Analysis Report payment receipt#4630.exe

Overview

General Information

Sample Name: payment receipt#4630.exe
Analysis ID: 299140
MD5: ce66c1a1d4e070172bc0c8334b71d990
SHA1: 6523c8255c3793ea3a03cec671fcd18fdef73d37
SHA256: 209280cbe0960634238fd3363bf0f311fe8620c7a38ba06e12c23b6614cdc67b
Tags: exe

Detection

Remcos GuLoader
Score: 90
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Detected Remcos RAT
Malicious sample detected (through community Yara rule)
Sigma detected: Remcos
Yara detected GuLoader
Connects to many ports of the same IP (likely port scanning)
Contains functionality to hide a thread from the debugger
Creates an undocumented autostart registry key
Executable has a suspicious name (potential lure to open the executable)
Hides threads from debuggers
Initial sample is a PE file and has a suspicious name
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected VB6 Downloader Generic
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to enumerate running services
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE / OLE file has an invalid certificate
PE file contains strange resources
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sleep loop found (likely to delay execution)
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Startup

  • System is w10x64
  • payment receipt#4630.exe (PID: 6424 cmdline: 'C:\Users\user\Desktop\payment receipt#4630.exe' MD5: CE66C1A1D4E070172BC0C8334B71D990)
    • payment receipt#4630.exe (PID: 6616 cmdline: 'C:\Users\user\Desktop\payment receipt#4630.exe' MD5: CE66C1A1D4E070172BC0C8334B71D990)
      • wscript.exe (PID: 7148 cmdline: 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\install.vbs' MD5: 7075DD7B9BE8807FCA93ACD86F724884)
  • cos.exe (PID: 4572 cmdline: 'C:\Users\user\AppData\Roaming\Frist\cos.exe' MD5: CE66C1A1D4E070172BC0C8334B71D990)
    • cos.exe (PID: 4144 cmdline: 'C:\Users\user\AppData\Roaming\Frist\cos.exe' MD5: CE66C1A1D4E070172BC0C8334B71D990)
      • iexplore.exe (PID: 6928 cmdline: C:\Program Files (x86)\Internet Explorer\iexplore.exe MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
  • cos.exe (PID: 5536 cmdline: 'C:\Users\user\AppData\Roaming\Frist\cos.exe' MD5: CE66C1A1D4E070172BC0C8334B71D990)
    • cos.exe (PID: 6688 cmdline: 'C:\Users\user\AppData\Roaming\Frist\cos.exe' MD5: CE66C1A1D4E070172BC0C8334B71D990)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000011.00000003.346338619.000000001DF11000.00000004.00000001.sdmp | LokiBot_Dropper_Packed_R11_Feb18 | Auto-generated rule - file scan copy.pdf.r11 | Florian Roth | 0x1515:$s1: C:\Program Files (x86)\Microsoft Visual Studio\VB98\VB6.OLB
Process Memory Space: cos.exe PID: 5536 | JoeSecurity_VB6DownloaderGeneric | Yara detected VB6 Downloader Generic | Joe Security |
Process Memory Space: cos.exe PID: 5536 | JoeSecurity_GuLoader | Yara detected GuLoader | Joe Security |
Process Memory Space: payment receipt#4630.exe PID: 6616 | JoeSecurity_VB6DownloaderGeneric | Yara detected VB6 Downloader Generic | Joe Security |
Process Memory Space: payment receipt#4630.exe PID: 6616 | JoeSecurity_GuLoader | Yara detected GuLoader | Joe Security |

Sigma Overview

System Summary:

Sigma detected: Remcos
Source: Registry Key set | Author: Joe Security | Data: Details: 60 28 9C 2A 48 1F BB C6 A8 87 DF 51 05 FB A0 F8 A2 A8 97 ED E8 B6 32 4D 9E D7 A2 9F 69 20 A9 0F CC 3E DE E3 40 55 FB 36 96 51 73 70 D3 1C B5 08 04 9A 5B 04 93 FF 89 4B D1 8C B0 50 FF BE D5 E5 56 91 3D 8F 29 10 47 5C CD CF E3 E2 73 7B D2 8F A2 9B 93 04 FA 41 A7 C2 51 63, EventID: 13, Image: C:\Users\user\AppData\Roaming\Frist\cos.exe, ProcessId: 4144, TargetObject: HKEY_CURRENT_USER\Software\Remcos-02BN05\exepath

Signature Overview

AV Detection:

Antivirus detection for URL or domain
Source: https://mscni.org/cos_SfvxT237.bin | Avira URL Cloud: Label: malware

Networking:

Connects to many ports of the same IP (likely port scanning)
Source: global traffic | TCP traffic: 193.161.193.99 ports 40698,0,4,6,8,9
Source: global traffic | TCP traffic: 192.168.2.3:49744 -> 193.161.193.99:40698
Source: Joe Sandbox View | IP Address: 193.161.193.99 193.161.193.99
Source: Joe Sandbox View | ASN Name: BITREE-ASRU BITREE-ASRU
Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: C:\Users\user\AppData\Roaming\Frist\cos.exe | Code function: 18_2_00565332 InternetReadFile,18_2_00565332
Source: unknown | DNS traffic detected: queries for: mscni.org
Source: cos.exe, 00000011.00000003.346463701.000000001DF37000.00000004.00000001.sdmp, payment receipt#4630.exe | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: payment receipt#4630.exe | String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: payment receipt#4630.exe, 00000002.00000002.267944634.00000000008D0000.00000004.00000020.sdmp, cos.exe, 00000011.00000002.489352755.0000000000846000.00000004.00000020.sdmp | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: payment receipt#4630.exe, 00000002.00000002.267944634.00000000008D0000.00000004.00000020.sdmp, cos.exe, 00000011.00000002.489302073.0000000000836000.00000004.00000020.sdmp | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: cos.exe, 00000011.00000003.346463701.000000001DF37000.00000004.00000001.sdmp, payment receipt#4630.exe | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: payment receipt#4630.exe | String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: cos.exe, 00000011.00000003.346463701.000000001DF37000.00000004.00000001.sdmp, payment receipt#4630.exe | String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: payment receipt#4630.exe | String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: cos.exe, 00000011.00000002.489352755.0000000000846000.00000004.00000020.sdmp | String found in binary or memory: http://crt.sectigo.com/SectigoRSADomainValidation(
Source: payment receipt#4630.exe, 00000002.00000002.267944634.00000000008D0000.00000004.00000020.sdmp, cos.exe, 00000011.00000002.489302073.0000000000836000.00000004.00000020.sdmp | String found in binary or memory: http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#
Source: payment receipt#4630.exe, 00000002.00000002.267944634.00000000008D0000.00000004.00000020.sdmp, cos.exe, 00000011.00000002.489352755.0000000000846000.00000004.00000020.sdmp | String found in binary or memory: http://ocsp.comodoca.com0
Source: payment receipt#4630.exe, 00000002.00000002.268031154.00000000008F4000.00000004.00000020.sdmp | String found in binary or memory: http://ocsp.digicert.com
Source: cos.exe, 00000011.00000003.346463701.000000001DF37000.00000004.00000001.sdmp, payment receipt#4630.exe | String found in binary or memory: http://ocsp.digicert.com0C
Source: cos.exe, 00000011.00000003.346463701.000000001DF37000.00000004.00000001.sdmp, payment receipt#4630.exe | String found in binary or memory: http://ocsp.digicert.com0O
Source: payment receipt#4630.exe, 00000002.00000002.267944634.00000000008D0000.00000004.00000020.sdmp, cos.exe, 00000011.00000002.489352755.0000000000846000.00000004.00000020.sdmp | String found in binary or memory: http://ocsp.sectigo.com0#
Source: payment receipt#4630.exe, 00000002.00000002.267832553.00000000008A7000.00000004.00000020.sdmp, cos.exe, 00000011.00000002.488228089.0000000000560000.00000040.00000001.sdmp, cos.exe, 00000011.00000002.489277080.0000000000821000.00000004.00000020.sdmp, cos.exe, 00000012.00000002.361249426.0000000000560000.00000040.00000001.sdmp | String found in binary or memory: https://mscni.org/cos_SfvxT237.bin
Source: payment receipt#4630.exe, 00000002.00000002.267832553.00000000008A7000.00000004.00000020.sdmp | String found in binary or memory: https://mscni.org/cos_SfvxT237.binn?
Source: payment receipt#4630.exe, 00000002.00000002.267944634.00000000008D0000.00000004.00000020.sdmp, cos.exe, 00000011.00000002.489302073.0000000000836000.00000004.00000020.sdmp | String found in binary or memory: https://sectigo.com/CPS0
Source: payment receipt#4630.exe | String found in binary or memory: https://www.digicert.com/CPS0
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown | Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49728
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49745
Source: payment receipt#4630.exe, 00000000.00000002.241800048.00000000006EA000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000011.00000003.346338619.000000001DF11000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Auto-generated rule - file scan copy.pdf.r11 Author: Florian Roth
Executable has a suspicious name (potential lure to open the executable)
Source: payment receipt#4630.exe | Static file information: Suspicious name
Initial sample is a PE file and has a suspicious name
Source: initial sample | Static PE information: Filename: payment receipt#4630.exe
Source: C:\Users\user\Desktop\payment receipt#4630.exe | Code function: 0_2_00674910 NtSetInformationThread,0_2_00674910
Source: C:\Users\user\Desktop\payment receipt#4630.exe | Code function: 0_2_006702E2 EnumWindows,NtSetInformationThread,0_2_006702E2
Source: C:\Users\user\Desktop\payment receipt#4630.exe | Code function: 0_2_00675332 NtResumeThread,0_2_00675332
Source: C:\Users\user\Desktop\payment receipt#4630.exe | Code function: 0_2_00671BB8 NtSetInformationThread,NtWriteVirtualMemory,0_2_00671BB8
Source: C:\Users\user\Desktop\payment receipt#4630.exe | Code function: 0_2_00670E19 NtWriteVirtualMemory,TerminateProcess,0_2_00670E19
Source: C:\Users\user\Desktop\payment receipt#4630.exe | Code function: 0_2_00674F07 NtProtectVirtualMemory,0_2_00674F07
Source: C:\Users\user\Desktop\payment receipt#4630.exe | Code function: 0_2_006720AA NtWriteVirtualMemory,0_2_006720AA
Source: C:\Users\user\Desktop\payment receipt#4630.exe | Code function: 0_2_0067216A NtWriteVirtualMemory,0_2_0067216A
Source: C:\Users\user\Desktop\payment receipt#4630.exe | Code function: 0_2_00672233 NtWriteVirtualMemory,0_2_00672233
Source: C:\Users\user\Desktop\payment receipt#4630.exe | Code function: 0_2_00670342 NtSetInformationThread,0_2_00670342
Source: C:\Users\user\Desktop\payment receipt#4630.exe | Code function: 0_2_00670320 NtSetInformationThread,0_2_00670320
Source: C:\Users\user\Desktop\payment receipt#4630.exe | Code function: 0_2_0067533A NtResumeThread,0_2_0067533A
Source: C:\Users\user\Desktop\payment receipt#4630.exe | Code function: 0_2_0067230B NtWriteVirtualMemory,0_2_0067230B
Source: C:\Users\user\Desktop\payment receipt#4630.exe | Code function: 0_2_006753E6 NtResumeThread,0_2_006753E6
Source: C:\Users\user\Desktop\payment receipt#4630.exe | Code function: 0_2_006753C2 NtResumeThread,0_2_006753C2
Source: C:\Users\user\Desktop\payment receipt#4630.exe | Code function: 0_2_006723A7 NtWriteVirtualMemory,0_2_006723A7
Source: C:\Users\user\Desktop\payment receipt#4630.exe | Code function: 0_2_00672384 NtWriteVirtualMemory,0_2_00672384
Source: C:\Users\user\Desktop\payment receipt#4630.exe | Code function: 0_2_00675396 NtResumeThread,0_2_00675396
Source: C:\Users\user\Desktop\payment receipt#4630.exe | Code function: 0_2_00675476 NtResumeThread,0_2_00675476
Source: C:\Users\user\Desktop\payment receipt#4630.exe | Code function: 0_2_0067540E NtResumeThread,0_2_0067540E
Source: C:\Users\user\Desktop\payment receipt#4630.exe | Code function: 0_2_0067553A NtResumeThread,0_2_0067553A
Source: C:\Users\user\Desktop\payment receipt#4630.exe | Code function: 0_2_00671F07 NtSetInformationThread,0_2_00671F07
Source: C:\Users\user\Desktop\payment receipt#4630.exe | Code function: 2_2_00564910 NtSetInformationThread,2_2_00564910
Source: C:\Users\user\Desktop\payment receipt#4630.exe | Code function: 2_2_00561D89 RtlAddVectoredExceptionHandler,NtProtectVirtualMemory,NtProtectVirtualMemory,LoadLibraryA,2_2_00561D89
Source: C:\Users\user\Desktop\payment receipt#4630.exe | Code function: 2_2_005602E2 EnumWindows,NtSetInformationThread,2_2_005602E2
Source: C:\Users\user\Desktop\payment receipt#4630.exe | Code function: 2_2_00564F07 NtProtectVirtualMemory,2_2_00564F07
Source: C:\Users\user\Desktop\payment receipt#4630.exe | Code function: 2_2_00565332 NtQueryInformationProcess,2_2_00565332
Source: C:\Users\user\Desktop\payment receipt#4630.exe | Code function: 2_2_00561BB8 NtSetInformationThread,LdrInitializeThunk,Sleep,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,2_2_00561BB8
Source: C:\Users\user\Desktop\payment receipt#4630.exe | Code function: 2_2_00562848 NtProtectVirtualMemory,2_2_00562848
Source: C:\Users\user\Desktop\payment receipt#4630.exe | Code function: 2_2_00565476 NtQueryInformationProcess,2_2_00565476
Source: C:\Users\user\Desktop\payment receipt#4630.exe | Code function: 2_2_0056540E NtQueryInformationProcess,2_2_0056540E
Source: C:\Users\user\Desktop\payment receipt#4630.exe | Code function: 2_2_005628B2 NtProtectVirtualMemory,2_2_005628B2
Source: C:\Users\user\Desktop\payment receipt#4630.exe | Code function: 2_2_00561D0F NtProtectVirtualMemory,2_2_00561D0F
Source: C:\Users\user\Desktop\payment receipt#4630.exe | Code function: 2_2_0056553A NtQueryInformationProcess,2_2_0056553A
Source: C:\Users\user\Desktop\payment receipt#4630.exe | Code function: 2_2_00561D9F NtProtectVirtualMemory,2_2_00561D9F
Source: C:\Users\user\Desktop\payment receipt#4630.exe | Code function: 2_2_00560342 NtSetInformationThread,2_2_00560342
Source: C:\Users\user\Desktop\payment receipt#4630.exe | Code function: 2_2_00561F07 NtSetInformationThread,2_2_00561F07
Source: C:\Users\user\Desktop\payment receipt#4630.exe | Code function: 2_2_0056533A NtQueryInformationProcess,2_2_0056533A
Source: C:\Users\user\Desktop\payment receipt#4630.exe | Code function: 2_2_00560320 NtSetInformationThread,2_2_00560320
Source: C:\Users\user\Desktop\payment receipt#4630.exe | Code function: 2_2_005653C2 NtQueryInformationProcess,2_2_005653C2
Source: C:\Users\user\Desktop\payment receipt#4630.exe | Code function: 2_2_00560BFE NtProtectVirtualMemory,2_2_00560BFE
Source: C:\Users\user\Desktop\payment receipt#4630.exe | Code function: 2_2_005653E6 NtQueryInformationProcess,2_2_005653E6
Source: C:\Users\user\Desktop\payment receipt#4630.exe | Code function: 2_2_00560BE0 NtProtectVirtualMemory,2_2_00560BE0
Source: C:\Users\user\Desktop\payment receipt#4630.exe | Code function: 2_2_00565396 NtQueryInformationProcess,2_2_00565396
Source: C:\Users\user\Desktop\payment receipt#4630.exe | Code function: 2_2_00560BBD NtProtectVirtualMemory,2_2_00560BBD
Source: C:\Users\user\Desktop\payment receipt#4630.exe | Code function: 2_2_00560BB8 NtProtectVirtualMemory,2_2_00560BB8
Source: C:\Users\user\AppData\Roaming\Frist\cos.exe | Code function: 14_2_02B902E2 EnumWindows,NtSetInformationThread,14_2_02B902E2
Source: C:\Users\user\AppData\Roaming\Frist\cos.exe | Code function: 14_2_02B90E19 NtWriteVirtualMemory,TerminateProcess,14_2_02B90E19
Source: C:\Users\user\AppData\Roaming\Frist\cos.exe | Code function: 14_2_02B91BB8 NtSetInformationThread,NtWriteVirtualMemory,14_2_02B91BB8
Source: C:\Users\user\AppData\Roaming\Frist\cos.exe | Code function: 14_2_02B95332 NtResumeThread,14_2_02B95332
Source: C:\Users\user\AppData\Roaming\Frist\cos.exe | Code function: 14_2_02B94F07 NtProtectVirtualMemory,14_2_02B94F07
Source: C:\Users\user\AppData\Roaming\Frist\cos.exe | Code function: 14_2_02B94910 NtSetInformationThread,14_2_02B94910
Source: C:\Users\user\AppData\Roaming\Frist\cos.exe | Code function: 14_2_02B92233 NtWriteVirtualMemory,14_2_02B92233
Source: C:\Users\user\AppData\Roaming\Frist\cos.exe | Code function: 14_2_02B923A7 NtWriteVirtualMemory,14_2_02B923A7
Source: C:\Users\user\AppData\Roaming\Frist\cos.exe | Code function: 14_2_02B95396 NtResumeThread,14_2_02B95396
Source: C:\Users\user\AppData\Roaming\Frist\cos.exe | Code function: 14_2_02B92384 NtWriteVirtualMemory,14_2_02B92384
Source: C:\Users\user\AppData\Roaming\Frist\cos.exe | Code function: 14_2_02B953E6 NtResumeThread,14_2_02B953E6
Source: C:\Users\user\AppData\Roaming\Frist\cos.exe | Code function: 14_2_02B953C2 NtResumeThread,14_2_02B953C2
Source: C:\Users\user\AppData\Roaming\Frist\cos.exe | Code function: 14_2_02B9533A NtResumeThread,14_2_02B9533A
Source: C:\Users\user\AppData\Roaming\Frist\cos.exe | Code function: 14_2_02B90320 NtSetInformationThread,14_2_02B90320
Source: C:\Users\user\AppData\Roaming\Frist\cos.exe | Code function: 14_2_02B9230B NtWriteVirtualMemory,14_2_02B9230B
Source: C:\Users\user\AppData\Roaming\Frist\cos.exe | Code function: 14_2_02B91F07 NtSetInformationThread,14_2_02B91F07
Source: C:\Users\user\AppData\Roaming\Frist\cos.exe | Code function: 14_2_02B90342 NtSetInformationThread,14_2_02B90342
Source: C:\Users\user\AppData\Roaming\Frist\cos.exe | Code function: 14_2_02B920AA NtWriteVirtualMemory,14_2_02B920AA
Source: C:\Users\user\AppData\Roaming\Frist\cos.exe | Code function: 14_2_02B9540E NtResumeThread,14_2_02B9540E
Source: C:\Users\user\AppData\Roaming\Frist\cos.exe | Code function: 14_2_02B95476 NtResumeThread,14_2_02B95476
Source: C:\Users\user\AppData\Roaming\Frist\cos.exe | Code function: 14_2_02B9553A NtResumeThread,14_2_02B9553A
Source: C:\Users\user\AppData\Roaming\Frist\cos.exe | Code function: 14_2_02B9216A NtWriteVirtualMemory,14_2_02B9216A
Source: C:\Users\user\AppData\Roaming\Frist\cos.exe | Code function: 16_2_029C02E2 EnumWindows,NtSetInformationThread,16_2_029C02E2
Source: C:\Users\user\AppData\Roaming\Frist\cos.exe | Code function: 16_2_029C0E19 NtWriteVirtualMemory,TerminateProcess,16_2_029C0E19
Source: C:\Users\user\AppData\Roaming\Frist\cos.exe | Code function: 16_2_029C1BB8 NtSetInformationThread,NtWriteVirtualMemory,16_2_029C1BB8
Source: C:\Users\user\AppData\Roaming\Frist\cos.exe | Code function: 16_2_029C4F07 NtProtectVirtualMemory,16_2_029C4F07
Source: C:\Users\user\AppData\Roaming\Frist\cos.exe | Code function: 16_2_029C4910 NtSetInformationThread,16_2_029C4910
Source: C:\Users\user\AppData\Roaming\Frist\cos.exe | Code function: 16_2_029C2233 NtWriteVirtualMemory,16_2_029C2233
Source: C:\Users\user\AppData\Roaming\Frist\cos.exe | Code function: 16_2_029C2384 NtWriteVirtualMemory,16_2_029C2384
Source: C:\Users\user\AppData\Roaming\Frist\cos.exe | Code function: 16_2_029C23A7 NtWriteVirtualMemory,16_2_029C23A7
Source: C:\Users\user\AppData\Roaming\Frist\cos.exe | Code function: 16_2_029C230B NtWriteVirtualMemory,16_2_029C230B
Source: C:\Users\user\AppData\Roaming\Frist\cos.exe | Code function: 16_2_029C1F07 NtSetInformationThread,16_2_029C1F07
Source: C:\Users\user\AppData\Roaming\Frist\cos.exe | Code function: 16_2_029C0320 NtSetInformationThread,16_2_029C0320
Source: C:\Users\user\AppData\Roaming\Frist\cos.exe | Code function: 16_2_029C0342 NtSetInformationThread,16_2_029C0342
Source: C:\Users\user\AppData\Roaming\Frist\cos.exe | Code function: 16_2_029C20AA NtWriteVirtualMemory,16_2_029C20AA
Source: C:\Users\user\AppData\Roaming\Frist\cos.exe | Code function: 16_2_029C216A NtWriteVirtualMemory,16_2_029C216A
Source: C:\Users\user\AppData\Roaming\Frist\cos.exe | Code function: 17_2_00564910 NtSetInformationThread,17_2_00564910
Source: C:\Users\user\AppData\Roaming\Frist\cos.exe | Code function: 17_2_00561D0F CreateThread,TerminateThread,NtProtectVirtualMemory,17_2_00561D0F
Source: C:\Users\user\AppData\Roaming\Frist\cos.exe | Code function: 17_2_00561D89 NtSetInformationThread,LdrInitializeThunk,LdrInitializeThunk,NtProtectVirtualMemory,17_2_00561D89
Source: C:\Users\user\AppData\Roaming\Frist\cos.exe | Code function: 17_2_005602E2 EnumWindows,NtSetInformationThread,17_2_005602E2
Source: C:\Users\user\AppData\Roaming\Frist\cos.exe | Code function: 17_2_00562771 Sleep,LdrInitializeThunk,NtProtectVirtualMemory,17_2_00562771
Source: C:\Users\user\AppData\Roaming\Frist\cos.exe | Code function: 17_2_00564F07 NtProtectVirtualMemory,17_2_00564F07
Source: C:\Users\user\AppData\Roaming\Frist\cos.exe | Code function: 17_2_005628B2 NtProtectVirtualMemory,17_2_005628B2
Source: C:\Users\user\AppData\Roaming\Frist\cos.exe | Code function: 17_2_00561D9F LdrInitializeThunk,NtProtectVirtualMemory,17_2_00561D9F
Source: C:\Users\user\AppData\Roaming\Frist\cos.exe | Code function: 17_2_00560E19 NtSetInformationThread,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,17_2_00560E19
Source: C:\Users\user\AppData\Roaming\Frist\cos.exe | Code function: 17_2_00560342 NtSetInformationThread,17_2_00560342
Source: C:\Users\user\AppData\Roaming\Frist\cos.exe | Code function: 17_2_00561F07 NtSetInformationThread,17_2_00561F07
Source: C:\Users\user\AppData\Roaming\Frist\cos.exe | Code function: 17_2_00560320 NtSetInformationThread,17_2_00560320
Source: C:\Users\user\AppData\Roaming\Frist\cos.exe | Code function: 17_2_005627E7 NtProtectVirtualMemory,17_2_005627E7
Source: C:\Users\user\AppData\Roaming\Frist\cos.exe | Code function: 17_2_005627BC LdrInitializeThunk,NtProtectVirtualMemory,17_2_005627BC
Source: C:\Users\user\AppData\Roaming\Frist\cos.exe | Code function: 18_2_00564910 NtSetInformationThread,18_2_00564910
Source: C:\Users\user\AppData\Roaming\Frist\cos.exe | Code function: 18_2_00561D89 RtlAddVectoredExceptionHandler,NtProtectVirtualMemory,NtProtectVirtualMemory,LoadLibraryA,18_2_00561D89
Source: C:\Users\user\AppData\Roaming\Frist\cos.exe | Code function: 18_2_005602E2 EnumWindows,NtSetInformationThread,18_2_005602E2
Source: C:\Users\user\AppData\Roaming\Frist\cos.exe | Code function: 18_2_00564F07 NtProtectVirtualMemory,18_2_00564F07
Source: C:\Users\user\AppData\Roaming\Frist\cos.exe | Code function: 18_2_00561BB8 NtSetInformationThread,LdrInitializeThunk,Sleep,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,18_2_00561BB8
Source: C:\Users\user\AppData\Roaming\Frist\cos.exe | Code function: 18_2_00562848 NtProtectVirtualMemory,18_2_00562848
Source: C:\Users\user\AppData\Roaming\Frist\cos.exe | Code function: 18_2_005628B2 NtProtectVirtualMemory,18_2_005628B2
Source: C:\Users\user\AppData\Roaming\Frist\cos.exe | Code function: 18_2_00561D0F NtProtectVirtualMemory,18_2_00561D0F
Source: C:\Users\user\AppData\Roaming\Frist\cos.exe | Code function: 18_2_00561D9F NtProtectVirtualMemory,18_2_00561D9F
Source: C:\Users\user\AppData\Roaming\Frist\cos.exe | Code function: 18_2_00560342 NtSetInformationThread,18_2_00560342
Source: C:\Users\user\AppData\Roaming\Frist\cos.exe | Code function: 18_2_00561F07 NtSetInformationThread,18_2_00561F07
Source: C:\Users\user\AppData\Roaming\Frist\cos.exe | Code function: 18_2_00560320 NtSetInformationThread,18_2_00560320
Source: C:\Users\user\AppData\Roaming\Frist\cos.exe | Code function: 18_2_00560BFE NtProtectVirtualMemory,18_2_00560BFE
Source: C:\Users\user\AppData\Roaming\Frist\cos.exe | Code function: 18_2_00560BE0 NtProtectVirtualMemory,18_2_00560BE0
Source: C:\Users\user\AppData\Roaming\Frist\cos.exe | Code function: 18_2_00560BBD NtProtectVirtualMemory,18_2_00560BBD
Source: C:\Users\user\AppData\Roaming\Frist\cos.exe | Code function: 18_2_00560BB8 NtProtectVirtualMemory,18_2_00560BB8
Source: C:\Users\user\Desktop\payment receipt#4630.exe | Code function: 0_2_00401674 0_2_00401674
Source: C:\Users\user\Desktop\payment receipt#4630.exe | Code function: 0_2_004016C1 0_2_004016C1
Source: C:\Users\user\AppData\Roaming\Frist\cos.exe | Code function: 17_2_00562AB6 17_2_00562AB6
Source: payment receipt#4630.exe | Static PE information: invalid certificate
Source: payment receipt#4630.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: cos.exe.2.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: payment receipt#4630.exe | Binary or memory string: OriginalFilename vs payment receipt#4630.exe
Source: payment receipt#4630.exe, 00000000.00000002.241676728.0000000000640000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameuser32j% vs payment receipt#4630.exe
Source: payment receipt#4630.exe, 00000000.00000002.243330148.0000000002AF0000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameStnkpro.exeFE2XVerge vs payment receipt#4630.exe
Source: payment receipt#4630.exe, 00000000.00000002.241227190.0000000000427000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameStnkpro.exe vs payment receipt#4630.exe
Source: payment receipt#4630.exe, 00000002.00000002.268319520.00000000023A0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemswsock.dll.muij% vs payment receipt#4630.exe
Source: payment receipt#4630.exe, 00000002.00000000.240290327.0000000000427000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameStnkpro.exe vs payment receipt#4630.exe
Source: payment receipt#4630.exe, 00000002.00000002.273344940.000000001DD90000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameCRYPT32.DLL.MUIj% vs payment receipt#4630.exe
Source: payment receipt#4630.exe, 00000002.00000002.273412679.000000001E060000.00000002.00000001.sdmp | Binary or memory string: System.OriginalFileName vs payment receipt#4630.exe
Source: payment receipt#4630.exe, 00000002.00000002.268031154.00000000008F4000.00000004.00000020.sdmp | Binary or memory string: OriginalFilenamewscript.exe.mui` vs payment receipt#4630.exe
Source: payment receipt#4630.exe, 00000002.00000002.268031154.00000000008F4000.00000004.00000020.sdmp | Binary or memory string: OriginalFilenamewscript.exe` vs payment receipt#4630.exe
Source: payment receipt#4630.exe, 00000002.00000002.273483042.000000001E0C0000.00000002.00000001.sdmp | Binary or memory string: originalfilename vs payment receipt#4630.exe
Source: payment receipt#4630.exe, 00000002.00000002.273483042.000000001E0C0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs payment receipt#4630.exe
Source: payment receipt#4630.exe | Binary or memory string: OriginalFilenameStnkpro.exe` vs payment receipt#4630.exe
Source: 00000011.00000003.346338619.000000001DF11000.00000004.00000001.sdmp, type: MEMORY | Matched rule: LokiBot_Dropper_Packed_R11_Feb18 date = 2018-02-14, hash1 = 3b248d40fd7acb839cc592def1ed7652734e0e5ef93368be3c36c042883a3029, author = Florian Roth, description = Auto-generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: classification engine | Classification label: mal90.troj.evad.winEXE@13/4@4/2
Source: C:\Users\user\Desktop\payment receipt#4630.exe | File created: C:\Users\user\AppData\Roaming\Frist
Source: C:\Users\user\AppData\Roaming\Frist\cos.exe | Mutant created: \Sessions\1\BaseNamedObjects\Remcos-02BN05
Source: C:\Users\user\AppData\Roaming\Frist\cos.exe | Mutant created: \Sessions\1\BaseNamedObjects\Remcos_Mutex_Inj
Source: C:\Users\user\Desktop\payment receipt#4630.exe | File created: C:\Users\user\AppData\Local\Temp\~DFC2E5169BAC38DEA0.TMP
Source: unknown | Process created: C:\Windows\SysWOW64\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\install.vbs'
Source: payment receipt#4630.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\payment receipt#4630.exe | Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Users\user\AppData\Roaming\Frist\cos.exe | Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Users\user\AppData\Roaming\Frist\cos.exe | Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Users\user\Desktop\payment receipt#4630.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\payment receipt#4630.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\payment receipt#4630.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\payment receipt#4630.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\Frist\cos.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\Frist\cos.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\Frist\cos.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\Frist\cos.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\Frist\cos.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\Frist\cos.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\payment receipt#4630.exe | File read: C:\Users\user\Desktop\payment receipt#4630.exe
Source: unknown | Process created: C:\Users\user\Desktop\payment receipt#4630.exe 'C:\Users\user\Desktop\payment receipt#4630.exe'
Source: unknown | Process created: C:\Users\user\Desktop\payment receipt#4630.exe 'C:\Users\user\Desktop\payment receipt#4630.exe'
Source: unknown | Process created: C:\Windows\SysWOW64\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\install.vbs'
Source: unknown | Process created: C:\Users\user\AppData\Roaming\Frist\cos.exe 'C:\Users\user\AppData\Roaming\Frist\cos.exe'
Source: unknown | Process created: C:\Users\user\AppData\Roaming\Frist\cos.exe 'C:\Users\user\AppData\Roaming\Frist\cos.exe'
Source: unknown | Process created: C:\Users\user\AppData\Roaming\Frist\cos.exe 'C:\Users\user\AppData\Roaming\Frist\cos.exe'
Source: unknown | Process created: C:\Users\user\AppData\Roaming\Frist\cos.exe 'C:\Users\user\AppData\Roaming\Frist\cos.exe'
Source: unknown | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
Source: C:\Users\user\Desktop\payment receipt#4630.exe | Process created: C:\Users\user\Desktop\payment receipt#4630.exe 'C:\Users\user\Desktop\payment receipt#4630.exe'
Source: C:\Users\user\Desktop\payment receipt#4630.exe | Process created: C:\Windows\SysWOW64\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\install.vbs'
          Source: C:\Users\user\AppData\Roaming\Frist\cos.exeProcess created: C:\Users\user\AppData\Roaming\Frist\cos.exe 'C:\Users\user\AppData\Roaming\Frist\cos.exe' Jump to behavior
          Source: C:\Users\user\AppData\Roaming\Frist\cos.exeProcess created: C:\Users\user\AppData\Roaming\Frist\cos.exe 'C:\Users\user\AppData\Roaming\Frist\cos.exe' Jump to behavior
          Source: C:\Users\user\AppData\Roaming\Frist\cos.exeProcess created: C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\iexplore.exeJump to behavior
          Source: C:\Windows\SysWOW64\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32Jump to behavior
          Source: C:\Windows\SysWOW64\wscript.exeAutomated click: OK
          Source: C:\Windows\SysWOW64\wscript.exeAutomated click: OK
          Source: Window RecorderWindow detected: More than 3 window changes detected

          Data Obfuscation:

          Yara detected GuLoader
          Source: Yara match | File source: Process Memory Space: cos.exe PID: 5536, type: MEMORY
          Source: Yara match | File source: Process Memory Space: payment receipt#4630.exe PID: 6616, type: MEMORY
          Source: Yara match | File source: Process Memory Space: cos.exe PID: 4144, type: MEMORY
          Source: Yara match | File source: Process Memory Space: cos.exe PID: 4572, type: MEMORY
          Source: Yara match | File source: Process Memory Space: payment receipt#4630.exe PID: 6424, type: MEMORY
          Source: Yara match | File source: Process Memory Space: cos.exe PID: 6688, type: MEMORY
          Yara detected VB6 Downloader Generic
          Source: Yara match | File source: Process Memory Space: cos.exe PID: 5536, type: MEMORY
          Source: Yara match | File source: Process Memory Space: payment receipt#4630.exe PID: 6616, type: MEMORY
          Source: Yara match | File source: Process Memory Space: cos.exe PID: 4144, type: MEMORY
          Source: Yara match | File source: Process Memory Space: cos.exe PID: 4572, type: MEMORY
          Source: Yara match | File source: Process Memory Space: payment receipt#4630.exe PID: 6424, type: MEMORY
          Source: Yara match | File source: Process Memory Space: cos.exe PID: 6688, type: MEMORY
          Source: C:\Users\user\Desktop\payment receipt#4630.exe | Code function: 0_2_004196E9 push dword ptr [ecx-3C004E4Fh]; ret 0_2_004196F9
          Source: C:\Users\user\Desktop\payment receipt#4630.exe | File created (dropped PE): C:\Users\user\AppData\Roaming\Frist\cos.exe

          Boot Survival:

          Creates an undocumented autostart registry key
          Source: C:\Users\user\Desktop\payment receipt#4630.exe | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run, value name: Remcos
          Source: C:\Users\user\Desktop\payment receipt#4630.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run, value name: Remcos (2 times)
          Source: C:\Users\user\Desktop\payment receipt#4630.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
          Source: C:\Users\user\Desktop\payment receipt#4630.exe | Process information set: NOOPENFILEERRORBOX (27 times)
          Source: C:\Windows\SysWOW64\wscript.exe | Process information set: NOOPENFILEERRORBOX (2 times)
          Source: C:\Users\user\AppData\Roaming\Frist\cos.exe | Process information set: NOOPENFILEERRORBOX (19 times)
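The chain recorded above (the dropper writes cos.exe under %APPDATA%\Roaming\Frist, runs install.vbs through wscript.exe, relaunches itself, and registers a Run value named Remcos both under HKCU\...\CurrentVersion\Run and under the rarely touched HKLM\...\Policies\Explorer\Run, a key normally populated only by the Group Policy setting "Run these programs at user logon") is what a detection engineer turns into host-telemetry rules. The Python below is an added example, not code from the sandbox vendor, from Joe Sandbox's signatures or from the sample: it runs a handful of such rules over constructed events in a simplified Sysmon-like key=value rendering. Paths, parent/child relations and registry locations follow the report; the Run-key value data pointing at cos.exe is an assumption, since the report shows only the key and the value name.

```python
"""Turn the persistence and process chain in this report into host-telemetry rules.

Added example; not code from the sandbox vendor or from the sample.  Events are
constructed in a simplified Sysmon-like key=value rendering (EventID 1 process
create, 11 file create, 13 registry value set).  Paths, parent/child relations
and registry locations follow the report; the Run-key value data (Details) is an
assumption, since the report shows only the key and the value name.
"""
import re

SAMPLE_EVENTS = r"""
EventID=1|Image=C:\Users\user\Desktop\payment receipt#4630.exe|ParentImage=C:\Windows\explorer.exe|CommandLine="C:\Users\user\Desktop\payment receipt#4630.exe"
EventID=1|Image=C:\Users\user\Desktop\payment receipt#4630.exe|ParentImage=C:\Users\user\Desktop\payment receipt#4630.exe|CommandLine="C:\Users\user\Desktop\payment receipt#4630.exe"
EventID=11|Image=C:\Users\user\Desktop\payment receipt#4630.exe|TargetFilename=C:\Users\user\AppData\Roaming\Frist\cos.exe
EventID=1|Image=C:\Windows\SysWOW64\wscript.exe|ParentImage=C:\Users\user\Desktop\payment receipt#4630.exe|CommandLine="C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\install.vbs"
EventID=13|Image=C:\Users\user\Desktop\payment receipt#4630.exe|TargetObject=HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Remcos|Details=C:\Users\user\AppData\Roaming\Frist\cos.exe
EventID=13|Image=C:\Users\user\Desktop\payment receipt#4630.exe|TargetObject=HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Remcos|Details=C:\Users\user\AppData\Roaming\Frist\cos.exe
EventID=1|Image=C:\Program Files (x86)\Internet Explorer\iexplore.exe|ParentImage=C:\Users\user\AppData\Roaming\Frist\cos.exe|CommandLine=C:\Program Files (x86)\Internet Explorer\iexplore.exe
EventID=13|Image=C:\Program Files\Vendor\updater.exe|TargetObject=HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\VendorUpdate|Details=C:\Program Files\Vendor\updater.exe
"""

# Autostart locations seen in the report.  Policies\Explorer\Run is the one the
# sandbox flags as "undocumented": installers almost never write it.
RUN_KEY_RE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\"
    r"(?P<kind>Policies\\Explorer\\Run|Run)\\(?P<value>[^\\]+)$",
    re.IGNORECASE,
)
# Directories a standard user can write to; autoruns pointing here are weak spots.
USER_WRITABLE_RE = re.compile(r"\\(?:AppData|Desktop|Downloads|Temp|Public)\\", re.IGNORECASE)
TEMP_VBS_RE = re.compile(r'\\Temp\\[^"]*\.vbs\b', re.IGNORECASE)
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}


def parse_events(raw):
    """Parse key=value|key=value lines into dicts, skipping blank lines."""
    events = []
    for line in raw.splitlines():
        if line.strip():
            events.append(dict(field.split("=", 1) for field in line.split("|")))
    return events


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def triage(raw):
    """Return one finding per matched rule: {rule, image, evidence}."""
    findings = []
    for ev in parse_events(raw):
        eid, image = ev["EventID"], ev.get("Image", "")
        if eid == "13":  # registry value set
            m = RUN_KEY_RE.search(ev.get("TargetObject", ""))
            if not m:
                continue
            details = ev.get("Details", "")
            reasons = []
            if m["kind"].lower().startswith("policies"):
                reasons.append("policies_explorer_run")
            if USER_WRITABLE_RE.search(details):
                reasons.append("autorun_target_in_user_writable_path")
            if USER_WRITABLE_RE.search(image):
                reasons.append("autorun_written_by_user_path_binary")
            if m["value"].lower() == "remcos":
                reasons.append("autorun_value_named_remcos")
            for rule in reasons:
                findings.append({"rule": rule, "image": image, "evidence": ev["TargetObject"]})
        elif eid == "1":  # process create
            parent, cmd = ev.get("ParentImage", ""), ev.get("CommandLine", "")
            if basename(image) in SCRIPT_HOSTS and TEMP_VBS_RE.search(cmd):
                findings.append({"rule": "script_host_running_temp_vbs", "image": image, "evidence": cmd})
            if basename(image) == basename(parent) and USER_WRITABLE_RE.search(image):
                findings.append({"rule": "self_relaunch_from_user_path", "image": image, "evidence": parent})
            if basename(image) == "iexplore.exe" and USER_WRITABLE_RE.search(parent):
                findings.append({"rule": "browser_spawned_by_appdata_binary", "image": image, "evidence": parent})
        elif eid == "11":  # file create
            target = ev.get("TargetFilename", "")
            if (target.lower().endswith(".exe") and re.search(r"\\AppData\\Roaming\\", target, re.I)
                    and USER_WRITABLE_RE.search(image)):
                findings.append({"rule": "pe_dropped_to_appdata_roaming", "image": image, "evidence": target})
    return findings


def triggered_rules(raw):
    """Distinct rule names, for a quick verdict or a unit test."""
    return sorted({f["rule"] for f in triage(raw)})


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"{f['rule']:40s} {basename(f['image']):28s} {f['evidence']}")
```

Run as a script it prints eleven findings for the constructed chain and none for the VendorUpdate event, which is there to show that a Run value written by a Program Files binary to a Program Files target stays quiet. In production the same predicates map onto Sysmon event IDs 1, 11 and 13 directly; the Policies\Explorer\Run rule is worth keeping on its own because it fires with almost no benign noise.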

          Malware Analysis System Evasion:

          Tries to detect Any.run
          Source: C:\Users\user\Desktop\payment receipt#4630.exe | File opened: C:\Program Files\Qemu-ga\qemu-ga.exe (2 times)
          Source: C:\Users\user\Desktop\payment receipt#4630.exe | File opened: C:\Program Files\qga\qga.exe (2 times)
          Source: C:\Users\user\AppData\Roaming\Frist\cos.exe | File opened: C:\Program Files\Qemu-ga\qemu-ga.exe (4 times)
          Source: C:\Users\user\AppData\Roaming\Frist\cos.exe | File opened: C:\Program Files\qga\qga.exe (4 times)
          Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
          Source: cos.exe | Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
          Tries to detect virtualization through RDTSC time measurements
          Source: C:\Users\user\Desktop\payment receipt#4630.exe | RDTSC instruction interceptor: First address: 0000000000673CA4 second address: 0000000000673D23 instructions: 0x00000000 rdtsc 0x00000002 popad 0x00000003 push 5FBFF0FBh 0x00000008 jmp 00007FAC98373382h 0x0000000a test cx, cx 0x0000000d call 00007FAC98373398h 0x00000012 test dh, ch 0x00000014 mov dword ptr [ebp+04h], eax 0x00000017 mov ebx, dword ptr [eax+3Ch] 0x0000001a cld 0x0000001b add eax, ebx 0x0000001d mov ebx, dword ptr [eax+78h] 0x00000020 test dx, cx 0x00000023 mov eax, dword ptr [ebp+04h] 0x00000026 pushad 0x00000027 mov edx, 000000B0h 0x0000002c rdtsc
          Source: C:\Users\user\Desktop\payment receipt#4630.exe | RDTSC instruction interceptor: First address: 0000000000673D23 second address: 0000000000673D54 instructions: 0x00000000 rdtsc 0x00000002 popad 0x00000003 add eax, ebx 0x00000005 mov ecx, dword ptr [eax+18h] 0x00000008 cmp cl, al 0x0000000a mov dword ptr [ebp+08h], ecx 0x0000000d test al, bl 0x0000000f mov ecx, dword ptr [eax+1Ch] 0x00000012 cmp bx, cx 0x00000015 mov dword ptr [ebp+14h], ecx 0x00000018 mov ecx, dword ptr [eax+24h] 0x0000001b mov dword ptr [ebp+10h], ecx 0x0000001e mov esi, dword ptr [eax+20h] 0x00000021 add esi, dword ptr [ebp+04h] 0x00000024 xor ecx, ecx 0x00000026 test edx, ecx 0x00000028 test dx, cx 0x0000002b pushad 0x0000002c mov edx, 000000C4h 0x00000031 rdtsc
          Source: C:\Users\user\Desktop\payment receipt#4630.exe | RDTSC instruction interceptor: First address: 0000000000563CA4 second address: 0000000000563D23 instructions: 0x00000000 rdtsc 0x00000002 popad 0x00000003 push 5FBFF0FBh 0x00000008 jmp 00007FAC98373382h 0x0000000a test cx, cx 0x0000000d call 00007FAC98373398h 0x00000012 test dh, ch 0x00000014 mov dword ptr [ebp+04h], eax 0x00000017 mov ebx, dword ptr [eax+3Ch] 0x0000001a cld 0x0000001b add eax, ebx 0x0000001d mov ebx, dword ptr [eax+78h] 0x00000020 test dx, cx 0x00000023 mov eax, dword ptr [ebp+04h] 0x00000026 pushad 0x00000027 mov edx, 000000B0h 0x0000002c rdtsc
          Source: C:\Users\user\Desktop\payment receipt#4630.exe | RDTSC instruction interceptor: First address: 0000000000563D23 second address: 0000000000563D54 instructions: 0x00000000 rdtsc 0x00000002 popad 0x00000003 add eax, ebx 0x00000005 mov ecx, dword ptr [eax+18h] 0x00000008 cmp cl, al 0x0000000a mov dword ptr [ebp+08h], ecx 0x0000000d test al, bl 0x0000000f mov ecx, dword ptr [eax+1Ch] 0x00000012 cmp bx, cx 0x00000015 mov dword ptr [ebp+14h], ecx 0x00000018 mov ecx, dword ptr [eax+24h] 0x0000001b mov dword ptr [ebp+10h], ecx 0x0000001e mov esi, dword ptr [eax+20h] 0x00000021 add esi, dword ptr [ebp+04h] 0x00000024 xor ecx, ecx 0x00000026 test edx, ecx 0x00000028 test dx, cx 0x0000002b pushad 0x0000002c mov edx, 000000C4h 0x00000031 rdtsc
          Source: C:\Users\user\Desktop\payment receipt#4630.exe | RDTSC instruction interceptor: First address: 0000000000563F4C second address: 0000000000563F4C instructions: 0x00000000 rdtsc 0x00000002 popad 0x00000003 cmp bx, 5A4Dh 0x00000008 je 00007FAC9837336Dh 0x0000000a cmp cl, al 0x0000000c inc cx 0x0000000e jmp 00007FAC98373333h 0x00000010 test dh, ch 0x00000012 mov eax, dword ptr [ebp+64h] 0x00000015 mov bx, word ptr [edx+00010040h] 0x0000001c mov ax, word ptr [eax] 0x0000001f cld 0x00000020 xor ax, cx 0x00000023 test dx, cx 0x00000026 xor bx, ax 0x00000029 pushad 0x0000002a mov edx, 00000075h 0x0000002f rdtsc
          Source: C:\Users\user\AppData\Roaming\Frist\cos.exe | RDTSC instruction interceptor: First address: 0000000002B93CA4 second address: 0000000002B93D23 instructions: 0x00000000 rdtsc 0x00000002 popad 0x00000003 push 5FBFF0FBh 0x00000008 jmp 00007FAC98F3C4E2h 0x0000000a test cx, cx 0x0000000d call 00007FAC98F3C4F8h 0x00000012 test dh, ch 0x00000014 mov dword ptr [ebp+04h], eax 0x00000017 mov ebx, dword ptr [eax+3Ch] 0x0000001a cld 0x0000001b add eax, ebx 0x0000001d mov ebx, dword ptr [eax+78h] 0x00000020 test dx, cx 0x00000023 mov eax, dword ptr [ebp+04h] 0x00000026 pushad 0x00000027 mov edx, 000000B0h 0x0000002c rdtsc
          Source: C:\Users\user\AppData\Roaming\Frist\cos.exe | RDTSC instruction interceptor: First address: 0000000002B93D23 second address: 0000000002B93D54 instructions: 0x00000000 rdtsc 0x00000002 popad 0x00000003 add eax, ebx 0x00000005 mov ecx, dword ptr [eax+18h] 0x00000008 cmp cl, al 0x0000000a mov dword ptr [ebp+08h], ecx 0x0000000d test al, bl 0x0000000f mov ecx, dword ptr [eax+1Ch] 0x00000012 cmp bx, cx 0x00000015 mov dword ptr [ebp+14h], ecx 0x00000018 mov ecx, dword ptr [eax+24h] 0x0000001b mov dword ptr [ebp+10h], ecx 0x0000001e mov esi, dword ptr [eax+20h] 0x00000021 add esi, dword ptr [ebp+04h] 0x00000024 xor ecx, ecx 0x00000026 test edx, ecx 0x00000028 test dx, cx 0x0000002b pushad 0x0000002c mov edx, 000000C4h 0x00000031 rdtsc
          Source: C:\Users\user\AppData\Roaming\Frist\cos.exe | RDTSC instruction interceptor: First address: 00000000029C3CA4 second address: 00000000029C3D23 instructions: 0x00000000 rdtsc 0x00000002 popad 0x00000003 push 5FBFF0FBh 0x00000008 jmp 00007FAC98F3C4E2h 0x0000000a test cx, cx 0x0000000d call 00007FAC98F3C4F8h 0x00000012 test dh, ch 0x00000014 mov dword ptr [ebp+04h], eax 0x00000017 mov ebx, dword ptr [eax+3Ch] 0x0000001a cld 0x0000001b add eax, ebx 0x0000001d mov ebx, dword ptr [eax+78h] 0x00000020 test dx, cx 0x00000023 mov eax, dword ptr [ebp+04h] 0x00000026 pushad 0x00000027 mov edx, 000000B0h 0x0000002c rdtsc
          Source: C:\Users\user\AppData\Roaming\Frist\cos.exe | RDTSC instruction interceptor: First address: 00000000029C3D23 second address: 00000000029C3D54 instructions: 0x00000000 rdtsc 0x00000002 popad 0x00000003 add eax, ebx 0x00000005 mov ecx, dword ptr [eax+18h] 0x00000008 cmp cl, al 0x0000000a mov dword ptr [ebp+08h], ecx 0x0000000d test al, bl 0x0000000f mov ecx, dword ptr [eax+1Ch] 0x00000012 cmp bx, cx 0x00000015 mov dword ptr [ebp+14h], ecx 0x00000018 mov ecx, dword ptr [eax+24h] 0x0000001b mov dword ptr [ebp+10h], ecx 0x0000001e mov esi, dword ptr [eax+20h] 0x00000021 add esi, dword ptr [ebp+04h] 0x00000024 xor ecx, ecx 0x00000026 test edx, ecx 0x00000028 test dx, cx 0x0000002b pushad 0x0000002c mov edx, 000000C4h 0x00000031 rdtsc
          Source: C:\Users\user\AppData\Roaming\Frist\cos.exe | RDTSC instruction interceptor: First address: 0000000000563CA4 second address: 0000000000563D23 instructions: 0x00000000 rdtsc 0x00000002 popad 0x00000003 push 5FBFF0FBh 0x00000008 jmp 00007FAC98F3C4E2h 0x0000000a test cx, cx 0x0000000d call 00007FAC98F3C4F8h 0x00000012 test dh, ch 0x00000014 mov dword ptr [ebp+04h], eax 0x00000017 mov ebx, dword ptr [eax+3Ch] 0x0000001a cld 0x0000001b add eax, ebx 0x0000001d mov ebx, dword ptr [eax+78h] 0x00000020 test dx, cx 0x00000023 mov eax, dword ptr [ebp+04h] 0x00000026 pushad 0x00000027 mov edx, 000000B0h 0x0000002c rdtsc
          Source: C:\Users\user\AppData\Roaming\Frist\cos.exe | RDTSC instruction interceptor: First address: 0000000000563D23 second address: 0000000000563D54 instructions: 0x00000000 rdtsc 0x00000002 popad 0x00000003 add eax, ebx 0x00000005 mov ecx, dword ptr [eax+18h] 0x00000008 cmp cl, al 0x0000000a mov dword ptr [ebp+08h], ecx 0x0000000d test al, bl 0x0000000f mov ecx, dword ptr [eax+1Ch] 0x00000012 cmp bx, cx 0x00000015 mov dword ptr [ebp+14h], ecx 0x00000018 mov ecx, dword ptr [eax+24h] 0x0000001b mov dword ptr [ebp+10h], ecx 0x0000001e mov esi, dword ptr [eax+20h] 0x00000021 add esi, dword ptr [ebp+04h] 0x00000024 xor ecx, ecx 0x00000026 test edx, ecx 0x00000028 test dx, cx 0x0000002b pushad 0x0000002c mov edx, 000000C4h 0x00000031 rdtsc
          Source: C:\Users\user\AppData\Roaming\Frist\cos.exe | RDTSC instruction interceptor: First address: 0000000000563F4C second address: 0000000000563F4C instructions: 0x00000000 rdtsc 0x00000002 popad 0x00000003 cmp bx, 5A4Dh 0x00000008 je 00007FAC98F3C4CDh 0x0000000a cmp cl, al 0x0000000c inc cx 0x0000000e jmp 00007FAC98F3C493h 0x00000010 test dh, ch 0x00000012 mov eax, dword ptr [ebp+64h] 0x00000015 mov bx, word ptr [edx+00010040h] 0x0000001c mov ax, word ptr [eax] 0x0000001f cld 0x00000020 xor ax, cx 0x00000023 test dx, cx 0x00000026 xor bx, ax 0x00000029 pushad 0x0000002a mov edx, 00000075h 0x0000002f rdtsc
          Source: C:\Users\user\AppData\Roaming\Frist\cos.exe | RDTSC instruction interceptor: First address: 0000000000563F4C second address: 0000000000563F4C instructions: 0x00000000 rdtsc 0x00000002 popad 0x00000003 cmp bx, 5A4Dh 0x00000008 je 00007FAC9837336Dh 0x0000000a cmp cl, al 0x0000000c inc cx 0x0000000e jmp 00007FAC98373333h 0x00000010 test dh, ch 0x00000012 mov eax, dword ptr [ebp+64h] 0x00000015 mov bx, word ptr [edx+00010040h] 0x0000001c mov ax, word ptr [eax] 0x0000001f cld 0x00000020 xor ax, cx 0x00000023 test dx, cx 0x00000026 xor bx, ax 0x00000029 pushad 0x0000002a mov edx, 00000075h 0x0000002f rdtsc
          Source: C:\Users\user\Desktop\payment receipt#4630.exe | File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: C:\Users\user\Desktop\payment receipt#4630.exe | Code function: 0_2_00671BB8 rdtsc 0_2_00671BB8
          Source: C:\Users\user\AppData\Roaming\Frist\cos.exe | Code function: EnumServicesStatusA, 17_2_00565332
          Source: C:\Users\user\AppData\Roaming\Frist\cos.exe | Code function: EnumServicesStatusA, 17_2_00565476
          Source: C:\Users\user\AppData\Roaming\Frist\cos.exe | Code function: EnumServicesStatusA, 17_2_0056540E
          Source: C:\Users\user\AppData\Roaming\Frist\cos.exe | Code function: EnumServicesStatusA, 17_2_0056553A
          Source: C:\Users\user\AppData\Roaming\Frist\cos.exe | Code function: EnumServicesStatusA, 17_2_0056533A
          Source: C:\Users\user\AppData\Roaming\Frist\cos.exe | Code function: EnumServicesStatusA, 17_2_00565396
          Source: C:\Windows\SysWOW64\wscript.exe | Window found: window name: WSH-Timer
          Source: C:\Users\user\AppData\Roaming\Frist\cos.exe | Window / User API: threadDelayed 3027
          Source: C:\Users\user\AppData\Roaming\Frist\cos.exe TID: 6980 | Thread sleep time: -70000s >= -30000s
          Source: C:\Users\user\AppData\Roaming\Frist\cos.exe TID: 6188 | Thread sleep count: 3027 > 30
          Source: C:\Users\user\AppData\Roaming\Frist\cos.exe | Last function: Thread delayed
          Source: C:\Users\user\AppData\Roaming\Frist\cos.exe | Thread sleep count: Count: 3027 delay: -5
          Source: payment receipt#4630.exe, 00000002.00000002.267879640.00000000008B8000.00000004.00000020.sdmp, cos.exe, 00000011.00000002.489352755.0000000000846000.00000004.00000020.sdmp | Binary or memory string: Hyper-V RAW
          Source: cos.exe | Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
          Source: payment receipt#4630.exe, 00000002.00000002.268031154.00000000008F4000.00000004.00000020.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\oy

          Anti Debugging:

          Contains functionality to hide a thread from the debugger
          Source: C:\Users\user\Desktop\payment receipt#4630.exe | Code function: 0_2_00674910 NtSetInformationThread 000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000 0_2_00674910 (information class 00000011 is ThreadHideFromDebugger)
          Hides threads from debuggers
          Source: C:\Users\user\Desktop\payment receipt#4630.exe | Thread information set: HideFromDebugger (3 times)
          Source: C:\Users\user\AppData\Roaming\Frist\cos.exe | Thread information set: HideFromDebugger (6 times)
          Source: C:\Users\user\Desktop\payment receipt#4630.exe | Process queried: DebugPort (2 times)
          Source: C:\Users\user\AppData\Roaming\Frist\cos.exe | Process queried: DebugPort (4 times)
          Source: C:\Users\user\Desktop\payment receipt#4630.exe | Code function: 0_2_00671BB8 rdtsc 0_2_00671BB8
          Source: C:\Users\user\Desktop\payment receipt#4630.exe | Code function: 0_2_0067313F LdrInitializeThunk, 0_2_0067313F
          Source: C:\Users\user\Desktop\payment receipt#4630.exe | Code function: 0_2_00671BB8 mov eax, dword ptr fs:[00000030h] 0_2_00671BB8 (fs:[30h] is the PEB pointer in the 32-bit TEB; the same read recurs in every entry below)
          Source: C:\Users\user\Desktop\payment receipt#4630.exe | Code function: 0_2_00674059 mov eax, dword ptr fs:[00000030h] 0_2_00674059
          Source: C:\Users\user\Desktop\payment receipt#4630.exe | Code function: 0_2_006719C2 mov eax, dword ptr fs:[00000030h] 0_2_006719C2
          Source: C:\Users\user\Desktop\payment receipt#4630.exe | Code function: 0_2_006719AD mov eax, dword ptr fs:[00000030h] 0_2_006719AD
          Source: C:\Users\user\Desktop\payment receipt#4630.exe | Code function: 0_2_00671988 mov eax, dword ptr fs:[00000030h] 0_2_00671988
          Source: C:\Users\user\Desktop\payment receipt#4630.exe | Code function: 0_2_00674A4A mov eax, dword ptr fs:[00000030h] 0_2_00674A4A
          Source: C:\Users\user\Desktop\payment receipt#4630.exe | Code function: 0_2_00674A8A mov eax, dword ptr fs:[00000030h] 0_2_00674A8A
          Source: C:\Users\user\Desktop\payment receipt#4630.exe | Code function: 0_2_00671BE6 mov eax, dword ptr fs:[00000030h] 0_2_00671BE6
          Source: C:\Users\user\Desktop\payment receipt#4630.exe | Code function: 0_2_00673C12 mov eax, dword ptr fs:[00000030h] 0_2_00673C12
          Source: C:\Users\user\Desktop\payment receipt#4630.exe | Code function: 0_2_00671555 mov eax, dword ptr fs:[00000030h] 0_2_00671555
          Source: C:\Users\user\Desktop\payment receipt#4630.exe | Code function: 0_2_0067269E mov eax, dword ptr fs:[00000030h] 0_2_0067269E
          Source: C:\Users\user\Desktop\payment receipt#4630.exe | Code function: 2_2_00561BB8 mov eax, dword ptr fs:[00000030h] 2_2_00561BB8
          Source: C:\Users\user\Desktop\payment receipt#4630.exe | Code function: 2_2_00564059 mov eax, dword ptr fs:[00000030h] 2_2_00564059
          Source: C:\Users\user\Desktop\payment receipt#4630.exe | Code function: 2_2_00563C12 mov eax, dword ptr fs:[00000030h] 2_2_00563C12
          Source: C:\Users\user\Desktop\payment receipt#4630.exe | Code function: 2_2_00561555 mov eax, dword ptr fs:[00000030h] 2_2_00561555
          Source: C:\Users\user\Desktop\payment receipt#4630.exe | Code function: 2_2_005619C2 mov eax, dword ptr fs:[00000030h] 2_2_005619C2
          Source: C:\Users\user\Desktop\payment receipt#4630.exe | Code function: 2_2_00561988 mov eax, dword ptr fs:[00000030h] 2_2_00561988
          Source: C:\Users\user\Desktop\payment receipt#4630.exe | Code function: 2_2_005619AD mov eax, dword ptr fs:[00000030h] 2_2_005619AD
          Source: C:\Users\user\Desktop\payment receipt#4630.exe | Code function: 2_2_00564A4A mov eax, dword ptr fs:[00000030h] 2_2_00564A4A
          Source: C:\Users\user\Desktop\payment receipt#4630.exe | Code function: 2_2_0056269E mov eax, dword ptr fs:[00000030h] 2_2_0056269E
          Source: C:\Users\user\Desktop\payment receipt#4630.exe | Code function: 2_2_00564A8A mov eax, dword ptr fs:[00000030h] 2_2_00564A8A
          Source: C:\Users\user\Desktop\payment receipt#4630.exe | Code function: 2_2_00561BE6 mov eax, dword ptr fs:[00000030h] 2_2_00561BE6
          Source: C:\Users\user\AppData\Roaming\Frist\cos.exe | Code function: 14_2_02B91BB8 mov eax, dword ptr fs:[00000030h] 14_2_02B91BB8
          Source: C:\Users\user\AppData\Roaming\Frist\cos.exe | Code function: 14_2_02B9269E mov eax, dword ptr fs:[00000030h] 14_2_02B9269E
          Source: C:\Users\user\AppData\Roaming\Frist\cos.exe | Code function: 14_2_02B94A8A mov eax, dword ptr fs:[00000030h] 14_2_02B94A8A
          Source: C:\Users\user\AppData\Roaming\Frist\cos.exe | Code function: 14_2_02B94A4A mov eax, dword ptr fs:[00000030h] 14_2_02B94A4A
          Source: C:\Users\user\AppData\Roaming\Frist\cos.exe | Code function: 14_2_02B91BE6 mov eax, dword ptr fs:[00000030h] 14_2_02B91BE6
          Source: C:\Users\user\AppData\Roaming\Frist\cos.exe | Code function: 14_2_02B93C12 mov eax, dword ptr fs:[00000030h] 14_2_02B93C12
          Source: C:\Users\user\AppData\Roaming\Frist\cos.exe | Code function: 14_2_02B94059 mov eax, dword ptr fs:[00000030h] 14_2_02B94059
          Source: C:\Users\user\AppData\Roaming\Frist\cos.exe | Code function: 14_2_02B919AD mov eax, dword ptr fs:[00000030h] 14_2_02B919AD
          Source: C:\Users\user\AppData\Roaming\Frist\cos.exe | Code function: 14_2_02B91988 mov eax, dword ptr fs:[00000030h] 14_2_02B91988
          Source: C:\Users\user\AppData\Roaming\Frist\cos.exe | Code function: 14_2_02B919C2 mov eax, dword ptr fs:[00000030h] 14_2_02B919C2
          Source: C:\Users\user\AppData\Roaming\Frist\cos.exe | Code function: 14_2_02B91555 mov eax, dword ptr fs:[00000030h] 14_2_02B91555
          Source: C:\Users\user\AppData\Roaming\Frist\cos.exe | Code function: 16_2_029C1BB8 mov eax, dword ptr fs:[00000030h] 16_2_029C1BB8
          Source: C:\Users\user\AppData\Roaming\Frist\cos.exe | Code function: 16_2_029C269E mov eax, dword ptr fs:[00000030h] 16_2_029C269E
          Source: C:\Users\user\AppData\Roaming\Frist\cos.exe | Code function: 16_2_029C4A8A mov eax, dword ptr fs:[00000030h] 16_2_029C4A8A
          Source: C:\Users\user\AppData\Roaming\Frist\cos.exe | Code function: 16_2_029C4A4A mov eax, dword ptr fs:[00000030h] 16_2_029C4A4A
          Source: C:\Users\user\AppData\Roaming\Frist\cos.exe | Code function: 16_2_029C1BE6 mov eax, dword ptr fs:[00000030h] 16_2_029C1BE6
          Source: C:\Users\user\AppData\Roaming\Frist\cos.exe | Code function: 16_2_029C3C12 mov eax, dword ptr fs:[00000030h] 16_2_029C3C12
          Source: C:\Users\user\AppData\Roaming\Frist\cos.exe | Code function: 16_2_029C4059 mov eax, dword ptr fs:[00000030h] 16_2_029C4059
          Source: C:\Users\user\AppData\Roaming\Frist\cos.exe | Code function: 16_2_029C1988 mov eax, dword ptr fs:[00000030h] 16_2_029C1988
          Source: C:\Users\user\AppData\Roaming\Frist\cos.exe | Code function: 16_2_029C19AD mov eax, dword ptr fs:[00000030h] 16_2_029C19AD
          Source: C:\Users\user\AppData\Roaming\Frist\cos.exe | Code function: 16_2_029C19C2 mov eax, dword ptr fs:[00000030h] 16_2_029C19C2
          Source: C:\Users\user\AppData\Roaming\Frist\cos.exe | Code function: 16_2_029C1555 mov eax, dword ptr fs:[00000030h] 16_2_029C1555
          Source: C:\Users\user\AppData\Roaming\Frist\cos.exe | Code function: 17_2_00561BB8 mov eax, dword ptr fs:[00000030h] 17_2_00561BB8
          Source: C:\Users\user\AppData\Roaming\Frist\cos.exe | Code function: 17_2_00564059 mov eax, dword ptr fs:[00000030h] 17_2_00564059
          Source: C:\Users\user\AppData\Roaming\Frist\cos.exe | Code function: 17_2_00563C12 mov eax, dword ptr fs:[00000030h] 17_2_00563C12
          Source: C:\Users\user\AppData\Roaming\Frist\cos.exe | Code function: 17_2_00561555 mov eax, dword ptr fs:[00000030h] 17_2_00561555
          Source: C:\Users\user\AppData\Roaming\Frist\cos.exe | Code function: 17_2_005619C2 mov eax, dword ptr fs:[00000030h] 17_2_005619C2
          Source: C:\Users\user\AppData\Roaming\Frist\cos.exe | Code function: 17_2_00561988 mov eax, dword ptr fs:[00000030h] 17_2_00561988
          Source: C:\Users\user\AppData\Roaming\Frist\cos.exe | Code function: 17_2_005619AD mov eax, dword ptr fs:[00000030h] 17_2_005619AD
          Source: C:\Users\user\AppData\Roaming\Frist\cos.exe | Code function: 17_2_00564A4A mov eax, dword ptr fs:[00000030h] 17_2_00564A4A
          Source: C:\Users\user\AppData\Roaming\Frist\cos.exe | Code function: 17_2_0056269E mov eax, dword ptr fs:[00000030h] 17_2_0056269E
          Source: C:\Users\user\AppData\Roaming\Frist\cos.exe | Code function: 17_2_00564A8A mov eax, dword ptr fs:[00000030h] 17_2_00564A8A
          Source: C:\Users\user\AppData\Roaming\Frist\cos.exeCode function: 17_2_00561BE6 mov eax, dword ptr fs:[00000030h]17_2_00561BE6
          Source: C:\Users\user\AppData\Roaming\Frist\cos.exeCode function: 18_2_00561BB8 mov eax, dword ptr fs:[00000030h]18_2_00561BB8
          Source: C:\Users\user\AppData\Roaming\Frist\cos.exeCode function: 18_2_00564059 mov eax, dword ptr fs:[00000030h]18_2_00564059
          Source: C:\Users\user\AppData\Roaming\Frist\cos.exeCode function: 18_2_00563C12 mov eax, dword ptr fs:[00000030h]18_2_00563C12
          Source: C:\Users\user\AppData\Roaming\Frist\cos.exeCode function: 18_2_00561555 mov eax, dword ptr fs:[00000030h]18_2_00561555
          Source: C:\Users\user\AppData\Roaming\Frist\cos.exeCode function: 18_2_005619C2 mov eax, dword ptr fs:[00000030h]18_2_005619C2
          Source: C:\Users\user\AppData\Roaming\Frist\cos.exeCode function: 18_2_00561988 mov eax, dword ptr fs:[00000030h]18_2_00561988
          Source: C:\Users\user\AppData\Roaming\Frist\cos.exeCode function: 18_2_005619AD mov eax, dword ptr fs:[00000030h]18_2_005619AD
          Source: C:\Users\user\AppData\Roaming\Frist\cos.exeCode function: 18_2_00564A4A mov eax, dword ptr fs:[00000030h]18_2_00564A4A
          Source: C:\Users\user\AppData\Roaming\Frist\cos.exeCode function: 18_2_0056269E mov eax, dword ptr fs:[00000030h]18_2_0056269E
          Source: