Analysis Report AWB# 9284730932.exe

Overview

General Information

Sample Name: AWB# 9284730932.exe
Analysis ID: 320390
MD5: e69d0c42f97a007fb131b35cb8a4d7b8
SHA1: 43ca208070bb88754a1d8626ea0ef596a6db1f72
SHA256: 6e8b2b06ac2b8447aec7075c5c58edbe5a5377d74c9443e5caf9f379f53a8b6d
Tags: DHL, exe, GuLoader

Most interesting Screenshot:

Detection

FormBook, GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Potential malicious icon found
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
Yara detected Generic Dropper
Yara detected GuLoader
Contains functionality to hide a thread from the debugger
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Hides threads from debuggers
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected VB6 Downloader Generic
Abnormal high CPU Usage
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to communicate with device drivers
Contains functionality to launch a process as a different user
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found potential string decryption / allocating functions
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains strange resources
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • AWB# 9284730932.exe (PID: 5536 cmdline: 'C:\Users\user\Desktop\AWB# 9284730932.exe' MD5: E69D0C42F97A007FB131B35CB8A4D7B8)
    • AWB# 9284730932.exe (PID: 6252 cmdline: 'C:\Users\user\Desktop\AWB# 9284730932.exe' MD5: E69D0C42F97A007FB131B35CB8A4D7B8)
      • explorer.exe (PID: 3472 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • cmd.exe (PID: 6656 cmdline: C:\Windows\SysWOW64\cmd.exe MD5: F3BDBE3BB6F734E357235F4D5898582D)
          • cmd.exe (PID: 6676 cmdline: /c del 'C:\Users\user\Desktop\AWB# 9284730932.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 6684 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
0000000B.00000002.373125113.000000001E150000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
0000000B.00000002.373125113.000000001E150000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b317:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c31a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000B.00000002.373125113.000000001E150000.00000040.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x183f9:$sqlite3step: 68 34 1C 7B E1
  • 0x1850c:$sqlite3step: 68 34 1C 7B E1
  • 0x18428:$sqlite3text: 68 38 2A 90 C5
  • 0x1854d:$sqlite3text: 68 38 2A 90 C5
  • 0x1843b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x18563:$sqlite3blob: 68 53 D8 7F 8C
0000000B.00000002.373146227.000000001E180000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
0000000B.00000002.373146227.000000001E180000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b317:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c31a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Antivirus detection for URL or domain
Source: https://lifeandhealth.com.mx/graceofgod/floow_tAAkniYUly238.bin | Avira URL Cloud: Label: malware
Multi AV Scanner detection for submitted file
Source: AWB# 9284730932.exe | Virustotal: Detection: 28%
Source: AWB# 9284730932.exe | ReversingLabs: Detection: 22%
Yara detected FormBook
Source: Yara match | File source: 0000000B.00000002.373125113.000000001E150000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.373146227.000000001E180000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.501858309.0000000002F20000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.501396069.0000000000520000.00000004.00000001.sdmp, type: MEMORY
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_0016245C FindFirstFileW,FindClose,memcpy,_wcsnicmp,_wcsicmp,memmove
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_0015B89C GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,FindClose,memset,??_V@YAXPAX@Z,FindNextFileW,SetLastError,??_V@YAXPAX@Z,GetLastError,FindClose
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_001668BA FindFirstFileExW,GetLastError,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapReAlloc,FindNextFileW,FindClose,GetLastError,FindClose
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_001731DC FindFirstFileW,FindNextFileW,FindClose
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_001585EA memset,FindFirstFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,??_V@YAXPAX@Z,GetLastError,SetFileAttributesW,_wcsnicmp,GetFullPathNameW,SetLastError,GetLastError,SetFileAttributesW
Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 11_2_00569440 InternetReadFile
Source: unknown | DNS traffic detected: queries for: lifeandhealth.com.mx
Source: explorer.exe, 0000000D.00000000.353751976.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: explorer.exe, 0000000D.00000000.353751976.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 0000000D.00000000.353751976.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 0000000D.00000000.353751976.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 0000000D.00000000.353751976.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 0000000D.00000000.353751976.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 0000000D.00000000.353751976.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 0000000D.00000000.353751976.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: explorer.exe, 0000000D.00000000.353751976.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 0000000D.00000000.353751976.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 0000000D.00000000.353751976.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 0000000D.00000000.353751976.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 0000000D.00000000.353751976.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 0000000D.00000000.353751976.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 0000000D.00000000.353751976.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 0000000D.00000000.353751976.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 0000000D.00000000.353751976.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 0000000D.00000000.353751976.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 0000000D.00000000.353751976.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 0000000D.00000000.353751976.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 0000000D.00000000.353751976.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 0000000D.00000000.353751976.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 0000000D.00000000.353751976.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 0000000D.00000000.353751976.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 0000000D.00000000.353751976.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 0000000D.00000000.353751976.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: AWB# 9284730932.exe | String found in binary or memory: https://lifeandhealth.com.mx/graceofgod/floow_tAAkniYUly238.bin
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown | Network traffic detected: HTTP traffic on port 49720 -> 443
Source: AWB# 9284730932.exe, 00000001.00000002.306925484.000000000072A000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected FormBook
Source: Yara match | File source: 0000000B.00000002.373125113.000000001E150000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.373146227.000000001E180000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.501858309.0000000002F20000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.501396069.0000000000520000.00000004.00000001.sdmp, type: MEMORY

System Summary:

Malicious sample detected (through community Yara rule)
Source: 0000000B.00000002.373125113.000000001E150000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000B.00000002.373125113.000000001E150000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 0000000B.00000002.373146227.000000001E180000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000B.00000002.373146227.000000001E180000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 0000000E.00000002.500985638.000000000025D000.00000004.00000020.sdmp, type: MEMORY | Matched rule: Auto-generated rule - file scan copy.pdf.r11 | Author: Florian Roth
Source: 0000000E.00000002.501858309.0000000002F20000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000E.00000002.501858309.0000000002F20000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 0000000E.00000002.503105850.000000000383F000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Auto-generated rule - file scan copy.pdf.r11 | Author: Florian Roth
Source: 0000000E.00000002.501396069.0000000000520000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000E.00000002.501396069.0000000000520000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Potential malicious icon found
Source: initial sample | Icon embedded in PE file: bad icon match: 20047c7c70f0e004
Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Process Stats: CPU usage > 98%
Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 1_2_022D86B3 NtSetInformationThread
Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 1_2_022D0782 EnumWindows,NtSetInformationThread
Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 1_2_022D0A8B NtSetInformationThread,NtWriteVirtualMemory,TerminateProcess
Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 1_2_022D8E42 NtProtectVirtualMemory
Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 1_2_022D365C NtWriteVirtualMemory
Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 1_2_022D9440 NtResumeThread
Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 1_2_022D23B6 NtSetInformationThread
Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 1_2_022D80E3 NtWriteVirtualMemory
Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 1_2_022D082B NtSetInformationThread
Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 1_2_022D085F NtSetInformationThread
Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 1_2_022D08BB NtSetInformationThread
Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 1_2_022D08FB NtSetInformationThread
Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 1_2_022D0953 NtSetInformationThread
Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 1_2_022D4C71 NtWriteVirtualMemory,LoadLibraryA
Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 1_2_022D963B NtResumeThread
Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 1_2_022D9607 NtResumeThread
Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 1_2_022D96DB NtResumeThread
Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 1_2_022D36D3 NtWriteVirtualMemory
Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 1_2_022D977B NtResumeThread
Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 1_2_022D974B NtResumeThread
Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 1_2_022D3754 NtWriteVirtualMemory
Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 1_2_022D37B8 NtWriteVirtualMemory
Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 1_2_022D97B0 NtResumeThread
Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 1_2_022D9473 NtResumeThread
Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 1_2_022D94D7 NtResumeThread
Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 1_2_022D9567 NtResumeThread
Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 1_2_022D3A90 NtWriteVirtualMemory
Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 1_2_022D3ADF NtWriteVirtualMemory
Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 1_2_022D3B4C NtWriteVirtualMemory
Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 1_2_022D983B NtResumeThread
Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 1_2_022D3812 NtWriteVirtualMemory
Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 1_2_022D3873 NtWriteVirtualMemory
Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 1_2_022D98B4 NtResumeThread
Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 1_2_022D38B3 NtWriteVirtualMemory
Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 1_2_022D3914 NtWriteVirtualMemory
Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 1_2_022D3978 NtWriteVirtualMemory
Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 1_2_022D99AF NtResumeThread
Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 1_2_022D3C7F NtWriteVirtualMemory
Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 1_2_022D3CD7 NtWriteVirtualMemory
Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 1_2_022D3D87 NtWriteVirtualMemory
Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 11_2_1E3E9A20 NtResumeThread,LdrInitializeThunk
Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 11_2_1E3E9A00 NtProtectVirtualMemory,LdrInitializeThunk
Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 11_2_1E3E9660 NtAllocateVirtualMemory,LdrInitializeThunk
Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 11_2_1E3E9A50 NtCreateFile,LdrInitializeThunk
Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 11_2_1E3E96E0 NtFreeVirtualMemory,LdrInitializeThunk
Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 11_2_1E3E9710 NtQueryInformationToken,LdrInitializeThunk
Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 11_2_1E3E97A0 NtUnmapViewOfSection,LdrInitializeThunk
Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 11_2_1E3E9780 NtMapViewOfSection,LdrInitializeThunk
Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 11_2_1E3E9860 NtQuerySystemInformation,LdrInitializeThunk
Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 11_2_1E3E9840 NtDelayExecution,LdrInitializeThunk
Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 11_2_1E3E98F0 NtReadVirtualMemory,LdrInitializeThunk
Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 11_2_1E3E9910 NtAdjustPrivilegesToken,LdrInitializeThunk
Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 11_2_1E3E9540 NtReadFile,LdrInitializeThunk
Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 11_2_1E3E99A0 NtCreateSection,LdrInitializeThunk
Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 11_2_1E3E95D0 NtClose,LdrInitializeThunk
Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 11_2_1E3E9610 NtEnumerateValueKey
Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 11_2_1E3E9A10 NtQuerySection
Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 11_2_1E3E9670 NtQueryInformationProcess
Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 11_2_1E3E9650 NtQueryValueKey
Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 11_2_1E3E9A80 NtOpenDirectoryObject
Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 11_2_1E3E96D0 NtCreateKey
Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 11_2_1E3E9730 NtQueryVirtualMemory
Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 11_2_1E3EA710 NtOpenProcessToken
Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 11_2_1E3E9B00 NtSetValueKey
Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 11_2_1E3E9770 NtSetInformationFile
Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 11_2_1E3EA770 NtOpenThread
Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 11_2_1E3E9760 NtOpenProcess
Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 11_2_1E3EA3B0 NtGetContextThread
Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 11_2_1E3E9FE0 NtCreateMutant
Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 11_2_1E3E9820 NtEnumerateKey
Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 11_2_1E3EB040 NtSuspendThread
Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 11_2_1E3E98A0 NtWriteVirtualMemory
Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 11_2_1E3EAD30 NtSetContextThread
Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 11_2_1E3E9520 NtWaitForSingleObject
Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 11_2_1E3E9560 NtWriteFile
Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 11_2_1E3E9950 NtQueueApcThread
Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 11_2_1E3E95F0 NtQueryInformationFile
Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 11_2_1E3E99D0 NtCreateProcessEx
Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 11_2_00563104 TerminateThread,LdrInitializeThunk,NtProtectVirtualMemory
Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 11_2_00563198 RtlAddVectoredExceptionHandler,NtProtectVirtualMemory,LdrInitializeThunk,NtProtectVirtualMemory
Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 11_2_0056431B Sleep,NtProtectVirtualMemory
Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 11_2_0056447A LdrInitializeThunk,NtProtectVirtualMemory
Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 11_2_00568E42 NtProtectVirtualMemory
Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 11_2_0056308C TerminateThread,LdrInitializeThunk,NtProtectVirtualMemory
Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 11_2_0056318B LdrInitializeThunk,NtProtectVirtualMemory
Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 11_2_005643C6 NtProtectVirtualMemory
Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 11_2_00564461 LdrInitializeThunk,NtProtectVirtualMemory
Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 11_2_00564469 LdrInitializeThunk,NtProtectVirtualMemory
Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 11_2_005644EF LdrInitializeThunk,NtProtectVirtualMemory
Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 11_2_005644B3 LdrInitializeThunk,NtProtectVirtualMemory
Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 11_2_00564587 LdrInitializeThunk,NtProtectVirtualMemory
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_0015B42E NtOpenThreadToken,NtOpenProcessToken,NtClose
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_001584BE NtQueryVolumeInformationFile,GetFileInformationByHandleEx
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_001558A4 _setjmp3,NtQueryInformationProcess,NtSetInformationProcess,NtSetInformationProcess,longjmp
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_0015B4C0 NtQueryInformationToken
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_0015B4F8 NtQueryInformationToken,NtQueryInformationToken
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_00176D90 EnterCriticalSection,LeaveCriticalSection,fprintf,fflush,TryAcquireSRWLockExclusive,NtCancelSynchronousIoFile,ReleaseSRWLockExclusive,_get_osfhandle,FlushConsoleInputBuffer
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_0017B5E0 SetLastError,CreateDirectoryW,CreateFileW,RtlDosPathNameToNtPathName_U,memset,memcpy,memcpy,NtFsControlFile,RtlNtStatusToDosError,SetLastError,CloseHandle,RtlFreeHeap,RemoveDirectoryW
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_00179AB4 NtSetInformationFile
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_001583F2 RtlDosPathNameToRelativeNtPathName_U_WithStatus,NtOpenFile,RtlReleaseRelativeName,RtlFreeUnicodeString,CloseHandle,DeleteFileW,GetLastError
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_030F9710 NtQueryInformationToken,LdrInitializeThunk
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_030F9780 NtMapViewOfSection,LdrInitializeThunk
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_030F9FE0 NtCreateMutant,LdrInitializeThunk
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_030F9A50 NtCreateFile,LdrInitializeThunk
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_030F96D0 NtCreateKey,LdrInitializeThunk
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_030F96E0 NtFreeVirtualMemory,LdrInitializeThunk
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_030F9910 NtAdjustPrivilegesToken,LdrInitializeThunk
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_030F9540 NtReadFile,LdrInitializeThunk
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_030F99A0 NtCreateSection,LdrInitializeThunk
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_030F95D0 NtClose,LdrInitializeThunk
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_030F9840 NtDelayExecution,LdrInitializeThunk
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_030F9860 NtQuerySystemInformation,LdrInitializeThunk
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_030F9B00 NtSetValueKey
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_030FA710 NtOpenProcessToken
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_030EE730 NtQueryInformationProcess
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_030B9335 NtClose,NtClose
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_030F9730 NtQueryVirtualMemory
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_030F7742 NtAllocateVirtualMemory
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_030F9760 NtOpenProcess
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_03137365 NtQuerySystemInformation
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_0314176C NtWaitForSingleObject,NtClose
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_0317FF69 NtQueryVirtualMemory
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_030F9770 NtSetInformationFile
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_030FA770 NtOpenThread
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_030C8F87 NtProtectVirtualMemory,NtProtectVirtualMemory
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_0313FB88 NtProtectVirtualMemory
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_030F97A0 NtUnmapViewOfSection
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_030BA7B0 NtClose,NtClose
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_03185BA5 NtQueryInformationToken
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_030FA3B0 NtGetContextThread
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_0317AFDE NtFreeVirtualMemory
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_0317F7DD NtFreeVirtualMemory
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_030BF7C0 NtClose
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_03166BEA NtQueryVirtualMemory
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_030BC600 NtQueryValueKey,NtQueryValueKey
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_030F9A00 NtProtectVirtualMemory
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_030F2E1C NtDelayExecution
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_0317F209 NtFreeVirtualMemory,NtFreeVirtualMemory
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_030F9610 NtEnumerateValueKey
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_030F9A10 NtQuerySection
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_030BE620 NtClose
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_030F9A20 NtResumeThread
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_0317EE22 NtFreeVirtualMemory
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_030B9240 NtClose,NtClose
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_03141242 NtUnmapViewOfSection,NtClose,NtClose,NtClose,NtClose,NtClose
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_030F9650 NtQueryValueKey
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_030EBE62 NtProtectVirtualMemory
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_030F9660 NtAllocateVirtualMemory
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_03137E63 NtProtectVirtualMemory
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_030F9670 NtQueryInformationProcess
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_0316BE9B NtAllocateVirtualMemory,14_2_0316BE9B
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_030F9A80 NtOpenDirectoryObject,14_2_030F9A80
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_030B2E9F NtClose,14_2_030B2E9F
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_030ED294 NtClose,14_2_030ED294
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_030B52A5 NtClose,NtClose,NtClose,NtClose,14_2_030B52A5
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_03180EA5 NtQueryVirtualMemory,14_2_03180EA5
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_03141AD6 NtFreeVirtualMemory,14_2_03141AD6
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_030D4120 NtClose,14_2_030D4120
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_030F9520 NtWaitForSingleObject,14_2_030F9520
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_0316FD22 NtQueryInformationProcess,14_2_0316FD22
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_030C9136 NtProtectVirtualMemory,NtProtectVirtualMemory,NtProtectVirtualMemory,14_2_030C9136
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_030EC532 NtProtectVirtualMemory,14_2_030EC532
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_030FAD30 NtSetContextThread,14_2_030FAD30
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_030E0548 NtQueryVirtualMemory,14_2_030E0548
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_03181D55 NtFreeVirtualMemory,14_2_03181D55
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_03133540 NtQueryValueKey,NtClose,14_2_03133540
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_030F9950 NtQueueApcThread,14_2_030F9950
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_03141570 NtQuerySystemInformation,NtClose,14_2_03141570
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_030F9560 NtWriteFile,14_2_030F9560
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_030B2D8A NtWaitForSingleObject,14_2_030B2D8A
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_030CDD80 NtQueryVirtualMemory,14_2_030CDD80
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_031419C8 NtCreateSection,NtMapViewOfSection,NtUnmapViewOfSection,NtClose,14_2_031419C8
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_030F99D0 NtCreateProcessEx,14_2_030F99D0
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_0316BDFA NtAllocateVirtualMemory,14_2_0316BDFA
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_030F95F0 NtQueryInformationFile,14_2_030F95F0
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_030F9820 NtEnumerateKey,14_2_030F9820
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_0314C450 NtAdjustPrivilegesToken,NtClose,NtClose,14_2_0314C450
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_030FB040 NtSuspendThread,14_2_030FB040
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_03141C49 NtQueryInformationProcess,14_2_03141C49
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_030D746D NtClose,14_2_030D746D
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_03141C76 NtQueryInformationProcess,14_2_03141C76
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_03141879 NtAllocateVirtualMemory,14_2_03141879
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_03133884 NtQueryValueKey,NtQueryValueKey,14_2_03133884
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_030F98A0 NtWriteVirtualMemory,14_2_030F98A0
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_030BDCA4 NtEnumerateKey,NtClose,NtClose,14_2_030BDCA4
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_030EF0BF NtClose,NtClose,14_2_030EF0BF
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_0314B8D0 NtAdjustPrivilegesToken,NtAdjustPrivilegesToken,NtClose,NtClose,14_2_0314B8D0
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_0317F8C5 NtFreeVirtualMemory,14_2_0317F8C5
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_03137CF9 NtQueryVirtualMemory,14_2_03137CF9
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_03141CE4 NtQueryInformationProcess,14_2_03141CE4
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_030C80FC NtMapViewOfSection,NtUnmapViewOfSection,14_2_030C80FC
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_030F98F0 NtReadVirtualMemory,14_2_030F98F0
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_02F39E80 NtClose,14_2_02F39E80
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_02F39E00 NtReadFile,14_2_02F39E00
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_02F39D50 NtCreateFile,14_2_02F39D50
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_02F39E7B NtReadFile,14_2_02F39E7B
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_02F39E7D NtClose,14_2_02F39E7D
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_02F39DA2 NtCreateFile,14_2_02F39DA2
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_00166550: memset,GetFileSecurityW,GetSecurityDescriptorOwner,??_V@YAXPAX@Z,memset,CreateFileW,DeviceIoControl,memcpy,CloseHandle,??_V@YAXPAX@Z,memset,??_V@YAXPAX@Z,FindClose,??_V@YAXPAX@Z,14_2_00166550
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_0016374E InitializeProcThreadAttributeList,UpdateProcThreadAttribute,memset,memset,GetStartupInfoW,lstrcmpW,CreateProcessW,CloseHandle,GetLastError,GetLastError,DeleteProcThreadAttributeList,_local_unwind4,CreateProcessAsUserW,GetLastError,CloseHandle,14_2_0016374E
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3C6E3011_2_1E3C6E30
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3DEBB011_2_1E3DEBB0
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3B841F11_2_1E3B841F
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E46100211_2_1E461002
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3D20A011_2_1E3D20A0
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3BB09011_2_1E3BB090
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E471D5511_2_1E471D55
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3A0D2011_2_1E3A0D20
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3C412011_2_1E3C4120
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3AF90011_2_1E3AF900
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3D258111_2_1E3D2581
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3BD5E011_2_1E3BD5E0
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_0008106911_2_00081069
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_0008986211_2_00089862
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_0008107211_2_00081072
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_00082CEC11_2_00082CEC
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_00082CF211_2_00082CF2
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_0008813211_2_00088132
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_0008AA3211_2_0008AA32
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_00085B1F11_2_00085B1F
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_00085B2211_2_00085B22
      Source: C:\Windows\explorer.exeCode function: 13_2_0674E07213_2_0674E072
      Source: C:\Windows\explorer.exeCode function: 13_2_0675686213_2_06756862
      Source: C:\Windows\explorer.exeCode function: 13_2_0675AA6F13_2_0675AA6F
      Source: C:\Windows\explorer.exeCode function: 13_2_0674E06913_2_0674E069
      Source: C:\Windows\explorer.exeCode function: 13_2_06757A3213_2_06757A32
      Source: C:\Windows\explorer.exeCode function: 13_2_0674FCF213_2_0674FCF2
      Source: C:\Windows\explorer.exeCode function: 13_2_0674FCEC13_2_0674FCEC
      Source: C:\Windows\explorer.exeCode function: 13_2_0675513213_2_06755132
      Source: C:\Windows\explorer.exeCode function: 13_2_06752B2213_2_06752B22
      Source: C:\Windows\explorer.exeCode function: 13_2_06752B1F13_2_06752B1F
      Source: C:\Windows\explorer.exeCode function: 13_2_0675AB0E13_2_0675AB0E
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_0015D80314_2_0015D803
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_0015E04014_2_0015E040
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_00159CF014_2_00159CF0
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_001548E614_2_001548E6
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_00175CEA14_2_00175CEA
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_0017350614_2_00173506
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_0016655014_2_00166550
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_0016196914_2_00161969
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_0015719014_2_00157190
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_001731DC14_2_001731DC
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_0015FA3014_2_0015FA30
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_0015522614_2_00155226
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_00155E7014_2_00155E70
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_00158AD714_2_00158AD7
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_0015CB4814_2_0015CB48
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_00165FC814_2_00165FC8
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_00176FF014_2_00176FF0
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_030EEBB014_2_030EEBB0
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_030D6E3014_2_030D6E30
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_030BF90014_2_030BF900
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_030B0D2014_2_030B0D20
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_030D412014_2_030D4120
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_03181D5514_2_03181D55
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_030C841F14_2_030C841F
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_0317100214_2_03171002
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_030CB09014_2_030CB090
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_02F3E19B14_2_02F3E19B
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_02F29E4014_2_02F29E40
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_02F22FB014_2_02F22FB0
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_02F22D9014_2_02F22D90
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_02F3E59714_2_02F3E597
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_02F22D8714_2_02F22D87
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: String function: 1E3AB150 appears 35 times
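The "Code function" entries above list, per routine, the native API names the sandbox resolved inside injected cmd.exe memory: NtCreateProcessEx, NtCreateSection/NtMapViewOfSection/NtUnmapViewOfSection, NtWriteVirtualMemory, NtGetContextThread/NtSetContextThread, NtQueueApcThread and NtResumeThread. Taken together these are the primitives behind the "Sample uses process hollowing technique" and "Queues an APC in another process" verdicts. The script below is an added example, not part of this report or of any sandbox product: it parses lines in the report's own "Source: <process>Code function: <id> <calls>,<id>" layout (including the bare entries with no resolved names) and groups the calls into the stages of a hollowing chain. The stage grouping is the author's triage checklist, an assumption about how to read the evidence, and the sample lines are copied from the cmd.exe entries above.

```python
import re
from collections import defaultdict

# Constructed sample in the report's "Code function" line format. The function
# ids and API names are copied from the cmd.exe entries above; the last line is
# a bare function entry with no resolved API names, as the report also lists.
SAMPLE_LINES = r"""
Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_030F99D0 NtCreateProcessEx,14_2_030F99D0
Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_031419C8 NtCreateSection,NtMapViewOfSection,NtUnmapViewOfSection,NtClose,14_2_031419C8
Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_030F98A0 NtWriteVirtualMemory,14_2_030F98A0
Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_030FAD30 NtSetContextThread,14_2_030FAD30
Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_030F9950 NtQueueApcThread,14_2_030F9950
Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_030F9A20 NtResumeThread,14_2_030F9A20
Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_00166550: memset,GetFileSecurityW,CreateFileW,DeviceIoControl,CloseHandle,14_2_00166550
Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_0015D80314_2_0015D803
"""

LINE_RE = re.compile(
    r"^Source: (?P<src>.*?)Code function: "
    r"(?P<fid>\d+_\d+_[0-9A-Fa-f]{8})"   # <pid>_<dump>_<address>
    r"(?::? (?P<calls>.*?))?"            # optional resolved call list
    r"(?P=fid)?\s*$"                     # the report repeats the id at the end
)

# Stages of a hollowing / thread-context injection chain and the native calls
# that implement each one. This is a reviewer's checklist (an assumption about
# how to group the calls), not a signature the sandbox publishes.
INJECTION_STAGES = {
    "create_target":   {"NtCreateProcessEx"},
    "map_or_allocate": {"NtAllocateVirtualMemory", "NtCreateSection", "NtMapViewOfSection"},
    "unmap_original":  {"NtUnmapViewOfSection"},
    "write_payload":   {"NtWriteVirtualMemory"},
    "hijack_thread":   {"NtSetContextThread", "NtQueueApcThread"},
    "resume":          {"NtResumeThread"},
}


def parse_code_functions(text):
    """Return (source_process, function_id, [api, ...]) for every parsable line."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        calls = m.group("calls") or ""
        apis = [c for c in calls.strip().rstrip(",").split(",") if c]
        records.append((m.group("src"), m.group("fid"), apis))
    return records


def injection_stages(records, process=None):
    """Map each stage to the set of function ids that reach one of its APIs."""
    hits = defaultdict(set)
    for src, fid, apis in records:
        if process and not src.lower().endswith(process.lower()):
            continue
        for stage, names in INJECTION_STAGES.items():
            if names & set(apis):
                hits[stage].add(fid)
    return dict(hits)


def hollowing_chain_complete(records, process=None):
    """True when every stage of the chain is present in the given process."""
    hits = injection_stages(records, process)
    return all(stage in hits for stage in INJECTION_STAGES)


def single_routine_remap(records):
    """Function ids that create, map and unmap a section inside one routine."""
    needed = {"NtCreateSection", "NtMapViewOfSection", "NtUnmapViewOfSection"}
    return sorted(fid for _, fid, apis in records if needed <= set(apis))


if __name__ == "__main__":
    recs = parse_code_functions(SAMPLE_LINES)
    for stage, fids in injection_stages(recs, "cmd.exe").items():
        print(f"{stage:16} {sorted(fids)}")
    print("chain complete:", hollowing_chain_complete(recs, "cmd.exe"))
    print("create+map+unmap in one routine:", single_routine_remap(recs))
```

Run against the full report the per-process view is what matters: the chain is complete inside cmd.exe (the FormBook host), while the routine 14_2_031419C8 that creates, maps and unmaps a section in one go is worth opening first in a disassembler.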
      Source: AWB# 9284730932.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
      Source: AWB# 9284730932.exe, 00000001.00000002.306371664.0000000000415000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameMorgenkvisten.exe vs AWB# 9284730932.exe
      Source: AWB# 9284730932.exe, 00000001.00000002.306907514.0000000000700000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameuser32j% vs AWB# 9284730932.exe
      Source: AWB# 9284730932.exe, 0000000B.00000002.368734106.00000000000ED000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameCmd.Exej% vs AWB# 9284730932.exe
      Source: AWB# 9284730932.exe, 0000000B.00000000.305549636.0000000000415000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameMorgenkvisten.exe vs AWB# 9284730932.exe
      Source: AWB# 9284730932.exe, 0000000B.00000002.373081614.000000001DEF0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameCRYPT32.DLL.MUIj% vs AWB# 9284730932.exe
      Source: AWB# 9284730932.exe, 0000000B.00000002.373626759.000000001E62F000.00000040.00000001.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs AWB# 9284730932.exe
      Source: AWB# 9284730932.exe, 0000000B.00000002.373031499.000000001DDA0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamemswsock.dll.muij% vs AWB# 9284730932.exe
      Source: AWB# 9284730932.exeBinary or memory string: OriginalFilenameMorgenkvisten.exe vs AWB# 9284730932.exe
      Source: 0000000B.00000002.373125113.000000001E150000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
      Source: 0000000B.00000002.373125113.000000001E150000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
      Source: 0000000B.00000002.373146227.000000001E180000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
      Source: 0000000B.00000002.373146227.000000001E180000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
      Source: 0000000E.00000002.500985638.000000000025D000.00000004.00000020.sdmp, type: MEMORYMatched rule: LokiBot_Dropper_Packed_R11_Feb18 date = 2018-02-14, hash1 = 3b248d40fd7acb839cc592def1ed7652734e0e5ef93368be3c36c042883a3029, author = Florian Roth, description = Auto-generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 0000000E.00000002.501858309.0000000002F20000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
      Source: 0000000E.00000002.501858309.0000000002F20000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
      Source: 0000000E.00000002.503105850.000000000383F000.00000004.00000001.sdmp, type: MEMORYMatched rule: LokiBot_Dropper_Packed_R11_Feb18 date = 2018-02-14, hash1 = 3b248d40fd7acb839cc592def1ed7652734e0e5ef93368be3c36c042883a3029, author = Florian Roth, description = Auto-generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 0000000E.00000002.501396069.0000000000520000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
      Source: 0000000E.00000002.501396069.0000000000520000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
      Source: classification engineClassification label: mal100.rans.troj.spyw.evad.winEXE@7/0@4/2
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_0015C5CA _get_osfhandle,GetConsoleScreenBufferInfo,WriteConsoleW,GetLastError,GetLastError,FormatMessageW,GetConsoleScreenBufferInfo,WriteConsoleW,GetStdHandle,FlushConsoleInputBuffer,GetConsoleMode,SetConsoleMode,_getch,SetConsoleMode,GetConsoleScreenBufferInfo,FillConsoleOutputCharacterW,SetConsoleCursorPosition,EnterCriticalSection,LeaveCriticalSection,exit,14_2_0015C5CA
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_0017A0D2 memset,GetDiskFreeSpaceExW,??_V@YAXPAX@Z,14_2_0017A0D2
      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6684:120:WilError_01
      Source: AWB# 9284730932.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
      Source: C:\Users\user\Desktop\AWB# 9284730932.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
      Source: C:\Users\user\Desktop\AWB# 9284730932.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
      Source: C:\Users\user\Desktop\AWB# 9284730932.exe File read: C:\Windows\System32\drivers\etc\hosts
      Source: C:\Users\user\Desktop\AWB# 9284730932.exe File read: C:\Windows\System32\drivers\etc\hosts
      Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts
      Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts
      Source: AWB# 9284730932.exeVirustotal: Detection: 28%
      Source: AWB# 9284730932.exeReversingLabs: Detection: 22%
      Source: unknownProcess created: C:\Users\user\Desktop\AWB# 9284730932.exe 'C:\Users\user\Desktop\AWB# 9284730932.exe'
      Source: unknownProcess created: C:\Users\user\Desktop\AWB# 9284730932.exe 'C:\Users\user\Desktop\AWB# 9284730932.exe'
      Source: unknownProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
      Source: unknownProcess created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\AWB# 9284730932.exe'
      Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Users\user\Desktop\AWB# 9284730932.exe Process created: C:\Users\user\Desktop\AWB# 9284730932.exe 'C:\Users\user\Desktop\AWB# 9284730932.exe'
      Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\AWB# 9284730932.exe'
      Source: C:\Users\user\Desktop\AWB# 9284730932.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9FC8E510-A27C-4B3B-B9A3-BF65F00256A8}\InProcServer32
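The process tree above shows two things a triage rule can key on: cmd.exe started with no arguments at all (the image path repeated as the whole command line, the usual hollowing host), and a second cmd.exe, spawned by the first, running `/c del` against the original dropper path. The script below is an added example written for this report, not sandbox code: it parses the "Process created" lines, flags a `del` whose target was itself executed earlier in the tree (self-deletion of the dropper), and lists Windows binaries launched with a bare command line. The sample lines are the seven process-creation entries above with the page residue removed; the heuristics are the author's, not verdicts the report states.

```python
import re

# Constructed sample: the process-creation lines from this report's process
# tree. "unknown" is how the sandbox prints a parent it could not resolve.
SAMPLE_TREE = r"""
Source: unknown Process created: C:\Users\user\Desktop\AWB# 9284730932.exe 'C:\Users\user\Desktop\AWB# 9284730932.exe'
Source: unknown Process created: C:\Users\user\Desktop\AWB# 9284730932.exe 'C:\Users\user\Desktop\AWB# 9284730932.exe'
Source: unknown Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
Source: unknown Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\AWB# 9284730932.exe'
Source: unknown Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\AWB# 9284730932.exe Process created: C:\Users\user\Desktop\AWB# 9284730932.exe 'C:\Users\user\Desktop\AWB# 9284730932.exe'
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\AWB# 9284730932.exe'
"""

# parent, image path (ends in .exe, may contain spaces) and the rest as command line
PROC_RE = re.compile(
    r"^Source: (?P<parent>.+?)\s*Process created: (?P<image>.+?\.exe)(?: (?P<cmd>.*))?$",
    re.IGNORECASE,
)
# the report rewrites double quotes as single quotes, so match the quoted path
DEL_RE = re.compile(r"/c\s+del\s+'(?P<target>[^']+)'", re.IGNORECASE)


def parse_process_creations(text):
    """Return (parent, image, command_line) for every process-creation line."""
    events = []
    for line in text.splitlines():
        m = PROC_RE.match(line.strip())
        if m:
            events.append((m.group("parent"), m.group("image"), (m.group("cmd") or "").strip()))
    return events


def self_deletions(events):
    """(parent, target) for each 'cmd /c del' whose target was itself run as a process."""
    images = {image.lower() for _, image, _ in events}
    hits = []
    for parent, _, cmd in events:
        m = DEL_RE.search(cmd)
        if m and m.group("target").lower() in images:
            hits.append((parent, m.group("target")))
    return hits


def bare_system_binaries(events):
    """Windows binaries whose whole command line is their own path: hollowing hosts."""
    return [
        (parent, image)
        for parent, image, cmd in events
        if cmd.strip("'").lower() == image.lower() and "\\windows\\" in image.lower()
    ]


if __name__ == "__main__":
    ev = parse_process_creations(SAMPLE_TREE)
    print("self-deletion:", self_deletions(ev))
    print("bare system binaries:", bare_system_binaries(ev))
```

The second self-deletion hit carries the parent that matters: the `del` was issued by the argument-less cmd.exe, which is the hollowed FormBook host rather than a shell the user opened.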
      Source: Binary string: wscui.pdbUGP source: explorer.exe, 0000000D.00000000.350047860.0000000006FE0000.00000002.00000001.sdmp
      Source: Binary string: cmd.pdbUGP source: AWB# 9284730932.exe, 0000000B.00000002.373852934.000000001E7F0000.00000040.00000001.sdmp, cmd.exe, 0000000E.00000002.500638252.0000000000150000.00000040.00000001.sdmp
      Source: Binary string: wntdll.pdbUGP source: AWB# 9284730932.exe, 0000000B.00000002.373424599.000000001E49F000.00000040.00000001.sdmp, cmd.exe, 0000000E.00000002.502312430.00000000031AF000.00000040.00000001.sdmp
      Source: Binary string: wntdll.pdb source: AWB# 9284730932.exe, cmd.exe
      Source: Binary string: cmd.pdb source: AWB# 9284730932.exe, 0000000B.00000002.373852934.000000001E7F0000.00000040.00000001.sdmp, cmd.exe
      Source: Binary string: wscui.pdb source: explorer.exe, 0000000D.00000000.350047860.0000000006FE0000.00000002.00000001.sdmp

      Data Obfuscation:

      Yara detected GuLoader
      Source: Yara matchFile source: Process Memory Space: AWB# 9284730932.exe PID: 5536, type: MEMORY
      Source: Yara matchFile source: Process Memory Space: AWB# 9284730932.exe PID: 6252, type: MEMORY
      Yara detected VB6 Downloader Generic
      Source: Yara matchFile source: Process Memory Space: AWB# 9284730932.exe PID: 5536, type: MEMORY
      Source: Yara matchFile source: Process Memory Space: AWB# 9284730932.exe PID: 6252, type: MEMORY
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 1_2_004126C5 push eax; ret 1_2_00412704
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3FD0D1 push ecx; ret 11_2_1E3FD0E4
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_0008E3E6 pushad ; ret 11_2_0008E3E7
      Source: C:\Windows\explorer.exeCode function: 13_2_0675B3E6 pushad ; ret 13_2_0675B3E7
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_001676BD push ecx; ret 14_2_001676D0
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_001676D1 push ecx; ret 14_2_001676E4
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_0310D0D1 push ecx; ret 14_2_0310D0E4
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_02F3DA9C push ebx; ret 14_2_02F3DA9D
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_02F2E3B0 push cs; iretd 14_2_02F2E3BC
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_02F3E35B pushad ; ret 14_2_02F3E36C
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_02F36835 push ds; ret 14_2_02F36847
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_02F37026 push cs; ret 14_2_02F37033
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_02F3CEF2 push eax; ret 14_2_02F3CEF8
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_02F3CEFB push eax; ret 14_2_02F3CF62
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_02F3CEA5 push eax; ret 14_2_02F3CEF8
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_02F3C631 push cs; iretd 14_2_02F3C632
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_02F3CF5C push eax; ret 14_2_02F3CF62
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_02F3E41C push ebp; ret 14_2_02F3E41D

      Hooking and other Techniques for Hiding and Protection:

      Modifies the prolog of user mode functions (user mode inline hooks)
      Source: explorer.exe User mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x82 0x2E 0xE0
      Source: C:\Users\user\Desktop\AWB# 9284730932.exe Process information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\AWB# 9284730932.exe Process information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\AWB# 9284730932.exe Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX

      Malware Analysis System Evasion:

      Detected RDTSC dummy instruction sequence (likely for instruction hammering)
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeRDTSC instruction interceptor: First address: 00000000022D7DED second address: 00000000022D7DED instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a call 00007FA8D08F8CE8h 0x0000000f lfence 0x00000012 mov edx, dword ptr [7FFE0014h] 0x00000018 lfence 0x0000001b ret 0x0000001c sub edx, esi 0x0000001e ret 0x0000001f test dx, bx 0x00000022 jmp 00007FA8D08F8D12h 0x00000024 test eax, ecx 0x00000026 add edi, edx 0x00000028 test ax, dx 0x0000002b dec dword ptr [ebp+000000F8h] 0x00000031 test ebx, edx 0x00000033 cmp dword ptr [ebp+000000F8h], 00000000h 0x0000003a jne 00007FA8D08F8C8Eh 0x0000003c cmp ch, ch 0x0000003e call 00007FA8D08F8D70h 0x00000043 call 00007FA8D08F8CFAh 0x00000048 lfence 0x0000004b mov edx, dword ptr [7FFE0014h] 0x00000051 lfence 0x00000054 ret 0x00000055 mov esi, edx 0x00000057 pushad 0x00000058 rdtsc
      Tries to detect Any.run
      Source: C:\Users\user\Desktop\AWB# 9284730932.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
      Source: C:\Users\user\Desktop\AWB# 9284730932.exe File opened: C:\Program Files\qga\qga.exe
      Source: C:\Users\user\Desktop\AWB# 9284730932.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
      Source: C:\Users\user\Desktop\AWB# 9284730932.exe File opened: C:\Program Files\qga\qga.exe
      Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
      Source: AWB# 9284730932.exeBinary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
      Source: AWB# 9284730932.exe, 00000001.00000002.306937352.0000000000741000.00000004.00000020.sdmpBinary or memory string: \??\C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
      Tries to detect virtualization through RDTSC time measurements
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeRDTSC instruction interceptor: First address: 00000000022D7DED second address: 00000000022D7DED instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a call 00007FA8D08F8CE8h 0x0000000f lfence 0x00000012 mov edx, dword ptr [7FFE0014h] 0x00000018 lfence 0x0000001b ret 0x0000001c sub edx, esi 0x0000001e ret 0x0000001f test dx, bx 0x00000022 jmp 00007FA8D08F8D12h 0x00000024 test eax, ecx 0x00000026 add edi, edx 0x00000028 test ax, dx 0x0000002b dec dword ptr [ebp+000000F8h] 0x00000031 test ebx, edx 0x00000033 cmp dword ptr [ebp+000000F8h], 00000000h 0x0000003a jne 00007FA8D08F8C8Eh 0x0000003c cmp ch, ch 0x0000003e call 00007FA8D08F8D70h 0x00000043 call 00007FA8D08F8CFAh 0x00000048 lfence 0x0000004b mov edx, dword ptr [7FFE0014h] 0x00000051 lfence 0x00000054 ret 0x00000055 mov esi, edx 0x00000057 pushad 0x00000058 rdtsc
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeRDTSC instruction interceptor: First address: 00000000022D7E3F second address: 00000000022D7E3F instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e mov eax, 00000001h 0x00000013 cpuid 0x00000015 bt ecx, 1Fh 0x00000019 jc 00007FA8D0EDC089h 0x0000001f popad 0x00000020 call 00007FA8D0EDBB1Dh 0x00000025 lfence 0x00000028 rdtsc
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeRDTSC instruction interceptor: First address: 0000000000567E3F second address: 0000000000567E3F instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e mov eax, 00000001h 0x00000013 cpuid 0x00000015 bt ecx, 1Fh 0x00000019 jc 00007FA8D08F93E9h 0x0000001f popad 0x00000020 call 00007FA8D08F8E7Dh 0x00000025 lfence 0x00000028 rdtsc
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeRDTSC instruction interceptor: First address: 00000000004098E4 second address: 00000000004098EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeRDTSC instruction interceptor: First address: 0000000000409B5E second address: 0000000000409B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
      Source: C:\Windows\SysWOW64\cmd.exeRDTSC instruction interceptor: First address: 0000000002F298E4 second address: 0000000002F298EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
      Source: C:\Windows\SysWOW64\cmd.exeRDTSC instruction interceptor: First address: 0000000002F29B5E second address: 0000000002F29B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 1_2_022D86B3 rdtsc 1_2_022D86B3
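The interceptor traces above are the raw evidence for the two RDTSC signatures, and they show three distinct idioms: a serialized `rdtsc ... lfence ... rdtsc` delta repeated inside a counted loop (`dec dword ptr [ebp+F8h]` / `jne`), a second read of the loop's time source from `[7FFE0014h]`, and a `cpuid` leaf-1 call followed by `bt ecx, 1Fh`. The decoder below is an added example written for this page, not part of the report: it splits an interceptor line into (offset, instruction) pairs and labels the idioms present. Two facts it relies on are standard x86 and Windows knowledge rather than statements in the report: CPUID leaf 1 reports the hypervisor-present flag in ECX bit 31, and 0x7FFE0014 is the SystemTime field of KUSER_SHARED_DATA as mapped into 32-bit processes. The three sample lines are copied from the traces listed above.

```python
import re

# Constructed sample: three "RDTSC instruction interceptor" lines copied from
# this report (GuLoader's loop that also reads KUSER_SHARED_DATA, its CPUID
# variant, and the short back-to-back pair from the cmd.exe stage).
SAMPLE_TRACES = [
    "Source: C:\\Users\\user\\Desktop\\AWB# 9284730932.exe RDTSC instruction interceptor: "
    "First address: 00000000022D7DED second address: 00000000022D7DED instructions: "
    "0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad "
    "0x0000000a call 00007FA8D08F8CE8h 0x0000000f lfence 0x00000012 mov edx, dword ptr [7FFE0014h] "
    "0x00000018 lfence 0x0000001b ret 0x0000001c sub edx, esi 0x0000001e ret 0x0000001f test dx, bx "
    "0x00000022 jmp 00007FA8D08F8D12h 0x00000024 test eax, ecx 0x00000026 add edi, edx "
    "0x00000028 test ax, dx 0x0000002b dec dword ptr [ebp+000000F8h] 0x00000031 test ebx, edx "
    "0x00000033 cmp dword ptr [ebp+000000F8h], 00000000h 0x0000003a jne 00007FA8D08F8C8Eh "
    "0x0000003c cmp ch, ch 0x0000003e call 00007FA8D08F8D70h 0x00000043 call 00007FA8D08F8CFAh "
    "0x00000048 lfence 0x0000004b mov edx, dword ptr [7FFE0014h] 0x00000051 lfence 0x00000054 ret "
    "0x00000055 mov esi, edx 0x00000057 pushad 0x00000058 rdtsc",
    "Source: C:\\Users\\user\\Desktop\\AWB# 9284730932.exe RDTSC instruction interceptor: "
    "First address: 00000000022D7E3F second address: 00000000022D7E3F instructions: "
    "0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax "
    "0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e mov eax, 00000001h "
    "0x00000013 cpuid 0x00000015 bt ecx, 1Fh 0x00000019 jc 00007FA8D0EDC089h 0x0000001f popad "
    "0x00000020 call 00007FA8D0EDBB1Dh 0x00000025 lfence 0x00000028 rdtsc",
    "Source: C:\\Windows\\SysWOW64\\cmd.exe RDTSC instruction interceptor: "
    "First address: 0000000002F298E4 second address: 0000000002F298EA instructions: "
    "0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc",
]

TRACE_RE = re.compile(
    r"First address: (?P<first>[0-9A-Fa-f]+) second address: (?P<second>[0-9A-Fa-f]+) "
    r"instructions: (?P<ins>.*)$"
)
# one "0xNNNNNNNN mnemonic operands" unit; the lookahead stops at the next offset
INS_RE = re.compile(r"0x(?P<off>[0-9A-Fa-f]{8})\s+(?P<ins>.*?)(?=\s+0x[0-9A-Fa-f]{8}\s|\s*$)")

# Standard x86 / Windows facts the classifier relies on (not stated by the report):
# CPUID leaf 1 returns the hypervisor-present flag in ECX bit 31, and 0x7FFE0014
# is KUSER_SHARED_DATA.SystemTime as seen by a 32-bit process.
HYPERVISOR_BIT_TEST = "bt ecx, 1Fh"
KUSER_SYSTEMTIME = "[7FFE0014h]"


def parse_trace(line):
    """Return (first_address, second_address, [(offset, instruction), ...])."""
    m = TRACE_RE.search(line)
    if not m:
        raise ValueError("not an RDTSC interceptor line")
    instrs = [(int(x.group("off"), 16), x.group("ins").strip())
              for x in INS_RE.finditer(m.group("ins"))]
    return int(m.group("first"), 16), int(m.group("second"), 16), instrs


def classify(instrs):
    """Boolean indicators for the evasion idioms visible in one trace."""
    mnem = [text.split()[0] for _, text in instrs]
    ops = [text for _, text in instrs]
    leaf1 = any(re.fullmatch(r"mov eax, 0*1h", o) for o in ops)
    return {
        "rdtsc_count": mnem.count("rdtsc"),
        # lfence/cpuid between the two reads make the delta reflect real cost
        "serialized": "lfence" in mnem or "cpuid" in mnem,
        "hypervisor_bit": leaf1 and "cpuid" in mnem and HYPERVISOR_BIT_TEST in ops,
        "systemtime_crosscheck": any(KUSER_SYSTEMTIME in o for o in ops),
        # dec [mem] / cmp [mem], 0 / jne: the measurement repeated in a counted loop
        "counted_loop": "dec" in mnem and "jne" in mnem,
    }


def techniques(flags):
    """Labels, in a fixed order, for the indicators that fired."""
    labels = []
    if flags["rdtsc_count"] >= 2:
        labels.append("rdtsc-delta" + ("-serialized" if flags["serialized"] else ""))
    if flags["hypervisor_bit"]:
        labels.append("cpuid.1:ecx[31]")
    if flags["systemtime_crosscheck"]:
        labels.append("kuser-systemtime-crosscheck")
    if flags["counted_loop"]:
        labels.append("repeat-loop")
    return labels


if __name__ == "__main__":
    for line in SAMPLE_TRACES:
        first, second, instrs = parse_trace(line)
        print(f"{first:08X}->{second:08X} {len(instrs):2d} instrs {techniques(classify(instrs))}")
```

The unserialized pair in the cmd.exe trace is the cheapest variant and also the one a hypervisor that traps RDTSC inflates the most; the GuLoader loop is harder to fool because it compares the cycle delta with a wall-clock delta taken from the shared data page, so patching RDTSC alone is not enough.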
      Source: C:\Users\user\Desktop\AWB# 9284730932.exe TID: 6652 Thread sleep count: 192 > 30
      Source: C:\Windows\SysWOW64\cmd.exe TID: 6660 Thread sleep time: -30000s >= -30000s
      Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_0016245C FindFirstFileW,FindClose,memcpy,_wcsnicmp,_wcsicmp,memmove,14_2_0016245C
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_0015B89C GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,FindClose,memset,??_V@YAXPAX@Z,FindNextFileW,SetLastError,??_V@YAXPAX@Z,GetLastError,FindClose,14_2_0015B89C
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_001668BA FindFirstFileExW,GetLastError,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapReAlloc,FindNextFileW,FindClose,GetLastError,FindClose,14_2_001668BA
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_001731DC FindFirstFileW,FindNextFileW,FindClose,14_2_001731DC
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_001585EA memset,FindFirstFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,??_V@YAXPAX@Z,GetLastError,SetFileAttributesW,_wcsnicmp,GetFullPathNameW,SetLastError,GetLastError,SetFileAttributesW,14_2_001585EA
      Source: explorer.exe, 0000000D.00000000.352943196.000000000891C000.00000004.00000001.sdmpBinary or memory string: VMware SATA CD00dRom0
      Source: explorer.exe, 0000000D.00000002.507702732.0000000003710000.00000004.00000001.sdmpBinary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
      Source: explorer.exe, 0000000D.00000000.352594738.0000000008270000.00000002.00000001.sdmpBinary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
      Source: explorer.exe, 0000000D.00000000.333225749.00000000011B3000.00000004.00000020.sdmpBinary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000tft\0
      Source: explorer.exe, 0000000D.00000000.352996598.00000000089B5000.00000004.00000001.sdmpBinary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000%
      Source: explorer.exe, 0000000D.00000000.347256531.00000000053C4000.00000004.00000001.sdmpBinary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}>'R\"
      Source: explorer.exe, 0000000D.00000000.352594738.0000000008270000.00000002.00000001.sdmpBinary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
      Source: AWB# 9284730932.exeBinary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
      Source: explorer.exe, 0000000D.00000000.352594738.0000000008270000.00000002.00000001.sdmpBinary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
      Source: explorer.exe, 0000000D.00000000.352996598.00000000089B5000.00000004.00000001.sdmpBinary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&0000002
      Source: AWB# 9284730932.exe, 00000001.00000002.306937352.0000000000741000.00000004.00000020.sdmpBinary or memory string: \??\C:\Program Files\Qemu-ga\qemu-ga.exe
      Source: explorer.exe, 0000000D.00000000.352594738.0000000008270000.00000002.00000001.sdmpBinary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeProcess information queried: ProcessInformationJump to behavior
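      The RDTSC pair listed above (rdtsc; xor ecx, ecx; add ecx, eax; rdtsc), the mov eax/ecx, dword ptr fs:[00000030h] PEB reads listed under Anti Debugging below, and the Qemu-ga path string are all things an analyst can triage statically before detonating the sample again. The Python scanner below is an added example written for this report, not a Joe Sandbox component and not code from the sample; it locates those byte patterns in a code blob and runs on a constructed blob that reproduces the report's instruction sequence. The 16-byte pairing window, the marker list and the blob contents are assumptions. Note that the VMware and Hyper-V strings above are reported from explorer.exe memory, i.e. the analysis guest's own device and service names, while the Qemu-ga path sits in the sample itself, so the string check is only meaningful on the sample's own bytes or a dump of its injected region.

```python
"""Static triage for the anti-analysis patterns listed in this report.

Added example, not part of the sandbox report or the sample. Run it over the
bytes of a PE section or a process memory dump; offsets are relative to the
blob you pass in.
"""
import re

# rdtsc encodes as 0F 31. The report's "dummy instruction sequence" is two
# rdtsc reads a few bytes apart with register shuffling between them.
RDTSC = re.compile(rb"\x0f\x31")

# 32-bit reads of the PEB pointer at fs:[30h]:
#   64 A1 30 00 00 00      mov eax, dword ptr fs:[30h]   (short moffs32 form)
#   64 8B /r 30 00 00 00   mov r32, dword ptr fs:[30h]   (modrm mod=00, rm=101)
PEB_READ = re.compile(
    rb"\x64(?:\xa1|\x8b[\x05\x0d\x15\x1d\x25\x2d\x35\x3d])\x30\x00\x00\x00"
)
REG32 = ("eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi")

# Hypervisor / guest-agent markers seen in this report. Assumption: the list
# is the analyst's choice, not a fixed set.
VM_MARKERS = ("qemu-ga", "vmware", "hyper-v")


def find_rdtsc_pairs(code: bytes, max_gap: int = 16) -> list[tuple[int, int]]:
    """Offsets of consecutive rdtsc instructions within max_gap bytes (assumed window)."""
    offs = [m.start() for m in RDTSC.finditer(code)]
    return [(a, b) for a, b in zip(offs, offs[1:]) if b - a <= max_gap]


def find_peb_reads(code: bytes) -> list[tuple[int, str]]:
    """Offsets of fs:[30h] reads together with the destination register."""
    hits = []
    for m in PEB_READ.finditer(code):
        raw = m.group(0)
        # raw[1] is the opcode after the FS prefix; raw[2] is the modrm byte
        # for the 8B form, whose reg field (bits 3..5) names the destination.
        reg = "eax" if raw[1] == 0xA1 else REG32[(raw[2] >> 3) & 7]
        hits.append((m.start(), reg))
    return hits


def find_vm_artifact_strings(code: bytes) -> list[tuple[str, str]]:
    """Case-insensitive search for each marker as ASCII and as UTF-16LE."""
    # bytes.lower() only touches ASCII bytes, so UTF-16LE text made of ASCII
    # characters still compares equal to the lower-cased UTF-16LE marker.
    lowered = code.lower()
    found = []
    for marker in VM_MARKERS:
        if marker.encode("ascii") in lowered:
            found.append((marker, "ascii"))
        if marker.encode("utf-16-le") in lowered:
            found.append((marker, "utf-16le"))
    return found


def scan(code: bytes) -> dict:
    """All three checks in one pass, keyed by finding type."""
    return {
        "rdtsc_pairs": find_rdtsc_pairs(code),
        "peb_reads": find_peb_reads(code),
        "vm_strings": find_vm_artifact_strings(code),
    }


# Constructed blob (not bytes from the sample): the report's rdtsc sequence,
# the two PEB-read forms it lists, the Qemu-ga path, and one UTF-16LE marker.
RDTSC_SEQ = bytes.fromhex("0f31 31c9 01c1 0f31")  # rdtsc; xor ecx,ecx; add ecx,eax; rdtsc
SAMPLE_BLOB = (
    b"\x90" * 8
    + RDTSC_SEQ
    + b"\x90" * 5
    + bytes.fromhex("64a130000000")    # mov eax, dword ptr fs:[30h]
    + b"\xcc" * 3
    + bytes.fromhex("648b0d30000000")  # mov ecx, dword ptr fs:[30h]
    + b"\x00" * 4
    + b"C:\\Program Files\\Qemu-ga\\qemu-ga.exe\x00"
    + "VMware".encode("utf-16-le")
)

if __name__ == "__main__":
    for key, hits in scan(SAMPLE_BLOB).items():
        print(f"{key}: {hits}")
```

      Feed it the .text section of the dropped or unpacked payload rather than the packed GuLoader stub, since the stub decrypts its second stage at runtime. A lone rdtsc pair is noisy in legitimate timing code; rdtsc pairs and fs:[30h] reads in the same region are the stronger indicator. The NtSetInformationThread call listed under Anti Debugging passes 00000011 as its second argument, which is ThreadHideFromDebugger; that is runtime behaviour a static byte scan does not see, so pair this scan with the sandbox's API trace.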

      Anti Debugging:

      Contains functionality to hide a thread from the debugger
      Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 1_2_022D86B3 NtSetInformationThread 000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000040,022D090E,00000000,00000000,00000000 1_2_022D86B3
      Hides threads from debuggers
      Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Thread information set: HideFromDebugger
      Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Thread information set: HideFromDebugger
      Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Thread information set: HideFromDebugger
      Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Process queried: DebugPort
      Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Process queried: DebugPort
      Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Process queried: DebugPort
      Source: C:\Windows\SysWOW64\cmd.exe | Process queried: DebugPort
      Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 1_2_022D86B3 rdtsc 1_2_022D86B3
      Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 1_2_022D562F LdrInitializeThunk, 1_2_022D562F
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_00172258 IsDebuggerPresent, 14_2_00172258
      Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 1_2_022D86B3 mov eax, dword ptr fs:[00000030h] 1_2_022D86B3
      Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 1_2_022D23B6 mov eax, dword ptr fs:[00000030h] 1_2_022D23B6
      Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 1_2_022D41B2 mov eax, dword ptr fs:[00000030h] 1_2_022D41B2
      Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 1_2_022D86DF mov eax, dword ptr fs:[00000030h] 1_2_022D86DF
      Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 1_2_022D874B mov eax, dword ptr fs:[00000030h] 1_2_022D874B
      Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 1_2_022D878B mov eax, dword ptr fs:[00000030h] 1_2_022D878B
      Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 1_2_022D2B4E mov eax, dword ptr fs:[00000030h] 1_2_022D2B4E
      Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 1_2_022D2EF7 mov eax, dword ptr fs:[00000030h] 1_2_022D2EF7
      Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 1_2_022D2EC7 mov eax, dword ptr fs:[00000030h] 1_2_022D2EC7
      Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 1_2_022D6D7F mov eax, dword ptr fs:[00000030h] 1_2_022D6D7F
      Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 1_2_022D7955 mov eax, dword ptr fs:[00000030h] 1_2_022D7955
      Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 11_2_1E3E4A2C mov eax, dword ptr fs:[00000030h] 11_2_1E3E4A2C
      Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 11_2_1E3E4A2C mov eax, dword ptr fs:[00000030h] 11_2_1E3E4A2C
      Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 11_2_1E434257 mov eax, dword ptr fs:[00000030h] 11_2_1E434257
      Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 11_2_1E3AE620 mov eax, dword ptr fs:[00000030h] 11_2_1E3AE620
      Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 11_2_1E3C3A1C mov eax, dword ptr fs:[00000030h] 11_2_1E3C3A1C
      Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 11_2_1E3DA61C mov eax, dword ptr fs:[00000030h] 11_2_1E3DA61C
      Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 11_2_1E3DA61C mov eax, dword ptr fs:[00000030h] 11_2_1E3DA61C
      Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 11_2_1E45B260 mov eax, dword ptr fs:[00000030h] 11_2_1E45B260
      Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 11_2_1E45B260 mov eax, dword ptr fs:[00000030h] 11_2_1E45B260
      Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 11_2_1E478A62 mov eax, dword ptr fs:[00000030h] 11_2_1E478A62
      Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 11_2_1E3A5210 mov eax, dword ptr fs:[00000030h] 11_2_1E3A5210
      Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 11_2_1E3A5210 mov ecx, dword ptr fs:[00000030h] 11_2_1E3A5210
      Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 11_2_1E3A5210 mov eax, dword ptr fs:[00000030h] 11_2_1E3A5210
      Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 11_2_1E3A5210 mov eax, dword ptr fs:[00000030h] 11_2_1E3A5210
      Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 11_2_1E3AAA16 mov eax, dword ptr fs:[00000030h] 11_2_1E3AAA16
      Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 11_2_1E3AAA16 mov eax, dword ptr fs:[00000030h] 11_2_1E3AAA16
      Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 11_2_1E3B8A0A mov eax, dword ptr fs:[00000030h] 11_2_1E3B8A0A
      Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 11_2_1E3AC600 mov eax, dword ptr fs:[00000030h] 11_2_1E3AC600
      Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 11_2_1E3AC600 mov eax, dword ptr fs:[00000030h] 11_2_1E3AC600
      Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 11_2_1E3AC600 mov eax, dword ptr fs:[00000030h] 11_2_1E3AC600
      Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 11_2_1E3D8E00 mov eax, dword ptr fs:[00000030h] 11_2_1E3D8E00
      Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 11_2_1E3E927A mov eax, dword ptr fs:[00000030h] 11_2_1E3E927A
      Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 11_2_1E461608 mov eax, dword ptr fs:[00000030h] 11_2_1E461608
      Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 11_2_1E3CAE73 mov eax, dword ptr fs:[00000030h] 11_2_1E3CAE73
      Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 11_2_1E3CAE73 mov eax, dword ptr fs:[00000030h] 11_2_1E3CAE73
      Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 11_2_1E3CAE73 mov eax, dword ptr fs:[00000030h] 11_2_1E3CAE73
      Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 11_2_1E3CAE73 mov eax, dword ptr fs:[00000030h] 11_2_1E3CAE73
      Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 11_2_1E3CAE73 mov eax, dword ptr fs:[00000030h] 11_2_1E3CAE73
      Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 11_2_1E3B766D mov eax, dword ptr fs:[00000030h] 11_2_1E3B766D
      Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 11_2_1E3A9240 mov eax, dword ptr fs:[00000030h] 11_2_1E3A9240
      Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 11_2_1E3A9240 mov eax, dword ptr fs:[00000030h] 11_2_1E3A9240
      Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 11_2_1E3A9240 mov eax, dword ptr fs:[00000030h] 11_2_1E3A9240
      Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 11_2_1E3A9240 mov eax, dword ptr fs:[00000030h] 11_2_1E3A9240
      Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 11_2_1E45FE3F mov eax, dword ptr fs:[00000030h] 11_2_1E45FE3F
      Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 11_2_1E3B7E41 mov eax, dword ptr fs:[00000030h] 11_2_1E3B7E41
      Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 11_2_1E3B7E41 mov eax, dword ptr fs:[00000030h] 11_2_1E3B7E41
      Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 11_2_1E3B7E41 mov eax, dword ptr fs:[00000030h] 11_2_1E3B7E41
      Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 11_2_1E3B7E41 mov eax, dword ptr fs:[00000030h] 11_2_1E3B7E41
      Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 11_2_1E3B7E41 mov eax, dword ptr fs:[00000030h] 11_2_1E3B7E41
      Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 11_2_1E3B7E41 mov eax, dword ptr fs:[00000030h] 11_2_1E3B7E41
      Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 11_2_1E45FEC0 mov eax, dword ptr fs:[00000030h] 11_2_1E45FEC0
      Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 11_2_1E3BAAB0 mov eax, dword ptr fs:[00000030h] 11_2_1E3BAAB0
      Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 11_2_1E3BAAB0 mov eax, dword ptr fs:[00000030h] 11_2_1E3BAAB0
      Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 11_2_1E3DFAB0 mov eax, dword ptr fs:[00000030h] 11_2_1E3DFAB0
      Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 11_2_1E478ED6 mov eax, dword ptr fs:[00000030h] 11_2_1E478ED6
      Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 11_2_1E3A52A5 mov eax, dword ptr fs:[00000030h] 11_2_1E3A52A5
      Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 11_2_1E3A52A5 mov eax, dword ptr fs:[00000030h] 11_2_1E3A52A5
      Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 11_2_1E3A52A5 mov eax, dword ptr fs:[00000030h] 11_2_1E3A52A5
      Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 11_2_1E3A52A5 mov eax, dword ptr fs:[00000030h] 11_2_1E3A52A5
      Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 11_2_1E3A52A5 mov eax, dword ptr fs:[00000030h] 11_2_1E3A52A5
      Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 11_2_1E3DD294 mov eax, dword ptr fs:[00000030h] 11_2_1E3DD294
      Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 11_2_1E3DD294 mov eax, dword ptr fs:[00000030h] 11_2_1E3DD294
      Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 11_2_1E43FE87 mov eax, dword ptr fs:[00000030h] 11_2_1E43FE87
      Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 11_2_1E3B76E2 mov eax, dword ptr fs:[00000030h] 11_2_1E3B76E2
      Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 11_2_1E3D2AE4 mov eax, dword ptr fs:[00000030h] 11_2_1E3D2AE4
      Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 11_2_1E3D16E0 mov ecx, dword ptr fs:[00000030h] 11_2_1E3D16E0
      Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 11_2_1E470EA5 mov eax, dword ptr fs:[00000030h] 11_2_1E470EA5
      Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 11_2_1E470EA5 mov eax, dword ptr fs:[00000030h] 11_2_1E470EA5
      Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 11_2_1E470EA5 mov eax, dword ptr fs:[00000030h] 11_2_1E470EA5
      Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 11_2_1E4246A7 mov eax, dword ptr fs:[00000030h] 11_2_1E4246A7
      Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 11_2_1E3D36CC mov eax, dword ptr fs:[00000030h] 11_2_1E3D36CC
      Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 11_2_1E3D2ACB mov eax, dword ptr fs:[00000030h] 11_2_1E3D2ACB
      Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 11_2_1E3E8EC7 mov eax, dword ptr fs:[00000030h] 11_2_1E3E8EC7
      Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 11_2_1E3DE730 mov eax, dword ptr fs:[00000030h] 11_2_1E3DE730
      Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 11_2_1E3A4F2E mov eax, dword ptr fs:[00000030h] 11_2_1E3A4F2E
      Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 11_2_1E3A4F2E mov eax, dword ptr fs:[00000030h] 11_2_1E3A4F2E
      Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 11_2_1E478B58 mov eax, dword ptr fs:[00000030h] 11_2_1E478B58
      Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 11_2_1E3CF716 mov eax, dword ptr fs:[00000030h] 11_2_1E3CF716
      Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 11_2_1E478F6A mov eax, dword ptr fs:[00000030h] 11_2_1E478F6A
      Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 11_2_1E3DA70E mov eax, dword ptr fs:[00000030h] 11_2_1E3DA70E
      Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 11_2_1E3DA70E mov eax, dword ptr fs:[00000030h] 11_2_1E3DA70E
      Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 11_2_1E3D3B7A mov eax, dword ptr fs:[00000030h] 11_2_1E3D3B7A
      Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 11_2_1E3D3B7A mov eax, dword ptr fs:[00000030h] 11_2_1E3D3B7A
      Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 11_2_1E47070D mov eax, dword ptr fs:[00000030h] 11_2_1E47070D
      Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 11_2_1E47070D mov eax, dword ptr fs:[00000030h] 11_2_1E47070D
      Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 11_2_1E43FF10 mov eax, dword ptr fs:[00000030h] 11_2_1E43FF10
      Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 11_2_1E43FF10 mov eax, dword ptr fs:[00000030h] 11_2_1E43FF10
      Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 11_2_1E3ADB60 mov ecx, dword ptr fs:[00000030h] 11_2_1E3ADB60
      Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 11_2_1E3BFF60 mov eax, dword ptr fs:[00000030h] 11_2_1E3BFF60
      Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 11_2_1E46131B mov eax, dword ptr fs:[00000030h] 11_2_1E46131B
      Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 11_2_1E3AF358 mov eax, dword ptr fs:[00000030h] 11_2_1E3AF358
      Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 11_2_1E3ADB40 mov eax, dword ptr fs:[00000030h] 11_2_1E3ADB40
      Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 11_2_1E3BEF40 mov eax, dword ptr fs:[00000030h] 11_2_1E3BEF40
      Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 11_2_1E4253CA mov eax, dword ptr fs:[00000030h] 11_2_1E4253CA
      Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 11_2_1E4253CA mov eax, dword ptr fs:[00000030h] 11_2_1E4253CA
      Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 11_2_1E3D4BAD mov eax, dword ptr fs:[00000030h] 11_2_1E3D4BAD
      Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 11_2_1E3D4BAD mov eax, dword ptr fs:[00000030h] 11_2_1E3D4BAD
      Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 11_2_1E3D4BAD mov eax, dword ptr fs:[00000030h] 11_2_1E3D4BAD
      Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 11_2_1E3D2397 mov eax, dword ptr fs:[00000030h] 11_2_1E3D2397
      Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 11_2_1E3DB390 mov eax, dword ptr fs:[00000030h] 11_2_1E3DB390
      Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 11_2_1E3B8794 mov eax, dword ptr fs:[00000030h] 11_2_1E3B8794
      Source: C:\Users\user\Des