Analysis Report 2eD17GZuWs.exe

Overview

General Information

Sample Name: 2eD17GZuWs.exe
Analysis ID: 320425
MD5: c05eee88f0b57e853996957d6523397b
SHA1: fc16fa4ab9a88f7e2405eb9a77d168d9c1b7c8d3
SHA256: 7e70e44956cdb045fd7b5c66eca50996900059fd8851aa76be19a5dd492c6918
Tags: exe, GuLoader

Detection

FormBook GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Potential malicious icon found
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected FormBook
Yara detected Generic Dropper
Yara detected GuLoader
Contains functionality to hide a thread from the debugger
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Hides threads from debuggers
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected VB6 Downloader Generic
Abnormal high CPU Usage
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
PE file contains strange resources
Sample file is different than original file name gathered from version info
Tries to load missing DLLs
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

AV Detection:

Multi AV Scanner detection for submitted file
Source: 2eD17GZuWs.exe Virustotal: Detection: 25%
Yara detected FormBook
Source: Yara match File source: 00000001.00000002.928588896.0000000002550000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.927894177.00000000000A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.931871202.0000000001100000.00000040.00000001.sdmp, type: MEMORY

Software Vulnerabilities:

Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 4x nop then pop esi 13_2_01117295
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 4x nop then pop esi 13_2_011172A5

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 2018752 ET TROJAN Generic .bin download from Dotted Quad 192.168.2.4:49756 -> 103.125.191.5:80
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: VNPT-AS-VNVIETNAMPOSTSANDTELECOMMUNICATIONSGROUPVN
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET /bin_xMjelaYnr43.bin HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: 103.125.191.5
Cache-Control: no-cache
Source: unknown TCP traffic detected without corresponding DNS query: 103.125.191.5
Source: global traffic HTTP traffic detected: GET /bin_xMjelaYnr43.bin HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: 103.125.191.5
Cache-Control: no-cache
Source: 2eD17GZuWs.exe, 00000001.00000002.928458563.000000000093D000.00000004.00000020.sdmp String found in binary or memory: http://103.125.191.5/
Source: 2eD17GZuWs.exe String found in binary or memory: http://103.125.191.5/bin_xMjelaYnr43.bin
Source: 2eD17GZuWs.exe, 00000001.00000002.928446229.0000000000924000.00000004.00000020.sdmp String found in binary or memory: http://103.125.191.5/bin_xMjelaYnr43.binY
Source: explorer.exe, 0000000A.00000000.899103858.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://fontfabrik.com
Source: explorer.exe, 0000000A.00000002.935388452.0000000002B50000.00000002.00000001.sdmp String found in binary or memory: http://www.%s.comPA
Source: explorer.exe, 0000000A.00000000.899103858.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 0000000A.00000000.899103858.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 0000000A.00000000.899103858.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 0000000A.00000000.899103858.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 0000000A.00000000.899103858.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 0000000A.00000000.899103858.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 0000000A.00000000.899103858.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: explorer.exe, 0000000A.00000000.899103858.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 0000000A.00000000.899103858.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 0000000A.00000000.899103858.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 0000000A.00000000.899103858.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 0000000A.00000000.899103858.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 0000000A.00000000.899103858.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 0000000A.00000000.899103858.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 0000000A.00000000.899103858.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 0000000A.00000000.899103858.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 0000000A.00000000.899103858.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 0000000A.00000000.899103858.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 0000000A.00000000.899103858.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 0000000A.00000000.899103858.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 0000000A.00000000.899103858.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 0000000A.00000000.899103858.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 0000000A.00000000.899103858.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 0000000A.00000000.899103858.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 0000000A.00000000.899103858.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.zhongyicts.com.cn
Source: 2eD17GZuWs.exe, 00000001.00000002.928394579.00000000008F7000.00000004.00000020.sdmp String found in binary or memory: https://in_xMjelaYnr43.bin

E-Banking Fraud:

Yara detected FormBook
Source: Yara match File source: 00000001.00000002.928588896.0000000002550000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.927894177.00000000000A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.931871202.0000000001100000.00000040.00000001.sdmp, type: MEMORY

System Summary:

Malicious sample detected (through community Yara rule)
Source: 0000000D.00000002.932470718.000000000329A000.00000004.00000020.sdmp, type: MEMORY Matched rule: Auto-generated rule - file scan copy.pdf.r11 Author: Florian Roth
Source: 0000000D.00000002.935336977.00000000055DF000.00000004.00000001.sdmp, type: MEMORY Matched rule: Auto-generated rule - file scan copy.pdf.r11 Author: Florian Roth
Source: 00000001.00000002.928588896.0000000002550000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.928588896.0000000002550000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.927894177.00000000000A0000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.927894177.00000000000A0000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000D.00000002.931871202.0000000001100000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000D.00000002.931871202.0000000001100000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Potential malicious icon found
Source: initial sample Icon embedded in PE file: bad icon match: 20047c7c70f0e004
Abnormal high CPU Usage
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Process Stats: CPU usage > 98%
Contains functionality to call native functions
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 0_2_021D5A6C NtProtectVirtualMemory, 0_2_021D5A6C
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 0_2_021D06B1 NtSetInformationThread,TerminateProcess,CreateFileA, 0_2_021D06B1
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 0_2_021D5336 NtSetInformationThread,LoadLibraryA, 0_2_021D5336
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 0_2_021D232A NtWriteVirtualMemory, 0_2_021D232A
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 0_2_021D5F9F NtResumeThread, 0_2_021D5F9F
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 0_2_021D078C NtWriteVirtualMemory,TerminateProcess, 0_2_021D078C
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 0_2_021D044B EnumWindows,NtSetInformationThread, 0_2_021D044B
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 0_2_021D54F4 NtSetInformationThread,NtWriteVirtualMemory,LoadLibraryA, 0_2_021D54F4
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 0_2_021D260D NtWriteVirtualMemory, 0_2_021D260D
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 0_2_021D6239 NtResumeThread, 0_2_021D6239
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 0_2_021D62C5 NtResumeThread, 0_2_021D62C5
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 0_2_021D2705 NtWriteVirtualMemory, 0_2_021D2705
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 0_2_021D6325 NtResumeThread, 0_2_021D6325
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 0_2_021D0F7D NtWriteVirtualMemory, 0_2_021D0F7D
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 0_2_021D276A NtWriteVirtualMemory, 0_2_021D276A
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 0_2_021D23D5 NtWriteVirtualMemory, 0_2_021D23D5
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 0_2_021D5FC1 NtResumeThread, 0_2_021D5FC1
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 0_2_021D47EF NtSetInformationThread, 0_2_021D47EF
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 0_2_021D5FE5 NtResumeThread, 0_2_021D5FE5
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 0_2_021D6015 NtResumeThread, 0_2_021D6015
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 0_2_021D6039 NtResumeThread, 0_2_021D6039
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 0_2_021D5435 NtWriteVirtualMemory, 0_2_021D5435
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 0_2_021D2455 NtWriteVirtualMemory, 0_2_021D2455
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 0_2_021D6089 NtResumeThread, 0_2_021D6089
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 0_2_021D24BD NtWriteVirtualMemory, 0_2_021D24BD
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 0_2_021D04B2 NtSetInformationThread, 0_2_021D04B2
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 0_2_021D60D1 NtResumeThread, 0_2_021D60D1
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 0_2_021D04CD NtSetInformationThread, 0_2_021D04CD
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 0_2_021D0516 NtSetInformationThread, 0_2_021D0516
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 0_2_021D6106 NtResumeThread, 0_2_021D6106
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 0_2_021D0537 NtSetInformationThread, 0_2_021D0537
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 0_2_021D2531 NtWriteVirtualMemory, 0_2_021D2531
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 0_2_021D059D NtSetInformationThread, 0_2_021D059D
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 0_2_021D05D9 NtSetInformationThread, 0_2_021D05D9
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 0_2_021D61ED NtResumeThread, 0_2_021D61ED
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_1E189660 NtAllocateVirtualMemory,LdrInitializeThunk, 1_2_1E189660
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_1E1896E0 NtFreeVirtualMemory,LdrInitializeThunk, 1_2_1E1896E0
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_1E189710 NtQueryInformationToken,LdrInitializeThunk, 1_2_1E189710
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_1E189780 NtMapViewOfSection,LdrInitializeThunk, 1_2_1E189780
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_1E1897A0 NtUnmapViewOfSection,LdrInitializeThunk, 1_2_1E1897A0
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_1E189540 NtReadFile,LdrInitializeThunk, 1_2_1E189540
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_1E1895D0 NtClose,LdrInitializeThunk, 1_2_1E1895D0
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_1E189A00 NtProtectVirtualMemory,LdrInitializeThunk, 1_2_1E189A00
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_1E189A20 NtResumeThread,LdrInitializeThunk, 1_2_1E189A20
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_1E189A50 NtCreateFile,LdrInitializeThunk, 1_2_1E189A50
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_1E189840 NtDelayExecution,LdrInitializeThunk, 1_2_1E189840
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_1E189860 NtQuerySystemInformation,LdrInitializeThunk, 1_2_1E189860
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_1E1898F0 NtReadVirtualMemory,LdrInitializeThunk, 1_2_1E1898F0
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_1E189910 NtAdjustPrivilegesToken,LdrInitializeThunk, 1_2_1E189910
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_1E1899A0 NtCreateSection,LdrInitializeThunk, 1_2_1E1899A0
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_1E189610 NtEnumerateValueKey, 1_2_1E189610
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_1E189650 NtQueryValueKey, 1_2_1E189650
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_1E189670 NtQueryInformationProcess, 1_2_1E189670
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_1E1896D0 NtCreateKey, 1_2_1E1896D0
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_1E18A710 NtOpenProcessToken, 1_2_1E18A710
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_1E189730 NtQueryVirtualMemory, 1_2_1E189730
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_1E18A770 NtOpenThread, 1_2_1E18A770
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_1E189770 NtSetInformationFile, 1_2_1E189770
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_1E189760 NtOpenProcess, 1_2_1E189760
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_1E189FE0 NtCreateMutant, 1_2_1E189FE0
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_1E18AD30 NtSetContextThread, 1_2_1E18AD30
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_1E189520 NtWaitForSingleObject, 1_2_1E189520
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_1E189560 NtWriteFile, 1_2_1E189560
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_1E1895F0 NtQueryInformationFile, 1_2_1E1895F0
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_1E189A10 NtQuerySection, 1_2_1E189A10
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_1E189A80 NtOpenDirectoryObject, 1_2_1E189A80
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_1E189B00 NtSetValueKey, 1_2_1E189B00
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_1E18A3B0 NtGetContextThread, 1_2_1E18A3B0
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_1E189820 NtEnumerateKey, 1_2_1E189820
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_1E18B040 NtSuspendThread, 1_2_1E18B040
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_1E1898A0 NtWriteVirtualMemory, 1_2_1E1898A0
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_1E189950 NtQueueApcThread, 1_2_1E189950
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_1E1899D0 NtCreateProcessEx, 1_2_1E1899D0
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_00565A6C NtProtectVirtualMemory, 1_2_00565A6C
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_00565F9F NtSetInformationThread, 1_2_00565F9F
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_00566015 NtSetInformationThread, 1_2_00566015
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_00566039 NtSetInformationThread, 1_2_00566039
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_005660D1 NtSetInformationThread, 1_2_005660D1
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_00566089 NtSetInformationThread, 1_2_00566089
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_00566106 NtSetInformationThread, 1_2_00566106
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_005661ED NtSetInformationThread, 1_2_005661ED
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_00566239 NtSetInformationThread, 1_2_00566239
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_005662C5 NtSetInformationThread, 1_2_005662C5
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_00566325 NtSetInformationThread, 1_2_00566325
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_00565FC1 NtSetInformationThread, 1_2_00565FC1
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_00565FE5 NtSetInformationThread, 1_2_00565FE5
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_05119540 NtReadFile,LdrInitializeThunk, 13_2_05119540
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_051195D0 NtClose,LdrInitializeThunk, 13_2_051195D0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_05119FE0 NtCreateMutant,LdrInitializeThunk, 13_2_05119FE0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_05119660 NtAllocateVirtualMemory,LdrInitializeThunk, 13_2_05119660
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_051196E0 NtFreeVirtualMemory,LdrInitializeThunk, 13_2_051196E0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_05119910 NtAdjustPrivilegesToken,LdrInitializeThunk, 13_2_05119910
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_05119860 NtQuerySystemInformation,LdrInitializeThunk, 13_2_05119860
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_05119A50 NtCreateFile,LdrInitializeThunk, 13_2_05119A50
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_0511AD30 NtSetContextThread, 13_2_0511AD30
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_05119520 NtWaitForSingleObject, 13_2_05119520
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_05119560 NtWriteFile, 13_2_05119560
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_051195F0 NtQueryInformationFile, 13_2_051195F0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_0511A710 NtOpenProcessToken, 13_2_0511A710
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_05119710 NtQueryInformationToken, 13_2_05119710
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_05119730 NtQueryVirtualMemory, 13_2_05119730
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_0511A770 NtOpenThread, 13_2_0511A770
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_05119770 NtSetInformationFile, 13_2_05119770
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_05119760 NtOpenProcess, 13_2_05119760
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_05119780 NtMapViewOfSection, 13_2_05119780
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_051197A0 NtUnmapViewOfSection, 13_2_051197A0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_05119610 NtEnumerateValueKey, 13_2_05119610
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_05119650 NtQueryValueKey, 13_2_05119650
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_05119670 NtQueryInformationProcess, 13_2_05119670
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_051196D0 NtCreateKey, 13_2_051196D0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_05119950 NtQueueApcThread, 13_2_05119950
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_051199A0 NtCreateSection, 13_2_051199A0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_051199D0 NtCreateProcessEx, 13_2_051199D0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_05119820 NtEnumerateKey, 13_2_05119820
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_0511B040 NtSuspendThread, 13_2_0511B040
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_05119840 NtDelayExecution, 13_2_05119840
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_051198A0 NtWriteVirtualMemory, 13_2_051198A0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_051198F0 NtReadVirtualMemory, 13_2_051198F0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_05119B00 NtSetValueKey, 13_2_05119B00
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_0511A3B0 NtGetContextThread, 13_2_0511A3B0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_05119A10 NtQuerySection, 13_2_05119A10
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_05119A00 NtProtectVirtualMemory, 13_2_05119A00
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_05119A20 NtResumeThread, 13_2_05119A20
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_05119A80 NtOpenDirectoryObject, 13_2_05119A80
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_01119D50 NtCreateFile, 13_2_01119D50
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_01119F30 NtAllocateVirtualMemory, 13_2_01119F30
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_01119E00 NtReadFile, 13_2_01119E00
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_01119E80 NtClose, 13_2_01119E80
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_01119D4B NtCreateFile, 13_2_01119D4B
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_01119DA4 NtCreateFile, 13_2_01119DA4
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_01119DFE NtReadFile, 13_2_01119DFE
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_01119F2B NtAllocateVirtualMemory, 13_2_01119F2B
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_01119E7A NtClose, 13_2_01119E7A
Detected potential crypto function
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 0_2_00403858 0_2_00403858
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 0_2_00401218 0_2_00401218
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 0_2_00403C2E 0_2_00403C2E
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 0_2_00403A59 0_2_00403A59
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 0_2_00403AEE 0_2_00403AEE
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 0_2_00403A87 0_2_00403A87
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 0_2_00403B49 0_2_00403B49
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 0_2_00403B13 0_2_00403B13
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_1E166E30 1_2_1E166E30
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_1E20D616 1_2_1E20D616
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_1E212EF7 1_2_1E212EF7
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_1E211FF1 1_2_1E211FF1
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_1E21DFCE 1_2_1E21DFCE
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_1E15841F 1_2_1E15841F
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_1E20D466 1_2_1E20D466
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_1E212D07 1_2_1E212D07
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_1E140D20 1_2_1E140D20
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_1E211D55 1_2_1E211D55
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_1E172581 1_2_1E172581
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_1E15D5E0 1_2_1E15D5E0
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_1E2125DD 1_2_1E2125DD
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_1E1FFA2B 1_2_1E1FFA2B
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_1E2122AE 1_2_1E2122AE
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_1E212B28 1_2_1E212B28
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_1E16AB40 1_2_1E16AB40
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_1E17EBB0 1_2_1E17EBB0
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_1E20DBD2 1_2_1E20DBD2
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_1E2003DA 1_2_1E2003DA
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_1E21E824 1_2_1E21E824
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_1E201002 1_2_1E201002
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_1E16A830 1_2_1E16A830
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_1E15B090 1_2_1E15B090
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_1E2120A8 1_2_1E2120A8
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_1E1720A0 1_2_1E1720A0
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_1E2128EC 1_2_1E2128EC
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_1E14F900 1_2_1E14F900
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_1E164120 1_2_1E164120
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_1E1699BF 1_2_1E1699BF
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_051A2D07 13_2_051A2D07
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_050D0D20 13_2_050D0D20
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_051A1D55 13_2_051A1D55
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_05102581 13_2_05102581
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_051A25DD 13_2_051A25DD
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_050ED5E0 13_2_050ED5E0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_050E841F 13_2_050E841F
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_0519D466 13_2_0519D466
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_051ADFCE 13_2_051ADFCE
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_051A1FF1 13_2_051A1FF1
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_0519D616 13_2_0519D616
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_050F6E30 13_2_050F6E30
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_051A2EF7 13_2_051A2EF7
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_050DF900 13_2_050DF900
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_050F4120 13_2_050F4120
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_05191002 13_2_05191002
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_051AE824 13_2_051AE824
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_050EB090 13_2_050EB090
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_051020A0 13_2_051020A0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_051A20A8 13_2_051A20A8
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_051A28EC 13_2_051A28EC
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_051A2B28 13_2_051A2B28
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_0510EBB0 13_2_0510EBB0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_051903DA 13_2_051903DA
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_0519DBD2 13_2_0519DBD2
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_051A22AE 13_2_051A22AE
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_01102D90 13_2_01102D90
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_0111E5ED 13_2_0111E5ED
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_0111DF6E 13_2_0111DF6E
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_0111CF93 13_2_0111CF93
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_0111D781 13_2_0111D781
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_01102FB0 13_2_01102FB0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_01109E30 13_2_01109E30
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_01109E2C 13_2_01109E2C
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_0111DE55 13_2_0111DE55
Found potential string decryption / allocating functions
Source: C:\Windows\SysWOW64\msiexec.exe Code function: String function: 050DB150 appears 45 times
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: String function: 1E14B150 appears 66 times
PE file contains strange resources
Source: 2eD17GZuWs.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Sample file is different than original file name gathered from version info
Source: 2eD17GZuWs.exe, 00000000.00000002.691808899.000000000040F000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameLUKENES.exe vs 2eD17GZuWs.exe
Source: 2eD17GZuWs.exe, 00000000.00000002.691998474.0000000002090000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameuser32j% vs 2eD17GZuWs.exe
Source: 2eD17GZuWs.exe, 00000001.00000003.926965262.0000000000950000.00000004.00000001.sdmp Binary or memory string: OriginalFilenamemsiexec.exeX vs 2eD17GZuWs.exe
Source: 2eD17GZuWs.exe, 00000001.00000002.933965294.000000001E3CF000.00000040.00000001.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs 2eD17GZuWs.exe
Source: 2eD17GZuWs.exe, 00000001.00000002.928375557.00000000008D0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamemswsock.dll.muij% vs 2eD17GZuWs.exe
Source: 2eD17GZuWs.exe, 00000001.00000000.690796127.000000000040F000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameLUKENES.exe vs 2eD17GZuWs.exe
Source: 2eD17GZuWs.exe Binary or memory string: OriginalFilenameLUKENES.exe vs 2eD17GZuWs.exe
Tries to load missing DLLs
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc.dll Jump to behavior
Yara signature match
Source: 0000000D.00000002.932470718.000000000329A000.00000004.00000020.sdmp, type: MEMORY Matched rule: LokiBot_Dropper_Packed_R11_Feb18 date = 2018-02-14, hash1 = 3b248d40fd7acb839cc592def1ed7652734e0e5ef93368be3c36c042883a3029, author = Florian Roth, description = Auto-generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000D.00000002.935336977.00000000055DF000.00000004.00000001.sdmp, type: MEMORY Matched rule: LokiBot_Dropper_Packed_R11_Feb18 date = 2018-02-14, hash1 = 3b248d40fd7acb839cc592def1ed7652734e0e5ef93368be3c36c042883a3029, author = Florian Roth, description = Auto-generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000001.00000002.928588896.0000000002550000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.928588896.0000000002550000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.927894177.00000000000A0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.927894177.00000000000A0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000D.00000002.931871202.0000000001100000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000D.00000002.931871202.0000000001100000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: classification engine Classification label: mal100.rans.troj.spyw.evad.winEXE@8/0@0/1
Source: 2eD17GZuWs.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll Jump to behavior
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: 2eD17GZuWs.exe Virustotal: Detection: 25%
Source: unknown Process created: C:\Users\user\Desktop\2eD17GZuWs.exe 'C:\Users\user\Desktop\2eD17GZuWs.exe'
Source: unknown Process created: C:\Users\user\Desktop\2eD17GZuWs.exe 'C:\Users\user\Desktop\2eD17GZuWs.exe'
Source: unknown Process created: C:\Windows\SysWOW64\autofmt.exe C:\Windows\SysWOW64\autofmt.exe
Source: unknown Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\SysWOW64\msiexec.exe
Source: unknown Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\2eD17GZuWs.exe'
Source: unknown Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Process created: C:\Users\user\Desktop\2eD17GZuWs.exe 'C:\Users\user\Desktop\2eD17GZuWs.exe' Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\2eD17GZuWs.exe' Jump to behavior
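The rows above give the process chain: the dropper starts a second copy of itself (the suspended child that receives the injected code, per the suspended-process and hollowing signatures above), autofmt.exe and msiexec.exe start from SysWOW64 with no arguments and no recorded parent, and msiexec.exe then runs cmd.exe /c del against the dropper to remove it. The detection below is an added example, not part of the report: it replays that chain over process-creation records of the kind an EDR or Sysmon event 1 feed provides. The records are constructed to mirror the rows; PIDs 2936 and 4700 are the loader PIDs the report lists, the other PIDs are invented, and explorer.exe is assumed as the parent of the two system binaries, which the report attributes to 'unknown'.

```python
"""Flag the process chain in the rows above from process-creation records.
Added example, not part of the report. Records are constructed to mirror
the report: PIDs 2936 and 4700 are the loader PIDs it lists, the other PIDs
are invented, and explorer.exe is assumed as the parent of the SysWOW64
binaries, which the report attributes to 'unknown'."""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full path of the new process
    cmdline: str    # its command line as recorded


# Paths a user can write to; a dropper lives here, a hollowing target does not.
USER_WRITABLE = re.compile(r"^(C:\\Users\\|C:\\ProgramData\\|C:\\Windows\\Temp\\)", re.IGNORECASE)
SYSTEM_DIRS = ("C:\\Windows\\SysWOW64\\", "C:\\Windows\\System32\\")
# cmd.exe /c del '<path>.exe' or /c del "<path>.exe"
DEL_CMD = re.compile(r"/c\s+del\s+['\"]?(?P<target>[^'\"]+\.exe)", re.IGNORECASE)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def find_injection_chain(events: list[ProcEvent]) -> list[tuple[str, int, str]]:
    """Return (alert, pid, detail) tuples for the three links of the chain."""
    by_pid = {e.pid: e for e in events}
    alerts = []
    for e in events:
        parent = by_pid.get(e.ppid)
        # Link 1: a user-path executable starts a second copy of itself; the
        # loader uses the child (created suspended) as the injection target.
        if parent and parent.image.lower() == e.image.lower() and USER_WRITABLE.match(e.image):
            alerts.append(("self-spawn", e.pid, e.image))
        # Link 2 (heuristic of this example): a system binary launched by
        # explorer.exe with no arguments at all, as msiexec.exe/autofmt.exe are
        # above. Legitimate launches of these tools carry arguments.
        if (e.image.startswith(SYSTEM_DIRS)
                and e.cmdline.strip().strip('"').lower() == e.image.lower()
                and parent and basename(parent.image) == "explorer.exe"):
            alerts.append(("argless-system-binary", e.pid, e.image))
        # Link 3: cmd.exe deleting an executable in a user-writable path on
        # behalf of a system binary, i.e. the injected process removing the dropper.
        if basename(e.image) == "cmd.exe" and parent and parent.image.startswith(SYSTEM_DIRS):
            m = DEL_CMD.search(e.cmdline)
            if m and USER_WRITABLE.match(m.group("target")):
                alerts.append(("self-delete-via-system-binary", e.pid, parent.image))
    return alerts


def alert_kinds(events: list[ProcEvent]) -> list[str]:
    """Sorted alert names only, convenient for comparing against an expected set."""
    return sorted(kind for kind, _, _ in find_injection_chain(events))


# Constructed records mirroring the 'Process created' rows above (PIDs other
# than 2936 and 4700 are invented; explorer.exe as parent is an assumption).
EVENTS = [
    ProcEvent(1000, 1, r"C:\Windows\explorer.exe", r"C:\Windows\explorer.exe"),
    ProcEvent(2936, 1000, r"C:\Users\user\Desktop\2eD17GZuWs.exe", r"'C:\Users\user\Desktop\2eD17GZuWs.exe'"),
    ProcEvent(4700, 2936, r"C:\Users\user\Desktop\2eD17GZuWs.exe", r"'C:\Users\user\Desktop\2eD17GZuWs.exe'"),
    ProcEvent(5100, 1000, r"C:\Windows\SysWOW64\autofmt.exe", r"C:\Windows\SysWOW64\autofmt.exe"),
    ProcEvent(5200, 1000, r"C:\Windows\SysWOW64\msiexec.exe", r"C:\Windows\SysWOW64\msiexec.exe"),
    ProcEvent(5300, 5200, r"C:\Windows\SysWOW64\cmd.exe", r"/c del 'C:\Users\user\Desktop\2eD17GZuWs.exe'"),
    ProcEvent(5400, 5300, r"C:\Windows\System32\conhost.exe", r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"),
]

if __name__ == "__main__":
    for alert in find_injection_chain(EVENTS):
        print(alert)
```

Run stand-alone it prints one self-spawn alert for PID 4700, one argless-system-binary alert each for autofmt.exe and msiexec.exe, and the self-delete alert for the cmd.exe child of msiexec.exe. The argless-system-binary rule is the noisiest of the three and should be baselined per environment; the self-delete rule on its own is a strong indicator.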
Source: Binary string: msiexec.pdb source: 2eD17GZuWs.exe, 00000001.00000003.926965262.0000000000950000.00000004.00000001.sdmp
Source: Binary string: wscui.pdbUGP source: explorer.exe, 0000000A.00000002.944274718.0000000005A00000.00000002.00000001.sdmp
Source: Binary string: msiexec.pdbGCTL source: 2eD17GZuWs.exe, 00000001.00000003.926965262.0000000000950000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdbUGP source: 2eD17GZuWs.exe, 00000001.00000002.931837199.000000001E120000.00000040.00000001.sdmp, msiexec.exe, 0000000D.00000002.933247040.00000000050B0000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: 2eD17GZuWs.exe, msiexec.exe
Source: Binary string: wscui.pdb source: explorer.exe, 0000000A.00000002.944274718.0000000005A00000.00000002.00000001.sdmp

Data Obfuscation:

Yara detected GuLoader
Source: Yara match File source: Process Memory Space: 2eD17GZuWs.exe PID: 2936, type: MEMORY
Source: Yara match File source: Process Memory Space: 2eD17GZuWs.exe PID: 4700, type: MEMORY
Yara detected VB6 Downloader Generic
Source: Yara match File source: Process Memory Space: 2eD17GZuWs.exe PID: 2936, type: MEMORY
Source: Yara match File source: Process Memory Space: 2eD17GZuWs.exe PID: 4700, type: MEMORY
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 0_2_0040984F push ecx; retf 0_2_004098B0
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 0_2_00409D50 push edi; ret 0_2_00409D5D
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 0_2_00409D55 push edi; ret 0_2_00409D5D
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 0_2_00406910 pushad ; iretd 0_2_00406914
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 0_2_004069F5 push EF15CAC2h; ret 0_2_00406A05
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 0_2_0040759B push FFFFFFC6h; ret 0_2_004075A2
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 0_2_00406653 pushad ; iretd 0_2_00406654
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 0_2_00406A98 pushfd ; ret 0_2_00406A9A
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 0_2_004082AF push FFFFFFDAh; ret 0_2_004082B2
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 0_2_0040A3DA push ecx; retf 0_2_0040A3DC
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 0_2_00407FAA push esp; ret 0_2_00407FB1
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 0_2_00407FB3 push ecx; retf 0_2_00407FBC
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_1E19D0D1 push ecx; ret 1_2_1E19D0E4
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_0512D0D1 push ecx; ret 13_2_0512D0E4
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_011169BB push esi; ret 13_2_011169BC
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_0110AB07 push ds; retf 13_2_0110AB09
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_0111CF5C push eax; ret 13_2_0111CF62
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_01114E05 push ss; retf 13_2_01114E06
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_0111CEA5 push eax; ret 13_2_0111CEF8
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_0111CEF2 push eax; ret 13_2_0111CEF8
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_0111CEFB push eax; ret 13_2_0111CF62
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion:

Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Source: C:\Users\user\Desktop\2eD17GZuWs.exe RDTSC instruction interceptor: First address: 00000000021D4F7E second address: 00000000021D4F7E instructions:
    0x00000000 rdtsc
    0x00000002 mov eax, 00000001h
    0x00000007 cpuid
    0x00000009 popad
    0x0000000a call 00007FA87CCF90B8h
    0x0000000f lfence
    0x00000012 mov edx, dword ptr [7FFE0014h]
    0x00000018 lfence
    0x0000001b ret
    0x0000001c sub edx, esi
    0x0000001e ret
    0x0000001f add edi, edx
    0x00000021 test ax, cx
    0x00000024 dec dword ptr [ebp+000000F8h]
    0x0000002a cmp dx, bx
    0x0000002d cmp dword ptr [ebp+000000F8h], 00000000h
    0x00000034 jne 00007FA87CCF908Eh
    0x00000036 test bx, cx
    0x00000039 test ecx, ebx
    0x0000003b test bx, cx
    0x0000003e call 00007FA87CCF90FCh
    0x00000043 call 00007FA87CCF90CAh
    0x00000048 lfence
    0x0000004b mov edx, dword ptr [7FFE0014h]
    0x00000051 lfence
    0x00000054 ret
    0x00000055 mov esi, edx
    0x00000057 pushad
    0x00000058 rdtsc
Tries to detect Any.run
Source: C:\Users\user\Desktop\2eD17GZuWs.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe Jump to behavior
Source: C:\Users\user\Desktop\2eD17GZuWs.exe File opened: C:\Program Files\qga\qga.exe Jump to behavior
Source: C:\Users\user\Desktop\2eD17GZuWs.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe Jump to behavior
Source: C:\Users\user\Desktop\2eD17GZuWs.exe File opened: C:\Program Files\qga\qga.exe Jump to behavior
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: 2eD17GZuWs.exe Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\2eD17GZuWs.exe RDTSC instruction interceptor: First address: 00000000021D4F13 second address: 00000000021D4F7E instructions:
    0x00000000 rdtsc
    0x00000002 popad
    0x00000003 mov dword ptr [ebp+000000F8h], 00A95F60h
    0x0000000d test al, bl
    0x0000000f test bx, cx
    0x00000012 test ecx, ebx
    0x00000014 test bx, cx
    0x00000017 call 00007FA87CD1247Ch
    0x0000001c call 00007FA87CD1244Ah
    0x00000021 lfence
    0x00000024 mov edx, dword ptr [7FFE0014h]
    0x0000002a lfence
    0x0000002d ret
    0x0000002e mov esi, edx
    0x00000030 pushad
    0x00000031 rdtsc
Source: C:\Users\user\Desktop\2eD17GZuWs.exe RDTSC instruction interceptor: First address: 00000000021D4F7E second address: 00000000021D4F7E instructions:
    0x00000000 rdtsc
    0x00000002 mov eax, 00000001h
    0x00000007 cpuid
    0x00000009 popad
    0x0000000a call 00007FA87CCF90B8h
    0x0000000f lfence
    0x00000012 mov edx, dword ptr [7FFE0014h]
    0x00000018 lfence
    0x0000001b ret
    0x0000001c sub edx, esi
    0x0000001e ret
    0x0000001f add edi, edx
    0x00000021 test ax, cx
    0x00000024 dec dword ptr [ebp+000000F8h]
    0x0000002a cmp dx, bx
    0x0000002d cmp dword ptr [ebp+000000F8h], 00000000h
    0x00000034 jne 00007FA87CCF908Eh
    0x00000036 test bx, cx
    0x00000039 test ecx, ebx
    0x0000003b test bx, cx
    0x0000003e call 00007FA87CCF90FCh
    0x00000043 call 00007FA87CCF90CAh
    0x00000048 lfence
    0x0000004b mov edx, dword ptr [7FFE0014h]
    0x00000051 lfence
    0x00000054 ret
    0x00000055 mov esi, edx
    0x00000057 pushad
    0x00000058 rdtsc
Source: C:\Users\user\Desktop\2eD17GZuWs.exe RDTSC instruction interceptor: First address: 00000000021D4FA0 second address: 00000000021D4FA0 instructions:
    0x00000000 rdtsc
    0x00000002 lfence
    0x00000005 shl edx, 20h
    0x00000008 or edx, eax
    0x0000000a ret
    0x0000000b mov esi, edx
    0x0000000d pushad
    0x0000000e mov eax, 00000001h
    0x00000013 cpuid
    0x00000015 bt ecx, 1Fh
    0x00000019 jc 00007FA87CD1284Dh
    0x0000001f popad
    0x00000020 call 00007FA87CD12521h
    0x00000025 lfence
    0x00000028 rdtsc
Source: C:\Users\user\Desktop\2eD17GZuWs.exe RDTSC instruction interceptor: First address: 0000000000564FA0 second address: 0000000000564FA0 instructions:
    0x00000000 rdtsc
    0x00000002 lfence
    0x00000005 shl edx, 20h
    0x00000008 or edx, eax
    0x0000000a ret
    0x0000000b mov esi, edx
    0x0000000d pushad
    0x0000000e mov eax, 00000001h
    0x00000013 cpuid
    0x00000015 bt ecx, 1Fh
    0x00000019 jc 00007FA87CCF94CDh
    0x0000001f popad
    0x00000020 call 00007FA87CCF91A1h
    0x00000025 lfence
    0x00000028 rdtsc
Source: C:\Users\user\Desktop\2eD17GZuWs.exe RDTSC instruction interceptor: First address: 00000000004098E4 second address: 00000000004098EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\2eD17GZuWs.exe RDTSC instruction interceptor: First address: 0000000000409B4E second address: 0000000000409B54 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\msiexec.exe RDTSC instruction interceptor: First address: 00000000011098E4 second address: 00000000011098EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\msiexec.exe RDTSC instruction interceptor: First address: 0000000001109B4E second address: 0000000001109B54 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
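The traces above show the check as the loader runs it: rdtsc, a serialising cpuid (leaf 1, whose ecx bit 31 is the hypervisor-present flag tested by bt ecx, 1Fh), a read of KUSER_SHARED_DATA.SystemTime at 7FFE0014h, and a counter at [ebp+F8h] initialised to 00A95F60h (about 11.1 million) that repeats the sequence until it reaches zero. Under a hypervisor every cpuid exits to the host, so the loop takes far longer than on bare metal: either the measured delta gives the analysis environment away or the sandbox runs out of time before the payload is reached. The scanner below is an added example, not report output or sandbox code: it looks for that opcode pattern in a raw 32-bit code region such as a dumped memory range. The opcode encodings are standard x86, the three sample buffers are constructed here from the instruction sequences in the traces, and the 96-byte window and the tag names are choices of this example.

```python
"""Scan a 32-bit x86 code region for the rdtsc/cpuid timing pattern in the
traces above. Added example, not sandbox code. Opcode encodings are standard
x86; the sample buffers are constructed here from the report's instruction
sequences and are not memory taken from the sample."""
from __future__ import annotations

# Encodings of the instructions that make up the check (32-bit x86).
RDTSC = b"\x0f\x31"
CPUID = b"\x0f\xa2"
LFENCE = b"\x0f\xae\xe8"
PUSHAD, POPAD, RET = b"\x60", b"\x61", b"\xc3"
MOV_EAX_1 = b"\xb8\x01\x00\x00\x00"             # mov eax, 1 (cpuid leaf 1)
MOV_EDX_SYSTIME = b"\x8b\x15\x14\x00\xfe\x7f"    # mov edx, [7FFE0014h]: KUSER_SHARED_DATA.SystemTime
BT_ECX_31 = b"\x0f\xba\xe1\x1f"                  # bt ecx, 1Fh: hypervisor-present bit of cpuid leaf 1
DEC_COUNTER = b"\xff\x8d\xf8\x00\x00\x00"         # dec dword ptr [ebp+0F8h]: the hammering loop counter

WINDOW = 96  # bytes after an rdtsc in which the companion instructions must appear (example choice)


def rdtsc_offsets(code: bytes):
    """Yield every offset at which an rdtsc opcode occurs."""
    pos = code.find(RDTSC)
    while pos != -1:
        yield pos
        pos = code.find(RDTSC, pos + 1)


def scan_timing_checks(code: bytes, window: int = WINDOW) -> list[dict]:
    """One finding per rdtsc whose neighbourhood looks like a timing or hypervisor check."""
    findings = []
    for off in rdtsc_offsets(code):
        region = code[off + len(RDTSC): off + window]
        f = {
            "offset": off,
            "second_rdtsc": RDTSC in region,
            "cpuid_leaf1": (MOV_EAX_1 + CPUID) in region,
            "reads_systemtime": MOV_EDX_SYSTIME in region,
            "hypervisor_bit": BT_ECX_31 in region,
            "loop_counter": DEC_COUNTER in region,
        }
        # A lone rdtsc is common in benign code (profilers, PRNG seeding). Require a
        # second rdtsc to pair with and a serialising cpuid or a SystemTime read in between.
        f["timing_check"] = f["second_rdtsc"] and (f["cpuid_leaf1"] or f["reads_systemtime"])
        if f["timing_check"] or f["hypervisor_bit"]:
            findings.append(f)
    return findings


def classify(code: bytes) -> list[str]:
    """Summarise a region as sorted tags; ['clean'] when nothing matched."""
    tags = set()
    for f in scan_timing_checks(code):
        if f["timing_check"]:
            tags.add("timing-check")
        if f["hypervisor_bit"]:
            tags.add("hypervisor-bit")
        if f["timing_check"] and f["loop_counter"]:
            tags.add("instruction-hammering")
    return sorted(tags) or ["clean"]


# Constructed sample 1: the hypervisor-bit trace (rdtsc ... mov eax,1; cpuid; bt ecx,1Fh ... rdtsc).
SAMPLE_HV_CHECK = (
    RDTSC + LFENCE + b"\xc1\xe2\x20" + b"\x09\xc2" + RET          # rdtsc; lfence; shl edx,20h; or edx,eax; ret
    + b"\x89\xd6" + PUSHAD + MOV_EAX_1 + CPUID + BT_ECX_31        # mov esi,edx; pushad; mov eax,1; cpuid; bt ecx,1Fh
    + b"\x72\x10" + POPAD + b"\xe8\x00\x00\x00\x00" + LFENCE      # jc +10h; popad; call rel32; lfence
    + RDTSC
)

# Constructed sample 2: the hammering loop (cpuid, SystemTime read, counter decrement, jne, rdtsc again).
SAMPLE_HAMMER = (
    RDTSC + MOV_EAX_1 + CPUID + POPAD + b"\xe8\x00\x00\x00\x00"
    + LFENCE + MOV_EDX_SYSTIME + LFENCE + RET
    + b"\x29\xf2" + RET + b"\x01\xd7"                              # sub edx,esi; ret; add edi,edx
    + DEC_COUNTER + b"\x83\xbd\xf8\x00\x00\x00\x00" + b"\x75\xd0"  # cmp dword ptr [ebp+0F8h],0; jne back
    + b"\xe8\x00\x00\x00\x00" + LFENCE + MOV_EDX_SYSTIME + LFENCE + RET
    + b"\x89\xd6" + PUSHAD + RDTSC                                # mov esi,edx; pushad; rdtsc
)

# Constructed sample 3: a benign rdtsc (read the counter, store it, return).
SAMPLE_BENIGN = RDTSC + b"\x89\x45\xfc" + RET                      # rdtsc; mov [ebp-4],eax; ret


if __name__ == "__main__":
    for name, buf in (("benign", SAMPLE_BENIGN), ("hv-check", SAMPLE_HV_CHECK), ("hammer", SAMPLE_HAMMER)):
        print(f"{name:9s} {classify(buf)}")
```

The scan is byte-pattern matching, not disassembly, so it will miss the same check if the loader is rebuilt with different register choices or junk instructions wider than the window; it is meant as a fast triage over dumped regions, with a disassembler pass on the hits. The benign sample shows why a bare rdtsc is not enough on its own to raise an alert.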
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 0_2_021D044B rdtsc 0_2_021D044B
Source: explorer.exe, 0000000A.00000000.891875190.00000000058C0000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: explorer.exe, 0000000A.00000000.896175080.000000000A60E000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 0000000A.00000000.894315754.0000000006650000.00000004.00000001.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 0000000A.00000000.896175080.000000000A60E000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: 2eD17GZuWs.exe, 00000001.00000003.927010291.0000000000948000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW
Source: explorer.exe, 0000000A.00000002.940809736.0000000004710000.00000004.00000001.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000[Wm
Source: explorer.exe, 0000000A.00000000.891875190.00000000058C0000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: explorer.exe, 0000000A.00000000.896282281.000000000A716000.00000004.00000001.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000/
Source: 2eD17GZuWs.exe Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: explorer.exe, 0000000A.00000000.891875190.00000000058C0000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: explorer.exe, 0000000A.00000000.896282281.000000000A716000.00000004.00000001.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000@
Source: explorer.exe, 0000000A.00000000.891875190.00000000058C0000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Process information queried: ProcessInformation Jump to behavior

Anti Debugging:

Contains functionality to hide a thread from the debugger
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 0_2_021D06B1 NtSetInformationThread 000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,021D0570,00000000,00000000,00000000,00000000 0_2_021D06B1
Hides threads from debuggers
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Thread information set: HideFromDebugger Jump to behavior
Checks if the current process is being debugged
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Process queried: DebugPort Jump to behavior
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 0_2_021D044B rdtsc 0_2_021D044B
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 0_2_021D3746 LdrInitializeThunk, 0_2_021D3746
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 0_2_021D54F4 mov eax, dword ptr fs:[00000030h] 0_2_021D54F4
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 0_2_021D1E09 mov eax, dword ptr fs:[00000030h] 0_2_021D1E09
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 0_2_021D1721 mov eax, dword ptr fs:[00000030h] 0_2_021D1721
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 0_2_021D1C16 mov eax, dword ptr fs:[00000030h] 0_2_021D1C16
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 0_2_021D4802 mov eax, dword ptr fs:[00000030h] 0_2_021D4802
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 0_2_021D4CBB mov eax, dword ptr fs:[00000030h] 0_2_021D4CBB
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 0_2_021D5531 mov eax, dword ptr fs:[00000030h] 0_2_021D5531
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 0_2_021D29C8 mov eax, dword ptr fs:[00000030h] 0_2_021D29C8
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_1E17A61C mov eax, dword ptr fs:[00000030h] 1_2_1E17A61C
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_1E17A61C mov eax, dword ptr fs:[00000030h] 1_2_1E17A61C
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_1E14C600 mov eax, dword ptr fs:[00000030h] 1_2_1E14C600
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_1E14C600 mov eax, dword ptr fs:[00000030h] 1_2_1E14C600
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_1E14C600 mov eax, dword ptr fs:[00000030h] 1_2_1E14C600
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_1E178E00 mov eax, dword ptr fs:[00000030h] 1_2_1E178E00
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_1E1FFE3F mov eax, dword ptr fs:[00000030h] 1_2_1E1FFE3F
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_1E201608 mov eax, dword ptr fs:[00000030h] 1_2_1E201608
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_1E14E620 mov eax, dword ptr fs:[00000030h] 1_2_1E14E620
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_1E157E41 mov eax, dword ptr fs:[00000030h] 1_2_1E157E41
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_1E157E41 mov eax, dword ptr fs:[00000030h] 1_2_1E157E41
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_1E157E41 mov eax, dword ptr fs:[00000030h] 1_2_1E157E41
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_1E157E41 mov eax, dword ptr fs:[00000030h] 1_2_1E157E41
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_1E157E41 mov eax, dword ptr fs:[00000030h] 1_2_1E157E41
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_1E157E41 mov eax, dword ptr fs:[00000030h] 1_2_1E157E41
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_1E20AE44 mov eax, dword ptr fs:[00000030h] 1_2_1E20AE44
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_1E20AE44 mov eax, dword ptr fs:[00000030h] 1_2_1E20AE44
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_1E16AE73 mov eax, dword ptr fs:[00000030h] 1_2_1E16AE73
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_1E16AE73 mov eax, dword ptr fs:[00000030h] 1_2_1E16AE73
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_1E16AE73 mov eax, dword ptr fs:[00000030h] 1_2_1E16AE73
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_1E16AE73 mov eax, dword ptr fs:[00000030h] 1_2_1E16AE73
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_1E16AE73 mov eax, dword ptr fs:[00000030h] 1_2_1E16AE73
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_1E15766D mov eax, dword ptr fs:[00000030h] 1_2_1E15766D
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_1E210EA5 mov eax, dword ptr fs:[00000030h] 1_2_1E210EA5
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_1E210EA5 mov eax, dword ptr fs:[00000030h] 1_2_1E210EA5
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_1E210EA5 mov eax, dword ptr fs:[00000030h] 1_2_1E210EA5
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_1E1DFE87 mov eax, dword ptr fs:[00000030h] 1_2_1E1DFE87
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_1E1C46A7 mov eax, dword ptr fs:[00000030h] 1_2_1E1C46A7
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_1E1736CC mov eax, dword ptr fs:[00000030h] 1_2_1E1736CC
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_1E1FFEC0 mov eax, dword ptr fs:[00000030h] 1_2_1E1FFEC0
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_1E188EC7 mov eax, dword ptr fs:[00000030h] 1_2_1E188EC7
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_1E218ED6 mov eax, dword ptr fs:[00000030h] 1_2_1E218ED6
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_1E1716E0 mov ecx, dword ptr fs:[00000030h] 1_2_1E1716E0
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_1E1576E2 mov eax, dword ptr fs:[00000030h] 1_2_1E1576E2
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_1E16F716 mov eax, dword ptr fs:[00000030h] 1_2_1E16F716
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_1E1DFF10 mov eax, dword ptr fs:[00000030h] 1_2_1E1DFF10
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_1E1DFF10 mov eax, dword ptr fs:[00000030h] 1_2_1E1DFF10
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_1E17A70E mov eax, dword ptr fs:[00000030h] 1_2_1E17A70E
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_1E17A70E mov eax, dword ptr fs:[00000030h] 1_2_1E17A70E
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_1E17E730 mov eax, dword ptr fs:[00000030h] 1_2_1E17E730
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_1E21070D mov eax, dword ptr fs:[00000030h] 1_2_1E21070D
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_1E21070D mov eax, dword ptr fs:[00000030h] 1_2_1E21070D
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_1E144F2E mov eax, dword ptr fs:[00000030h] 1_2_1E144F2E
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_1E144F2E mov eax, dword ptr fs:[00000030h] 1_2_1E144F2E
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_1E218F6A mov eax, dword ptr fs:[00000030h] 1_2_1E218F6A
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_1E15EF40 mov eax, dword ptr fs:[00000030h] 1_2_1E15EF40
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_1E15FF60 mov eax, dword ptr fs:[00000030h] 1_2_1E15FF60
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_1E158794 mov eax, dword ptr fs:[00000030h] 1_2_1E158794
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_1E1C7794 mov eax, dword ptr fs:[00000030h] 1_2_1E1C7794
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_1E1C7794 mov eax, dword ptr fs:[00000030h] 1_2_1E1C7794
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_1E1C7794 mov eax, dword ptr fs:[00000030h] 1_2_1E1C7794
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_1E1837F5 mov eax, dword ptr fs:[00000030h] 1_2_1E1837F5
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_1E1C6C0A mov eax, dword ptr fs:[00000030h] 1_2_1E1C6C0A
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_1E1C6C0A mov eax, dword ptr fs:[00000030h] 1_2_1E1C6C0A
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_1E1C6C0A mov eax, dword ptr fs:[00000030h] 1_2_1E1C6C0A
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_1E1C6C0A mov eax, dword ptr fs:[00000030h] 1_2_1E1C6C0A
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_1E201C06 mov eax, dword ptr fs:[00000030h] 1_2_1E201C06
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_1E201C06 mov eax, dword ptr fs:[00000030h] 1_2_1E201C06
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_1E201C06 mov eax, dword ptr fs:[00000030h] 1_2_1E201C06
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_1E201C06 mov eax, dword ptr fs:[00000030h] 1_2_1E201C06
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_1E201C06 mov eax, dword ptr fs:[00000030h] 1_2_1E201C06
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_1E201C06 mov eax, dword ptr fs:[00000030h] 1_2_1E201C06
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_1E201C06 mov eax, dword ptr fs:[00000030h] 1_2_1E201C06
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_1E201C06 mov eax, dword ptr fs:[00000030h] 1_2_1E201C06
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_1E201C06 mov eax, dword ptr fs:[00000030h] 1_2_1E201C06
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_1E201C06 mov eax, dword ptr fs:[00000030h] 1_2_1E201C06
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_1E201C06 mov eax, dword ptr fs:[00000030h] 1_2_1E201C06
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_1E201C06 mov eax, dword ptr fs:[00000030h] 1_2_1E201C06
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_1E201C06 mov eax, dword ptr fs:[00000030h] 1_2_1E201C06
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_1E201C06 mov eax, dword ptr fs:[00000030h] 1_2_1E201C06
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_1E21740D mov eax, dword ptr fs:[00000030h] 1_2_1E21740D
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_1E17BC2C mov eax, dword ptr fs:[00000030h] 1_2_1E17BC2C
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_1E1DC450 mov eax, dword ptr fs:[00000030h] 1_2_1E1DC450
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_1E17A44B mov eax, dword ptr fs:[00000030h] 1_2_1E17A44B
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_1E16746D mov eax, dword ptr fs:[00000030h] 1_2_1E16746D
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_1E15849B mov eax, dword ptr fs:[00000030h] 1_2_1E15849B
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_1E2014FB mov eax, dword ptr fs:[00000030h] 1_2_1E2014FB
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_1E1C6CF0 mov eax, dword ptr fs:[00000030h] 1_2_1E1C6CF0
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_1E218CD6 mov eax, dword ptr fs:[00000030h] 1_2_1E218CD6
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_1E218D34 mov eax, dword ptr fs:[00000030h] 1_2_1E218D34
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_1E20E539 mov eax, dword ptr fs:[00000030h] 1_2_1E20E539
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_1E153D34 mov eax, dword ptr fs:[00000030h] 1_2_1E153D34
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_1E14AD30 mov eax, dword ptr fs:[00000030h] 1_2_1E14AD30
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_1E1CA537 mov eax, dword ptr fs:[00000030h] 1_2_1E1CA537
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_1E174D3B mov eax, dword ptr fs:[00000030h] 1_2_1E174D3B
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_1E167D50 mov eax, dword ptr fs:[00000030h] 1_2_1E167D50
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_1E183D43 mov eax, dword ptr fs:[00000030h] 1_2_1E183D43
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_1E1C3540 mov eax, dword ptr fs:[00000030h] 1_2_1E1C3540
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_1E1F3D40 mov eax, dword ptr fs:[00000030h] 1_2_1E1F3D40
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_1E16C577 mov eax, dword ptr fs:[00000030h] 1_2_1E16C577
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_1E17FD9B mov eax, dword ptr fs:[00000030h] 1_2_1E17FD9B
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_1E2105AC mov eax, dword ptr fs:[00000030h] 1_2_1E2105AC
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_1E172581 mov eax, dword ptr fs:[00000030h] 1_2_1E172581
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_1E142D8A mov eax, dword ptr fs:[00000030h] 1_2_1E142D8A
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_1E171DB5 mov eax, dword ptr fs:[00000030h] 1_2_1E171DB5
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_1E1735A1 mov eax, dword ptr fs:[00000030h] 1_2_1E1735A1
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_1E20FDE2 mov eax, dword ptr fs:[00000030h] 1_2_1E20FDE2
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_1E1C6DC9 mov eax, dword ptr fs:[00000030h] 1_2_1E1C6DC9
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_1E1C6DC9 mov ecx, dword ptr fs:[00000030h] 1_2_1E1C6DC9
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_1E1F8DF1 mov eax, dword ptr fs:[00000030h] 1_2_1E1F8DF1
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_1E15D5E0 mov eax, dword ptr fs:[00000030h] 1_2_1E15D5E0
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_1E14AA16 mov eax, dword ptr fs:[00000030h] 1_2_1E14AA16
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_1E145210 mov eax, dword ptr fs:[00000030h] 1_2_1E145210
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_1E145210 mov ecx, dword ptr fs:[00000030h] 1_2_1E145210
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_1E163A1C mov eax, dword ptr fs:[00000030h] 1_2_1E163A1C
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_1E158A0A mov eax, dword ptr fs:[00000030h] 1_2_1E158A0A
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_1E184A2C mov eax, dword ptr fs:[00000030h] 1_2_1E184A2C
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_1E20AA16 mov eax, dword ptr fs:[00000030h] 1_2_1E20AA16
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_1E16A229 mov eax, dword ptr fs:[00000030h] 1_2_1E16A229
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_1E218A62 mov eax, dword ptr fs:[00000030h] 1_2_1E218A62
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_1E1D4257 mov eax, dword ptr fs:[00000030h] 1_2_1E1D4257
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_1E149240 mov eax, dword ptr fs:[00000030h] 1_2_1E149240
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_1E18927A mov eax, dword ptr fs:[00000030h] 1_2_1E18927A
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_1E20EA55 mov eax, dword ptr fs:[00000030h] 1_2_1E20EA55
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_1E1FB260 mov eax, dword ptr fs:[00000030h] 1_2_1E1FB260
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_1E17D294 mov eax, dword ptr fs:[00000030h] 1_2_1E17D294
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_1E15AAB0 mov eax, dword ptr fs:[00000030h] 1_2_1E15AAB0
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_1E17FAB0 mov eax, dword ptr fs:[00000030h] 1_2_1E17FAB0
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_1E1452A5 mov eax, dword ptr fs:[00000030h] 1_2_1E1452A5
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_1E172ACB mov eax, dword ptr fs:[00000030h] 1_2_1E172ACB
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_1E172AE4 mov eax, dword ptr fs:[00000030h] 1_2_1E172AE4
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_1E20131B mov eax, dword ptr fs:[00000030h] 1_2_1E20131B
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_1E14F358 mov eax, dword ptr fs:[00000030h] 1_2_1E14F358
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_1E14DB40 mov eax, dword ptr fs:[00000030h] 1_2_1E14DB40
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_1E173B7A mov eax, dword ptr fs:[00000030h] 1_2_1E173B7A
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_1E14DB60 mov ecx, dword ptr fs:[00000030h] 1_2_1E14DB60
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_1E218B58 mov eax, dword ptr fs:[00000030h] 1_2_1E218B58
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_1E172397 mov eax, dword ptr fs:[00000030h] 1_2_1E172397
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_1E215BA5 mov eax, dword ptr fs:[00000030h] 1_2_1E215BA5
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_1E17B390 mov eax, dword ptr fs:[00000030h] 1_2_1E17B390
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_1E151B8F mov eax, dword ptr fs:[00000030h] 1_2_1E151B8F
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_1E1FD380 mov ecx, dword ptr fs:[00000030h] 1_2_1E1FD380
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_1E20138A mov eax, dword ptr fs:[00000030h] 1_2_1E20138A
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_1E174BAD mov eax, dword ptr fs:[00000030h] 1_2_1E174BAD
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_1E1C53CA mov eax, dword ptr fs:[00000030h] 1_2_1E1C53CA
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_1E1703E2 mov eax, dword ptr fs:[00000030h] 1_2_1E1703E2
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_1E16DBE9 mov eax, dword ptr fs:[00000030h] 1_2_1E16DBE9
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_1E1C7016 mov eax, dword ptr fs:[00000030h] 1_2_1E1C7016
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_1E16A830 mov eax, dword ptr fs:[00000030h] 1_2_1E16A830
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_1E214015 mov eax, dword ptr fs:[00000030h] 1_2_1E214015
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_1E17002D mov eax, dword ptr fs:[00000030h] 1_2_1E17002D
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_1E15B02A mov eax, dword ptr fs:[00000030h] 1_2_1E15B02A
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_1E160050 mov eax, dword ptr fs:[00000030h] 1_2_1E160050
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_1E202073 mov eax, dword ptr fs:[00000030h] 1_2_1E202073
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_1E211074 mov eax, dword ptr fs:[00000030h] 1_2_1E211074
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_1E149080 mov eax, dword ptr fs:[00000030h] 1_2_1E149080
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_1E1C3884 mov eax, dword ptr fs:[00000030h] 1_2_1E1C3884
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_1E17F0BF mov ecx, dword ptr fs:[00000030h] 1_2_1E17F0BF
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_1E17F0BF mov eax, dword ptr fs:[00000030h] 1_2_1E17F0BF
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_1E1890AF mov eax, dword ptr fs:[00000030h] 1_2_1E1890AF
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_1E1720A0 mov eax, dword ptr fs:[00000030h] 1_2_1E1720A0
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_1E1DB8D0 mov eax, dword ptr fs:[00000030h] 1_2_1E1DB8D0
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_1E1DB8D0 mov ecx, dword ptr fs:[00000030h] 1_2_1E1DB8D0
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_1E1440E1 mov eax, dword ptr fs:[00000030h] 1_2_1E1440E1
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_1E1458EC mov eax, dword ptr fs:[00000030h] 1_2_1E1458EC
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_1E149100 mov eax, dword ptr fs:[00000030h] 1_2_1E149100
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_1E17513A mov eax, dword ptr fs:[00000030h] 1_2_1E17513A
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_1E164120 mov eax, dword ptr fs:[00000030h] 1_2_1E164120
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_1E164120 mov ecx, dword ptr fs:[00000030h] 1_2_1E164120
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_1E16B944 mov eax, dword ptr fs:[00000030h] 1_2_1E16B944
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_1E14B171 mov eax, dword ptr fs:[00000030h] 1_2_1E14B171
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_1E14C962 mov eax, dword ptr fs:[00000030h] 1_2_1E14C962
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_1E2049A4 mov eax, dword ptr fs:[00000030h] 1_2_1E2049A4
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_1E172990 mov eax, dword ptr fs:[00000030h] 1_2_1E172990
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_1E17A185 mov eax, dword ptr fs:[00000030h] 1_2_1E17A185
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_1E16C182 mov eax, dword ptr fs:[00000030h] 1_2_1E16C182
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_1E1C51BE mov eax, dword ptr fs:[00000030h] 1_2_1E1C51BE
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_1E1699BF mov ecx, dword ptr fs:[00000030h] 1_2_1E1699BF
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_1E1699BF mov eax, dword ptr fs:[00000030h] 1_2_1E1699BF
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_1E1761A0 mov eax, dword ptr fs:[00000030h] 1_2_1E1761A0
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_1E1C69A6 mov eax, dword ptr fs:[00000030h] 1_2_1E1C69A6
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_1E1D41E8 mov eax, dword ptr fs:[00000030h] 1_2_1E1D41E8
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_1E14B1E1 mov eax, dword ptr fs:[00000030h] 1_2_1E14B1E1
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_00565449 mov eax, dword ptr fs:[00000030h] 1_2_00565449
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_00565472 mov eax, dword ptr fs:[00000030h] 1_2_00565472
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_00564802 mov eax, dword ptr fs:[00000030h] 1_2_00564802
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_00565435 mov eax, dword ptr fs:[00000030h] 1_2_00565435
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_0056548D mov eax, dword ptr fs:[00000030h] 1_2_0056548D
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_00564CBB mov eax, dword ptr fs:[00000030h] 1_2_00564CBB
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_005654B9 mov eax, dword ptr fs:[00000030h] 1_2_005654B9
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_00565531 mov eax, dword ptr fs:[00000030h] 1_2_00565531
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Code function: 1_2_005629C2 mov eax, dword ptr fs:[00000030h] 1_2_005629C2
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_0519E539 mov eax, dword ptr fs:[00000030h] 13_2_0519E539
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_0515A537 mov eax, dword ptr fs:[00000030h] 13_2_0515A537
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_05104D3B mov eax, dword ptr fs:[00000030h] 13_2_05104D3B
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_051A8D34 mov eax, dword ptr fs:[00000030h] 13_2_051A8D34
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_050E3D34 mov eax, dword ptr fs:[00000030h] 13_2_050E3D34
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_050DAD30 mov eax, dword ptr fs:[00000030h] 13_2_050DAD30
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_05113D43 mov eax, dword ptr fs:[00000030h] 13_2_05113D43
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_05153540 mov eax, dword ptr fs:[00000030h] 13_2_05153540
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_05183D40 mov eax, dword ptr fs:[00000030h] 13_2_05183D40
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_050F7D50 mov eax, dword ptr fs:[00000030h] 13_2_050F7D50
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_050FC577 mov eax, dword ptr fs:[00000030h] 13_2_050FC577
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_050D2D8A mov eax, dword ptr fs:[00000030h] 13_2_050D2D8A
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_0510FD9B mov eax, dword ptr fs:[00000030h] 13_2_0510FD9B
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_0510FD9B mov eax, dword ptr fs:[00000030h] 13_2_0510FD9B
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_05102581 mov eax, dword ptr fs:[00000030h] 13_2_05102581
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_05102581 mov eax, dword ptr fs:[00000030h] 13_2_05102581
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_05102581 mov eax, dword ptr fs:[00000030h] 13_2_05102581
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_05102581 mov eax, dword ptr fs:[00000030h] 13_2_05102581
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_05101DB5 mov eax, dword ptr fs:[00000030h] 13_2_05101DB5
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_05101DB5 mov eax, dword ptr fs:[00000030h] 13_2_05101DB5
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_05101DB5 mov eax, dword ptr fs:[00000030h] 13_2_05101DB5
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_051035A1 mov eax, dword ptr fs:[00000030h] 13_2_051035A1
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_051A05AC mov eax, dword ptr fs:[00000030h] 13_2_051A05AC
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_051A05AC mov eax, dword ptr fs:[00000030h] 13_2_051A05AC
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_05156DC9 mov eax, dword ptr fs:[00000030h] 13_2_05156DC9
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_05156DC9 mov eax, dword ptr fs:[00000030h] 13_2_05156DC9
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_05156DC9 mov eax, dword ptr fs:[00000030h] 13_2_05156DC9
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_05156DC9 mov ecx, dword ptr fs:[00000030h] 13_2_05156DC9
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_05156DC9 mov eax, dword ptr fs:[00000030h] 13_2_05156DC9
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_05156DC9 mov eax, dword ptr fs:[00000030h] 13_2_05156DC9
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_05188DF1 mov eax, dword ptr fs:[00000030h] 13_2_05188DF1
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_050ED5E0 mov eax, dword ptr fs:[00000030h] 13_2_050ED5E0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_050ED5E0 mov eax, dword ptr fs:[00000030h] 13_2_050ED5E0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_0519FDE2 mov eax, dword ptr fs:[00000030h] 13_2_0519FDE2
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_0519FDE2 mov eax, dword ptr fs:[00000030h] 13_2_0519FDE2
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_0519FDE2 mov eax, dword ptr fs:[00000030h] 13_2_0519FDE2
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_0519FDE2 mov eax, dword ptr fs:[00000030h] 13_2_0519FDE2
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_051A740D mov eax, dword ptr fs:[00000030h] 13_2_051A740D
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_051A740D mov eax, dword ptr fs:[00000030h] 13_2_051A740D
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_051A740D mov eax, dword ptr fs:[00000030h] 13_2_051A740D
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_05191C06 mov eax, dword ptr fs:[00000030h] 13_2_05191C06
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_05191C06 mov eax, dword ptr fs:[00000030h] 13_2_05191C06
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_05191C06 mov eax, dword ptr fs:[00000030h] 13_2_05191C06
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_05191C06 mov eax, dword ptr fs:[00000030h] 13_2_05191C06
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_05191C06 mov eax, dword ptr fs:[00000030h] 13_2_05191C06
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_05191C06 mov eax, dword ptr fs:[00000030h] 13_2_05191C06
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_05191C06 mov eax, dword ptr fs:[00000030h] 13_2_05191C06
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_05191C06 mov eax, dword ptr fs:[00000030h] 13_2_05191C06
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_05191C06 mov eax, dword ptr fs:[00000030h] 13_2_05191C06
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_05191C06 mov eax, dword ptr fs:[00000030h] 13_2_05191C06
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_05191C06 mov eax, dword ptr fs:[00000030h] 13_2_05191C06
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_05191C06 mov eax, dword ptr fs:[00000030h] 13_2_05191C06
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_05191C06 mov eax, dword ptr fs:[00000030h] 13_2_05191C06
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_05191C06 mov eax, dword ptr fs:[00000030h] 13_2_05191C06
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_05156C0A mov eax, dword ptr fs:[00000030h] 13_2_05156C0A
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_05156C0A mov eax, dword ptr fs:[00000030h] 13_2_05156C0A
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_05156C0A mov eax, dword ptr fs:[00000030h] 13_2_05156C0A
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_05156C0A mov eax, dword ptr fs:[00000030h] 13_2_05156C0A
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_0510BC2C mov eax, dword ptr fs:[00000030h] 13_2_0510BC2C
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_0516C450 mov eax, dword ptr fs:[00000030h] 13_2_0516C450
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_0516C450 mov eax, dword ptr fs:[00000030h] 13_2_0516C450
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_0510A44B mov eax, dword ptr fs:[00000030h] 13_2_0510A44B
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_050F746D mov eax, dword ptr fs:[00000030h] 13_2_050F746D
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_050E849B mov eax, dword ptr fs:[00000030h] 13_2_050E849B
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_051A8CD6 mov eax, dword ptr fs:[00000030h] 13_2_051A8CD6
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_051914FB mov eax, dword ptr fs:[00000030h] 13_2_051914FB
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_05156CF0 mov eax, dword ptr fs:[00000030h] 13_2_05156CF0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_05156CF0 mov eax, dword ptr fs:[00000030h] 13_2_05156CF0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_05156CF0 mov eax, dword ptr fs:[00000030h] 13_2_05156CF0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_0516FF10 mov eax, dword ptr fs:[00000030h] 13_2_0516FF10
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_0516FF10 mov eax, dword ptr fs:[00000030h] 13_2_0516FF10
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_051A070D mov eax, dword ptr fs:[00000030h] 13_2_051A070D
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_051A070D mov eax, dword ptr fs:[00000030h] 13_2_051A070D
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_050FF716 mov eax, dword ptr fs:[00000030h] 13_2_050FF716
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_0510A70E mov eax, dword ptr fs:[00000030h] 13_2_0510A70E
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_0510A70E mov eax, dword ptr fs:[00000030h] 13_2_0510A70E
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_0510E730 mov eax, dword ptr fs:[00000030h] 13_2_0510E730
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_050D4F2E mov eax, dword ptr fs:[00000030h] 13_2_050D4F2E
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_050D4F2E mov eax, dword ptr fs:[00000030h] 13_2_050D4F2E
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_050EEF40 mov eax, dword ptr fs:[00000030h] 13_2_050EEF40
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_050EFF60 mov eax, dword ptr fs:[00000030h] 13_2_050EFF60
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_051A8F6A mov eax, dword ptr fs:[00000030h] 13_2_051A8F6A
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_05157794 mov eax, dword ptr fs:[00000030h] 13_2_05157794
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_05157794 mov eax, dword ptr fs:[00000030h] 13_2_05157794
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_05157794 mov eax, dword ptr fs:[00000030h] 13_2_05157794
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_050E8794 mov eax, dword ptr fs:[00000030h] 13_2_050E8794
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_051137F5 mov eax, dword ptr fs:[00000030h] 13_2_051137F5
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_0510A61C mov eax, dword ptr fs:[00000030h] 13_2_0510A61C
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_0510A61C mov eax, dword ptr fs:[00000030h] 13_2_0510A61C
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_050DC600 mov eax, dword ptr fs:[00000030h] 13_2_050DC600
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_050DC600 mov eax, dword ptr fs:[00000030h] 13_2_050DC600
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_050DC600 mov eax, dword ptr fs:[00000030h] 13_2_050DC600
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_05108E00 mov eax, dword ptr fs:[00000030h] 13_2_05108E00
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_05191608 mov eax, dword ptr fs:[00000030h] 13_2_05191608
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_0518FE3F mov eax, dword ptr fs:[00000030h] 13_2_0518FE3F
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_050DE620 mov eax, dword ptr fs:[00000030h] 13_2_050DE620
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_050E7E41 mov eax, dword ptr fs:[00000030h] 13_2_050E7E41
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_050E7E41 mov eax, dword ptr fs:[00000030h] 13_2_050E7E41
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_050E7E41 mov eax, dword ptr fs:[00000030h] 13_2_050E7E41
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_050E7E41 mov eax, dword ptr fs:[00000030h] 13_2_050E7E41
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_050E7E41 mov eax, dword ptr fs:[00000030h] 13_2_050E7E41
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_050E7E41 mov eax, dword ptr fs:[00000030h] 13_2_050E7E41
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_0519AE44 mov eax, dword ptr fs:[00000030h] 13_2_0519AE44
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_0519AE44 mov eax, dword ptr fs:[00000030h] 13_2_0519AE44
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_050E766D mov eax, dword ptr fs:[00000030h] 13_2_050E766D
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_050FAE73 mov eax, dword ptr fs:[00000030h] 13_2_050FAE73
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_050FAE73 mov eax, dword ptr fs:[00000030h] 13_2_050FAE73
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_050FAE73 mov eax, dword ptr fs:[00000030h] 13_2_050FAE73
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_050FAE73 mov eax, dword ptr fs:[00000030h] 13_2_050FAE73
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_050FAE73 mov eax, dword ptr fs:[00000030h] 13_2_050FAE73
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_0516FE87 mov eax, dword ptr fs:[00000030h] 13_2_0516FE87
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_051546A7 mov eax, dword ptr fs:[00000030h] 13_2_051546A7
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_051A0EA5 mov eax, dword ptr fs:[00000030h] 13_2_051A0EA5
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_051A0EA5 mov eax, dword ptr fs:[00000030h] 13_2_051A0EA5
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_051A0EA5 mov eax, dword ptr fs:[00000030h] 13_2_051A0EA5
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_051A8ED6 mov eax, dword ptr fs:[00000030h] 13_2_051A8ED6
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_05118EC7 mov eax, dword ptr fs:[00000030h] 13_2_05118EC7
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_0518FEC0 mov eax, dword ptr fs:[00000030h] 13_2_0518FEC0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_051036CC mov eax, dword ptr fs:[00000030h] 13_2_051036CC
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_050E76E2 mov eax, dword ptr fs:[00000030h] 13_2_050E76E2
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_051016E0 mov ecx, dword ptr fs:[00000030h] 13_2_051016E0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_050D9100 mov eax, dword ptr fs:[00000030h] 13_2_050D9100
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_050D9100 mov eax, dword ptr fs:[00000030h] 13_2_050D9100
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_050D9100 mov eax, dword ptr fs:[00000030h] 13_2_050D9100
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_0510513A mov eax, dword ptr fs:[00000030h] 13_2_0510513A
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_0510513A mov eax, dword ptr fs:[00000030h] 13_2_0510513A
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_050F4120 mov eax, dword ptr fs:[00000030h] 13_2_050F4120
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_050F4120 mov eax, dword ptr fs:[00000030h] 13_2_050F4120
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_050F4120 mov eax, dword ptr fs:[00000030h] 13_2_050F4120
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_050F4120 mov eax, dword ptr fs:[00000030h] 13_2_050F4120
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_050F4120 mov ecx, dword ptr fs:[00000030h] 13_2_050F4120
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_050FB944 mov eax, dword ptr fs:[00000030h] 13_2_050FB944
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_050FB944 mov eax, dword ptr fs:[00000030h] 13_2_050FB944
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_050DC962 mov eax, dword ptr fs:[00000030h] 13_2_050DC962
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_050DB171 mov eax, dword ptr fs:[00000030h] 13_2_050DB171
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_050DB171 mov eax, dword ptr fs:[00000030h] 13_2_050DB171
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_05102990 mov eax, dword ptr fs:[00000030h] 13_2_05102990
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_050FC182 mov eax, dword ptr fs:[00000030h] 13_2_050FC182
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_0510A185 mov eax, dword ptr fs:[00000030h] 13_2_0510A185
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_051551BE mov eax, dword ptr fs:[00000030h] 13_2_051551BE
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_051551BE mov eax, dword ptr fs:[00000030h] 13_2_051551BE
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_051551BE mov eax, dword ptr fs:[00000030h] 13_2_051551BE
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_051551BE mov eax, dword ptr fs:[00000030h] 13_2_051551BE
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_051061A0 mov eax, dword ptr fs:[00000030h] 13_2_051061A0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_051061A0 mov eax, dword ptr fs:[00000030h] 13_2_051061A0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_051569A6 mov eax, dword ptr fs:[00000030h] 13_2_051569A6
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_051949A4 mov eax, dword ptr fs:[00000030h] 13_2_051949A4
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_051949A4 mov eax, dword ptr fs:[00000030h] 13_2_051949A4
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_051949A4 mov eax, dword ptr fs:[00000030h] 13_2_051949A4
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_051949A4 mov eax, dword ptr fs:[00000030h] 13_2_051949A4
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_050DB1E1 mov eax, dword ptr fs:[00000030h] 13_2_050DB1E1
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_050DB1E1 mov eax, dword ptr fs:[00000030h] 13_2_050DB1E1
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_050DB1E1 mov eax, dword ptr fs:[00000030h] 13_2_050DB1E1
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_051641E8 mov eax, dword ptr fs:[00000030h] 13_2_051641E8
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_05157016 mov eax, dword ptr fs:[00000030h] 13_2_05157016
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_05157016 mov eax, dword ptr fs:[00000030h] 13_2_05157016
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_05157016 mov eax, dword ptr fs:[00000030h] 13_2_05157016
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_051A4015 mov eax, dword ptr fs:[00000030h] 13_2_051A4015
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_051A4015 mov eax, dword ptr fs:[00000030h] 13_2_051A4015
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_050EB02A mov eax, dword ptr fs:[00000030h] 13_2_050EB02A
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_050EB02A mov eax, dword ptr fs:[00000030h] 13_2_050EB02A
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_050EB02A mov eax, dword ptr fs:[00000030h] 13_2_050EB02A
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_050EB02A mov eax, dword ptr fs:[00000030h] 13_2_050EB02A
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_0510002D mov eax, dword ptr fs:[00000030h] 13_2_0510002D
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_0510002D mov eax, dword ptr fs:[00000030h] 13_2_0510002D
Enables debug privileges
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\msiexec.exe Process token adjusted: Debug

HIPS / PFW / Operating System Protection Evasion:

Maps a DLL or memory area into another process
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Section loaded: unknown target: C:\Windows\SysWOW64\msiexec.exe protection: execute and read and write
Modifies the context of a thread in another process (thread injection)
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Thread register set: target process: 3424
Queues an APC in another process (thread injection)
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Thread APC queued: target process: C:\Windows\explorer.exe
Sample uses process hollowing technique
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Section unmapped: C:\Windows\SysWOW64\msiexec.exe base address: 1240000
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\2eD17GZuWs.exe Process created: C:\Users\user\Desktop\2eD17GZuWs.exe 'C:\Users\user\Desktop\2eD17GZuWs.exe'
Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\2eD17GZuWs.exe'
Source: explorer.exe, 0000000A.00000000.882628410.0000000000AD8000.00000004.00000020.sdmp Binary or memory string: ProgmanMD6
Source: explorer.exe, 0000000A.00000002.932560185.0000000001080000.00000002.00000001.sdmp, msiexec.exe, 0000000D.00000002.932857617.0000000003960000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: explorer.exe, 0000000A.00000002.932560185.0000000001080000.00000002.00000001.sdmp, msiexec.exe, 0000000D.00000002.932857617.0000000003960000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 0000000A.00000002.932560185.0000000001080000.00000002.00000001.sdmp, msiexec.exe, 0000000D.00000002.932857617.0000000003960000.00000002.00000001.sdmp Binary or memory string: Progman
Source: explorer.exe, 0000000A.00000002.932560185.0000000001080000.00000002.00000001.sdmp, msiexec.exe, 0000000D.00000002.932857617.0000000003960000.00000002.00000001.sdmp Binary or memory string: Progmanlock
Source: explorer.exe, 0000000A.00000000.896282281.000000000A716000.00000004.00000001.sdmp Binary or memory string: Shell_TrayWnd5D

Stealing of Sensitive Information:

Yara detected FormBook
Source: Yara match File source: 00000001.00000002.928588896.0000000002550000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.927894177.00000000000A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.931871202.0000000001100000.00000040.00000001.sdmp, type: MEMORY
Yara detected Generic Dropper
Source: Yara match File source: Process Memory Space: 2eD17GZuWs.exe PID: 2936, type: MEMORY
Source: Yara match File source: Process Memory Space: msiexec.exe PID: 6680, type: MEMORY

Remote Access Functionality:

Yara detected FormBook
Source: Yara match File source: 00000001.00000002.928588896.0000000002550000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.927894177.00000000000A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.931871202.0000000001100000.00000040.00000001.sdmp, type: MEMORY
Behavior Graph (ID: 320425, Sample: 2eD17GZuWs.exe, Startdate: 19/11/2020, Architecture: WINDOWS, Score: 100): 2eD17GZuWs.exe starts a second 2eD17GZuWs.exe, which contacts 103.125.191.5 on port 80 (VNPT-AS-VN, Viet Nam) and injects into explorer.exe; explorer.exe starts msiexec.exe and autofmt.exe; msiexec.exe starts cmd.exe, which starts conhost.exe.

Contacted Public IPs

IP: 103.125.191.5
Domain: unknown
Country: Viet Nam
ASN: 135905
ASN Name: VNPT-AS-VNVIETNAMPOSTSANDTELECOMMUNICATIONSGROUPVN
Malicious: true

Contacted URLs

Name: http://103.125.191.5/bin_xMjelaYnr43.bin
Malicious: true
Antivirus Detection: Avira URL Cloud: safe
Reputation: unknown