Windows Analysis Report
P.O.exe

Overview

General Information

Sample name: P.O.exe
Analysis ID: 1560083
MD5: 6802a38084da57589c5d743dcbf22a66
SHA1: 83ed1d10c94b42586916aa0e52f8fe980b408386
SHA256: c6324c508e3f4ca77de6321a2ba98faec3cb40ab4b9d85a2eced9560f24f6eb9
Tags: exeuser-lowmal3

Detection

FormBook
Score: 80
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected AntiVM3
Yara detected FormBook
.NET source code contains potential unpacker
AI detected suspicious sample
Injects a PE file into a foreign processes
Machine Learning detection for sample
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection

Source: P.O.exe ReversingLabs: Detection: 36%
Source: Yara match File source: 5.2.P.O.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.P.O.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000005.00000002.2357534519.0000000001210000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.2355865186.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Submited Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: P.O.exe Joe Sandbox ML: detected
Source: P.O.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: P.O.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: wntdll.pdbUGP source: P.O.exe, 00000005.00000002.2356525474.0000000000EC0000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: P.O.exe, P.O.exe, 00000005.00000002.2356525474.0000000000EC0000.00000040.00001000.00020000.00000000.sdmp
Source: P.O.exe String found in binary or memory: http://tempuri.org/ianiDataSet.xsd
Source: P.O.exe String found in binary or memory: http://tempuri.org/ianiDataSet1.xsd
Source: P.O.exe String found in binary or memory: http://tempuri.org/ianiDataSet2.xsdM

E-Banking Fraud

Source: Yara match File source: 5.2.P.O.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.P.O.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000005.00000002.2357534519.0000000001210000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.2355865186.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: C:\Users\user\Desktop\P.O.exe Code function: 0_2_07737A50 NtUnmapViewOfSection, 0_2_07737A50
Source: C:\Users\user\Desktop\P.O.exe Code function: 0_2_07737A48 NtUnmapViewOfSection, 0_2_07737A48
Source: C:\Users\user\Desktop\P.O.exe Code function: 5_2_0042CCB3 NtClose, 5_2_0042CCB3
Source: C:\Users\user\Desktop\P.O.exe Code function: 5_2_00F335C0 NtCreateMutant,LdrInitializeThunk, 5_2_00F335C0
Source: C:\Users\user\Desktop\P.O.exe Code function: 5_2_00F32B60 NtClose,LdrInitializeThunk, 5_2_00F32B60
Source: C:\Users\user\Desktop\P.O.exe Code function: 5_2_00F32C70 NtFreeVirtualMemory,LdrInitializeThunk, 5_2_00F32C70
Source: C:\Users\user\Desktop\P.O.exe Code function: 5_2_00F32DF0 NtQuerySystemInformation,LdrInitializeThunk, 5_2_00F32DF0
Source: C:\Users\user\Desktop\P.O.exe Code function: 5_2_00F33090 NtSetValueKey, 5_2_00F33090
Source: C:\Users\user\Desktop\P.O.exe Code function: 5_2_00F33010 NtOpenDirectoryObject, 5_2_00F33010
Source: C:\Users\user\Desktop\P.O.exe Code function: 5_2_00F34340 NtSetContextThread, 5_2_00F34340
Source: C:\Users\user\Desktop\P.O.exe Code function: 5_2_00F34650 NtSuspendThread, 5_2_00F34650
Source: C:\Users\user\Desktop\P.O.exe Code function: 5_2_00F339B0 NtGetContextThread, 5_2_00F339B0
Source: C:\Users\user\Desktop\P.O.exe Code function: 5_2_00F32AF0 NtWriteFile, 5_2_00F32AF0
Source: C:\Users\user\Desktop\P.O.exe Code function: 5_2_00F32AD0 NtReadFile, 5_2_00F32AD0
Source: C:\Users\user\Desktop\P.O.exe Code function: 5_2_00F32AB0 NtWaitForSingleObject, 5_2_00F32AB0
Source: C:\Users\user\Desktop\P.O.exe Code function: 5_2_00F32BF0 NtAllocateVirtualMemory, 5_2_00F32BF0
Source: C:\Users\user\Desktop\P.O.exe Code function: 5_2_00F32BE0 NtQueryValueKey, 5_2_00F32BE0
Source: C:\Users\user\Desktop\P.O.exe Code function: 5_2_00F32BA0 NtEnumerateValueKey, 5_2_00F32BA0
Source: C:\Users\user\Desktop\P.O.exe Code function: 5_2_00F32B80 NtQueryInformationFile, 5_2_00F32B80
Source: C:\Users\user\Desktop\P.O.exe Code function: 5_2_00F32CF0 NtOpenProcess, 5_2_00F32CF0
Source: C:\Users\user\Desktop\P.O.exe Code function: 5_2_00F32CC0 NtQueryVirtualMemory, 5_2_00F32CC0
Source: C:\Users\user\Desktop\P.O.exe Code function: 5_2_00F32CA0 NtQueryInformationToken, 5_2_00F32CA0
Source: C:\Users\user\Desktop\P.O.exe Code function: 5_2_00F32C60 NtCreateKey, 5_2_00F32C60
Source: C:\Users\user\Desktop\P.O.exe Code function: 5_2_00F32C00 NtQueryInformationProcess, 5_2_00F32C00
Source: C:\Users\user\Desktop\P.O.exe Code function: 5_2_00F32DD0 NtDelayExecution, 5_2_00F32DD0
Source: C:\Users\user\Desktop\P.O.exe Code function: 5_2_00F32DB0 NtEnumerateKey, 5_2_00F32DB0
Source: C:\Users\user\Desktop\P.O.exe Code function: 5_2_00F33D70 NtOpenThread, 5_2_00F33D70
Source: C:\Users\user\Desktop\P.O.exe Code function: 5_2_00F32D30 NtUnmapViewOfSection, 5_2_00F32D30
Source: C:\Users\user\Desktop\P.O.exe Code function: 5_2_00F32D10 NtMapViewOfSection, 5_2_00F32D10
Source: C:\Users\user\Desktop\P.O.exe Code function: 5_2_00F33D10 NtOpenProcessToken, 5_2_00F33D10
Source: C:\Users\user\Desktop\P.O.exe Code function: 5_2_00F32D00 NtSetInformationFile, 5_2_00F32D00
Source: C:\Users\user\Desktop\P.O.exe Code function: 5_2_00F32EE0 NtQueueApcThread, 5_2_00F32EE0
Source: C:\Users\user\Desktop\P.O.exe Code function: 5_2_00F32EA0 NtAdjustPrivilegesToken, 5_2_00F32EA0
Source: C:\Users\user\Desktop\P.O.exe Code function: 5_2_00F32E80 NtReadVirtualMemory, 5_2_00F32E80
Source: C:\Users\user\Desktop\P.O.exe Code function: 5_2_00F32E30 NtWriteVirtualMemory, 5_2_00F32E30
Source: C:\Users\user\Desktop\P.O.exe Code function: 5_2_00F32FE0 NtCreateFile, 5_2_00F32FE0
Source: C:\Users\user\Desktop\P.O.exe Code function: 5_2_00F32FB0 NtResumeThread, 5_2_00F32FB0
Source: C:\Users\user\Desktop\P.O.exe Code function: 5_2_00F32FA0 NtQuerySection, 5_2_00F32FA0
Source: C:\Users\user\Desktop\P.O.exe Code function: 5_2_00F32F90 NtProtectVirtualMemory, 5_2_00F32F90
Source: C:\Users\user\Desktop\P.O.exe Code function: 5_2_00F32F60 NtCreateProcessEx, 5_2_00F32F60
Source: C:\Users\user\Desktop\P.O.exe Code function: 5_2_00F32F30 NtCreateSection, 5_2_00F32F30
Source: C:\Users\user\Desktop\P.O.exe Code function: String function: 00F7F290 appears 105 times
Source: C:\Users\user\Desktop\P.O.exe Code function: String function: 00F47E54 appears 94 times
Source: C:\Users\user\Desktop\P.O.exe Code function: String function: 00F35130 appears 36 times
Source: C:\Users\user\Desktop\P.O.exe Code function: String function: 00F6EA12 appears 86 times
Source: C:\Users\user\Desktop\P.O.exe Code function: String function: 00EEB970 appears 253 times
Source: P.O.exe, 00000000.00000002.1954637867.0000000007C30000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameMontero.dll8 vs P.O.exe
Source: P.O.exe, 00000000.00000002.1948781389.000000000120E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs P.O.exe
Source: P.O.exe, 00000000.00000002.1952792955.0000000005640000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameArthur.dll" vs P.O.exe
Source: P.O.exe, 00000000.00000000.1703495934.0000000000B6C000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameeuWT.exe4 vs P.O.exe
Source: P.O.exe, 00000000.00000002.1949349380.0000000002F73000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameArthur.dll" vs P.O.exe
Source: P.O.exe, 00000005.00000002.2356525474.0000000000FED000.00000040.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs P.O.exe
Source: P.O.exe Binary or memory string: OriginalFilenameeuWT.exe4 vs P.O.exe
Source: P.O.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 0.2.P.O.exe.41e4f00.0.raw.unpack, pXblAmimsnTC264Gfp.cs Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.P.O.exe.41e4f00.0.raw.unpack, pXblAmimsnTC264Gfp.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.P.O.exe.41e4f00.0.raw.unpack, DvKkmjD3k46QOm7KdT.cs Security API names: _0020.SetAccessControl
Source: 0.2.P.O.exe.41e4f00.0.raw.unpack, DvKkmjD3k46QOm7KdT.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.P.O.exe.41e4f00.0.raw.unpack, DvKkmjD3k46QOm7KdT.cs Security API names: _0020.AddAccessRule
Source: 0.2.P.O.exe.7c30000.4.raw.unpack, DvKkmjD3k46QOm7KdT.cs Security API names: _0020.SetAccessControl
Source: 0.2.P.O.exe.7c30000.4.raw.unpack, DvKkmjD3k46QOm7KdT.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.P.O.exe.7c30000.4.raw.unpack, DvKkmjD3k46QOm7KdT.cs Security API names: _0020.AddAccessRule
Source: 0.2.P.O.exe.7c30000.4.raw.unpack, pXblAmimsnTC264Gfp.cs Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.P.O.exe.7c30000.4.raw.unpack, pXblAmimsnTC264Gfp.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: classification engine Classification label: mal80.troj.evad.winEXE@3/1@0/0
Source: C:\Users\user\Desktop\P.O.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\P.O.exe.log
Source: C:\Users\user\Desktop\P.O.exe Mutant created: NULL
Source: P.O.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
Source: C:\Users\user\Desktop\P.O.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: P.O.exe, 00000000.00000000.1703383050.0000000000A72000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: INSERT INTO [dbo].[CREDIT_PLAN] ([CREDIT_ID], [MATURITY_DATE], [MATURITY_SUM], [MATURITY_NOTE], [MODIF_DATE]) VALUES (@CREDIT_ID, @MATURITY_DATE, @MATURITY_SUM, @MATURITY_NOTE, @MODIF_DATE);
Source: P.O.exe, 00000000.00000000.1703383050.0000000000A72000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: INSERT INTO [dbo].[CREDIT_PRODUCT] ([PROD_NAME], [PROD_ACTIVE], [PROD_SUM_FROM], [PROD_SUM_TO], [MODIF_DATE], [INTEREST]) VALUES (@PROD_NAME, @PROD_ACTIVE, @PROD_SUM_FROM, @PROD_SUM_TO, @MODIF_DATE, @INTEREST);
Source: P.O.exe, 00000000.00000000.1703383050.0000000000A72000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: UPDATE [dbo].[Login] SET [User_id] = @User_id, [User_pass] = @User_pass WHERE (([User_id] = @Original_User_id) AND ([User_pass] = @Original_User_pass));
Source: P.O.exe, 00000000.00000000.1703383050.0000000000A72000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: UPDATE [dbo].[CREDIT_PLAN] SET [CREDIT_ID] = @CREDIT_ID, [MATURITY_DATE] = @MATURITY_DATE, [MATURITY_SUM] = @MATURITY_SUM, [MATURITY_NOTE] = @MATURITY_NOTE, [MODIF_DATE] = @MODIF_DATE WHERE (([MATURITY_ID] = @Original_MATURITY_ID) AND ((@IsNull_CREDIT_ID = 1 AND [CREDIT_ID] IS NULL) OR ([CREDIT_ID] = @Original_CREDIT_ID)) AND ([MATURITY_DATE] = @Original_MATURITY_DATE) AND ([MATURITY_SUM] = @Original_MATURITY_SUM) AND ((@IsNull_MATURITY_NOTE = 1 AND [MATURITY_NOTE] IS NULL) OR ([MATURITY_NOTE] = @Original_MATURITY_NOTE)) AND ((@IsNull_MODIF_DATE = 1 AND [MODIF_DATE] IS NULL) OR ([MODIF_DATE] = @Original_MODIF_DATE)));
Source: P.O.exe, 00000000.00000000.1703383050.0000000000A72000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: INSERT INTO [dbo].[PROD_PERIODS] ([PROD_CODE], [PROD_PERIOD]) VALUES (@PROD_CODE, @PROD_PERIOD);
Source: P.O.exe, 00000000.00000000.1703383050.0000000000A72000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: UPDATE [dbo].[INTEREST] SET [PROD_CODE] = @PROD_CODE, [PROD_PERIOD] = @PROD_PERIOD, [SUM_FROM] = @SUM_FROM, [SUM_TO] = @SUM_TO WHERE (([PROD_CODE] = @Original_PROD_CODE) AND ([PROD_PERIOD] = @Original_PROD_PERIOD) AND ([SUM_FROM] = @Original_SUM_FROM) AND ([SUM_TO] = @Original_SUM_TO));
Source: P.O.exe, 00000000.00000000.1703383050.0000000000A72000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: UPDATE [dbo].[CREDIT] SET [CREDIT_NO] = @CREDIT_NO, [CREDIT_DATE] = @CREDIT_DATE, [CREDIT_PERIOD] = @CREDIT_PERIOD, [CREDIT_END_DATE] = @CREDIT_END_DATE, [CREDIT_BEGIN_DATE] = @CREDIT_BEGIN_DATE, [CLIENT_ID] = @CLIENT_ID, [PROD_CODE] = @PROD_CODE, [CREDIT_SUM] = @CREDIT_SUM, [CREDIT_NOTE] = @CREDIT_NOTE, [MODIF_DATE] = @MODIF_DATE WHERE (([CREDIT_ID] = @Original_CREDIT_ID) AND ([CREDIT_NO] = @Original_CREDIT_NO) AND ((@IsNull_CREDIT_DATE = 1 AND [CREDIT_DATE] IS NULL) OR ([CREDIT_DATE] = @Original_CREDIT_DATE)) AND ([CREDIT_PERIOD] = @Original_CREDIT_PERIOD) AND ((@IsNull_CREDIT_END_DATE = 1 AND [CREDIT_END_DATE] IS NULL) OR ([CREDIT_END_DATE] = @Original_CREDIT_END_DATE)) AND ((@IsNull_CREDIT_BEGIN_DATE = 1 AND [CREDIT_BEGIN_DATE] IS NULL) OR ([CREDIT_BEGIN_DATE] = @Original_CREDIT_BEGIN_DATE)) AND ([CLIENT_ID] = @Original_CLIENT_ID) AND ((@IsNull_PROD_CODE = 1 AND [PROD_CODE] IS NULL) OR ([PROD_CODE] = @Original_PROD_CODE)) AND ([CREDIT_SUM] = @Original_CREDIT_SUM) AND ((@IsNull_CREDIT_NOTE = 1 AND [CREDIT_NOTE] IS NULL) OR ([CREDIT_NOTE] = @Original_CREDIT_NOTE)) AND ((@IsNull_MODIF_DATE = 1 AND [MODIF_DATE] IS NULL) OR ([MODIF_DATE] = @Original_MODIF_DATE)));
Source: P.O.exe, 00000000.00000000.1703383050.0000000000A72000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: UPDATE [dbo].[CREDIT_PRODUCT] SET [PROD_NAME] = @PROD_NAME, [PROD_ACTIVE] = @PROD_ACTIVE, [PROD_SUM_FROM] = @PROD_SUM_FROM, [PROD_SUM_TO] = @PROD_SUM_TO, [MODIF_DATE] = @MODIF_DATE WHERE (([PROD_CODE] = @Original_PROD_CODE) AND ([PROD_NAME] = @Original_PROD_NAME) AND ([PROD_ACTIVE] = @Original_PROD_ACTIVE) AND ([PROD_SUM_FROM] = @Original_PROD_SUM_FROM) AND ([PROD_SUM_TO] = @Original_PROD_SUM_TO) AND ((@IsNull_MODIF_DATE = 1 AND [MODIF_DATE] IS NULL) OR ([MODIF_DATE] = @Original_MODIF_DATE)));
Source: P.O.exe, 00000000.00000000.1703383050.0000000000A72000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: INSERT INTO [dbo].[CREDIT_PRODUCT] ([PROD_NAME], [PROD_ACTIVE], [PROD_SUM_FROM], [PROD_SUM_TO], [MODIF_DATE]) VALUES (@PROD_NAME, @PROD_ACTIVE, @PROD_SUM_FROM, @PROD_SUM_TO, @MODIF_DATE);
Source: unknown Process created: C:\Users\user\Desktop\P.O.exe "C:\Users\user\Desktop\P.O.exe"
Source: C:\Users\user\Desktop\P.O.exe Process created: C:\Users\user\Desktop\P.O.exe "C:\Users\user\Desktop\P.O.exe"
Source: C:\Users\user\Desktop\P.O.exe Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\P.O.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\P.O.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\P.O.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\P.O.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\P.O.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\P.O.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\P.O.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\P.O.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\P.O.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\P.O.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\P.O.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\P.O.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\P.O.exe Section loaded: dwrite.dll
Source: C:\Users\user\Desktop\P.O.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\P.O.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\P.O.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\P.O.exe Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\P.O.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\P.O.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
Source: C:\Users\user\Desktop\P.O.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: P.O.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Data Obfuscation

Source: P.O.exe, InnerForm.cs .Net Code: InitializeComponent System.Reflection.Assembly.Load(byte[])
Source: 0.2.P.O.exe.41e4f00.0.raw.unpack, DvKkmjD3k46QOm7KdT.cs .Net Code: qZIrNlsV5j System.Reflection.Assembly.Load(byte[])
Source: 0.2.P.O.exe.7c30000.4.raw.unpack, DvKkmjD3k46QOm7KdT.cs .Net Code: qZIrNlsV5j System.Reflection.Assembly.Load(byte[])
Source: C:\Users\user\Desktop\P.O.exe Code function: 0_2_0144DB84 pushfd ; ret 0_2_0144DB89
Source: C:\Users\user\Desktop\P.O.exe Code function: 0_2_077342A4 push ebx; ret 0_2_077342DA
Source: C:\Users\user\Desktop\P.O.exe Code function: 5_2_0040D8D0 pushad ; iretd 5_2_0040D8D1
Source: C:\Users\user\Desktop\P.O.exe Code function: 5_2_004031B0 push eax; ret 5_2_004031B2
Source: C:\Users\user\Desktop\P.O.exe Code function: 5_2_0040D3DE pushad ; retf 5_2_0040D3DF
Source: C:\Users\user\Desktop\P.O.exe Code function: 5_2_00414C77 push es; iretd 5_2_00414C79
Source: C:\Users\user\Desktop\P.O.exe Code function: 5_2_00415DE9 push ebp; iretd 5_2_00415E4B
Source: C:\Users\user\Desktop\P.O.exe Code function: 5_2_0040E61C push es; retf 5_2_0040E61D
Source: C:\Users\user\Desktop\P.O.exe Code function: 5_2_00405F99 push edi; retf 5_2_00405F9A
Source: C:\Users\user\Desktop\P.O.exe Code function: 5_2_00EF09AD push ecx; mov dword ptr [esp], ecx 5_2_00EF09B6
Source: P.O.exe Static PE information: section name: .text entropy: 7.559514437779557
Source: 0.2.P.O.exe.41e4f00.0.raw.unpack, N5GegfGQFfXMbcSkDs.cs High entropy of concatenated method names: 'zZOXib27YE', 'Ii7X657CM6', 'ix2X2h7iP9', 'WaEXLQ5f5J', 'd1EXn76oBQ', 'I6SXKrI58F', 'tH7XmIhpAU', 'egFXf9p4WY', 'wnYXA1iaX9', 'x7OXy5Aj8T'
Source: C:\Users\user\Desktop\P.O.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: Yara match File source: Process Memory Space: P.O.exe PID: 7424, type: MEMORYSTR
Source: C:\Users\user\Desktop\P.O.exe Memory allocated: 1400000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\P.O.exe Memory allocated: 2F10000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\P.O.exe Memory allocated: 2E20000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\P.O.exe Memory allocated: 7DC0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\P.O.exe Memory allocated: 8DC0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\P.O.exe Memory allocated: 8F70000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\P.O.exe Memory allocated: 9F70000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\P.O.exe Code function: 5_2_00F6D1C0 rdtsc 5_2_00F6D1C0
Source: C:\Users\user\Desktop\P.O.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\P.O.exe API coverage: 0.7 %
Source: C:\Users\user\Desktop\P.O.exe TID: 7444 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\P.O.exe TID: 7952 Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\Desktop\P.O.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\P.O.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\P.O.exe Code function: 5_2_00417D83 LdrLoadDll, 5_2_00417D83
Source: C:\Users\user\Desktop\P.O.exe Code function: 5_2_00F320F0 mov ecx, dword ptr fs:[00000030h] 5_2_00F320F0
Source: C:\Users\user\Desktop\P.O.exe Code function: 5_2_00EE9148 mov eax, dword ptr fs:[00000030h] 5_2_00EE9148
Source: C:\Users\user\Desktop\P.O.exe Code function: 5_2_00EE9148 mov eax, dword ptr fs:[00000030h] 5_2_00EE9148
Source: C:\Users\user\Desktop\P.O.exe Code function: 5_2_00FC5152 mov eax, dword ptr fs:[00000030h] 5_2_00FC5152
Source: C:\Users\user\Desktop\P.O.exe Code function: 5_2_00EEC156 mov eax, dword ptr fs:[00000030h] 5_2_00EEC156
Source: C:\Users\user\Desktop\P.O.exe Code function: 5_2_00F83140 mov eax, dword ptr fs:[00000030h] 5_2_00F83140
Source: C:\Users\user\Desktop\P.O.exe Code function: 5_2_00F83140 mov eax, dword ptr fs:[00000030h] 5_2_00F83140
Source: C:\Users\user\Desktop\P.O.exe Code function: 5_2_00F83140 mov eax, dword ptr fs:[00000030h] 5_2_00F83140
Source: C:\Users\user\Desktop\P.O.exe Code function: 5_2_00EF6154 mov eax, dword ptr fs:[00000030h] 5_2_00EF6154
Source: C:\Users\user\Desktop\P.O.exe Code function: 5_2_00EF6154 mov eax, dword ptr fs:[00000030h] 5_2_00EF6154
Source: C:\Users\user\Desktop\P.O.exe Code function: 5_2_00F84144 mov eax, dword ptr fs:[00000030h] 5_2_00F84144
Source: C:\Users\user\Desktop\P.O.exe Code function: 5_2_00F84144 mov eax, dword ptr fs:[00000030h] 5_2_00F84144
Source: C:\Users\user\Desktop\P.O.exe Code function: 5_2_00F84144 mov ecx, dword ptr fs:[00000030h] 5_2_00F84144
Source: C:\Users\user\Desktop\P.O.exe Code function: 5_2_00F84144 mov eax, dword ptr fs:[00000030h] 5_2_00F84144
Source: C:\Users\user\Desktop\P.O.exe Code function: 5_2_00F84144 mov eax, dword ptr fs:[00000030h] 5_2_00F84144
Source: C:\Users\user\Desktop\P.O.exe Code function: 5_2_00EF7152 mov eax, dword ptr fs:[00000030h] 5_2_00EF7152
Source: C:\Users\user\Desktop\P.O.exe Code function: 5_2_00F20124 mov eax, dword ptr fs:[00000030h] 5_2_00F20124
Source: C:\Users\user\Desktop\P.O.exe Code function: 5_2_00EEB136 mov eax, dword ptr fs:[00000030h] 5_2_00EEB136
Source: C:\Users\user\Desktop\P.O.exe Code function: 5_2_00EEB136 mov eax, dword ptr fs:[00000030h] 5_2_00EEB136
Source: C:\Users\user\Desktop\P.O.exe Code function: 5_2_00EEB136 mov eax, dword ptr fs:[00000030h] 5_2_00EEB136
Source: C:\Users\user\Desktop\P.O.exe Code function: 5_2_00EEB136 mov eax, dword ptr fs:[00000030h] 5_2_00EEB136
Source: C:\Users\user\Desktop\P.O.exe Code function: 5_2_00EF1131 mov eax, dword ptr fs:[00000030h] 5_2_00EF1131
Source: C:\Users\user\Desktop\P.O.exe Code function: 5_2_00EF1131 mov eax, dword ptr fs:[00000030h] 5_2_00EF1131
Source: C:\Users\user\Desktop\P.O.exe Code function: 5_2_00F9A118 mov ecx, dword ptr fs:[00000030h] 5_2_00F9A118
Source: C:\Users\user\Desktop\P.O.exe Code function: 5_2_00F9A118 mov eax, dword ptr fs:[00000030h] 5_2_00F9A118
Source: C:\Users\user\Desktop\P.O.exe Code function: 5_2_00F9A118 mov eax, dword ptr fs:[00000030h] 5_2_00F9A118
Source: C:\Users\user\Desktop\P.O.exe Code function: 5_2_00F9A118 mov eax, dword ptr fs:[00000030h] 5_2_00F9A118
Source: C:\Users\user\Desktop\P.O.exe Code function: 5_2_00FB0115 mov eax, dword ptr fs:[00000030h] 5_2_00FB0115
Source: C:\Users\user\Desktop\P.O.exe Code function: 5_2_00FAF2F8 mov eax, dword ptr fs:[00000030h] 5_2_00FAF2F8
Source: C:\Users\user\Desktop\P.O.exe Code function: 5_2_00EE92FF mov eax, dword ptr fs:[00000030h] 5_2_00EE92FF
Source: C:\Users\user\Desktop\P.O.exe Code function: 5_2_00F002E1 mov eax, dword ptr fs:[00000030h] 5_2_00F002E1
Source: C:\Users\user\Desktop\P.O.exe Code function: 5_2_00F002E1 mov eax, dword ptr fs:[00000030h] 5_2_00F002E1
Source: C:\Users\user\Desktop\P.O.exe Code function: 5_2_00F002E1 mov eax, dword ptr fs:[00000030h] 5_2_00F002E1
Source: C:\Users\user\Desktop\P.O.exe Code function: 5_2_00FA12ED mov eax, dword ptr fs:[00000030h] 5_2_00FA12ED
Source: C:\Users\user\Desktop\P.O.exe Code function: 5_2_00FA12ED mov eax, dword ptr fs:[00000030h] 5_2_00FA12ED
Source: C:\Users\user\Desktop\P.O.exe Code function: 5_2_00FA12ED mov eax, dword ptr fs:[00000030h] 5_2_00FA12ED
Source: C:\Users\user\Desktop\P.O.exe Code function: 5_2_00FA12ED mov eax, dword ptr fs:[00000030h] 5_2_00FA12ED
Source: C:\Users\user\Desktop\P.O.exe Code function: 5_2_00FA12ED mov eax, dword ptr fs:[00000030h] 5_2_00FA12ED
Source: C:\Users\user\Desktop\P.O.exe Code function: 5_2_00FA12ED mov eax, dword ptr fs:[00000030h] 5_2_00FA12ED
Source: C:\Users\user\Desktop\P.O.exe Code function: 5_2_00FA12ED mov eax, dword ptr fs:[00000030h] 5_2_00FA12ED
Source: C:\Users\user\Desktop\P.O.exe Code function: 5_2_00FA12ED mov eax, dword ptr fs:[00000030h] 5_2_00FA12ED
Source: C:\Users\user\Desktop\P.O.exe Code function: 5_2_00FA12ED mov eax, dword ptr fs:[00000030h] 5_2_00FA12ED
Source: C:\Users\user\Desktop\P.O.exe Code function: 5_2_00FA12ED mov eax, dword ptr fs:[00000030h] 5_2_00FA12ED
Source: C:\Users\user\Desktop\P.O.exe Code function: 5_2_00FA12ED mov eax, dword ptr fs:[00000030h] 5_2_00FA12ED
Source: C:\Users\user\Desktop\P.O.exe Code function: 5_2_00FA12ED mov eax, dword ptr fs:[00000030h] 5_2_00FA12ED
Source: C:\Users\user\Desktop\P.O.exe Code function: 5_2_00FA12ED mov eax, dword ptr fs:[00000030h] 5_2_00FA12ED
Source: C:\Users\user\Desktop\P.O.exe Code function: 5_2_00FA12ED mov eax, dword ptr fs:[00000030h] 5_2_00FA12ED
Source: C:\Users\user\Desktop\P.O.exe Code function: 5_2_00FC52E2 mov eax, dword ptr fs:[00000030h] 5_2_00FC52E2
Source: C:\Users\user\Desktop\P.O.exe Code function: 5_2_00F1F2D0 mov eax, dword ptr fs:[00000030h] 5_2_00F1F2D0
Source: C:\Users\user\Desktop\P.O.exe Code function: 5_2_00F1F2D0 mov eax, dword ptr fs:[00000030h] 5_2_00F1F2D0
Source: C:\Users\user\Desktop\P.O.exe Code function: 5_2_00EF92C5 mov eax, dword ptr fs:[00000030h] 5_2_00EF92C5
Source: C:\Users\user\Desktop\P.O.exe Code function: 5_2_00EF92C5 mov eax, dword ptr fs:[00000030h] 5_2_00EF92C5
Source: C:\Users\user\Desktop\P.O.exe Code function: 5_2_00EFA2C3 mov eax, dword ptr fs:[00000030h] 5_2_00EFA2C3
Source: C:\Users\user\Desktop\P.O.exe Code function: 5_2_00EFA2C3 mov eax, dword ptr fs:[00000030h] 5_2_00EFA2C3
Source: C:\Users\user\Desktop\P.O.exe Code function: 5_2_00EFA2C3 mov eax, dword ptr fs:[00000030h] 5_2_00EFA2C3
Source: C:\Users\user\Desktop\P.O.exe Code function: 5_2_00EFA2C3 mov eax, dword ptr fs:[00000030h] 5_2_00EFA2C3
Source: C:\Users\user\Desktop\P.O.exe Code function: 5_2_00EFA2C3 mov eax, dword ptr fs:[00000030h] 5_2_00EFA2C3
Source: C:\Users\user\Desktop\P.O.exe Code function: 5_2_00F1B2C0 mov eax, dword ptr fs:[00000030h] 5_2_00F1B2C0
Source: C:\Users\user\Desktop\P.O.exe Code function: 5_2_00F1B2C0 mov eax, dword ptr fs:[00000030h] 5_2_00F1B2C0
Source: C:\Users\user\Desktop\P.O.exe Code function: 5_2_00F1B2C0 mov eax, dword ptr fs:[00000030h] 5_2_00F1B2C0
Source: C:\Users\user\Desktop\P.O.exe Code function: 5_2_00F1B2C0 mov eax, dword ptr fs:[00000030h] 5_2_00F1B2C0
Source: C:\Users\user\Desktop\P.O.exe Code function: 5_2_00F1B2C0 mov eax, dword ptr fs:[00000030h] 5_2_00F1B2C0
Source: C:\Users\user\Desktop\P.O.exe Code function: 5_2_00F1B2C0 mov eax, dword ptr fs:[00000030h] 5_2_00F1B2C0
Source: C:\Users\user\Desktop\P.O.exe Code function: 5_2_00F1B2C0 mov eax, dword ptr fs:[00000030h] 5_2_00F1B2C0
Source: C:\Users\user\Desktop\P.O.exe Code function: 5_2_00EEB2D3 mov eax, dword ptr fs:[00000030h] 5_2_00EEB2D3
Source: C:\Users\user\Desktop\P.O.exe Code function: 5_2_00EEB2D3 mov eax, dword ptr fs:[00000030h] 5_2_00EEB2D3
Source: C:\Users\user\Desktop\P.O.exe Code function: 5_2_00EEB2D3 mov eax, dword ptr fs:[00000030h] 5_2_00EEB2D3
Source: C:\Users\user\Desktop\P.O.exe Code function: 5_2_00F792BC mov eax, dword ptr fs:[00000030h] 5_2_00F792BC
Source: C:\Users\user\Desktop\P.O.exe Code function: 5_2_00F792BC mov eax, dword ptr fs:[00000030h] 5_2_00F792BC
Source: C:\Users\user\Desktop\P.O.exe Code function: 5_2_00F792BC mov ecx, dword ptr fs:[00000030h] 5_2_00F792BC
Source: C:\Users\user\Desktop\P.O.exe Code function: 5_2_00F792BC mov ecx, dword ptr fs:[00000030h] 5_2_00F792BC
Source: C:\Users\user\Desktop\P.O.exe Code function: 5_2_00F002A0 mov eax, dword ptr fs:[00000030h] 5_2_00F002A0
Source: C:\Users\user\Desktop\P.O.exe Code function: 5_2_00F002A0 mov eax, dword ptr fs:[00000030h] 5_2_00F002A0
Source: C:\Users\user\Desktop\P.O.exe Code function: 5_2_00F052A0 mov eax, dword ptr fs:[00000030h] 5_2_00F052A0
Source: C:\Users\user\Desktop\P.O.exe Code function: 5_2_00F052A0 mov eax, dword ptr fs:[00000030h] 5_2_00F052A0
Source: C:\Users\user\Desktop\P.O.exe Code function: 5_2_00F052A0 mov eax, dword ptr fs:[00000030h] 5_2_00F052A0
Source: C:\Users\user\Desktop\P.O.exe Code function: 5_2_00F052A0 mov eax, dword ptr fs:[00000030h] 5_2_00F052A0
Source: C:\Users\user\Desktop\P.O.exe Code function: 5_2_00F872A0 mov eax, dword ptr fs:[00000030h] 5_2_00F872A0
Source: C:\Users\user\Desktop\P.O.exe Code function: 5_2_00F872A0 mov eax, dword ptr fs:[00000030h] 5_2_00F872A0
Source: C:\Users\user\Desktop\P.O.exe Code function: 5_2_00F862A0 mov eax, dword ptr fs:[00000030h] 5_2_00F862A0
Source: C:\Users\user\Desktop\P.O.exe Code function: 5_2_00F862A0 mov ecx, dword ptr fs:[00000030h] 5_2_00F862A0
Source: C:\Users\user\Desktop\P.O.exe Code function: 5_2_00F862A0 mov eax, dword ptr fs:[00000030h] 5_2_00F862A0
Source: C:\Users\user\Desktop\P.O.exe Code function: 5_2_00F862A0 mov eax, dword ptr fs:[00000030h] 5_2_00F862A0
Source: C:\Users\user\Desktop\P.O.exe Code function: 5_2_00F862A0 mov eax, dword ptr fs:[00000030h] 5_2_00F862A0
Source: C:\Users\user\Desktop\P.O.exe Code function: 5_2_00F862A0 mov eax, dword ptr fs:[00000030h] 5_2_00F862A0
Source: C:\Users\user\Desktop\P.O.exe Code function: 5_2_00FB92A6 mov eax, dword ptr fs:[00000030h] 5_2_00FB92A6
Source: C:\Users\user\Desktop\P.O.exe Code function: 5_2_00FB92A6 mov eax, dword ptr fs:[00000030h] 5_2_00FB92A6
Source: C:\Users\user\Desktop\P.O.exe Code function: 5_2_00FB92A6 mov eax, dword ptr fs:[00000030h] 5_2_00FB92A6
Source: C:\Users\user\Desktop\P.O.exe Code function: 5_2_00FB92A6 mov eax, dword ptr fs:[00000030h] 5_2_00FB92A6
Source: C:\Users\user\Desktop\P.O.exe Code function: 5_2_00F2329E mov eax, dword ptr fs:[00000030h] 5_2_00F2329E
Source: C:\Users\user\Desktop\P.O.exe Code function: 5_2_00F2329E mov eax, dword ptr fs:[00000030h] 5_2_00F2329E
Source: C:\Users\user\Desktop\P.O.exe Code function: 5_2_00F70283 mov eax, dword ptr fs:[00000030h] 5_2_00F70283
Source: C:\Users\user\Desktop\P.O.exe Code function: 5_2_00F70283 mov eax, dword ptr fs:[00000030h] 5_2_00F70283
Source: C:\Users\user\Desktop\P.O.exe Code function: 5_2_00F70283 mov eax, dword ptr fs:[00000030h] 5_2_00F70283
Source: C:\Users\user\Desktop\P.O.exe Code function: 5_2_00F2E284 mov eax, dword ptr fs:[00000030h] 5_2_00F2E284
Source: C:\Users\user\Desktop\P.O.exe Code function: 5_2_00F2E284 mov eax, dword ptr fs:[00000030h] 5_2_00F2E284
Source: C:\Users\user\Desktop\P.O.exe Code function: 5_2_00FC5283 mov eax, dword ptr fs:[00000030h] 5_2_00FC5283
Source: C:\Users\user\Desktop\P.O.exe Code function: 5_2_00F31270 mov eax, dword ptr fs:[00000030h] 5_2_00F31270
Source: C:\Users\user\Desktop\P.O.exe Code function: 5_2_00F31270 mov eax, dword ptr fs:[00000030h] 5_2_00F31270
Source: C:\Users\user\Desktop\P.O.exe Code function: 5_2_00EE826B mov eax, dword ptr fs:[00000030h] 5_2_00EE826B
Source: C:\Users\user\Desktop\P.O.exe Code function: 5_2_00F19274 mov eax, dword ptr fs:[00000030h] 5_2_00F19274
Source: C:\Users\user\Desktop\P.O.exe Code function: 5_2_00FA0274 mov eax, dword ptr fs:[00000030h] 5_2_00FA0274
Source: C:\Users\user\Desktop\P.O.exe Code function: 5_2_00FA0274 mov eax, dword ptr fs:[00000030h] 5_2_00FA0274
Source: C:\Users\user\Desktop\P.O.exe Code function: 5_2_00FA0274 mov eax, dword ptr fs:[00000030h] 5_2_00FA0274
Source: C:\Users\user\Desktop\P.O.exe Code function: 5_2_00FA0274 mov eax, dword ptr fs:[00000030h] 5_2_00FA0274
Source: C:\Users\user\Desktop\P.O.exe Code function: 5_2_00FA0274 mov eax, dword ptr fs:[00000030h] 5_2_00FA0274
Source: C:\Users\user\Desktop\P.O.exe Code function: 5_2_00FA0274 mov eax, dword ptr fs:[00000030h] 5_2_00FA0274
Source: C:\Users\user\Desktop\P.O.exe Code function: 5_2_00FA0274 mov eax, dword ptr fs:[00000030h] 5_2_00FA0274
Source: C:\Users\user\Desktop\P.O.exe Code function: 5_2_00FA0274 mov eax, dword ptr fs:[00000030h] 5_2_00FA0274
Source: C:\Users\user\Desktop\P.O.exe Code function: 5_2_00FA0274 mov eax, dword ptr fs:[00000030h] 5_2_00FA0274
Source: C:\Users\user\Desktop\P.O.exe Code function: 5_2_00FA0274 mov eax, dword ptr fs:[00000030h] 5_2_00FA0274
Source: C:\Users\user\Desktop\P.O.exe Code function: 5_2_00FA0274 mov eax, dword ptr fs:[00000030h] 5_2_00FA0274
Source: C:\Users\user\Desktop\P.O.exe Code function: 5_2_00FA0274 mov eax, dword ptr fs:[00000030h] 5_2_00FA0274
Source: C:\Users\user\Desktop\P.O.exe Code function: 5_2_00EF4260 mov eax, dword ptr fs:[00000030h] 5_2_00EF4260
Source: C:\Users\user\Desktop\P.O.exe Code function: 5_2_00EF4260 mov eax, dword ptr fs:[00000030h] 5_2_00EF4260
Source: C:\Users\user\Desktop\P.O.exe Code function: 5_2_00EF4260 mov eax, dword ptr fs:[00000030h] 5_2_00EF4260
Source: C:\Users\user\Desktop\P.O.exe Code function: 5_2_00FBD26B mov eax, dword ptr fs:[00000030h] 5_2_00FBD26B
Source: C:\Users\user\Desktop\P.O.exe Code function: 5_2_00FBD26B mov eax, dword ptr fs:[00000030h] 5_2_00FBD26B
Source: C:\Users\user\Desktop\P.O.exe Code function: 5_2_00FAB256 mov eax, dword ptr fs:[00000030h] 5_2_00FAB256
Source: C:\Users\user\Desktop\P.O.exe Code function: 5_2_00FAB256 mov eax, dword ptr fs:[00000030h] 5_2_00FAB256
Source: C:\Users\user\Desktop\P.O.exe Code function: 5_2_00EE9240 mov eax, dword ptr fs:[00000030h] 5_2_00EE9240
Source: C:\Users\user\Desktop\P.O.exe Code function: 5_2_00EE9240 mov eax, dword ptr fs:[00000030h] 5_2_00EE9240
Source: C:\Users\user\Desktop\P.O.exe Code function: 5_2_00F78243 mov eax, dword ptr fs:[00000030h] 5_2_00F78243
Source: C:\Users\user\Desktop\P.O.exe Code function: 5_2_00F78243 mov ecx, dword ptr fs:[00000030h] 5_2_00F78243
Source: C:\Users\user\Desktop\P.O.exe Code function: 5_2_00EF6259 mov eax, dword ptr fs:[00000030h] 5_2_00EF6259
Source: C:\Users\user\Desktop\P.O.exe Code function: 5_2_00EEA250 mov eax, dword ptr fs:[00000030h] 5_2_00EEA250
Source: C:\Users\user\Desktop\P.O.exe Code function: 5_2_00F2724D mov eax, dword ptr fs:[00000030h] 5_2_00F2724D
Source: C:\Users\user\Desktop\P.O.exe Code function: 5_2_00EE823B mov eax, dword ptr fs:[00000030h] 5_2_00EE823B
Source: C:\Users\user\Desktop\P.O.exe Code function: 5_2_00FC5227 mov eax, dword ptr fs:[00000030h] 5_2_00FC5227
Source: C:\Users\user\Desktop\P.O.exe Code function: 5_2_00F27208 mov eax, dword ptr fs:[00000030h] 5_2_00F27208
Source: C:\Users\user\Desktop\P.O.exe Code function: 5_2_00F27208 mov eax, dword ptr fs:[00000030h] 5_2_00F27208
Source: C:\Users\user\Desktop\P.O.exe Code function: 5_2_00FC53FC mov eax, dword ptr fs:[00000030h] 5_2_00FC53FC
Source: C:\Users\user\Desktop\P.O.exe Code function: 5_2_00F0E3F0 mov eax, dword ptr fs:[00000030h] 5_2_00F0E3F0
Source: C:\Users\user\Desktop\P.O.exe Code function: 5_2_00F0E3F0 mov eax, dword ptr fs:[00000030h] 5_2_00F0E3F0
Source: C:\Users\user\Desktop\P.O.exe Code function: 5_2_00F0E3F0 mov eax, dword ptr fs:[00000030h] 5_2_00F0E3F0
Source: C:\Users\user\Desktop\P.O.exe Code function: 5_2_00F263FF mov eax, dword ptr fs:[00000030h] 5_2_00F263FF
Source: C:\Users\user\Desktop\P.O.exe Code function: 5_2_00F003E9 mov eax, dword ptr fs:[00000030h] 5_2_00F003E9
Source: C:\Users\user\Desktop\P.O.exe Code function: 5_2_00F003E9 mov eax, dword ptr fs:[00000030h] 5_2_00F003E9
Source: C:\Users\user\Desktop\P.O.exe Code function: 5_2_00F003E9 mov eax, dword ptr fs:[00000030h] 5_2_00F003E9
Source: C:\Users\user\Desktop\P.O.exe Code function: 5_2_00F003E9 mov eax, dword ptr fs:[00000030h] 5_2_00F003E9
Source: C:\Users\user\Desktop\P.O.exe Code function: 5_2_00F003E9 mov eax, dword ptr fs:[00000030h] 5_2_00F003E9
Source: C:\Users\user\Desktop\P.O.exe Code function: 5_2_00F003E9 mov eax, dword ptr fs:[00000030h] 5_2_00F003E9
Source: C:\Users\user\Desktop\P.O.exe Code function: 5_2_00F003E9 mov eax, dword ptr fs:[00000030h] 5_2_00F003E9
Source: C:\Users\user\Desktop\P.O.exe Code function: 5_2_00F003E9 mov eax, dword ptr fs:[00000030h] 5_2_00F003E9
Source: C:\Users\user\Desktop\P.O.exe Code function: 5_2_00FAF3E6 mov eax, dword ptr fs:[00000030h] 5_2_00FAF3E6
Source: C:\Users\user\Desktop\P.O.exe Code function: 5_2_00FAB3D0 mov ecx, dword ptr fs:[00000030h] 5_2_00FAB3D0
Source: C:\Users\user\Desktop\P.O.exe Code function: 5_2_00EFA3C0 mov eax, dword ptr fs:[00000030h] 5_2_00EFA3C0
Source: C:\Users\user\Desktop\P.O.exe Code function: 5_2_00EFA3C0 mov eax, dword ptr fs:[00000030h] 5_2_00EFA3C0
Source: C:\Users\user\Desktop\P.O.exe Code function: 5_2_00EFA3C0 mov eax, dword ptr fs:[00000030h] 5_2_00EFA3C0
Source: C:\Users\user\Desktop\P.O.exe Code function: 5_2_00EFA3C0 mov eax, dword ptr fs:[00000030h] 5_2_00EFA3C0
Source: C:\Users\user\Desktop\P.O.exe Code function: 5_2_00EFA3C0 mov eax, dword ptr fs:[00000030h] 5_2_00EFA3C0
Source: C:\Users\user\Desktop\P.O.exe Code function: 5_2_00EFA3C0 mov eax, dword ptr fs:[00000030h] 5_2_00EFA3C0
Source: C:\Users\user\Desktop\P.O.exe Code function: 5_2_00EF83C0 mov eax, dword ptr fs:[00000030h] 5_2_00EF83C0
Source: C:\Users\user\Desktop\P.O.exe Code function: 5_2_00EF83C0 mov eax, dword ptr fs:[00000030h] 5_2_00EF83C0
Source: C:\Users\user\Desktop\P.O.exe Code function: 5_2_00EF83C0 mov eax, dword ptr fs:[00000030h] 5_2_00EF83C0
Source: C:\Users\user\Desktop\P.O.exe Code function: 5_2_00EF83C0 mov eax, dword ptr fs:[00000030h] 5_2_00EF83C0
Source: C:\Users\user\Desktop\P.O.exe Code function: 5_2_00FAC3CD mov eax, dword ptr fs:[00000030h] 5_2_00FAC3CD
Source: C:\Users\user\Desktop\P.O.exe Code function: 5_2_00F763C0 mov eax, dword ptr fs:[00000030h] 5_2_00F763C0
Source: C:\Users\user\Desktop\P.O.exe Code function: 5_2_00F233A0 mov eax, dword ptr fs:[00000030h] 5_2_00F233A0
Source: C:\Users\user\Desktop\P.O.exe Code function: 5_2_00F233A0 mov eax, dword ptr fs:[00000030h] 5_2_00F233A0
Source: C:\Users\user\Desktop\P.O.exe Code function: 5_2_00F133A5 mov eax, dword ptr fs:[00000030h] 5_2_00F133A5
Source: C:\Users\user\Desktop\P.O.exe Code function: 5_2_00FC539D mov eax, dword ptr fs:[00000030h] 5_2_00FC539D
Source: C:\Users\user\Desktop\P.O.exe Code function: 5_2_00EEE388 mov eax, dword ptr fs:[00000030h] 5_2_00EEE388
Source: C:\Users\user\Desktop\P.O.exe Code function: 5_2_00EEE388 mov eax, dword ptr fs:[00000030h] 5_2_00EEE388
Source: C:\Users\user\Desktop\P.O.exe Code function: 5_2_00EEE388 mov eax, dword ptr fs:[00000030h] 5_2_00EEE388
Source: C:\Users\user\Desktop\P.O.exe Code function: 5_2_00F4739A mov eax, dword ptr fs:[00000030h] 5_2_00F4739A
Source: C:\Users\user\Desktop\P.O.exe Code function: 5_2_00F4739A mov eax, dword ptr fs:[00000030h] 5_2_00F4739A
Source: C:\Users\user\Desktop\P.O.exe Code function: 5_2_00EE8397 mov eax, dword ptr fs:[00000030h] 5_2_00EE8397
Source: C:\Users\user\Desktop\P.O.exe Code function: 5_2_00EE8397 mov eax, dword ptr fs:[00000030h] 5_2_00EE8397
Source: C:\Users\user\Desktop\P.O.exe Code function: 5_2_00EE8397 mov eax, dword ptr fs:[00000030h] 5_2_00EE8397
Source: C:\Users\user\Desktop\P.O.exe Code function: 5_2_00F1438F mov eax, dword ptr fs:[00000030h] 5_2_00F1438F
Source: C:\Users\user\Desktop\P.O.exe Code function: 5_2_00F1438F mov eax, dword ptr fs:[00000030h] 5_2_00F1438F
Source: C:\Users\user\Desktop\P.O.exe Code function: 5_2_00F9437C mov eax, dword ptr fs:[00000030h] 5_2_00F9437C
Source: C:\Users\user\Desktop\P.O.exe Code function: 5_2_00FAF367 mov eax, dword ptr fs:[00000030h] 5_2_00FAF367
Source: C:\Users\user\Desktop\P.O.exe Code function: 5_2_00EF7370 mov eax, dword ptr fs:[00000030h] 5_2_00EF7370
Source: C:\Users\user\Desktop\P.O.exe Code function: 5_2_00EF7370 mov eax, dword ptr fs:[00000030h] 5_2_00EF7370
Source: C:\Users\user\Desktop\P.O.exe Code function: 5_2_00EF7370 mov eax, dword ptr fs:[00000030h] 5_2_00EF7370
Source: C:\Users\user\Desktop\P.O.exe Code function: 5_2_00EED34C mov eax, dword ptr fs:[00000030h] 5_2_00EED34C
Source: C:\Users\user\Desktop\P.O.exe Code function: 5_2_00EED34C mov eax, dword ptr fs:[00000030h] 5_2_00EED34C
Source: C:\Users\user\Desktop\P.O.exe Code function: 5_2_00FBA352 mov eax, dword ptr fs:[00000030h] 5_2_00FBA352
Source: C:\Users\user\Desktop\P.O.exe Code function: 5_2_00F7035C mov eax, dword ptr fs:[00000030h] 5_2_00F7035C
Source: C:\Users\user\Desktop\P.O.exe Code function: 5_2_00F7035C mov eax, dword ptr fs:[00000030h] 5_2_00F7035C
Source: C:\Users\user\Desktop\P.O.exe Code function: 5_2_00F7035C mov eax, dword ptr fs:[00000030h] 5_2_00F7035C
Source: C:\Users\user\Desktop\P.O.exe Code function: 5_2_00F7035C mov ecx, dword ptr fs:[00000030h] 5_2_00F7035C
Source: C:\Users\user\Desktop\P.O.exe Code function: 5_2_00F7035C mov eax, dword ptr fs:[00000030h] 5_2_00F7035C
Source: C:\Users\user\Desktop\P.O.exe Code function: 5_2_00F7035C mov eax, dword ptr fs:[00000030h] 5_2_00F7035C
Source: C:\Users\user\Desktop\P.O.exe Code function: 5_2_00FC5341 mov eax, dword ptr fs:[00000030h] 5_2_00FC5341
Source: C:\Users\user\Desktop\P.O.exe Code function: 5_2_00EE9353 mov eax, dword ptr fs:[00000030h] 5_2_00EE9353
Source: C:\Users\user\Desktop\P.O.exe Code function: 5_2_00EE9353 mov eax, dword ptr fs:[00000030h] 5_2_00EE9353
Source: C:\Users\user\Desktop\P.O.exe Code function: 5_2_00F72349 mov eax, dword ptr fs:[00000030h] 5_2_00F72349
Source: C:\Users\user\Desktop\P.O.exe Code function: 5_2_00F72349 mov eax, dword ptr fs:[00000030h] 5_2_00F72349
Source: C:\Users\user\Desktop\P.O.exe Code function: 5_2_00F72349 mov eax, dword ptr fs:[00000030h] 5_2_00F72349
Source: C:\Users\user\Desktop\P.O.exe Code function: 5_2_00F72349 mov eax, dword ptr fs:[00000030h] 5_2_00F72349
Source: C:\Users\user\Desktop\P.O.exe Code function: 5_2_00F72349 mov eax, dword ptr fs:[00000030h] 5_2_00F72349
Source: C:\Users\user\Desktop\P.O.exe Code function: 5_2_00F72349 mov eax, dword ptr fs:[00000030h] 5_2_00F72349
Source: C:\Users\user\Desktop\P.O.exe Code function: 5_2_00F72349 mov eax, dword ptr fs:[00000030h] 5_2_00F72349
Source: C:\Users\user\Desktop\P.O.exe Code function: 5_2_00F72349 mov eax, dword ptr fs:[00000030h] 5_2_00F72349
Source: C:\Users\user\Desktop\P.O.exe Code function: 5_2_00F72349 mov eax, dword ptr fs:[00000030h] 5_2_00F72349
Source: C:\Users\user\Desktop\P.O.exe Code function: 5_2_00F72349 mov eax, dword ptr fs:[00000030h] 5_2_00F72349
Source: C:\Users\user\Desktop\P.O.exe Code function: 5_2_00F72349 mov eax, dword ptr fs:[00000030h] 5_2_00F72349
Source: C:\Users\user\Desktop\P.O.exe Code function: 5_2_00F72349 mov eax, dword ptr fs:[00000030h] 5_2_00F72349
Source: C:\Users\user\Desktop\P.O.exe Code function: 5_2_00F72349 mov eax, dword ptr fs:[00000030h] 5_2_00F72349
Source: C:\Users\user\Desktop\P.O.exe Code function: 5_2_00F72349 mov eax, dword ptr fs:[00000030h] 5_2_00F72349
Source: C:\Users\user\Desktop\P.O.exe Code function: 5_2_00F72349 mov eax, dword ptr fs:[00000030h] 5_2_00F72349
Source: C:\Users\user\Desktop\P.O.exe Code function: 5_2_00FB132D mov eax, dword ptr fs:[00000030h] 5_2_00FB132D
Source: C:\Users\user\Desktop\P.O.exe Code function: 5_2_00FB132D mov eax, dword ptr fs:[00000030h] 5_2_00FB132D
Source: C:\Users\user\Desktop\P.O.exe Code function: 5_2_00F1F32A mov eax, dword ptr fs:[00000030h] 5_2_00F1F32A
Source: C:\Users\user\Desktop\P.O.exe Code function: 5_2_00EE7330 mov eax, dword ptr fs:[00000030h] 5_2_00EE7330
Source: C:\Users\user\Desktop\P.O.exe Code function: 5_2_00F10310 mov ecx, dword ptr fs:[00000030h] 5_2_00F10310
Source: C:\Users\user\Desktop\P.O.exe Code function: 5_2_00F2A30B mov eax, dword ptr fs:[00000030h] 5_2_00F2A30B
Source: C:\Users\user\Desktop\P.O.exe Code function: 5_2_00F2A30B mov eax, dword ptr fs:[00000030h] 5_2_00F2A30B
Source: C:\Users\user\Desktop\P.O.exe Code function: 5_2_00F2A30B mov eax, dword ptr fs:[00000030h] 5_2_00F2A30B
Source: C:\Users\user\Desktop\P.O.exe Code function: 5_2_00F7930B mov eax, dword ptr fs:[00000030h] 5_2_00F7930B
Source: C:\Users\user\Desktop\P.O.exe Code function: 5_2_00F7930B mov eax, dword ptr fs:[00000030h] 5_2_00F7930B
Source: C:\Users\user\Desktop\P.O.exe Code function: 5_2_00F7930B mov eax, dword ptr fs:[00000030h] 5_2_00F7930B
Source: C:\Users\user\Desktop\P.O.exe Code function: 5_2_00EEC310 mov ecx, dword ptr fs:[00000030h] 5_2_00EEC310
Source: C:\Users\user\Desktop\P.O.exe Code function: 5_2_00EF04E5 mov ecx, dword ptr fs:[00000030h] 5_2_00EF04E5
Source: C:\Users\user\Desktop\P.O.exe Code function: 5_2_00F994E0 mov eax, dword ptr fs:[00000030h] 5_2_00F994E0
Source: C:\Users\user\Desktop\P.O.exe Code function: 5_2_00FC54DB mov eax, dword ptr fs:[00000030h] 5_2_00FC54DB
Source: C:\Users\user\Desktop\P.O.exe Code function: 5_2_00F234B0 mov eax, dword ptr fs:[00000030h] 5_2_00F234B0
Source: C:\Users\user\Desktop\P.O.exe Code function: 5_2_00F244B0 mov ecx, dword ptr fs:[00000030h] 5_2_00F244B0
Source: C:\Users\user\Desktop\P.O.exe Code function: 5_2_00EF64AB mov eax, dword ptr fs:[00000030h] 5_2_00EF64AB
Source: C:\Users\user\Desktop\P.O.exe Code function: 5_2_00F7A4B0 mov eax, dword ptr fs:[00000030h] 5_2_00F7A4B0
Source: C:\Users\user\Desktop\P.O.exe Code function: 5_2_00EF9486 mov eax, dword ptr fs:[00000030h] 5_2_00EF9486
Source: C:\Users\user\Desktop\P.O.exe Code function: 5_2_00EF9486 mov eax, dword ptr fs:[00000030h] 5_2_00EF9486
Source: C:\Users\user\Desktop\P.O.exe Code function: 5_2_00EEB480 mov eax, dword ptr fs:[00000030h] 5_2_00EEB480
Source: C:\Users\user\Desktop\P.O.exe Code function: 5_2_00F1A470 mov eax, dword ptr fs:[00000030h] 5_2_00F1A470
Source: C:\Users\user\Desktop\P.O.exe Code function: 5_2_00F1A470 mov eax, dword ptr fs:[00000030h] 5_2_00F1A470
Source: C:\Users\user\Desktop\P.O.exe Code function: 5_2_00F1A470 mov eax, dword ptr fs:[00000030h] 5_2_00F1A470
Source: C:\Users\user\Desktop\P.O.exe Code function: 5_2_00FC547F mov eax, dword ptr fs:[00000030h] 5_2_00FC547F
Source: C:\Users\user\Desktop\P.O.exe Code function: 5_2_00EF1460 mov eax, dword ptr fs:[00000030h] 5_2_00EF1460
Source: C:\Users\user\Desktop\P.O.exe Code function: 5_2_00EF1460 mov eax, dword ptr fs:[00000030h] 5_2_00EF1460
Source: C:\Users\user\Desktop\P.O.exe Code function: 5_2_00EF1460 mov eax, dword ptr fs:[00000030h] 5_2_00EF1460
Source: C:\Users\user\Desktop\P.O.exe Code function: 5_2_00EF1460 mov eax, dword ptr fs:[00000030h] 5_2_00EF1460
Source: C:\Users\user\Desktop\P.O.exe Code function: 5_2_00EF1460 mov eax, dword ptr fs:[00000030h] 5_2_00EF1460
Source: C:\Users\user\Desktop\P.O.exe Code function: 5_2_00F0F460 mov eax, dword ptr fs:[00000030h] 5_2_00F0F460
Source: C:\Users\user\Desktop\P.O.exe Code function: 5_2_00F0F460 mov eax, dword ptr fs:[00000030h] 5_2_00F0F460
Source: C:\Users\user\Desktop\P.O.exe Code function: 5_2_00F0F460 mov eax, dword ptr fs:[00000030h] 5_2_00F0F460
Source: C:\Users\user\Desktop\P.O.exe Code function: 5_2_00F0F460 mov eax, dword ptr fs:[00000030h] 5_2_00F0F460
Source: C:\Users\user\Desktop\P.O.exe Code function: 5_2_00F0F460 mov eax, dword ptr fs:[00000030h] 5_2_00F0F460
Source: C:\Users\user\Desktop\P.O.exe Code function: 5_2_00F0F460 mov eax, dword ptr fs:[00000030h] 5_2_00F0F460
Source: C:\Users\user\Desktop\P.O.exe Code function: 5_2_00F7C460 mov ecx, dword ptr fs:[00000030h] 5_2_00F7C460
Source: C:\Users\user\Desktop\P.O.exe Code function: 5_2_00FAF453 mov eax, dword ptr fs:[00000030h] 5_2_00FAF453
Source: C:\Users\user\Desktop\P.O.exe Code function: 5_2_00F1245A mov eax, dword ptr fs:[00000030h] 5_2_00F1245A
Source: C:\Users\user\Desktop\P.O.exe Code function: 5_2_00EFB440 mov eax, dword ptr fs:[00000030h] 5_2_00EFB440
Source: C:\Users\user\Desktop\P.O.exe Code function: 5_2_00EFB440 mov eax, dword ptr fs:[00000030h] 5_2_00EFB440
Source: C:\Users\user\Desktop\P.O.exe Code function: 5_2_00EFB440 mov eax, dword ptr fs:[00000030h] 5_2_00EFB440
Source: C:\Users\user\Desktop\P.O.exe Code function: 5_2_00EFB440 mov eax, dword ptr fs:[00000030h] 5_2_00EFB440
Source: C:\Users\user\Desktop\P.O.exe Code function: 5_2_00EFB440 mov eax, dword ptr fs:[00000030h] 5_2_00EFB440
Source: C:\Users\user\Desktop\P.O.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\P.O.exe Memory written: C:\Users\user\Desktop\P.O.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\P.O.exe Process created: C:\Users\user\Desktop\P.O.exe "C:\Users\user\Desktop\P.O.exe"
Source: C:\Users\user\Desktop\P.O.exe Queries volume information: C:\Users\user\Desktop\P.O.exe VolumeInformation
Source: C:\Users\user\Desktop\P.O.exe Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\P.O.exe Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\P.O.exe Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\P.O.exe Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\P.O.exe Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\P.O.exe Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\P.O.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\P.O.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match File source: 5.2.P.O.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.P.O.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000005.00000002.2357534519.0000000001210000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.2355865186.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Source: Yara match File source: 5.2.P.O.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.P.O.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000005.00000002.2357534519.0000000001210000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.2355865186.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
No contacted IP infos