Analysis Report CopyMX2N79.exe

Overview

General Information

Sample Name: CopyMX2N79.exe
Analysis ID: 288431
MD5: c02762dd741807fe5db17e96c29448a1
SHA1: 0b1c135bc1c956c05b3962be6ec79cb44e29ba1d
SHA256: 02296010035b93a3435b5b06a9af1f2715310bcf370918cd80114b18fae780b6
Tags: Formbook

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected AntiVM_3
Yara detected FormBook
.NET source code contains potential unpacker
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Startup

  • System is w10x64
  • CopyMX2N79.exe (PID: 7052 cmdline: 'C:\Users\user\Desktop\CopyMX2N79.exe' MD5: C02762DD741807FE5DB17E96C29448A1)
    • CopyMX2N79.exe (PID: 7160 cmdline: {path} MD5: C02762DD741807FE5DB17E96C29448A1)
      • explorer.exe (PID: 3508 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • msiexec.exe (PID: 6712 cmdline: C:\Windows\SysWOW64\msiexec.exe MD5: 12C17B5A5C2A7B97342C362CA467E9A2)
      • control.exe (PID: 6072 cmdline: C:\Windows\SysWOW64\control.exe MD5: 40FBA3FBFD5E33E0DE1BA45472FDA66F)
        • cmd.exe (PID: 4112 cmdline: /c del 'C:\Users\user\Desktop\CopyMX2N79.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
          • conhost.exe (PID: 6388 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000012.00000002.629860804.0000000000B10000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
    00000012.00000002.629860804.0000000000B10000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
    • 0x98b8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x9b22:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x157a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x15291:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x158a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x15a1f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0xa69a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x1450c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0xb393:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x1ab17:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x1bb1a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
    00000012.00000002.629860804.0000000000B10000.00000040.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
    • 0x18429:$sqlite3step: 68 34 1C 7B E1
    • 0x1853c:$sqlite3step: 68 34 1C 7B E1
    • 0x18458:$sqlite3text: 68 38 2A 90 C5
    • 0x1857d:$sqlite3text: 68 38 2A 90 C5
    • 0x1846b:$sqlite3blob: 68 53 D8 7F 8C
    • 0x18593:$sqlite3blob: 68 53 D8 7F 8C
    00000012.00000002.631108329.00000000044E0000.00000004.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
      00000012.00000002.631108329.00000000044E0000.00000004.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com

      Unpacked PEs

      Source | Rule | Description | Author | Strings
      3.2.CopyMX2N79.exe.400000.0.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
        3.2.CopyMX2N79.exe.400000.0.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
        3.2.CopyMX2N79.exe.400000.0.raw.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
        3.2.CopyMX2N79.exe.400000.0.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
          3.2.CopyMX2N79.exe.400000.0.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
          • 0x8ab8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
          • 0x8d22:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
          • 0x149a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
          • 0x14491:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
          • 0x14aa7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
          • 0x14c1f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
          • 0x989a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
          • 0x1370c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
          • 0xa593:$sequence_7: 66 89 0C 02 5B 8B E5 5D
          • 0x19d17:$sequence_8: 3C 54 74 04 3C 74 75 F4
          • 0x1ad1a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

          Sigma Overview

          No Sigma rule has matched

          Signature Overview

          AV Detection:

          Antivirus / Scanner detection for submitted sample
          Source: CopyMX2N79.exe, Avira: detected
          Multi AV Scanner detection for submitted file
          Source: CopyMX2N79.exe, Virustotal: Detection: 34%
          Source: CopyMX2N79.exe, ReversingLabs: Detection: 27%
          Yara detected FormBook
          Source: 3.2.CopyMX2N79.exe.400000.0.unpack, Avira: Label: TR/Crypt.ZPACK.Gen

          E-Banking Fraud:

          Yara detected FormBook

          System Summary:

          Malicious sample detected (through community Yara rule)
          Source: C:\Users\user\Desktop\CopyMX2N79.exe Code function: String function: 0159B150 appears 145 times
          Source: C:\Windows\SysWOW64\control.exe Code function: String function: 0474B150 appears 145 times
          Source: CopyMX2N79.exe, 00000002.00000002.369393672.0000000000A0C000.00000002.00020000.sdmp Binary or memory string: OriginalFilename0dj.exe: vs CopyMX2N79.exe
          Source: CopyMX2N79.exe, 00000002.00000002.373041556.0000000003C99000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameB2B.exe4 vs CopyMX2N79.exe
          Source: CopyMX2N79.exe, 00000003.00000002.426101784.000000000181F000.00000040.00000001.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs CopyMX2N79.exe
          Source: CopyMX2N79.exe, 00000003.00000002.425317510.0000000000AEC000.00000002.00020000.sdmp Binary or memory string: OriginalFilename0dj.exe: vs CopyMX2N79.exe
          Source: CopyMX2N79.exe, 00000003.00000002.428402805.00000000032E5000.00000040.00000001.sdmp Binary or memory string: OriginalFilenameCONTROL.EXEj% vs CopyMX2N79.exe
          Source: CopyMX2N79.exe Binary or memory string: OriginalFilename0dj.exe: vs CopyMX2N79.exe
          Source: 00000012.00000002.629860804.0000000000B10000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000012.00000002.629860804.0000000000B10000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000012.00000002.631108329.00000000044E0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000012.00000002.631108329.00000000044E0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000002.00000002.373041556.0000000003C99000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000002.00000002.373041556.0000000003C99000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000003.00000002.425130944.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000003.00000002.425130944.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000012.00000002.629275388.0000000000520000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000012.00000002.629275388.0000000000520000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000003.00000002.428338140.0000000003239000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000003.00000002.428338140.0000000003239000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000003.00000002.425450015.0000000000FF0000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000003.00000002.425450015.0000000000FF0000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000003.00000002.425405260.0000000000FA0000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000003.00000002.425405260.0000000000FA0000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 3.2.CopyMX2N79.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 3.2.CopyMX2N79.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 3.2.CopyMX2N79.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 3.2.CopyMX2N79.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: CopyMX2N79.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: classification engine Classification label: mal100.troj.evad.winEXE@9/1@0/0
          Source: C:\Users\user\Desktop\CopyMX2N79.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\CopyMX2N79.exe.log
          Source: C:\Users\user\Desktop\CopyMX2N79.exe Mutant created: \Sessions\1\BaseNamedObjects\LRFtCXWxSpyZeCJPALEODHPUbra
          Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6388:120:WilError_01
          Source: C:\Users\user\Desktop\CopyMX2N79.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
          Source: C:\Users\user\Desktop\CopyMX2N79.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: C:\Windows\SysWOW64\control.exe File read: C:\Windows\System32\drivers\etc\hosts
          Source: CopyMX2N79.exe Virustotal: Detection: 34%
          Source: CopyMX2N79.exe ReversingLabs: Detection: 27%
          Source: unknown Process created: C:\Users\user\Desktop\CopyMX2N79.exe 'C:\Users\user\Desktop\CopyMX2N79.exe'
          Source: unknown Process created: C:\Users\user\Desktop\CopyMX2N79.exe {path}
          Source: unknown Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\SysWOW64\msiexec.exe
          Source: unknown Process created: C:\Windows\SysWOW64\control.exe C:\Windows\SysWOW64\control.exe
          Source: unknown Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\CopyMX2N79.exe'
          Source: unknown Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\CopyMX2N79.exe Process created: C:\Users\user\Desktop\CopyMX2N79.exe {path}
          Source: C:\Users\user\Desktop\CopyMX2N79.exe Process created: C:\Windows\SysWOW64\control.exe C:\Windows\SysWOW64\control.exe
          Source: C:\Windows\SysWOW64\control.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\CopyMX2N79.exe'
          Source: C:\Windows\explorer.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{317D06E8-5F24-433D-BDF7-79CE68D8ABC2}\InProcServer32
          Source: C:\Users\user\Desktop\CopyMX2N79.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
          Source: CopyMX2N79.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
          Source: CopyMX2N79.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
          Source: Binary string: wscui.pdbUGP source: explorer.exe, 00000005.00000000.385576643.0000000007640000.00000002.00000001.sdmp
          Source: Binary string: MusNotifyIcon.pdb source: explorer.exe, 00000005.00000000.389074388.000000000E1D0000.00000004.00000001.sdmp
          Source: Binary string: wntdll.pdbUGP source: CopyMX2N79.exe, 00000003.00000002.425750614.0000000001570000.00000040.00000001.sdmp, control.exe, 00000012.00000002.631195205.0000000004720000.00000040.00000001.sdmp
          Source: Binary string: control.pdb source: CopyMX2N79.exe, 00000003.00000002.428383876.00000000032E0000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdb source: CopyMX2N79.exe, control.exe
          Source: Binary string: MusNotifyIcon.pdbGCTL source: explorer.exe, 00000005.00000000.389074388.000000000E1D0000.00000004.00000001.sdmp
          Source: Binary string: control.pdbUGP source: CopyMX2N79.exe, 00000003.00000002.428383876.00000000032E0000.00000040.00000001.sdmp
          Source: Binary string: wscui.pdb source: explorer.exe, 00000005.00000000.385576643.0000000007640000.00000002.00000001.sdmp

          Data Obfuscation:

          .NET source code contains potential unpacker
          Source: CopyMX2N79.exe, u0003u2000.cs.Net Code: \x02 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 2.0.CopyMX2N79.exe.970000.0.unpack, u0003u2000.cs.Net Code: \x02 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 2.2.CopyMX2N79.exe.970000.0.unpack, u0003u2000.cs.Net Code: \x02 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 3.0.CopyMX2N79.exe.a50000.0.unpack, u0003u2000.cs.Net Code: \x02 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 3.2.CopyMX2N79.exe.a50000.1.unpack, u0003u2000.cs.Net Code: \x02 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: C:\Users\user\Desktop\CopyMX2N79.exeCode function: 2_2_05D70DF3 push C800005Eh; retf 2_2_05D70DF9
          Source: C:\Users\user\Desktop\CopyMX2N79.exeCode function: 2_2_05D70DE3 push 8C00005Eh; retf 2_2_05D70DE9
          Source: C:\Users\user\Desktop\CopyMX2N79.exeCode function: 2_2_05D72D48 push ebx; retf 2_2_05D72D49
          Source: C:\Users\user\Desktop\CopyMX2N79.exeCode function: 2_2_05D7CA48 pushfd ; iretd 2_2_05D7CB62
          Source: C:\Users\user\Desktop\CopyMX2N79.exeCode function: 2_2_05D76A73 push esp; ret 2_2_05D76A77
          Source: C:\Users\user\Desktop\CopyMX2N79.exeCode function: 2_2_05D76A7D push esp; ret 2_2_05D76A81
          Source: C:\Users\user\Desktop\CopyMX2N79.exeCode function: 3_2_00408047 push FFFFFF9Fh; iretd 3_2_0040804A
          Source: C:\Users\user\Desktop\CopyMX2N79.exeCode function: 3_2_004182EB push ds; retf 3_2_004182EE
          Source: C:\Users\user\Desktop\CopyMX2N79.exeCode function: 3_2_0041DC8C push ebx; ret 3_2_0041DD55
          Source: C:\Users\user\Desktop\CopyMX2N79.exeCode function: 3_2_0041DD56 push ebx; ret 3_2_0041DD55
          Source: C:\Users\user\Desktop\CopyMX2N79.exeCode function: 3_2_004165F7 push BC1E6DA9h; retf 3_2_004165FC
          Source: C:\Users\user\Desktop\CopyMX2N79.exeCode function: 3_2_0041CE19 push edx; ret 3_2_0041CF3C
          Source: C:\Users\user\Desktop\CopyMX2N79.exeCode function: 3_2_0041C6F2 push eax; ret 3_2_0041C6F8
          Source: C:\Users\user\Desktop\CopyMX2N79.exeCode function: 3_2_0041C6FB push eax; ret 3_2_0041C762
          Source: C:\Users\user\Desktop\CopyMX2N79.exeCode function: 3_2_0041C6A5 push eax; ret 3_2_0041C6F8
          Source: C:\Users\user\Desktop\CopyMX2N79.exeCode function: 3_2_0041C75C push eax; ret 3_2_0041C762
          Source: C:\Users\user\Desktop\CopyMX2N79.exeCode function: 3_2_015ED0D1 push ecx; ret 3_2_015ED0E4
          Source: C:\Windows\SysWOW64\control.exeCode function: 18_2_0479D0D1 push ecx; ret 18_2_0479D0E4
          Source: C:\Windows\SysWOW64\control.exeCode function: 18_2_00528047 push FFFFFF9Fh; iretd 18_2_0052804A
          Source: C:\Windows\SysWOW64\control.exeCode function: 18_2_005382EB push ds; retf 18_2_005382EE
          Source: C:\Windows\SysWOW64\control.exeCode function: 18_2_0053DC8C push ebx; ret 18_2_0053DD55
          Source: C:\Windows\SysWOW64\control.exeCode function: 18_2_0053DD56 push ebx; ret 18_2_0053DD55
          Source: C:\Windows\SysWOW64\control.exeCode function: 18_2_005365F7 push BC1E6DA9h; retf 18_2_005365FC
          Source: C:\Windows\SysWOW64\control.exeCode function: 18_2_0053CE19 push edx; ret 18_2_0053CF3C
          Source: C:\Windows\SysWOW64\control.exeCode function: 18_2_0053C6F2 push eax; ret 18_2_0053C6F8
          Source: C:\Windows\SysWOW64\control.exeCode function: 18_2_0053C6FB push eax; ret 18_2_0053C762
          Source: C:\Windows\SysWOW64\control.exeCode function: 18_2_0053C6A5 push eax; ret 18_2_0053C6F8
          Source: C:\Windows\SysWOW64\control.exeCode function: 18_2_0053C75C push eax; ret 18_2_0053C762
          Source: initial sampleStatic PE information: section name: .text entropy: 7.49585744718
          Source: C:\Users\user\Desktop\CopyMX2N79.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\explorer.exe; Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\control.exe; Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

          Malware Analysis System Evasion:

          Yara detected AntiVM_3
          Source: Yara match; File source: Process Memory Space: CopyMX2N79.exe PID: 7052, type: MEMORY
          Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
          Source: CopyMX2N79.exe, 00000002.00000002.372694885.00000000034EE000.00000004.00000001.sdmp; Binary or memory string: WINE_GET_UNIX_FILE_NAME
          Source: CopyMX2N79.exe, 00000002.00000002.372694885.00000000034EE000.00000004.00000001.sdmp; Binary or memory string: SBIEDLL.DLL
          Tries to detect virtualization through RDTSC time measurements
          Source: C:\Users\user\Desktop\CopyMX2N79.exe; RDTSC instruction interceptor: First address: 00000000004098B4 second address: 00000000004098BA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\CopyMX2N79.exe; RDTSC instruction interceptor: First address: 0000000000409B1E second address: 0000000000409B24 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\control.exe; RDTSC instruction interceptor: First address: 00000000005298B4 second address: 00000000005298BA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\control.exe; RDTSC instruction interceptor: First address: 0000000000529B1E second address: 0000000000529B24 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\CopyMX2N79.exe; Code function: 3_2_00409A50 rdtsc
          Source: C:\Users\user\Desktop\CopyMX2N79.exe; Thread delayed: delay time: 922337203685477
          Source: C:\Users\user\Desktop\CopyMX2N79.exe TID: 7056; Thread sleep time: -41500s >= -30000s
          Source: C:\Users\user\Desktop\CopyMX2N79.exe TID: 7104; Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Windows\SysWOW64\control.exe TID: 868; Thread sleep time: -65000s >= -30000s
          Source: explorer.exe, 00000005.00000000.385977764.0000000007BBC000.00000004.00000001.sdmp; Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
          Source: explorer.exe, 00000005.00000000.386435414.0000000007F40000.00000002.00000001.sdmp; Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
          Source: CopyMX2N79.exe, 00000002.00000002.372694885.00000000034EE000.00000004.00000001.sdmp; Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
          Source: explorer.exe, 00000005.00000003.551455449.00000000044F6000.00000004.00000001.sdmp; Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}lo
          Source: CopyMX2N79.exe, 00000002.00000002.372694885.00000000034EE000.00000004.00000001.sdmp; Binary or memory string: VMWARE
          Source: explorer.exe, 00000005.00000000.385977764.0000000007BBC000.00000004.00000001.sdmp; Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
          Source: CopyMX2N79.exe, 00000002.00000002.372694885.00000000034EE000.00000004.00000001.sdmp; Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
          Source: explorer.exe, 00000005.00000000.385907309.0000000007B29000.00000004.00000001.sdmp; Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}T7
          Source: explorer.exe, 00000005.00000000.386435414.0000000007F40000.00000002.00000001.sdmp; Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
          Source: CopyMX2N79.exe, 00000002.00000002.372694885.00000000034EE000.00000004.00000001.sdmp; Binary or memory string: VMware SVGA II
          Source: CopyMX2N79.exe, 00000002.00000002.372694885.00000000034EE000.00000004.00000001.sdmp; Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
          Source: CopyMX2N79.exe, 00000002.00000002.372694885.00000000034EE000.00000004.00000001.sdmp; Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
          Source: explorer.exe, 00000005.00000000.386034702.0000000007C3C000.00000004.00000001.sdmp; Binary or memory string: VMware SATA CD00$
          Source: explorer.exe, 00000005.00000000.385907309.0000000007B29000.00000004.00000001.sdmp; Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
          Source: CopyMX2N79.exe, 00000002.00000002.372694885.00000000034EE000.00000004.00000001.sdmp; Binary or memory string: vmware
          Source: explorer.exe, 00000005.00000000.386034702.0000000007C3C000.00000004.00000001.sdmp; Binary or memory string: VMware SATA CD00dRom0s_
          Source: CopyMX2N79.exe, 00000002.00000002.372694885.00000000034EE000.00000004.00000001.sdmp; Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
          Source: explorer.exe, 00000005.00000000.386089071.0000000007C99000.00000004.00000001.sdmp; Binary or memory string: _VMware_SATA_CD00#5&
          Source: explorer.exe, 00000005.00000000.386435414.0000000007F40000.00000002.00000001.sdmp; Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
          Source: explorer.exe, 00000005.00000000.385907309.0000000007B29000.00000004.00000001.sdmp; Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}6B
          Source: explorer.exe, 00000005.00000000.385977764.0000000007BBC000.00000004.00000001.sdmp; Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
          Source: explorer.exe, 00000005.00000000.386435414.0000000007F40000.00000002.00000001.sdmp; Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
          Source: C:\Users\user\Desktop\CopyMX2N79.exe; Process information queried: ProcessInformation

          Anti Debugging:

          Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
          Source: C:\Users\user\Desktop\CopyMX2N79.exe; Code function: 2_2_0138FCF8 CheckRemoteDebuggerPresent
          Source: C:\Users\user\Desktop\CopyMX2N79.exe; Process queried: DebugPort
          Source: C:\Windows\SysWOW64\control.exe; Process queried: DebugPort
          Source: C:\Users\user\Desktop\CopyMX2N79.exe; Code function: 3_2_00409A50 rdtsc
          Source: C:\Users\user\Desktop\CopyMX2N79.exe; Code function: 3_2_0040ADF0 LdrLoadDll
          Source: C:\Users\user\Desktop\CopyMX2N79.exeCode function: 3_2_015BB236 mov eax, dword ptr fs:[00000030h]3_2_015BB236
          Source: C:\Users\user\Desktop\CopyMX2N79.exeCode function: 3_2_015BB236 mov eax, dword ptr fs:[00000030h]3_2_015BB236
          Source: C:\Users\user\Desktop\CopyMX2N79.exeCode function: 3_2_015D4A2C mov eax, dword ptr fs:[00000030h]3_2_015D4A2C
          Source: C:\Users\user\Desktop\CopyMX2N79.exeCode function: 3_2_015D4A2C mov eax, dword ptr fs:[00000030h]3_2_015D4A2C
          Source: C:\Users\user\Desktop\CopyMX2N79.exeCode function: 3_2_015BA229 mov eax, dword ptr fs:[00000030h]3_2_015BA229
          Source: C:\Users\user\Desktop\CopyMX2N79.exeCode function: 3_2_015BA229 mov eax, dword ptr fs:[00000030h]3_2_015BA229
          Source: C:\Users\user\Desktop\CopyMX2N79.exeCode function: 3_2_015BA229 mov eax, dword ptr fs:[00000030h]3_2_015BA229
          Source: C:\Users\user\Desktop\CopyMX2N79.exeCode function: 3_2_015BA229 mov eax, dword ptr fs:[00000030h]3_2_015BA229
          Source: C:\Users\user\Desktop\CopyMX2N79.exeCode function: 3_2_015BA229 mov eax, dword ptr fs:[00000030h]3_2_015BA229
          Source: C:\Users\user\Desktop\CopyMX2N79.exeCode function: 3_2_015BA229 mov eax, dword ptr fs:[00000030h]3_2_015BA229
          Source: C:\Users\user\Desktop\CopyMX2N79.exeCode function: 3_2_015BA229 mov eax, dword ptr fs:[00000030h]3_2_015BA229
          Source: C:\Users\user\Desktop\CopyMX2N79.exeCode function: 3_2_015BA229 mov eax, dword ptr fs:[00000030h]3_2_015BA229
          Source: C:\Users\user\Desktop\CopyMX2N79.exeCode function: 3_2_015BA229 mov eax, dword ptr fs:[00000030h]3_2_015BA229
          Source: C:\Users\user\Desktop\CopyMX2N79.exeCode function: 3_2_0165AA16 mov eax, dword ptr fs:[00000030h]3_2_0165AA16
          Source: C:\Users\user\Desktop\CopyMX2N79.exeCode function: 3_2_0165AA16 mov eax, dword ptr fs:[00000030h]3_2_0165AA16
          Source: C:\Users\user\Desktop\CopyMX2N79.exeCode function: 3_2_01654AEF mov eax, dword ptr fs:[00000030h]3_2_01654AEF
          Source: C:\Users\user\Desktop\CopyMX2N79.exeCode function: 3_2_01654AEF mov eax, dword ptr fs:[00000030h]3_2_01654AEF
          Source: C:\Users\user\Desktop\CopyMX2N79.exeCode function: 3_2_01654AEF mov eax, dword ptr fs:[00000030h]3_2_01654AEF
          Source: C:\Users\user\Desktop\CopyMX2N79.exeCode function: 3_2_01654AEF mov eax, dword ptr fs:[00000030h]3_2_01654AEF
          Source: C:\Users\user\Desktop\CopyMX2N79.exeCode function: 3_2_01654AEF mov eax, dword ptr fs:[00000030h]3_2_01654AEF
          Source: C:\Users\user\Desktop\CopyMX2N79.exeCode function: 3_2_01654AEF mov eax, dword ptr fs:[00000030h]3_2_01654AEF
          Source: C:\Users\user\Desktop\CopyMX2N79.exeCode function: 3_2_01654AEF mov eax, dword ptr fs:[00000030h]3_2_01654AEF
          Source: C:\Users\user\Desktop\CopyMX2N79.exeCode function: 3_2_01654AEF mov eax, dword ptr fs:[00000030h]3_2_01654AEF
          Source: C:\Users\user\Desktop\CopyMX2N79.exeCode function: 3_2_01654AEF mov eax, dword ptr fs:[00000030h]3_2_01654AEF
          Source: C:\Users\user\Desktop\CopyMX2N79.exeCode function: 3_2_01654AEF mov eax, dword ptr fs:[00000030h]3_2_01654AEF
          Source: C:\Users\user\Desktop\CopyMX2N79.exeCode function: 3_2_01654AEF mov eax, dword ptr fs:[00000030h]3_2_01654AEF
          Source: C:\Users\user\Desktop\CopyMX2N79.exeCode function: 3_2_01654AEF mov eax, dword ptr fs:[00000030h]3_2_01654AEF
          Source: C:\Users\user\Desktop\CopyMX2N79.exeCode function: 3_2_01654AEF mov eax, dword ptr fs:[00000030h]3_2_01654AEF
          Source: C:\Users\user\Desktop\CopyMX2N79.exeCode function: 3_2_01654AEF mov eax, dword ptr fs:[00000030h]3_2_01654AEF
          Source: C:\Users\user\Desktop\CopyMX2N79.exeCode function: 3_2_015C2ACB mov eax, dword ptr fs:[00000030h]3_2_015C2ACB
          Source: C:\Users\user\Desktop\CopyMX2N79.exeCode function: 3_2_015C2AE4 mov eax, dword ptr fs:[00000030h]3_2_015C2AE4
          Source: C:\Users\user\Desktop\CopyMX2N79.exeCode function: 3_2_015CD294 mov eax, dword ptr fs:[00000030h]3_2_015CD294
          Source: C:\Users\user\Desktop\CopyMX2N79.exeCode function: 3_2_015CD294 mov eax, dword ptr fs:[00000030h]3_2_015CD294
          Source: C:\Users\user\Desktop\CopyMX2N79.exeCode function: 3_2_015AAAB0 mov eax, dword ptr fs:[00000030h]3_2_015AAAB0
          Source: C:\Users\user\Desktop\CopyMX2N79.exeCode function: 3_2_015AAAB0 mov eax, dword ptr fs:[00000030h]3_2_015AAAB0
          Source: C:\Users\user\Desktop\CopyMX2N79.exeCode function: 3_2_015CFAB0 mov eax, dword ptr fs:[00000030h]3_2_015CFAB0
          Source: C:\Users\user\Desktop\CopyMX2N79.exeCode function: 3_2_015952A5 mov eax, dword ptr fs:[00000030h]3_2_015952A5
          Source: C:\Users\user\Desktop\CopyMX2N79.exeCode function: 3_2_015952A5 mov eax, dword ptr fs:[00000030h]3_2_015952A5
          Source: C:\Users\user\Desktop\CopyMX2N79.exeCode function: 3_2_015952A5 mov eax, dword ptr fs:[00000030h]3_2_015952A5
          Source: C:\Users\user\Desktop\CopyMX2N79.exeCode function: 3_2_015952A5 mov eax, dword ptr fs:[00000030h]3_2_015952A5
          Source: C:\Users\user\Desktop\CopyMX2N79.exeCode function: 3_2_015952A5 mov eax, dword ptr fs:[00000030h]3_2_015952A5
          Source: C:\Users\user\Desktop\CopyMX2N79.exeCode function: 3_2_015B7D50 mov eax, dword ptr fs:[00000030h]3_2_015B7D50
          Source: C:\Users\user\Desktop\CopyMX2N79.exeCode function: 3_2_015D3D43 mov eax, dword ptr fs:[00000030h]3_2_015D3D43
          Source: C:\Users\user\Desktop\CopyMX2N79.exeCode function: 3_2_01613540 mov eax, dword ptr fs:[00000030h]3_2_01613540
          Source: C:\Users\user\Desktop\CopyMX2N79.exeCode function: 3_2_01643D40 mov eax, dword ptr fs:[00000030h]3_2_01643D40
          Source: C:\Users\user\Desktop\CopyMX2N79.exeCode function: 3_2_015BC577 mov eax, dword ptr fs:[00000030h]3_2_015BC577
          Source: C:\Users\user\Desktop\CopyMX2N79.exeCode function: 3_2_015BC577 mov eax, dword ptr fs:[00000030h]3_2_015BC577
          Source: C:\Users\user\Desktop\CopyMX2N79.exeCode function: 3_2_015B8D76 mov eax, dword ptr fs:[00000030h]3_2_015B8D76
          Source: C:\Users\user\Desktop\CopyMX2N79.exeCode function: 3_2_015B8D76 mov eax, dword ptr fs:[00000030h]3_2_015B8D76
          Source: C:\Users\user\Desktop\CopyMX2N79.exeCode function: 3_2_015B8D76 mov eax, dword ptr fs:[00000030h]3_2_015B8D76
          Source: C:\Users\user\Desktop\CopyMX2N79.exeCode function: 3_2_015B8D76 mov eax, dword ptr fs:[00000030h]3_2_015B8D76
          Source: C:\Users\user\Desktop\CopyMX2N79.exeCode function: 3_2_015B8D76 mov eax, dword ptr fs:[00000030h]3_2_015B8D76
          Source: C:\Users\user\Desktop\CopyMX2N79.exeCode function: 3_2_01668D34 mov eax, dword ptr fs:[00000030h]3_2_01668D34
          Source: C:\Users\user\Desktop\CopyMX2N79.exeCode function: 3_2_0161A537 mov eax, dword ptr fs:[00000030h]3_2_0161A537
          Source: C:\Users\user\Desktop\CopyMX2N79.exeCode function: 3_2_0165E539 mov eax, dword ptr fs:[00000030h]3_2_0165E539
          Source: C:\Users\user\Desktop\CopyMX2N79.exeCode function: 3_2_015C4D3B mov eax, dword ptr fs:[00000030h]3_2_015C4D3B
          Source: C:\Users\user\Desktop\CopyMX2N79.exeCode function: 3_2_015C4D3B mov eax, dword ptr fs:[00000030h]3_2_015C4D3B
          Source: C:\Users\user\Desktop\CopyMX2N79.exeCode function: 3_2_015C4D3B mov eax, dword ptr fs:[00000030h]3_2_015C4D3B
          Source: C:\Users\user\Desktop\CopyMX2N79.exeCode function: 3_2_0159AD30 mov eax, dword ptr fs:[00000030h]3_2_0159AD30
          Source: C:\Users\user\Desktop\CopyMX2N79.exeCode function: 3_2_015A3D34 mov eax, dword ptr fs:[00000030h]3_2_015A3D34
          Source: C:\Users\user\Desktop\CopyMX2N79.exeCode function: 3_2_015A3D34 mov eax, dword ptr fs:[00000030h]3_2_015A3D34
          Source: C:\Users\user\Desktop\CopyMX2N79.exeCode function: 3_2_015A3D34 mov eax, dword ptr fs:[00000030h]3_2_015A3D34
          Source: C:\Users\user\Desktop\CopyMX2N79.exeCode function: 3_2_015A3D34 mov eax, dword ptr fs:[00000030h]3_2_015A3D34
          Source: C:\Users\user\Desktop\CopyMX2N79.exeCode function: 3_2_015A3D34 mov eax, dword ptr fs:[00000030h]3_2_015A3D34
          Source: C:\Users\user\Desktop\CopyMX2N79.exeCode function: 3_2_015A3D34 mov eax, dword ptr fs:[00000030h]3_2_015A3D34
          Source: C:\Users\user\Desktop\CopyMX2N79.exeCode function: 3_2_015A3D34 mov eax, dword ptr fs:[00000030h]3_2_015A3D34
          Source: C:\Users\user\Desktop\CopyMX2N79.exeCode function: 3_2_015A3D34 mov eax, dword ptr fs:[00000030h]3_2_015A3D34
          Source: C:\Users\user\Desktop\CopyMX2N79.exeCode function: 3_2_015A3D34 mov eax, dword ptr fs:[00000030h]3_2_015A3D34
          Source: C:\Users\user\Desktop\CopyMX2N79.exeCode function: 3_2_015A3D34 mov eax, dword ptr fs:[00000030h]3_2_015A3D34
          Source: C:\Users\user\Desktop\CopyMX2N79.exeCode function: 3_2_015A3D34 mov eax, dword ptr fs:[00000030h]3_2_015A3D34
          Source: C:\Users\user\Desktop\CopyMX2N79.exeCode function: 3_2_015A3D34 mov eax, dword ptr fs:[00000030h]3_2_015A3D34
          Source: C:\Users\user\Desktop\CopyMX2N79.exeCode function: 3_2_015A3D34 mov eax, dword ptr fs:[00000030h]3_2_015A3D34
          Source: C:\Users\user\Desktop\CopyMX2N79.exeCode function: 3_2_015CF527 mov eax, dword ptr fs:[00000030h]3_2_015CF527
          Source: C:\Users\user\Desktop\CopyMX2N79.exeCode function: 3_2_015CF527 mov eax, dword ptr fs:[00000030h]3_2_015CF527
          Source: C:\Users\user\Desktop\CopyMX2N79.exeCode function: 3_2_015CF527 mov eax, dword ptr fs:[00000030h]3_2_015CF527
          Source: C:\Users\user\Desktop\CopyMX2N79.exeCode function: 3_2_0165FDE2 mov eax, dword ptr fs:[00000030h]3_2_0165FDE2
          Source: C:\Users\user\Desktop\CopyMX2N79.exeCode function: 3_2_0165FDE2 mov eax, dword ptr fs:[00000030h]3_2_0165FDE2
          Source: C:\Users\user\Desktop\CopyMX2N79.exeCode function: 3_2_0165FDE2 mov eax, dword ptr fs:[00000030h]3_2_0165FDE2
          Source: C:\Users\user\Desktop\CopyMX2N79.exeCode function: 3_2_0165FDE2 mov eax, dword ptr fs:[00000030h]3_2_0165FDE2
          Source: C:\Users\user\Desktop\CopyMX2N79.exeCode function: 3_2_01648DF1 mov eax, dword ptr fs:[00000030h]3_2_01648DF1
          Source: C:\Users\user\Desktop\CopyMX2N79.exeCode function: 3_2_01616DC9 mov eax, dword ptr fs:[00000030h]3_2_01616DC9
          Source: C:\Users\user\Desktop\CopyMX2N79.exeCode function: 3_2_01616DC9 mov eax, dword ptr fs:[00000030h]3_2_01616DC9
          Source: C:\Users\user\Desktop\CopyMX2N79.exeCode function: 3_2_01616DC9 mov eax, dword ptr fs:[00000030h]3_2_01616DC9
          Source: C:\Users\user\Desktop\CopyMX2N79.exeCode function: 3_2_01616DC9 mov ecx, dword ptr fs:[00000030h]3_2_01616DC9
          Source: C:\Users\user\Desktop\CopyMX2N79.exeCode function: 3_2_01616DC9 mov eax, dword ptr fs:[00000030h]3_2_01616DC9
          Source: C:\Users\user\Desktop\CopyMX2N79.exeCode function: 3_2_01616DC9 mov eax, dword ptr fs:[00000030h]3_2_01616DC9
          Source: C:\Users\user\Desktop\CopyMX2N79.exeCode function: 3_2_015AD5E0 mov eax, dword ptr fs:[00000030h]3_2_015AD5E0
          Source: C:\Users\user\Desktop\CopyMX2N79.exeCode function: 3_2_015AD5E0 mov eax, dword ptr fs:[00000030h]3_2_015AD5E0
          Source: C:\Users\user\Desktop\CopyMX2N79.exeCode function: 3_2_015CFD9B mov eax, dword ptr fs:[00000030h]3_2_015CFD9B
          Source: C:\Users\user\Desktop\CopyMX2N79.exeCode function: 3_2_015CFD9B mov eax, dword ptr fs:[00000030h]3_2_015CFD9B
          Source: C:\Users\user\Desktop\CopyMX2N79.exeCode function: 3_2_016605AC mov eax, dword ptr fs:[00000030h]3_2_016605AC
          Source: C:\Users\user\Desktop\CopyMX2N79.exeCode function: 3_2_016605AC mov eax, dword ptr fs:[00000030h]3_2_016605AC
          Source: C:\Users\user\Desktop\CopyMX2N79.exeCode function: 3_2_01592D8A mov eax, dword ptr fs:[00000030h]3_2_01592D8A
          Source: C:\Users\user\Desktop\CopyMX2N79.exeCode function: 3_2_01592D8A mov eax, dword ptr fs:[00000030h]3_2_01592D8A
          Source: C:\Users\user\Desktop\CopyMX2N79.exeCode function: 3_2_01592D8A mov eax, dword ptr fs:[00000030h]3_2_01592D8A
          Source: C:\Users\user\Desktop\CopyMX2N79.exeCode function: 3_2_01592D8A mov eax, dword ptr fs:[00000030h]3_2_01592D8A
          Source: C:\Users\user\Desktop\CopyMX2N79.exeCode function: 3_2_01592D8A mov eax, dword ptr fs:[00000030h]3_2_01592D8A
          Source: C:\Users\user\Desktop\CopyMX2N79.exeCode function: 3_2_015C2581 mov eax, dword ptr fs:[00000030h]3_2_015C2581
          Source: C:\Users\user\Desktop\CopyMX2N79.exeCode function: 3_2_015C2581 mov eax, dword ptr fs:[00000030h]3_2_015C2581
          Source: C:\Users\user\Desktop\CopyMX2N79.exeCode function: 3_2_015C2581 mov eax, dword ptr fs:[00000030h]3_2_015C2581
          Source: C:\Users\user\Desktop\CopyMX2N79.exeCode function: 3_2_015C2581 mov eax, dword ptr fs:[00000030h]3_2_015C2581
          Source: C:\Users\user\Desktop\CopyMX2N79.exeCode function: 3_2_01652D82 mov eax, dword ptr fs:[00000030h]3_2_01652D82
          Source: C:\Users\user\Desktop\CopyMX2N79.exeCode function: 3_2_01652D82 mov eax, dword ptr fs:[00000030h]3_2_01652D82
          Source: C:\Users\user\Desktop\CopyMX2N79.exeCode function: 3_2_01652D82 mov eax, dword ptr fs:[00000030h]3_2_01652D82
          Source: C:\Users\user\Desktop\CopyMX2N79.exeCode function: 3_2_01652D82 mov eax, dword ptr fs:[00000030h]3_2_01652D82
          Source: C:\Users\user\Desktop\CopyMX2N79.exeCode function: 3_2_01652D82 mov eax, dword ptr fs:[00000030h]3_2_01652D82
          Source: C:\Users\user\Desktop\CopyMX2N79.exeCode function: 3_2_01652D82 mov eax, dword ptr fs:[00000030h]3_2_01652D82
          Source: C:\Users\user\Desktop\CopyMX2N79.exeCode function: 3_2_01652D82 mov eax, dword ptr fs:[00000030h]3_2_01652D82
          Source: C:\Users\user\Desktop\CopyMX2N79.exeCode function: 3_2_015C1DB5 mov eax, dword ptr fs:[00000030h]3_2_015C1DB5
          Source: C:\Users\user\Desktop\CopyMX2N79.exeCode function: 3_2_015C1DB5 mov eax, dword ptr fs:[00000030h]3_2_015C1DB5
          Source: C:\Users\user\Desktop\CopyMX2N79.exeCode function: 3_2_015C1DB5 mov eax, dword ptr fs:[00000030h]3_2_015C1DB5
          Source: C:\Users\user\Desktop\CopyMX2N79.exeCode function: 3_2_015C35A1 mov eax, dword ptr fs:[00000030h]3_2_015C35A1
          Source: C:\Users\user\Desktop\CopyMX2N79.exeCode function: 3_2_015CA44B mov eax, dword ptr fs:[00000030h]3_2_015CA44B
          Source: C:\Users\user\Desktop\CopyMX2N79.exeCode function: 3_2_015CAC7B mov eax, dword ptr fs:[00000030h]3_2_015CAC7B
          Source: C:\Users\user\Desktop\CopyMX2N79.exeCode function: 3_2_015CAC7B mov eax, dword ptr fs:[00000030h]3_2_015CAC7B
          Source: C:\Users\user\Desktop\CopyMX2N79.exeCode function: 3_2_015CAC7B mov eax, dword ptr fs:[00000030h]3_2_015CAC7B
          Source: C:\Users\user\Desktop\CopyMX2N79.exeCode function: 3_2_015CAC7B mov eax, dword ptr fs:[00000030h]3_2_015CAC7B
          Source: C:\Users\user\Desktop\CopyMX2N79.exeCode function: 3_2_015CAC7B mov eax, dword ptr fs:[00000030h]3_2_015CAC7B
          Source: C:\Users\user\Desktop\CopyMX2N79.exeCode function: 3_2_015CAC7B mov eax, dword ptr fs:[00000030h]3_2_015CAC7B
          Source: C:\Users\user\Desktop\CopyMX2N79.exeCode function: 3_2_015CAC7B mov eax, dword ptr fs:[00000030h]3_2_015CAC7B
          Source: C:\Users\user\Desktop\CopyMX2N79.exeCode function: 3_2_015CAC7B mov eax, dword ptr fs:[00000030h]3_2_015CAC7B
          Source: C:\Users\user\Desktop\CopyMX2N79.exeCode function: 3_2_015CAC7B mov eax, dword ptr fs:[00000030h]3_2_015CAC7B
          Source: C:\Users\user\Desktop\CopyMX2N79.exeCode function: 3_2_015CAC7B mov eax, dword ptr fs:[00000030h]3_2_015CAC7B
          Source: C:\Users\user\Desktop\CopyMX2N79.exeCode function: 3_2_015CAC7B mov eax, dword ptr fs:[00000030h]3_2_015CAC7B
          Source: C:\Users\user\Desktop\CopyMX2N79.exeCode function: 3_2_015BB477 mov eax, dword ptr fs:[00000030h]3_2_015BB477
          Source: C:\Users\user\Desktop\CopyMX2N79.exeCode function: 3_2_015BB477 mov eax, dword ptr fs:[00000030h]3_2_015BB477
          Source: C:\Users\user\Desktop\CopyMX2N79.exeCode function: 3_2_015BB477 mov eax, dword ptr fs:[00000030h]3_2_015BB477
          Source: C:\Users\user\Desktop\CopyMX2N79.exeCode function: 3_2_015BB477 mov eax, dword ptr fs:[00000030h]3_2_015BB477
          Source: C:\Users\user\Desktop\CopyMX2N79.exeCode function: 3_2_015BB477 mov eax, dword ptr fs:[00000030h]3_2_015BB477
          Source: C:\Users\user\Desktop\CopyMX2N79.exeCode function: 3_2_015BB477 mov eax, dword ptr fs:[00000030h]3_2_015BB477
          Source: C:\Users\user\Desktop\CopyMX2N79.exeCode function: 3_2_015BB477 mov eax, dword ptr fs:[00000030h]3_2_015BB477
          Source: C:\Users\user\Desktop\CopyMX2N79.exeCode function: 3_2_015BB477 mov eax, dword ptr fs:[00000030h]3_2_015BB477
          Source: C:\Users\user\Desktop\CopyMX2N79.exeCode function: 3_2_015BB477 mov eax, dword ptr fs:[00000030h]3_2_015BB477
          Source: C:\Users\user\Desktop\CopyMX2N79.exeCode function: 3_2_015BB477 mov eax, dword ptr fs:[00000030h]3_2_015BB477
          Source: C:\Users\user\Desktop\CopyMX2N79.exeCode function: 3_2_015BB477 mov eax, dword ptr fs:[00000030h]3_2_015BB477
          Source: C:\Users\user\Desktop\CopyMX2N79.exeCode function: 3_2_015BB477 mov eax, dword ptr fs:[00000030h]3_2_015BB477
          Source: C:\Users\user\Desktop\CopyMX2N79.exeCode function: 3_2_0162C450 mov eax, dword ptr fs:[00000030h]3_2_0162C450
          Source: C:\Users\user\Desktop\CopyMX2N79.exeCode function: 3_2_0162C450 mov eax, dword ptr fs:[00000030h]3_2_0162C450
          Source: C:\Users\user\Desktop\CopyMX2N79.exeCode function: 3_2_015B746D mov eax, dword ptr fs:[00000030h]3_2_015B746D
          Source: C:\Users\user\Desktop\CopyMX2N79.exeCode function: 3_2_015C3C3E mov eax, dword ptr fs:[00000030h]3_2_015C3C3E
          Source: C:\Users\user\Desktop\CopyMX2N79.exeCode function: 3_2_015C3C3E mov eax, dword ptr fs:[00000030h]3_2_015C3C3E
          Source: C:\Users\user\Desktop\CopyMX2N79.exeCode function: 3_2_015C3C3E mov eax, dword ptr fs:[00000030h]3_2_015C3C3E
          Source: C:\Users\user\Desktop\CopyMX2N79.exeCode function: 3_2_01651C06 mov eax, dword ptr fs:[00000030h]3_2_01651C06
          Source: C:\Users\user\Desktop\CopyMX2N79.exeCode function: 3_2_01651C06 mov eax, dword ptr fs:[00000030h]3_2_01651C06
          Source: C:\Users\user\Desktop\CopyMX2N79.exeCode function: 3_2_01651C06 mov eax, dword ptr fs:[00000030h]3_2_01651C06
          Source: C:\Users\user\Desktop\CopyMX2N79.exeCode function: 3_2_01651C06 mov eax, dword ptr fs:[00000030h]3_2_01651C06
          Source: C:\Users\user\Desktop\CopyMX2N79.exeCode function: 3_2_01651C06 mov eax, dword ptr fs:[00000030h]3_2_01651C06
          Source: C:\Users\user\Desktop\CopyMX2N79.exeCode function: 3_2_01651C06 mov eax, dword ptr fs:[00000030h]3_2_01651C06
          Source: C:\Users\user\Desktop\CopyMX2N79.exeCode function: 3_2_01651C06 mov eax, dword ptr fs:[00000030h]3_2_01651C06
          Source: C:\Users\user\Desktop\CopyMX2N79.exeCode function: 3_2_01651C06 mov eax, dword ptr fs:[00000030h]3_2_01651C06
          Source: C:\Users\user\Desktop\CopyMX2N79.exeCode function: 3_2_01651C06 mov eax, dword ptr fs:[00000030h]3_2_01651C06
          Source: C:\Users\user\Desktop\CopyMX2N79.exeCode function: 3_2_01651C06 mov eax, dword ptr fs:[00000030h]3_2_01651C06
          Source: C:\Users\user\Desktop\CopyMX2N79.exeCode function: 3_2_01651C06 mov eax, dword ptr fs:[00000030h]3_2_01651C06
          Source: C:\Users\user\Desktop\CopyMX2N79.exeCode function: 3_2_01651C06 mov eax, dword ptr fs:[00000030h]3_2_01651C06
          Source: C:\Users\user\Desktop\CopyMX2N79.exeCode function: 3_2_01651C06 mov eax, dword ptr fs:[00000030h]3_2_01651C06
          Source: C:\Users\user\Desktop\CopyMX2N79.exeCode function: 3_2_01651C06 mov eax, dword ptr fs:[00000030h]3_2_01651C06