
Windows Analysis Report
215.exe

Overview

General Information

Sample name: 215.exe
Analysis ID: 1559177
MD5: 4d18783059031dea15c1ff32f60ea380
SHA1: b370235425ba172a351eb7bd9c3e711029103c62
SHA256: 62dcd6e23be41d2f3d5a350d909240714781431b2d8dbffea6d31cd9b4d170d1
Tags: exe, opendir, user-Joker

Detection

Score: 84
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected unpacking (creates a PE file in dynamic memory)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
AI detected suspicious sample
Found evasive API chain (may stop execution after checking mutex)
Machine Learning detection for dropped file
Machine Learning detection for sample
Renames NTDLL to bypass HIPS
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to record screenshots
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Drops PE files
Enables debug privileges
Enables driver privileges
Enables security privileges
Entry point lies outside standard sections
Found dropped PE file which has not been started or loaded
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Installs a raw input device (often for capturing keystrokes)
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
PE file does not import any functions
Sample file is different than original file name gathered from version info
Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Keylogger Generic
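Several of the static findings in the list above (32-bit image, no import directory, non-standard section names, an entry point outside a standard section, and the IMAGE_FILE characteristics flags printed further down) follow from a handful of PE header reads. The block below is an added example written for this page, not Joe Sandbox's code: it parses the DOS, COFF, optional and section headers directly so it needs only the Python standard library, and it runs against two constructed header-only images (the "packed" one is a made-up stand-in with a UPX-style section name, not 215.exe). The set of names treated as standard sections is my own choice and is an assumption.

```python
import struct

# Section names a linker normally emits; anything else counts as non-standard here (assumption).
STANDARD_SECTIONS = {".text", ".rdata", ".data", ".idata", ".edata", ".pdata",
                     ".rsrc", ".reloc", ".bss", ".tls", ".CRT"}

# IMAGE_FILE_* characteristics bits, named as the report's "Static PE information" line prints them.
FILE_CHARACTERISTICS = {0x0001: "RELOCS_STRIPPED", 0x0002: "EXECUTABLE_IMAGE",
                        0x0004: "LINE_NUMS_STRIPPED", 0x0008: "LOCAL_SYMS_STRIPPED",
                        0x0100: "32BIT_MACHINE", 0x2000: "DLL"}

def parse_pe(data: bytes) -> dict:
    """Read just enough of a PE32 or PE32+ image for the checks below."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = pe_off + 4
    machine, nsec, _, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    is_pe32 = struct.unpack_from("<H", data, opt)[0] == 0x10B  # 0x20B would be PE32+
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    dd = opt + (96 if is_pe32 else 112)                        # first data directory entry
    num_dirs = struct.unpack_from("<I", data, dd - 4)[0]       # NumberOfRvaAndSizes
    import_rva = import_size = 0
    if num_dirs > 1:                                           # index 1 is the import directory
        import_rva, import_size = struct.unpack_from("<II", data, dd + 8)
    sections = []
    for i in range(nsec):
        off = opt + opt_size + i * 40
        name = data[off:off + 8].rstrip(b"\0").decode("latin-1")
        vsize, rva, rawsize = struct.unpack_from("<III", data, off + 8)
        sections.append({"name": name, "rva": rva, "size": max(vsize, rawsize)})
    return {"machine": machine, "is_pe32": is_pe32, "characteristics": chars,
            "entry_rva": entry_rva, "import_rva": import_rva,
            "import_size": import_size, "sections": sections}

def section_for_rva(pe: dict, rva: int):
    """Return the section header whose virtual range contains rva, or None."""
    for s in pe["sections"]:
        if s["rva"] <= rva < s["rva"] + s["size"]:
            return s
    return None

def characteristic_names(pe: dict) -> list:
    return [n for bit, n in sorted(FILE_CHARACTERISTICS.items()) if pe["characteristics"] & bit]

def triage(data: bytes) -> list:
    """Produce the report-style static findings for one image."""
    pe = parse_pe(data)
    findings = []
    if pe["is_pe32"]:
        findings.append("Uses 32bit PE files")
    if pe["import_rva"] == 0 or pe["import_size"] == 0:
        findings.append("PE file does not import any functions")
    odd = [s["name"] for s in pe["sections"] if s["name"] not in STANDARD_SECTIONS]
    if odd:
        findings.append("PE file contains sections with non-standard names: " + ", ".join(odd))
    ep = section_for_rva(pe, pe["entry_rva"])
    if ep is None or ep["name"] not in STANDARD_SECTIONS:
        findings.append("Entry point lies outside standard sections (%s)" % (ep["name"] if ep else "no section"))
    return findings

def build_pe32(sections, entry_rva, import_rva=0, import_size=0, characteristics=0x010F) -> bytes:
    """Construct a header-only PE32 test image (constructed sample, not a real binary).
    sections: list of (name, rva, virtual_size)."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)               # e_lfanew = 64
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, characteristics)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                          # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)                     # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x400000)                      # ImageBase
    struct.pack_into("<I", opt, 92, 16)                            # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 104, import_rva, import_size)     # import directory entry
    hdrs = b"".join(name.encode().ljust(8, b"\0") +
                    struct.pack("<IIIIIIHHI", vsize, rva, vsize, 0, 0, 0, 0, 0, 0x60000020)
                    for name, rva, vsize in sections)
    return dos + b"PE\0\0" + coff + bytes(opt) + hdrs

# Constructed samples: a conventional layout and a packed-looking one with no imports.
CLEAN = build_pe32([(".text", 0x1000, 0x2000), (".rdata", 0x3000, 0x1000)],
                   entry_rva=0x1200, import_rva=0x3000, import_size=0x40)
PACKED = build_pe32([(".text", 0x1000, 0x2000), ("UPX1", 0x5000, 0x3000)], entry_rva=0x6000)

if __name__ == "__main__":
    for label, img in (("clean", CLEAN), ("packed", PACKED)):
        print(label, characteristic_names(parse_pe(img)), triage(img))
```

On the constructed PACKED image the checker reports all four findings; on CLEAN only the 32-bit note remains. A real packed sample will usually also carry a tiny import table (often just LoadLibraryA and GetProcAddress), so treat "no imports" as one signal among several rather than a verdict.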

Classification

  • System is w10x64
  • 215.exe (PID: 7260 cmdline: "C:\Users\user\Desktop\215.exe" MD5: 4D18783059031DEA15C1FF32F60EA380)
  • 215.exe (PID: 7584 cmdline: "C:\Users\user\Desktop\215.exe" MD5: 4D18783059031DEA15C1FF32F60EA380)
  • cleanup
No configs have been found
Source                                  | Rule                          | Description                     | Author       | Strings
Process Memory Space: 215.exe PID: 7260 | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security |
Process Memory Space: 215.exe PID: 7584 | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security |

Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification
Source: Registry Key set
Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
Data: Details: C:\Users\user\Desktop\215.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\215.exe, ProcessId: 7260, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\

No Suricata rule has matched
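The Sigma hit above is a Sysmon Event ID 13 (registry value set) in which 215.exe writes its own path under the 32-bit redirected Run key. The block below is an added example, not the Sigma rule itself and not Joe Sandbox code, that applies the same idea to flattened records of the form printed above. The autorun key list is my own subset of what the rule covers (assumption), the sample records are constructed for this example, and the scoring that raises severity when the autorun value points into a user-writable path or to the writing process's own image is an addition of mine, not part of the rule.

```python
import re

# 32-bit autorun keys; an optional value name may follow the key. Assumption: my own subset.
WOW64_AUTORUN_KEY = re.compile(
    r"\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\"
    r"(Run|RunOnce|RunServices|RunServicesOnce|Policies\\Explorer\\Run)(\\[^\\]*)?$",
    re.I)
# Locations an unprivileged user can write to; an autorun value pointing there is a
# stronger signal than one pointing under Program Files.
USER_WRITABLE = re.compile(
    r"^[A-Z]:\\Users\\[^\\]+\\(Desktop|Downloads|Documents|AppData)\\|\\Temp\\", re.I)

def parse_event(line: str) -> dict:
    """Split a flattened 'Key: value, Key: value' Sysmon record into a dict.
    Values may themselves contain commas; a new field starts only at ', Word: '."""
    return {m.group(1): m.group(2)
            for m in re.finditer(r"(\w+): (.*?)(?=, \w+: |$)", line)}

def detect(event: dict):
    """Return a finding for an Event ID 13 write to a WOW64 autorun key, else None."""
    if event.get("EventID") != "13" or event.get("EventType") != "SetValue":
        return None
    target = event.get("TargetObject", "")
    if not WOW64_AUTORUN_KEY.search(target):
        return None
    details, image = event.get("Details", ""), event.get("Image", "")
    reasons = ["write to 32-bit autorun key: " + target]
    severity = "medium"
    if USER_WRITABLE.search(details):
        severity = "high"
        reasons.append("autorun value points into a user-writable path")
    if details and details.lower() == image.lower():
        severity = "high"
        reasons.append("process registers its own executable for autorun")
    return {"severity": severity, "image": image,
            "pid": event.get("ProcessId"), "reasons": reasons}

def scan(lines) -> list:
    """Run detect() over flattened records and return the hits in input order."""
    hits = []
    for line in lines:
        finding = detect(parse_event(line))
        if finding:
            hits.append(finding)
    return hits

# Constructed sample records (not taken from the report), flattened the way the report
# prints them. The first mirrors the behaviour shown for 215.exe; the value name is made up.
SAMPLE_EVENTS = [
    r"Details: C:\Users\user\Desktop\215.exe, EventID: 13, EventType: SetValue, "
    r"Image: C:\Users\user\Desktop\215.exe, ProcessId: 7260, "
    r"TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Updater",
    r"Details: C:\Program Files (x86)\Vendor\Tray.exe, EventID: 13, EventType: SetValue, "
    r"Image: C:\Program Files (x86)\Vendor\setup.exe, ProcessId: 4420, "
    r"TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\VendorTray",
    r"Details: 1, EventID: 13, EventType: SetValue, Image: C:\Windows\System32\msiexec.exe, ProcessId: 5100, "
    r"TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Vendor\Installed",
    r"Details: C:\Users\user\AppData\Local\Tool\tool.exe, EventID: 13, EventType: SetValue, "
    r"Image: C:\Users\user\AppData\Local\Tool\tool.exe, ProcessId: 6012, "
    r"TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Tool",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(hit["severity"], hit["image"], hit["pid"], "; ".join(hit["reasons"]))
```

The fourth sample record writes the native (non-WOW6432Node) Run key and is deliberately not matched: that path belongs to the companion rule for 64-bit autorun keys, so a deployment needs both. Sysmon must also be configured to log writes to these keys at all, otherwise Event ID 13 is never emitted.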

AV Detection

Source: C:\Users\user\Desktop\QQWER.dll | ReversingLabs: Detection: 73%
Source: 215.exe | ReversingLabs: Detection: 47%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 96.3% probability
Source: C:\Users\user\Desktop\QQWER.dll | Joe Sandbox ML: detected
Source: 215.exe | Joe Sandbox ML: detected

Compliance

Source: C:\Users\user\Desktop\215.exe | Unpacked PE file: 0.2.215.exe.10000000.2.unpack
Source: C:\Users\user\Desktop\215.exe | Unpacked PE file: 4.2.215.exe.10000000.2.unpack
Source: 215.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: Binary string: devco n.pdbo source: 215.exe
Source: Binary string: wntdll.pdbUGP source: 215.exe, 00000000.00000002.2630715178.0000000002BD1000.00000040.00000020.00020000.00000000.sdmp, 215.exe, 00000000.00000003.1373948172.0000000002A2A000.00000004.00000020.00020000.00000000.sdmp, 215.exe, 00000004.00000003.1526583142.0000000002ADE000.00000004.00000020.00020000.00000000.sdmp, 215.exe, 00000004.00000002.2630835922.0000000002C8D000.00000040.00000020.00020000.00000000.sdmp, 64c0e8.tmp.4.dr, 648508.tmp.0.dr
Source: Binary string: wntdll.pdb source: 215.exe, 00000000.00000002.2630715178.0000000002BD1000.00000040.00000020.00020000.00000000.sdmp, 215.exe, 00000000.00000003.1373948172.0000000002A2A000.00000004.00000020.00020000.00000000.sdmp, 215.exe, 00000004.00000003.1526583142.0000000002ADE000.00000004.00000020.00020000.00000000.sdmp, 215.exe, 00000004.00000002.2630835922.0000000002C8D000.00000040.00000020.00020000.00000000.sdmp, 64c0e8.tmp.4.dr, 648508.tmp.0.dr
Source: Binary string: DrvInDM U.pdbe source: 215.exe
Source: Binary string: wuser32.pdb source: 215.exe, 00000000.00000003.1374898577.0000000002A2C000.00000004.00000020.00020000.00000000.sdmp, 215.exe, 00000000.00000002.2631007926.0000000002D83000.00000040.00000020.00020000.00000000.sdmp, 215.exe, 00000004.00000003.1527587500.0000000002ADF000.00000004.00000020.00020000.00000000.sdmp, 215.exe, 00000004.00000002.2631166829.0000000002E4C000.00000040.00000020.00020000.00000000.sdmp, 6485a4.tmp.0.dr, 64c146.tmp.4.dr
Source: Binary string: devc@on.pdb source: 215.exe
Source: Binary string: wuser32.pdbUGP source: 215.exe, 00000000.00000003.1374898577.0000000002A2C000.00000004.00000020.00020000.00000000.sdmp, 215.exe, 00000000.00000002.2631007926.0000000002D83000.00000040.00000020.00020000.00000000.sdmp, 215.exe, 00000004.00000003.1527587500.0000000002ADF000.00000004.00000020.00020000.00000000.sdmp, 215.exe, 00000004.00000002.2631166829.0000000002E4C000.00000040.00000020.00020000.00000000.sdmp, 6485a4.tmp.0.dr, 64c146.tmp.4.dr
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-20h], esp0_2_1000710E
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-20h], esp0_2_1000710E
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-28h], esp0_2_1000710E
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-20h], esp0_2_1000710E
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-10h], esp0_2_1001A199
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-04h], esp0_2_10018AD3
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-04h], esp0_2_10018AD3
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-04h], esp0_2_10018EEA
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-20h], esp0_2_100193C2
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-24h], esp0_2_100193C2
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-0Ch], esp0_2_10007FDD
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-0Ch], esp0_2_10018801
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-14h], esp0_2_10017804
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-0Ch], esp0_2_10011772
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-10h], esp0_2_10013C18
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-04h], esp0_2_10011C1A
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-10h], esp0_2_1001A031
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-58h], esp0_2_10024C38
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-20h], esp0_2_1001AC51
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-20h], esp0_2_1001AC51
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-20h], esp0_2_1001AC51
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-10h], esp0_2_10006051
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-10h], esp0_2_10006051
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-14h], esp0_2_1001385A
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-04h], esp0_2_10002461
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-0Ch], esp0_2_1000F472
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-18h], esp0_2_1001847E
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-10h], esp0_2_10022882
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-38h], esp0_2_10025484
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-58h], esp0_2_10025484
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-20h], esp0_2_10006495
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-10h], esp0_2_10006C96
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-04h], esp0_2_10014096
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-04h], esp0_2_10014096
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-14h], esp0_2_100024AC
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-20h], esp0_2_100024AC
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-14h], esp0_2_100024AC
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-14h], esp0_2_100024AC
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-10h], esp0_2_1000FCB0
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-1Ch], esp0_2_1001A8BE
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-1Ch], esp0_2_1001A8BE
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-1Ch], esp0_2_1001A8BE
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-1Ch], esp0_2_1001A8BE
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-1Ch], esp0_2_1001A8BE
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-1Ch], esp0_2_1001A8BE
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-1Ch], esp0_2_1001A8BE
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-1Ch], esp0_2_1001A8BE
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-1Ch], esp0_2_1001A8BE
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-1Ch], esp0_2_1001A8BE
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-1Ch], esp0_2_1001A8BE
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-1Ch], esp0_2_1001A8BE
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-44h], esp0_2_100198CC
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-08h], esp0_2_100188E1
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-14h], esp0_2_1001A4E7
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-14h], esp0_2_1000210D
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-14h], esp0_2_1000210D
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-24h], esp0_2_1000B90D
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-10h], esp0_2_10003116
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-0Ch], esp0_2_10017D41
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-0Ch], esp0_2_10017D41
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-10h], esp0_2_1000FD4D
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-08h], esp0_2_10001D56
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-58h], esp0_2_10025977
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-0Ch], esp0_2_10010199
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-04h], esp0_2_1001419C
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-04h], esp0_2_1001419C
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-10h], esp0_2_10008DA3
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-08h], esp0_2_100111A7
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-10h], esp0_2_10007DB8
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-18h], esp0_2_100151BD
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-18h], esp0_2_100151BD
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-18h], esp0_2_100151BD
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-28h], esp0_2_1001D1C4
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-20h], esp0_2_1001D1C4
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-3Ch], esp0_2_100259D9
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-2Ch], esp0_2_100221E2
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-2Ch], esp0_2_100221E2
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-2Ch], esp0_2_100221E2
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-2Ch], esp0_2_100221E2
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-2Ch], esp0_2_100221E2
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-10h], esp0_2_100189E6
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-0Ch], esp0_2_1000FDEA
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-08h], esp0_2_100101FB
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-08h], esp0_2_10014203
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-14h], esp0_2_1001121A
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-14h], esp0_2_1001121A
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-14h], esp0_2_1001121A
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-14h], esp0_2_1001121A
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-14h], esp0_2_1001121A
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-14h], esp0_2_1001121A
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-0Ch], esp0_2_1000B61E
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-2Ch], esp0_2_1001221F
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-2Ch], esp0_2_1001221F
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-14h], esp0_2_1001A236
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-0Ch], esp0_2_1001363D
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-14h], esp0_2_1001363D
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-10h], esp0_2_10008E40
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-08h], esp0_2_10011653
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-08h], esp0_2_10011653
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-10h], esp0_2_10010255
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-10h], esp0_2_10010255
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-10h], esp0_2_10007E55
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-24h], esp0_2_10007E55
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-50h], esp0_2_1000C655
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-50h], esp0_2_1000C655
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-50h], esp0_2_1000C655
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-50h], esp0_2_1000C655
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-50h], esp0_2_1000C655
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-50h], esp0_2_1000C655
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-3Ch], esp0_2_1000C655
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-3Ch], esp0_2_1000C655
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-3Ch], esp0_2_1000C655
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-40h], esp0_2_1000C655
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-3Ch], esp0_2_1000C655
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-50h], esp0_2_1000C655
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-3Ch], esp0_2_1000C655
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-3Ch], esp0_2_1000C655
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-40h], esp0_2_1000C655
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-3Ch], esp0_2_1000C655
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-10h], esp0_2_1000FA6F
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-10h], esp0_2_10022A80
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-10h], esp0_2_10011E89
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-44h], esp0_2_10014289
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-44h], esp0_2_10014289
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-44h], esp0_2_10014289
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-48h], esp0_2_10014289
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-4Ch], esp0_2_10014289
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-58h], esp0_2_10014289
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-44h], esp0_2_10014289
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-44h], esp0_2_10014289
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-44h], esp0_2_10014289
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-48h], esp0_2_10014289
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-44h], esp0_2_10014289
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-44h], esp0_2_10014289
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-48h], esp0_2_10014289
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-44h], esp0_2_10014289
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-44h], esp0_2_10014289
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-48h], esp0_2_10014289
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-48h], esp0_2_10014289
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-4Ch], esp0_2_1002129C
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-4Ch], esp0_2_1002129C
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-4Ch], esp0_2_1002129C
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-4Ch], esp0_2_1002129C
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-4Ch], esp0_2_1002129C
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-54h], esp0_2_1002129C
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-4Ch], esp0_2_1002129C
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-4Ch], esp0_2_1002129C
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-4Ch], esp0_2_1002129C
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-50h], esp0_2_1002129C
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-4Ch], esp0_2_1002129C
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-4Ch], esp0_2_1002129C
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-4Ch], esp0_2_1002129C
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-4Ch], esp0_2_1002129C
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-14h], esp0_2_1001A6C7
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-20h], esp0_2_10017ECA
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-10h], esp0_2_10010AD6
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-10h], esp0_2_10010AD6
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-38h], esp0_2_10008EDD
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-04h], esp0_2_1001BADE
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-10h], esp0_2_100246E4
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-00000084h], esp0_2_1001F2ED
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-00000084h], esp0_2_1001F2ED
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-00000084h], esp0_2_1001F2ED
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-00000084h], esp0_2_1001F2ED
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-00000084h], esp0_2_1001F2ED
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-0000008Ch], esp0_2_1001F2ED
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-00000084h], esp0_2_1001F2ED
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-00000084h], esp0_2_1001F2ED
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-00000084h], esp0_2_1001F2ED
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-00000084h], esp0_2_1001F2ED
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-00000084h], esp0_2_1001F2ED
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-00000084h], esp0_2_1001F2ED
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-00000084h], esp0_2_1001F2ED
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-00000084h], esp0_2_1001F2ED
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-00000084h], esp0_2_1001F2ED
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-00000084h], esp0_2_1001F2ED
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-00000084h], esp0_2_1001F2ED
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-00000084h], esp0_2_1001F2ED
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-00000084h], esp0_2_1001F2ED
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-0000008Ch], esp0_2_1001F2ED
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-00000084h], esp0_2_1001F2ED
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-00000084h], esp0_2_1001F2ED
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-0000008Ch], esp0_2_1001F2ED
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-00000084h], esp0_2_1001F2ED
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-00000084h], esp0_2_1001F2ED
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-00000084h], esp0_2_1001F2ED
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-0000008Ch], esp0_2_1001F2ED
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-0000008Ch], esp0_2_1001F2ED
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-00000084h], esp0_2_1001F2ED
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-00000084h], esp0_2_1001F2ED
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-00000084h], esp0_2_1001F2ED
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-00000084h], esp0_2_1001F2ED
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-00000084h], esp0_2_1001F2ED
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-10h], esp0_2_1001A6F8
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-18h], esp0_2_1001A6F8
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-10h], esp0_2_1001A6F8
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-10h], esp0_2_1001A6F8
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-10h], esp0_2_1001A6F8
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-10h], esp0_2_1001A6F8
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-08h], esp0_2_100236FF
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-08h], esp0_2_100236FF
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-10h], esp0_2_1000FF10
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-10h], esp0_2_10008B27
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-04h], esp0_2_1001BB29
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-14h], esp0_2_10015B34
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-10h], esp0_2_1000833D
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-34h], esp0_2_10012B40
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-04h], esp0_2_1000634E
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-10h], esp0_2_1000B353
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-4Ch], esp0_2_10026356
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-54h], esp0_2_1001DB5C
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-44h], esp0_2_1001DB5C
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-0Ch], esp0_2_10017B68
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-0Ch], esp0_2_10011772
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-38h], esp0_2_10024781
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-58h], esp0_2_10024781
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-0Ch], esp0_2_1002378A
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-0Ch], esp0_2_1002378A
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-14h], esp0_2_1002378A
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-0Ch], esp0_2_1002378A
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-0Ch], esp0_2_1002378A
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-44h], esp0_2_10014289
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-44h], esp0_2_10014289
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-44h], esp0_2_10014289
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-48h], esp0_2_10014289
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-4Ch], esp0_2_10014289
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-58h], esp0_2_10014289
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-1Ch], esp0_2_1001BFA0
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-24h], esp0_2_1001BFA0
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-18h], esp0_2_1000A7A2
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-10h], esp0_2_100137A3
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-10h], esp0_2_1000F7AC
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-10h], esp0_2_10008BC4
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-10h], esp0_2_10013FC8
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-10h], esp0_2_10007BCA
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-04h], esp0_2_10005FDA
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-10h], esp0_2_100253E7
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-10h], esp0_2_1000B3F0
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-20h], esp4_2_1000710E
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-28h], esp4_2_1000710E
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-10h], esp4_2_1001A199
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-04h], esp4_2_10018AD3
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-04h], esp4_2_10018EEA
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-20h], esp4_2_100193C2
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-24h], esp4_2_100193C2
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-0Ch], esp4_2_10007FDD
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-0Ch], esp4_2_10018801
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-14h], esp4_2_10017804
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-0Ch], esp4_2_10011772
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-10h], esp4_2_10013C18
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-04h], esp4_2_10011C1A
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-10h], esp4_2_1001A031
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-58h], esp4_2_10024C38
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-20h], esp4_2_1001AC51
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-10h], esp4_2_10006051
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-14h], esp4_2_1001385A
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-04h], esp4_2_10002461
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-0Ch], esp4_2_1000F472
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-18h], esp4_2_1001847E
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-10h], esp4_2_10022882
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-38h], esp4_2_10025484
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-58h], esp4_2_10025484
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-20h], esp4_2_10006495
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-10h], esp4_2_10006C96
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-04h], esp4_2_10014096
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-14h], esp4_2_100024AC
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-20h], esp4_2_100024AC
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-10h], esp4_2_1000FCB0
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-1Ch], esp4_2_1001A8BE
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-44h], esp4_2_100198CC
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-08h], esp4_2_100188E1
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-14h], esp4_2_1001A4E7
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-14h], esp4_2_1000210D
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-24h], esp4_2_1000B90D
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-10h], esp4_2_10003116
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-0Ch], esp4_2_10017D41
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-10h], esp4_2_1000FD4D
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-08h], esp4_2_10001D56
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-58h], esp4_2_10025977
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-0Ch], esp4_2_10010199
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-04h], esp4_2_1001419C
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-10h], esp4_2_10008DA3
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-08h], esp4_2_100111A7
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-10h], esp4_2_10007DB8
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-18h], esp4_2_100151BD
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-28h], esp4_2_1001D1C4
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-20h], esp4_2_1001D1C4
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-3Ch], esp4_2_100259D9
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-2Ch], esp4_2_100221E2
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-10h], esp4_2_100189E6
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-0Ch], esp4_2_1000FDEA
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-08h], esp4_2_100101FB
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-08h], esp4_2_10014203
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-14h], esp4_2_1001121A
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-0Ch], esp4_2_1000B61E
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-2Ch], esp4_2_1001221F
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-14h], esp4_2_1001A236
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-0Ch], esp4_2_1001363D
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-14h], esp4_2_1001363D
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-10h], esp4_2_10008E40
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-08h], esp4_2_10011653
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-10h], esp4_2_10010255
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-10h], esp4_2_10007E55
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-24h], esp4_2_10007E55
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-50h], esp4_2_1000C655
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-3Ch], esp4_2_1000C655
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-40h], esp4_2_1000C655
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-10h], esp4_2_1000FA6F
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-10h], esp4_2_10022A80
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-10h], esp4_2_10011E89
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-44h], esp4_2_10014289
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-48h], esp4_2_10014289
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-4Ch], esp4_2_10014289
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-58h], esp4_2_10014289
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-4Ch], esp4_2_1002129C
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-54h], esp4_2_1002129C
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-50h], esp4_2_1002129C
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-14h], esp4_2_1001A6C7
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-20h], esp4_2_10017ECA
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-10h], esp4_2_10010AD6
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-38h], esp4_2_10008EDD
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-04h], esp4_2_1001BADE
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-10h], esp4_2_100246E4
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-00000084h], esp4_2_1001F2ED
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-0000008Ch], esp4_2_1001F2ED
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-10h], esp4_2_1001A6F8
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-18h], esp4_2_1001A6F8
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-08h], esp4_2_100236FF
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-10h], esp4_2_1000FF10
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-10h], esp4_2_10008B27
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-04h], esp4_2_1001BB29
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-14h], esp4_2_10015B34
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-10h], esp4_2_1000833D
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-34h], esp4_2_10012B40
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-04h], esp4_2_1000634E
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-10h], esp4_2_1000B353
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-4Ch], esp4_2_10026356
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-54h], esp4_2_1001DB5C
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-44h], esp4_2_1001DB5C
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-0Ch], esp4_2_10017B68
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-38h], esp4_2_10024781
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-58h], esp4_2_10024781
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-0Ch], esp4_2_1002378A
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-14h], esp4_2_1002378A
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-1Ch], esp4_2_1001BFA0
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-24h], esp4_2_1001BFA0
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-18h], esp4_2_1000A7A2
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-10h], esp4_2_100137A3
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-10h], esp4_2_1000F7AC
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-10h], esp4_2_10008BC4
      Source: C:\Users\user\Desktop\215.exeCode function: 4x nop then cmp dword ptr [ebp-10h], esp4_2_10013FC8
      Source: Joe Sandbox ViewIP Address: 42.193.100.57 42.193.100.57
      Source: global trafficHTTP traffic detected: GET /%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txt HTTP/1.1Accept: */*User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)Host: 42.193.100.57Cache-Control: no-cache
      Source: global trafficHTTP traffic detected: GET /%E5%AD%98%E6%A1%A3/.txt HTTP/1.1Accept: */*User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)Host: 42.193.100.57Cache-Control: no-cache
      Source: unknown | TCP traffic detected without corresponding DNS query: 42.193.100.57
      Source: global traffic | HTTP traffic detected: GET /%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txt HTTP/1.1 Accept: */* User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0) Host: 42.193.100.57 Cache-Control: no-cache
      Source: global traffic | HTTP traffic detected: GET /%E5%AD%98%E6%A1%A3/.txt HTTP/1.1 Accept: */* User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0) Host: 42.193.100.57 Cache-Control: no-cache
      Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found Content-Type: text/html Server: Microsoft-IIS/8.5 Date: Wed, 20 Nov 2024 08:21:59 GMT Content-Length: 1163 Data Raw: (hex dump omitted)
      Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found Content-Type: text/html Server: Microsoft-IIS/8.5 Date: Wed, 20 Nov 2024 08:22:15 GMT Content-Length: 1163 Data Raw: (hex dump omitted)
      Source: 215.exe | String found in binary or memory: http://.httpsset-cookie:;;
      Source: 215.exe | String found in binary or memory: http://42.193.100.57/%E5%AD%98%E6%A1%A3/
      Source: 215.exe, 00000004.00000002.2629366792.0000000000AF0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://42.193.100.57/%E5%AD%98%E6%A1%A3/.txt
      Source: 215.exe, 00000000.00000002.2629312386.0000000000A03000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://42.193.100.57/%E5%AD%98%E6%A1%A3/.txt-
      Source: 215.exe, 00000004.00000002.2629366792.0000000000AB8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://42.193.100.57/%E5%AD%98%E6%A1%A3/.txt._cache_
      Source: 215.exe, 00000004.00000002.2629366792.0000000000B1B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://42.193.100.57/%E5%AD%98%E6%A1%A3/.txtJ
      Source: 215.exe | String found in binary or memory: http://42.193.100.57/%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txt
      Source: 215.exe, 00000000.00000002.2629312386.0000000000A03000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://42.193.100.57/%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txt1
      Source: 215.exe, 00000004.00000002.2629366792.0000000000B1B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://42.193.100.57/%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txt3
      Source: 215.exe, 00000004.00000002.2629366792.0000000000B1B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://42.193.100.57/%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txtAs
      Source: 215.exe, 00000000.00000002.2629312386.00000000009D6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://42.193.100.57/%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txtS
      Source: 215.exe, 00000004.00000002.2629366792.0000000000B2A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://42.193.100.57/%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txtST
      Source: 215.exe, 00000004.00000002.2629366792.0000000000B3F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://42.193.100.57/%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txtgrams
      Source: 215.exe, 00000004.00000002.2629366792.0000000000B2A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://42.193.100.57/%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txtm
      Source: 215.exe, 00000000.00000002.2629312386.0000000000A03000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://42.193.100.57/%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txtn
      Source: 215.exe | String found in binary or memory: http://ocsp.t
      Source: 215.exe | String found in binary or memory: http://sf.symc
      Source: 215.exe | String found in binary or memory: http://ts-ocsp.ws.s
      Source: 215.exe | String found in binary or memory: http://ts-ocsp.ws.symantec.
      Source: 215.exe | String found in binary or memory: http://www.eyuyan.com)DVarFileInfo$
      Source: 215.exe | String found in binary or memory: https://User-Agent:Mozilla/4.0
      Source: 215.exe | String found in binary or memory: https://note.youdao.com/yws/public/note/03cb89fe74e7b4305099ed5dabde2135?sev=j1
      Source: 215.exe | String found in binary or memory: https://ww(w.v
      Source: C:\Users\user\Desktop\215.exe | Code function: 0_2_1001F2ED IsWindow,IsIconic,GetDCEx,GetDCEx,GetWindowInfo,GetWindowRect,CreateCompatibleDC,CreateDIBSection,SelectObject,CreateCompatibleDC,SelectObject,PrintWindow,BitBlt,BitBlt,BitBlt,SelectObject,GetDIBits, 0_2_1001F2ED
      Source: 215.exe, 00000000.00000003.1374898577.0000000002A2C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: GetRawInputDatamemstr_2e29a65d-f
      Source: Yara match | File source: Process Memory Space: 215.exe PID: 7260, type: MEMORYSTR
      Source: Yara match | File source: Process Memory Space: 215.exe PID: 7584, type: MEMORYSTR
      Source: C:\Users\user\Desktop\215.exe | Code function: 0_2_10007FDD NtClose, 0_2_10007FDD
      Source: C:\Users\user\Desktop\215.exe | Code function: 0_2_1001419C ReleaseMutex,NtClose, 0_2_1001419C
      Source: C:\Users\user\Desktop\215.exe | Code function: 0_2_1001221F NtClose, 0_2_1001221F
      Source: C:\Users\user\Desktop\215.exe | Code function: 4_2_10007FDD NtClose, 4_2_10007FDD
      Source: C:\Users\user\Desktop\215.exe | Code function: 4_2_1001419C ReleaseMutex,NtClose, 4_2_1001419C
      Source: C:\Users\user\Desktop\215.exe | Code function: 4_2_1001221F NtClose, 4_2_1001221F
      Source: C:\Users\user\Desktop\215.exe | Code function: 0_2_004C60B0 0_2_004C60B0
      Source: C:\Users\user\Desktop\215.exe | Code function: 0_2_10002628 0_2_10002628
      Source: C:\Users\user\Desktop\215.exe | Code function: 0_2_100032EA 0_2_100032EA
      Source: C:\Users\user\Desktop\215.exe | Code function: 4_2_004C60B0 4_2_004C60B0
      Source: C:\Users\user\Desktop\215.exe | Code function: 4_2_10002628 4_2_10002628
      Source: C:\Users\user\Desktop\215.exe | Code function: 4_2_100032EA 4_2_100032EA
      Source: C:\Users\user\Desktop\215.exe | Process token adjusted: Load Driver
      Source: C:\Users\user\Desktop\215.exe | Process token adjusted: Security
      Source: C:\Users\user\Desktop\215.exe | Code function: String function: 10029640 appears 130 times
      Source: 648508.tmp.0.dr | Static PE information: Resource name: RT_MESSAGETABLE type: PDP-11 separate I&D executable not stripped
      Source: 64c0e8.tmp.4.dr | Static PE information: Resource name: RT_MESSAGETABLE type: PDP-11 separate I&D executable not stripped
      Source: 64c0e8.tmp.4.dr | Static PE information: No import functions for PE file found
      Source: 648508.tmp.0.dr | Static PE information: No import functions for PE file found
      Source: 215.exe, 00000000.00000003.1374898577.0000000002A2C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameuser32j% vs 215.exe
      Source: 215.exe, 00000000.00000003.1373948172.0000000002B4D000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs 215.exe
      Source: 215.exe, 00000000.00000002.2631007926.0000000002E2B000.00000040.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameuser32j% vs 215.exe
      Source: 215.exe, 00000000.00000002.2630715178.0000000002CFE000.00000040.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs 215.exe
      Source: 215.exe, 00000004.00000003.1526583142.0000000002C01000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs 215.exe
      Source: 215.exe, 00000004.00000002.2630835922.0000000002DBA000.00000040.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs 215.exe
      Source: 215.exe, 00000004.00000003.1527587500.0000000002ADF000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameuser32j% vs 215.exe
      Source: 215.exe, 00000004.00000002.2631166829.0000000002EF4000.00000040.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameuser32j% vs 215.exe
      Source: 215.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
      Source: QQWER.dll.0.dr | Static PE information: Section: .rsrc ZLIB complexity 1.0002780183550337
      Source: 648508.tmp.0.dr | Binary string: \Device\IPT[
      Source: classification engine | Classification label: mal84.evad.winEXE@2/11@0/1
      Source: C:\Users\user\Desktop\215.exe | Code function: 0_2_00415A0C GetDiskFreeSpaceExA, 0_2_00415A0C
      Source: C:\Users\user\Desktop\215.exe | File created: C:\Users\user\Desktop\QQWER.dll
      Source: C:\Users\user\Desktop\215.exe | Mutant created: NULL
      Source: C:\Users\user\Desktop\215.exe | File created: C:\Users\user\AppData\Local\Temp\648508.tmp
      Source: 215.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
      Source: C:\Users\user\Desktop\215.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
      Source: 215.exe | ReversingLabs: Detection: 47%
      Source: unknown | Process created: C:\Users\user\Desktop\215.exe "C:\Users\user\Desktop\215.exe"
      Source: unknown | Process created: C:\Users\user\Desktop\215.exe "C:\Users\user\Desktop\215.exe"
      Source: C:\Users\user\Desktop\215.exe | Section loaded: apphelp.dll
      Source: C:\Users\user\Desktop\215.exe | Section loaded: winmm.dll
      Source: C:\Users\user\Desktop\215.exe | Section loaded: rasapi32.dll
      Source: C:\Users\user\Desktop\215.exe | Section loaded: wininet.dll
      Source: C:\Users\user\Desktop\215.exe | Section loaded: rasman.dll
      Source: C:\Users\user\Desktop\215.exe | Section loaded: uxtheme.dll
      Source: C:\Users\user\Desktop\215.exe | Section loaded: kernel.appcore.dll
      Source: C:\Users\user\Desktop\215.exe | Section loaded: version.dll
      Source: C:\Users\user\Desktop\215.exe | Section loaded: ntmarta.dll
      Source: C:\Users\user\Desktop\215.exe | Section loaded: iertutil.dll
      Source: C:\Users\user\Desktop\215.exe | Section loaded: sspicli.dll
      Source: C:\Users\user\Desktop\215.exe | Section loaded: windows.storage.dll
      Source: C:\Users\user\Desktop\215.exe | Section loaded: wldp.dll
      Source: C:\Users\user\Desktop\215.exe | Section loaded: profapi.dll
      Source: C:\Users\user\Desktop\215.exe | Section loaded: ondemandconnroutehelper.dll
      Source: C:\Users\user\Desktop\215.exe | Section loaded: winhttp.dll
      Source: C:\Users\user\Desktop\215.exe | Section loaded: dpapi.dll
      Source: C:\Users\user\Desktop\215.exe | Section loaded: cryptbase.dll
      Source: C:\Users\user\Desktop\215.exe | Section loaded: mswsock.dll
      Source: C:\Users\user\Desktop\215.exe | Section loaded: iphlpapi.dll
      Source: C:\Users\user\Desktop\215.exe | Section loaded: winnsi.dll
      Source: C:\Users\user\Desktop\215.exe | Section loaded: urlmon.dll
      Source: C:\Users\user\Desktop\215.exe | Section loaded: srvcli.dll
      Source: C:\Users\user\Desktop\215.exe | Section loaded: netutils.dll
      Source: C:\Users\user\Desktop\215.exe | Section loaded: textshaping.dll
      Source: C:\Users\user\Desktop\215.exe | Section loaded: textinputframework.dll
      Source: C:\Users\user\Desktop\215.exe | Section loaded: coreuicomponents.dll
      Source: C:\Users\user\Desktop\215.exe | Section loaded: coremessaging.dll
      Source: C:\Users\user\Desktop\215.exe | Section loaded: wintypes.dll
      Source: C:\Users\user\Desktop\215.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32
      Source: C:\Users\user\Desktop\215.exe | Window detected: Number of UI elements: 23
      Source: 215.exe | Static PE information: Virtual size of .text is bigger than: 0x100000
      Source: 215.exe | Static file information: File size 5222400 > 1048576
      Source: 215.exe | Static PE information: Raw size of .text is bigger than: 0x100000 < 0x14f000
      Source: 215.exe | Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x286000
      Source: 215.exe | Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x10d000
      Source: Binary string: devco n.pdbo source: 215.exe
      Source: Binary string: wntdll.pdbUGP source: 215.exe, 00000000.00000002.2630715178.0000000002BD1000.00000040.00000020.00020000.00000000.sdmp, 215.exe, 00000000.00000003.1373948172.0000000002A2A000.00000004.00000020.00020000.00000000.sdmp, 215.exe, 00000004.00000003.1526583142.0000000002ADE000.00000004.00000020.00020000.00000000.sdmp, 215.exe, 00000004.00000002.2630835922.0000000002C8D000.00000040.00000020.00020000.00000000.sdmp, 64c0e8.tmp.4.dr, 648508.tmp.0.dr
      Source: Binary string: wntdll.pdb source: 215.exe, 00000000.00000002.2630715178.0000000002BD1000.00000040.00000020.00020000.00000000.sdmp, 215.exe, 00000000.00000003.1373948172.0000000002A2A000.00000004.00000020.00020000.00000000.sdmp, 215.exe, 00000004.00000003.1526583142.0000000002ADE000.00000004.00000020.00020000.00000000.sdmp, 215.exe, 00000004.00000002.2630835922.0000000002C8D000.00000040.00000020.00020000.00000000.sdmp, 64c0e8.tmp.4.dr, 648508.tmp.0.dr
      Source: Binary string: DrvInDM U.pdbe source: 215.exe
      Source: Binary string: wuser32.pdb source: 215.exe, 00000000.00000003.1374898577.0000000002A2C000.00000004.00000020.00020000.00000000.sdmp, 215.exe, 00000000.00000002.2631007926.0000000002D83000.00000040.00000020.00020000.00000000.sdmp, 215.exe, 00000004.00000003.1527587500.0000000002ADF000.00000004.00000020.00020000.00000000.sdmp, 215.exe, 00000004.00000002.2631166829.0000000002E4C000.00000040.00000020.00020000.00000000.sdmp, 6485a4.tmp.0.dr, 64c146.tmp.4.dr
      Source: Binary string: devc@on.pdb source: 215.exe
      Source: Binary string: wuser32.pdbUGP source: 215.exe, 00000000.00000003.1374898577.0000000002A2C000.00000004.00000020.00020000.00000000.sdmp, 215.exe, 00000000.00000002.2631007926.0000000002D83000.00000040.00000020.00020000.00000000.sdmp, 215.exe, 00000004.00000003.1527587500.0000000002ADF000.00000004.00000020.00020000.00000000.sdmp, 215.exe, 00000004.00000002.2631166829.0000000002E4C000.00000040.00000020.00020000.00000000.sdmp, 6485a4.tmp.0.dr, 64c146.tmp.4.dr

      Data Obfuscation

      Source: C:\Users\user\Desktop\215.exe | Unpacked PE file: 0.2.215.exe.10000000.2.unpack
      Source: C:\Users\user\Desktop\215.exe | Unpacked PE file: 4.2.215.exe.10000000.2.unpack
      Source: C:\Users\user\Desktop\215.exe | Code function: 0_2_004C4020 GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,FreeLibrary,FreeLibrary, 0_2_004C4020
      Source: initial sample | Static PE information: section where entry point is pointing to: .rsrc
      Source: QQWER.dll.0.dr | Static PE information: section name: .Upack
      Source: 648508.tmp.0.dr | Static PE information: section name: RT
      Source: 648508.tmp.0.dr | Static PE information: section name: .mrdata
      Source: 648508.tmp.0.dr | Static PE information: section name: .00cfg
      Source: 6485a4.tmp.0.dr | Static PE information: section name: .didat
      Source: 64c0e8.tmp.4.dr | Static PE information: section name: RT
      Source: 64c0e8.tmp.4.dr | Static PE information: section name: .mrdata
      Source: 64c0e8.tmp.4.dr | Static PE information: section name: .00cfg
      Source: 64c146.tmp.4.dr | Static PE information: section name: .didat
      Source: C:\Users\user\Desktop\215.exe | Code function: 0_2_0052ECF0 push eax; ret 0_2_0052ED1E
      Source: C:\Users\user\Desktop\215.exe | Code function: 0_2_00530F64 push eax; ret 0_2_00530F82
      Source: C:\Users\user\Desktop\215.exe | Code function: 0_2_1002C7F8 push edi; ret 0_2_1002C7FC
      Source: C:\Users\user\Desktop\215.exe | Code function: 4_2_0052ECF0 push eax; ret 4_2_0052ED1E
      Source: C:\Users\user\Desktop\215.exe | Code function: 4_2_00530F64 push eax; ret 4_2_00530F82
      Source: C:\Users\user\Desktop\215.exe | Code function: 4_2_1002C7F8 push edi; ret 4_2_1002C7FC
      Source: QQWER.dll.0.dr | Static PE information: section name: .rsrc entropy: 7.999713933191419
      Source: 648508.tmp.0.dr | Static PE information: section name: .text entropy: 6.844715065913507
      Source: 64c0e8.tmp.4.dr | Static PE information: section name: .text entropy: 6.844715065913507
      Source: C:\Users\user\Desktop\215.exe | File created: C:\Users\user\AppData\Local\Temp\64c146.tmp
      Source: C:\Users\user\Desktop\215.exe | File created: C:\Users\user\Desktop\QQWER.dll
      Source: C:\Users\user\Desktop\215.exe | File created: C:\Users\user\AppData\Local\Temp\64c0e8.tmp
      Source: C:\Users\user\Desktop\215.exe | File created: C:\Users\user\AppData\Local\Temp\6485a4.tmp
      Source: C:\Users\user\Desktop\215.exe | File created: C:\Users\user\AppData\Local\Temp\648508.tmp
      Source: C:\Users\user\Desktop\215.exe | Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
      Source: C:\Users\user\Desktop\215.exe | Code function: 0_2_004CBFC0 IsIconic,IsZoomed,LoadLibraryA,GetProcAddress,GetProcAddress,FreeLibrary,SystemParametersInfoA,IsWindow,ShowWindow, 0_2_004CBFC0
      Source: C:\Users\user\Desktop\215.exe | Code function: 0_2_1001F2ED IsWindow,IsIconic,GetDCEx,GetDCEx,GetWindowInfo,GetWindowRect,CreateCompatibleDC,CreateDIBSection,SelectObject,CreateCompatibleDC,SelectObject,PrintWindow,BitBlt,BitBlt,BitBlt,SelectObject,GetDIBits, 0_2_1001F2ED
      Source: C:\Users\user\Desktop\215.exe | Code function: 4_2_004CBFC0 IsIconic,IsZoomed,LoadLibraryA,GetProcAddress,GetProcAddress,FreeLibrary,SystemParametersInfoA,IsWindow,ShowWindow, 4_2_004CBFC0
      Source: C:\Users\user\Desktop\215.exe | Code function: 4_2_1001F2ED IsWindow,IsIconic,GetDCEx,GetDCEx,GetWindowInfo,GetWindowRect,CreateCompatibleDC,CreateDIBSection,SelectObject,CreateCompatibleDC,SelectObject,PrintWindow,BitBlt,BitBlt,BitBlt,SelectObject,GetDIBits, 4_2_1001F2ED
      Source: C:\Users\user\Desktop\215.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

      Malware Analysis System Evasion

      Source: C:\Users\user\Desktop\215.exe | Evasive API call chain: CreateMutex,DecisionNodes,ExitProcess graph_0-21399
      Source: C:\Users\user\Desktop\215.exe | File opened: C:\Windows\SysWOW64\ntdll.dll
      Source: C:\Users\user\Desktop\215.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\64c146.tmp
      Source: C:\Users\user\Desktop\215.exe | Dropped PE file which has not been started: C:\Users\user\Desktop\QQWER.dll
      Source: C:\Users\user\Desktop\215.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\64c0e8.tmp
      Source: C:\Users\user\Desktop\215.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\6485a4.tmp
      Source: C:\Users\user\Desktop\215.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\648508.tmp
      Source: C:\Users\user\Desktop\215.exe | File Volume queried: C:\ FullSizeInformation
      Source: C:\Users\user\Desktop\215.exe | Code function: 0_2_1000710E GetVersionExA,GetSystemInfo,RtlGetNtVersionNumbers, 0_2_1000710E
      Source: 215.exe, 00000000.00000002.2629312386.0000000000A19000.00000004.00000020.00020000.00000000.sdmp, 215.exe, 00000000.00000002.2629312386.000000000098E000.00000004.00000020.00020000.00000000.sdmp, 215.exe, 00000004.00000002.2629366792.0000000000B3F000.00000004.00000020.00020000.00000000.sdmp, 215.exe, 00000004.00000002.2629366792.0000000000AB8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
      Source: C:\Users\user\Desktop\215.exe | API call chain: ExitProcess graph end node graph_0-21513
      Source: C:\Users\user\Desktop\215.exe | API call chain: ExitProcess graph end node graph_4-21512
      Source: C:\Users\user\Desktop\215.exe | Code function: 0_2_10004B1B LdrInitializeThunk, 0_2_10004B1B
      Source: C:\Users\user\Desktop\215.exe | Code function: 0_2_004C4020 GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,FreeLibrary,FreeLibrary, 0_2_004C4020
      Source: C:\Users\user\Desktop\215.exe | Code function: 0_2_1001A4C7 mov eax, dword ptr fs:[00000030h] 0_2_1001A4C7
      Source: C:\Users\user\Desktop\215.exe | Code function: 0_2_1000AE99 mov eax, dword ptr fs:[00000030h] 0_2_1000AE99
      Source: C:\Users\user\Desktop\215.exe | Code function: 4_2_1001A4C7 mov eax, dword ptr fs:[00000030h] 4_2_1001A4C7
      Source: C:\Users\user\Desktop\215.exe | Code function: 4_2_1000AE99 mov eax, dword ptr fs:[00000030h] 4_2_1000AE99
      Source: C:\Users\user\Desktop\215.exe | Code function: 0_2_10027BB0 GetProcessHeap,RtlAllocateHeap,MessageBoxA, 0_2_10027BB0
      Source: C:\Users\user\Desktop\215.exe | Process token adjusted: Debug
      Source: 215.exe | Binary or memory string: @TaskbarCreatedShell_TrayWndTrayNotifyWndSysPagerToolbarWindow32@@
      Source: 215.exe | Binary or memory string: Shell_TrayWnd
      Source: 215.exe, 00000000.00000003.1374898577.0000000002A2C000.00000004.00000020.00020000.00000000.sdmp, 215.exe, 00000000.00000002.2629312386.000000000098E000.00000004.00000020.00020000.00000000.sdmp, 215.exe, 00000000.00000002.2631007926.0000000002D83000.00000040.00000020.00020000.00000000.sdmp | Binary or memory string: GetProgmanWindow
      Source: 215.exe, 00000004.00000002.2629366792.0000000000AB8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SetProgmanWindowx
      Source: 215.exe, 00000004.00000002.2629366792.0000000000AB8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: GetProgmanWindow*
      Source: 215.exe, 00000000.00000003.1374898577.0000000002A2C000.00000004.00000020.00020000.00000000.sdmp, 215.exe, 00000000.00000002.2629312386.000000000098E000.00000004.00000020.00020000.00000000.sdmp, 215.exe, 00000000.00000002.2631007926.0000000002D83000.00000040.00000020.00020000.00000000.sdmp | Binary or memory string: SetProgmanWindow
      Source: 215.exe, 00000000.00000002.2629312386.000000000098E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SetProgmanWindowk{
      Source: C:\Users\user\Desktop\215.exe | Code function: 0_2_10019EDC cpuid 0_2_10019EDC
      Source: C:\Users\user\Desktop\215.exe | Code function: 0_2_00533630 GetVersionExA,GetEnvironmentVariableA,GetModuleFileNameA, 0_2_00533630

      MITRE ATT&CK Matrix (one tactic per column; a number preceding a technique is the count shown with it in the report)

      Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
      Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 11 Native API | 1 Registry Run Keys / Startup Folder | 2 Process Injection | 1 Masquerading | 11 Input Capture | 111 Security Software Discovery | Remote Services | 1 Screen Capture | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
      Credentials | Domains | Default Accounts | Scheduled Task/Job | 1 LSASS Driver | 1 Registry Run Keys / Startup Folder | 2 Process Injection | LSASS Memory | 1 Process Discovery | Remote Desktop Protocol | 11 Input Capture | 3 Ingress Tool Transfer | Exfiltration Over Bluetooth | Network Denial of Service
      Email Addresses | DNS Server | Domain Accounts | At | 1 DLL Side-Loading | 1 LSASS Driver | 1 Deobfuscate/Decode Files or Information | Security Account Manager | 1 Application Window Discovery | SMB/Windows Admin Shares | 1 Archive Collected Data | 2 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
      Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | 1 DLL Side-Loading | 4 Obfuscated Files or Information | NTDS | 15 System Information Discovery | Distributed Component Object Model | Input Capture | 12 Application Layer Protocol | Traffic Duplication | Data Destruction
      Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 12 Software Packing | LSA Secrets | Internet Connection Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
      Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 DLL Side-Loading | Cached Domain Credentials | Wi-Fi Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop