
Analysis Report AWB# 9284730932.exe

Overview

General Information

Sample Name: AWB# 9284730932.exe
Analysis ID: 320390
MD5: e69d0c42f97a007fb131b35cb8a4d7b8
SHA1: 43ca208070bb88754a1d8626ea0ef596a6db1f72
SHA256: 6e8b2b06ac2b8447aec7075c5c58edbe5a5377d74c9443e5caf9f379f53a8b6d
Tags: DHL, exe, GuLoader


Detection

FormBook, GuLoader
Score: 100 (range: 0 - 100)
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Potential malicious icon found
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
Yara detected Generic Dropper
Yara detected GuLoader
Contains functionality to hide a thread from the debugger
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Hides threads from debuggers
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected VB6 Downloader Generic
Abnormal high CPU Usage
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to communicate with device drivers
Contains functionality to launch a process as a different user
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found potential string decryption / allocating functions
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains strange resources
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Startup

  • System is w10x64
  • AWB# 9284730932.exe (PID: 5536 cmdline: 'C:\Users\user\Desktop\AWB# 9284730932.exe' MD5: E69D0C42F97A007FB131B35CB8A4D7B8)
    • AWB# 9284730932.exe (PID: 6252 cmdline: 'C:\Users\user\Desktop\AWB# 9284730932.exe' MD5: E69D0C42F97A007FB131B35CB8A4D7B8)
      • explorer.exe (PID: 3472 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • cmd.exe (PID: 6656 cmdline: C:\Windows\SysWOW64\cmd.exe MD5: F3BDBE3BB6F734E357235F4D5898582D)
          • cmd.exe (PID: 6676 cmdline: /c del 'C:\Users\user\Desktop\AWB# 9284730932.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 6684 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
0000000B.00000002.373125113.000000001E150000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
0000000B.00000002.373125113.000000001E150000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b317:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c31a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000B.00000002.373125113.000000001E150000.00000040.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x183f9:$sqlite3step: 68 34 1C 7B E1
  • 0x1850c:$sqlite3step: 68 34 1C 7B E1
  • 0x18428:$sqlite3text: 68 38 2A 90 C5
  • 0x1854d:$sqlite3text: 68 38 2A 90 C5
  • 0x1843b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x18563:$sqlite3blob: 68 53 D8 7F 8C
0000000B.00000002.373146227.000000001E180000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
0000000B.00000002.373146227.000000001E180000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b317:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c31a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
(The report lists 15 memory-dump matches in total; the remaining entries are not shown here.)
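
The hex strings in the table are the actual bytes the community rules key on, and they are short enough to reuse directly. `$sequence_0` (03 C8 0F 31 2B C1 89 45 FC) disassembles to `add ecx,eax ; rdtsc ; sub eax,ecx ; mov [ebp-4],eax`, i.e. the RDTSC delta measurement the report flags under "Tries to detect virtualization through RDTSC time measurements". Each JPCERT `$sqlite3*` string is a 5-byte `push imm32` (opcode 68); FormBook refers to APIs by hashed name instead of importing them, which is why a constant like that stays stable across builds. The scanner below is an added example, not the published rules or Joe Sandbox code: it searches a constructed stand-in for a memory dump for the report's patterns, decodes the push immediates, and emits my own equivalent YARA rule text for use with yara or yara-python.

```python
# Byte patterns copied from the Yara string hits listed in the report above.
PATTERNS = {
    "signator_sequence_0": bytes.fromhex("03C80F312BC18945FC"),  # add/rdtsc/sub/mov
    "jpcert_sqlite3step":  bytes.fromhex("68341C7BE1"),          # push 0xE17B1C34
    "jpcert_sqlite3text":  bytes.fromhex("68382A90C5"),          # push 0xC5902A38
    "jpcert_sqlite3blob":  bytes.fromhex("6853D87F8C"),          # push 0x8C7FD853
}


def find_all(buf, pat):
    """All offsets of pat in buf, overlapping hits included."""
    out, i = [], buf.find(pat)
    while i != -1:
        out.append(i)
        i = buf.find(pat, i + 1)
    return out


def scan(buf):
    """Map each pattern name to the offsets at which it occurs in buf."""
    return {name: find_all(buf, pat) for name, pat in PATTERNS.items()}


def matches(hits):
    """Same condition as yara_rule(): the rdtsc sequence, or two of the sqlite3 pushes."""
    sqlite_hits = sum(1 for n, offs in hits.items() if n.startswith("jpcert_") and offs)
    return bool(hits["signator_sequence_0"]) or sqlite_hits >= 2


def push_imm32(pat):
    """Decode the little-endian immediate of a 'push imm32' (opcode 0x68) pattern."""
    if len(pat) != 5 or pat[0] != 0x68:
        raise ValueError("not a push imm32 pattern")
    return int.from_bytes(pat[1:], "little")


def yara_rule(name="formbook_report_strings"):
    """Emit an equivalent YARA rule (my own condition, not the published rules)."""
    lines = [f"rule {name} {{", "  strings:"]
    for n, p in PATTERNS.items():
        lines.append(f"    ${n} = {{ {p.hex(' ').upper()} }}")
    lines += ["  condition:", "    $signator_sequence_0 or 2 of ($jpcert_*)", "}"]
    return "\n".join(lines)


# Constructed stand-in for an .sdmp region: the rdtsc sequence at two sites (the
# report shows it twice per dump) and two of the three sqlite3 pushes.
_dump = bytearray(b"\x00" * 0x400)
_dump[0x100:0x109] = PATTERNS["signator_sequence_0"]
_dump[0x200:0x209] = PATTERNS["signator_sequence_0"]
_dump[0x300:0x305] = PATTERNS["jpcert_sqlite3step"]
_dump[0x310:0x315] = PATTERNS["jpcert_sqlite3text"]
SAMPLE_DUMP = bytes(_dump)


if __name__ == "__main__":
    hits = scan(SAMPLE_DUMP)
    for name, offs in hits.items():
        print(f"{name}: {[hex(o) for o in offs]}")
    print("verdict:", "FormBook strings present" if matches(hits) else "no match")
    print(yara_rule())
```

On a real dump the `2 of ($jpcert_*)` condition is what keeps a lone `push` constant from firing on unrelated code; the rdtsc sequence alone is a weaker indicator, since the same four instructions appear in other packers' timing checks.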

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Antivirus detection for URL or domain
Source: https://lifeandhealth.com.mx/graceofgod/floow_tAAkniYUly238.bin | Avira URL Cloud: Label: malware
Multi AV Scanner detection for submitted file
Source: AWB# 9284730932.exe | Virustotal: Detection: 28%
Source: AWB# 9284730932.exe | ReversingLabs: Detection: 22%
Yara detected FormBook
Source: Yara match | File source: 0000000B.00000002.373125113.000000001E150000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.373146227.000000001E180000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.501858309.0000000002F20000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.501396069.0000000000520000.00000004.00000001.sdmp, type: MEMORY
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_0016245C FindFirstFileW,FindClose,memcpy,_wcsnicmp,_wcsicmp,memmove,
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_0015B89C GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,FindClose,memset,??_V@YAXPAX@Z,FindNextFileW,SetLastError,??_V@YAXPAX@Z,GetLastError,FindClose,
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_001668BA FindFirstFileExW,GetLastError,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapReAlloc,FindNextFileW,FindClose,GetLastError,FindClose,
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_001731DC FindFirstFileW,FindNextFileW,FindClose,
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_001585EA memset,FindFirstFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,??_V@YAXPAX@Z,GetLastError,SetFileAttributesW,_wcsnicmp,GetFullPathNameW,SetLastError,GetLastError,SetFileAttributesW,
Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 11_2_00569440 InternetReadFile,
Source: unknown | DNS traffic detected: queries for: lifeandhealth.com.mx
(The font-vendor URLs below were read from explorer.exe's own memory region 0000000D.00000000.353751976.000000000BC36000, where font metadata resides; they are not indicators from the sample. The lifeandhealth.com.mx URL, found in the sample itself and resolved via DNS, is.)
Source: explorer.exe, 0000000D.00000000.353751976.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: explorer.exe, 0000000D.00000000.353751976.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 0000000D.00000000.353751976.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 0000000D.00000000.353751976.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 0000000D.00000000.353751976.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 0000000D.00000000.353751976.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 0000000D.00000000.353751976.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 0000000D.00000000.353751976.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: explorer.exe, 0000000D.00000000.353751976.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 0000000D.00000000.353751976.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 0000000D.00000000.353751976.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 0000000D.00000000.353751976.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 0000000D.00000000.353751976.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 0000000D.00000000.353751976.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 0000000D.00000000.353751976.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 0000000D.00000000.353751976.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 0000000D.00000000.353751976.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 0000000D.00000000.353751976.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 0000000D.00000000.353751976.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 0000000D.00000000.353751976.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 0000000D.00000000.353751976.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 0000000D.00000000.353751976.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 0000000D.00000000.353751976.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 0000000D.00000000.353751976.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 0000000D.00000000.353751976.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 0000000D.00000000.353751976.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: AWB# 9284730932.exe | String found in binary or memory: https://lifeandhealth.com.mx/graceofgod/floow_tAAkniYUly238.bin
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown | Network traffic detected: HTTP traffic on port 49720 -> 443
Source: AWB# 9284730932.exe, 00000001.00000002.306925484.000000000072A000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
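
The JA3 line above ("seen in connection with other malware") is only useful if you can compute the same value from your own traffic, so here is how the fingerprint is derived from a ClientHello. This is an added example, not Joe Sandbox code, and it does not reproduce the report's hash 37f463bf4616ecd445d4a1937da06e19 (the capture is not on the page): it serialises a constructed ClientHello whose SNI reuses the payload host from the report, parses it back, and builds the JA3 string `SSLVersion,Ciphers,Extensions,EllipticCurves,PointFormats` with GREASE values removed, then MD5s it. Cipher suites, extensions and groups in the sample are assumptions chosen for illustration.

```python
import hashlib


def _vec(data, size):
    """Length-prefixed vector as used throughout the TLS wire format."""
    return len(data).to_bytes(size, "big") + data


def _u16s(values):
    return b"".join(v.to_bytes(2, "big") for v in values)


def build_client_hello(ciphers, extensions, random=bytes(range(32))):
    """Serialise a minimal TLS ClientHello record (constructed, not captured)."""
    body = (b"\x03\x03" + random + _vec(b"", 1)            # version, random, empty session id
            + _vec(_u16s(ciphers), 2) + _vec(b"\x00", 1)   # cipher suites, compression = null
            + _vec(b"".join(t.to_bytes(2, "big") + _vec(d, 2) for t, d in extensions), 2))
    handshake = b"\x01" + _vec(body, 3)                    # HandshakeType client_hello
    return b"\x16\x03\x01" + _vec(handshake, 2)            # ContentType handshake


def is_grease(v):
    """RFC 8701 GREASE values (0x0a0a, 0x1a1a, ..., 0xfafa) are excluded from JA3."""
    return (v & 0x0F0F) == 0x0A0A and (v >> 8) == (v & 0xFF)


def parse_client_hello(record):
    """Return (version, ciphers, extension types, supported groups, point formats)."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS handshake record carrying a ClientHello")
    hs_len = int.from_bytes(record[6:9], "big")
    body = record[9:9 + hs_len]
    version = int.from_bytes(body[0:2], "big")
    pos = 2 + 32                                   # skip client random
    pos += 1 + body[pos]                           # session id
    cs_len = int.from_bytes(body[pos:pos + 2], "big")
    pos += 2
    ciphers = [int.from_bytes(body[i:i + 2], "big") for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    pos += 1 + body[pos]                           # compression methods
    exts, groups, formats = [], [], []
    if pos < len(body):
        end = pos + 2 + int.from_bytes(body[pos:pos + 2], "big")
        pos += 2
        while pos < end:
            etype = int.from_bytes(body[pos:pos + 2], "big")
            elen = int.from_bytes(body[pos + 2:pos + 4], "big")
            data = body[pos + 4:pos + 4 + elen]
            pos += 4 + elen
            exts.append(etype)
            if etype == 10:                        # supported_groups
                n = int.from_bytes(data[0:2], "big")
                groups = [int.from_bytes(data[i:i + 2], "big") for i in range(2, 2 + n, 2)]
            elif etype == 11:                      # ec_point_formats (1 byte each)
                formats = list(data[1:1 + data[0]])
    return version, ciphers, exts, groups, formats


def ja3_string(record):
    version, ciphers, exts, groups, formats = parse_client_hello(record)
    keep = lambda xs: "-".join(str(x) for x in xs if not is_grease(x))
    return ",".join([str(version), keep(ciphers), keep(exts), keep(groups),
                     "-".join(str(f) for f in formats)])


def ja3_hash(record):
    return hashlib.md5(ja3_string(record).encode()).hexdigest()


GREASE = 0x0A0A


def sni(hostname):
    """server_name extension body: one host_name entry."""
    return _vec(b"\x00" + _vec(hostname, 2), 2)


# Constructed ClientHello (assumed suites/extensions; SNI is the report's payload host).
SAMPLE_HELLO = build_client_hello(
    ciphers=[GREASE, 0xC02B, 0xC02F, 0x009C],
    extensions=[
        (GREASE, b""),
        (0x0000, sni(b"lifeandhealth.com.mx")),
        (0x0017, b""),                                    # extended_master_secret
        (0x000A, _vec(_u16s([GREASE, 29, 23]), 2)),       # x25519, secp256r1
        (0x000B, _vec(b"\x00", 1)),                       # uncompressed points
    ],
)

if __name__ == "__main__":
    print(ja3_string(SAMPLE_HELLO))
    print(ja3_hash(SAMPLE_HELLO))
```

Two things matter when you compare against a published JA3: GREASE values must be dropped (otherwise Chrome-style clients produce a different hash on every connection), and the ordering of suites and extensions is preserved as sent, which is exactly what makes a malware's hand-rolled TLS stack distinguishable from a browser's.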

E-Banking Fraud:

Yara detected FormBook
Source: Yara match | File source: 0000000B.00000002.373125113.000000001E150000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.373146227.000000001E180000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.501858309.0000000002F20000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.501396069.0000000000520000.00000004.00000001.sdmp, type: MEMORY

System Summary:

Malicious sample detected (through community Yara rule)
Source: 0000000B.00000002.373125113.000000001E150000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000B.00000002.373125113.000000001E150000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 0000000B.00000002.373146227.000000001E180000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000B.00000002.373146227.000000001E180000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 0000000E.00000002.500985638.000000000025D000.00000004.00000020.sdmp, type: MEMORY | Matched rule: Auto-generated rule - file scan copy.pdf.r11 | Author: Florian Roth
Source: 0000000E.00000002.501858309.0000000002F20000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000E.00000002.501858309.0000000002F20000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 0000000E.00000002.503105850.000000000383F000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Auto-generated rule - file scan copy.pdf.r11 | Author: Florian Roth
Source: 0000000E.00000002.501396069.0000000000520000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000E.00000002.501396069.0000000000520000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Potential malicious icon found
Source: initial sample | Icon embedded in PE file: bad icon match: 20047c7c70f0e004
Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Process Stats: CPU usage > 98%
Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 1_2_022D86B3 NtSetInformationThread,
Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 1_2_022D0782 EnumWindows,NtSetInformationThread,
Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 1_2_022D0A8B NtSetInformationThread,NtWriteVirtualMemory,TerminateProcess,
Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 1_2_022D8E42 NtProtectVirtualMemory,
Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 1_2_022D365C NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 1_2_022D9440 NtResumeThread,
Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 1_2_022D23B6 NtSetInformationThread,
Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 1_2_022D80E3 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 1_2_022D082B NtSetInformationThread,
Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 1_2_022D085F NtSetInformationThread,
Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 1_2_022D08BB NtSetInformationThread,
Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 1_2_022D08FB NtSetInformationThread,
Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 1_2_022D0953 NtSetInformationThread,
Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 1_2_022D4C71 NtWriteVirtualMemory,LoadLibraryA,
Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 1_2_022D963B NtResumeThread,
Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 1_2_022D9607 NtResumeThread,
Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 1_2_022D96DB NtResumeThread,
Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 1_2_022D36D3 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 1_2_022D977B NtResumeThread,
Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 1_2_022D974B NtResumeThread,
Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 1_2_022D3754 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 1_2_022D37B8 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 1_2_022D97B0 NtResumeThread,
Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 1_2_022D9473 NtResumeThread,
Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 1_2_022D94D7 NtResumeThread,
Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 1_2_022D9567 NtResumeThread,
Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 1_2_022D3A90 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 1_2_022D3ADF NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 1_2_022D3B4C NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 1_2_022D983B NtResumeThread,
Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 1_2_022D3812 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 1_2_022D3873 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 1_2_022D98B4 NtResumeThread,
Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 1_2_022D38B3 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 1_2_022D3914 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 1_2_022D3978 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 1_2_022D99AF NtResumeThread,
Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 1_2_022D3C7F NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 1_2_022D3CD7 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 1_2_022D3D87 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 11_2_1E3E9A20 NtResumeThread,LdrInitializeThunk,
Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 11_2_1E3E9A00 NtProtectVirtualMemory,LdrInitializeThunk,
Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 11_2_1E3E9660 NtAllocateVirtualMemory,LdrInitializeThunk,
Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 11_2_1E3E9A50 NtCreateFile,LdrInitializeThunk,
Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 11_2_1E3E96E0 NtFreeVirtualMemory,LdrInitializeThunk,
Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 11_2_1E3E9710 NtQueryInformationToken,LdrInitializeThunk,
Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 11_2_1E3E97A0 NtUnmapViewOfSection,LdrInitializeThunk,
Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 11_2_1E3E9780 NtMapViewOfSection,LdrInitializeThunk,
Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 11_2_1E3E9860 NtQuerySystemInformation,LdrInitializeThunk,
Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 11_2_1E3E9840 NtDelayExecution,LdrInitializeThunk,
Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 11_2_1E3E98F0 NtReadVirtualMemory,LdrInitializeThunk,
Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 11_2_1E3E9910 NtAdjustPrivilegesToken,LdrInitializeThunk,
Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 11_2_1E3E9540 NtReadFile,LdrInitializeThunk,
Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 11_2_1E3E99A0 NtCreateSection,LdrInitializeThunk,
Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 11_2_1E3E95D0 NtClose,LdrInitializeThunk,
Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 11_2_1E3E9610 NtEnumerateValueKey,
Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 11_2_1E3E9A10 NtQuerySection,
Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 11_2_1E3E9670 NtQueryInformationProcess,
Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 11_2_1E3E9650 NtQueryValueKey,
Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 11_2_1E3E9A80 NtOpenDirectoryObject,
Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 11_2_1E3E96D0 NtCreateKey,
Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 11_2_1E3E9730 NtQueryVirtualMemory,
Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 11_2_1E3EA710 NtOpenProcessToken,
Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 11_2_1E3E9B00 NtSetValueKey,
Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 11_2_1E3E9770 NtSetInformationFile,
Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 11_2_1E3EA770 NtOpenThread,
Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 11_2_1E3E9760 NtOpenProcess,
Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 11_2_1E3EA3B0 NtGetContextThread,
Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 11_2_1E3E9FE0 NtCreateMutant,
Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 11_2_1E3E9820 NtEnumerateKey,
Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 11_2_1E3EB040 NtSuspendThread,
Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 11_2_1E3E98A0 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 11_2_1E3EAD30 NtSetContextThread,
Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 11_2_1E3E9520 NtWaitForSingleObject,
Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 11_2_1E3E9560 NtWriteFile,
Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 11_2_1E3E9950 NtQueueApcThread,
Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 11_2_1E3E95F0 NtQueryInformationFile,
Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 11_2_1E3E99D0 NtCreateProcessEx,
Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 11_2_00563104 TerminateThread,LdrInitializeThunk,NtProtectVirtualMemory,
Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 11_2_00563198 RtlAddVectoredExceptionHandler,NtProtectVirtualMemory,LdrInitializeThunk,NtProtectVirtualMemory,
Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 11_2_0056431B Sleep,NtProtectVirtualMemory,
Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 11_2_0056447A LdrInitializeThunk,NtProtectVirtualMemory,
Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 11_2_00568E42 NtProtectVirtualMemory,
Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 11_2_0056308C TerminateThread,LdrInitializeThunk,NtProtectVirtualMemory,
Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 11_2_0056318B LdrInitializeThunk,NtProtectVirtualMemory,
Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 11_2_005643C6 NtProtectVirtualMemory,
Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 11_2_00564461 LdrInitializeThunk,NtProtectVirtualMemory,
Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 11_2_00564469 LdrInitializeThunk,NtProtectVirtualMemory,
Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 11_2_005644EF LdrInitializeThunk,NtProtectVirtualMemory,
Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 11_2_005644B3 LdrInitializeThunk,NtProtectVirtualMemory,
Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 11_2_00564587 LdrInitializeThunk,NtProtectVirtualMemory,
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_0015B42E NtOpenThreadToken,NtOpenProcessToken,NtClose,
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_001584BE NtQueryVolumeInformationFile,GetFileInformationByHandleEx,
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_001558A4 _setjmp3,NtQueryInformationProcess,NtSetInformationProcess,NtSetInformationProcess,longjmp,
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_0015B4C0 NtQueryInformationToken,
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_0015B4F8 NtQueryInformationToken,NtQueryInformationToken,
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_00176D90 EnterCriticalSection,LeaveCriticalSection,fprintf,fflush,TryAcquireSRWLockExclusive,NtCancelSynchronousIoFile,ReleaseSRWLockExclusive,_get_osfhandle,FlushConsoleInputBuffer,
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_0017B5E0 SetLastError,CreateDirectoryW,CreateFileW,RtlDosPathNameToNtPathName_U,memset,memcpy,memcpy,NtFsControlFile,RtlNtStatusToDosError,SetLastError,CloseHandle,RtlFreeHeap,RemoveDirectoryW,
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_00179AB4 NtSetInformationFile,
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_001583F2 RtlDosPathNameToRelativeNtPathName_U_WithStatus,NtOpenFile,RtlReleaseRelativeName,RtlFreeUnicodeString,CloseHandle,DeleteFileW,GetLastError,
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_030F9710 NtQueryInformationToken,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_030F9780 NtMapViewOfSection,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_030F9FE0 NtCreateMutant,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_030F9A50 NtCreateFile,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_030F96D0 NtCreateKey,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_030F96E0 NtFreeVirtualMemory,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_030F9910 NtAdjustPrivilegesToken,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_030F9540 NtReadFile,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_030F99A0 NtCreateSection,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_030F95D0 NtClose,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_030F9840 NtDelayExecution,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_030F9860 NtQuerySystemInformation,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_030F9B00 NtSetValueKey,
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_030FA710 NtOpenProcessToken,
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_030EE730 NtQueryInformationProcess,
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_030B9335 NtClose,NtClose,
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_030F9730 NtQueryVirtualMemory,
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_030F7742 NtAllocateVirtualMemory,
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_030F9760 NtOpenProcess,
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_03137365 NtQuerySystemInformation,
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_0314176C NtWaitForSingleObject,NtClose,
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_0317FF69 NtQueryVirtualMemory,
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_030F9770 NtSetInformationFile,
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_030FA770 NtOpenThread,
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_030C8F87 NtProtectVirtualMemory,NtProtectVirtualMemory,
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_0313FB88 NtProtectVirtualMemory,
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_030F97A0 NtUnmapViewOfSection,
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_030BA7B0 NtClose,NtClose,
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_03185BA5 NtQueryInformationToken,
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_030FA3B0 NtGetContextThread,
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_0317AFDE NtFreeVirtualMemory,
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_0317F7DD NtFreeVirtualMemory,
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_030BF7C0 NtClose,
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_03166BEA NtQueryVirtualMemory,
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_030BC600 NtQueryValueKey,NtQueryValueKey,
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_030F9A00 NtProtectVirtualMemory,
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_030F2E1C NtDelayExecution,
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_0317F209 NtFreeVirtualMemory,NtFreeVirtualMemory,
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_030F9610 NtEnumerateValueKey,
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_030F9A10 NtQuerySection,
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_030BE620 NtClose,
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_030F9A20 NtResumeThread,
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_0317EE22 NtFreeVirtualMemory,
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_030B9240 NtClose,NtClose,
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_03141242 NtUnmapViewOfSection,NtClose,NtClose,NtClose,NtClose,NtClose,
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_030F9650 NtQueryValueKey,
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_030EBE62 NtProtectVirtualMemory,
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_030F9660 NtAllocateVirtualMemory,
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_03137E63 NtProtectVirtualMemory,
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_030F9670 NtQueryInformationProcess,
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_0316BE9B NtAllocateVirtualMemory,
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_030F9A80 NtOpenDirectoryObject,
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_030B2E9F NtClose,
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_030ED294 NtClose,
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_030B52A5 NtClose,NtClose,NtClose,NtClose,
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_03180EA5 NtQueryVirtualMemory,
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_03141AD6 NtFreeVirtualMemory,
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_030D4120 NtClose,
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_030F9520 NtWaitForSingleObject,
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_0316FD22 NtQueryInformationProcess,
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_030C9136 NtProtectVirtualMemory,NtProtectVirtualMemory,NtProtectVirtualMemory,
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_030EC532 NtProtectVirtualMemory,
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_030FAD30 NtSetContextThread,
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_030E0548 NtQueryVirtualMemory,
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_03181D55 NtFreeVirtualMemory,
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_03133540 NtQueryValueKey,NtClose,
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_030F9950 NtQueueApcThread,
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_03141570 NtQuerySystemInformation,NtClose,
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_030F9560 NtWriteFile,
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_030B2D8A NtWaitForSingleObject,
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_030CDD80 NtQueryVirtualMemory,
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_031419C8 NtCreateSection,NtMapViewOfSection,NtUnmapViewOfSection,NtClose,
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_030F99D0 NtCreateProcessEx,
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_0316BDFA NtAllocateVirtualMemory,
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_030F95F0 NtQueryInformationFile,
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_030F9820 NtEnumerateKey,
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_0314C450 NtAdjustPrivilegesToken,NtClose,NtClose,
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_030FB040 NtSuspendThread,
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_03141C49 NtQueryInformationProcess,
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_030D746D NtClose,
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_03141C76 NtQueryInformationProcess,
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_03141879 NtAllocateVirtualMemory,
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_03133884 NtQueryValueKey,NtQueryValueKey,
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_030F98A0 NtWriteVirtualMemory,
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_030BDCA4 NtEnumerateKey,NtClose,NtClose,
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_030EF0BF NtClose,NtClose,
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_0314B8D0 NtAdjustPrivilegesToken,NtAdjustPrivilegesToken,NtClose,NtClose,
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_0317F8C5 NtFreeVirtualMemory,
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_03137CF9 NtQueryVirtualMemory,
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_03141CE4 NtQueryInformationProcess,
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_030C80FC NtMapViewOfSection,NtUnmapViewOfSection,
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_030F98F0 NtReadVirtualMemory,
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_02F39E80 NtClose,
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_02F39E00 NtReadFile,
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_02F39D50 NtCreateFile,
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_02F39E7B NtReadFile,
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_02F39E7D NtClose,
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_02F39DA2 NtCreateFile,
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_00166550: memset,GetFileSecurityW,GetSecurityDescriptorOwner,??_V@YAXPAX@Z,memset,CreateFileW,DeviceIoControl,memcpy,CloseHandle,??_V@YAXPAX@Z,memset,??_V@YAXPAX@Z,FindClose,??_V@YAXPAX@Z,
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_0016374E InitializeProcThreadAttributeList,UpdateProcThreadAttribute,memset,memset,GetStartupInfoW,lstrcmpW,CreateProcessW,CloseHandle,GetLastError,GetLastError,DeleteProcThreadAttributeList,_local_unwind4,CreateProcessAsUserW,GetLastError,CloseHandle,
      Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: String function: 1E3AB150 appears 35 times
      Source: AWB# 9284730932.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
      Source: AWB# 9284730932.exe, 00000001.00000002.306371664.0000000000415000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameMorgenkvisten.exe vs AWB# 9284730932.exe
      Source: AWB# 9284730932.exe, 00000001.00000002.306907514.0000000000700000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameuser32j% vs AWB# 9284730932.exe
      Source: AWB# 9284730932.exe, 0000000B.00000002.368734106.00000000000ED000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameCmd.Exej% vs AWB# 9284730932.exe
      Source: AWB# 9284730932.exe, 0000000B.00000000.305549636.0000000000415000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameMorgenkvisten.exe vs AWB# 9284730932.exe
      Source: AWB# 9284730932.exe, 0000000B.00000002.373081614.000000001DEF0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameCRYPT32.DLL.MUIj% vs AWB# 9284730932.exe
      Source: AWB# 9284730932.exe, 0000000B.00000002.373626759.000000001E62F000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs AWB# 9284730932.exe
      Source: AWB# 9284730932.exe, 0000000B.00000002.373031499.000000001DDA0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemswsock.dll.muij% vs AWB# 9284730932.exe
      Source: AWB# 9284730932.exe | Binary or memory string: OriginalFilenameMorgenkvisten.exe vs AWB# 9284730932.exe
      Source: 0000000B.00000002.373125113.000000001E150000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
      Source: 0000000B.00000002.373125113.000000001E150000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
      Source: 0000000B.00000002.373146227.000000001E180000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
      Source: 0000000B.00000002.373146227.000000001E180000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
      Source: 0000000E.00000002.500985638.000000000025D000.00000004.00000020.sdmp, type: MEMORY | Matched rule: LokiBot_Dropper_Packed_R11_Feb18 date = 2018-02-14, hash1 = 3b248d40fd7acb839cc592def1ed7652734e0e5ef93368be3c36c042883a3029, author = Florian Roth, description = Auto-generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 0000000E.00000002.501858309.0000000002F20000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
      Source: 0000000E.00000002.501858309.0000000002F20000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
      Source: 0000000E.00000002.503105850.000000000383F000.00000004.00000001.sdmp, type: MEMORY | Matched rule: LokiBot_Dropper_Packed_R11_Feb18 date = 2018-02-14, hash1 = 3b248d40fd7acb839cc592def1ed7652734e0e5ef93368be3c36c042883a3029, author = Florian Roth, description = Auto-generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 0000000E.00000002.501396069.0000000000520000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
      Source: 0000000E.00000002.501396069.0000000000520000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
      Source: classification engine | Classification label: mal100.rans.troj.spyw.evad.winEXE@7/0@4/2
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_0015C5CA _get_osfhandle,GetConsoleScreenBufferInfo,WriteConsoleW,GetLastError,GetLastError,FormatMessageW,GetConsoleScreenBufferInfo,WriteConsoleW,GetStdHandle,FlushConsoleInputBuffer,GetConsoleMode,SetConsoleMode,_getch,SetConsoleMode,GetConsoleScreenBufferInfo,FillConsoleOutputCharacterW,SetConsoleCursorPosition,EnterCriticalSection,LeaveCriticalSection,exit,
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_0017A0D2 memset,GetDiskFreeSpaceExW,??_V@YAXPAX@Z,
      Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6684:120:WilError_01
      Source: AWB# 9284730932.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
      Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
      Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
      Source: C:\Users\user\Desktop\AWB# 9284730932.exe | File read: C:\Windows\System32\drivers\etc\hosts
      Source: C:\Users\user\Desktop\AWB# 9284730932.exe | File read: C:\Windows\System32\drivers\etc\hosts
      Source: C:\Windows\explorer.exe | File read: C:\Windows\System32\drivers\etc\hosts
      Source: C:\Windows\explorer.exe | File read: C:\Windows\System32\drivers\etc\hosts
      Source: AWB# 9284730932.exe | Virustotal: Detection: 28%
      Source: AWB# 9284730932.exe | ReversingLabs: Detection: 22%
      Source: unknown | Process created: C:\Users\user\Desktop\AWB# 9284730932.exe 'C:\Users\user\Desktop\AWB# 9284730932.exe'
      Source: unknown | Process created: C:\Users\user\Desktop\AWB# 9284730932.exe 'C:\Users\user\Desktop\AWB# 9284730932.exe'
      Source: unknown | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
      Source: unknown | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\AWB# 9284730932.exe'
      Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Process created: C:\Users\user\Desktop\AWB# 9284730932.exe 'C:\Users\user\Desktop\AWB# 9284730932.exe'
      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\AWB# 9284730932.exe'
      Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9FC8E510-A27C-4B3B-B9A3-BF65F00256A8}\InProcServer32
      Source: Binary string: wscui.pdbUGP source: explorer.exe, 0000000D.00000000.350047860.0000000006FE0000.00000002.00000001.sdmp
      Source: Binary string: cmd.pdbUGP source: AWB# 9284730932.exe, 0000000B.00000002.373852934.000000001E7F0000.00000040.00000001.sdmp, cmd.exe, 0000000E.00000002.500638252.0000000000150000.00000040.00000001.sdmp
      Source: Binary string: wntdll.pdbUGP source: AWB# 9284730932.exe, 0000000B.00000002.373424599.000000001E49F000.00000040.00000001.sdmp, cmd.exe, 0000000E.00000002.502312430.00000000031AF000.00000040.00000001.sdmp
      Source: Binary string: wntdll.pdb source: AWB# 9284730932.exe, cmd.exe
      Source: Binary string: cmd.pdb source: AWB# 9284730932.exe, 0000000B.00000002.373852934.000000001E7F0000.00000040.00000001.sdmp, cmd.exe
      Source: Binary string: wscui.pdb source: explorer.exe, 0000000D.00000000.350047860.0000000006FE0000.00000002.00000001.sdmp

      Data Obfuscation:

      Yara detected GuLoader
      Source: Yara match | File source: Process Memory Space: AWB# 9284730932.exe PID: 5536, type: MEMORY
      Source: Yara match | File source: Process Memory Space: AWB# 9284730932.exe PID: 6252, type: MEMORY
      Yara detected VB6 Downloader Generic
      Source: Yara match | File source: Process Memory Space: AWB# 9284730932.exe PID: 5536, type: MEMORY
      Source: Yara match | File source: Process Memory Space: AWB# 9284730932.exe PID: 6252, type: MEMORY
      Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 1_2_004126C5 push eax; ret
      Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 11_2_1E3FD0D1 push ecx; ret
      Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 11_2_0008E3E6 pushad ; ret
      Source: C:\Windows\explorer.exe | Code function: 13_2_0675B3E6 pushad ; ret
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_001676BD push ecx; ret
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_001676D1 push ecx; ret
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_0310D0D1 push ecx; ret
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_02F3DA9C push ebx; ret
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_02F2E3B0 push cs; iretd
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_02F3E35B pushad ; ret
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_02F36835 push ds; ret
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_02F37026 push cs; ret
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_02F3CEF2 push eax; ret
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_02F3CEFB push eax; ret
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_02F3CEA5 push eax; ret
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_02F3C631 push cs; iretd
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_02F3CF5C push eax; ret
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_02F3E41C push ebp; ret

      Hooking and other Techniques for Hiding and Protection:

      Modifies the prolog of user mode functions (user mode inline hooks)
      Source: explorer.exe | User mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x82 0x2E 0xE0
      Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOOPENFILEERRORBOX

      Malware Analysis System Evasion:

      Detected RDTSC dummy instruction sequence (likely for instruction hammering)
      Source: C:\Users\user\Desktop\AWB# 9284730932.exe | RDTSC instruction interceptor: First address: 00000000022D7DED second address: 00000000022D7DED instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a call 00007FA8D08F8CE8h 0x0000000f lfence 0x00000012 mov edx, dword ptr [7FFE0014h] 0x00000018 lfence 0x0000001b ret 0x0000001c sub edx, esi 0x0000001e ret 0x0000001f test dx, bx 0x00000022 jmp 00007FA8D08F8D12h 0x00000024 test eax, ecx 0x00000026 add edi, edx 0x00000028 test ax, dx 0x0000002b dec dword ptr [ebp+000000F8h] 0x00000031 test ebx, edx 0x00000033 cmp dword ptr [ebp+000000F8h], 00000000h 0x0000003a jne 00007FA8D08F8C8Eh 0x0000003c cmp ch, ch 0x0000003e call 00007FA8D08F8D70h 0x00000043 call 00007FA8D08F8CFAh 0x00000048 lfence 0x0000004b mov edx, dword ptr [7FFE0014h] 0x00000051 lfence 0x00000054 ret 0x00000055 mov esi, edx 0x00000057 pushad 0x00000058 rdtsc
      Tries to detect Any.run
      Source: C:\Users\user\Desktop\AWB# 9284730932.exe | File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
      Source: C:\Users\user\Desktop\AWB# 9284730932.exe | File opened: C:\Program Files\qga\qga.exe
      Source: C:\Users\user\Desktop\AWB# 9284730932.exe | File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
      Source: C:\Users\user\Desktop\AWB# 9284730932.exe | File opened: C:\Program Files\qga\qga.exe
      Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
      Source: AWB# 9284730932.exe | Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
      Source: AWB# 9284730932.exe, 00000001.00000002.306937352.0000000000741000.00000004.00000020.sdmp | Binary or memory string: \??\C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
      Tries to detect virtualization through RDTSC time measurements
      Source: C:\Users\user\Desktop\AWB# 9284730932.exe | RDTSC instruction interceptor: First address: 00000000022D7DED second address: 00000000022D7DED instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a call 00007FA8D08F8CE8h 0x0000000f lfence 0x00000012 mov edx, dword ptr [7FFE0014h] 0x00000018 lfence 0x0000001b ret 0x0000001c sub edx, esi 0x0000001e ret 0x0000001f test dx, bx 0x00000022 jmp 00007FA8D08F8D12h 0x00000024 test eax, ecx 0x00000026 add edi, edx 0x00000028 test ax, dx 0x0000002b dec dword ptr [ebp+000000F8h] 0x00000031 test ebx, edx 0x00000033 cmp dword ptr [ebp+000000F8h], 00000000h 0x0000003a jne 00007FA8D08F8C8Eh 0x0000003c cmp ch, ch 0x0000003e call 00007FA8D08F8D70h 0x00000043 call 00007FA8D08F8CFAh 0x00000048 lfence 0x0000004b mov edx, dword ptr [7FFE0014h] 0x00000051 lfence 0x00000054 ret 0x00000055 mov esi, edx 0x00000057 pushad 0x00000058 rdtsc
      Source: C:\Users\user\Desktop\AWB# 9284730932.exe | RDTSC instruction interceptor: First address: 00000000022D7E3F second address: 00000000022D7E3F instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e mov eax, 00000001h 0x00000013 cpuid 0x00000015 bt ecx, 1Fh 0x00000019 jc 00007FA8D0EDC089h 0x0000001f popad 0x00000020 call 00007FA8D0EDBB1Dh 0x00000025 lfence 0x00000028 rdtsc
      Source: C:\Users\user\Desktop\AWB# 9284730932.exe | RDTSC instruction interceptor: First address: 0000000000567E3F second address: 0000000000567E3F instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e mov eax, 00000001h 0x00000013 cpuid 0x00000015 bt ecx, 1Fh 0x00000019 jc 00007FA8D08F93E9h 0x0000001f popad 0x00000020 call 00007FA8D08F8E7Dh 0x00000025 lfence 0x00000028 rdtsc
      Source: C:\Users\user\Desktop\AWB# 9284730932.exe | RDTSC instruction interceptor: First address: 00000000004098E4 second address: 00000000004098EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
      Source: C:\Users\user\Desktop\AWB# 9284730932.exe | RDTSC instruction interceptor: First address: 0000000000409B5E second address: 0000000000409B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
      Source: C:\Windows\SysWOW64\cmd.exe | RDTSC instruction interceptor: First address: 0000000002F298E4 second address: 0000000002F298EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
      Source: C:\Windows\SysWOW64\cmd.exe | RDTSC instruction interceptor: First address: 0000000002F29B5E second address: 0000000002F29B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
      Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 1_2_022D86B3 rdtsc
      Source: C:\Users\user\Desktop\AWB# 9284730932.exe TID: 6652 | Thread sleep count: 192 > 30
      Source: C:\Windows\SysWOW64\cmd.exe TID: 6660 | Thread sleep time: -30000s >= -30000s
      Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_0016245C FindFirstFileW,FindClose,memcpy,_wcsnicmp,_wcsicmp,memmove,
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_0015B89C GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,FindClose,memset,??_V@YAXPAX@Z,FindNextFileW,SetLastError,??_V@YAXPAX@Z,GetLastError,FindClose,
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_001668BA FindFirstFileExW,GetLastError,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapReAlloc,FindNextFileW,FindClose,GetLastError,FindClose,
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_001731DC FindFirstFileW,FindNextFileW,FindClose,
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_001585EA memset,FindFirstFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,??_V@YAXPAX@Z,GetLastError,SetFileAttributesW,_wcsnicmp,GetFullPathNameW,SetLastError,GetLastError,SetFileAttributesW,
      Source: explorer.exe, 0000000D.00000000.352943196.000000000891C000.00000004.00000001.sdmp | Binary or memory string: VMware SATA CD00dRom0
      Source: explorer.exe, 0000000D.00000002.507702732.0000000003710000.00000004.00000001.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
      Source: explorer.exe, 0000000D.00000000.352594738.0000000008270000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
      Source: explorer.exe, 0000000D.00000000.333225749.00000000011B3000.00000004.00000020.sdmp | Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000tft\0
      Source: explorer.exe, 0000000D.00000000.352996598.00000000089B5000.00000004.00000001.sdmp | Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000%
      Source: explorer.exe, 0000000D.00000000.347256531.00000000053C4000.00000004.00000001.sdmp | Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}>'R\"
      Source: explorer.exe, 0000000D.00000000.352594738.0000000008270000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
      Source: AWB# 9284730932.exe | Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
      Source: explorer.exe, 0000000D.00000000.352594738.0000000008270000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
      Source: explorer.exe, 0000000D.00000000.352996598.00000000089B5000.00000004.00000001.sdmp | Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&0000002
      Source: AWB# 9284730932.exe, 00000001.00000002.306937352.0000000000741000.00000004.00000020.sdmp | Binary or memory string: \??\C:\Program Files\Qemu-ga\qemu-ga.exe
      Source: explorer.exe, 0000000D.00000000.352594738.0000000008270000.00000002.00000001.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
      Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Process information queried: ProcessInformation

      Anti Debugging:

      Contains functionality to hide a thread from the debugger
      Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 1_2_022D86B3 NtSetInformationThread 000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000040,022D090E,00000000,00000000,00000000
      Hides threads from debuggers
      Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Thread information set: HideFromDebugger
      Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Thread information set: HideFromDebugger
      Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Thread information set: HideFromDebugger
      Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Process queried: DebugPort
      Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Process queried: DebugPort
      Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Process queried: DebugPort
      Source: C:\Windows\SysWOW64\cmd.exe | Process queried: DebugPort
      Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 1_2_022D86B3 rdtsc
      Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 1_2_022D562F LdrInitializeThunk,
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_00172258 IsDebuggerPresent,
      Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 1_2_022D86B3 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 1_2_022D23B6 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 1_2_022D41B2 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 1_2_022D86DF mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 1_2_022D874B mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 1_2_022D878B mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 1_2_022D2B4E mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 1_2_022D2EF7 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 1_2_022D2EC7 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 1_2_022D6D7F mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 1_2_022D7955 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 11_2_1E3E4A2C mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 11_2_1E3E4A2C mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 11_2_1E434257 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 11_2_1E3AE620 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 11_2_1E3C3A1C mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 11_2_1E3DA61C mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 11_2_1E3DA61C mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 11_2_1E45B260 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 11_2_1E45B260 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 11_2_1E478A62 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3A5210 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3A5210 mov ecx, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3A5210 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3A5210 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3AAA16 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3AAA16 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3B8A0A mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3AC600 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3AC600 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3AC600 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3D8E00 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3E927A mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E461608 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3CAE73 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3CAE73 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3CAE73 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3CAE73 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3CAE73 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3B766D mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3A9240 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3A9240 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3A9240 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3A9240 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E45FE3F mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3B7E41 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3B7E41 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3B7E41 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3B7E41 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3B7E41 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3B7E41 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E45FEC0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3BAAB0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3BAAB0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3DFAB0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E478ED6 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3A52A5 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3A52A5 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3A52A5 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3A52A5 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3A52A5 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3DD294 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3DD294 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E43FE87 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3B76E2 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3D2AE4 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3D16E0 mov ecx, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E470EA5 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E470EA5 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E470EA5 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E4246A7 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3D36CC mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3D2ACB mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3E8EC7 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3DE730 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3A4F2E mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3A4F2E mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E478B58 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3CF716 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E478F6A mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3DA70E mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3DA70E mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3D3B7A mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3D3B7A mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E47070D mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E47070D mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E43FF10 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E43FF10 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3ADB60 mov ecx, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3BFF60 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E46131B mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3AF358 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3ADB40 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3BEF40 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E4253CA mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E4253CA mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3D4BAD mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3D4BAD mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3D4BAD mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3D2397 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3DB390 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3B8794 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3B1B8F mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3B1B8F mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E45D380 mov ecx, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3E37F5 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E46138A mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3CDBE9 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E427794 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E427794 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E427794 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3D03E2 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3D03E2 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3D03E2 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3D03E2 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3D03E2 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3D03E2 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E475BA5 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3D002D mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3D002D mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3D002D mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3D002D mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3D002D mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3BB02A mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3BB02A mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3BB02A mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3BB02A mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3DBC2C mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E43C450 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E43C450 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E471074 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E462073 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E461C06 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E461C06 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E461C06 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E461C06 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E461C06 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E461C06 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E461C06 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E461C06 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E461C06 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E461C06 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E461C06 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E461C06 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E461C06 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E461C06 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E426C0A mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E426C0A mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E426C0A mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E426C0A mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E47740D mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E47740D mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E47740D mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3C746D mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E474015 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E474015 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E427016 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E427016 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E427016 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3C0050 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3C0050 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3DA44B mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3DF0BF mov ecx, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3DF0BF mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3DF0BF mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E478CD6 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3E90AF mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E43B8D0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E43B8D0 mov ecx, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E43B8D0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E43B8D0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E43B8D0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E43B8D0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3D20A0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3D20A0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3D20A0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3D20A0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3D20A0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3D20A0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3B849B mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E426CF0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E426CF0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E426CF0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3A9080 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E4614FB mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E423884 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E423884 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3A58EC mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E423540 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3D4D3B mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3D4D3B mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3D4D3B mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3D513A mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3D513A mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3AAD30 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3B3D34 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3B3D34 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3B3D34 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3B3D34 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3B3D34 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3B3D34 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3B3D34 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3B3D34 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3B3D34 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3B3D34 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3B3D34 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3B3D34 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3B3D34 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3C4120 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3C4120 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3C4120 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3C4120 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3C4120 mov ecx, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3A9100 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3A9100 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3A9100 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3AB171 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3AB171 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3CC577 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3CC577 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3AC962 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3C7D50 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E478D34 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E42A537 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3CB944 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3CB944 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3E3D43 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3D1DB5 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3D1DB5 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3D1DB5 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E426DC9 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E426DC9 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E426DC9 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E426DC9 mov ecx, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E426DC9 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E426DC9 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3D35A1 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3D61A0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3D61A0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3DFD9B mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3DFD9B mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E4341E8 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3D2990 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3A2D8A mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3A2D8A mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3A2D8A mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3A2D8A mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3A2D8A mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E458DF1 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3DA185 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3D2581 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3D2581 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3D2581 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3D2581 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3CC182 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3AB1E1 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3AB1E1 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 11_2_1E3AB1E1 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 11_2_1E3BD5E0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 11_2_1E3BD5E0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 11_2_1E4269A6 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 11_2_1E4705AC mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 11_2_1E4705AC mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 11_2_1E4251BE mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 11_2_1E4251BE mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 11_2_1E4251BE mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 11_2_1E4251BE mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 11_2_005641AF mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 11_2_005686DF mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 11_2_005686B3 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 11_2_0056874B mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 11_2_0056878B mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 11_2_00567955 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 11_2_00566D7F mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_0017B5E0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_0314FF10 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_0314FF10 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_0317131B mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_0318070D mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_0318070D mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_030B4F2E mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_030B4F2E mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_030EE730 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_03188B58 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_030BDB40 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_030CEF40 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_030BF358 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_030BDB60 mov ecx, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_030CFF60 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_03188F6A mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_030E3B7A mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_030E3B7A mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_030C1B8F mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_030C1B8F mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_03137794 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_03137794 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_03137794 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_0316D380 mov ecx, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_0317138A mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_030EB390 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_03185BA5 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_030BC600 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_030BC600 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_030BC600 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_030D3A1C mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_0316FE3F mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_030BE620 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_030B9240 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_030B9240 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_030B9240 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_030B9240 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_030C7E41 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_030C7E41 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_030C7E41 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_030C7E41 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_030C7E41 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_030C7E41 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_030C766D mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_030F927A mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_0316B260 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_0316B260 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_03188A62 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_030DAE73 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_030DAE73 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_030DAE73 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_030DAE73 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_030DAE73 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_0314FE87 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_030ED294 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_030ED294 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_030B52A5 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_030B52A5 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_030B52A5 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_030B52A5 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_030B52A5 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_031346A7 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_03180EA5 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_03180EA5 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_03180EA5 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_030EFAB0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_030E36CC mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_030F8EC7 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_03188ED6 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_0316FEC0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_030E16E0 mov ecx, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_030C76E2 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_030B9100 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_030B9100 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_030B9100 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_03188D34 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_030D4120 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_030D4120 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_030D4120 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_030D4120 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_030D4120 mov ecx, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_030E513A mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_030E513A mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_030E4D3B mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_030E4D3B mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_030E4D3B mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_030C3D34 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_030C3D34 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_030C3D34 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_030C3D34 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_030C3D34 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_030C3D34 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_030C3D34 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_030C3D34 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_030C3D34 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_030C3D34 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_030C3D34 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_030C3D34 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_030C3D34 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_030BAD30 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_030DB944 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_030DB944 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_030F3D43 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_03133540 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_030D7D50 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_030BB171 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_030BB171 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_030DC577 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_030DC577 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_030B2D8A mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_030B2D8A mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_030B2D8A mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_030B2D8A mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_030B2D8A mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_030EA185 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_030DC182 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_030EFD9B mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_030EFD9B mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_030E35A1 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_03168DF1 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_030BB1E1 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_030BB1E1 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_030BB1E1 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_03137016 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_03137016 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_03137016 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_03184015 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_03184015 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_03171C06 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_03171C06 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_03171C06 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_03171C06 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_03171C06 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_03171C06 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_03171C06 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_03171C06 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_03171C06 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_03171C06 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_03171C06 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_03171C06 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_03171C06 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_03171C06 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_0318740D mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_0318740D mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_0318740D mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_03136C0A mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_03136C0A mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_03136C0A mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_03136C0A mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_030EBC2C mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_030CB02A mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_030CB02A mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_030CB02A mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_030CB02A mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_0314C450 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_0314C450 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_030D0050 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_030D0050 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_030D746D mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_03172073 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_03181074 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_030B9080 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_03133884 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_03133884 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_030F90AF mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_030EF0BF mov ecx, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_030EF0BF mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_030EF0BF mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_0314B8D0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_0314B8D0 mov ecx, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_0314B8D0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_0314B8D0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_0314B8D0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_0314B8D0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_03188CD6 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_03136CF0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_03136CF0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_03136CF0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_031714FB mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_0015AC30 GetProcessHeap,RtlFreeHeap,GetProcessHeap,RtlFreeHeap,
      Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Process token adjusted: Debug
      Source: C:\Windows\SysWOW64\cmd.exe | Process token adjusted: Debug
      Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Code function: 11_2_00563198 RtlAddVectoredExceptionHandler,NtProtectVirtualMemory,LdrInitializeThunk,NtProtectVirtualMemory,
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_00167310 SetUnhandledExceptionFilter,
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_00166FE3 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

      HIPS / PFW / Operating System Protection Evasion:

      System process connects to network (likely due to code injection or exploit)
      Source: C:\Windows\explorer.exe | Network Connect: 103.53.126.132 80
      Maps a DLL or memory area into another process
      Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
      Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Section loaded: unknown target: C:\Windows\SysWOW64\cmd.exe protection: execute and read and write
      Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Section loaded: unknown target: C:\Windows\SysWOW64\cmd.exe protection: execute and read and write
      Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
      Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
      Modifies the context of a thread in another process (thread injection)
      Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Thread register set: target process: 3472
      Source: C:\Windows\SysWOW64\cmd.exe | Thread register set: target process: 3472
      Queues an APC in another process (thread injection)
      Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Thread APC queued: target process: C:\Windows\explorer.exe
      Sample uses process hollowing technique
      Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Section unmapped: C:\Windows\SysWOW64\cmd.exe base address: 150000
      Source: C:\Users\user\Desktop\AWB# 9284730932.exe | Process created: C:\Users\user\Desktop\AWB# 9284730932.exe 'C:\Users\user\Desktop\AWB# 9284730932.exe'
      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\AWB# 9284730932.exe'
      Source: explorer.exe, 0000000D.00000002.515396011.0000000005EA0000.00000004.00000001.sdmp, cmd.exe, 0000000E.00000002.503256494.0000000004210000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
      Source: explorer.exe, 0000000D.00000002.502206843.0000000001640000.00000002.00000001.sdmp, cmd.exe, 0000000E.00000002.503256494.0000000004210000.00000002.00000001.sdmp | Binary or memory string: Progman
      Source: explorer.exe, 0000000D.00000002.502206843.0000000001640000.00000002.00000001.sdmp, cmd.exe, 0000000E.00000002.503256494.0000000004210000.00000002.00000001.sdmp | Binary or memory string: SProgram Managerl
      Source: explorer.exe, 0000000D.00000000.333135184.0000000001128000.00000004.00000020.sdmp | Binary or memory string: ProgmanOMEa
      Source: explorer.exe, 0000000D.00000002.502206843.0000000001640000.00000002.00000001.sdmp, cmd.exe, 0000000E.00000002.503256494.0000000004210000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd,
      Source: explorer.exe, 0000000D.00000002.502206843.0000000001640000.00000002.00000001.sdmp, cmd.exe, 0000000E.00000002.503256494.0000000004210000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: GetSystemTime,SystemTimeToFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,GetLocaleInfoW,memmove,GetTimeFormatW,
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: GetSystemTime,SystemTimeToFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,GetLocaleInfoW,GetDateFormatW,memmove,GetDateFormatW,realloc,GetDateFormatW,memmove,GetLastError,GetLastError,realloc,
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,setlocale,
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_00173C49 GetSystemTime,SystemTimeToFileTime,
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_0015443C GetVersion,

      Stealing of Sensitive Information:

      Yara detected FormBook
      Source: Yara match | File source: 0000000B.00000002.373125113.000000001E150000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: 0000000B.00000002.373146227.000000001E180000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: 0000000E.00000002.501858309.0000000002F20000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: 0000000E.00000002.501396069.0000000000520000.00000004.00000001.sdmp, type: MEMORY
      Yara detected Generic Dropper
      Source: Yara match | File source: Process Memory Space: cmd.exe PID: 6656, type: MEMORY
      Source: Yara match | File source: Process Memory Space: AWB# 9284730932.exe PID: 6252, type: MEMORY

      Remote Access Functionality:

      Yara detected FormBook
      Source: Yara match | File source: 0000000B.00000002.373125113.000000001E150000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: 0000000B.00000002.373146227.000000001E180000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: 0000000E.00000002.501858309.0000000002F20000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: 0000000E.00000002.501396069.0000000000520000.00000004.00000001.sdmp, type: MEMORY

      Mitre Att&ck Matrix

      Initial Access: Valid Accounts1; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services
      Execution: Shared Modules1; Scheduled Task/Job; At (Linux); At (Windows); Cron; Launchd; Scheduled Task
      Persistence: Valid Accounts1; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items
      Privilege Escalation: Valid Accounts1; Access Token Manipulation1; Process Injection512; Logon Script (Mac); Network Logon Script; Rc.common; Startup Items
      Defense Evasion: Rootkit1; Valid Accounts1; Access Token Manipulation1; Virtualization/Sandbox Evasion22; Process Injection512; Deobfuscate/Decode Files or Information1; Obfuscated Files or Information2
      Credential Access: Credential API Hooking1; Input Capture1; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync
      Discovery: System Time Discovery1; Security Software Discovery641; Virtualization/Sandbox Evasion22; Process Discovery2; Remote System Discovery1; File and Directory Discovery1; System Information Discovery214
      Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management
      Collection: Credential API Hooking1; Input Capture1; Archive Collected Data1; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture
      Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
      Command and Control: Encrypted Channel12; Ingress Tool Transfer1; Non-Application Layer Protocol1; Application Layer Protocol2; Fallback Channels; Multiband Communication; Commonly Used Port
      Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points
      Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
      Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact

      Behavior Graph


      Legend:

      • Process
      • Signature
      • Created File
      • DNS/IP Info
      • Is Dropped
      • Is Windows Process
      • Number of created Registry Values
      • Number of created Files
      • Visual Basic
      • Delphi
      • Java
      • .Net C# or VB.NET
      • C, C++ or other language
      • Is malicious
      • Internet
      Behavior Graph ID: 320390 | Sample: AWB# 9284730932.exe | Startdate: 19/11/2020 | Architecture: WINDOWS | Score: 100
      Sample-level DNS/IP info: www.algulmotors.com; algulmotors.com
      Sample-level signatures: Potential malicious icon found; Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; 10 other signatures
      Process tree:
        AWB# 9284730932.exe (started)
          signatures: Tries to detect Any.run; Hides threads from debuggers
          AWB# 9284730932.exe 6 (started)
            DNS/IP: lifeandhealth.com.mx 192.185.170.106, 443, 49720 UNIFIEDLAYER-AS-1US United States
            signatures: Modifies the context of a thread in another process (thread injection); Tries to detect Any.run; Maps a DLL or memory area into another process; 3 other signatures
            explorer.exe (injected)
              DNS/IP: www.baizhan180.xyz 103.53.126.132, 80 CHINATELECOM-JIANGSU-YANGZHOU-IDCCHINATELECOMJiangSuYangZ China
              signatures: System process connects to network (likely due to code injection or exploit)
              cmd.exe (started)
                signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements
                cmd.exe 1 (started)
                  conhost.exe (started)

      Screenshots

      Thumbnails

      This section contains all screenshots as thumbnails, including those not shown in the slideshow.


      Antivirus, Machine Learning and Genetic Malware Detection

      Initial Sample

      Source | Detection | Scanner | Label | Link
      AWB# 9284730932.exe | 28% | Virustotal | | Browse
      AWB# 9284730932.exe | 23% | ReversingLabs | Win32.Trojan.Generic |

      Dropped Files

      No Antivirus matches

      Unpacked PE Files

      No Antivirus matches

      Domains

      Source | Detection | Scanner | Label | Link
      lifeandhealth.com.mx | 0% | Virustotal | | Browse

      URLs

      Source | Detection | Scanner | Label | Link
      http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe |
      http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe |
      http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe |
      http://www.tiro.com | 0% | URL Reputation | safe |
      http://www.tiro.com | 0% | URL Reputation | safe |
      http://www.tiro.com | 0% | URL Reputation | safe |
      https://lifeandhealth.com.mx/graceofgod/floow_tAAkniYUly238.bin | 100% | Avira URL Cloud | malware |
      http://www.goodfont.co.kr | 0% | URL Reputation | safe |
      http://www.goodfont.co.kr | 0% | URL Reputation | safe |
      http://www.goodfont.co.kr | 0% | URL Reputation | safe |
      http://www.carterandcone.coml | 0% | URL Reputation | safe |
      http://www.carterandcone.coml | 0% | URL Reputation | safe |
      http://www.carterandcone.coml | 0% | URL Reputation | safe |
      http://www.sajatypeworks.com | 0% | URL Reputation | safe |
      http://www.sajatypeworks.com | 0% | URL Reputation | safe |
      http://www.sajatypeworks.com | 0% | URL Reputation | safe |
      http://www.typography.netD | 0% | URL Reputation | safe |
      http://www.typography.netD | 0% | URL Reputation | safe |
      http://www.typography.netD | 0% | URL Reputation | safe |
      http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe |
      http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe |
      http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe |
      http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe |
      http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe |
      http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe |
      http://fontfabrik.com | 0% | URL Reputation | safe |
      http://fontfabrik.com | 0% | URL Reputation | safe |
      http://fontfabrik.com | 0% | URL Reputation | safe |
      http://www.founder.com.cn/cn | 0% | URL Reputation | safe |
      http://www.founder.com.cn/cn | 0% | URL Reputation | safe |
      http://www.founder.com.cn/cn | 0% | URL Reputation | safe |
      http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe |
      http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe |
      http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe |
      http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe |
      http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe |
      http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe |
      http://www.sandoll.co.kr | 0% | URL Reputation | safe |
      http://www.sandoll.co.kr | 0% | URL Reputation | safe |
      http://www.sandoll.co.kr | 0% | URL Reputation | safe |
      http://www.urwpp.deDPlease | 0% | URL Reputation | safe |
      http://www.urwpp.deDPlease | 0% | URL Reputation | safe |
      http://www.urwpp.deDPlease | 0% | URL Reputation | safe |
      http://www.zhongyicts.com.cn | 0% | URL Reputation | safe |
      http://www.zhongyicts.com.cn | 0% | URL Reputation | safe |
      http://www.zhongyicts.com.cn | 0% | URL Reputation | safe |
      http://www.sakkal.com | 0% | URL Reputation | safe |
      http://www.sakkal.com | 0% | URL Reputation | safe |
      http://www.sakkal.com | 0% | URL Reputation | safe |

Domains and IPs

Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
lifeandhealth.com.mx | 192.185.170.106 | true | false | - | unknown
algulmotors.com | 94.237.90.68 | true | false | - | unknown
www.baizhan180.xyz | 103.53.126.132 | true | true | - | unknown
www.algulmotors.com | unknown | unknown | true | - | unknown

URLs from Memory and Binaries

Source for every row except the lifeandhealth.com.mx entry: explorer.exe, 0000000D.00000000.353751976.000000000BC36000.00000002.00000001.sdmp

Name | Source | Malicious | Antivirus Detection | Reputation
http://www.apache.org/licenses/LICENSE-2.0 | explorer.exe dump | false | - | high
http://www.fontbureau.com | explorer.exe dump | false | - | high
http://www.fontbureau.com/designersG | explorer.exe dump | false | - | high
http://www.fontbureau.com/designers/? | explorer.exe dump | false | - | high
http://www.founder.com.cn/cn/bThe | explorer.exe dump | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers? | explorer.exe dump | false | - | high
http://www.tiro.com | explorer.exe dump | false | URL Reputation: safe | unknown
https://lifeandhealth.com.mx/graceofgod/floow_tAAkniYUly238.bin | AWB# 9284730932.exe | true | Avira URL Cloud: malware | unknown
http://www.fontbureau.com/designers | explorer.exe dump | false | - | high
http://www.goodfont.co.kr | explorer.exe dump | false | URL Reputation: safe | unknown
http://www.carterandcone.coml | explorer.exe dump | false | URL Reputation: safe | unknown
http://www.sajatypeworks.com | explorer.exe dump | false | URL Reputation: safe | unknown
http://www.typography.netD | explorer.exe dump | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/cabarga.htmlN | explorer.exe dump | false | - | high
http://www.founder.com.cn/cn/cThe | explorer.exe dump | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/staff/dennis.htm | explorer.exe dump | false | URL Reputation: safe | unknown
http://fontfabrik.com | explorer.exe dump | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cn | explorer.exe dump | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/frere-jones.html | explorer.exe dump | false | - | high
http://www.jiyu-kobo.co.jp/ | explorer.exe dump | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/DPlease | explorer.exe dump | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers8 | explorer.exe dump | false | - | high
http://www.fonts.com | explorer.exe dump | false | - | high
http://www.sandoll.co.kr | explorer.exe dump | false | URL Reputation: safe | unknown
http://www.urwpp.deDPlease | explorer.exe dump | false | URL Reputation: safe | unknown
http://www.zhongyicts.com.cn | explorer.exe dump | false | URL Reputation: safe | unknown
http://www.sakkal.com | explorer.exe dump | false | URL Reputation: safe | unknown

The font-vendor URLs (fontbureau.com, goodfont.co.kr, sajatypeworks.com and the rest) were carved from an explorer.exe memory dump; they are copyright and designer strings embedded in Windows font files, and the stray trailing characters on some of them (coml, netD, DPlease, cThe) are adjacent bytes swept up by the string extractor. They are not indicators for this sample. The one URL that is, https://lifeandhealth.com.mx/graceofgod/floow_tAAkniYUly238.bin, sits in the sample binary itself and is rated malware by Avira URL Cloud; its host lifeandhealth.com.mx resolves to 192.185.170.106, the address the analysis host talks to over TCP 443 in the packet list below.

Contacted IPs

Public

IP | Domain | Country | ASN | ASN Name | Malicious
192.185.170.106 | unknown | United States | 46606 | UNIFIEDLAYER-AS-1US | false
103.53.126.132 | unknown | China | 137697 | CHINATELECOM-JIANGSU-YANGZHOU-IDCCHINATELECOMJiangSuYangZ | true

General Information

Joe Sandbox Version: 31.0.0 Red Diamond
Analysis ID: 320390
Start date: 19.11.2020
Start time: 10:14:10
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 9m 15s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: AWB# 9284730932.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 21
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 1
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.rans.troj.spyw.evad.winEXE@7/0@4/2
EGA Information: Failed
HDC Information:
• Successful, ratio: 14.5% (good quality ratio 12.9%)
• Quality average: 72.5%
• Quality standard deviation: 31.8%
HCA Information:
• Successful, ratio: 63%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .exe
Warnings:
• Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe
• TCP Packets have been reduced to 100
• Excluded IPs from analysis (whitelisted): 104.43.139.144, 52.255.188.83, 168.61.161.212, 23.54.113.104, 51.104.139.180, 51.103.5.186, 23.0.174.185, 23.0.174.200, 20.54.26.129
• Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, client.wns.windows.com, fs.microsoft.com, arc.msn.com.nsatc.net, ris-prod.trafficmanager.net, skypedataprdcolcus17.cloudapp.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, skypedataprdcolcus16.cloudapp.net, a767.dscg3.akamai.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, wns.notify.windows.com.akadns.net, arc.msn.com, ris.api.iris.microsoft.com, par02p.wns.notify.windows.com.akadns.net, umwatsonrouting.trafficmanager.net, skypedataprdcoleus17.cloudapp.net, emea1.notify.windows.com.akadns.net, audownload.windowsupdate.nsatc.net, watson.telemetry.microsoft.com, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net
• Report size exceeded maximum capacity and may have missing disassembly code.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.

                                Simulations

                                Behavior and APIs

                                No simulations

                                Joe Sandbox View / Context

                                IPs

                                No context

                                Domains

                                No context

ASN

Match: UNIFIEDLAYER-AS-1US
Associated Sample Name / URL | Detection | Context IP
• Document3327.xlsb | malicious | 198.57.244.39
• POSH XANADU Order-SP-20093000-xlxs.xlsx | malicious | 192.185.144.204
• dVcML4Zl0J.dll | malicious | 192.232.229.53
• JTWtIx6ADf.dll | malicious | 192.232.229.53
• yrV5qWOmi3.dll | malicious | 192.232.229.53
• bGtm3bQKUj.exe | malicious | 192.185.41.224
• http://sanwhyl.seclenght.ml/whelst/8728WKEE_773_JDG833.html | malicious | 162.214.72.58
• https://app.box.com/s/frm9cufh9ljwjmsdcrv6gioilzlttstr | malicious | 162.241.41.34
• https://pornshare.cyou/mnbvcgh/loiuhgf/ | malicious | 162.241.143.221
• Invoice_99012_476904.xlsm | malicious | 192.232.229.53
• Invoice_37081_761967.xlsm | malicious | 162.241.44.26
• https://juicytatesful.com/re/ | malicious | 162.241.126.121
• https://damartex-my.sharepoint.com/:o:/g/personal/gvernon_damart_com/EiJSECE48EZEjXDMHc8NQJgBxBqgSsD-ZFrLB4gCHeMTJA?e=FDTAva | malicious | 162.241.127.155
• https://rb.gy/pt1wis | malicious | 192.254.234.249
• https://finnhammars-my.sharepoint.com/:o:/g/personal/erica_roempke_finnhammars_se/Ej-Z4o-5sm9DnKA3qpnhRyYBtAZylN4t5DisuS7MSGCA_g?e=BQY0iu | malicious | 162.241.116.106
• BL, Invoices.exe | malicious | 162.241.230.107
• JmuEmJ4T4r5bc8S.exe | malicious | 192.185.5.77
• Invoice_043866_370540.xlsm | malicious | 192.232.229.53
• PO.no.12.exe | malicious | 192.185.165.195

Match: CHINATELECOM-JIANGSU-YANGZHOU-IDCCHINATELECOMJiangSuYangZ
Associated Sample Name / URL | Detection | Context IP
• http://u5211565.ct.sendgrid.net/ls/click?upn=WMyH9YN8LdKDieVpBZafOAkyXJmwjIodeD89r6jXhi6WE1kr-2Fs2aN9q8T-2BZZFRV6682zZEeStREygPngvBuFdg-3D-3DcJ4Z_xK1japI3Lshn3uPvI4t5LvKvla0O3p8IBpVMjoMpI9l7u2DlehHWWkACqnJ0Msh7ts3W7Y7EcTH19d3-2BhLEFHddky9huDGJDs5LkRUgj2LnbhIz-2BbIp5VMZCwIMGV8rbg9rIVINs4f7mWj9dYoFwUuGqG2k06xIXROBZ-2B0vP7BO5EMP6Xax1f3K9LawJpqk-2BXhpbyhByUn-2B5jPzqG2wtuzatFicfKTfp8Ahf6HPW6qk-3D | malicious | 103.60.165.118
• https://u2867613.ct.sendgrid.net/ls/click?upn=xIoWet-2BTMg-2BVfl4m7Gz858a6bYE3yZGH61RmRbvDHYhDUUyAr1Khjkxjj-2BCUfZyREJKkLWm9kXM9xf2kpkPym7RRw-2FwPrffbBsg-2F9xfKVDnOmgo93gbmBWdQlqyAyP6o2T8m_UI-2Fa1HdcsOvWi0gT08Rm2AqxEWew-2BvQc9v-2FOJ0CFs-2Fqmzwsz0zZu1Q-2BhEiFDm76OxMI40TkUvAXI0PiE1M2-2FS3oBYErkDgrtvY8yQsueuZcmX1DOoK-2FGmjPfEq0WBdYkjBYItiWl4s0ifjNMViDKhI9pbY0wredclLKDY7HERPktB19FV8A6-2BUXfbzMfngXRV255yqgwGHIOt9NkZc15pe89ff-2FrtjvpWWMIjahF0XA-3D | malicious | 103.60.165.118

JA3 Fingerprints

Match: 37f463bf4616ecd445d4a1937da06e19 (context IP for every row: 192.185.170.106)
Associated Sample Name / URL | Detection
• https://www.canva.com/design/DAENqED8UzU/0m_RcAQIILTwa79MyPG8KA/view?utm_content=DAENqED8UzU&utm_campaign=designshare&utm_medium=link&utm_source=sharebutton | malicious
• https://akljsdhfas.selz.com/? | malicious
• doc2227740.xls | malicious
• d11311145.xls | malicious
• Original Shipment Document.exe | malicious
• PO#0007507_009389283882873PDF.exe | malicious
• MV GRAN LOBO 008.xlsx | malicious
• http://www.ericbess.com/ericblog/2008/03/03/wp-codebox/#examples | malicious
• https://app.archbee.io/doc/wjFBJ1IQgNqcYtxyaUfi5/V9dqJTS3iO58EgXIT7wr1 | malicious
• https://lfonoumkgl.zizera.com/FX | malicious
• ACH WlRE PAYMENT REMlTTANCE.xlsx | malicious
• https://view.publitas.com/ipinsurance/demers-beaulne-inc/ | malicious
• ACH - WlRE PAYMENT REMlTTANCE.xlsx | malicious
• https://t.co/DmCKxDTz1S | malicious
• http://customer.cartech.com/inventory_manufacturing.cfm | malicious
• ACHWlRE REMlTTANCE ADVlCE..xlsx | malicious
• https://www.canva.com/design/DAEN4Gk1aAs/uErgK6sn3gPozGMXWtYgqA/view?utm_content=DAEN4Gk1aAs&utm_campaign=designshare&utm_medium=link&utm_source=sharebutton | malicious
• win_encryptor.exe | malicious
• ACH WlRE REMlTTANCE PAYMENT.xlsx | malicious
• https://www.google.com/url?q=https://sedgefuneralplan.com/pinafore.php&sa=D&ust=1605725146740000&usg=AOvVaw1JCRUh1siinDauICG91nF3 | malicious
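JA3 is derived from the ClientHello alone: the client TLS version, the cipher suite list, the extension types, the supported groups and the EC point formats, with GREASE values removed, each list joined by "-", the five fields joined by ",", and the result MD5-hashed. The server name is not part of it, so a single hash shared by twenty unrelated samples describes the TLS client stack that sent the hello more than it describes this malware; the pivot that actually ties the rows above together is the common destination 192.185.170.106. The script below is an added example, not code from the report or from Joe Sandbox. It parses a raw ClientHello record into the JA3 string and hash, and it runs on a ClientHello constructed inline; the cipher list, extensions and the lifeandhealth.com.mx SNI in that input are chosen for the example and were not captured from this sample. The last function shows that changing only the SNI leaves the hash unchanged.

```python
"""JA3 from a raw TLS ClientHello record (added example; not part of the report)."""
import hashlib
import struct

# The 16 GREASE values (0x0a0a, 0x1a1a, ..., 0xfafa) are excluded from every JA3 field.
GREASE = {((i << 4) | 0x0A) * 0x0101 for i in range(16)}


def _u16(buf: bytes, off: int) -> int:
    return struct.unpack_from(">H", buf, off)[0]


def parse_client_hello(record: bytes) -> dict:
    """Pull the JA3-relevant fields out of a TLS record that carries a ClientHello."""
    if record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    handshake = record[5:5 + _u16(record, 3)]
    if handshake[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = handshake[4:4 + int.from_bytes(handshake[1:4], "big")]
    off = 0
    version = _u16(body, off); off += 2
    off += 32                                   # client random
    off += 1 + body[off]                        # session id
    cs_len = _u16(body, off); off += 2
    ciphers = [_u16(body, off + i) for i in range(0, cs_len, 2)]
    off += cs_len
    off += 1 + body[off]                        # compression methods
    extensions, groups, formats = [], [], []
    if off < len(body):                         # the extensions block is optional
        end = off + 2 + _u16(body, off); off += 2
        while off + 4 <= end:
            etype, elen = _u16(body, off), _u16(body, off + 2)
            data = body[off + 4:off + 4 + elen]
            off += 4 + elen
            extensions.append(etype)
            if etype == 10:                     # supported_groups: u16 list length, then u16 ids
                groups = [_u16(data, 2 + i) for i in range(0, _u16(data, 0), 2)]
            elif etype == 11:                   # ec_point_formats: u8 length, then u8 formats
                formats = list(data[1:1 + data[0]])
    return {"version": version, "ciphers": ciphers, "extensions": extensions,
            "groups": groups, "formats": formats}


def ja3_string(fields: dict) -> str:
    """SSLVersion,Ciphers,Extensions,EllipticCurves,EllipticCurvePointFormats (GREASE dropped)."""
    def join(values):
        return "-".join(str(v) for v in values if v not in GREASE)
    return ",".join([str(fields["version"]), join(fields["ciphers"]),
                     join(fields["extensions"]), join(fields["groups"]), join(fields["formats"])])


def ja3_hash(record: bytes) -> str:
    return hashlib.md5(ja3_string(parse_client_hello(record)).encode()).hexdigest()


def build_client_hello(sni: bytes, ciphers, extra_extensions) -> bytes:
    """Assemble a TLS 1.2-style ClientHello record; used here only to construct test input."""
    extensions = [(0x0A0A, b""),                                            # GREASE extension
                  (0, struct.pack(">HBH", len(sni) + 3, 0, len(sni)) + sni)] + extra_extensions
    ext_blob = b"".join(struct.pack(">HH", t, len(d)) + d for t, d in extensions)
    body = (struct.pack(">H", 0x0303) + b"\x11" * 32 + b"\x00"
            + struct.pack(">H", 2 * len(ciphers)) + b"".join(struct.pack(">H", c) for c in ciphers)
            + b"\x01\x00"
            + struct.pack(">H", len(ext_blob)) + ext_blob)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack(">H", len(handshake)) + handshake


# Constructed sample input: a GREASE cipher and a GREASE group are included to show they drop out.
SAMPLE_CIPHERS = [0x0A0A, 0x1301, 0x1302, 0xC02B, 0xC02F]
SAMPLE_EXTENSIONS = [
    (10, struct.pack(">HHHHH", 8, 0x0A0A, 0x001D, 0x0017, 0x0018)),  # supported_groups
    (11, b"\x01\x00"),                                                # ec_point_formats
    (13, struct.pack(">HHH", 4, 0x0403, 0x0804)),                     # signature_algorithms
    (43, b"\x04\x03\x04\x03\x03"),                                    # supported_versions
]
SAMPLE_HELLO = build_client_hello(b"lifeandhealth.com.mx", SAMPLE_CIPHERS, SAMPLE_EXTENSIONS)
EXPECTED_JA3 = "771,4865-4866-49195-49199,0-10-11-13-43,29-23-24,0"


def sni_independent(sni_a: bytes, sni_b: bytes) -> bool:
    """JA3 ignores the server name: two hellos differing only in SNI hash identically."""
    hello_a = build_client_hello(sni_a, SAMPLE_CIPHERS, SAMPLE_EXTENSIONS)
    hello_b = build_client_hello(sni_b, SAMPLE_CIPHERS, SAMPLE_EXTENSIONS)
    return ja3_hash(hello_a) == ja3_hash(hello_b)


if __name__ == "__main__":
    print(ja3_string(parse_client_hello(SAMPLE_HELLO)))
    print(ja3_hash(SAMPLE_HELLO))
```

To apply this to the session in the packet list below, feed it the first client-to-server record of the 49720 to 443 flow; a match on 37f463bf4616ecd445d4a1937da06e19 should then be read together with the destination, not on its own.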

                                Dropped Files

                                No context

                                Created / dropped Files

                                No created / dropped files found

Static File Info

General

File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 5.439880208207643
TrID:
• Win32 Executable (generic) a (10002005/4) 99.15%
• Win32 Executable Microsoft Visual Basic 6 (82127/2) 0.81%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: AWB# 9284730932.exe
File size: 86016 bytes
MD5: e69d0c42f97a007fb131b35cb8a4d7b8
SHA1: 43ca208070bb88754a1d8626ea0ef596a6db1f72
SHA256: 6e8b2b06ac2b8447aec7075c5c58edbe5a5377d74c9443e5caf9f379f53a8b6d
SHA512: 634db71b4126d06a4fe0686b700d85d71781b952da07419d00e46c9193f5fdadc8d4f533c918dd9db2dcbcd97f3bbe3cb018b6a57dc7ea78835f89bf369b4d6c
SSDEEP: 1536:Z7Y8d0PEBgVvVwZw9TPz2CN2a85ZTqetgD/k:BSVvVPTaCNEZTG/k
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........#...B...B...B..L^...B...`...B...d...B..Rich.B..........PE..L......_................. ...0...............0....@................

File Icon

Icon Hash: 20047c7c70f0e004

Static PE Info

General

Entrypoint: 0x4016d8
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
DLL Characteristics: (none)
Time Stamp: 0x5FB5ED8C [Thu Nov 19 03:59:08 2020 UTC]
TLS Callbacks: (none)
CLR (.Net) Version: (none)
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: 1df1cc653eca0e7ef0f1b96ca8b2c716

The file carries no DLL characteristics flags and has its relocations stripped, so it is always mapped at 0x400000 and opts into neither ASLR nor DEP; that is normal for VB6 builds. The compile timestamp falls on the morning of the analysis date. VB6 writes it from the build clock, so unless it was edited afterwards the binary was a few hours old when it was submitted.

                                Entrypoint Preview

                                Instruction
                                push 004017ECh
                                call 00007FA8D096B103h
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                xor byte ptr [eax], al
                                add byte ptr [eax], al
                                inc eax
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [esp+eax*2+7Dh], ah

Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x127b4 | 0x28 | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x15000 | 0x8f8 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x228 | 0x20 | -
IMAGE_DIRECTORY_ENTRY_IAT | 0x1000 | 0x148 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | -

Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x11d04 | 0x12000 | False | 0.408949110243 | data | 5.87781768033 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.data | 0x13000 | 0x11f8 | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc | 0x15000 | 0x8f8 | 0x1000 | False | 0.166748046875 | data | 1.94865951116 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name | RVA | Size | Type | Language | Country
RT_ICON | 0x157c8 | 0x130 | data | - | -
RT_ICON | 0x154e0 | 0x2e8 | data | - | -
RT_ICON | 0x153b8 | 0x128 | GLS_BINARY_LSB_FIRST | - | -
RT_GROUP_ICON | 0x15388 | 0x30 | data | - | -
RT_VERSION | 0x15150 | 0x238 | data | Italian | Italy

Imports

DLL | Import
MSVBVM60.DLL | _CIcos, _adj_fptan, __vbaVarMove, __vbaFreeVar, __vbaStrVarMove, __vbaFreeVarList, _adj_fdiv_m64, __vbaFreeObjList, _adj_fprem1, __vbaHresultCheckObj, _adj_fdiv_m32, __vbaLateMemSt, __vbaObjSet, _adj_fdiv_m16i, __vbaObjSetAddref, _adj_fdivr_m16i, __vbaFPFix, __vbaFpR8, _CIsin, __vbaChkstk, EVENT_SINK_AddRef, __vbaStrCmp, __vbaVarTstEq, __vbaI2I4, __vbaObjVar, __vbaCastObjVar, _adj_fpatan, __vbaLateIdCallLd, EVENT_SINK_Release, _CIsqrt, EVENT_SINK_QueryInterface, __vbaExceptHandler, _adj_fprem, _adj_fdivr_m64, __vbaFPException, __vbaI2Var, _CIlog, __vbaFileOpen, __vbaNew2, __vbaR8Str, _adj_fdiv_m32i, _adj_fdivr_m32i, __vbaStrCopy, __vbaVarSetObj, __vbaI4Str, __vbaFreeStrList, _adj_fdivr_m32, _adj_fdiv_r, __vbaVarTstNe, __vbaI4Var, __vbaVarDup, __vbaVarLateMemCallLd, __vbaFpI4, __vbaLateMemCallLd, _CIatan, __vbaStrMove, _allmul, _CItan, _CIexp, __vbaFreeObj, __vbaFreeStr

The import table names only the VB6 runtime. Nothing here imports network, process or memory APIs, so the download and injection behaviour recorded at runtime is reached through functions resolved dynamically rather than through the static import table.
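The static values in the tables above (compile timestamp, per-section entropy, Import Hash, and the push/call stub at the entry point that every VB6 executable starts with, where the call goes through a thunk to the runtime's ThunRTMain) can be reproduced without a sandbox. The script below is an added example, not Joe Sandbox code. It decodes the PE timestamp, computes Shannon entropy the way the Sections table reports it, computes an import hash following the pefile convention (library name lower-cased with a .dll/.ocx/.sys extension stripped, function names lower-cased, `ordN` for ordinals, entries joined by commas in import-table order, then MD5), and recognises the `push <VB header>; call rel32` stub from its raw bytes. The MSVBVM60 import list from this report is embedded so the computed hash can be compared with the reported Import Hash; that comparison assumes the report lists the imports in import-table order, since imphash is order-sensitive. The entry-stub bytes and the section contents used as input are constructed for the example (the stub from the disassembly above with a placeholder displacement, the sections as synthetic data), not read from the sample.

```python
"""Static PE triage helpers for the indicators in the report (added example; not Joe Sandbox code)."""
import datetime
import hashlib
import math
import struct
from collections import Counter

# Values copied from the report's Static PE Info and Imports tables.
REPORT_TIMESTAMP = 0x5FB5ED8C
REPORT_IMPHASH = "1df1cc653eca0e7ef0f1b96ca8b2c716"
REPORT_IMPORTS = [("MSVBVM60.DLL", (
    "_CIcos, _adj_fptan, __vbaVarMove, __vbaFreeVar, __vbaStrVarMove, __vbaFreeVarList, _adj_fdiv_m64, __vbaFreeObjList, "
    "_adj_fprem1, __vbaHresultCheckObj, _adj_fdiv_m32, __vbaLateMemSt, __vbaObjSet, _adj_fdiv_m16i, __vbaObjSetAddref, "
    "_adj_fdivr_m16i, __vbaFPFix, __vbaFpR8, _CIsin, __vbaChkstk, EVENT_SINK_AddRef, __vbaStrCmp, __vbaVarTstEq, __vbaI2I4, "
    "__vbaObjVar, __vbaCastObjVar, _adj_fpatan, __vbaLateIdCallLd, EVENT_SINK_Release, _CIsqrt, EVENT_SINK_QueryInterface, "
    "__vbaExceptHandler, _adj_fprem, _adj_fdivr_m64, __vbaFPException, __vbaI2Var, _CIlog, __vbaFileOpen, __vbaNew2, __vbaR8Str, "
    "_adj_fdiv_m32i, _adj_fdivr_m32i, __vbaStrCopy, __vbaVarSetObj, __vbaI4Str, __vbaFreeStrList, _adj_fdivr_m32, _adj_fdiv_r, "
    "__vbaVarTstNe, __vbaI4Var, __vbaVarDup, __vbaVarLateMemCallLd, __vbaFpI4, __vbaLateMemCallLd, _CIatan, __vbaStrMove, "
    "_allmul, _CItan, _CIexp, __vbaFreeObj, __vbaFreeStr").split(", "))]
# Entry-point bytes constructed from the disassembly (push 004017ECh; call rel32).
# The rel32 displacement is a placeholder, not the sample's real bytes.
ENTRY_STUB = b"\x68\xEC\x17\x40\x00" + b"\xE8\x00\x00\x00\x00"


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for constant data, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def pe_timestamp(ts: int) -> str:
    """IMAGE_FILE_HEADER.TimeDateStamp is seconds since the Unix epoch, in UTC."""
    dt = datetime.datetime.fromtimestamp(ts, datetime.timezone.utc)
    return dt.strftime("%Y-%m-%d %H:%M:%S UTC")


def imphash_string(imports) -> str:
    """Join the imports the way pefile's imphash does, before hashing."""
    parts = []
    for dll, funcs in imports:
        lib = dll.lower()
        if lib.endswith((".dll", ".ocx", ".sys")):
            lib = lib[:-4]
        for func in funcs:
            name = f"ord{func}" if isinstance(func, int) else func.lower()
            parts.append(f"{lib}.{name}")
    return ",".join(parts)


def imphash(imports) -> str:
    return hashlib.md5(imphash_string(imports).encode()).hexdigest()


def vb6_entry_target(code: bytes):
    """Return the address pushed by a 'push imm32; call rel32' VB6 entry stub, else None."""
    if len(code) >= 10 and code[0] == 0x68 and code[5] == 0xE8:
        return struct.unpack_from("<I", code, 1)[0]
    return None


def triage(imports, timestamp: int, entry_bytes: bytes, sections: dict) -> dict:
    """Combine the checks; sections maps section name to its raw bytes."""
    vb_header = vb6_entry_target(entry_bytes)
    entropies = {name: shannon_entropy(raw) for name, raw in sections.items()}
    return {
        "compiled": pe_timestamp(timestamp),
        "imphash": imphash(imports),
        "vb6_stub": vb_header is not None,
        "vb_header_va": vb_header,
        "section_entropy": entropies,
        # 7.0 bits/byte is a common (heuristic) threshold for packed or encrypted sections.
        "high_entropy_sections": [n for n, e in entropies.items() if e >= 7.0],
    }


if __name__ == "__main__":
    # Synthetic section contents stand in for the sample's bytes.
    demo_sections = {".text": bytes(range(256)) * 16, ".data": b"\x00" * 4096}
    result = triage(REPORT_IMPORTS, REPORT_TIMESTAMP, ENTRY_STUB, demo_sections)
    result["imphash_matches_report"] = result["imphash"] == REPORT_IMPHASH
    result["vb_header_va"] = hex(result["vb_header_va"])
    for key, value in result.items():
        print(f"{key}: {value}")
```

Run against a real file, the same functions take the timestamp from the COFF header, the import directory walked in order, the bytes at the entry point RVA and each section's raw data; a high-entropy section is only a hint, and a VB6 dropper such as this one keeps its code in a low-entropy .text while the payload is fetched at runtime.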

Version Infos

Description | Data
Translation | 0x0410 0x04b0
InternalName | Morgenkvisten
FileVersion | 2.00
CompanyName | KTS Division
ProductName | KTS Division
ProductVersion | 2.00
OriginalFilename | Morgenkvisten.exe

Possible Origin

Language of compilation system | Country where language is spoken
Italian | Italy

The Possible Origin row is derived from the 0x0410 (Italian, Italy) language ID in the version resource alone. Whoever builds the binary sets that field, and neither the submitted name AWB# 9284730932.exe nor the OriginalFilename Morgenkvisten.exe corroborates it, so treat it as weak evidence.

Network Behavior

Snort IDS Alerts

Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
11/19/20-10:16:51.777947 | ICMP | 402 | ICMP Destination Unreachable Port Unreachable | - | - | 192.168.2.5 | 8.8.8.8

SID 402 fired because the analysis host itself answered a UDP packet from 8.8.8.8 with port unreachable, which is what a DNS reply arriving after the querying socket has closed looks like; it is not sample traffic in its own right.

                                Network Port Distribution

TCP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 19, 2020 10:15:47.001530886 CET | 49720 | 443 | 192.168.2.5 | 192.185.170.106
Nov 19, 2020 10:15:47.146100998 CET | 443 | 49720 | 192.185.170.106 | 192.168.2.5
Nov 19, 2020 10:15:47.146208048 CET | 49720 | 443 | 192.168.2.5 | 192.185.170.106
Nov 19, 2020 10:15:47.184855938 CET | 49720 | 443 | 192.168.2.5 | 192.185.170.106
Nov 19, 2020 10:15:47.329006910 CET | 443 | 49720 | 192.185.170.106 | 192.168.2.5
Nov 19, 2020 10:15:47.330713987 CET | 443 | 49720 | 192.185.170.106 | 192.168.2.5
Nov 19, 2020 10:15:47.330746889 CET | 443 | 49720 | 192.185.170.106 | 192.168.2.5
Nov 19, 2020 10:15:47.330766916 CET | 443 | 49720 | 192.185.170.106 | 192.168.2.5
Nov 19, 2020 10:15:47.330816031 CET | 49720 | 443 | 192.168.2.5 | 192.185.170.106
Nov 19, 2020 10:15:47.330847025 CET | 49720 | 443 | 192.168.2.5 | 192.185.170.106
Nov 19, 2020 10:15:47.456859112 CET | 49720 | 443 | 192.168.2.5 | 192.185.170.106
Nov 19, 2020 10:15:47.601548910 CET | 443 | 49720 | 192.185.170.106 | 192.168.2.5
Nov 19, 2020 10:15:47.602027893 CET | 49720 | 443 | 192.168.2.5 | 192.185.170.106
Nov 19, 2020 10:15:47.627974987 CET | 49720 | 443 | 192.168.2.5 | 192.185.170.106
Nov 19, 2020 10:15:47.778048992 CET | 443 | 49720 | 192.185.170.106 | 192.168.2.5
Nov 19, 2020 10:15:47.778078079 CET | 443 | 49720 | 192.185.170.106 | 192.168.2.5
Nov 19, 2020 10:15:47.778137922 CET | 443 | 49720 | 192.185.170.106 | 192.168.2.5
Nov 19, 2020 10:15:47.778153896 CET | 443 | 49720 | 192.185.170.106 | 192.168.2.5
Nov 19, 2020 10:15:47.778189898 CET | 49720 | 443 | 192.168.2.5 | 192.185.170.106
Nov 19, 2020 10:15:47.778192997 CET | 443 | 49720 | 192.185.170.106 | 192.168.2.5
Nov 19, 2020 10:15:47.778209925 CET | 443 | 49720 | 192.185.170.106 | 192.168.2.5
Nov 19, 2020 10:15:47.778227091 CET | 443 | 49720 | 192.185.170.106 | 192.168.2.5
Nov 19, 2020 10:15:47.778245926 CET | 443 | 49720 | 192.185.170.106 | 192.168.2.5
Nov 19, 2020 10:15:47.778254032 CET | 49720 | 443 | 192.168.2.5 | 192.185.170.106
Nov 19, 2020 10:15:47.778264999 CET | 443 | 49720 | 192.185.170.106 | 192.168.2.5
Nov 19, 2020 10:15:47.778280973 CET | 443 | 49720 | 192.185.170.106 | 192.168.2.5
Nov 19, 2020 10:15:47.778286934 CET | 49720 | 443 | 192.168.2.5 | 192.185.170.106
Nov 19, 2020 10:15:47.778382063 CET | 49720 | 443 | 192.168.2.5 | 192.185.170.106
Nov 19, 2020 10:15:47.778390884 CET | 49720 | 443 | 192.168.2.5 | 192.185.170.106
Nov 19, 2020 10:15:47.922759056 CET | 443 | 49720 | 192.185.170.106 | 192.168.2.5
Nov 19, 2020 10:15:47.922785044 CET | 443 | 49720 | 192.185.170.106 | 192.168.2.5
Nov 19, 2020 10:15:47.922801971 CET | 443 | 49720 | 192.185.170.106 | 192.168.2.5
Nov 19, 2020 10:15:47.922817945 CET | 443 | 49720 | 192.185.170.106 | 192.168.2.5
Nov 19, 2020 10:15:47.922827959 CET | 49720 | 443 | 192.168.2.5 | 192.185.170.106
Nov 19, 2020 10:15:47.922863960 CET | 49720 | 443 | 192.168.2.5 | 192.185.170.106
Nov 19, 2020 10:15:47.922902107 CET | 443 | 49720 | 192.185.170.106 | 192.168.2.5
Nov 19, 2020 10:15:47.922985077 CET | 443 | 49720 | 192.185.170.106 | 192.168.2.5
Nov 19, 2020 10:15:47.923032999 CET | 49720 | 443 | 192.168.2.5 | 192.185.170.106
Nov 19, 2020 10:15:47.923104048 CET | 443 | 49720 | 192.185.170.106 | 192.168.2.5
Nov 19, 2020 10:15:47.923193932 CET | 49720 | 443 | 192.168.2.5 | 192.185.170.106
Nov 19, 2020 10:15:47.923460960 CET | 443 | 49720 | 192.185.170.106 | 192.168.2.5
Nov 19, 2020 10:15:47.923476934 CET | 443 | 49720 | 192.185.170.106 | 192.168.2.5
Nov 19, 2020 10:15:47.923517942 CET | 49720 | 443 | 192.168.2.5 | 192.185.170.106
Nov 19, 2020 10:15:47.923540115 CET | 49720 | 443 | 192.168.2.5 | 192.185.170.106
Nov 19, 2020 10:15:47.923583031 CET | 443 | 49720 | 192.185.170.106 | 192.168.2.5
Nov 19, 2020 10:15:47.923706055 CET | 443 | 49720 | 192.185.170.106 | 192.168.2.5
Nov 19, 2020 10:15:47.923737049 CET | 443 | 49720 | 192.185.170.106 | 192.168.2.5
Nov 19, 2020 10:15:47.923753023 CET | 443 | 49720 | 192.185.170.106 | 192.168.2.5
Nov 19, 2020 10:15:47.923753977 CET | 49720 | 443 | 192.168.2.5 | 192.185.170.106
                                Nov 19, 2020 10:15:47.923774004 CET44349720192.185.170.106192.168.2.5
                                Nov 19, 2020 10:15:47.923804998 CET44349720192.185.170.106192.168.2.5
                                Nov 19, 2020 10:15:47.923814058 CET49720443192.168.2.5192.185.170.106
                                Nov 19, 2020 10:15:47.923823118 CET44349720192.185.170.106192.168.2.5
                                Nov 19, 2020 10:15:47.923831940 CET49720443192.168.2.5192.185.170.106
                                Nov 19, 2020 10:15:47.923883915 CET49720443192.168.2.5192.185.170.106
                                Nov 19, 2020 10:15:47.923908949 CET44349720192.185.170.106192.168.2.5
                                Nov 19, 2020 10:15:47.923969984 CET49720443192.168.2.5192.185.170.106
                                Nov 19, 2020 10:15:47.923984051 CET44349720192.185.170.106192.168.2.5
                                Nov 19, 2020 10:15:47.924040079 CET44349720192.185.170.106192.168.2.5
                                Nov 19, 2020 10:15:47.924041033 CET49720443192.168.2.5192.185.170.106
                                Nov 19, 2020 10:15:47.924062014 CET44349720192.185.170.106192.168.2.5
                                Nov 19, 2020 10:15:47.924087048 CET49720443192.168.2.5192.185.170.106
                                Nov 19, 2020 10:15:47.924113989 CET49720443192.168.2.5192.185.170.106
                                Nov 19, 2020 10:15:48.067143917 CET44349720192.185.170.106192.168.2.5
                                Nov 19, 2020 10:15:48.067167044 CET44349720192.185.170.106192.168.2.5
                                Nov 19, 2020 10:15:48.067183971 CET44349720192.185.170.106192.168.2.5
                                Nov 19, 2020 10:15:48.067198992 CET44349720192.185.170.106192.168.2.5
                                Nov 19, 2020 10:15:48.067218065 CET44349720192.185.170.106192.168.2.5
                                Nov 19, 2020 10:15:48.067234993 CET44349720192.185.170.106192.168.2.5
                                Nov 19, 2020 10:15:48.067251921 CET49720443192.168.2.5192.185.170.106
                                Nov 19, 2020 10:15:48.067301035 CET44349720192.185.170.106192.168.2.5
                                Nov 19, 2020 10:15:48.067307949 CET49720443192.168.2.5192.185.170.106
                                Nov 19, 2020 10:15:48.067317963 CET44349720192.185.170.106192.168.2.5
                                Nov 19, 2020 10:15:48.067333937 CET44349720192.185.170.106192.168.2.5
                                Nov 19, 2020 10:15:48.067349911 CET44349720192.185.170.106192.168.2.5
                                Nov 19, 2020 10:15:48.067349911 CET49720443192.168.2.5192.185.170.106
                                Nov 19, 2020 10:15:48.067365885 CET44349720192.185.170.106192.168.2.5
                                Nov 19, 2020 10:15:48.067397118 CET49720443192.168.2.5192.185.170.106
                                Nov 19, 2020 10:15:48.067409992 CET44349720192.185.170.106192.168.2.5
                                Nov 19, 2020 10:15:48.067435980 CET49720443192.168.2.5192.185.170.106
                                Nov 19, 2020 10:15:48.067454100 CET49720443192.168.2.5192.185.170.106
                                Nov 19, 2020 10:15:48.068613052 CET44349720192.185.170.106192.168.2.5
                                Nov 19, 2020 10:15:48.068633080 CET44349720192.185.170.106192.168.2.5
                                Nov 19, 2020 10:15:48.068648100 CET44349720192.185.170.106192.168.2.5
                                Nov 19, 2020 10:15:48.068717957 CET44349720192.185.170.106192.168.2.5
                                Nov 19, 2020 10:15:48.068734884 CET44349720192.185.170.106192.168.2.5
                                Nov 19, 2020 10:15:48.068739891 CET49720443192.168.2.5192.185.170.106
                                Nov 19, 2020 10:15:48.068799019 CET44349720192.185.170.106192.168.2.5
                                Nov 19, 2020 10:15:48.068799973 CET49720443192.168.2.5192.185.170.106
                                Nov 19, 2020 10:15:48.068816900 CET44349720192.185.170.106192.168.2.5
                                Nov 19, 2020 10:15:48.068840981 CET49720443192.168.2.5192.185.170.106
                                Nov 19, 2020 10:15:48.068878889 CET49720443192.168.2.5192.185.170.106
                                Nov 19, 2020 10:15:48.068918943 CET44349720192.185.170.106192.168.2.5
                                Nov 19, 2020 10:15:48.068938017 CET44349720192.185.170.106192.168.2.5
                                Nov 19, 2020 10:15:48.068953037 CET44349720192.185.170.106192.168.2.5
                                Nov 19, 2020 10:15:48.068985939 CET49720443192.168.2.5192.185.170.106
                                Nov 19, 2020 10:15:48.068994999 CET44349720192.185.170.106192.168.2.5
                                Nov 19, 2020 10:15:48.069025993 CET44349720192.185.170.106192.168.2.5
                                Nov 19, 2020 10:15:48.069034100 CET49720443192.168.2.5192.185.170.106
                                Nov 19, 2020 10:15:48.069046974 CET44349720192.185.170.106192.168.2.5

UDP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 19, 2020 10:14:57.672523022 CET | 59596 | 53 | 192.168.2.5 | 8.8.8.8
Nov 19, 2020 10:14:57.684814930 CET | 53 | 59596 | 8.8.8.8 | 192.168.2.5
Nov 19, 2020 10:14:58.504379988 CET | 65296 | 53 | 192.168.2.5 | 8.8.8.8
Nov 19, 2020 10:14:58.517632008 CET | 53 | 65296 | 8.8.8.8 | 192.168.2.5
Nov 19, 2020 10:14:59.227814913 CET | 63183 | 53 | 192.168.2.5 | 8.8.8.8
Nov 19, 2020 10:14:59.240803957 CET | 53 | 63183 | 8.8.8.8 | 192.168.2.5
Nov 19, 2020 10:15:00.080413103 CET | 60151 | 53 | 192.168.2.5 | 8.8.8.8
Nov 19, 2020 10:15:00.092885971 CET | 53 | 60151 | 8.8.8.8 | 192.168.2.5
Nov 19, 2020 10:15:03.358402014 CET | 56969 | 53 | 192.168.2.5 | 8.8.8.8
Nov 19, 2020 10:15:03.371630907 CET | 53 | 56969 | 8.8.8.8 | 192.168.2.5
Nov 19, 2020 10:15:04.305349112 CET | 55161 | 53 | 192.168.2.5 | 8.8.8.8
Nov 19, 2020 10:15:04.317756891 CET | 53 | 55161 | 8.8.8.8 | 192.168.2.5
Nov 19, 2020 10:15:06.250655890 CET | 54757 | 53 | 192.168.2.5 | 8.8.8.8
Nov 19, 2020 10:15:06.263612986 CET | 53 | 54757 | 8.8.8.8 | 192.168.2.5
Nov 19, 2020 10:15:20.313951015 CET | 49992 | 53 | 192.168.2.5 | 8.8.8.8
Nov 19, 2020 10:15:20.332675934 CET | 53 | 49992 | 8.8.8.8 | 192.168.2.5
Nov 19, 2020 10:15:22.679122925 CET | 60075 | 53 | 192.168.2.5 | 8.8.8.8
Nov 19, 2020 10:15:22.692229033 CET | 53 | 60075 | 8.8.8.8 | 192.168.2.5
Nov 19, 2020 10:15:46.817104101 CET | 55016 | 53 | 192.168.2.5 | 8.8.8.8
Nov 19, 2020 10:15:46.964602947 CET | 53 | 55016 | 8.8.8.8 | 192.168.2.5
Nov 19, 2020 10:15:47.210824013 CET | 64345 | 53 | 192.168.2.5 | 8.8.8.8
Nov 19, 2020 10:15:47.230686903 CET | 53 | 64345 | 8.8.8.8 | 192.168.2.5
Nov 19, 2020 10:15:47.268902063 CET | 57128 | 53 | 192.168.2.5 | 8.8.8.8
Nov 19, 2020 10:15:47.287764072 CET | 53 | 57128 | 8.8.8.8 | 192.168.2.5
Nov 19, 2020 10:15:47.325210094 CET | 54791 | 53 | 192.168.2.5 | 8.8.8.8
Nov 19, 2020 10:15:47.344552994 CET | 53 | 54791 | 8.8.8.8 | 192.168.2.5
Nov 19, 2020 10:15:47.786919117 CET | 50463 | 53 | 192.168.2.5 | 8.8.8.8
Nov 19, 2020 10:15:47.821305990 CET | 53 | 50463 | 8.8.8.8 | 192.168.2.5
Nov 19, 2020 10:16:23.870322943 CET | 50394 | 53 | 192.168.2.5 | 8.8.8.8
Nov 19, 2020 10:16:23.883050919 CET | 53 | 50394 | 8.8.8.8 | 192.168.2.5
Nov 19, 2020 10:16:24.474883080 CET | 58530 | 53 | 192.168.2.5 | 8.8.8.8
Nov 19, 2020 10:16:24.490516901 CET | 53 | 58530 | 8.8.8.8 | 192.168.2.5
Nov 19, 2020 10:16:50.356683969 CET | 53813 | 53 | 192.168.2.5 | 8.8.8.8
Nov 19, 2020 10:16:51.350296974 CET | 53813 | 53 | 192.168.2.5 | 8.8.8.8
Nov 19, 2020 10:16:51.677045107 CET | 53 | 53813 | 8.8.8.8 | 192.168.2.5
Nov 19, 2020 10:16:51.777789116 CET | 53 | 53813 | 8.8.8.8 | 192.168.2.5
Nov 19, 2020 10:17:14.765675068 CET | 63732 | 53 | 192.168.2.5 | 8.8.8.8
Nov 19, 2020 10:17:14.790375948 CET | 53 | 63732 | 8.8.8.8 | 192.168.2.5

ICMP Packets

Timestamp | Source IP | Dest IP | Checksum | Code | Type
Nov 19, 2020 10:16:51.777946949 CET | 192.168.2.5 | 8.8.8.8 | d007 | (Port unreachable) | Destination Unreachable

DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Nov 19, 2020 10:15:46.817104101 CET | 192.168.2.5 | 8.8.8.8 | 0x133d | Standard query (0) | lifeandhealth.com.mx | A (IP address) | IN (0x0001)
Nov 19, 2020 10:16:50.356683969 CET | 192.168.2.5 | 8.8.8.8 | 0x9784 | Standard query (0) | www.baizhan180.xyz | A (IP address) | IN (0x0001)
Nov 19, 2020 10:16:51.350296974 CET | 192.168.2.5 | 8.8.8.8 | 0x9784 | Standard query (0) | www.baizhan180.xyz | A (IP address) | IN (0x0001)
Nov 19, 2020 10:17:14.765675068 CET | 192.168.2.5 | 8.8.8.8 | 0xc6b1 | Standard query (0) | www.algulmotors.com | A (IP address) | IN (0x0001)

DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Nov 19, 2020 10:15:46.964602947 CET | 8.8.8.8 | 192.168.2.5 | 0x133d | No error (0) | lifeandhealth.com.mx | | 192.185.170.106 | A (IP address) | IN (0x0001)
Nov 19, 2020 10:16:51.677045107 CET | 8.8.8.8 | 192.168.2.5 | 0x9784 | No error (0) | www.baizhan180.xyz | | 103.53.126.132 | A (IP address) | IN (0x0001)
Nov 19, 2020 10:16:51.777789116 CET | 8.8.8.8 | 192.168.2.5 | 0x9784 | No error (0) | www.baizhan180.xyz | | 103.53.126.132 | A (IP address) | IN (0x0001)
Nov 19, 2020 10:17:14.790375948 CET | 8.8.8.8 | 192.168.2.5 | 0xc6b1 | No error (0) | www.algulmotors.com | algulmotors.com | | CNAME (Canonical name) | IN (0x0001)
Nov 19, 2020 10:17:14.790375948 CET | 8.8.8.8 | 192.168.2.5 | 0xc6b1 | No error (0) | algulmotors.com | | 94.237.90.68 | A (IP address) | IN (0x0001)

HTTPS Packets

Timestamp | Source IP | Source Port | Dest IP | Dest Port | Subject | Issuer | Not Before | Not After | JA3 SSL Client Fingerprint | JA3 SSL Client Digest
Nov 19, 2020 10:15:47.330766916 CET | 192.185.170.106 | 443 | 192.168.2.5 | 49720 | CN=webdisk.lifeandhealth.com.mx | CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US | Fri Nov 06 17:15:38 CET 2020 | Thu Feb 04 17:15:38 CET 2021 | 771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-23-65281,29-23-24,0 | 37f463bf4616ecd445d4a1937da06e19
(same session, next certificate in the presented chain) | 192.185.170.106 | 443 | 192.168.2.5 | 49720 | CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US | CN=DST Root CA X3, O=Digital Signature Trust Co. | Thu Mar 17 17:40:46 CET 2016 | Wed Mar 17 17:40:46 CET 2021 | |

Code Manipulations

User Modules

Hook Summary

Function Name | Hook Type | Active in Processes
PeekMessageA | INLINE | explorer.exe
PeekMessageW | INLINE | explorer.exe
GetMessageW | INLINE | explorer.exe
GetMessageA | INLINE | explorer.exe

Processes

Process: explorer.exe, Module: user32.dll
Function Name | Hook Type | New Data
PeekMessageA | INLINE | 0x48 0x8B 0xB8 0x82 0x2E 0xE0
PeekMessageW | INLINE | 0x48 0x8B 0xB8 0x8A 0xAE 0xE0
GetMessageW | INLINE | 0x48 0x8B 0xB8 0x8A 0xAE 0xE0
GetMessageA | INLINE | 0x48 0x8B 0xB8 0x82 0x2E 0xE0

                                Statistics

                                Behavior


System Behavior

General

Start time: 10:15:02
Start date: 19/11/2020
Path: C:\Users\user\Desktop\AWB# 9284730932.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\Desktop\AWB# 9284730932.exe'
Imagebase: 0x400000
File size: 86016 bytes
MD5 hash: E69D0C42F97A007FB131B35CB8A4D7B8
Has elevated privileges: true
Has administrator privileges: true
Programmed in: Visual Basic
Reputation: low

General

Start time: 10:15:36
Start date: 19/11/2020
Path: C:\Users\user\Desktop\AWB# 9284730932.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\Desktop\AWB# 9284730932.exe'
Imagebase: 0x400000
File size: 86016 bytes
MD5 hash: E69D0C42F97A007FB131B35CB8A4D7B8
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000B.00000002.373125113.000000001E150000.00000040.00000001.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000B.00000002.373125113.000000001E150000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 0000000B.00000002.373125113.000000001E150000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000B.00000002.373146227.000000001E180000.00000040.00000001.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000B.00000002.373146227.000000001E180000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 0000000B.00000002.373146227.000000001E180000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation: low

General

Start time: 10:15:49
Start date: 19/11/2020
Path: C:\Windows\explorer.exe
Wow64 process (32bit): false
Commandline:
Imagebase: 0x7ff693d90000
File size: 3933184 bytes
MD5 hash: AD5296B280E8F522A8A897C96BAB0E1D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 10:16:02
Start date: 19/11/2020
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: C:\Windows\SysWOW64\cmd.exe
Imagebase: 0x150000
File size: 232960 bytes
MD5 hash: F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: LokiBot_Dropper_Packed_R11_Feb18, Description: Auto-generated rule - file scan copy.pdf.r11, Source: 0000000E.00000002.500985638.000000000025D000.00000004.00000020.sdmp, Author: Florian Roth
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000E.00000002.501858309.0000000002F20000.00000040.00000001.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000E.00000002.501858309.0000000002F20000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 0000000E.00000002.501858309.0000000002F20000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: LokiBot_Dropper_Packed_R11_Feb18, Description: Auto-generated rule - file scan copy.pdf.r11, Source: 0000000E.00000002.503105850.000000000383F000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000E.00000002.501396069.0000000000520000.00000004.00000001.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000E.00000002.501396069.0000000000520000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 0000000E.00000002.501396069.0000000000520000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation: high

General

Start time: 10:16:07
Start date: 19/11/2020
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: /c del 'C:\Users\user\Desktop\AWB# 9284730932.exe'
Imagebase: 0x150000
File size: 232960 bytes
MD5 hash: F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 10:16:07
Start date: 19/11/2020
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7ecfc0000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

                                Disassembly

                                Code Analysis
