Edit tour

Windows Analysis Report
S12.exe

Overview

General Information

Sample name:	S12.exe
Analysis ID:	1562140
MD5:	ffd8b14a461473ffc4f11bcfcc5455c0
SHA1:	decdfeb89ce19547d312b0bd3f905a21d11dac8f
SHA256:	02a5fca125cbaa58a96ad120e3fc159dc9db2b5e5eaa724fa749734ed75546ab
Tags:	exemalwaretrojanuser-Joker
Infos:

Detection

Score:	76
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Detected unpacking (creates a PE file in dynamic memory)

Multi AV Scanner detection for dropped file

AI detected suspicious sample

Found evasive API chain (may stop execution after checking mutex)

Machine Learning detection for dropped file

Machine Learning detection for sample

Renames NTDLL to bypass HIPS

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to dynamically determine API calls

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to record screenshots

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Detected potential crypto function

Drops PE files

Enables debug privileges

Enables driver privileges

Enables security privileges

Entry point lies outside standard sections

Found dropped PE file which has not been started or loaded

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

Installs a raw input device (often for capturing keystrokes)

PE file contains executable resources (Code or Archives)

PE file contains sections with non-standard names

PE file does not import any functions

Sample file is different than original file name gathered from version info

Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Keylogger Generic

Classification

Process Tree

System is w10x64

S12.exe (PID: 5624 cmdline: "C:\Users\user\Desktop\S12.exe" MD5: FFD8B14A461473FFC4F11BCFCC5455C0)

S12.exe (PID: 2700 cmdline: "C:\Users\user\Desktop\S12.exe" MD5: FFD8B14A461473FFC4F11BCFCC5455C0)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
Process Memory Space: S12.exe PID: 5624	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
Process Memory Space: S12.exe PID: 2700	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security

Sigma Signatures

Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\user\Desktop\S12.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\S12.exe, ProcessId: 5624, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for dropped file

Source: C:\Users\user\Desktop\QQWER.dll

ReversingLabs: Detection: 73%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 96.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\Desktop\QQWER.dll

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: S12.exe

Joe Sandbox ML: detected

Compliance

Detected unpacking (creates a PE file in dynamic memory)

Source: C:\Users\user\Desktop\S12.exe	Unpacked PE file: 0.2.S12.exe.10000000.2.unpack
Source: C:\Users\user\Desktop\S12.exe	Unpacked PE file: 5.2.S12.exe.10000000.2.unpack

Source: S12.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source:	Binary string: devco n.pdbo source: S12.exe
Source:	Binary string: wntdll.pdbUGP source: S12.exe, 00000000.00000003.1469901007.0000000002B48000.00000004.00000020.00020000.00000000.sdmp, S12.exe, 00000000.00000002.2721133599.0000000002CF7000.00000040.00000020.00020000.00000000.sdmp, S12.exe, 00000005.00000002.2721298956.0000000002BFD000.00000040.00000020.00020000.00000000.sdmp, S12.exe, 00000005.00000003.1832201461.0000000002A4D000.00000004.00000020.00020000.00000000.sdmp, 60bae0.tmp.5.dr, 602d46.tmp.0.dr
Source:	Binary string: wntdll.pdb source: S12.exe, 00000000.00000003.1469901007.0000000002B48000.00000004.00000020.00020000.00000000.sdmp, S12.exe, 00000000.00000002.2721133599.0000000002CF7000.00000040.00000020.00020000.00000000.sdmp, S12.exe, 00000005.00000002.2721298956.0000000002BFD000.00000040.00000020.00020000.00000000.sdmp, S12.exe, 00000005.00000003.1832201461.0000000002A4D000.00000004.00000020.00020000.00000000.sdmp, 60bae0.tmp.5.dr, 602d46.tmp.0.dr
Source:	Binary string: DrvInDM U.pdbe source: S12.exe
Source:	Binary string: wuser32.pdb source: S12.exe, 00000000.00000003.1470628507.0000000002994000.00000004.00000020.00020000.00000000.sdmp, S12.exe, 00000000.00000002.2720833506.0000000002B44000.00000040.00000020.00020000.00000000.sdmp, S12.exe, 00000005.00000002.2721522199.0000000002DBF000.00000040.00000020.00020000.00000000.sdmp, S12.exe, 00000005.00000003.1833009540.0000000002A49000.00000004.00000020.00020000.00000000.sdmp, 60bb2f.tmp.5.dr, 602da4.tmp.0.dr
Source:	Binary string: devc@on.pdb source: S12.exe
Source:	Binary string: wuser32.pdbUGP source: S12.exe, 00000000.00000003.1470628507.0000000002994000.00000004.00000020.00020000.00000000.sdmp, S12.exe, 00000000.00000002.2720833506.0000000002B44000.00000040.00000020.00020000.00000000.sdmp, S12.exe, 00000005.00000002.2721522199.0000000002DBF000.00000040.00000020.00020000.00000000.sdmp, S12.exe, 00000005.00000003.1833009540.0000000002A49000.00000004.00000020.00020000.00000000.sdmp, 60bb2f.tmp.5.dr, 602da4.tmp.0.dr

Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-20h], esp	0_2_1000710E
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-20h], esp	0_2_1000710E
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-28h], esp	0_2_1000710E
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-20h], esp	0_2_1000710E
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-10h], esp	0_2_1001A199
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-04h], esp	0_2_10018AD3
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-04h], esp	0_2_10018AD3
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-04h], esp	0_2_10018EEA
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-20h], esp	0_2_100193C2
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-24h], esp	0_2_100193C2
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-0Ch], esp	0_2_10007FDD
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-0Ch], esp	0_2_10018801
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-14h], esp	0_2_10017804
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-0Ch], esp	0_2_10011772
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-10h], esp	0_2_10013C18
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-04h], esp	0_2_10011C1A
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-10h], esp	0_2_1001A031
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-58h], esp	0_2_10024C38
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-20h], esp	0_2_1001AC51
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-20h], esp	0_2_1001AC51
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-20h], esp	0_2_1001AC51
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-10h], esp	0_2_10006051
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-10h], esp	0_2_10006051
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-14h], esp	0_2_1001385A
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-04h], esp	0_2_10002461
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-0Ch], esp	0_2_1000F472
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-18h], esp	0_2_1001847E
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-10h], esp	0_2_10022882
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-38h], esp	0_2_10025484
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-58h], esp	0_2_10025484
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-20h], esp	0_2_10006495
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-10h], esp	0_2_10006C96
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-04h], esp	0_2_10014096
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-04h], esp	0_2_10014096
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-14h], esp	0_2_100024AC
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-20h], esp	0_2_100024AC
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-14h], esp	0_2_100024AC
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-14h], esp	0_2_100024AC
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-10h], esp	0_2_1000FCB0
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-1Ch], esp	0_2_1001A8BE
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-1Ch], esp	0_2_1001A8BE
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-1Ch], esp	0_2_1001A8BE
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-1Ch], esp	0_2_1001A8BE
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-1Ch], esp	0_2_1001A8BE
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-1Ch], esp	0_2_1001A8BE
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-1Ch], esp	0_2_1001A8BE
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-1Ch], esp	0_2_1001A8BE
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-1Ch], esp	0_2_1001A8BE
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-1Ch], esp	0_2_1001A8BE
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-1Ch], esp	0_2_1001A8BE
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-1Ch], esp	0_2_1001A8BE
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-44h], esp	0_2_100198CC
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-08h], esp	0_2_100188E1
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-14h], esp	0_2_1001A4E7
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-14h], esp	0_2_1000210D
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-14h], esp	0_2_1000210D
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-24h], esp	0_2_1000B90D
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-10h], esp	0_2_10003116
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-0Ch], esp	0_2_10017D41
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-0Ch], esp	0_2_10017D41
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-10h], esp	0_2_1000FD4D
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-08h], esp	0_2_10001D56
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-58h], esp	0_2_10025977
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-0Ch], esp	0_2_10010199
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-04h], esp	0_2_1001419C
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-04h], esp	0_2_1001419C
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-10h], esp	0_2_10008DA3
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-08h], esp	0_2_100111A7
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-10h], esp	0_2_10007DB8
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-18h], esp	0_2_100151BD
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-18h], esp	0_2_100151BD
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-18h], esp	0_2_100151BD
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-28h], esp	0_2_1001D1C4
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-20h], esp	0_2_1001D1C4
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-3Ch], esp	0_2_100259D9
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-2Ch], esp	0_2_100221E2
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-2Ch], esp	0_2_100221E2
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-2Ch], esp	0_2_100221E2
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-2Ch], esp	0_2_100221E2
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-2Ch], esp	0_2_100221E2
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-10h], esp	0_2_100189E6
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-0Ch], esp	0_2_1000FDEA
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-08h], esp	0_2_100101FB
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-08h], esp	0_2_10014203
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-14h], esp	0_2_1001121A
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-14h], esp	0_2_1001121A
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-14h], esp	0_2_1001121A
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-14h], esp	0_2_1001121A
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-14h], esp	0_2_1001121A
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-14h], esp	0_2_1001121A
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-0Ch], esp	0_2_1000B61E
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-2Ch], esp	0_2_1001221F
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-2Ch], esp	0_2_1001221F
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-14h], esp	0_2_1001A236
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-0Ch], esp	0_2_1001363D
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-14h], esp	0_2_1001363D
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-10h], esp	0_2_10008E40
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-08h], esp	0_2_10011653
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-08h], esp	0_2_10011653
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-10h], esp	0_2_10010255
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-10h], esp	0_2_10010255
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-10h], esp	0_2_10007E55
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-24h], esp	0_2_10007E55
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-50h], esp	0_2_1000C655
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-50h], esp	0_2_1000C655
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-50h], esp	0_2_1000C655
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-50h], esp	0_2_1000C655
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-50h], esp	0_2_1000C655
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-50h], esp	0_2_1000C655
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-3Ch], esp	0_2_1000C655
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-3Ch], esp	0_2_1000C655
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-3Ch], esp	0_2_1000C655
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-40h], esp	0_2_1000C655
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-3Ch], esp	0_2_1000C655
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-50h], esp	0_2_1000C655
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-3Ch], esp	0_2_1000C655
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-3Ch], esp	0_2_1000C655
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-40h], esp	0_2_1000C655
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-3Ch], esp	0_2_1000C655
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-10h], esp	0_2_1000FA6F
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-10h], esp	0_2_10022A80
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-10h], esp	0_2_10011E89
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-44h], esp	0_2_10014289
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-44h], esp	0_2_10014289
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-44h], esp	0_2_10014289
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-48h], esp	0_2_10014289
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-4Ch], esp	0_2_10014289
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-58h], esp	0_2_10014289
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-44h], esp	0_2_10014289
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-44h], esp	0_2_10014289
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-44h], esp	0_2_10014289
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-48h], esp	0_2_10014289
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-44h], esp	0_2_10014289
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-44h], esp	0_2_10014289
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-48h], esp	0_2_10014289
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-44h], esp	0_2_10014289
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-44h], esp	0_2_10014289
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-48h], esp	0_2_10014289
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-48h], esp	0_2_10014289
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-4Ch], esp	0_2_1002129C
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-4Ch], esp	0_2_1002129C
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-4Ch], esp	0_2_1002129C
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-4Ch], esp	0_2_1002129C
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-4Ch], esp	0_2_1002129C
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-54h], esp	0_2_1002129C
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-4Ch], esp	0_2_1002129C
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-4Ch], esp	0_2_1002129C
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-4Ch], esp	0_2_1002129C
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-50h], esp	0_2_1002129C
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-4Ch], esp	0_2_1002129C
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-4Ch], esp	0_2_1002129C
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-4Ch], esp	0_2_1002129C
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-4Ch], esp	0_2_1002129C
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-14h], esp	0_2_1001A6C7
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-20h], esp	0_2_10017ECA
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-10h], esp	0_2_10010AD6
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-10h], esp	0_2_10010AD6
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-38h], esp	0_2_10008EDD
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-04h], esp	0_2_1001BADE
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-10h], esp	0_2_100246E4
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp	0_2_1001F2ED
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp	0_2_1001F2ED
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp	0_2_1001F2ED
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp	0_2_1001F2ED
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp	0_2_1001F2ED
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-0000008Ch], esp	0_2_1001F2ED
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp	0_2_1001F2ED
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp	0_2_1001F2ED
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp	0_2_1001F2ED
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp	0_2_1001F2ED
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp	0_2_1001F2ED
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp	0_2_1001F2ED
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp	0_2_1001F2ED
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp	0_2_1001F2ED
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp	0_2_1001F2ED
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp	0_2_1001F2ED
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp	0_2_1001F2ED
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp	0_2_1001F2ED
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp	0_2_1001F2ED
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-0000008Ch], esp	0_2_1001F2ED
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp	0_2_1001F2ED
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp	0_2_1001F2ED
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-0000008Ch], esp	0_2_1001F2ED
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp	0_2_1001F2ED
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp	0_2_1001F2ED
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp	0_2_1001F2ED
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-0000008Ch], esp	0_2_1001F2ED
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-0000008Ch], esp	0_2_1001F2ED
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp	0_2_1001F2ED
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp	0_2_1001F2ED
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp	0_2_1001F2ED
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp	0_2_1001F2ED
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp	0_2_1001F2ED
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-10h], esp	0_2_1001A6F8
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-18h], esp	0_2_1001A6F8
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-10h], esp	0_2_1001A6F8
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-10h], esp	0_2_1001A6F8
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-10h], esp	0_2_1001A6F8
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-10h], esp	0_2_1001A6F8
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-08h], esp	0_2_100236FF
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-08h], esp	0_2_100236FF
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-10h], esp	0_2_1000FF10
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-10h], esp	0_2_10008B27
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-04h], esp	0_2_1001BB29
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-14h], esp	0_2_10015B34
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-10h], esp	0_2_1000833D
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-34h], esp	0_2_10012B40
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-04h], esp	0_2_1000634E
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-10h], esp	0_2_1000B353
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-4Ch], esp	0_2_10026356
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-54h], esp	0_2_1001DB5C
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-44h], esp	0_2_1001DB5C
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-0Ch], esp	0_2_10017B68
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-0Ch], esp	0_2_10011772
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-38h], esp	0_2_10024781
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-58h], esp	0_2_10024781
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-0Ch], esp	0_2_1002378A
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-0Ch], esp	0_2_1002378A
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-14h], esp	0_2_1002378A
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-0Ch], esp	0_2_1002378A
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-0Ch], esp	0_2_1002378A
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-44h], esp	0_2_10014289
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-44h], esp	0_2_10014289
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-44h], esp	0_2_10014289
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-48h], esp	0_2_10014289
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-4Ch], esp	0_2_10014289
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-58h], esp	0_2_10014289
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-44h], esp	0_2_10014289
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-44h], esp	0_2_10014289
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-44h], esp	0_2_10014289
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-48h], esp	0_2_10014289
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-44h], esp	0_2_10014289
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-44h], esp	0_2_10014289
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-48h], esp	0_2_10014289
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-44h], esp	0_2_10014289
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-44h], esp	0_2_10014289
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-48h], esp	0_2_10014289
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-48h], esp	0_2_10014289
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-1Ch], esp	0_2_1001BFA0
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-1Ch], esp	0_2_1001BFA0
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-1Ch], esp	0_2_1001BFA0
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-24h], esp	0_2_1001BFA0
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-1Ch], esp	0_2_1001BFA0
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-18h], esp	0_2_1000A7A2
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-10h], esp	0_2_100137A3
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-10h], esp	0_2_1000F7AC
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-10h], esp	0_2_10008BC4
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-10h], esp	0_2_10013FC8
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-10h], esp	0_2_10007BCA
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-04h], esp	0_2_10005FDA
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-10h], esp	0_2_100253E7
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-10h], esp	0_2_1000B3F0
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-20h], esp	5_2_1000710E
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-20h], esp	5_2_1000710E
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-28h], esp	5_2_1000710E
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-20h], esp	5_2_1000710E
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-10h], esp	5_2_1001A199
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-04h], esp	5_2_10018AD3
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-04h], esp	5_2_10018AD3
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-04h], esp	5_2_10018EEA
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-20h], esp	5_2_100193C2
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-24h], esp	5_2_100193C2
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-0Ch], esp	5_2_10007FDD
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-0Ch], esp	5_2_10018801
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-14h], esp	5_2_10017804
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-0Ch], esp	5_2_10011772
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-10h], esp	5_2_10013C18
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-04h], esp	5_2_10011C1A
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-10h], esp	5_2_1001A031
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-58h], esp	5_2_10024C38
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-20h], esp	5_2_1001AC51
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-20h], esp	5_2_1001AC51
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-20h], esp	5_2_1001AC51
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-10h], esp	5_2_10006051
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-10h], esp	5_2_10006051
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-14h], esp	5_2_1001385A
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-04h], esp	5_2_10002461
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-0Ch], esp	5_2_1000F472
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-18h], esp	5_2_1001847E
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-10h], esp	5_2_10022882
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-38h], esp	5_2_10025484
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-58h], esp	5_2_10025484
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-20h], esp	5_2_10006495
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-10h], esp	5_2_10006C96
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-04h], esp	5_2_10014096
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-04h], esp	5_2_10014096
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-14h], esp	5_2_100024AC
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-20h], esp	5_2_100024AC
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-14h], esp	5_2_100024AC
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-14h], esp	5_2_100024AC
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-10h], esp	5_2_1000FCB0
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-1Ch], esp	5_2_1001A8BE
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-1Ch], esp	5_2_1001A8BE
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-1Ch], esp	5_2_1001A8BE
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-1Ch], esp	5_2_1001A8BE
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-1Ch], esp	5_2_1001A8BE
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-1Ch], esp	5_2_1001A8BE
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-1Ch], esp	5_2_1001A8BE
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-1Ch], esp	5_2_1001A8BE
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-1Ch], esp	5_2_1001A8BE
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-1Ch], esp	5_2_1001A8BE
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-1Ch], esp	5_2_1001A8BE
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-1Ch], esp	5_2_1001A8BE
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-44h], esp	5_2_100198CC
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-08h], esp	5_2_100188E1
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-14h], esp	5_2_1001A4E7
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-14h], esp	5_2_1000210D
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-14h], esp	5_2_1000210D
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-24h], esp	5_2_1000B90D
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-10h], esp	5_2_10003116
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-0Ch], esp	5_2_10017D41
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-0Ch], esp	5_2_10017D41
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-10h], esp	5_2_1000FD4D
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-08h], esp	5_2_10001D56
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-58h], esp	5_2_10025977
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-0Ch], esp	5_2_10010199
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-04h], esp	5_2_1001419C
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-04h], esp	5_2_1001419C
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-10h], esp	5_2_10008DA3
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-08h], esp	5_2_100111A7
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-10h], esp	5_2_10007DB8
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-18h], esp	5_2_100151BD
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-18h], esp	5_2_100151BD
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-18h], esp	5_2_100151BD
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-28h], esp	5_2_1001D1C4
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-20h], esp	5_2_1001D1C4
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-3Ch], esp	5_2_100259D9
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-2Ch], esp	5_2_100221E2
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-2Ch], esp	5_2_100221E2
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-2Ch], esp	5_2_100221E2
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-2Ch], esp	5_2_100221E2
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-2Ch], esp	5_2_100221E2
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-10h], esp	5_2_100189E6
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-0Ch], esp	5_2_1000FDEA
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-08h], esp	5_2_100101FB
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-08h], esp	5_2_10014203
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-14h], esp	5_2_1001121A
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-14h], esp	5_2_1001121A
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-14h], esp	5_2_1001121A
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-14h], esp	5_2_1001121A
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-14h], esp	5_2_1001121A
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-14h], esp	5_2_1001121A
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-0Ch], esp	5_2_1000B61E
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-2Ch], esp	5_2_1001221F
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-2Ch], esp	5_2_1001221F
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-14h], esp	5_2_1001A236
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-0Ch], esp	5_2_1001363D
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-14h], esp	5_2_1001363D
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-10h], esp	5_2_10008E40
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-08h], esp	5_2_10011653
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-08h], esp	5_2_10011653
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-10h], esp	5_2_10010255
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-10h], esp	5_2_10010255
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-10h], esp	5_2_10007E55
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-24h], esp	5_2_10007E55
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-50h], esp	5_2_1000C655
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-50h], esp	5_2_1000C655
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-50h], esp	5_2_1000C655
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-50h], esp	5_2_1000C655
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-50h], esp	5_2_1000C655
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-50h], esp	5_2_1000C655
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-3Ch], esp	5_2_1000C655
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-3Ch], esp	5_2_1000C655
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-3Ch], esp	5_2_1000C655
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-40h], esp	5_2_1000C655
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-3Ch], esp	5_2_1000C655
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-50h], esp	5_2_1000C655
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-3Ch], esp	5_2_1000C655
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-3Ch], esp	5_2_1000C655
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-40h], esp	5_2_1000C655
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-3Ch], esp	5_2_1000C655
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-10h], esp	5_2_1000FA6F
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-10h], esp	5_2_10022A80
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-10h], esp	5_2_10011E89
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-44h], esp	5_2_10014289
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-44h], esp	5_2_10014289
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-44h], esp	5_2_10014289
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-48h], esp	5_2_10014289
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-4Ch], esp	5_2_10014289
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-58h], esp	5_2_10014289
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-44h], esp	5_2_10014289
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-44h], esp	5_2_10014289
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-44h], esp	5_2_10014289
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-48h], esp	5_2_10014289
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-44h], esp	5_2_10014289
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-44h], esp	5_2_10014289
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-48h], esp	5_2_10014289
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-44h], esp	5_2_10014289
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-44h], esp	5_2_10014289
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-48h], esp	5_2_10014289
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-48h], esp	5_2_10014289
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-4Ch], esp	5_2_1002129C
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-4Ch], esp	5_2_1002129C
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-4Ch], esp	5_2_1002129C
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-4Ch], esp	5_2_1002129C
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-4Ch], esp	5_2_1002129C
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-54h], esp	5_2_1002129C
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-4Ch], esp	5_2_1002129C
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-4Ch], esp	5_2_1002129C
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-4Ch], esp	5_2_1002129C
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-50h], esp	5_2_1002129C
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-4Ch], esp	5_2_1002129C
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-4Ch], esp	5_2_1002129C
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-4Ch], esp	5_2_1002129C
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-4Ch], esp	5_2_1002129C
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-14h], esp	5_2_1001A6C7
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-20h], esp	5_2_10017ECA
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-10h], esp	5_2_10010AD6
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-10h], esp	5_2_10010AD6
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-38h], esp	5_2_10008EDD
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-04h], esp	5_2_1001BADE
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-10h], esp	5_2_100246E4
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp	5_2_1001F2ED
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp	5_2_1001F2ED
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp	5_2_1001F2ED
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp	5_2_1001F2ED
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp	5_2_1001F2ED
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-0000008Ch], esp	5_2_1001F2ED
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp	5_2_1001F2ED
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp	5_2_1001F2ED
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp	5_2_1001F2ED
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp	5_2_1001F2ED
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp	5_2_1001F2ED
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp	5_2_1001F2ED
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp	5_2_1001F2ED
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp	5_2_1001F2ED
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp	5_2_1001F2ED
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp	5_2_1001F2ED
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp	5_2_1001F2ED
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp	5_2_1001F2ED
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp	5_2_1001F2ED
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-0000008Ch], esp	5_2_1001F2ED
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp	5_2_1001F2ED
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp	5_2_1001F2ED
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-0000008Ch], esp	5_2_1001F2ED
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp	5_2_1001F2ED
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp	5_2_1001F2ED
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp	5_2_1001F2ED
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-0000008Ch], esp	5_2_1001F2ED
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-0000008Ch], esp	5_2_1001F2ED
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp	5_2_1001F2ED
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp	5_2_1001F2ED
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp	5_2_1001F2ED
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp	5_2_1001F2ED
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp	5_2_1001F2ED
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-10h], esp	5_2_1001A6F8
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-18h], esp	5_2_1001A6F8
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-10h], esp	5_2_1001A6F8
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-10h], esp	5_2_1001A6F8
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-10h], esp	5_2_1001A6F8
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-10h], esp	5_2_1001A6F8
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-08h], esp	5_2_100236FF
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-08h], esp	5_2_100236FF
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-10h], esp	5_2_1000FF10
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-10h], esp	5_2_10008B27
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-04h], esp	5_2_1001BB29
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-14h], esp	5_2_10015B34
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-10h], esp	5_2_1000833D
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-34h], esp	5_2_10012B40
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-04h], esp	5_2_1000634E
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-10h], esp	5_2_1000B353
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-4Ch], esp	5_2_10026356
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-54h], esp	5_2_1001DB5C
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-44h], esp	5_2_1001DB5C
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-0Ch], esp	5_2_10017B68
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-0Ch], esp	5_2_10011772
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-38h], esp	5_2_10024781
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-58h], esp	5_2_10024781
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-0Ch], esp	5_2_1002378A
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-0Ch], esp	5_2_1002378A
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-14h], esp	5_2_1002378A
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-0Ch], esp	5_2_1002378A
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-0Ch], esp	5_2_1002378A
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-44h], esp	5_2_10014289
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-44h], esp	5_2_10014289
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-44h], esp	5_2_10014289
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-48h], esp	5_2_10014289
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-4Ch], esp	5_2_10014289
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-58h], esp	5_2_10014289
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-44h], esp	5_2_10014289
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-44h], esp	5_2_10014289
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-44h], esp	5_2_10014289
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-48h], esp	5_2_10014289
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-44h], esp	5_2_10014289
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-44h], esp	5_2_10014289
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-48h], esp	5_2_10014289
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-44h], esp	5_2_10014289
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-44h], esp	5_2_10014289
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-48h], esp	5_2_10014289
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-48h], esp	5_2_10014289
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-1Ch], esp	5_2_1001BFA0
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-1Ch], esp	5_2_1001BFA0
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-1Ch], esp	5_2_1001BFA0
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-24h], esp	5_2_1001BFA0
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-1Ch], esp	5_2_1001BFA0
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-18h], esp	5_2_1000A7A2
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-10h], esp	5_2_100137A3
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-10h], esp	5_2_1000F7AC
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-10h], esp	5_2_10008BC4
Source: C:\Users\user\Desktop\S12.exe	Code function: 4x nop then cmp dword ptr [ebp-10h], esp	5_2_10013FC8

Source: global traffic	HTTP traffic detected: GET /%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txt HTTP/1.1Accept: /User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)Host: 82.156.239.188Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /123.txt HTTP/1.1Accept: /User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)Host: 82.156.239.188Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txt HTTP/1.1Accept: /User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)Host: 82.156.239.188Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /123.txt HTTP/1.1Accept: /User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)Host: 82.156.239.188Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txt HTTP/1.1Accept: /User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)Host: 82.156.239.188Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /123.txt HTTP/1.1Accept: /User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)Host: 82.156.239.188Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txt HTTP/1.1Accept: /User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)Host: 82.156.239.188Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /123.txt HTTP/1.1Accept: /User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)Host: 82.156.239.188Cache-Control: no-cache

Source: unknown	TCP traffic detected without corresponding DNS query: 82.156.239.188
Source: unknown	TCP traffic detected without corresponding DNS query: 82.156.239.188
Source: unknown	TCP traffic detected without corresponding DNS query: 82.156.239.188
Source: unknown	TCP traffic detected without corresponding DNS query: 82.156.239.188
Source: unknown	TCP traffic detected without corresponding DNS query: 82.156.239.188
Source: unknown	TCP traffic detected without corresponding DNS query: 82.156.239.188
Source: unknown	TCP traffic detected without corresponding DNS query: 82.156.239.188
Source: unknown	TCP traffic detected without corresponding DNS query: 82.156.239.188
Source: unknown	TCP traffic detected without corresponding DNS query: 82.156.239.188
Source: unknown	TCP traffic detected without corresponding DNS query: 82.156.239.188
Source: unknown	TCP traffic detected without corresponding DNS query: 82.156.239.188
Source: unknown	TCP traffic detected without corresponding DNS query: 82.156.239.188
Source: unknown	TCP traffic detected without corresponding DNS query: 82.156.239.188
Source: unknown	TCP traffic detected without corresponding DNS query: 82.156.239.188
Source: unknown	TCP traffic detected without corresponding DNS query: 82.156.239.188
Source: unknown	TCP traffic detected without corresponding DNS query: 82.156.239.188
Source: unknown	TCP traffic detected without corresponding DNS query: 82.156.239.188
Source: unknown	TCP traffic detected without corresponding DNS query: 82.156.239.188
Source: unknown	TCP traffic detected without corresponding DNS query: 82.156.239.188
Source: unknown	TCP traffic detected without corresponding DNS query: 82.156.239.188
Source: unknown	TCP traffic detected without corresponding DNS query: 82.156.239.188
Source: unknown	TCP traffic detected without corresponding DNS query: 82.156.239.188
Source: unknown	TCP traffic detected without corresponding DNS query: 82.156.239.188
Source: unknown	TCP traffic detected without corresponding DNS query: 82.156.239.188
Source: unknown	TCP traffic detected without corresponding DNS query: 82.156.239.188
Source: unknown	TCP traffic detected without corresponding DNS query: 82.156.239.188
Source: unknown	TCP traffic detected without corresponding DNS query: 82.156.239.188
Source: unknown	TCP traffic detected without corresponding DNS query: 82.156.239.188
Source: unknown	TCP traffic detected without corresponding DNS query: 82.156.239.188
Source: unknown	TCP traffic detected without corresponding DNS query: 82.156.239.188
Source: unknown	TCP traffic detected without corresponding DNS query: 82.156.239.188
Source: unknown	TCP traffic detected without corresponding DNS query: 82.156.239.188
Source: unknown	TCP traffic detected without corresponding DNS query: 82.156.239.188

Source: global traffic	HTTP traffic detected: GET /%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txt HTTP/1.1Accept: /User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)Host: 82.156.239.188Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /123.txt HTTP/1.1Accept: /User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)Host: 82.156.239.188Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txt HTTP/1.1Accept: /User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)Host: 82.156.239.188Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /123.txt HTTP/1.1Accept: /User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)Host: 82.156.239.188Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txt HTTP/1.1Accept: /User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)Host: 82.156.239.188Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /123.txt HTTP/1.1Accept: /User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)Host: 82.156.239.188Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txt HTTP/1.1Accept: /User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)Host: 82.156.239.188Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /123.txt HTTP/1.1Accept: /User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)Host: 82.156.239.188Cache-Control: no-cache

Source: S12.exe, 00000000.00000002.2719852664.0000000000CDA000.00000004.00000020.00020000.00000000.sdmp, S12.exe, 00000005.00000002.2719959118.0000000000AC6000.00000004.00000020.00020000.00000000.sdmp, S12.exe, 00000005.00000002.2719959118.0000000000AB5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://82.156.239.188/
Source: S12.exe	String found in binary or memory: http://82.156.239.188/%E5%AD%98%E6%A1%A3/
Source: S12.exe	String found in binary or memory: http://82.156.239.188/%E7%89%88%E6%9C%AC%E6%9B%B4%E6%96%B0.txt
Source: S12.exe	String found in binary or memory: http://82.156.239.188/%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txt
Source: S12.exe, 00000005.00000002.2719959118.0000000000AB5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://82.156.239.188/%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txt.
Source: S12.exe, 00000005.00000002.2719959118.0000000000AB5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://82.156.239.188/%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txt0
Source: S12.exe, 00000000.00000002.2719852664.0000000000C90000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://82.156.239.188/%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txt2658-3693405117-2476756634-1003
Source: S12.exe, 00000005.00000002.2719959118.0000000000AC6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://82.156.239.188/%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txt8E
Source: S12.exe, 00000000.00000002.2719852664.0000000000CE9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://82.156.239.188/%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txt:&B
Source: S12.exe, 00000000.00000002.2719852664.0000000000CE9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://82.156.239.188/%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txt=
Source: S12.exe, 00000000.00000002.2719852664.0000000000C90000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://82.156.239.188/%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txtbP
Source: S12.exe, 00000000.00000002.2719852664.0000000000CE9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://82.156.239.188/%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txth
Source: S12.exe	String found in binary or memory: http://82.156.239.188/%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txthttp://82.156.239.188/123.txt
Source: S12.exe, 00000000.00000002.2719852664.0000000000C90000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://82.156.239.188/%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txtmP
Source: S12.exe, 00000000.00000002.2719852664.0000000000CEE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://82.156.239.188/%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txtwsock.dll.mui1
Source: S12.exe, 00000000.00000002.2719852664.0000000000CE9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://82.156.239.188/%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txty
Source: S12.exe, 00000005.00000002.2719959118.0000000000AC6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://82.156.239.188/-E
Source: S12.exe	String found in binary or memory: http://82.156.239.188/123.txt
Source: S12.exe, 00000000.00000002.2719852664.0000000000CEE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://82.156.239.188/123.txt-2476756634-1003N
Source: S12.exe, 00000000.00000002.2719852664.0000000000C90000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://82.156.239.188/123.txtpP
Source: S12.exe, 00000005.00000002.2719959118.0000000000AB5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://82.156.239.188/123.txtu
Source: S12.exe, 00000005.00000002.2719959118.0000000000AB5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://82.156.239.188/123.txtxt
Source: S12.exe, 00000000.00000002.2719852664.0000000000C90000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://82.156.239.188/123.txtxt1P
Source: S12.exe, 00000005.00000002.2719959118.0000000000AB5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://82.156.239.188/123.txtz
Source: S12.exe	String found in binary or memory: http://ocsp.t
Source: S12.exe	String found in binary or memory: http://sf.symc
Source: S12.exe	String found in binary or memory: http://ts-ocsp.ws.s
Source: S12.exe	String found in binary or memory: http://ts-ocsp.ws.symantec.
Source: S12.exe	String found in binary or memory: http://www.eyuyan.com)DVarFileInfo$
Source: S12.exe	String found in binary or memory: https://ww(w.v

Source: C:\Users\user\Desktop\S12.exe

Code function: 0_2_1001F2ED IsWindow,IsIconic,GetDCEx,GetDCEx,GetWindowInfo,GetWindowRect,CreateCompatibleDC,CreateDIBSection,SelectObject,CreateCompatibleDC,SelectObject,PrintWindow,BitBlt,BitBlt,BitBlt,SelectObject,GetDIBits,

0_2_1001F2ED

Source: S12.exe, 00000000.00000003.1470628507.0000000002994000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: GetRawInputData

memstr_a0b33def-1

Source: Yara match	File source: Process Memory Space: S12.exe PID: 5624, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: S12.exe PID: 2700, type: MEMORYSTR

Source: C:\Users\user\Desktop\S12.exe	Code function: 0_2_10007FDD NtClose,	0_2_10007FDD
Source: C:\Users\user\Desktop\S12.exe	Code function: 0_2_1001419C ReleaseMutex,NtClose,	0_2_1001419C
Source: C:\Users\user\Desktop\S12.exe	Code function: 0_2_1001221F NtClose,	0_2_1001221F
Source: C:\Users\user\Desktop\S12.exe	Code function: 5_2_10007FDD NtClose,	5_2_10007FDD
Source: C:\Users\user\Desktop\S12.exe	Code function: 5_2_1001419C ReleaseMutex,NtClose,	5_2_1001419C
Source: C:\Users\user\Desktop\S12.exe	Code function: 5_2_1001221F NtClose,	5_2_1001221F

Source: C:\Users\user\Desktop\S12.exe	Code function: 0_2_10002628	0_2_10002628
Source: C:\Users\user\Desktop\S12.exe	Code function: 0_2_100032EA	0_2_100032EA
Source: C:\Users\user\Desktop\S12.exe	Code function: 5_2_10002628	5_2_10002628
Source: C:\Users\user\Desktop\S12.exe	Code function: 5_2_100032EA	5_2_100032EA

Source: C:\Users\user\Desktop\S12.exe

Process token adjusted: Load Driver

Jump to behavior

Source: C:\Users\user\Desktop\S12.exe

Process token adjusted: Security

Jump to behavior

Source: C:\Users\user\Desktop\S12.exe

Code function: String function: 10029640 appears 130 times

Source: 602d46.tmp.0.dr	Static PE information: Resource name: RT_MESSAGETABLE type: PDP-11 separate I&D executable not stripped
Source: 60bae0.tmp.5.dr	Static PE information: Resource name: RT_MESSAGETABLE type: PDP-11 separate I&D executable not stripped

Source: 602d46.tmp.0.dr	Static PE information: No import functions for PE file found
Source: 60bae0.tmp.5.dr	Static PE information: No import functions for PE file found

Source: S12.exe, 00000000.00000003.1470628507.0000000002994000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameuser32j% vs S12.exe
Source: S12.exe, 00000000.00000002.2720833506.0000000002BEC000.00000040.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameuser32j% vs S12.exe
Source: S12.exe, 00000000.00000002.2721133599.0000000002E24000.00000040.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs S12.exe
Source: S12.exe, 00000000.00000003.1469901007.0000000002C6B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs S12.exe
Source: S12.exe, 00000005.00000002.2721522199.0000000002E67000.00000040.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameuser32j% vs S12.exe
Source: S12.exe, 00000005.00000002.2721298956.0000000002D2A000.00000040.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs S12.exe
Source: S12.exe, 00000005.00000003.1833009540.0000000002A49000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameuser32j% vs S12.exe
Source: S12.exe, 00000005.00000003.1832201461.0000000002B70000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs S12.exe

Source: S12.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: QQWER.dll.0.dr

Static PE information: Section: .rsrc ZLIB complexity 1.0002780183550337

Source: 602d46.tmp.0.dr

Binary string: \Device\IPT[

Source: classification engine

Classification label: mal76.evad.winEXE@2/12@0/1

Source: C:\Users\user\Desktop\S12.exe

Code function: 0_2_0040E048 GetDiskFreeSpaceExA,

0_2_0040E048

Source: C:\Users\user\Desktop\S12.exe

File created: C:\Users\user\Desktop\QQWER.dll

Jump to behavior

Source: C:\Users\user\Desktop\S12.exe

Mutant created: NULL

Source: C:\Users\user\Desktop\S12.exe

File created: C:\Users\user\AppData\Local\Temp\602d46.tmp

Jump to behavior

Source: S12.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\S12.exe

File read: C:\Users\user\Desktop\ .ini

Jump to behavior

Source: C:\Users\user\Desktop\S12.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\S12.exe "C:\Users\user\Desktop\S12.exe"
Source: unknown	Process created: C:\Users\user\Desktop\S12.exe "C:\Users\user\Desktop\S12.exe"

Source: C:\Users\user\Desktop\S12.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\S12.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\S12.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\S12.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\Desktop\S12.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\S12.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\S12.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\S12.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\S12.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\S12.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\S12.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\S12.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\S12.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\S12.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\S12.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\S12.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\S12.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\S12.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\S12.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\S12.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\S12.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\S12.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\S12.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\S12.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\S12.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\S12.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\S12.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\S12.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\S12.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\S12.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\S12.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\S12.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\S12.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\S12.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\S12.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\S12.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\Desktop\S12.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\S12.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\S12.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\S12.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\S12.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\S12.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\S12.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\S12.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\S12.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\S12.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\S12.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\S12.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\S12.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\S12.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\S12.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\S12.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\S12.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\S12.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\S12.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\S12.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\S12.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\S12.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\S12.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\S12.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\S12.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\S12.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\S12.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\S12.exe	Section loaded: netutils.dll	Jump to behavior

Source: C:\Users\user\Desktop\S12.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\S12.exe

File written: C:\Users\user\Desktop\ .ini

Jump to behavior

Source: C:\Users\user\Desktop\S12.exe

Window detected: Number of UI elements: 27

Source: S12.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: S12.exe

Static file information: File size 4943872 > 1048576

Source: S12.exe	Static PE information: Raw size of .text is bigger than: 0x100000 < 0x13b000
Source: S12.exe	Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x256000
Source: S12.exe	Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x10d000

Source:	Binary string: devco n.pdbo source: S12.exe
Source:	Binary string: wntdll.pdbUGP source: S12.exe, 00000000.00000003.1469901007.0000000002B48000.00000004.00000020.00020000.00000000.sdmp, S12.exe, 00000000.00000002.2721133599.0000000002CF7000.00000040.00000020.00020000.00000000.sdmp, S12.exe, 00000005.00000002.2721298956.0000000002BFD000.00000040.00000020.00020000.00000000.sdmp, S12.exe, 00000005.00000003.1832201461.0000000002A4D000.00000004.00000020.00020000.00000000.sdmp, 60bae0.tmp.5.dr, 602d46.tmp.0.dr
Source:	Binary string: wntdll.pdb source: S12.exe, 00000000.00000003.1469901007.0000000002B48000.00000004.00000020.00020000.00000000.sdmp, S12.exe, 00000000.00000002.2721133599.0000000002CF7000.00000040.00000020.00020000.00000000.sdmp, S12.exe, 00000005.00000002.2721298956.0000000002BFD000.00000040.00000020.00020000.00000000.sdmp, S12.exe, 00000005.00000003.1832201461.0000000002A4D000.00000004.00000020.00020000.00000000.sdmp, 60bae0.tmp.5.dr, 602d46.tmp.0.dr
Source:	Binary string: DrvInDM U.pdbe source: S12.exe
Source:	Binary string: wuser32.pdb source: S12.exe, 00000000.00000003.1470628507.0000000002994000.00000004.00000020.00020000.00000000.sdmp, S12.exe, 00000000.00000002.2720833506.0000000002B44000.00000040.00000020.00020000.00000000.sdmp, S12.exe, 00000005.00000002.2721522199.0000000002DBF000.00000040.00000020.00020000.00000000.sdmp, S12.exe, 00000005.00000003.1833009540.0000000002A49000.00000004.00000020.00020000.00000000.sdmp, 60bb2f.tmp.5.dr, 602da4.tmp.0.dr
Source:	Binary string: devc@on.pdb source: S12.exe
Source:	Binary string: wuser32.pdbUGP source: S12.exe, 00000000.00000003.1470628507.0000000002994000.00000004.00000020.00020000.00000000.sdmp, S12.exe, 00000000.00000002.2720833506.0000000002B44000.00000040.00000020.00020000.00000000.sdmp, S12.exe, 00000005.00000002.2721522199.0000000002DBF000.00000040.00000020.00020000.00000000.sdmp, S12.exe, 00000005.00000003.1833009540.0000000002A49000.00000004.00000020.00020000.00000000.sdmp, 60bb2f.tmp.5.dr, 602da4.tmp.0.dr

Data Obfuscation

Detected unpacking (creates a PE file in dynamic memory)

Source: C:\Users\user\Desktop\S12.exe	Unpacked PE file: 0.2.S12.exe.10000000.2.unpack
Source: C:\Users\user\Desktop\S12.exe	Unpacked PE file: 5.2.S12.exe.10000000.2.unpack

Source: C:\Users\user\Desktop\S12.exe

Code function: 0_2_004AB900 GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,FreeLibrary,FreeLibrary,

0_2_004AB900

Source: initial sample

Static PE information: section where entry point is pointing to: .rsrc

Source: QQWER.dll.0.dr	Static PE information: section name: .Upack
Source: 602d46.tmp.0.dr	Static PE information: section name: RT
Source: 602d46.tmp.0.dr	Static PE information: section name: .mrdata
Source: 602d46.tmp.0.dr	Static PE information: section name: .00cfg
Source: 602da4.tmp.0.dr	Static PE information: section name: .didat
Source: 60bae0.tmp.5.dr	Static PE information: section name: RT
Source: 60bae0.tmp.5.dr	Static PE information: section name: .mrdata
Source: 60bae0.tmp.5.dr	Static PE information: section name: .00cfg
Source: 60bb2f.tmp.5.dr	Static PE information: section name: .didat

Source: C:\Users\user\Desktop\S12.exe	Code function: 0_2_0051AA60 push eax; ret	0_2_0051AA8E
Source: C:\Users\user\Desktop\S12.exe	Code function: 0_2_0051CCD4 push eax; ret	0_2_0051CCF2
Source: C:\Users\user\Desktop\S12.exe	Code function: 0_2_1002C7F8 push edi; ret	0_2_1002C7FC
Source: C:\Users\user\Desktop\S12.exe	Code function: 5_2_0051AA60 push eax; ret	5_2_0051AA8E
Source: C:\Users\user\Desktop\S12.exe	Code function: 5_2_0051CCD4 push eax; ret	5_2_0051CCF2
Source: C:\Users\user\Desktop\S12.exe	Code function: 5_2_1002C7F8 push edi; ret	5_2_1002C7FC

Source: QQWER.dll.0.dr	Static PE information: section name: .rsrc entropy: 7.999713933191419
Source: 602d46.tmp.0.dr	Static PE information: section name: .text entropy: 6.844715065913507
Source: 60bae0.tmp.5.dr	Static PE information: section name: .text entropy: 6.844715065913507

Source: C:\Users\user\Desktop\S12.exe	File created: C:\Users\user\Desktop\QQWER.dll	Jump to dropped file
Source: C:\Users\user\Desktop\S12.exe	File created: C:\Users\user\AppData\Local\Temp\60bb2f.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\S12.exe	File created: C:\Users\user\AppData\Local\Temp\602d46.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\S12.exe	File created: C:\Users\user\AppData\Local\Temp\60bae0.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\S12.exe	File created: C:\Users\user\AppData\Local\Temp\602da4.tmp	Jump to dropped file

Source: C:\Users\user\Desktop\S12.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run			Jump to behavior
Source: C:\Users\user\Desktop\S12.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run			Jump to behavior

Source: C:\Users\user\Desktop\S12.exe	Code function: 0_2_1001F2ED IsWindow,IsIconic,GetDCEx,GetDCEx,GetWindowInfo,GetWindowRect,CreateCompatibleDC,CreateDIBSection,SelectObject,CreateCompatibleDC,SelectObject,PrintWindow,BitBlt,BitBlt,BitBlt,SelectObject,GetDIBits,		0_2_1001F2ED
Source: C:\Users\user\Desktop\S12.exe	Code function: 5_2_1001F2ED IsWindow,IsIconic,GetDCEx,GetDCEx,GetWindowInfo,GetWindowRect,CreateCompatibleDC,CreateDIBSection,SelectObject,CreateCompatibleDC,SelectObject,PrintWindow,BitBlt,BitBlt,BitBlt,SelectObject,GetDIBits,		5_2_1001F2ED

Source: C:\Users\user\Desktop\S12.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\S12.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\S12.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\S12.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\S12.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\S12.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\S12.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\S12.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\S12.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\S12.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Found evasive API chain (may stop execution after checking mutex)

Source: C:\Users\user\Desktop\S12.exe

Evasive API call chain: CreateMutex,DecisionNodes,ExitProcess

graph_0-22256

Renames NTDLL to bypass HIPS

Source: C:\Users\user\Desktop\S12.exe	File opened: C:\Windows\SysWOW64\ntdll.dll	Jump to behavior
Source: C:\Users\user\Desktop\S12.exe	File opened: C:\Windows\SysWOW64\ntdll.dll	Jump to behavior
Source: C:\Users\user\Desktop\S12.exe	File opened: C:\Windows\SysWOW64\ntdll.dll	Jump to behavior
Source: C:\Users\user\Desktop\S12.exe	File opened: C:\Windows\SysWOW64\ntdll.dll	Jump to behavior

Source: C:\Users\user\Desktop\S12.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\QQWER.dll	Jump to dropped file
Source: C:\Users\user\Desktop\S12.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\60bb2f.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\S12.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\60bae0.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\S12.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\602d46.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\S12.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\602da4.tmp	Jump to dropped file

Source: C:\Users\user\Desktop\S12.exe	File Volume queried: C:\ FullSizeInformation			Jump to behavior
Source: C:\Users\user\Desktop\S12.exe	File Volume queried: C:\ FullSizeInformation			Jump to behavior

Source: C:\Users\user\Desktop\S12.exe

Code function: 0_2_1000710E GetVersionExA,GetSystemInfo,RtlGetNtVersionNumbers,

0_2_1000710E

Source: S12.exe, 00000005.00000002.2719959118.0000000000A38000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW(&
Source: S12.exe, 00000000.00000002.2719852664.0000000000C68000.00000004.00000020.00020000.00000000.sdmp, S12.exe, 00000000.00000002.2719852664.0000000000D03000.00000004.00000020.00020000.00000000.sdmp, S12.exe, 00000005.00000002.2719959118.0000000000AEB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: S12.exe, 00000000.00000002.2719852664.0000000000D03000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW*

Source: C:\Users\user\Desktop\S12.exe	API call chain: ExitProcess graph end node			graph_0-22370
Source: C:\Users\user\Desktop\S12.exe	API call chain: ExitProcess graph end node			graph_5-22369

Source: C:\Users\user\Desktop\S12.exe

Code function: 0_2_10004B1B LdrInitializeThunk,

0_2_10004B1B

Source: C:\Users\user\Desktop\S12.exe

Code function: 0_2_004AB900 GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,FreeLibrary,FreeLibrary,

0_2_004AB900

Source: C:\Users\user\Desktop\S12.exe	Code function: 0_2_1001A4C7 mov eax, dword ptr fs:[00000030h]	0_2_1001A4C7
Source: C:\Users\user\Desktop\S12.exe	Code function: 0_2_1000AE99 mov eax, dword ptr fs:[00000030h]	0_2_1000AE99
Source: C:\Users\user\Desktop\S12.exe	Code function: 5_2_1001A4C7 mov eax, dword ptr fs:[00000030h]	5_2_1001A4C7
Source: C:\Users\user\Desktop\S12.exe	Code function: 5_2_1000AE99 mov eax, dword ptr fs:[00000030h]	5_2_1000AE99

Source: C:\Users\user\Desktop\S12.exe

Code function: 0_2_10027BB0 GetProcessHeap,RtlAllocateHeap,MessageBoxA,

0_2_10027BB0

Source: C:\Users\user\Desktop\S12.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\Desktop\S12.exe	Process token adjusted: Debug			Jump to behavior

Source: S12.exe, 00000005.00000002.2719959118.0000000000A38000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: GetProgmanWindow@
Source: S12.exe	Binary or memory string: Shell_TrayWnd
Source: S12.exe, 00000000.00000003.1470628507.0000000002994000.00000004.00000020.00020000.00000000.sdmp, S12.exe, 00000000.00000002.2719852664.0000000000C68000.00000004.00000020.00020000.00000000.sdmp, S12.exe, 00000000.00000002.2720833506.0000000002B44000.00000040.00000020.00020000.00000000.sdmp	Binary or memory string: GetProgmanWindow
Source: S12.exe, 00000000.00000003.1470628507.0000000002994000.00000004.00000020.00020000.00000000.sdmp, S12.exe, 00000000.00000002.2719852664.0000000000C68000.00000004.00000020.00020000.00000000.sdmp, S12.exe, 00000000.00000002.2720833506.0000000002B44000.00000040.00000020.00020000.00000000.sdmp	Binary or memory string: SetProgmanWindow
Source: S12.exe	Binary or memory string: @TaskbarCreatedShell_TrayWndTrayNotifyWndSysPagerToolbarWindow3260

Source: C:\Users\user\Desktop\S12.exe

Code function: 0_2_10019EDC cpuid

0_2_10019EDC

Source: C:\Users\user\Desktop\S12.exe

Code function: 0_2_00536062 GetVersion,InitializeCriticalSection,

0_2_00536062

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	11 Native API	1 Registry Run Keys / Startup Folder	2 Process Injection	1 Masquerading	11 Input Capture	111 Security Software Discovery	Remote Services	1 Screen Capture	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 LSASS Driver	1 Registry Run Keys / Startup Folder	2 Process Injection	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	11 Input Capture	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	1 DLL Side-Loading	1 LSASS Driver	1 Deobfuscate/Decode Files or Information	Security Account Manager	1 Application Window Discovery	SMB/Windows Admin Shares	1 Archive Collected Data	1 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	1 DLL Side-Loading	4 Obfuscated Files or Information	NTDS	2 File and Directory Discovery	Distributed Component Object Model	Input Capture	11 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	12 Software Packing	LSA Secrets	15 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report
S12.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report S12.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Windows Analysis Report
S12.exe