Analysis Report payment receipt#4635.scr

Overview

General Information

Sample Name: payment receipt#4635.scr (renamed file extension from scr to exe)
Analysis ID: 299169
MD5: 2b6936345d7c15ee613fb73328759f62
SHA1: 58858cc9b061900468e0aa63f2d1db5192374fa4
SHA256: e0d73a9ec5eae9ad50f9c82237810cabb2717e0e48351ca30e56043acc1264e1
Tags: scr

Detection

Detected families: Remcos, GuLoader
Score: 90
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Detected Remcos RAT
Sigma detected: Remcos
Yara detected GuLoader
Allocates memory in foreign processes
Binary contains a suspicious time stamp
Contains functionality to hide a thread from the debugger
Creates an undocumented autostart registry key
Executable has a suspicious name (potential lure to open the executable)
Hides threads from debuggers
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Yara detected VB6 Downloader Generic
Allocates a big amount of memory (probably used for heap spraying)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Drops PE files
Found WSH timer for Javascript or VBS script (likely evasive script)
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE / OLE file has an invalid certificate
PE file contains sections with non-standard names
PE file contains strange resources
Potential browser exploit detected (process start blacklist hit)
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)

Startup

  • System is w10x64
  • payment receipt#4635.exe (PID: 6708 cmdline: 'C:\Users\user\Desktop\payment receipt#4635.exe' MD5: 2B6936345D7C15EE613FB73328759F62)
    • payment receipt#4635.exe (PID: 6884 cmdline: 'C:\Users\user\Desktop\payment receipt#4635.exe' MD5: 2B6936345D7C15EE613FB73328759F62)
      • wscript.exe (PID: 5756 cmdline: 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\install.vbs' MD5: 7075DD7B9BE8807FCA93ACD86F724884)
  • cos.exe (PID: 5960 cmdline: 'C:\Users\user\AppData\Roaming\Frist\cos.exe' MD5: 2B6936345D7C15EE613FB73328759F62)
    • cos.exe (PID: 4680 cmdline: 'C:\Users\user\AppData\Roaming\Frist\cos.exe' MD5: 2B6936345D7C15EE613FB73328759F62)
      • iexplore.exe (PID: 2792 cmdline: C:\Program Files (x86)\Internet Explorer\iexplore.exe MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
        • iexplore.exe (PID: 5416 cmdline: C:\Program Files (x86)\Internet Explorer\iexplore.exe MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
          • wscript.exe (PID: 2540 cmdline: 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\install.vbs' MD5: 7075DD7B9BE8807FCA93ACD86F724884)
  • cos.exe (PID: 3016 cmdline: 'C:\Users\user\AppData\Roaming\Frist\cos.exe' MD5: 2B6936345D7C15EE613FB73328759F62)
    • cos.exe (PID: 5392 cmdline: 'C:\Users\user\AppData\Roaming\Frist\cos.exe' MD5: 2B6936345D7C15EE613FB73328759F62)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
Process Memory Space: cos.exe PID: 5960 | JoeSecurity_VB6DownloaderGeneric | Yara detected VB6 Downloader Generic | Joe Security |
Process Memory Space: cos.exe PID: 5960 | JoeSecurity_GuLoader | Yara detected GuLoader | Joe Security |
Process Memory Space: payment receipt#4635.exe PID: 6884 | JoeSecurity_VB6DownloaderGeneric | Yara detected VB6 Downloader Generic | Joe Security |
Process Memory Space: payment receipt#4635.exe PID: 6884 | JoeSecurity_GuLoader | Yara detected GuLoader | Joe Security |
Process Memory Space: payment receipt#4635.exe PID: 6708 | JoeSecurity_VB6DownloaderGeneric | Yara detected VB6 Downloader Generic | Joe Security |

Sigma Overview

System Summary:

Sigma detected: Remcos
Source: Registry Key set | Author: Joe Security | Data: Details: 60 28 9C 2A 48 1F BB C6 A8 87 DF 51 05 FB A0 F8 A2 A8 97 ED E8 B6 32 4D 9E D7 A2 9F 69 20 A9 0F CC 3E DE E3 40 55 FB 36 96 51 73 70 D3 1C B5 08 04 9A 5B 04 93 FF 89 4B D1 8C B0 50 FF BE D5 E5 56 91 3D 8F 29 10 47 5C CD CF E3 E2 73 7B D2 8F A2 9B 93 04 FA 41 A7 C2 51 63, EventID: 13, Image: C:\Users\user\AppData\Roaming\Frist\cos.exe, ProcessId: 4680, TargetObject: HKEY_CURRENT_USER\Software\Remcos-02BN05\exepath

Signature Overview

AV Detection:

Antivirus detection for URL or domain
Source: https://mscni.org/cos_SfvxT237.bin | Avira URL Cloud: Label: malware

Exploits:

Potential browser exploit detected (process start blacklist hit)
Source: iexplore.exe | Memory has grown: Private usage: 0MB later: 439MB
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe | Process created: C:\Windows\SysWOW64\wscript.exe

Networking:

IP address seen in connection with other malware
Source: Joe Sandbox View | IP Address: 198.54.116.78
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View | JA3 fingerprint: 57f3642b4e37e28f5cbe3020c9331b4c
Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: unknown | DNS traffic detected: queries for: mscni.org
Source: payment receipt#4635.exe | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: payment receipt#4635.exe | String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: payment receipt#4635.exe, 00000002.00000002.267627935.0000000000963000.00000004.00000020.sdmp, cos.exe, 00000010.00000002.357462763.000000000071B000.00000004.00000020.sdmp | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: payment receipt#4635.exe, 00000002.00000002.267627935.0000000000963000.00000004.00000020.sdmp | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: payment receipt#4635.exe | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: payment receipt#4635.exe | String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: payment receipt#4635.exe | String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: payment receipt#4635.exe | String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: payment receipt#4635.exe, 00000002.00000002.267591216.0000000000918000.00000004.00000020.sdmp, cos.exe, 00000010.00000002.357462763.000000000071B000.00000004.00000020.sdmp | String found in binary or memory: http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#
Source: payment receipt#4635.exe, 00000002.00000003.264877873.0000000000963000.00000004.00000001.sdmp | String found in binary or memory: http://ocrp.u
Source: payment receipt#4635.exe, 00000002.00000002.267627935.0000000000963000.00000004.00000020.sdmp, cos.exe, 00000010.00000002.357462763.000000000071B000.00000004.00000020.sdmp | String found in binary or memory: http://ocsp.comodoca.com0
Source: payment receipt#4635.exe | String found in binary or memory: http://ocsp.digicert.com0C
Source: payment receipt#4635.exe | String found in binary or memory: http://ocsp.digicert.com0O
Source: payment receipt#4635.exe, 00000002.00000002.267591216.0000000000918000.00000004.00000020.sdmp, cos.exe, 00000010.00000002.357462763.000000000071B000.00000004.00000020.sdmp | String found in binary or memory: http://ocsp.sectigo.com0#
Source: payment receipt#4635.exe, 00000002.00000002.267591216.0000000000918000.00000004.00000020.sdmp | String found in binary or memory: https://mscni.org/
Source: payment receipt#4635.exe, 00000002.00000002.267591216.0000000000918000.00000004.00000020.sdmp | String found in binary or memory: https://mscni.org/-
Source: payment receipt#4635.exe, 00000002.00000002.267591216.0000000000918000.00000004.00000020.sdmp, cos.exe, 00000010.00000002.351573449.0000000000560000.00000040.00000001.sdmp, cos.exe, 00000011.00000002.362057890.0000000000560000.00000040.00000001.sdmp, iexplore.exe, 00000013.00000002.394229888.0000000003140000.00000040.00000001.sdmp | String found in binary or memory: https://mscni.org/cos_SfvxT237.bin
Source: payment receipt#4635.exe, 00000002.00000002.267591216.0000000000918000.00000004.00000020.sdmp, cos.exe, 00000010.00000002.357462763.000000000071B000.00000004.00000020.sdmp | String found in binary or memory: https://sectigo.com/CPS0
Source: payment receipt#4635.exe | String found in binary or memory: https://www.digicert.com/CPS0
Source: unknown | Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown | Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49734

System Summary:

Executable has a suspicious name (potential lure to open the executable)
Source: payment receipt#4635.exe | Static file information: Suspicious name
Initial sample is a PE file and has a suspicious name
Source: initial sample | Static PE information: Filename: payment receipt#4635.exe
Contains functionality to call native functions
Source: C:\Users\user\Desktop\payment receipt#4635.exe | Code function: 0_2_022102B5 EnumWindows,NtSetInformationThread
Source: C:\Users\user\Desktop\payment receipt#4635.exe | Code function: 0_2_022142F6 NtSetInformationThread
Source: C:\Users\user\Desktop\payment receipt#4635.exe | Code function: 0_2_02214B1D NtResumeThread
Source: C:\Users\user\Desktop\payment receipt#4635.exe | Code function: 0_2_0221417A NtSetInformationThread
Source: C:\Users\user\Desktop\payment receipt#4635.exe | Code function: 0_2_02212675 NtWriteVirtualMemory,LdrInitializeThunk
Source: C:\Users\user\Desktop\payment receipt#4635.exe | Code function: 0_2_022146F4 NtProtectVirtualMemory
Source: C:\Users\user\Desktop\payment receipt#4635.exe | Code function: 0_2_02213710 NtWriteVirtualMemory,LoadLibraryA
Source: C:\Users\user\Desktop\payment receipt#4635.exe | Code function: 0_2_022102F5 NtSetInformationThread
Source: C:\Users\user\Desktop\payment receipt#4635.exe | Code function: 0_2_02214B42 NtResumeThread
Source: C:\Users\user\Desktop\payment receipt#4635.exe | Code function: 0_2_02214B92 NtResumeThread
Source: C:\Users\user\Desktop\payment receipt#4635.exe | Code function: 0_2_02214BE6 NtResumeThread
Source: C:\Users\user\Desktop\payment receipt#4635.exe | Code function: 0_2_02214BC2 NtResumeThread
Source: C:\Users\user\Desktop\payment receipt#4635.exe | Code function: 0_2_02212618 NtWriteVirtualMemory
Source: C:\Users\user\Desktop\payment receipt#4635.exe | Code function: 0_2_02212766 NtWriteVirtualMemory
Source: C:\Users\user\Desktop\payment receipt#4635.exe | Code function: 0_2_02214C36 NtResumeThread
Source: C:\Users\user\Desktop\payment receipt#4635.exe | Code function: 0_2_02211C82 NtWriteVirtualMemory
Source: C:\Users\user\Desktop\payment receipt#4635.exe | Code function: 0_2_02214C8A NtResumeThread
Source: C:\Users\user\Desktop\payment receipt#4635.exe | Code function: 0_2_02213510 NtSetInformationThread
Source: C:\Users\user\Desktop\payment receipt#4635.exe | Code function: 0_2_02211D46 NtWriteVirtualMemory
Source: C:\Users\user\Desktop\payment receipt#4635.exe | Code function: 0_2_02214D4A NtResumeThread
Source: C:\Users\user\Desktop\payment receipt#4635.exe | Code function: 2_2_005618BB RtlAddVectoredExceptionHandler,NtProtectVirtualMemory,NtProtectVirtualMemory
Source: C:\Users\user\Desktop\payment receipt#4635.exe | Code function: 2_2_0056417A NtSetInformationThread
Source: C:\Users\user\Desktop\payment receipt#4635.exe | Code function: 2_2_005642F6 NtSetInformationThread,LdrInitializeThunk
Source: C:\Users\user\Desktop\payment receipt#4635.exe | Code function: 2_2_005602B5 EnumWindows,NtSetInformationThread
Source: C:\Users\user\Desktop\payment receipt#4635.exe | Code function: 2_2_00562358 NtProtectVirtualMemory
Source: C:\Users\user\Desktop\payment receipt#4635.exe | Code function: 2_2_00564B1D NtQueryInformationProcess
Source: C:\Users\user\Desktop\payment receipt#4635.exe | Code function: 2_2_005646F4 NtProtectVirtualMemory
Source: C:\Users\user\Desktop\payment receipt#4635.exe | Code function: 2_2_00561871 NtProtectVirtualMemory
Source: C:\Users\user\Desktop\payment receipt#4635.exe | Code function: 2_2_005608E2 NtProtectVirtualMemory
Source: C:\Users\user\Desktop\payment receipt#4635.exe | Code function: 2_2_005608B8 NtProtectVirtualMemory
Source: C:\Users\user\Desktop\payment receipt#4635.exe | Code function: 2_2_005602F5 NtSetInformationThread
Source: C:\Users\user\Desktop\payment receipt#4635.exe | Code function: 2_2_00564B42 NtQueryInformationProcess
Source: C:\Users\user\Desktop\payment receipt#4635.exe | Code function: 2_2_0056234C NtProtectVirtualMemory
Source: C:\Users\user\Desktop\payment receipt#4635.exe | Code function: 2_2_00564BC2 NtQueryInformationProcess
Source: C:\Users\user\Desktop\payment receipt#4635.exe | Code function: 2_2_00564BE6 NtQueryInformationProcess
Source: C:\Users\user\Desktop\payment receipt#4635.exe | Code function: 2_2_00564B92 NtQueryInformationProcess
Source: C:\Users\user\Desktop\payment receipt#4635.exe | Code function: 2_2_00564C36 NtQueryInformationProcess
Source: C:\Users\user\Desktop\payment receipt#4635.exe | Code function: 2_2_00564C8A NtQueryInformationProcess
Source: C:\Users\user\Desktop\payment receipt#4635.exe | Code function: 2_2_00564D4A NtQueryInformationProcess
Source: C:\Users\user\Desktop\payment receipt#4635.exe | Code function: 2_2_00563510 NtSetInformationThread
Source: C:\Users\user\AppData\Roaming\Frist\cos.exe | Code function: 14_2_021802B5 EnumWindows,NtSetInformationThread
Source: C:\Users\user\AppData\Roaming\Frist\cos.exe | Code function: 14_2_021842F6 NtSetInformationThread
Source: C:\Users\user\AppData\Roaming\Frist\cos.exe | Code function: 14_2_02184B1D NtSetContextThread
Source: C:\Users\user\AppData\Roaming\Frist\cos.exe | Code function: 14_2_0218417A NtSetInformationThread
Source: C:\Users\user\AppData\Roaming\Frist\cos.exe | Code function: 14_2_02182675 NtWriteVirtualMemory,LdrInitializeThunk
Source: C:\Users\user\AppData\Roaming\Frist\cos.exe | Code function: 14_2_021846F4 NtProtectVirtualMemory
Source: C:\Users\user\AppData\Roaming\Frist\cos.exe | Code function: 14_2_02183710 NtWriteVirtualMemory,LoadLibraryA
Source: C:\Users\user\AppData\Roaming\Frist\cos.exe | Code function: 14_2_021802F5 NtSetInformationThread
Source: C:\Users\user\AppData\Roaming\Frist\cos.exe | Code function: 14_2_02184B42 NtSetContextThread
Source: C:\Users\user\AppData\Roaming\Frist\cos.exe | Code function: 14_2_02184B92 NtSetContextThread
Source: C:\Users\user\AppData\Roaming\Frist\cos.exe | Code function: 14_2_02184BC2 NtSetContextThread
Source: C:\Users\user\AppData\Roaming\Frist\cos.exe | Code function: 14_2_02184BE6 NtSetContextThread
Source: C:\Users\user\AppData\Roaming\Frist\cos.exe | Code function: 14_2_02182618 NtWriteVirtualMemory
Source: C:\Users\user\AppData\Roaming\Frist\cos.exe | Code function: 14_2_02182766 NtWriteVirtualMemory
Source: C:\Users\user\AppData\Roaming\Frist\cos.exe | Code function: 14_2_02184C36 NtSetContextThread
Source: C:\Users\user\AppData\Roaming\Frist\cos.exe | Code function: 14_2_02184C8A NtSetContextThread
Source: C:\Users\user\AppData\Roaming\Frist\cos.exe | Code function: 14_2_02181C82 NtWriteVirtualMemory
Source: C:\Users\user\AppData\Roaming\Frist\cos.exe | Code function: 14_2_02183510 NtSetInformationThread
Source: C:\Users\user\AppData\Roaming\Frist\cos.exe | Code function: 14_2_02184D4A NtSetContextThread
Source: C:\Users\user\AppData\Roaming\Frist\cos.exe | Code function: 14_2_02181D46 NtWriteVirtualMemory
Source: C:\Users\user\AppData\Roaming\Frist\cos.exe | Code function: 15_2_020E02B5 EnumWindows,NtSetInformationThread
Source: C:\Users\user\AppData\Roaming\Frist\cos.exe | Code function: 15_2_020E42F6 NtSetInformationThread
Source: C:\Users\user\AppData\Roaming\Frist\cos.exe | Code function: 15_2_020E4B1D NtResumeThread
Source: C:\Users\user\AppData\Roaming\Frist\cos.exe | Code function: 15_2_020E417A NtSetInformationThread
Source: C:\Users\user\AppData\Roaming\Frist\cos.exe | Code function: 15_2_020E2675 NtWriteVirtualMemory,LdrInitializeThunk
Source: C:\Users\user\AppData\Roaming\Frist\cos.exe | Code function: 15_2_020E46F4 NtProtectVirtualMemory
Source: C:\Users\user\AppData\Roaming\Frist\cos.exe | Code function: 15_2_020E3710 NtWriteVirtualMemory,LoadLibraryA
Source: C:\Users\user\AppData\Roaming\Frist\cos.exe | Code function: 15_2_020E02F5 NtSetInformationThread
Source: C:\Users\user\AppData\Roaming\Frist\cos.exe | Code function: 15_2_020E4B42 NtResumeThread
Source: C:\Users\user\AppData\Roaming\Frist\cos.exe | Code function: 15_2_020E4B92 NtResumeThread
Source: C:\Users\user\AppData\Roaming\Frist\cos.exe | Code function: 15_2_020E4BC2 NtResumeThread
Source: C:\Users\user\AppData\Roaming\Frist\cos.exe | Code function: 15_2_020E4BE6 NtResumeThread
Source: C:\Users\user\AppData\Roaming\Frist\cos.exe | Code function: 15_2_020E2618 NtWriteVirtualMemory
Source: C:\Users\user\AppData\Roaming\Frist\cos.exe | Code function: 15_2_020E2766 NtWriteVirtualMemory
Source: C:\Users\user\AppData\Roaming\Frist\cos.exe | Code function: 15_2_020E4C36 NtResumeThread
Source: C:\Users\user\AppData\Roaming\Frist\cos.exe | Code function: 15_2_020E4C8A NtResumeThread
Source: C:\Users\user\AppData\Roaming\Frist\cos.exe | Code function: 15_2_020E1C82 NtWriteVirtualMemory
Source: C:\Users\user\AppData\Roaming\Frist\cos.exe | Code function: 15_2_020E3510 NtSetInformationThread
Source: C:\Users\user\AppData\Roaming\Frist\cos.exe | Code function: 15_2_020E4D4A NtResumeThread
Source: C:\Users\user\AppData\Roaming\Frist\cos.exe | Code function: 15_2_020E1D46 NtWriteVirtualMemory
Source: C:\Users\user\AppData\Roaming\Frist\cos.exe | Code function: 16_2_005618BB RtlAddVectoredExceptionHandler,NtProtectVirtualMemory,NtProtectVirtualMemory
Source: C:\Users\user\AppData\Roaming\Frist\cos.exe | Code function: 16_2_0056417A NtSetInformationThread
Source: C:\Users\user\AppData\Roaming\Frist\cos.exe | Code function: 16_2_005642F6 NtSetInformationThread,LdrInitializeThunk
Source: C:\Users\user\AppData\Roaming\Frist\cos.exe | Code function: 16_2_005602B5 EnumWindows,NtSetInformationThread
Source: C:\Users\user\AppData\Roaming\Frist\cos.exe | Code function: 16_2_00562358 NtProtectVirtualMemory
Source: C:\Users\user\AppData\Roaming\Frist\cos.exe | Code function: 16_2_00564B1D NtQueryInformationProcess
Source: C:\Users\user\AppData\Roaming\Frist\cos.exe | Code function: 16_2_005646F4 NtProtectVirtualMemory
Source: C:\Users\user\AppData\Roaming\Frist\cos.exe | Code function: 16_2_00561871 NtProtectVirtualMemory
Source: C:\Users\user\AppData\Roaming\Frist\cos.exe | Code function: 16_2_005608E2 NtProtectVirtualMemory
Source: C:\Users\user\AppData\Roaming\Frist\cos.exe | Code function: 16_2_005608B8 NtProtectVirtualMemory
Source: C:\Users\user\AppData\Roaming\Frist\cos.exe | Code function: 16_2_005602F5 NtSetInformationThread
Source: C:\Users\user\AppData\Roaming\Frist\cos.exe | Code function: 16_2_00564B42 NtQueryInformationProcess
Source: C:\Users\user\AppData\Roaming\Frist\cos.exe | Code function: 16_2_0056234C NtProtectVirtualMemory
Source: C:\Users\user\AppData\Roaming\Frist\cos.exe | Code function: 16_2_00564BC2 NtQueryInformationProcess
Source: C:\Users\user\AppData\Roaming\Frist\cos.exe | Code function: 16_2_00564BE6 NtQueryInformationProcess
Source: C:\Users\user\AppData\Roaming\Frist\cos.exe | Code function: 16_2_00564B92 NtQueryInformationProcess
Source: C:\Users\user\AppData\Roaming\Frist\cos.exe | Code function: 16_2_00564C36 NtQueryInformationProcess
Source: C:\Users\user\AppData\Roaming\Frist\cos.exe | Code function: 16_2_00564C8A NtQueryInformationProcess
Source: C:\Users\user\AppData\Roaming\Frist\cos.exe | Code function: 16_2_00564D4A NtQueryInformationProcess
Source: C:\Users\user\AppData\Roaming\Frist\cos.exe | Code function: 16_2_00563510 NtSetInformationThread
Source: C:\Users\user\AppData\Roaming\Frist\cos.exe | Code function: 17_2_005618BB RtlAddVectoredExceptionHandler,NtProtectVirtualMemory,NtProtectVirtualMemory
Source: C:\Users\user\AppData\Roaming\Frist\cos.exe | Code function: 17_2_0056417A NtSetInformationThread
Source: C:\Users\user\AppData\Roaming\Frist\cos.exe | Code function: 17_2_005642F6 NtSetInformationThread,LdrInitializeThunk
Source: C:\Users\user\AppData\Roaming\Frist\cos.exe | Code function: 17_2_005602B5 EnumWindows,NtSetInformationThread
Source: C:\Users\user\AppData\Roaming\Frist\cos.exe | Code function: 17_2_00562358 NtProtectVirtualMemory
Source: C:\Users\user\AppData\Roaming\Frist\cos.exe | Code function: 17_2_00564B1D NtSetInformationThread
Source: C:\Users\user\AppData\Roaming\Frist\cos.exe | Code function: 17_2_005646F4 NtProtectVirtualMemory
Source: C:\Users\user\AppData\Roaming\Frist\cos.exe | Code function: 17_2_00561871 NtProtectVirtualMemory
Source: C:\Users\user\AppData\Roaming\Frist\cos.exe | Code function: 17_2_005608E2 NtProtectVirtualMemory
Source: C:\Users\user\AppData\Roaming\Frist\cos.exe | Code function: 17_2_005608B8 NtProtectVirtualMemory
Source: C:\Users\user\AppData\Roaming\Frist\cos.exe | Code function: 17_2_005602F5 NtSetInformationThread
Source: C:\Users\user\AppData\Roaming\Frist\cos.exe | Code function: 17_2_00564B42 NtSetInformationThread
Source: C:\Users\user\AppData\Roaming\Frist\cos.exe | Code function: 17_2_0056234C NtProtectVirtualMemory
Source: C:\Users\user\AppData\Roaming\Frist\cos.exe | Code function: 17_2_00564BC2 NtSetInformationThread
Source: C:\Users\user\AppData\Roaming\Frist\cos.exe | Code function: 17_2_00564BE6 NtSetInformationThread
Source: C:\Users\user\AppData\Roaming\Frist\cos.exe | Code function: 17_2_00564B92 NtSetInformationThread
Source: C:\Users\user\AppData\Roaming\Frist\cos.exe | Code function: 17_2_00564C36 NtSetInformationThread
Source: C:\Users\user\AppData\Roaming\Frist\cos.exe | Code function: 17_2_00564C8A NtSetInformationThread
Source: C:\Users\user\AppData\Roaming\Frist\cos.exe | Code function: 17_2_00564D4A NtSetInformationThread
Source: C:\Users\user\AppData\Roaming\Frist\cos.exe | Code function: 17_2_00563510 NtSetInformationThread
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe | Code function: 18_2_04FB2675 NtWriteVirtualMemory,LdrInitializeThunk
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe | Code function: 18_2_04FB3710 NtWriteVirtualMemory,LoadLibraryA
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe | Code function: 18_2_04FB42F6 NtSetInformationThread
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe | Code function: 18_2_04FB02B5 EnumWindows,NtSetInformationThread
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe | Code function: 18_2_04FB4B1D NtSetContextThread
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe | Code function: 18_2_04FB4C8A NtSetContextThread
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe | Code function: 18_2_04FB1C82 NtWriteVirtualMemory
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe | Code function: 18_2_04FB4C36 NtSetContextThread
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe | Code function: 18_2_04FB4D4A NtSetContextThread
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe | Code function: 18_2_04FB1D46 NtWriteVirtualMemory
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe | Code function: 18_2_04FB3510 NtSetInformationThread
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe | Code function: 18_2_04FB2618 NtWriteVirtualMemory
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe | Code function: 18_2_04FB2766 NtWriteVirtualMemory
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe | Code function: 18_2_04FB417A NtSetInformationThread
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe | Code function: 18_2_04FB02F5 NtSetInformationThread
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe | Code function: 18_2_04FB4BE6 NtSetContextThread
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe | Code function: 18_2_04FB4BC2 NtSetContextThread
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe | Code function: 18_2_04FB4B92 NtSetContextThread
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe | Code function: 18_2_04FB4B42 NtSetContextThread
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe | Code function: 19_2_031402B5 EnumWindows,NtSetInformationThread
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe | Code function: 19_2_031442F6 NtSetInformationThread,LdrInitializeThunk
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe | Code function: 19_2_031402F5 NtSetInformationThread
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe | Code function: 19_2_0314417A NtSetInformationThread
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe | Code function: 19_2_03143510 NtSetInformationThread
            Source: payment receipt#4635.exeStatic PE information: invalid certificate
            Source: payment receipt#4635.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: cos.exe.2.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: cos.exe.19.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: payment receipt#4635.exe | Binary or memory string: OriginalFilename vs payment receipt#4635.exe
            Source: payment receipt#4635.exe, 00000000.00000002.238749318.0000000002990000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameCance7.exeFE2XVerge vs payment receipt#4635.exe
            Source: payment receipt#4635.exe, 00000000.00000002.238380328.00000000020C0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameuser32j% vs payment receipt#4635.exe
            Source: payment receipt#4635.exe, 00000000.00000002.238179296.0000000000426000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameCance7.exe vs payment receipt#4635.exe
            Source: payment receipt#4635.exe, 00000002.00000002.267661687.0000000000996000.00000004.00000020.sdmp | Binary or memory string: OriginalFilenamewscript.exe` vs payment receipt#4635.exe
            Source: payment receipt#4635.exe, 00000002.00000002.271363045.000000001DEC0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemswsock.dll.muij% vs payment receipt#4635.exe
            Source: payment receipt#4635.exe, 00000002.00000002.271394508.000000001E010000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameCRYPT32.DLL.MUIj% vs payment receipt#4635.exe
            Source: payment receipt#4635.exe, 00000002.00000000.237394077.0000000000426000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameCance7.exe vs payment receipt#4635.exe
            Source: payment receipt#4635.exe, 00000002.00000002.271548610.000000001E2E0000.00000002.00000001.sdmp | Binary or memory string: System.OriginalFileName vs payment receipt#4635.exe
            Source: payment receipt#4635.exe, 00000002.00000002.271917128.000000001E3E0000.00000002.00000001.sdmp | Binary or memory string: originalfilename vs payment receipt#4635.exe
            Source: payment receipt#4635.exe, 00000002.00000002.271917128.000000001E3E0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs payment receipt#4635.exe
            Source: payment receipt#4635.exe, 00000002.00000003.264847663.0000000000997000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameCance7.exex vs payment receipt#4635.exe
            Source: payment receipt#4635.exe | Binary or memory string: OriginalFilenameCance7.exex vs payment receipt#4635.exe
            Source: classification engine | Classification label: mal90.troj.evad.winEXE@17/5@4/1
            Source: C:\Users\user\Desktop\payment receipt#4635.exe | File created: C:\Users\user\AppData\Roaming\Frist
            Source: C:\Users\user\AppData\Roaming\Frist\cos.exe | Mutant created: \Sessions\1\BaseNamedObjects\Remcos-02BN05
            Source: C:\Users\user\AppData\Roaming\Frist\cos.exe | Mutant created: \Sessions\1\BaseNamedObjects\Remcos_Mutex_Inj
            Source: C:\Users\user\Desktop\payment receipt#4635.exe | File created: C:\Users\user\AppData\Local\Temp\~DF95EDAE2D84034FA7.TMP
            Source: unknown | Process created: C:\Windows\SysWOW64\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\install.vbs'
            Source: payment receipt#4635.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: C:\Users\user\Desktop\payment receipt#4635.exe | Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
            Source: C:\Users\user\AppData\Roaming\Frist\cos.exe | Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
            Source: C:\Users\user\Desktop\payment receipt#4635.exe | File read: C:\Users\user\Desktop\desktop.ini
            Source: C:\Users\user\Desktop\payment receipt#4635.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: C:\Users\user\Desktop\payment receipt#4635.exe | File read: C:\Windows\System32\drivers\etc\hosts
            Source: C:\Users\user\AppData\Roaming\Frist\cos.exe | File read: C:\Windows\System32\drivers\etc\hosts
            Source: C:\Users\user\Desktop\payment receipt#4635.exe | File read: C:\Users\user\Desktop\payment receipt#4635.exe
            Source: unknown | Process created: C:\Users\user\Desktop\payment receipt#4635.exe 'C:\Users\user\Desktop\payment receipt#4635.exe'
            Source: unknown | Process created: C:\Users\user\AppData\Roaming\Frist\cos.exe 'C:\Users\user\AppData\Roaming\Frist\cos.exe'
            Source: unknown | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
            Source: C:\Users\user\Desktop\payment receipt#4635.exe | Process created: C:\Users\user\Desktop\payment receipt#4635.exe 'C:\Users\user\Desktop\payment receipt#4635.exe'
            Source: C:\Users\user\Desktop\payment receipt#4635.exe | Process created: C:\Windows\SysWOW64\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\install.vbs'
            Source: C:\Users\user\AppData\Roaming\Frist\cos.exe | Process created: C:\Users\user\AppData\Roaming\Frist\cos.exe 'C:\Users\user\AppData\Roaming\Frist\cos.exe'
            Source: C:\Users\user\AppData\Roaming\Frist\cos.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
            Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
            Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe | Process created: C:\Windows\SysWOW64\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\install.vbs'
            Source: C:\Windows\SysWOW64\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32
            Source: C:\Windows\SysWOW64\wscript.exe | Automated click: OK
            Source: Window Recorder | Window detected: More than 3 window changes detected
            Source: Binary string: iexplore.pdbUGP source: cos.exe.19.dr
            Source: Binary string: iexplore.pdb source: cos.exe.19.dr

            Data Obfuscation:

            Yara detected GuLoader
            Source: Yara match | File source: Process Memory Space: cos.exe PID: 5960, type: MEMORY
            Source: Yara match | File source: Process Memory Space: payment receipt#4635.exe PID: 6884, type: MEMORY
            Source: Yara match | File source: Process Memory Space: payment receipt#4635.exe PID: 6708, type: MEMORY
            Source: Yara match | File source: Process Memory Space: cos.exe PID: 5392, type: MEMORY
            Source: Yara match | File source: Process Memory Space: cos.exe PID: 3016, type: MEMORY
            Source: Yara match | File source: Process Memory Space: cos.exe PID: 4680, type: MEMORY
            Binary contains a suspicious time stamp
            Source: initial sample | Static PE information: 0x6639744D [Tue May 7 00:22:37 2024 UTC]
            Yara detected VB6 Downloader Generic
            Source: Yara match | File source: Process Memory Space: cos.exe PID: 5960, type: MEMORY
            Source: Yara match | File source: Process Memory Space: payment receipt#4635.exe PID: 6884, type: MEMORY
            Source: Yara match | File source: Process Memory Space: payment receipt#4635.exe PID: 6708, type: MEMORY
            Source: Yara match | File source: Process Memory Space: cos.exe PID: 5392, type: MEMORY
            Source: Yara match | File source: Process Memory Space: cos.exe PID: 3016, type: MEMORY
            Source: Yara match | File source: Process Memory Space: cos.exe PID: 4680, type: MEMORY
            Source: cos.exe.19.dr | Static PE information: section name: .didat
            Source: C:\Users\user\Desktop\payment receipt#4635.exe | Code function: 0_2_00418D59 push dword ptr [ecx-3C004E4Fh]; ret 0_2_00418D69
            Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe | File created: C:\Users\user\AppData\Roaming\Frist\cos.exe

            Boot Survival:

            Creates an undocumented autostart registry key
            Source: C:\Users\user\Desktop\payment receipt#4635.exe | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run Remcos
            Source: C:\Users\user\Desktop\payment receipt#4635.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Remcos
            Source: C:\Users\user\Desktop\payment receipt#4635.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
            Source: C:\Users\user\Desktop\payment receipt#4635.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\wscript.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\Frist\cos.exe | Process information set: NOOPENFILEERRORBOX

            Malware Analysis System Evasion:

            Tries to detect Any.run
            Source: C:\Users\user\Desktop\payment receipt#4635.exe | File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
            Source: C:\Users\user\Desktop\payment receipt#4635.exe | File opened: C:\Program Files\qga\qga.exe
            Source: C:\Users\user\AppData\Roaming\Frist\cos.exe | File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
            Source: C:\Users\user\AppData\Roaming\Frist\cos.exe | File opened: C:\Program Files\qga\qga.exe
            Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe | File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
            Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe | File opened: C:\Program Files\qga\qga.exe
            Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
            Source: payment receipt#4635.exe, 00000000.00000002.238420499.0000000002210000.00000040.00000001.sdmp, payment receipt#4635.exe, 00000002.00000002.267456311.0000000000560000.00000040.00000001.sdmp, cos.exe, 0000000E.00000002.316779451.0000000002180000.00000040.00000001.sdmp, cos.exe, 0000000F.00000002.343821909.00000000020E0000.00000040.00000001.sdmp, cos.exe, 00000010.00000002.351573449.0000000000560000.00000040.00000001.sdmp, cos.exe, 00000011.00000002.362057890.0000000000560000.00000040.00000001.sdmp, iexplore.exe, 00000012.00000002.371386605.0000000004FB0000.00000040.00000001.sdmp, iexplore.exe, 00000013.00000002.394229888.0000000003140000.00000040.00000001.sdmp | Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
            Source: C:\Users\user\Desktop\payment receipt#4635.exe | File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
            Source: C:\Users\user\Desktop\payment receipt#4635.exe | Code function: 0_2_022142F6 rdtsc 0_2_022142F6
            Source: C:\Windows\SysWOW64\wscript.exe | Window found: window name: WSH-Timer
            Source: payment receipt#4635.exe, 00000002.00000002.267627935.0000000000963000.00000004.00000020.sdmp | Binary or memory string: Hyper-V RAWen-USnuA
            Source: payment receipt#4635.exe, 00000002.00000002.267591216.0000000000918000.00000004.00000020.sdmp | Binary or memory string: Hyper-V RAW
            Source: payment receipt#4635.exe, 00000000.00000002.238420499.0000000002210000.00000040.00000001.sdmp, payment receipt#4635.exe, 00000002.00000002.267456311.0000000000560000.00000040.00000001.sdmp, cos.exe, 0000000E.00000002.316779451.0000000002180000.00000040.00000001.sdmp, cos.exe, 0000000F.00000002.343821909.00000000020E0000.00000040.00000001.sdmp, cos.exe, 00000010.00000002.351573449.0000000000560000.00000040.00000001.sdmp, cos.exe, 00000011.00000002.362057890.0000000000560000.00000040.00000001.sdmp, iexplore.exe, 00000012.00000002.371386605.0000000004FB0000.00000040.00000001.sdmp, iexplore.exe, 00000013.00000002.394229888.0000000003140000.00000040.00000001.sdmp | Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe

            Anti Debugging:

            Contains functionality to hide a thread from the debugger
            Source: C:\Users\user\Desktop\payment receipt#4635.exe | Code function: 0_2_022102B5 NtSetInformationThread 000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,02210359,00000000,00000000,00000000,00000000 0_2_022102B5
            Hides threads from debuggers
            Source: C:\Users\user\Desktop\payment receipt#4635.exe | Thread information set: HideFromDebugger
            Source: C:\Users\user\AppData\Roaming\Frist\cos.exe | Thread information set: HideFromDebugger
            Source: C:\Users\user\Desktop\payment receipt#4635.exe | Process queried: DebugPort
            Source: C:\Users\user\AppData\Roaming\Frist\cos.exe | Process queried: DebugPort
            Source: C:\Users\user\Desktop\payment receipt#4635.exe | Code function: 0_2_022142F6 rdtsc 0_2_022142F6
            Source: C:\Users\user\Desktop\payment receipt#4635.exe | Code function: 0_2_02212675 NtWriteVirtualMemory,LdrInitializeThunk, 0_2_02212675
            Source: C:\Users\user\Desktop\payment receipt#4635.exe | Code function: 0_2_022142F6 mov eax, dword ptr fs:[00000030h] 0_2_022142F6
            Source: C:\Users\user\Desktop\payment receipt#4635.exe | Code function: 0_2_02213A28 mov eax, dword ptr fs:[00000030h] 0_2_02213A28
            Source: C:\Users\user\Desktop\payment receipt#4635.exe | Code function: 0_2_022142A8 mov eax, dword ptr fs:[00000030h] 0_2_022142A8
            Source: C:\Users\user\Desktop\payment receipt#4635.exe | Code function: 0_2_0221111E mov eax, dword ptr fs:[00000030h] 0_2_0221111E
            Source: C:\Users\user\Desktop\payment receipt#4635.exe | Code function: 0_2_022121D2 mov eax, dword ptr fs:[00000030h] 0_2_022121D2
            Source: C:\Users\user\Desktop\payment receipt#4635.exe | Code function: 0_2_022136EF mov eax, dword ptr fs:[00000030h] 0_2_022136EF
            Source: C:\Users\user\Desktop\payment receipt#4635.exe | Code function: 0_2_02211764 mov eax, dword ptr fs:[00000030h] 0_2_02211764
            Source: C:\Users\user\Desktop\payment receipt#4635.exe | Code function: 2_2_005642F6 mov eax, dword ptr fs:[00000030h] 2_2_005642F6
            Source: C:\Users\user\Desktop\payment receipt#4635.exe | Code function: 2_2_00561764 mov eax, dword ptr fs:[00000030h] 2_2_00561764
            Source: C:\Users\user\Desktop\payment receipt#4635.exe | Code function: 2_2_0056111E mov eax, dword ptr fs:[00000030h] 2_2_0056111E
            Source: C:\Users\user\Desktop\payment receipt#4635.exe | Code function: 2_2_005621D2 mov eax, dword ptr fs:[00000030h] 2_2_005621D2
            Source: C:\Users\user\Desktop\payment receipt#4635.exe | Code function: 2_2_00563A28 mov eax, dword ptr fs:[00000030h] 2_2_00563A28
            Source: C:\Users\user\Desktop\payment receipt#4635.exe | Code function: 2_2_005642A8 mov eax, dword ptr fs:[00000030h] 2_2_005642A8
            Source: C:\Users\user\Desktop\payment receipt#4635.exe | Code function: 2_2_005636EF mov eax, dword ptr fs:[00000030h] 2_2_005636EF
            Source: C:\Users\user\AppData\Roaming\Frist\cos.exe | Code function: 14_2_021842F6 mov eax, dword ptr fs:[00000030h] 14_2_021842F6
            Source: C:\Users\user\AppData\Roaming\Frist\cos.exe | Code function: 14_2_02183A28 mov eax, dword ptr fs:[00000030h] 14_2_02183A28
            Source: C:\Users\user\AppData\Roaming\Frist\cos.exe | Code function: 14_2_021842A8 mov eax, dword ptr fs:[00000030h] 14_2_021842A8
            Source: C:\Users\user\AppData\Roaming\Frist\cos.exe | Code function: 14_2_0218111E mov eax, dword ptr fs:[00000030h] 14_2_0218111E
            Source: C:\Users\user\AppData\Roaming\Frist\cos.exe | Code function: 14_2_021821D2 mov eax, dword ptr fs:[00000030h] 14_2_021821D2
            Source: C:\Users\user\AppData\Roaming\Frist\cos.exe | Code function: 14_2_021836EF mov eax, dword ptr fs:[00000030h] 14_2_021836EF
            Source: C:\Users\user\AppData\Roaming\Frist\cos.exe | Code function: 14_2_02181764 mov eax, dword ptr fs:[00000030h] 14_2_02181764
            Source: C:\Users\user\AppData\Roaming\Frist\cos.exe | Code function: 15_2_020E42F6 mov eax, dword ptr fs:[00000030h] 15_2_020E42F6
            Source: C:\Users\user\AppData\Roaming\Frist\cos.exe | Code function: 15_2_020E3A28 mov eax, dword ptr fs:[00000030h] 15_2_020E3A28
            Source: C:\Users\user\AppData\Roaming\Frist\cos.exe | Code function: 15_2_020E42A8 mov eax, dword ptr fs:[00000030h] 15_2_020E42A8
            Source: C:\Users\user\AppData\Roaming\Frist\cos.exe | Code function: 15_2_020E111E mov eax, dword ptr fs:[00000030h] 15_2_020E111E
            Source: C:\Users\user\AppData\Roaming\Frist\cos.exe | Code function: 15_2_020E21D2 mov eax, dword ptr fs:[00000030h] 15_2_020E21D2
            Source: C:\Users\user\AppData\Roaming\Frist\cos.exe | Code function: 15_2_020E36EF mov eax, dword ptr fs:[00000030h] 15_2_020E36EF
            Source: C:\Users\user\AppData\Roaming\Frist\cos.exe | Code function: 15_2_020E1764 mov eax, dword ptr fs:[00000030h] 15_2_020E1764
            Source: C:\Users\user\AppData\Roaming\Frist\cos.exe | Code function: 16_2_005642F6 mov eax, dword ptr fs:[00000030h] 16_2_005642F6
            Source: C:\Users\user\AppData\Roaming\Frist\cos.exe | Code function: 16_2_00561764 mov eax, dword ptr fs:[00000030h] 16_2_00561764
            Source: C:\Users\user\AppData\Roaming\Frist\cos.exe | Code function: 16_2_0056111E mov eax, dword ptr fs:[00000030h] 16_2_0056111E
            Source: C:\Users\user\AppData\Roaming\Frist\cos.exe | Code function: 16_2_005621D2 mov eax, dword ptr fs:[00000030h] 16_2_005621D2
            Source: C:\Users\user\AppData\Roaming\Frist\cos.exe | Code function: 16_2_00563A28 mov eax, dword ptr fs:[00000030h] 16_2_00563A28
            Source: C:\Users\user\AppData\Roaming\Frist\cos.exe | Code function: 16_2_005642A8 mov eax, dword ptr fs:[00000030h] 16_2_005642A8
            Source: C:\Users\user\AppData\Roaming\Frist\cos.exe | Code function: 16_2_005636EF mov eax, dword ptr fs:[00000030h] 16_2_005636EF
            Source: C:\Users\user\AppData\Roaming\Frist\cos.exe | Code function: 17_2_005642F6 mov eax, dword ptr fs:[00000030h] 17_2_005642F6
            Source: C:\Users\user\AppData\Roaming\Frist\cos.exe | Code function: 17_2_00561764 mov eax, dword ptr fs:[00000030h] 17_2_00561764
            Source: C:\Users\user\AppData\Roaming\Frist\cos.exe | Code function: 17_2_0056111E mov eax, dword ptr fs:[00000030h] 17_2_0056111E
            Source: C:\Users\user\AppData\Roaming\Frist\cos.exe | Code function: 17_2_005621D2 mov eax, dword ptr fs:[00000030h] 17_2_005621D2
            Source: C:\Users\user\AppData\Roaming\Frist\cos.exe | Code function: 17_2_00563A28 mov eax, dword ptr fs:[00000030h] 17_2_00563A28
            Source: C:\Users\user\AppData\Roaming\Frist\cos.exe | Code function: 17_2_005642A8 mov eax, dword ptr fs:[00000030h] 17_2_005642A8
            Source: C:\Users\user\AppData\Roaming\Frist\cos.exeCode function: 17_2_005636EF mov eax, dword ptr fs:[00000030h]17_2_005636EF
            Source: C:\Program Files (x86)\Internet Explorer\iexplore.exeCode function: 18_2_04FB42F6 mov eax, dword ptr fs:[00000030h]18_2_04FB42F6
            Source: C:\Program Files (x86)\Internet Explorer\iexplore.exeCode function: 18_2_04FB36EF mov eax, dword ptr fs:[00000030h]18_2_04FB36EF
            Source: C:\Program Files (x86)\Internet Explorer\iexplore.exeCode function: 18_2_04FB1764 mov eax, dword ptr fs:[00000030h]18_2_04FB1764
            Source: C:\Program Files (x86)\Internet Explorer\iexplore.exeCode function: 18_2_04FB21D2 mov eax, dword ptr fs:[00000030h]18_2_04FB21D2
            Source: C:\Program Files (x86)\Internet Explorer\iexplore.exeCode function: 18_2_04FB111E mov eax, dword ptr fs:[00000030h]18_2_04FB111E
            Source: C:\Program Files (x86)\Internet Explorer\iexplore.exeCode function: 18_2_04FB42A8 mov eax, dword ptr fs:[00000030h]18_2_04FB42A8
            Source: C:\Program Files (x86)\Internet Explorer\iexplore.exeCode function: 18_2_04FB3A28 mov eax, dword ptr fs:[00000030h]18_2_04FB3A28
            Source: C:\Program Files (x86)\Internet Explorer\iexplore.exeCode function: 19_2_031442F6 mov eax, dword ptr fs:[00000030h]19_2_031442F6
            Source: C:\Program Files (x86)\Internet Explorer\iexplore.exeCode function: 19_2_03141764 mov eax, dword ptr fs:[00000030h]19_2_03141764
            Source: C:\Program Files (x86)\Internet Explorer\iexplore.exeCode function: 19_2_03143A28 mov eax, dword ptr fs:[00000030h]19_2_03143A28
            Source: C:\Program Files (x86)\Internet Explorer\iexplore.exeCode function: 19_2_031442A8 mov eax, dword ptr fs:[00000030h]19_2_031442A8
            Source: C:\Program Files (x86)\Internet Explorer\iexplore.exeCode function: 19_2_0314111E mov eax, dword ptr fs:[00000030h]19_2_0314111E
            Source: C:\Program Files (x86)\Internet Explorer\iexplore.exeCode function: 19_2_031421D2 mov eax, dword ptr fs:[00000030h]19_2_031421D2
            Source: C:\Program Files (x86)\Internet Explorer\iexplore.exeCode function: 19_2_031436EF mov eax, dword ptr fs:[00000030h]19_2_031436EF
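The rows above all flag the same 32-bit instruction, `mov eax, dword ptr fs:[00000030h]`, which loads the PEB pointer from the TEB; what the code does with it afterwards (reading PEB.BeingDebugged, walking PEB.Ldr, checking NtGlobalFlag) is what distinguishes an anti-debug check from an API-resolution stub. The sandbox also reports the same low 16 bits of the function address (3A28, 42F6, 36EF, ...) in the dropped cos.exe copy and in the injected iexplore.exe, which is consistent with one code blob mapped at different bases. The following is an added example, not code from the sandbox or from the sample: it statically finds the fs:[0x30] load in a byte buffer (both the short `64 A1` form and the `64 8B /r` form), looks at the immediately following instruction for a known PEB field offset (32-bit PEB layout: BeingDebugged at 0x02, Ldr at 0x0C, ProcessHeap at 0x18, NtGlobalFlag at 0x68), and clusters report rows by the low 16 bits of the function address. The sample bytes and report lines are constructed here, and the low-16-bit clustering is a heuristic assumption, not something the report itself does.

```python
import re
from collections import defaultdict

# x86 32-bit register names indexed by the 3-bit reg field of a ModRM byte.
REG32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]

# Offsets inside the 32-bit PEB that evasion / loader code reads right after fetching it.
PEB_FIELDS = {0x02: "BeingDebugged", 0x0C: "Ldr", 0x18: "ProcessHeap", 0x68: "NtGlobalFlag"}

PEB_DISP = b"\x30\x00\x00\x00"   # fs:[0x30] = TEB.ProcessEnvironmentBlock


def _next_peb_field(code, pos, base_reg):
    """If the instruction at `pos` is `mov r32, [base_reg+disp8]` (8B /r) or
    `movzx r32, byte ptr [base_reg+disp8]` (0F B6 /r), return the PEB field name
    for that disp8, else None. [esp+disp] needs a SIB byte and is not handled."""
    if base_reg == 4:
        return None
    if pos + 3 <= len(code) and code[pos] == 0x8B:
        modrm, disp = code[pos + 1], code[pos + 2]
    elif pos + 4 <= len(code) and code[pos] == 0x0F and code[pos + 1] == 0xB6:
        modrm, disp = code[pos + 2], code[pos + 3]
    else:
        return None
    if (modrm >> 6) != 1 or (modrm & 7) != base_reg:   # need mod=01 (disp8) and rm=base
        return None
    return PEB_FIELDS.get(disp)


def find_peb_reads(code: bytes):
    """Return [(offset, register, following_peb_field)] for every 32-bit
    `mov r32, dword ptr fs:[0x30]` in `code`. Encodings handled:
      64 A1 30 00 00 00       mov eax, fs:[0x30]   (short moffs32 form)
      64 8B /r 30 00 00 00    mov r32, fs:[0x30]   (ModRM mod=00, rm=101 -> disp32)"""
    hits, i, n = [], 0, len(code)
    while i < n - 1:
        if code[i] != 0x64:                      # FS segment override prefix
            i += 1
            continue
        reg, length = None, 0
        if code[i + 1] == 0xA1 and i + 6 <= n and code[i + 2:i + 6] == PEB_DISP:
            reg, length = 0, 6
        elif code[i + 1] == 0x8B and i + 7 <= n:
            modrm = code[i + 2]
            if modrm & 0xC7 == 0x05 and code[i + 3:i + 7] == PEB_DISP:
                reg, length = (modrm >> 3) & 7, 7
        if reg is None:
            i += 1
            continue
        hits.append((i, REG32[reg], _next_peb_field(code, i + length, reg)))
        i += length
    return hits


# Matches the report's "Source: <path>Code function: <pid>_<n>_<addr>" rows.
ROW_RE = re.compile(r"Source: (.+?)\s*\|?\s*Code function: (\d+)_\d+_([0-9A-Fa-f]{8})")


def cluster_report_hits(lines):
    """Group report rows by the low 16 bits of the function address (heuristic:
    the same code mapped at a different 64 KiB-aligned base keeps those bits)."""
    groups = defaultdict(set)
    for line in lines:
        m = ROW_RE.search(line)
        if m:
            low = int(m.group(3), 16) & 0xFFFF
            groups[f"{low:04X}"].add((int(m.group(2)), m.group(1).rsplit("\\", 1)[-1]))
    return {k: sorted(v) for k, v in groups.items()}


# Constructed sample: a BeingDebugged check followed by a PEB.Ldr walk prologue.
SAMPLE = bytes([
    0x64, 0xA1, 0x30, 0x00, 0x00, 0x00,        # mov eax, fs:[0x30]
    0x0F, 0xB6, 0x40, 0x02,                    # movzx eax, byte ptr [eax+2]   ; BeingDebugged
    0x64, 0x8B, 0x1D, 0x30, 0x00, 0x00, 0x00,  # mov ebx, fs:[0x30]
    0x8B, 0x43, 0x0C,                          # mov eax, [ebx+0xC]            ; PEB.Ldr
    0x90,                                      # nop
])

# Constructed copies of three rows in the shape the report uses.
REPORT_LINES = [
    r"Source: C:\Users\user\Desktop\payment receipt#4635.exe | Code function: 2_2_00563A28 | mov eax, dword ptr fs:[00000030h]",
    r"Source: C:\Users\user\AppData\Roaming\Frist\cos.exe | Code function: 14_2_02183A28 | mov eax, dword ptr fs:[00000030h]",
    r"Source: C:\Users\user\AppData\Roaming\Frist\cos.exe | Code function: 14_2_021842F6 | mov eax, dword ptr fs:[00000030h]",
]

if __name__ == "__main__":
    for off, reg, field in find_peb_reads(SAMPLE):
        print(f"+0x{off:02x}: mov {reg}, fs:[0x30]  -> next reads PEB.{field}")
    for low, procs in cluster_report_hits(REPORT_LINES).items():
        print(f"function ...{low} seen in {procs}")
```

The scanner is deliberately encoding-level rather than a full disassembler, so it will miss fs:[0x30] loads reached through other instructions (for example `push dword ptr fs:[0x30]`) and will not see the 64-bit `gs:[0x60]` equivalent; treat a hit as a lead to open in a disassembler, not as a verdict on its own.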