
Analysis Report microsoft.exe

Overview

General Information

Sample Name: microsoft.exe
Analysis ID: 278338
MD5: bfc7596ecd06a9d619dbd482631b0d84
SHA1: 4030ca8acfd762700fa26b31ba1c9f53d5ce4826
SHA256: ea3c89f63b3655bc11eade2ca63df876233538224152115a02901634b457ba2c

Detection

FormBook, GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Detected FormBook malware
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
Yara detected Generic Dropper
Yara detected GuLoader
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Contains functionality to hide a thread from the debugger
Hides threads from debuggers
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect Any.run
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected VB6 Downloader Generic
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • microsoft.exe (PID: 6820 cmdline: 'C:\Users\user\Desktop\microsoft.exe' MD5: BFC7596ECD06A9D619DBD482631B0D84)
    • microsoft.exe (PID: 7064 cmdline: 'C:\Users\user\Desktop\microsoft.exe' MD5: BFC7596ECD06A9D619DBD482631B0D84)
      • explorer.exe (PID: 3368 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • explorer.exe (PID: 6872 cmdline: C:\Windows\SysWOW64\explorer.exe MD5: 166AB1B9462E5C1D6D18EC5EC0B6A5F7)
          • cmd.exe (PID: 6848 cmdline: /c del 'C:\Users\user\Desktop\microsoft.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 6876 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author (matched strings listed beneath each entry)
00000003.00000002.356734126.000000001E280000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000003.00000002.356734126.000000001E280000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x98b8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b22:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x157a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15291:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x158a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x15a1f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa69a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1450c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb393:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1ab17:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1bb1a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000003.00000002.356734126.000000001E280000.00000040.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x18429:$sqlite3step: 68 34 1C 7B E1
  • 0x1853c:$sqlite3step: 68 34 1C 7B E1
  • 0x18458:$sqlite3text: 68 38 2A 90 C5
  • 0x1857d:$sqlite3text: 68 38 2A 90 C5
  • 0x1846b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x18593:$sqlite3blob: 68 53 D8 7F 8C
0000000F.00000002.519634244.0000000003114000.00000004.00000020.sdmp | LokiBot_Dropper_Packed_R11_Feb18 | Auto-generated rule - file scan copy.pdf.r11 | Florian Roth
  • 0x12644:$s1: C:\Program Files (x86)\Microsoft Visual Studio\VB98\VB6.OLB
0000000F.00000002.521659108.0000000003480000.00000004.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: microsoft.exe, Avira: detected
Multi AV Scanner detection for submitted file
Source: microsoft.exe, Virustotal: Detection: 44%
Source: microsoft.exe, ReversingLabs: Detection: 51%
Yara detected FormBook
Source: Yara match, File source: 00000003.00000002.356734126.000000001E280000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 0000000F.00000002.521659108.0000000003480000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 0000000F.00000002.519361078.0000000003020000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 0000000F.00000002.521298545.0000000003430000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000003.00000002.352954874.00000000000A0000.00000040.00000001.sdmp, type: MEMORY
Source: 0.0.microsoft.exe.400000.0.unpack, Avira: Label: TR/Injector.wuyab
Source: 3.0.microsoft.exe.400000.0.unpack, Avira: Label: TR/Injector.wuyab
Source: C:\Windows\SysWOW64\explorer.exe, Code function: 15_2_0302E572 4x nop then pop edi
Source: global traffic, HTTP traffic detected: GET /d2w/?4hLpH4=CPN44o67eahAEmS1z+PXycsvlS2bkGAQYceokC4yvDs6FWTInDJ1X9+EK84T2U0iUPYhD8JCVQ==&GhlpdH=xPGt_6qx HTTP/1.1 Host: www.transunionsucks.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: Joe Sandbox View, ASN Name: ITACE-AS-APItaceInternationalLimitedHK
Source: unknown, DNS traffic detected: queries for: onedrive.live.com
Source: microsoft.exe, 00000003.00000003.308150284.000000000094A000.00000004.00000001.sdmp, String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0=
Source: explorer.exe, 0000000C.00000000.337112447.000000000B156000.00000002.00000001.sdmp, String found in binary or memory: http://fontfabrik.com
Source: microsoft.exe, 00000003.00000003.308067158.0000000000965000.00000004.00000001.sdmp, String found in binary or memory: http://microsoft.co
Source: microsoft.exe, 00000003.00000003.308150284.000000000094A000.00000004.00000001.sdmp, String found in binary or memory: http://mscrl.Z
Source: microsoft.exe, 00000003.00000003.308150284.000000000094A000.00000004.00000001.sdmp, String found in binary or memory: http://ocsp.digicert.com0:
Source: microsoft.exe, 00000003.00000003.308150284.000000000094A000.00000004.00000001.sdmp, String found in binary or memory: http://ocsp.msocsp.com0
Source: explorer.exe, 0000000C.00000000.337112447.000000000B156000.00000002.00000001.sdmp, String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 0000000C.00000000.337112447.000000000B156000.00000002.00000001.sdmp, String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 0000000C.00000000.337112447.000000000B156000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 0000000C.00000000.337112447.000000000B156000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 0000000C.00000000.337112447.000000000B156000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 0000000C.00000000.337112447.000000000B156000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 0000000C.00000000.337112447.000000000B156000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: explorer.exe, 0000000C.00000000.337112447.000000000B156000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 0000000C.00000000.337112447.000000000B156000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 0000000C.00000000.337112447.000000000B156000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 0000000C.00000000.337112447.000000000B156000.00000002.00000001.sdmp, String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 0000000C.00000000.337112447.000000000B156000.00000002.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 0000000C.00000000.337112447.000000000B156000.00000002.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 0000000C.00000000.337112447.000000000B156000.00000002.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 0000000C.00000000.337112447.000000000B156000.00000002.00000001.sdmp, String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 0000000C.00000000.337112447.000000000B156000.00000002.00000001.sdmp, String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 0000000C.00000000.337112447.000000000B156000.00000002.00000001.sdmp, String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 0000000C.00000000.337112447.000000000B156000.00000002.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 0000000C.00000000.337112447.000000000B156000.00000002.00000001.sdmp, String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 0000000C.00000000.337112447.000000000B156000.00000002.00000001.sdmp, String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 0000000C.00000000.337112447.000000000B156000.00000002.00000001.sdmp, String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 0000000C.00000000.337112447.000000000B156000.00000002.00000001.sdmp, String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 0000000C.00000000.337112447.000000000B156000.00000002.00000001.sdmp, String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 0000000C.00000000.337112447.000000000B156000.00000002.00000001.sdmp, String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 0000000C.00000000.337112447.000000000B156000.00000002.00000001.sdmp, String found in binary or memory: http://www.zhongyicts.com.cn
Source: microsoft.exe, 00000003.00000002.353325151.0000000000995000.00000004.00000001.sdmp, String found in binary or memory: https://6lyy0a.am.files.1drv.com/y4mrpAmFXuLrMlicrs_2MxPy0LaI4-OoewYBlymu_OvxOlZgP-5lXyjsNgp7IbARiEI
Source: microsoft.exe, 00000003.00000003.308150284.000000000094A000.00000004.00000001.sdmp, String found in binary or memory: https://6lyy0a.am.files.1drv.com/y4mzLh86WB-vmKkaeSgWfGA76RA5u_Ek1AVK-RhF2AON65at_hvI3yXtzjkU2i-RmCt
Source: explorer.exe, 0000000F.00000002.519347367.0000000002FFA000.00000004.00000001.sdmp, String found in binary or memory: https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2Ll
Source: microsoft.exe, 00000003.00000003.308067158.0000000000965000.00000004.00000001.sdmp, String found in binary or memory: https://onedrive.live.com/download?cid=18579953F243D979&resid=18579953F243D979%21125&authkey=AI1EUE6
Source: microsoft.exe, 00000003.00000003.308150284.000000000094A000.00000004.00000001.sdmp, String found in binary or memory: https://www.digicert.com/CPS0

E-Banking Fraud:

Yara detected FormBook
Source: Yara match, File source: 00000003.00000002.356734126.000000001E280000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 0000000F.00000002.521659108.0000000003480000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 0000000F.00000002.519361078.0000000003020000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 0000000F.00000002.521298545.0000000003430000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000003.00000002.352954874.00000000000A0000.00000040.00000001.sdmp, type: MEMORY

      System Summary:

      barindex
      Detected FormBook malwareShow sources
      Source: C:\Windows\SysWOW64\explorer.exeDropped file: C:\Users\user\AppData\Roaming\O-3BOR15\O-3logri.iniJump to dropped file
      Source: C:\Windows\SysWOW64\explorer.exeDropped file: C:\Users\user\AppData\Roaming\O-3BOR15\O-3logrv.iniJump to dropped file
      Malicious sample detected (through community Yara rule)Show sources
      Source: 00000003.00000002.356734126.000000001E280000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
      Source: 00000003.00000002.356734126.000000001E280000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
      Source: 0000000F.00000002.519634244.0000000003114000.00000004.00000020.sdmp, type: MEMORYMatched rule: Auto-generated rule - file scan copy.pdf.r11 Author: Florian Roth
      Source: 0000000F.00000002.521659108.0000000003480000.00000004.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
      Source: 0000000F.00000002.521659108.0000000003480000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
      Source: 0000000F.00000002.519361078.0000000003020000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
      Source: 0000000F.00000002.519361078.0000000003020000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
      Source: 0000000F.00000002.521298545.0000000003430000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
      Source: 0000000F.00000002.521298545.0000000003430000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
      Source: 0000000F.00000002.526970247.000000000552F000.00000004.00000001.sdmp, type: MEMORYMatched rule: Auto-generated rule - file scan copy.pdf.r11 Author: Florian Roth
      Source: 00000003.00000002.352954874.00000000000A0000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
      Source: 00000003.00000002.352954874.00000000000A0000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
      Source: C:\Users\user\Desktop\microsoft.exeCode function: 0_2_021C9EFE NtResumeThread,0_2_021C9EFE
      Source: C:\Users\user\Desktop\microsoft.exeCode function: 0_2_021C9854 NtProtectVirtualMemory,0_2_021C9854
      Source: C:\Users\user\Desktop\microsoft.exeCode function: 0_2_021C3690 NtWriteVirtualMemory,0_2_021C3690
      Source: C:\Users\user\Desktop\microsoft.exeCode function: 0_2_021C3E8B NtWriteVirtualMemory,0_2_021C3E8B
      Source: C:\Users\user\Desktop\microsoft.exeCode function: 0_2_021C9F0C NtResumeThread,0_2_021C9F0C
      Source: C:\Users\user\Desktop\microsoft.exeCode function: 0_2_021C075D NtSetInformationThread,TerminateProcess,0_2_021C075D
      Source: C:\Users\user\Desktop\microsoft.exeCode function: 0_2_021C376C NtWriteVirtualMemory,0_2_021C376C
      Source: C:\Users\user\Desktop\microsoft.exeCode function: 0_2_021C0762 NtSetInformationThread,TerminateProcess,0_2_021C0762
      Source: C:\Users\user\Desktop\microsoft.exeCode function: 0_2_021C3BDC NtWriteVirtualMemory,0_2_021C3BDC
      Source: C:\Users\user\Desktop\microsoft.exeCode function: 0_2_021C881E NtSetInformationThread,TerminateProcess,0_2_021C881E
      Source: C:\Users\user\Desktop\microsoft.exeCode function: 0_2_021C8454 NtSetInformationThread,TerminateProcess,0_2_021C8454
      Source: C:\Users\user\Desktop\microsoft.exeCode function: 0_2_021C887E NtSetInformationThread,TerminateProcess,0_2_021C887E
      Source: C:\Users\user\Desktop\microsoft.exeCode function: 0_2_021C906A NtWriteVirtualMemory,0_2_021C906A
      Source: C:\Users\user\Desktop\microsoft.exeCode function: 0_2_021C84B9 NtSetInformationThread,TerminateProcess,0_2_021C84B9
      Source: C:\Users\user\Desktop\microsoft.exeCode function: 0_2_021C80B1 NtSetInformationThread,TerminateProcess,0_2_021C80B1
      Source: C:\Users\user\Desktop\microsoft.exeCode function: 0_2_021C791B NtSetInformationThread,TerminateProcess,0_2_021C791B
      Source: C:\Users\user\Desktop\microsoft.exeCode function: 0_2_021C8505 NtSetInformationThread,TerminateProcess,0_2_021C8505
      Source: C:\Users\user\Desktop\microsoft.exeCode function: 0_2_021CA17E NtResumeThread,0_2_021CA17E
      Source: C:\Users\user\Desktop\microsoft.exeCode function: 3_2_1E519A50 NtCreateFile,LdrInitializeThunk,3_2_1E519A50
      Source: C:\Users\user\Desktop\microsoft.exeCode function: 3_2_1E519660 NtAllocateVirtualMemory,LdrInitializeThunk,3_2_1E519660
      Source: C:\Users\user\Desktop\microsoft.exeCode function: 3_2_1E519A00 NtProtectVirtualMemory,LdrInitializeThunk,3_2_1E519A00
      Source: C:\Users\user\Desktop\microsoft.exeCode function: 3_2_1E519A20 NtResumeThread,LdrInitializeThunk,3_2_1E519A20
      Source: C:\Users\user\Desktop\microsoft.exeCode function: 3_2_1E5196E0 NtFreeVirtualMemory,LdrInitializeThunk,3_2_1E5196E0
      Source: C:\Users\user\Desktop\microsoft.exeCode function: 3_2_1E519710 NtQueryInformationToken,LdrInitializeThunk,3_2_1E519710
      Source: C:\Users\user\Desktop\microsoft.exeCode function: 3_2_1E519780 NtMapViewOfSection,LdrInitializeThunk,3_2_1E519780
      Source: C:\Users\user\Desktop\microsoft.exeCode function: 3_2_1E5197A0 NtUnmapViewOfSection,LdrInitializeThunk,3_2_1E5197A0
      Source: C:\Users\user\Desktop\microsoft.exeCode function: 3_2_1E519840 NtDelayExecution,LdrInitializeThunk,3_2_1E519840
      Source: C:\Users\user\Desktop\microsoft.exeCode function: 3_2_1E519860 NtQuerySystemInformation,LdrInitializeThunk,3_2_1E519860
      Source: C:\Users\user\Desktop\microsoft.exeCode function: 3_2_1E5198F0 NtReadVirtualMemory,LdrInitializeThunk,3_2_1E5198F0
      Source: C:\Users\user\Desktop\microsoft.exeCode function: 3_2_1E519540 NtReadFile,LdrInitializeThunk,3_2_1E519540
      Source: C:\Users\user\Desktop\microsoft.exeCode function: 3_2_1E519910 NtAdjustPrivilegesToken,LdrInitializeThunk,3_2_1E519910
      Source: C:\Users\user\Desktop\microsoft.exeCode function: 3_2_1E5195D0 NtClose,LdrInitializeThunk,3_2_1E5195D0
      Source: C:\Users\user\Desktop\microsoft.exeCode function: 3_2_1E5199A0 NtCreateSection,LdrInitializeThunk,3_2_1E5199A0
      Source: C:\Users\user\Desktop\microsoft.exeCode function: 3_2_1E519650 NtQueryValueKey,3_2_1E519650
      Source: C:\Users\user\Desktop\microsoft.exeCode function: 3_2_1E519670 NtQueryInformationProcess,3_2_1E519670
      Source: C:\Users\user\Desktop\microsoft.exeCode function: 3_2_1E519610 NtEnumerateValueKey,3_2_1E519610
      Source: C:\Users\user\Desktop\microsoft.exeCode function: 3_2_1E519A10 NtQuerySection,3_2_1E519A10
      Source: C:\Users\user\Desktop\microsoft.exeCode function: 3_2_1E5196D0 NtCreateKey,3_2_1E5196D0
      Source: C:\Users\user\Desktop\microsoft.exeCode function: 3_2_1E519A80 NtOpenDirectoryObject,3_2_1E519A80
      Source: C:\Users\user\Desktop\microsoft.exeCode function: 3_2_1E519770 NtSetInformationFile,3_2_1E519770
      Source: C:\Users\user\Desktop\microsoft.exeCode function: 3_2_1E51A770 NtOpenThread,3_2_1E51A770
      Source: C:\Users\user\Desktop\microsoft.exeCode function: 3_2_1E519760 NtOpenProcess,3_2_1E519760
      Source: C:\Users\user\Desktop\microsoft.exeCode function: 3_2_1E51A710 NtOpenProcessToken,3_2_1E51A710
      Source: C:\Users\user\Desktop\microsoft.exeCode function: 3_2_1E519B00 NtSetValueKey,3_2_1E519B00
      Source: C:\Users\user\Desktop\microsoft.exeCode function: 3_2_1E519730 NtQueryVirtualMemory,3_2_1E519730
      Source: C:\Users\user\Desktop\microsoft.exeCode function: 3_2_1E519FE0 NtCreateMutant,3_2_1E519FE0
      Source: C:\Users\user\Desktop\microsoft.exeCode function: 3_2_1E51A3B0 NtGetContextThread,3_2_1E51A3B0
      Source: C:\Users\user\Desktop\microsoft.exeCode function: 3_2_1E51B040 NtSuspendThread,3_2_1E51B040
      Source: C:\Users\user\Desktop\microsoft.exeCode function: 3_2_1E519820 NtEnumerateKey,3_2_1E519820
      Source: C:\Users\user\Desktop\microsoft.exeCode function: 3_2_1E5198A0 NtWriteVirtualMemory,3_2_1E5198A0
      Source: C:\Users\user\Desktop\microsoft.exeCode function: 3_2_1E519950 NtQueueApcThread,3_2_1E519950
      Source: C:\Users\user\Desktop\microsoft.exeCode function: 3_2_1E519560 NtWriteFile,3_2_1E519560
      Source: C:\Users\user\Desktop\microsoft.exeCode function: 3_2_1E51AD30 NtSetContextThread,3_2_1E51AD30
      Source: C:\Users\user\Desktop\microsoft.exeCode function: 3_2_1E519520 NtWaitForSingleObject,3_2_1E519520
      Source: C:\Users\user\Desktop\microsoft.exeCode function: 3_2_1E5199D0 NtCreateProcessEx,3_2_1E5199D0
      Source: C:\Users\user\Desktop\microsoft.exeCode function: 3_2_1E5195F0 NtQueryInformationFile,3_2_1E5195F0
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 15_2_05069910 NtAdjustPrivilegesToken,LdrInitializeThunk,15_2_05069910
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 15_2_05069540 NtReadFile,LdrInitializeThunk,15_2_05069540
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 15_2_05069560 NtWriteFile,LdrInitializeThunk,15_2_05069560
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 15_2_050699A0 NtCreateSection,LdrInitializeThunk,15_2_050699A0
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 15_2_050695D0 NtClose,LdrInitializeThunk,15_2_050695D0
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 15_2_05069840 NtDelayExecution,LdrInitializeThunk,15_2_05069840
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 15_2_05069860 NtQuerySystemInformation,LdrInitializeThunk,15_2_05069860
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 15_2_05069B00 NtSetValueKey,LdrInitializeThunk,15_2_05069B00
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 15_2_05069710 NtQueryInformationToken,LdrInitializeThunk,15_2_05069710
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 15_2_05069770 NtSetInformationFile,LdrInitializeThunk,15_2_05069770
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 15_2_05069780 NtMapViewOfSection,LdrInitializeThunk,15_2_05069780
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 15_2_05069FE0 NtCreateMutant,LdrInitializeThunk,15_2_05069FE0
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 15_2_05069610 NtEnumerateValueKey,LdrInitializeThunk,15_2_05069610
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 15_2_05069650 NtQueryValueKey,LdrInitializeThunk,15_2_05069650
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 15_2_05069A50 NtCreateFile,LdrInitializeThunk,15_2_05069A50
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 15_2_05069660 NtAllocateVirtualMemory,LdrInitializeThunk,15_2_05069660
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 15_2_050696D0 NtCreateKey,LdrInitializeThunk,15_2_050696D0
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 15_2_050696E0 NtFreeVirtualMemory,LdrInitializeThunk,15_2_050696E0
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 15_2_05069520 NtWaitForSingleObject,15_2_05069520
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 15_2_0506AD30 NtSetContextThread,15_2_0506AD30
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 15_2_05069950 NtQueueApcThread,15_2_05069950
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 15_2_050699D0 NtCreateProcessEx,15_2_050699D0
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 15_2_050695F0 NtQueryInformationFile,15_2_050695F0
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 15_2_05069820 NtEnumerateKey,15_2_05069820
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 15_2_0506B040 NtSuspendThread,15_2_0506B040
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 15_2_050698A0 NtWriteVirtualMemory,15_2_050698A0
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 15_2_050698F0 NtReadVirtualMemory,15_2_050698F0
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 15_2_0506A710 NtOpenProcessToken,15_2_0506A710
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 15_2_05069730 NtQueryVirtualMemory,15_2_05069730
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 15_2_05069760 NtOpenProcess,15_2_05069760
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 15_2_0506A770 NtOpenThread,15_2_0506A770
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 15_2_050697A0 NtUnmapViewOfSection,15_2_050697A0
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 15_2_0506A3B0 NtGetContextThread,15_2_0506A3B0
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 15_2_05069A00 NtProtectVirtualMemory,15_2_05069A00
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 15_2_05069A10 NtQuerySection,15_2_05069A10
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 15_2_05069A20 NtResumeThread,15_2_05069A20
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 15_2_05069670 NtQueryInformationProcess,15_2_05069670
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 15_2_05069A80 NtOpenDirectoryObject,15_2_05069A80
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 15_2_03039A10 NtAllocateVirtualMemory,15_2_03039A10
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 15_2_03039960 NtClose,15_2_03039960
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 15_2_03039830 NtCreateFile,15_2_03039830
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 15_2_030398E0 NtReadFile,15_2_030398E0
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 15_2_03039A0A NtAllocateVirtualMemory,15_2_03039A0A
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 15_2_0303995A NtClose,15_2_0303995A
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 15_2_0303982C NtCreateFile,15_2_0303982C
      Source: C:\Windows\SysWOW64\explorer.exeCode function: 15_2_030398DA NtReadFile,15_2_030398DA
      Source: C:\Users\user\Desktop\microsoft.exeCode function: 0_2_00401F3F0_2_00401F3F
      Source: C:\Users\user\Desktop\microsoft.exeCode function: 0_2_021C4AB30_2_021C4AB3
      Source: C:\Users\user\Desktop\microsoft.exeCode function: 0_2_021C1AD40_2_021C1AD4
      Source: C:\Users\user\Desktop\microsoft.exeCode function: 0_2_021C46C60_2_021C46C6
      Source: C:\Users\user\Desktop\microsoft.exeCode function: 0_2_021C46E20_2_021C46E2
      Source: C:\Users\user\Desktop\microsoft.exeCode function: 0_2_021C031E0_2_021C031E
      Source: C:\Users\user\Desktop\microsoft.exeCode function: 0_2_021C17190_2_021C1719
      Source: C:\Users\user\Desktop\microsoft.exeCode function: 0_2_021C9F0C0_2_021C9F0C
      Source: C:\Users\user\Desktop\microsoft.exeCode function: 0_2_021C0F090_2_021C0F09
      Source: C:\Users\user\Desktop\microsoft.exeCode function: 0_2_021C6F090_2_021C6F09
      Source: C:\Users\user\Desktop\microsoft.exeCode function: 0_2_021C1F0A0_2_021C1F0A
      Source: C:\Users\user\Desktop\microsoft.exeCode function: 0_2_021C233C0_2_021C233C
      Source: C:\Users\user\Desktop\microsoft.exeCode function: 0_2_021C27350_2_021C2735
      Source: C:\Users\user\Desktop\microsoft.exeCode function: 0_2_021C332C0_2_021C332C
      Source: C:\Users\user\Desktop\microsoft.exeCode function: 0_2_021C2F280_2_021C2F28
      Source: C:\Users\user\Desktop\microsoft.exeCode function: 0_2_021C0B490_2_021C0B49
      Source: C:\Users\user\Desktop\microsoft.exeCode function: 0_2_021C2B440_2_021C2B44
      Source: C:\Users\user\Desktop\microsoft.exeCode function: 0_2_021C376C0_2_021C376C
      Source: C:\Users\user\Desktop\microsoft.exe | Code function: 0_2_021C0762
      Source: C:\Users\user\Desktop\microsoft.exe | Code function: 0_2_021C43B4
      Source: C:\Users\user\Desktop\microsoft.exe | Code function: 0_2_021C3BDC
      Source: C:\Users\user\Desktop\microsoft.exe | Code function: 0_2_021C906A
      Source: C:\Users\user\Desktop\microsoft.exe | Code function: 0_2_021C4C85
      Source: C:\Users\user\Desktop\microsoft.exe | Code function: 0_2_021C0080
      Source: C:\Users\user\Desktop\microsoft.exe | Code function: 0_2_021C9C80
      Source: C:\Users\user\Desktop\microsoft.exe | Code function: 0_2_021C94E6
      Source: C:\Users\user\Desktop\microsoft.exe | Code function: 0_2_021CA51D
      Source: C:\Users\user\Desktop\microsoft.exe | Code function: 0_2_021C853D
      Source: C:\Users\user\Desktop\microsoft.exe | Code function: 0_2_021C8D2C
      Source: C:\Users\user\Desktop\microsoft.exe | Code function: 0_2_021CA17E
      Source: C:\Users\user\Desktop\microsoft.exe | Code function: 0_2_021C8984
      Source: C:\Users\user\Desktop\microsoft.exe | Code function: 0_2_021C79BD
      Source: C:\Users\user\Desktop\microsoft.exe | Code function: 0_2_021C7DA4
      Source: C:\Users\user\Desktop\microsoft.exe | Code function: 0_2_021C75D0
      Source: C:\Users\user\Desktop\microsoft.exe | Code function: 0_2_021C81C9
      Source: C:\Users\user\Desktop\microsoft.exe | Code function: 0_2_021C71F4
      Source: C:\Users\user\Desktop\microsoft.exe | Code function: 3_2_1E4F6E30
      Source: C:\Users\user\Desktop\microsoft.exe | Code function: 3_2_1E5A2EF7
      Source: C:\Users\user\Desktop\microsoft.exe | Code function: 3_2_1E5A22AE
      Source: C:\Users\user\Desktop\microsoft.exe | Code function: 3_2_1E5A2B28
      Source: C:\Users\user\Desktop\microsoft.exe | Code function: 3_2_1E5A1FF1
      Source: C:\Users\user\Desktop\microsoft.exe | Code function: 3_2_1E50EBB0
      Source: C:\Users\user\Desktop\microsoft.exe | Code function: 3_2_1E4E841F
      Source: C:\Users\user\Desktop\microsoft.exe | Code function: 3_2_1E591002
      Source: C:\Users\user\Desktop\microsoft.exe | Code function: 3_2_1E4EB090
      Source: C:\Users\user\Desktop\microsoft.exe | Code function: 3_2_1E5020A0
      Source: C:\Users\user\Desktop\microsoft.exe | Code function: 3_2_1E5A20A8
      Source: C:\Users\user\Desktop\microsoft.exe | Code function: 3_2_1E5A1D55
      Source: C:\Users\user\Desktop\microsoft.exe | Code function: 3_2_1E4DF900
      Source: C:\Users\user\Desktop\microsoft.exe | Code function: 3_2_1E5A2D07
      Source: C:\Users\user\Desktop\microsoft.exe | Code function: 3_2_1E4D0D20
      Source: C:\Users\user\Desktop\microsoft.exe | Code function: 3_2_1E4F4120
      Source: C:\Users\user\Desktop\microsoft.exe | Code function: 3_2_1E4ED5E0
      Source: C:\Users\user\Desktop\microsoft.exe | Code function: 3_2_1E502581
      Source: C:\Windows\SysWOW64\explorer.exe | Code function: 15_2_0502F900
      Source: C:\Windows\SysWOW64\explorer.exe | Code function: 15_2_05020D20
      Source: C:\Windows\SysWOW64\explorer.exe | Code function: 15_2_05044120
      Source: C:\Windows\SysWOW64\explorer.exe | Code function: 15_2_050F1D55
      Source: C:\Windows\SysWOW64\explorer.exe | Code function: 15_2_0503D5E0
      Source: C:\Windows\SysWOW64\explorer.exe | Code function: 15_2_050E1002
      Source: C:\Windows\SysWOW64\explorer.exe | Code function: 15_2_0503841F
      Source: C:\Windows\SysWOW64\explorer.exe | Code function: 15_2_0503B090
      Source: C:\Windows\SysWOW64\explorer.exe | Code function: 15_2_0505EBB0
      Source: C:\Windows\SysWOW64\explorer.exe | Code function: 15_2_05046E30
      Source: C:\Windows\SysWOW64\explorer.exe | Code function: 15_2_0303D9A8
      Source: C:\Windows\SysWOW64\explorer.exe | Code function: 15_2_03029F5B
      Source: C:\Windows\SysWOW64\explorer.exe | Code function: 15_2_03029F60
      Source: C:\Windows\SysWOW64\explorer.exe | Code function: 15_2_03022FB0
      Source: C:\Windows\SysWOW64\explorer.exe | Code function: 15_2_0303DD7F
      Source: C:\Windows\SysWOW64\explorer.exe | Code function: 15_2_03022D87
      Source: C:\Windows\SysWOW64\explorer.exe | Code function: 15_2_03022D90
      Source: C:\Windows\SysWOW64\explorer.exe | Code function: String function: 0502B150 appears 32 times
      Source: C:\Users\user\Desktop\microsoft.exe | Code function: String function: 1E4DB150 appears 35 times
      Note: every explorer.exe function in the 0502xxxx-050Fxxxx range above shares its low 16 bits with a microsoft.exe (PID 3) function in the 1E4Dxxxx-1E5Axxxx range (0502F900 vs 1E4DF900, 0503841F vs 1E4E841F, 0502B150 vs 1E4DB150, and so on; the bases differ by a constant 0x194B0000). That is the same code mapped at a second base, consistent with the "Maps a DLL or memory area into another process" signature: the payload running in microsoft.exe was copied into explorer.exe.
      Source: microsoft.exe, 00000000.00000002.276356252.000000000041B000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameGRAL.exe vs microsoft.exe
      Source: microsoft.exe, 00000000.00000002.276638896.0000000002090000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameuser32j% vs microsoft.exe
      Source: microsoft.exe, 00000003.00000000.273685725.000000000041B000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameGRAL.exe vs microsoft.exe
      Source: microsoft.exe, 00000003.00000002.356602257.000000001DD70000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemswsock.dll.muij% vs microsoft.exe
      Source: microsoft.exe, 00000003.00000002.357358321.000000001E75F000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs microsoft.exe
      Source: microsoft.exe, 00000003.00000002.360875752.000000001EC1F000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenameEXPLORER.EXEj% vs microsoft.exe
      Source: microsoft.exe, 00000003.00000002.356656900.000000001DEE0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameCRYPT32.DLL.MUIj% vs microsoft.exe
      Source: microsoft.exe | Binary or memory string: OriginalFilenameGRAL.exe vs microsoft.exe
      Source: 00000003.00000002.356734126.000000001E280000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
      Source: 00000003.00000002.356734126.000000001E280000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
      Source: 0000000F.00000002.519634244.0000000003114000.00000004.00000020.sdmp, type: MEMORY | Matched rule: LokiBot_Dropper_Packed_R11_Feb18 date = 2018-02-14, hash1 = 3b248d40fd7acb839cc592def1ed7652734e0e5ef93368be3c36c042883a3029, author = Florian Roth, description = Auto-generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 0000000F.00000002.521659108.0000000003480000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
      Source: 0000000F.00000002.521659108.0000000003480000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
      Source: 0000000F.00000002.519361078.0000000003020000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
      Source: 0000000F.00000002.519361078.0000000003020000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
      Source: 0000000F.00000002.521298545.0000000003430000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
      Source: 0000000F.00000002.521298545.0000000003430000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
      Source: 0000000F.00000002.526970247.000000000552F000.00000004.00000001.sdmp, type: MEMORY | Matched rule: LokiBot_Dropper_Packed_R11_Feb18 date = 2018-02-14, hash1 = 3b248d40fd7acb839cc592def1ed7652734e0e5ef93368be3c36c042883a3029, author = Florian Roth, description = Auto-generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 00000003.00000002.352954874.00000000000A0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
      Source: 00000003.00000002.352954874.00000000000A0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
      Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@7/3@11/2
      Source: C:\Windows\SysWOW64\explorer.exe | File created: C:\Users\user\AppData\Roaming\O-3BOR15
      Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6876:120:WilError_01
      Source: C:\Users\user\Desktop\microsoft.exe | File created: C:\Users\user~1\AppData\Local\Temp\~DF1134D85D8FA000D4.TMP
      Source: unknown | Process created: C:\Windows\SysWOW64\explorer.exe
      Source: microsoft.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
      Source: C:\Users\user\Desktop\microsoft.exe | Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
      Source: C:\Users\user\Desktop\microsoft.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
      Source: C:\Users\user\Desktop\microsoft.exe | File read: C:\Windows\System32\drivers\etc\hosts (4 times)
      Source: C:\Windows\explorer.exe | File read: C:\Windows\System32\drivers\etc\hosts (2 times)
      Source: C:\Windows\SysWOW64\explorer.exe | File read: C:\Windows\System32\drivers\etc\hosts
      Source: microsoft.exe | Virustotal: Detection: 44%
      Source: microsoft.exe | ReversingLabs: Detection: 51%
      Source: unknown | Process created: C:\Users\user\Desktop\microsoft.exe 'C:\Users\user\Desktop\microsoft.exe'
      Source: unknown | Process created: C:\Users\user\Desktop\microsoft.exe 'C:\Users\user\Desktop\microsoft.exe'
      Source: unknown | Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
      Source: unknown | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\microsoft.exe'
      Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Users\user\Desktop\microsoft.exe | Process created: C:\Users\user\Desktop\microsoft.exe 'C:\Users\user\Desktop\microsoft.exe'
      Source: C:\Windows\SysWOW64\explorer.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\microsoft.exe'
      Source: C:\Windows\SysWOW64\explorer.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3C374A40-BAE4-11CF-BF7D-00AA006946EE}\InProcServer32
      Source: C:\Windows\SysWOW64\explorer.exe | File written: C:\Users\user\AppData\Roaming\O-3BOR15\O-3logri.ini
      Source: Window Recorder | Window detected: More than 3 window changes detected
      Source: C:\Windows\SysWOW64\explorer.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
      Source: Binary string: explorer.pdbUGP | source: microsoft.exe, 00000003.00000002.357572793.000000001E8E0000.00000040.00000001.sdmp
      Source: Binary string: wscui.pdbUGP | source: explorer.exe, 0000000C.00000000.339768429.000000000E7C0000.00000002.00000001.sdmp
      Source: Binary string: wntdll.pdbUGP | source: microsoft.exe, 00000003.00000002.356910478.000000001E4B0000.00000040.00000001.sdmp, explorer.exe, 0000000F.00000002.525021471.000000000511F000.00000040.00000001.sdmp
      Source: Binary string: wntdll.pdb | source: microsoft.exe, explorer.exe
      Source: Binary string: explorer.pdb | source: microsoft.exe, 00000003.00000002.357572793.000000001E8E0000.00000040.00000001.sdmp
      Source: Binary string: wscui.pdb | source: explorer.exe, 0000000C.00000000.339768429.000000000E7C0000.00000002.00000001.sdmp

      Data Obfuscation:

      Yara detected GuLoader
      Source: Yara match | File source: 00000003.00000002.352999167.0000000000560000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: Process Memory Space: microsoft.exe PID: 7064, type: MEMORY
      Source: Yara match | File source: Process Memory Space: microsoft.exe PID: 6820, type: MEMORY
      Yara detected VB6 Downloader Generic
      Source: Yara match | File source: Process Memory Space: microsoft.exe PID: 7064, type: MEMORY
      Source: Yara match | File source: Process Memory Space: microsoft.exe PID: 6820, type: MEMORY
      Source: C:\Users\user\Desktop\microsoft.exe | Code function: 0_2_00401F3F push es; iretd (0_2_00402F72)
      Source: C:\Users\user\Desktop\microsoft.exe | Code function: 0_2_00405C4C push 68680E46h; ret (0_2_00405C5B)
      Source: C:\Users\user\Desktop\microsoft.exe | Code function: 0_2_00408C59 push 7FF930ADh; retf (0_2_00408C63)
      Source: C:\Users\user\Desktop\microsoft.exe | Code function: 0_2_00409C5D push edx; iretd (0_2_00409C6C)
      Source: C:\Users\user\Desktop\microsoft.exe | Code function: 0_2_0040B863 push edx; iretd (0_2_0040B868)
      Source: C:\Users\user\Desktop\microsoft.exe | Code function: 0_2_0040843B push eax; iretd (0_2_00408448)
      Source: C:\Users\user\Desktop\microsoft.exe | Code function: 0_2_00409CF4 push 00000033h; retf (0_2_00409D0F)
      Source: C:\Users\user\Desktop\microsoft.exe | Code function: 0_2_00409C82 push edx; iretd (0_2_00409CB4)
      Source: C:\Users\user\Desktop\microsoft.exe | Code function: 0_2_00409CA4 push edx; iretd (0_2_00409CB4)
      Source: C:\Users\user\Desktop\microsoft.exe | Code function: 0_2_0040995D push edx; iretd (0_2_00409CB4)
      Source: C:\Users\user\Desktop\microsoft.exe | Code function: 0_2_00409D5D push edx; iretd (0_2_00409D60)
      Source: C:\Users\user\Desktop\microsoft.exe | Code function: 0_2_00409D10 push ebp; iretd (0_2_00409D20)
      Source: C:\Users\user\Desktop\microsoft.exe | Code function: 0_2_0040A1CA push 979630ADh; retf (0_2_0040A1CF)
      Source: C:\Users\user\Desktop\microsoft.exe | Code function: 0_2_0040F1DB push edx; iretd (0_2_0040F1DC)
      Source: C:\Users\user\Desktop\microsoft.exe | Code function: 0_2_0040FDEB pushad ; iretd (0_2_0040FDEC)
      Source: C:\Users\user\Desktop\microsoft.exe | Code function: 0_2_0040F1ED push edx; iretd (0_2_0040F1F4)
      Source: C:\Users\user\Desktop\microsoft.exe | Code function: 0_2_00409984 push edx; iretd (0_2_0040999C)
      Source: C:\Users\user\Desktop\microsoft.exe | Code function: 0_2_0040FDA9 push edx; iretd (0_2_0040FDC4)
      Source: C:\Users\user\Desktop\microsoft.exe | Code function: 0_2_004099B0 push edx; iretd (0_2_00409CB4)
      Source: C:\Users\user\Desktop\microsoft.exe | Code function: 0_2_00409DB2 push ecx; iretw (0_2_00409DB3)
      Source: C:\Users\user\Desktop\microsoft.exe | Code function: 0_2_0040E256 push edx; iretd (0_2_0040E218)
      Source: C:\Users\user\Desktop\microsoft.exe | Code function: 0_2_0040EE7B push edx; iretd (0_2_0040EE7C)
      Source: C:\Users\user\Desktop\microsoft.exe | Code function: 0_2_0040DE0D push edx; iretd (0_2_0040DE20)
      Source: C:\Users\user\Desktop\microsoft.exe | Code function: 0_2_0040FA27 push edx; iretd (0_2_0040FA28)
      Source: C:\Users\user\Desktop\microsoft.exe | Code function: 0_2_0040E236 push edx; iretd (0_2_0040E248)
      Source: C:\Users\user\Desktop\microsoft.exe | Code function: 0_2_0040B23A push edx; iretd (0_2_0040B240)
      Source: C:\Users\user\Desktop\microsoft.exe | Code function: 0_2_0040D6D1 push edx; iretd (0_2_0040D6E4)
      Source: C:\Users\user\Desktop\microsoft.exe | Code function: 0_2_0040CA8C push 681AF2ADh; retf (0_2_0040CA93)
      Source: C:\Users\user\Desktop\microsoft.exe | Code function: 0_2_0040FB06 push 709956ADh; retf (0_2_0040FB0B)
      Source: C:\Users\user\Desktop\microsoft.exe | Code function: 0_2_0040EF0F push edx; iretd (0_2_0040EF10)
      Source: C:\Users\user\Desktop\microsoft.exe | Code function: 0_2_0040DF3A push edx; iretd (0_2_0040E218)

      Hooking and other Techniques for Hiding and Protection:

      Modifies the prolog of user mode functions (user mode inline hooks)
      Source: explorer.exe | User mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x84 0x43 0x36
      Source: C:\Users\user\Desktop\microsoft.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
      Source: C:\Users\user\Desktop\microsoft.exe | Process information set: NOOPENFILEERRORBOX (5 times)
      Source: C:\Windows\SysWOW64\explorer.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX (5 times)

      Malware Analysis System Evasion:

      Contains functionality to detect hardware virtualization (CPUID execution measurement)
      Source: C:\Users\user\Desktop\microsoft.exe | Code function: 0_2_021C887E NtSetInformationThread,TerminateProcess
      Tries to detect Any.run
      Source: C:\Users\user\Desktop\microsoft.exe | File opened: C:\Program Files\Qemu-ga\qemu-ga.exe (2 times)
      Source: C:\Users\user\Desktop\microsoft.exe | File opened: C:\Program Files\qga\qga.exe (2 times)
      Tries to detect virtualization through RDTSC time measurements
      Source: C:\Users\user\Desktop\microsoft.exe | RDTSC instruction interceptor: First address: 00000000021C0E71 second address: 00000000021C0E71 instructions:
          0x00000000 rdtsc
          0x00000002 popad
          0x00000003 cmp eax, 053914D4h
          0x00000008 je 00007FE6CCAB9274h
          0x0000000e cmp ax, 0000C09Eh
          0x00000012 cmp eax, 05818DB2h
          0x00000017 je 00007FE6CCAB9265h
          0x0000001d fnop
          0x0000001f cmp eax, F852F882h
          0x00000024 je 00007FE6CCAB9258h
          0x0000002a cmp ecx, 00000000h
          0x0000002d jne 00007FE6CCAB1411h
          0x00000033 dec ecx
          0x00000034 push ecx
          0x00000035 push edi
          0x00000036 cld
          0x00000037 add dword ptr [esp], ecx
          0x0000003a call 00007FE6CCAB82C7h
          0x0000003f mov esi, dword ptr [esp+04h]
          0x00000043 test bx, cx
          0x00000046 mov eax, 00001505h
          0x0000004b cmp edx, ebx
          0x0000004d cmp byte ptr [esi], FFFFFFA4h
          0x00000050 jnc 00007FE6CCAB14BDh
          0x00000052 mov ebx, eax
          0x00000054 shl eax, 05h
          0x00000057 test bl, FFFFFFEEh
          0x0000005a add eax, ebx
          0x0000005c movzx ecx, byte ptr [esi]
          0x0000005f add eax, ecx
          0x00000061 inc esi
          0x00000062 cmp byte ptr [esi], 00000000h
          0x00000065 jne 00007FE6CCAB1478h
          0x00000067 retn 0004h
          0x0000006a pop ecx
          0x0000006b test ax, bx
          0x0000006e mov esi, 00000000h
          0x00000073 cmp esi, 01h
          0x00000076 jne 00007FE6CCAB14B9h
          0x00000078 cmp eax, 0B8814DEh
          0x0000007d je 00007FE6CCAB9288h
          0x00000083 pushad
          0x00000084 mov edi, 000000A2h
          0x00000089 rdtsc
      Source: C:\Users\user\Desktop\microsoft.exe | RDTSC instruction interceptor: First address: 0000000000560E71 second address: 0000000000560E71 instructions:
          0x00000000 rdtsc
          0x00000002 popad
          0x00000003 cmp eax, 053914D4h
          0x00000008 je 00007FE6CCD67674h
          0x0000000e cmp ax, 0000C09Eh
          0x00000012 cmp eax, 05818DB2h
          0x00000017 je 00007FE6CCD67665h
          0x0000001d fnop
          0x0000001f cmp eax, F852F882h
          0x00000024 je 00007FE6CCD67658h
          0x0000002a cmp ecx, 00000000h
          0x0000002d jne 00007FE6CCD5F811h
          0x00000033 dec ecx
          0x00000034 push ecx
          0x00000035 push edi
          0x00000036 cld
          0x00000037 add dword ptr [esp], ecx
          0x0000003a call 00007FE6CCD666C7h
          0x0000003f mov esi, dword ptr [esp+04h]
          0x00000043 test bx, cx
          0x00000046 mov eax, 00001505h
          0x0000004b cmp edx, ebx
          0x0000004d cmp byte ptr [esi], FFFFFFA4h
          0x00000050 jnc 00007FE6CCD5F8BDh
          0x00000052 mov ebx, eax
          0x00000054 shl eax, 05h
          0x00000057 test bl, FFFFFFEEh
          0x0000005a add eax, ebx
          0x0000005c movzx ecx, byte ptr [esi]
          0x0000005f add eax, ecx
          0x00000061 inc esi
          0x00000062 cmp byte ptr [esi], 00000000h
          0x00000065 jne 00007FE6CCD5F878h
          0x00000067 retn 0004h
          0x0000006a pop ecx
          0x0000006b test ax, bx
          0x0000006e mov esi, 00000000h
          0x00000073 cmp esi, 01h
          0x00000076 jne 00007FE6CCD5F8B9h
          0x00000078 cmp eax, 0B8814DEh
          0x0000007d je 00007FE6CCD67688h
          0x00000083 pushad
          0x00000084 mov edi, 000000A2h
          0x00000089 rdtsc
      Source: C:\Users\user\Desktop\microsoft.exe | RDTSC instruction interceptor: First address: 00000000004098B4 second address: 00000000004098BA instructions:
          0x00000000 rdtsc
          0x00000002 xor ecx, ecx
          0x00000004 add ecx, eax
          0x00000006 rdtsc
      Source: C:\Users\user\Desktop\microsoft.exe | RDTSC instruction interceptor: First address: 0000000000409B1E second address: 0000000000409B24 instructions:
          0x00000000 rdtsc
          0x00000002 xor ecx, ecx
          0x00000004 add ecx, eax
          0x00000006 rdtsc
      Source: C:\Windows\SysWOW64\explorer.exe | RDTSC instruction interceptor: First address: 00000000030298B4 second address: 00000000030298BA instructions:
          0x00000000 rdtsc
          0x00000002 xor ecx, ecx
          0x00000004 add ecx, eax
          0x00000006 rdtsc
      Source: C:\Windows\SysWOW64\explorer.exe | RDTSC instruction interceptor: First address: 0000000003029B1E second address: 0000000003029B24 instructions:
          0x00000000 rdtsc
          0x00000002 xor ecx, ecx
          0x00000004 add ecx, eax
          0x00000006 rdtsc
      Source: C:\Users\user\Desktop\microsoft.exe | Code function: 0_2_021C3690 rdtsc
      Source: C:\Users\user\Desktop\microsoft.exe TID: 6856 | Thread sleep count: 188 > 30
      Source: C:\Windows\SysWOW64\explorer.exe TID: 2476 | Thread sleep time: -35000s >= -30000s
      Source: microsoft.exe, 00000000.00000002.297158854.000000000524A000.00000004.00000001.sdmp, microsoft.exe, 00000003.00000002.353428327.00000000024EA000.00000004.00000001.sdmp | Binary or memory string: Hyper-V Guest Shutdown Service
      Source: explorer.exe, 0000000C.00000000.336161611.0000000008142000.00000004.00000001.sdmp | Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
      Source: microsoft.exe, 00000000.00000002.297158854.000000000524A000.00000004.00000001.sdmp, microsoft.exe, 00000003.00000002.353428327.00000000024EA000.00000004.00000001.sdmp | Binary or memory string: Hyper-V Remote Desktop Virtualization Service
      Source: explorer.exe, 0000000C.00000000.333996001.0000000007AB0000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
      Source: explorer.exe, 0000000C.00000000.336621060.00000000082D9000.00000004.00000001.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
      Source: microsoft.exe, 00000003.00000002.353428327.00000000024EA000.00000004.00000001.sdmp | Binary or memory string: vmicshutdown
      Source: microsoft.exe, 00000000.00000002.297158854.000000000524A000.00000004.00000001.sdmp, microsoft.exe, 00000003.00000002.353428327.00000000024EA000.00000004.00000001.sdmp | Binary or memory string: Hyper-V Volume Shadow Copy Requestor
      Source: explorer.exe, 0000000C.00000000.329864450.0000000005EB0000.00000004.00000001.sdmp | Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
      Source: microsoft.exe, 00000000.00000002.297158854.000000000524A000.00000004.00000001.sdmp, microsoft.exe, 00000003.00000002.353428327.00000000024EA000.00000004.00000001.sdmp | Binary or memory string: Hyper-V PowerShell Direct Service
      Source: microsoft.exe, 00000000.00000002.297158854.000000000524A000.00000004.00000001.sdmp, microsoft.exe, 00000003.00000002.353428327.00000000024EA000.00000004.00000001.sdmp | Binary or memory string: Hyper-V Time Synchronization Service
      Source: microsoft.exe, 00000003.00000002.353428327.00000000024EA000.00000004.00000001.sdmp | Binary or memory string: vmicvss
      Source: microsoft.exe, 00000003.00000003.308150284.000000000094A000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW
      Source: explorer.exe, 0000000C.00000000.336161611.0000000008142000.00000004.00000001.sdmp | Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
      Source: explorer.exe, 0000000C.00000000.333996001.0000000007AB0000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
      Source: microsoft.exe, 00000000.00000002.276791651.00000000021C0000.00000040.00000001.sdmp, microsoft.exe, 00000003.00000002.352999167.0000000000560000.00000040.00000001.sdmp | Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
      Source: explorer.exe, 0000000C.00000000.333996001.0000000007AB0000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
      Source: microsoft.exe, 00000000.00000002.297158854.000000000524A000.00000004.00000001.sdmp, microsoft.exe, 00000003.00000002.353428327.00000000024EA000.00000004.00000001.sdmp | Binary or memory string: Hyper-V Data Exchange Service
      Source: microsoft.exe, 00000000.00000002.297158854.000000000524A000.00000004.00000001.sdmp, microsoft.exe, 00000003.00000002.353428327.00000000024EA000.00000004.00000001.sdmp | Binary or memory string: Hyper-V Heartbeat Service
      Source: microsoft.exe, 00000000.00000002.297158854.000000000524A000.00000004.00000001.sdmp, microsoft.exe, 00000003.00000002.353428327.00000000024EA000.00000004.00000001.sdmp | Binary or memory string: Hyper-V Guest Service Interface
      Source: explorer.exe, 0000000C.00000000.336161611.0000000008142000.00000004.00000001.sdmp | Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
      Source: microsoft.exe, 00000003.00000002.353428327.00000000024EA000.00000004.00000001.sdmp | Binary or memory string: vmicheartbeat
      Source: explorer.exe, 0000000C.00000000.333996001.0000000007AB0000.00000002.00000001.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
      Source: C:\Users\user\Desktop\microsoft.exe | Process information queried: ProcessInformation
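      The two long RDTSC interceptor listings above (base 021C0E71 in PID 0, the same code relocated to 00560E71 in PID 3) are more than a timing probe: between the pushad/rdtsc and rdtsc/popad frame, the code at offsets 0x46-0x65 seeds eax with 1505h and then, for every byte of a NUL-terminated string at esi, does eax = (eax << 5) + eax + byte, i.e. eax = eax*33 + byte. Seed 5381 with a multiply-by-33 step is the djb2 string hash, and the result is compared against four constants (053914D4h, 05818DB2h, F852F882h, 0B8814DEh) with a conditional branch on each. The strings being hashed are not shown on this page. The following C program is an added example, not code from the sample or from the report: it re-implements that loop and checks a list of candidate names against the four constants. The candidate list is an assumption made here for illustration; a match would need to be confirmed by dumping the strings the loop actually walks at runtime.

```c
/* Added example (not the sample's code): the string hash captured in the
 * RDTSC interceptor listing, seed 0x1505 and h = h*33 + byte until NUL,
 * which is djb2. Compile: cc -std=c99 -O2 djb2_probe.c */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* djb2 exactly as the captured loop computes it, with 32-bit wraparound. */
uint32_t djb2(const char *s) {
    uint32_t h = 0x1505u;                          /* mov eax, 00001505h          */
    for (const unsigned char *p = (const unsigned char *)s; *p; p++) {
        uint32_t prev = h;                         /* mov ebx, eax                */
        h = (h << 5) + prev;                       /* shl eax, 5 ; add eax, ebx   */
        h += *p;                                   /* movzx ecx, [esi]; add eax, ecx */
    }                                              /* inc esi ; cmp [esi], 0 ; jne */
    return h;
}

/* The four constants the captured code compares eax against after hashing. */
static const uint32_t targets[] = { 0x053914D4u, 0x05818DB2u, 0xF852F882u, 0x0B8814DEu };

/* Hashes each candidate and records those whose djb2 value equals one of the
 * targets (at most max entries written to out). Returns the number of hits. */
int match_candidates(const char *const *cands, int n, const char **out, int max) {
    int found = 0;
    for (int i = 0; i < n; i++) {
        uint32_t h = djb2(cands[i]);
        for (size_t t = 0; t < sizeof targets / sizeof targets[0]; t++) {
            if (h == targets[t] && found < max) out[found++] = cands[i];
        }
    }
    return found;
}

int main(void) {
    /* Constructed candidate list (assumption): module names that sandbox and
     * analysis-tool checks commonly look for. None of these is claimed by the
     * report to be what the sample compares. */
    static const char *const cands[] = {
        "sbiedll.dll", "SbieDll.dll", "dbghelp.dll", "api_log.dll", "dir_watch.dll",
        "vmcheck.dll", "cmdvrt32.dll", "snxhk.dll", "wpespy.dll", "cuckoomon.dll",
        "qemu-ga.exe", "vmtoolsd.exe", "vboxservice.exe"
    };
    const char *hits[8];
    int n = match_candidates(cands, (int)(sizeof cands / sizeof cands[0]), hits, 8);
    if (n == 0)
        puts("no candidate matched; extend the list or dump the strings the loop walks");
    for (int i = 0; i < n; i++)
        printf("%s -> %08X\n", hits[i], djb2(hits[i]));
    return 0;
}
```

      Note that the captured loop is a do-while (it increments esi and only then tests the next byte for NUL), so it hashes at least one byte even for an empty string; the function above uses the conventional while form, which gives identical results for every non-empty input.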
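      The "CPUID execution measurement" and "RDTSC time measurements" signatures above describe the same family of check: read the time-stamp counter, execute an instruction whose cost differs sharply between bare metal and a hypervisor, read the counter again, and branch on the delta. cpuid is the usual choice because it unconditionally exits to the hypervisor under VT-x/AMD-V, so the measured cycle count is much larger in a VM, and the short rdtsc/xor/add/rdtsc pairs captured at 004098B4 and 00409B1E are the reduced form of the same idea. The C program below is an added example written for this page, not code recovered from the sample: it implements the probe with GCC/Clang inline assembly on x86 (the probe compiles out and returns 0 elsewhere). The sample count, the use of a median, and the 1000-cycle threshold are assumptions chosen here for illustration; the sample's own branch thresholds are not shown in the report.

```c
/* Added example (not the sample's code): rdtsc / cpuid / rdtsc timing probe
 * as used for hypervisor detection. GCC/Clang, x86 or x86-64.
 * Compile: cc -std=c99 -O2 cpuid_probe.c */
#include <stdint.h>
#include <stdio.h>

/* Read the time-stamp counter (0 on non-x86 builds). */
static inline uint64_t rdtsc_now(void) {
#if defined(__x86_64__) || defined(__i386__)
    uint32_t lo, hi;
    __asm__ __volatile__("rdtsc" : "=a"(lo), "=d"(hi));
    return ((uint64_t)hi << 32) | lo;
#else
    return 0;
#endif
}

/* Execute cpuid leaf 0; this is the instruction that traps to the hypervisor. */
static inline void cpuid_leaf0(void) {
#if defined(__x86_64__) || defined(__i386__)
    uint32_t a = 0, b, c, d;
    __asm__ __volatile__("cpuid" : "+a"(a), "=b"(b), "=c"(c), "=d"(d));
    (void)b; (void)c; (void)d;
#endif
}

/* Cycles consumed by one cpuid, bracketed by two rdtsc reads. */
uint64_t measure_cpuid_cycles(void) {
    uint64_t t0 = rdtsc_now();
    cpuid_leaf0();
    uint64_t t1 = rdtsc_now();
    return t1 - t0;
}

/* Median of n samples; sorts v in place (insertion sort, n is small).
 * The captured code branches on a single delta; taking a median is a
 * robustness choice made in this example, not the sample's behaviour. */
uint64_t median_u64(uint64_t *v, int n) {
    for (int i = 1; i < n; i++) {
        uint64_t x = v[i];
        int j = i - 1;
        while (j >= 0 && v[j] > x) { v[j + 1] = v[j]; j--; }
        v[j + 1] = x;
    }
    return v[n / 2];
}

/* Decision rule: 1 means "looks virtualised", 0 means "looks native".
 * threshold is an assumed calibration value, not one taken from the sample. */
int looks_virtualised(uint64_t median_cycles, uint64_t threshold) {
    return median_cycles > threshold;
}

/* Run the probe `samples` times (capped at 64) and apply the decision rule. */
int probe(int samples, uint64_t threshold) {
    uint64_t buf[64];
    if (samples > 64) samples = 64;
    if (samples < 1) samples = 1;
    for (int i = 0; i < samples; i++) buf[i] = measure_cpuid_cycles();
    return looks_virtualised(median_u64(buf, samples), threshold);
}

int main(void) {
    uint64_t buf[32];
    for (int i = 0; i < 32; i++) buf[i] = measure_cpuid_cycles();
    uint64_t med = median_u64(buf, 32);
    printf("median cpuid cost: %llu cycles -> %s\n", (unsigned long long)med,
           looks_virtualised(med, 1000) ? "virtualised" : "native");
    return 0;
}
```

      Two caveats for anyone reproducing the measurement: rdtsc can itself be intercepted (the report's "RDTSC instruction interceptor" entries are exactly that, a sandbox patching the returned values), and modern hypervisors can enable TSC offsetting or scaling, so a single fixed threshold is fragile in both directions; the sample's loop-with-compare structure suggests it repeats the check rather than trusting one reading.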

      Anti Debugging:

      Contains functionality to hide a thread from the debugger
      Source: C:\Users\user\Desktop\microsoft.exe | Code function: 0_2_021C075D NtSetInformationThread 000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000,021C36FC,021CA41C,?,00000000
      Hides threads from debuggers
      Source: C:\Users\user\Desktop\microsoft.exe | Thread information set: HideFromDebugger (3 times)
      Source: C:\Users\user\Desktop\microsoft.exe | Process queried: DebugPort (3 times)
      Source: C:\Windows\SysWOW64\explorer.exe | Process queried: DebugPort
      Source: C:\Users\user\Desktop\microsoft.exe | Code function: 0_2_021C3690 rdtsc
      Source: C:\Users\user\Desktop\microsoft.exe | Code function: 3_2_1E519A50 NtCreateFile,LdrInitializeThunk
      Note: in the instructions below, fs:[00000030h] is the PEB pointer in the 32-bit TEB, so each entry is a direct PEB read.
      Source: C:\Users\user\Desktop\microsoft.exe | Code function: 0_2_021C8FC0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\microsoft.exe | Code function: 0_2_021C2E9E mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\microsoft.exe | Code function: 0_2_021C42BB mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\microsoft.exe | Code function: 0_2_021C22B5 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\microsoft.exe | Code function: 0_2_021C8030 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\microsoft.exe | Code function: 0_2_021C788B mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\microsoft.exe | Code function: 3_2_1E564257 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\microsoft.exe | Code function: 3_2_1E4D9240 mov eax, dword ptr fs:[00000030h] (listed 4 times)
      Source: C:\Users\user\Desktop\microsoft.exe | Code function: 3_2_1E4E7E41 mov eax, dword ptr fs:[00000030h] (listed 6 times)
      Source: C:\Users\user\Desktop\microsoft.exe | Code function: 3_2_1E4E766D mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\microsoft.exe | Code function: 3_2_1E51927A mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\microsoft.exe | Code function: 3_2_1E58B260 mov eax, dword ptr fs:[00000030h] (listed 2 times)
      Source: C:\Users\user\Desktop\microsoft.exe | Code function: 3_2_1E5A8A62 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\microsoft.exe | Code function: 3_2_1E4FAE73 mov eax, dword ptr fs:[00000030h] (listed 5 times)
      Source: C:\Users\user\Desktop\microsoft.exe | Code function: 3_2_1E4E8A0A mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\microsoft.exe | Code function: 3_2_1E50A61C mov eax, dword ptr fs:[00000030h] (listed 2 times)
      Source: C:\Users\user\Desktop\microsoft.exe | Code function: 3_2_1E4DC600 mov eax, dword ptr fs:[00000030h] (listed 3 times)
      Source: C:\Users\user\Desktop\microsoft.exe | Code function: 3_2_1E508E00 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\microsoft.exe | Code function: 3_2_1E591608 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\microsoft.exe | Code function: 3_2_1E4F3A1C mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\microsoft.exe | Code function: 3_2_1E4DAA16 mov eax, dword ptr fs:[00000030h] (listed 2 times)
      Source: C:\Users\user\Desktop\microsoft.exe | Code function: 3_2_1E4D5210 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\microsoft.exeCode function: 3_2_1E4D5210 mov ecx, dword ptr fs:[00000030h]3_2_1E4D5210
      Source: C:\Users\user\Desktop\microsoft.exeCode function: 3_2_1E4D5210 mov eax, dword ptr fs:[00000030h]3_2_1E4D5210
      Source: C:\Users\user\Desktop\microsoft.exeCode function: 3_2_1E4D5210 mov eax, dword ptr fs:[00000030h]3_2_1E4D5210
      Source: C:\Users\user\Desktop\microsoft.exeCode function: 3_2_1E58FE3F mov eax, dword ptr fs:[00000030h]3_2_1E58FE3F
      Source: C:\Users\user\Desktop\microsoft.exeCode function: 3_2_1E4DE620 mov eax, dword ptr fs:[00000030h]3_2_1E4DE620
      Source: C:\Users\user\Desktop\microsoft.exeCode function: 3_2_1E514A2C mov eax, dword ptr fs:[00000030h]3_2_1E514A2C
      Source: C:\Users\user\Desktop\microsoft.exeCode function: 3_2_1E514A2C mov eax, dword ptr fs:[00000030h]3_2_1E514A2C
      Source: C:\Users\user\Desktop\microsoft.exeCode function: 3_2_1E5A8ED6 mov eax, dword ptr fs:[00000030h]3_2_1E5A8ED6
      Source: C:\Users\user\Desktop\microsoft.exeCode function: 3_2_1E518EC7 mov eax, dword ptr fs:[00000030h]3_2_1E518EC7
      Source: C:\Users\user\Desktop\microsoft.exeCode function: 3_2_1E58FEC0 mov eax, dword ptr fs:[00000030h]3_2_1E58FEC0
      Source: C:\Users\user\Desktop\microsoft.exeCode function: 3_2_1E502ACB mov eax, dword ptr fs:[00000030h]3_2_1E502ACB
      Source: C:\Users\user\Desktop\microsoft.exeCode function: 3_2_1E5036CC mov eax, dword ptr fs:[00000030h]3_2_1E5036CC
      Source: C:\Users\user\Desktop\microsoft.exeCode function: 3_2_1E4E76E2 mov eax, dword ptr fs:[00000030h]3_2_1E4E76E2
      Source: C:\Users\user\Desktop\microsoft.exeCode function: 3_2_1E5016E0 mov ecx, dword ptr fs:[00000030h]3_2_1E5016E0
      Source: C:\Users\user\Desktop\microsoft.exeCode function: 3_2_1E502AE4 mov eax, dword ptr fs:[00000030h]3_2_1E502AE4
      Source: C:\Users\user\Desktop\microsoft.exeCode function: 3_2_1E50D294 mov eax, dword ptr fs:[00000030h]3_2_1E50D294
      Source: C:\Users\user\Desktop\microsoft.exeCode function: 3_2_1E50D294 mov eax, dword ptr fs:[00000030h]3_2_1E50D294
      Source: C:\Users\user\Desktop\microsoft.exeCode function: 3_2_1E56FE87 mov eax, dword ptr fs:[00000030h]3_2_1E56FE87
      Source: C:\Users\user\Desktop\microsoft.exeCode function: 3_2_1E50FAB0 mov eax, dword ptr fs:[00000030h]3_2_1E50FAB0
      Source: C:\Users\user\Desktop\microsoft.exeCode function: 3_2_1E4D52A5 mov eax, dword ptr fs:[00000030h]3_2_1E4D52A5
      Source: C:\Users\user\Desktop\microsoft.exeCode function: 3_2_1E4D52A5 mov eax, dword ptr fs:[00000030h]3_2_1E4D52A5
      Source: C:\Users\user\Desktop\microsoft.exeCode function: 3_2_1E4D52A5 mov eax, dword ptr fs:[00000030h]3_2_1E4D52A5
      Source: C:\Users\user\Desktop\microsoft.exeCode function: 3_2_1E4D52A5 mov eax, dword ptr fs:[00000030h]3_2_1E4D52A5
      Source: C:\Users\user\Desktop\microsoft.exeCode function: 3_2_1E4D52A5 mov eax, dword ptr fs:[00000030h]3_2_1E4D52A5
      Source: C:\Users\user\Desktop\microsoft.exeCode function: 3_2_1E5546A7 mov eax, dword ptr fs:[00000030h]3_2_1E5546A7
      Source: C:\Users\user\Desktop\microsoft.exeCode function: 3_2_1E4EAAB0 mov eax, dword ptr fs:[00000030h]3_2_1E4EAAB0
      Source: C:\Users\user\Desktop\microsoft.exeCode function: 3_2_1E4EAAB0 mov eax, dword ptr fs:[00000030h]3_2_1E4EAAB0
      Source: C:\Users\user\Desktop\microsoft.exeCode function: 3_2_1E5A0EA5 mov eax, dword ptr fs:[00000030h]3_2_1E5A0EA5
      Source: C:\Users\user\Desktop\microsoft.exeCode function: 3_2_1E5A0EA5 mov eax, dword ptr fs:[00000030h]3_2_1E5A0EA5
      Source: C:\Users\user\Desktop\microsoft.exeCode function: 3_2_1E5A0EA5 mov eax, dword ptr fs:[00000030h]3_2_1E5A0EA5
      Source: C:\Users\user\Desktop\microsoft.exeCode function: 3_2_1E5A8B58 mov eax, dword ptr fs:[00000030h]3_2_1E5A8B58
      Source: C:\Users\user\Desktop\microsoft.exeCode function: 3_2_1E4DDB40 mov eax, dword ptr fs:[00000030h]3_2_1E4DDB40
      Source: C:\Users\user\Desktop\microsoft.exeCode function: 3_2_1E4EEF40 mov eax, dword ptr fs:[00000030h]3_2_1E4EEF40
      Source: C:\Users\user\Desktop\microsoft.exeCode function: 3_2_1E4DF358 mov eax, dword ptr fs:[00000030h]3_2_1E4DF358
      Source: C:\Users\user\Desktop\microsoft.exeCode function: 3_2_1E503B7A mov eax, dword ptr fs:[00000030h]3_2_1E503B7A
      Source: C:\Users\user\Desktop\microsoft.exeCode function: 3_2_1E503B7A mov eax, dword ptr fs:[00000030h]3_2_1E503B7A
      Source: C:\Users\user\Desktop\microsoft.exeCode function: 3_2_1E4DDB60 mov ecx, dword ptr fs:[00000030h]3_2_1E4DDB60
      Source: C:\Users\user\Desktop\microsoft.exeCode function: 3_2_1E4EFF60 mov eax, dword ptr fs:[00000030h]3_2_1E4EFF60
      Source: C:\Users\user\Desktop\microsoft.exeCode function: 3_2_1E5A8F6A mov eax, dword ptr fs:[00000030h]3_2_1E5A8F6A
      Source: C:\Users\user\Desktop\microsoft.exeCode function: 3_2_1E59131B mov eax, dword ptr fs:[00000030h]3_2_1E59131B
      Source: C:\Users\user\Desktop\microsoft.exeCode function: 3_2_1E56FF10 mov eax, dword ptr fs:[00000030h]3_2_1E56FF10
      Source: C:\Users\user\Desktop\microsoft.exeCode function: 3_2_1E56FF10 mov eax, dword ptr fs:[00000030h]3_2_1E56FF10
      Source: C:\Users\user\Desktop\microsoft.exeCode function: 3_2_1E5A070D mov eax, dword ptr fs:[00000030h]3_2_1E5A070D
      Source: C:\Users\user\Desktop\microsoft.exeCode function: 3_2_1E5A070D mov eax, dword ptr fs:[00000030h]3_2_1E5A070D
      Source: C:\Users\user\Desktop\microsoft.exeCode function: 3_2_1E4FF716 mov eax, dword ptr fs:[00000030h]3_2_1E4FF716
      Source: C:\Users\user\Desktop\microsoft.exeCode function: 3_2_1E50A70E mov eax, dword ptr fs:[00000030h]3_2_1E50A70E
      Source: C:\Users\user\Desktop\microsoft.exeCode function: 3_2_1E50A70E mov eax, dword ptr fs:[00000030h]3_2_1E50A70E
      Source: C:\Users\user\Desktop\microsoft.exeCode function: 3_2_1E50E730 mov eax, dword ptr fs:[00000030h]3_2_1E50E730
      Source: C:\Users\user\Desktop\microsoft.exeCode function: 3_2_1E4D4F2E mov eax, dword ptr fs:[00000030h]3_2_1E4D4F2E
      Source: C:\Users\user\Desktop\microsoft.exeCode function: 3_2_1E4D4F2E mov eax, dword ptr fs:[00000030h]3_2_1E4D4F2E
      Source: C:\Users\user\Desktop\microsoft.exeCode function: 3_2_1E5553CA mov eax, dword ptr fs:[00000030h]3_2_1E5553CA
      Source: C:\Users\user\Desktop\microsoft.exeCode function: 3_2_1E5553CA mov eax, dword ptr fs:[00000030h]