6_2_356E51EF
Source: C:\Users\user\Desktop\Occipitomental.exe Code function: 6_2_356E51EF mov eax, dword ptr fs:[00000030h] 6_2_356E51EF
Source: C:\Users\user\Desktop\Occipitomental.exe Code function: 6_2_356E51EF mov eax, dword ptr fs:[00000030h] 6_2_356E51EF
Source: C:\Users\user\Desktop\Occipitomental.exe Code function: 6_2_356E51EF mov eax, dword ptr fs:[00000030h] 6_2_356E51EF
Source: C:\Users\user\Desktop\Occipitomental.exe Code function: 6_2_356E51EF mov eax, dword ptr fs:[00000030h] 6_2_356E51EF
Source: C:\Users\user\Desktop\Occipitomental.exe Code function: 6_2_356E51EF mov eax, dword ptr fs:[00000030h] 6_2_356E51EF
Source: C:\Users\user\Desktop\Occipitomental.exe Code function: 6_2_356E51EF mov eax, dword ptr fs:[00000030h] 6_2_356E51EF
Source: C:\Users\user\Desktop\Occipitomental.exe Code function: 6_2_356E51EF mov eax, dword ptr fs:[00000030h] 6_2_356E51EF
Source: C:\Users\user\Desktop\Occipitomental.exe Code function: 6_2_356E51EF mov eax, dword ptr fs:[00000030h] 6_2_356E51EF
Source: C:\Users\user\Desktop\Occipitomental.exe Code function: 6_2_356E51EF mov eax, dword ptr fs:[00000030h] 6_2_356E51EF
Source: C:\Users\user\Desktop\Occipitomental.exe Code function: 6_2_356E51EF mov eax, dword ptr fs:[00000030h] 6_2_356E51EF
Source: C:\Users\user\Desktop\Occipitomental.exe Code function: 6_2_356C51ED mov eax, dword ptr fs:[00000030h] 6_2_356C51ED
Source: C:\Users\user\Desktop\Occipitomental.exe Code function: 6_2_357671F9 mov esi, dword ptr fs:[00000030h] 6_2_357671F9
Source: C:\Users\user\Desktop\Occipitomental.exe Code function: 6_2_357931E1 mov eax, dword ptr fs:[00000030h] 6_2_357931E1
Source: C:\Users\user\Desktop\Occipitomental.exe Code function: 6_2_357951CB mov eax, dword ptr fs:[00000030h] 6_2_357951CB
Source: C:\Users\user\Desktop\Occipitomental.exe Code function: 6_2_356FD1D0 mov eax, dword ptr fs:[00000030h] 6_2_356FD1D0
Source: C:\Users\user\Desktop\Occipitomental.exe Code function: 6_2_356FD1D0 mov ecx, dword ptr fs:[00000030h] 6_2_356FD1D0
Source: C:\Users\user\Desktop\Occipitomental.exe Code function: 6_2_357711A4 mov eax, dword ptr fs:[00000030h] 6_2_357711A4
Source: C:\Users\user\Desktop\Occipitomental.exe Code function: 6_2_357711A4 mov eax, dword ptr fs:[00000030h] 6_2_357711A4
Source: C:\Users\user\Desktop\Occipitomental.exe Code function: 6_2_357711A4 mov eax, dword ptr fs:[00000030h] 6_2_357711A4
Source: C:\Users\user\Desktop\Occipitomental.exe Code function: 6_2_357711A4 mov eax, dword ptr fs:[00000030h] 6_2_357711A4
Source: C:\Users\user\Desktop\Occipitomental.exe Code function: 6_2_356DB1B0 mov eax, dword ptr fs:[00000030h] 6_2_356DB1B0
Source: C:\Users\user\Desktop\Occipitomental.exe Code function: 6_2_35717190 mov eax, dword ptr fs:[00000030h] 6_2_35717190
Source: C:\Users\user\Desktop\Occipitomental.exe Code function: 6_2_35775180 mov eax, dword ptr fs:[00000030h] 6_2_35775180
Source: C:\Users\user\Desktop\Occipitomental.exe Code function: 6_2_35775180 mov eax, dword ptr fs:[00000030h] 6_2_35775180
Source: C:\Users\user\Desktop\Occipitomental.exe Code function: 6_2_3573D070 mov ecx, dword ptr fs:[00000030h] 6_2_3573D070
Source: C:\Users\user\Desktop\Occipitomental.exe Code function: 6_2_35795060 mov eax, dword ptr fs:[00000030h] 6_2_35795060
Source: C:\Users\user\Desktop\Occipitomental.exe Code function: 6_2_3574106E mov eax, dword ptr fs:[00000030h] 6_2_3574106E
Source: C:\Users\user\Desktop\Occipitomental.exe Code function: 6_2_356D1070 mov eax, dword ptr fs:[00000030h] 6_2_356D1070
Source: C:\Users\user\Desktop\Occipitomental.exe Code function: 6_2_356D1070 mov ecx, dword ptr fs:[00000030h] 6_2_356D1070
Source: C:\Users\user\Desktop\Occipitomental.exe Code function: 6_2_356D1070 mov eax, dword ptr fs:[00000030h] 6_2_356D1070
Source: C:\Users\user\Desktop\Occipitomental.exe Code function: 6_2_356D1070 mov eax, dword ptr fs:[00000030h] 6_2_356D1070
Source: C:\Users\user\Desktop\Occipitomental.exe Code function: 6_2_356D1070 mov eax, dword ptr fs:[00000030h] 6_2_356D1070
Source: C:\Users\user\Desktop\Occipitomental.exe Code function: 6_2_356D1070 mov eax, dword ptr fs:[00000030h] 6_2_356D1070
Source: C:\Users\user\Desktop\Occipitomental.exe Code function: 6_2_356D1070 mov eax, dword ptr fs:[00000030h] 6_2_356D1070
Source: C:\Users\user\Desktop\Occipitomental.exe Code function: 6_2_356D1070 mov eax, dword ptr fs:[00000030h] 6_2_356D1070
Source: C:\Users\user\Desktop\Occipitomental.exe Code function: 6_2_356D1070 mov eax, dword ptr fs:[00000030h] 6_2_356D1070
Source: C:\Users\user\Desktop\Occipitomental.exe Code function: 6_2_356D1070 mov eax, dword ptr fs:[00000030h] 6_2_356D1070
Source: C:\Users\user\Desktop\Occipitomental.exe Code function: 6_2_356D1070 mov eax, dword ptr fs:[00000030h] 6_2_356D1070
Source: C:\Users\user\Desktop\Occipitomental.exe Code function: 6_2_356D1070 mov eax, dword ptr fs:[00000030h] 6_2_356D1070
Source: C:\Users\user\Desktop\Occipitomental.exe Code function: 6_2_356D1070 mov eax, dword ptr fs:[00000030h] 6_2_356D1070
Source: C:\Users\user\Desktop\Occipitomental.exe Code function: 6_2_3576705E mov ebx, dword ptr fs:[00000030h] 6_2_3576705E
Source: C:\Users\user\Desktop\Occipitomental.exe Code function: 6_2_3576705E mov eax, dword ptr fs:[00000030h] 6_2_3576705E
Source: C:\Users\user\Desktop\Occipitomental.exe Code function: 6_2_356EB052 mov eax, dword ptr fs:[00000030h] 6_2_356EB052
Source: C:\Users\user\Desktop\Occipitomental.exe Code function: 6_2_3578903E mov eax, dword ptr fs:[00000030h] 6_2_3578903E
Source: C:\Users\user\Desktop\Occipitomental.exe Code function: 6_2_3578903E mov eax, dword ptr fs:[00000030h] 6_2_3578903E
Source: C:\Users\user\Desktop\Occipitomental.exe Code function: 6_2_3578903E mov eax, dword ptr fs:[00000030h] 6_2_3578903E
Source: C:\Users\user\Desktop\Occipitomental.exe Code function: 6_2_3578903E mov eax, dword ptr fs:[00000030h] 6_2_3578903E
Source: C:\Users\user\Desktop\Occipitomental.exe Code function: 6_2_356E50E4 mov eax, dword ptr fs:[00000030h] 6_2_356E50E4
Source: C:\Users\user\Desktop\Occipitomental.exe Code function: 6_2_356E50E4 mov ecx, dword ptr fs:[00000030h] 6_2_356E50E4
Source: C:\Users\user\Desktop\Occipitomental.exe Code function: 6_2_357950D9 mov eax, dword ptr fs:[00000030h] 6_2_357950D9
Source: C:\Users\user\Desktop\Occipitomental.exe Code function: 6_2_356D70C0 mov eax, dword ptr fs:[00000030h] 6_2_356D70C0
Source: C:\Users\user\Desktop\Occipitomental.exe Code function: 6_2_356D70C0 mov ecx, dword ptr fs:[00000030h] 6_2_356D70C0
Source: C:\Users\user\Desktop\Occipitomental.exe Code function: 6_2_356D70C0 mov ecx, dword ptr fs:[00000030h] 6_2_356D70C0
Source: C:\Users\user\Desktop\Occipitomental.exe Code function: 6_2_356D70C0 mov eax, dword ptr fs:[00000030h] 6_2_356D70C0
Source: C:\Users\user\Desktop\Occipitomental.exe Code function: 6_2_356D70C0 mov ecx, dword ptr fs:[00000030h] 6_2_356D70C0
Source: C:\Users\user\Desktop\Occipitomental.exe Code function: 6_2_356D70C0 mov ecx, dword ptr fs:[00000030h] 6_2_356D70C0
Source: C:\Users\user\Desktop\Occipitomental.exe Code function: 6_2_356D70C0 mov eax, dword ptr fs:[00000030h] 6_2_356D70C0
Source: C:\Users\user\Desktop\Occipitomental.exe Code function: 6_2_356D70C0 mov eax, dword ptr fs:[00000030h] 6_2_356D70C0
Source: C:\Users\user\Desktop\Occipitomental.exe Code function: 6_2_356D70C0 mov eax, dword ptr fs:[00000030h] 6_2_356D70C0
Source: C:\Users\user\Desktop\Occipitomental.exe Code function: 6_2_356D70C0 mov eax, dword ptr fs:[00000030h] 6_2_356D70C0
Source: C:\Users\user\Desktop\Occipitomental.exe Code function: 6_2_356D70C0 mov eax, dword ptr fs:[00000030h] 6_2_356D70C0
Source: C:\Users\user\Desktop\Occipitomental.exe Code function: 6_2_356D70C0 mov eax, dword ptr fs:[00000030h] 6_2_356D70C0
Source: C:\Users\user\Desktop\Occipitomental.exe Code function: 6_2_356D70C0 mov eax, dword ptr fs:[00000030h] 6_2_356D70C0
Source: C:\Users\user\Desktop\Occipitomental.exe Code function: 6_2_356D70C0 mov eax, dword ptr fs:[00000030h] 6_2_356D70C0
Source: C:\Users\user\Desktop\Occipitomental.exe Code function: 6_2_356D70C0 mov eax, dword ptr fs:[00000030h] 6_2_356D70C0
Source: C:\Users\user\Desktop\Occipitomental.exe Code function: 6_2_356D70C0 mov eax, dword ptr fs:[00000030h] 6_2_356D70C0
Source: C:\Users\user\Desktop\Occipitomental.exe Code function: 6_2_356D70C0 mov eax, dword ptr fs:[00000030h] 6_2_356D70C0
Source: C:\Users\user\Desktop\Occipitomental.exe Code function: 6_2_356D70C0 mov eax, dword ptr fs:[00000030h] 6_2_356D70C0
Source: C:\Users\user\Desktop\Occipitomental.exe Code function: 6_2_3573D0C0 mov eax, dword ptr fs:[00000030h] 6_2_3573D0C0
Source: C:\Users\user\Desktop\Occipitomental.exe Code function: 6_2_3573D0C0 mov eax, dword ptr fs:[00000030h] 6_2_3573D0C0
Source: C:\Users\user\Desktop\Occipitomental.exe Code function: 6_2_356E90DB mov eax, dword ptr fs:[00000030h] 6_2_356E90DB
Source: C:\Users\user\Desktop\Occipitomental.exe Code function: 6_2_356BD08D mov eax, dword ptr fs:[00000030h] 6_2_356BD08D
Source: C:\Users\user\Desktop\Occipitomental.exe Code function: 6_2_356F909C mov eax, dword ptr fs:[00000030h] 6_2_356F909C
Source: C:\Users\user\Desktop\Occipitomental.exe Code function: 6_2_3574D080 mov eax, dword ptr fs:[00000030h] 6_2_3574D080
Source: C:\Users\user\Desktop\Occipitomental.exe Code function: 6_2_3574D080 mov eax, dword ptr fs:[00000030h] 6_2_3574D080
Source: C:\Users\user\Desktop\Occipitomental.exe Code function: 6_2_356C5096 mov eax, dword ptr fs:[00000030h] 6_2_356C5096
Source: C:\Users\user\Desktop\Occipitomental.exe Code function: 6_2_356ED090 mov eax, dword ptr fs:[00000030h] 6_2_356ED090
Source: C:\Users\user\Desktop\Occipitomental.exe Code function: 6_2_356ED090 mov eax, dword ptr fs:[00000030h] 6_2_356ED090
Source: C:\Users\user\Desktop\Occipitomental.exe Code function: 6_2_35763370 mov eax, dword ptr fs:[00000030h] 6_2_35763370
Source: C:\Users\user\Desktop\Occipitomental.exe Code function: 6_2_3577F367 mov eax, dword ptr fs:[00000030h] 6_2_3577F367
Source: C:\Users\user\Desktop\Occipitomental.exe Code function: 6_2_356C7370 mov eax, dword ptr fs:[00000030h] 6_2_356C7370
Source: C:\Users\user\Desktop\Occipitomental.exe Code function: 6_2_356C7370 mov eax, dword ptr fs:[00000030h] 6_2_356C7370
Source: C:\Users\user\Desktop\Occipitomental.exe Code function: 6_2_356C7370 mov eax, dword ptr fs:[00000030h] 6_2_356C7370
Source: C:\Users\user\Desktop\Occipitomental.exe Code function: 6_2_356BD34C mov eax, dword ptr fs:[00000030h] 6_2_356BD34C
Source: C:\Users\user\Desktop\Occipitomental.exe Code function: 6_2_356BD34C mov eax, dword ptr fs:[00000030h] 6_2_356BD34C
Source: C:\Users\user\Desktop\Occipitomental.exe Code function: 6_2_35795341 mov eax, dword ptr fs:[00000030h] 6_2_35795341
Source: C:\Users\user\Desktop\Occipitomental.exe Code function: 6_2_356B9353 mov eax, dword ptr fs:[00000030h] 6_2_356B9353
Source: C:\Users\user\Desktop\Occipitomental.exe Code function: 6_2_356B9353 mov eax, dword ptr fs:[00000030h] 6_2_356B9353
Source: C:\Users\user\Desktop\Occipitomental.exe Code function: 6_2_356EF32A mov eax, dword ptr fs:[00000030h] 6_2_356EF32A
Source: C:\Users\user\Desktop\Occipitomental.exe Code function: 6_2_3578132D mov eax, dword ptr fs:[00000030h] 6_2_3578132D
Source: C:\Users\user\Desktop\Occipitomental.exe Code function: 6_2_3578132D mov eax, dword ptr fs:[00000030h] 6_2_3578132D
Source: C:\Users\user\Desktop\Occipitomental.exe Code function: 6_2_356B7330 mov eax, dword ptr fs:[00000030h] 6_2_356B7330
Source: C:\Users\user\Desktop\Occipitomental.exe Code function: 6_2_3574930B mov eax, dword ptr fs:[00000030h] 6_2_3574930B
Source: C:\Users\user\Desktop\Occipitomental.exe Code function: 6_2_3574930B mov eax, dword ptr fs:[00000030h] 6_2_3574930B
Source: C:\Users\user\Desktop\Occipitomental.exe Code function: 6_2_3574930B mov eax, dword ptr fs:[00000030h] 6_2_3574930B
Source: C:\Users\user\Desktop\Occipitomental.exe Code function: 6_2_357953FC mov eax, dword ptr fs:[00000030h] 6_2_357953FC
Source: C:\Users\user\Desktop\Occipitomental.exe Code function: 6_2_3577F3E6 mov eax, dword ptr fs:[00000030h] 6_2_3577F3E6
Source: C:\Users\user\Desktop\Occipitomental.exe Code function: 6_2_3577B3D0 mov ecx, dword ptr fs:[00000030h] 6_2_3577B3D0
Source: C:\Users\user\Desktop\Occipitomental.exe Code function: 6_2_356E33A5 mov eax, dword ptr fs:[00000030h] 6_2_356E33A5
Source: C:\Users\user\Desktop\Occipitomental.exe Code function: 6_2_356F33A0 mov eax, dword ptr fs:[00000030h] 6_2_356F33A0
Source: C:\Users\user\Desktop\Occipitomental.exe Code function: 6_2_356F33A0 mov eax, dword ptr fs:[00000030h] 6_2_356F33A0
Source: C:\Users\user\Desktop\Occipitomental.exe Code function: 6_2_357613B9 mov eax, dword ptr fs:[00000030h] 6_2_357613B9
Source: C:\Users\user\Desktop\Occipitomental.exe Code function: 6_2_357613B9 mov eax, dword ptr fs:[00000030h] 6_2_357613B9
Source: C:\Users\user\Desktop\Occipitomental.exe Code function: 6_2_357613B9 mov eax, dword ptr fs:[00000030h] 6_2_357613B9
Source: C:\Users\user\Desktop\Occipitomental.exe Code function: 6_2_3579539D mov eax, dword ptr fs:[00000030h] 6_2_3579539D
Source: C:\Users\user\Desktop\Occipitomental.exe Code function: 6_2_3571739A mov eax, dword ptr fs:[00000030h] 6_2_3571739A
Source: C:\Users\user\Desktop\Occipitomental.exe Code function: 6_2_3571739A mov eax, dword ptr fs:[00000030h] 6_2_3571739A
Source: C:\Users\user\Desktop\Occipitomental.exe Code function: 6_2_35701270 mov eax, dword ptr fs:[00000030h] 6_2_35701270
Source: C:\Users\user\Desktop\Occipitomental.exe Code function: 6_2_35701270 mov eax, dword ptr fs:[00000030h] 6_2_35701270
Source: C:\Users\user\Desktop\Occipitomental.exe Code function: 6_2_3578D26B mov eax, dword ptr fs:[00000030h] 6_2_3578D26B
Source: C:\Users\user\Desktop\Occipitomental.exe Code function: 6_2_3578D26B mov eax, dword ptr fs:[00000030h] 6_2_3578D26B
Source: C:\Users\user\Desktop\Occipitomental.exe Code function: 6_2_356E9274 mov eax, dword ptr fs:[00000030h] 6_2_356E9274
Source: C:\Users\user\Desktop\Occipitomental.exe Code function: 6_2_3577B256 mov eax, dword ptr fs:[00000030h] 6_2_3577B256
Source: C:\Users\user\Desktop\Occipitomental.exe Code function: 6_2_3577B256 mov eax, dword ptr fs:[00000030h] 6_2_3577B256
Source: C:\Users\user\Desktop\Occipitomental.exe Code function: 6_2_356F724D mov eax, dword ptr fs:[00000030h] 6_2_356F724D
Source: C:\Users\user\Desktop\Occipitomental.exe Code function: 6_2_3574D250 mov ecx, dword ptr fs:[00000030h] 6_2_3574D250
Source: C:\Users\user\Desktop\Occipitomental.exe Code function: 6_2_356B9240 mov eax, dword ptr fs:[00000030h] 6_2_356B9240
Source: C:\Users\user\Desktop\Occipitomental.exe Code function: 6_2_356B9240 mov eax, dword ptr fs:[00000030h] 6_2_356B9240
Source: C:\Users\user\Desktop\Occipitomental.exe Code function: 6_2_35795227 mov eax, dword ptr fs:[00000030h] 6_2_35795227
Source: C:\Users\user\Desktop\Occipitomental.exe Code function: 6_2_356F7208 mov eax, dword ptr fs:[00000030h] 6_2_356F7208
Source: C:\Users\user\Desktop\Occipitomental.exe Code function: 6_2_356F7208 mov eax, dword ptr fs:[00000030h] 6_2_356F7208
Source: C:\Users\user\Desktop\Occipitomental.exe Code function: 6_2_3576B2F0 mov eax, dword ptr fs:[00000030h] 6_2_3576B2F0
Source: C:\Users\user\Desktop\Occipitomental.exe Code function: 6_2_3576B2F0 mov eax, dword ptr fs:[00000030h] 6_2_3576B2F0
Source: C:\Users\user\Desktop\Occipitomental.exe Code function: 6_2_3577F2F8 mov eax, dword ptr fs:[00000030h] 6_2_3577F2F8
Source: C:\Users\user\Desktop\Occipitomental.exe Code function: 6_2_356B92FF mov eax, dword ptr fs:[00000030h] 6_2_356B92FF
Source: C:\Users\user\Desktop\Occipitomental.exe Code function: 6_2_357712ED mov eax, dword ptr fs:[00000030h] 6_2_357712ED
Source: C:\Users\user\Desktop\Occipitomental.exe Code function: 6_2_357712ED mov eax, dword ptr fs:[00000030h] 6_2_357712ED
Source: C:\Users\user\Desktop\Occipitomental.exe Code function: 6_2_357712ED mov eax, dword ptr fs:[00000030h] 6_2_357712ED
Source: C:\Users\user\Desktop\Occipitomental.exe Code function: 6_2_357712ED mov eax, dword ptr fs:[00000030h] 6_2_357712ED
Source: C:\Users\user\Desktop\Occipitomental.exe Code function: 6_2_357712ED mov eax, dword ptr fs:[00000030h] 6_2_357712ED
Source: C:\Users\user\Desktop\Occipitomental.exe Code function: 6_2_357712ED mov eax, dword ptr fs:[00000030h] 6_2_357712ED
Source: C:\Users\user\Desktop\Occipitomental.exe Code function: 6_2_357712ED mov eax, dword ptr fs:[00000030h] 6_2_357712ED
Source: C:\Users\user\Desktop\Occipitomental.exe Code function: 6_2_357712ED mov eax, dword ptr fs:[00000030h] 6_2_357712ED
Source: C:\Users\user\Desktop\Occipitomental.exe Code function: 6_2_357712ED mov eax, dword ptr fs:[00000030h] 6_2_357712ED
Source: C:\Users\user\Desktop\Occipitomental.exe Code function: 6_2_357712ED mov eax, dword ptr fs:[00000030h] 6_2_357712ED
Source: C:\Users\user\Desktop\Occipitomental.exe Code function: 6_2_357712ED mov eax, dword ptr fs:[00000030h] 6_2_357712ED
Source: C:\Users\user\Desktop\Occipitomental.exe Code function: 6_2_357712ED mov eax, dword ptr fs:[00000030h] 6_2_357712ED
Source: C:\Users\user\Desktop\Occipitomental.exe Code function: 6_2_357712ED mov eax, dword ptr fs:[00000030h] 6_2_357712ED
Source: C:\Users\user\Desktop\Occipitomental.exe Code function: 6_2_357712ED mov eax, dword ptr fs:[00000030h] 6_2_357712ED
Source: C:\Users\user\Desktop\Occipitomental.exe Code function: 6_2_357952E2 mov eax, dword ptr fs:[00000030h] 6_2_357952E2
Source: C:\Users\user\Desktop\Occipitomental.exe Code function: 6_2_356C92C5 mov eax, dword ptr fs:[00000030h] 6_2_356C92C5
Source: C:\Users\user\Desktop\Occipitomental.exe Code function: 6_2_356C92C5 mov eax, dword ptr fs:[00000030h] 6_2_356C92C5
Source: C:\Users\user\Desktop\Occipitomental.exe Code function: 6_2_356EB2C0 mov eax, dword ptr fs:[00000030h] 6_2_356EB2C0
Source: C:\Users\user\Desktop\Occipitomental.exe Code function: 6_2_356EB2C0 mov eax, dword ptr fs:[00000030h] 6_2_356EB2C0
Source: C:\Users\user\Desktop\Occipitomental.exe Code function: 6_2_356EB2C0 mov eax, dword ptr fs:[00000030h] 6_2_356EB2C0
Source: C:\Users\user\Desktop\Occipitomental.exe Code function: 6_2_356EB2C0 mov eax, dword ptr fs:[00000030h] 6_2_356EB2C0
Source: C:\Users\user\Desktop\Occipitomental.exe Code function: 6_2_356EB2C0 mov eax, dword ptr fs:[00000030h] 6_2_356EB2C0
Source: C:\Users\user\Desktop\Occipitomental.exe Code function: 6_2_356EB2C0 mov eax, dword ptr fs:[00000030h] 6_2_356EB2C0
Source: C:\Users\user\Desktop\Occipitomental.exe Code function: 6_2_356EB2C0 mov eax, dword ptr fs:[00000030h] 6_2_356EB2C0
Source: C:\Users\user\Desktop\Occipitomental.exe Code function: 6_2_356BB2D3 mov eax, dword ptr fs:[00000030h] 6_2_356BB2D3
Source: C:\Users\user\Desktop\Occipitomental.exe Code function: 6_2_356BB2D3 mov eax, dword ptr fs:[00000030h] 6_2_356BB2D3
Source: C:\Users\user\Desktop\Occipitomental.exe Code function: 6_2_356BB2D3 mov eax, dword ptr fs:[00000030h] 6_2_356BB2D3
Source: C:\Users\user\Desktop\Occipitomental.exe Code function: 6_2_356EF2D0 mov eax, dword ptr fs:[00000030h] 6_2_356EF2D0
Source: C:\Users\user\Desktop\Occipitomental.exe Code function: 6_2_356EF2D0 mov eax, dword ptr fs:[00000030h] 6_2_356EF2D0
Source: C:\Users\user\Desktop\Occipitomental.exe Code function: 6_2_357492BC mov eax, dword ptr fs:[00000030h] 6_2_357492BC
Source: C:\Users\user\Desktop\Occipitomental.exe Process created: C:\Users\user\Desktop\Occipitomental.exe "C:\Users\user\Desktop\Occipitomental.exe"
Source: C:\Users\user\Desktop\Occipitomental.exe Code function: 0_2_00405D1F GetVersion,GetSystemDirectoryA,GetWindowsDirectoryA,SHGetSpecialFolderLocation,SHGetPathFromIDListA,CoTaskMemFree,lstrcatA,lstrlenA, 0_2_00405D1F

Stealing of Sensitive Information

Source: Yara match File source: 00000006.00000002.3595105128.0000000035330000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Source: Yara match File source: 00000006.00000002.3595105128.0000000035330000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY