Analysis Report BANK ACCOUNT INFO!.exe

Overview

General Information

Sample Name: BANK ACCOUNT INFO!.exe
Analysis ID: 321134
MD5: 0bd3e9073a968fd6c10c3b163302c2c9
SHA1: f0b948a18e960b1e5141471fe6e1cb4e85a2867d
SHA256: dde122ac5a5a8eb786e335b3278dc5aae9cd3635c889fc4eb641a7a69123954d
Tags: exe, Formbook

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Yara detected AntiVM_3
Yara detected FormBook
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

AV Detection:

Antivirus detection for URL or domain
Source: http://www.meatslasvegas.com/sbmh/ Avira URL Cloud: Label: malware
Source: http://www.meatslasvegas.com/sbmh/www.salon-massage-linit.com Avira URL Cloud: Label: malware
Source: http://www.meatslasvegas.com Avira URL Cloud: Label: malware
Multi AV Scanner detection for submitted file
Source: BANK ACCOUNT INFO!.exe Virustotal: Detection: 21%
Source: BANK ACCOUNT INFO!.exe ReversingLabs: Detection: 10%
Yara detected FormBook
Source: Yara match File source: 00000004.00000002.475693377.0000000002EF0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.258154608.0000000001000000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.475792839.0000000002F20000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.473464239.00000000005C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.257924121.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.258303947.0000000001420000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.214389513.00000000038B9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 1.2.BANK ACCOUNT INFO!.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.BANK ACCOUNT INFO!.exe.400000.0.raw.unpack, type: UNPACKEDPE
Machine Learning detection for sample
Source: BANK ACCOUNT INFO!.exe Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 1.2.BANK ACCOUNT INFO!.exe.400000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen

Networking:

HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /sbmh/?FPWlMXx=PcjUtjh0MRWP8BRvWG8NuUt69AEkHHHW5P4XnB/f7cjpZcBvzWU1+UolGZvfCul1Hwqj&AlO=O2JtmTIX2 HTTP/1.1 Host: www.ablehead.net Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /sbmh/?FPWlMXx=W647QVGGXcyuIQJd2YRsV4l3KrBdlR6nE0kWwxhnTOMt1o1EWv0jVtfUgI2cf5E+EjKE&AlO=O2JtmTIX2 HTTP/1.1 Host: www.katrinarask.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /sbmh/?FPWlMXx=+2tIfJwwghXNm+fysv8+EMC6xMyDXIpTEsDIQwPK5FpH6PGBMSGX6HHqgPLM/DeZI3NR&AlO=O2JtmTIX2 HTTP/1.1 Host: www.wellnysdirect.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 198.49.23.141
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: AMAZON-AESUS
Source: unknown DNS traffic detected: queries for: www.friendlyksa.com
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Date: Fri, 20 Nov 2020 11:02:06 GMT Server: Apache Content-Length: 203 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /sbmh/ was not found on this server.</p></body></html>

E-Banking Fraud:

Yara detected FormBook

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000004.00000002.475693377.0000000002EF0000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.475693377.0000000002EF0000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.258154608.0000000001000000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.258154608.0000000001000000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.475792839.0000000002F20000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.475792839.0000000002F20000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.473464239.00000000005C0000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.473464239.00000000005C0000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.257924121.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.257924121.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.258303947.0000000001420000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.258303947.0000000001420000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.214389513.00000000038B9000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.214389513.00000000038B9000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.2.BANK ACCOUNT INFO!.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.BANK ACCOUNT INFO!.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.2.BANK ACCOUNT INFO!.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.BANK ACCOUNT INFO!.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Contains functionality to call native functions
Source: C:\Windows\SysWOW64\wscript.exe Code function: 4_2_04AB97A0 NtUnmapViewOfSection, 4_2_04AB97A0
Source: C:\Windows\SysWOW64\wscript.exe Code function: 4_2_04AB9730 NtQueryVirtualMemory, 4_2_04AB9730
Source: C:\Windows\SysWOW64\wscript.exe Code function: 4_2_04ABA710 NtOpenProcessToken, 4_2_04ABA710
Source: C:\Windows\SysWOW64\wscript.exe Code function: 4_2_04AB9760 NtOpenProcess, 4_2_04AB9760
Source: C:\Windows\SysWOW64\wscript.exe Code function: 4_2_04ABA770 NtOpenThread, 4_2_04ABA770
Source: C:\Windows\SysWOW64\wscript.exe Code function: 4_2_04AB9770 NtSetInformationFile, 4_2_04AB9770
Source: C:\Windows\SysWOW64\wscript.exe Code function: 4_2_04AB98A0 NtWriteVirtualMemory, 4_2_04AB98A0
Source: C:\Windows\SysWOW64\wscript.exe Code function: 4_2_04AB98F0 NtReadVirtualMemory, 4_2_04AB98F0
Source: C:\Windows\SysWOW64\wscript.exe Code function: 4_2_04AB9820 NtEnumerateKey, 4_2_04AB9820
Source: C:\Windows\SysWOW64\wscript.exe Code function: 4_2_04ABB040 NtSuspendThread, 4_2_04ABB040
Source: C:\Windows\SysWOW64\wscript.exe Code function: 4_2_04AB99D0 NtCreateProcessEx, 4_2_04AB99D0
Source: C:\Windows\SysWOW64\wscript.exe Code function: 4_2_04AB9950 NtQueueApcThread, 4_2_04AB9950
Source: C:\Windows\SysWOW64\wscript.exe Code function: 4_2_04AB9A80 NtOpenDirectoryObject, 4_2_04AB9A80
Source: C:\Windows\SysWOW64\wscript.exe Code function: 4_2_04AB9A20 NtResumeThread, 4_2_04AB9A20
Source: C:\Windows\SysWOW64\wscript.exe Code function: 4_2_04AB9A00 NtProtectVirtualMemory, 4_2_04AB9A00
Source: C:\Windows\SysWOW64\wscript.exe Code function: 4_2_04AB9A10 NtQuerySection, 4_2_04AB9A10
Source: C:\Windows\SysWOW64\wscript.exe Code function: 4_2_04ABA3B0 NtGetContextThread, 4_2_04ABA3B0
Source: C:\Windows\SysWOW64\wscript.exe Code function: 4_2_04AB9B00 NtSetValueKey, 4_2_04AB9B00
Source: C:\Windows\SysWOW64\wscript.exe Code function: 4_2_005DA050 NtClose, 4_2_005DA050
Source: C:\Windows\SysWOW64\wscript.exe Code function: 4_2_005DA100 NtAllocateVirtualMemory, 4_2_005DA100
Source: C:\Windows\SysWOW64\wscript.exe Code function: 4_2_005D9F20 NtCreateFile, 4_2_005D9F20
Source: C:\Windows\SysWOW64\wscript.exe Code function: 4_2_005D9FD0 NtReadFile, 4_2_005D9FD0
Source: C:\Windows\SysWOW64\wscript.exe Code function: 4_2_005D9FCA NtReadFile, 4_2_005D9FCA
Detected potential crypto function
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe Code function: String function: 0147B150 appears 136 times
Source: C:\Windows\SysWOW64\wscript.exe Code function: String function: 04A7B150 appears 145 times
Sample file is different than original file name gathered from version info
Source: BANK ACCOUNT INFO!.exe Binary or memory string: OriginalFilename vs BANK ACCOUNT INFO!.exe
Source: BANK ACCOUNT INFO!.exe, 00000000.00000002.215904460.0000000005A50000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameKedermister.dllT vs BANK ACCOUNT INFO!.exe
Source: BANK ACCOUNT INFO!.exe, 00000001.00000002.258458802.000000000156F000.00000040.00000001.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs BANK ACCOUNT INFO!.exe
Source: BANK ACCOUNT INFO!.exe, 00000001.00000002.260642680.0000000003250000.00000040.00000001.sdmp Binary or memory string: OriginalFilenamewscript.exe` vs BANK ACCOUNT INFO!.exe
Source: BANK ACCOUNT INFO!.exe Binary or memory string: OriginalFilenametymo.exeN vs BANK ACCOUNT INFO!.exe
Yara signature match
Source: 00000004.00000002.475693377.0000000002EF0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.475693377.0000000002EF0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.258154608.0000000001000000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.258154608.0000000001000000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.475792839.0000000002F20000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.475792839.0000000002F20000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.473464239.00000000005C0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.473464239.00000000005C0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.257924121.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.257924121.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.258303947.0000000001420000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.258303947.0000000001420000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.214389513.00000000038B9000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.214389513.00000000038B9000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.BANK ACCOUNT INFO!.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.2.BANK ACCOUNT INFO!.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.BANK ACCOUNT INFO!.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.2.BANK ACCOUNT INFO!.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: BANK ACCOUNT INFO!.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: classification engine Classification label: mal100.troj.evad.winEXE@7/1@4/3
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\BANK ACCOUNT INFO!.exe.log
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2212:120:WilError_01
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: BANK ACCOUNT INFO!.exe Virustotal: Detection: 21%
Source: BANK ACCOUNT INFO!.exe ReversingLabs: Detection: 10%
Source: unknown Process created: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe 'C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe'
Source: unknown Process created: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe
Source: unknown Process created: C:\Windows\SysWOW64\wscript.exe C:\Windows\SysWOW64\wscript.exe
Source: unknown Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe'
Source: unknown Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe Process created: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe'
Source: C:\Windows\explorer.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6C3EE638-B588-4D7D-B30A-E7E36759305D}\InprocServer32
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: BANK ACCOUNT INFO!.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: BANK ACCOUNT INFO!.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: wscript.pdbGCTL source: BANK ACCOUNT INFO!.exe, 00000001.00000002.260642680.0000000003250000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdbUGP source: BANK ACCOUNT INFO!.exe, 00000001.00000002.258458802.000000000156F000.00000040.00000001.sdmp, wscript.exe, 00000004.00000002.476368319.0000000004A50000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: BANK ACCOUNT INFO!.exe, wscript.exe
Source: Binary string: wscript.pdb source: BANK ACCOUNT INFO!.exe, 00000001.00000002.260642680.0000000003250000.00000040.00000001.sdmp

Data Obfuscation:

Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe Code function: 1_2_0041D075 push eax; ret 1_2_0041D0C8
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe Code function: 1_2_0041C802 push esi; iretd 1_2_0041C803
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe Code function: 1_2_0041D0C2 push eax; ret 1_2_0041D0C8
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe Code function: 1_2_0041D0CB push eax; ret 1_2_0041D132
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe Code function: 1_2_0041E172 pushfd ; ret 1_2_0041E174
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe Code function: 1_2_0041D12C push eax; ret 1_2_0041D132
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe Code function: 1_2_004182CC push cs; retf 1_2_004182CE
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe Code function: 1_2_0041E4F5 push dword ptr [537421FAh]; ret 1_2_0041E515
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe Code function: 1_2_00419C92 pushfd ; iretd 1_2_00419C98
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe Code function: 1_2_0041674D push 8EAE14C8h; iretd 1_2_00416753
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe Code function: 1_2_004167AE push C6E9D42Ah; ret 1_2_004167C2
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe Code function: 1_2_014CD0D1 push ecx; ret 1_2_014CD0E4
Source: C:\Windows\SysWOW64\wscript.exe Code function: 4_2_04ACD0D1 push ecx; ret 4_2_04ACD0E4
Source: C:\Windows\SysWOW64\wscript.exe Code function: 4_2_005DD075 push eax; ret 4_2_005DD0C8
Source: C:\Windows\SysWOW64\wscript.exe Code function: 4_2_005DC802 push esi; iretd 4_2_005DC803
Source: C:\Windows\SysWOW64\wscript.exe Code function: 4_2_005DD0CB push eax; ret 4_2_005DD132
Source: C:\Windows\SysWOW64\wscript.exe Code function: 4_2_005DD0C2 push eax; ret 4_2_005DD0C8
Source: C:\Windows\SysWOW64\wscript.exe Code function: 4_2_005DE172 pushfd ; ret 4_2_005DE174
Source: C:\Windows\SysWOW64\wscript.exe Code function: 4_2_005DD12C push eax; ret 4_2_005DD132
Source: C:\Windows\SysWOW64\wscript.exe Code function: 4_2_005D82CC push cs; retf 4_2_005D82CE
Source: C:\Windows\SysWOW64\wscript.exe Code function: 4_2_005DE4F5 push dword ptr [537421FAh]; ret 4_2_005DE515
Source: C:\Windows\SysWOW64\wscript.exe Code function: 4_2_005D9C92 pushfd ; iretd 4_2_005D9C98
Source: C:\Windows\SysWOW64\wscript.exe Code function: 4_2_005D674D push 8EAE14C8h; iretd 4_2_005D6753
Source: C:\Windows\SysWOW64\wscript.exe Code function: 4_2_005D67AE push C6E9D42Ah; ret 4_2_005D67C2
Source: initial sample Static PE information: section name: .text entropy: 7.82664888308

Hooking and other Techniques for Hiding and Protection:

Modifies the prolog of user mode functions (user mode inline hooks)
Source: explorer.exe User mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x87 0x7E 0xE6
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Yara detected AntiVM_3
Source: Yara match File source: 00000000.00000002.214093011.00000000028F7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.213965097.00000000028B1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: BANK ACCOUNT INFO!.exe PID: 5264, type: MEMORY
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: BANK ACCOUNT INFO!.exe, 00000000.00000002.214093011.00000000028F7000.00000004.00000001.sdmp Binary or memory string: SBIEDLL.DLL
Source: BANK ACCOUNT INFO!.exe, 00000000.00000002.214093011.00000000028F7000.00000004.00000001.sdmp Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe RDTSC instruction interceptor: First address: 00000000004098E4 second address: 00000000004098EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe RDTSC instruction interceptor: First address: 0000000000409B4E second address: 0000000000409B54 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\wscript.exe RDTSC instruction interceptor: First address: 00000000005C98E4 second address: 00000000005C98EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\wscript.exe RDTSC instruction interceptor: First address: 00000000005C9B4E second address: 00000000005C9B54 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe Code function: 1_2_00409A80 rdtsc 1_2_00409A80
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe Thread delayed: delay time: 922337203685477
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe TID: 5936 Thread sleep time: -49237s >= -30000s
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe TID: 6096 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\explorer.exe TID: 6376 Thread sleep count: 36 > 30
Source: C:\Windows\explorer.exe TID: 6376 Thread sleep time: -72000s >= -30000s
Source: C:\Windows\SysWOW64\wscript.exe TID: 4464 Thread sleep time: -48000s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\explorer.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\wscript.exe Last function: Thread delayed
Source: explorer.exe, 00000002.00000000.229544936.000000000871F000.00000004.00000001.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: explorer.exe, 00000002.00000000.229544936.000000000871F000.00000004.00000001.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000:
Source: BANK ACCOUNT INFO!.exe, 00000000.00000002.214093011.00000000028F7000.00000004.00000001.sdmp Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: explorer.exe, 00000002.00000000.228899034.0000000008220000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: explorer.exe, 00000002.00000000.229324948.0000000008640000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: BANK ACCOUNT INFO!.exe, 00000000.00000002.214093011.00000000028F7000.00000004.00000001.sdmp Binary or memory string: vmware
Source: BANK ACCOUNT INFO!.exe, 00000000.00000002.214093011.00000000028F7000.00000004.00000001.sdmp Binary or memory string: VMware SVGA II|update users set password = @password where user_id = @user_id
Source: explorer.exe, 00000002.00000002.487079470.00000000055D0000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}V*(E
Source: explorer.exe, 00000002.00000000.229544936.000000000871F000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}~
Source: explorer.exe, 00000002.00000000.229544936.000000000871F000.00000004.00000001.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
Source: explorer.exe, 00000002.00000000.229616866.00000000087D1000.00000004.00000001.sdmp Binary or memory string: VMware SATA CD00ices
Source: explorer.exe, 00000002.00000002.487119662.0000000005603000.00000004.00000001.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b},
Source: explorer.exe, 00000002.00000003.292352680.0000000008A13000.00000004.00000001.sdmp Binary or memory string: -b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATAY
Source: explorer.exe, 00000002.00000000.228899034.0000000008220000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: explorer.exe, 00000002.00000000.228899034.0000000008220000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: BANK ACCOUNT INFO!.exe, 00000000.00000002.214093011.00000000028F7000.00000004.00000001.sdmp Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
Source: explorer.exe, 00000002.00000000.228899034.0000000008220000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe Process information queried: ProcessInformation

Anti Debugging:

Checks if the current process is being debugged
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\wscript.exe Process queried: DebugPort
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe Code function: 1_2_00409A80 rdtsc 1_2_00409A80
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe Code function: 1_2_0040ACC0 LdrLoadDll, 1_2_0040ACC0
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe Code function: 1_2_0149B944 mov eax, dword ptr fs:[00000030h] 1_2_0149B944
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe Code function: 1_2_01548D34 mov eax, dword ptr fs:[00000030h] 1_2_01548D34
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe Code function: 1_2_0153E539 mov eax, dword ptr fs:[00000030h] 1_2_0153E539
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe Code function: 1_2_014A4D3B mov eax, dword ptr fs:[00000030h] 1_2_014A4D3B
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe Code function: 1_2_014A4D3B mov eax, dword ptr fs:[00000030h] 1_2_014A4D3B
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe Code function: 1_2_014A4D3B mov eax, dword ptr fs:[00000030h] 1_2_014A4D3B
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe Code function: 1_2_0147AD30 mov eax, dword ptr fs:[00000030h] 1_2_0147AD30
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe Code function: 1_2_014FA537 mov eax, dword ptr fs:[00000030h] 1_2_014FA537
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe Code function: 1_2_01483D34 mov eax, dword ptr fs:[00000030h] 1_2_01483D34
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe Code function: 1_2_01483D34 mov eax, dword ptr fs:[00000030h] 1_2_01483D34
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe Code function: 1_2_01483D34 mov eax, dword ptr fs:[00000030h] 1_2_01483D34
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe Code function: 1_2_01483D34 mov eax, dword ptr fs:[00000030h] 1_2_01483D34
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe Code function: 1_2_01483D34 mov eax, dword ptr fs:[00000030h] 1_2_01483D34
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe Code function: 1_2_01483D34 mov eax, dword ptr fs:[00000030h] 1_2_01483D34
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe Code function: 1_2_01483D34 mov eax, dword ptr fs:[00000030h] 1_2_01483D34
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe Code function: 1_2_01483D34 mov eax, dword ptr fs:[00000030h] 1_2_01483D34
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe Code function: 1_2_01483D34 mov eax, dword ptr fs:[00000030h] 1_2_01483D34
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe Code function: 1_2_01483D34 mov eax, dword ptr fs:[00000030h] 1_2_01483D34
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe Code function: 1_2_01483D34 mov eax, dword ptr fs:[00000030h] 1_2_01483D34
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe Code function: 1_2_01483D34 mov eax, dword ptr fs:[00000030h] 1_2_01483D34
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe Code function: 1_2_01483D34 mov eax, dword ptr fs:[00000030h] 1_2_01483D34
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe Code function: 1_2_014F6DC9 mov eax, dword ptr fs:[00000030h] 1_2_014F6DC9
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe Code function: 1_2_014F6DC9 mov eax, dword ptr fs:[00000030h] 1_2_014F6DC9
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe Code function: 1_2_014F6DC9 mov eax, dword ptr fs:[00000030h] 1_2_014F6DC9
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe Code function: 1_2_014F6DC9 mov ecx, dword ptr fs:[00000030h] 1_2_014F6DC9
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe Code function: 1_2_014F6DC9 mov eax, dword ptr fs:[00000030h] 1_2_014F6DC9
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe Code function: 1_2_014F6DC9 mov eax, dword ptr fs:[00000030h] 1_2_014F6DC9
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe Code function: 1_2_01528DF1 mov eax, dword ptr fs:[00000030h] 1_2_01528DF1
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe Code function: 1_2_0148D5E0 mov eax, dword ptr fs:[00000030h] 1_2_0148D5E0
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe Code function: 1_2_0148D5E0 mov eax, dword ptr fs:[00000030h] 1_2_0148D5E0
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe Code function: 1_2_0153FDE2 mov eax, dword ptr fs:[00000030h] 1_2_0153FDE2
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe Code function: 1_2_0153FDE2 mov eax, dword ptr fs:[00000030h] 1_2_0153FDE2
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe Code function: 1_2_0153FDE2 mov eax, dword ptr fs:[00000030h] 1_2_0153FDE2
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe Code function: 1_2_0153FDE2 mov eax, dword ptr fs:[00000030h] 1_2_0153FDE2
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe Code function: 1_2_014A2581 mov eax, dword ptr fs:[00000030h] 1_2_014A2581
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe Code function: 1_2_014A2581 mov eax, dword ptr fs:[00000030h] 1_2_014A2581
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe Code function: 1_2_014A2581 mov eax, dword ptr fs:[00000030h] 1_2_014A2581
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe Code function: 1_2_014A2581 mov eax, dword ptr fs:[00000030h] 1_2_014A2581
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe Code function: 1_2_01472D8A mov eax, dword ptr fs:[00000030h] 1_2_01472D8A
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe Code function: 1_2_01472D8A mov eax, dword ptr fs:[00000030h] 1_2_01472D8A
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe Code function: 1_2_01472D8A mov eax, dword ptr fs:[00000030h] 1_2_01472D8A
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe Code function: 1_2_01472D8A mov eax, dword ptr fs:[00000030h] 1_2_01472D8A
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe Code function: 1_2_01472D8A mov eax, dword ptr fs:[00000030h] 1_2_01472D8A
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe Code function: 1_2_014AFD9B mov eax, dword ptr fs:[00000030h] 1_2_014AFD9B
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe Code function: 1_2_014AFD9B mov eax, dword ptr fs:[00000030h] 1_2_014AFD9B
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe Code function: 1_2_01532D82 mov eax, dword ptr fs:[00000030h] 1_2_01532D82
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe Code function: 1_2_01532D82 mov eax, dword ptr fs:[00000030h] 1_2_01532D82
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe Code function: 1_2_01532D82 mov eax, dword ptr fs:[00000030h] 1_2_01532D82
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe Code function: 1_2_01532D82 mov eax, dword ptr fs:[00000030h] 1_2_01532D82
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe Code function: 1_2_01532D82 mov eax, dword ptr fs:[00000030h] 1_2_01532D82
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe Code function: 1_2_01532D82 mov eax, dword ptr fs:[00000030h] 1_2_01532D82
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe Code function: 1_2_01532D82 mov eax, dword ptr fs:[00000030h] 1_2_01532D82
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe Code function: 1_2_014A35A1 mov eax, dword ptr fs:[00000030h] 1_2_014A35A1
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe Code function: 1_2_015405AC mov eax, dword ptr fs:[00000030h] 1_2_015405AC
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe Code function: 1_2_015405AC mov eax, dword ptr fs:[00000030h] 1_2_015405AC
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe Code function: 1_2_014A1DB5 mov eax, dword ptr fs:[00000030h] 1_2_014A1DB5
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe Code function: 1_2_014A1DB5 mov eax, dword ptr fs:[00000030h] 1_2_014A1DB5
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe Code function: 1_2_014A1DB5 mov eax, dword ptr fs:[00000030h] 1_2_014A1DB5
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe Code function: 1_2_0150C450 mov eax, dword ptr fs:[00000030h] 1_2_0150C450
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe Code function: 1_2_0150C450 mov eax, dword ptr fs:[00000030h] 1_2_0150C450
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe Code function: 1_2_014AA44B mov eax, dword ptr fs:[00000030h] 1_2_014AA44B
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe Code function: 1_2_0149746D mov eax, dword ptr fs:[00000030h] 1_2_0149746D
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe Code function: 1_2_014AAC7B mov eax, dword ptr fs:[00000030h] 1_2_014AAC7B
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe Code function: 1_2_014AAC7B mov eax, dword ptr fs:[00000030h] 1_2_014AAC7B
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe Code function: 1_2_014AAC7B mov eax, dword ptr fs:[00000030h] 1_2_014AAC7B
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe Code function: 1_2_014AAC7B mov eax, dword ptr fs:[00000030h] 1_2_014AAC7B
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe Code function: 1_2_014AAC7B mov eax, dword ptr fs:[00000030h] 1_2_014AAC7B
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe Code function: 1_2_014AAC7B mov eax, dword ptr fs:[00000030h] 1_2_014AAC7B
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe Code function: 1_2_014AAC7B mov eax, dword ptr fs:[00000030h] 1_2_014AAC7B
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe Code function: 1_2_014AAC7B mov eax, dword ptr fs:[00000030h] 1_2_014AAC7B
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe Code function: 1_2_014AAC7B mov eax, dword ptr fs:[00000030h] 1_2_014AAC7B
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe Code function: 1_2_014AAC7B mov eax, dword ptr fs:[00000030h] 1_2_014AAC7B
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe Code function: 1_2_014AAC7B mov eax, dword ptr fs:[00000030h] 1_2_014AAC7B
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe Code function: 1_2_0149B477 mov eax, dword ptr fs:[00000030h] 1_2_0149B477
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe Code function: 1_2_0149B477 mov eax, dword ptr fs:[00000030h] 1_2_0149B477
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe Code function: 1_2_0149B477 mov eax, dword ptr fs:[00000030h] 1_2_0149B477
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe Code function: 1_2_0149B477 mov eax, dword ptr fs:[00000030h] 1_2_0149B477
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe Code function: 1_2_0149B477 mov eax, dword ptr fs:[00000030h] 1_2_0149B477
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe Code function: 1_2_0149B477 mov eax, dword ptr fs:[00000030h] 1_2_0149B477
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe Code function: 1_2_0149B477 mov eax, dword ptr fs:[00000030h] 1_2_0149B477
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe Code function: 1_2_0149B477 mov eax, dword ptr fs:[00000030h] 1_2_0149B477
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe Code function: 1_2_0149B477 mov eax, dword ptr fs:[00000030h] 1_2_0149B477
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe Code function: 1_2_0149B477 mov eax, dword ptr fs:[00000030h] 1_2_0149B477
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe Code function: 1_2_0149B477 mov eax, dword ptr fs:[00000030h] 1_2_0149B477
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe Code function: 1_2_0149B477 mov eax, dword ptr fs:[00000030h] 1_2_0149B477
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe Code function: 1_2_014F6C0A mov eax, dword ptr fs:[00000030h] 1_2_014F6C0A
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe Code function: 1_2_014F6C0A mov eax, dword ptr fs:[00000030h] 1_2_014F6C0A
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe Code function: 1_2_014F6C0A mov eax, dword ptr fs:[00000030h] 1_2_014F6C0A
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe Code function: 1_2_014F6C0A mov eax, dword ptr fs:[00000030h] 1_2_014F6C0A
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe Code function: 1_2_01531C06 mov eax, dword ptr fs:[00000030h] 1_2_01531C06
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe Code function: 1_2_01531C06 mov eax, dword ptr fs:[00000030h] 1_2_01531C06
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe Code function: 1_2_01531C06 mov eax, dword ptr fs:[00000030h] 1_2_01531C06
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe Code function: 1_2_01531C06 mov eax, dword ptr fs:[00000030h] 1_2_01531C06
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe Code function: 1_2_01531C06 mov eax, dword ptr fs:[00000030h] 1_2_01531C06
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe Code function: 1_2_01531C06 mov eax, dword ptr fs:[00000030h] 1_2_01531C06
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe Code function: 1_2_01531C06 mov eax, dword ptr fs:[00000030h] 1_2_01531C06
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe Code function: 1_2_01531C06 mov eax, dword ptr fs:[00000030h] 1_2_01531C06
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe Code function: 1_2_01531C06 mov eax, dword ptr fs:[00000030h] 1_2_01531C06
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe Code function: 1_2_01531C06 mov eax, dword ptr fs:[00000030h] 1_2_01531C06
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe Code function: 1_2_01531C06 mov eax, dword ptr fs:[00000030h] 1_2_01531C06
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe Code function: 1_2_01531C06 mov eax, dword ptr fs:[00000030h] 1_2_01531C06
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe Code function: 1_2_01531C06 mov eax, dword ptr fs:[00000030h] 1_2_01531C06
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe Code function: 1_2_01531C06 mov eax, dword ptr fs:[00000030h] 1_2_01531C06
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe Code function: 1_2_0154740D mov eax, dword ptr fs:[00000030h] 1_2_0154740D
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe Code function: 1_2_0154740D mov eax, dword ptr fs:[00000030h] 1_2_0154740D
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe Code function: 1_2_0154740D mov eax, dword ptr fs:[00000030h] 1_2_0154740D
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe Code function: 1_2_014ABC2C mov eax, dword ptr fs:[00000030h] 1_2_014ABC2C
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe Code function: 1_2_01548CD6 mov eax, dword ptr fs:[00000030h] 1_2_01548CD6
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe Code function: 1_2_015314FB mov eax, dword ptr fs:[00000030h] 1_2_015314FB
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe Code function: 1_2_014F6CF0 mov eax, dword ptr fs:[00000030h] 1_2_014F6CF0
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe Code function: 1_2_014F6CF0 mov eax, dword ptr fs:[00000030h] 1_2_014F6CF0
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe Code function: 1_2_014F6CF0 mov eax, dword ptr fs:[00000030h] 1_2_014F6CF0
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe Code function: 1_2_01534496 mov eax, dword ptr fs:[00000030h] 1_2_01534496
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe Code function: 1_2_01534496 mov eax, dword ptr fs:[00000030h] 1_2_01534496
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe Code function: 1_2_01534496 mov eax, dword ptr fs:[00000030h] 1_2_01534496
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe Code function: 1_2_01534496 mov eax, dword ptr fs:[00000030h] 1_2_01534496
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe Code function: 1_2_01534496 mov eax, dword ptr fs:[00000030h] 1_2_01534496
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe Code function: 1_2_01534496 mov eax, dword ptr fs:[00000030h] 1_2_01534496
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe Code function: 1_2_01534496 mov eax, dword ptr fs:[00000030h] 1_2_01534496
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe Code function: 1_2_01534496 mov eax, dword ptr fs:[00000030h] 1_2_01534496
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe Code function: 1_2_01534496 mov eax, dword ptr fs:[00000030h] 1_2_01534496
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe Code function: 1_2_01534496 mov eax, dword ptr fs:[00000030h] 1_2_01534496
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe Code function: 1_2_01534496 mov eax, dword ptr fs:[00000030h] 1_2_01534496
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe Code function: 1_2_01534496 mov eax, dword ptr fs:[00000030h] 1_2_01534496
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe Code function: 1_2_01534496 mov eax, dword ptr fs:[00000030h] 1_2_01534496
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe Code function: 1_2_0148849B mov eax, dword ptr fs:[00000030h] 1_2_0148849B
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe Code function: 1_2_0148EF40 mov eax, dword ptr fs:[00000030h] 1_2_0148EF40
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe Code function: 1_2_0148FF60 mov eax, dword ptr fs:[00000030h] 1_2_0148FF60
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe Code function: 1_2_01548F6A mov eax, dword ptr fs:[00000030h] 1_2_01548F6A
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe Code function: 1_2_0150FF10 mov eax, dword ptr fs:[00000030h] 1_2_0150FF10
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe Code function: 1_2_0150FF10 mov eax, dword ptr fs:[00000030h] 1_2_0150FF10
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe Code function: 1_2_014AA70E mov eax, dword ptr fs:[00000030h] 1_2_014AA70E
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe Code function: 1_2_014AA70E mov eax, dword ptr fs:[00000030h] 1_2_014AA70E
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe Code function: 1_2_0154070D mov eax, dword ptr fs:[00000030h] 1_2_0154070D
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe Code function: 1_2_0154070D mov eax, dword ptr fs:[00000030h] 1_2_0154070D
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe Code function: 1_2_0149F716 mov eax, dword ptr fs:[00000030h] 1_2_0149F716
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe Code function: 1_2_01474F2E mov eax, dword ptr fs:[00000030h] 1_2_01474F2E
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe Code function: 1_2_01474F2E mov eax, dword ptr fs:[00000030h] 1_2_01474F2E
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe Code function: 1_2_0149B73D mov eax, dword ptr fs:[00000030h] 1_2_0149B73D
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe Code function: 1_2_0149B73D mov eax, dword ptr fs:[00000030h] 1_2_0149B73D
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe Code function: 1_2_014AE730 mov eax, dword ptr fs:[00000030h] 1_2_014AE730
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe Code function: 1_2_014B37F5 mov eax, dword ptr fs:[00000030h] 1_2_014B37F5
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe Code function: 1_2_014F7794 mov eax, dword ptr fs:[00000030h] 1_2_014F7794
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe Code function: 1_2_014F7794 mov eax, dword ptr fs:[00000030h] 1_2_014F7794
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe Code function: 1_2_014F7794 mov eax, dword ptr fs:[00000030h] 1_2_014F7794
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe Code function: 1_2_01488794 mov eax, dword ptr fs:[00000030h] 1_2_01488794
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe Code function: 1_2_01487E41 mov eax, dword ptr fs:[00000030h] 1_2_01487E41
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe Code function: 1_2_01487E41 mov eax, dword ptr fs:[00000030h] 1_2_01487E41
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe Code function: 1_2_01487E41 mov eax, dword ptr fs:[00000030h] 1_2_01487E41
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe Code function: 1_2_01487E41 mov eax, dword ptr fs:[00000030h] 1_2_01487E41
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe Code function: 1_2_01487E41 mov eax, dword ptr fs:[00000030h] 1_2_01487E41
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe Code function: 1_2_01487E41 mov eax, dword ptr fs:[00000030h] 1_2_01487E41
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe Code function: 1_2_0153AE44 mov eax, dword ptr fs:[00000030h] 1_2_0153AE44
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe Code function: 1_2_0153AE44 mov eax, dword ptr fs:[00000030h] 1_2_0153AE44
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe Code function: 1_2_0148766D mov eax, dword ptr fs:[00000030h] 1_2_0148766D
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe Code function: 1_2_0149AE73 mov eax, dword ptr fs:[00000030h] 1_2_0149AE73
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe Code function: 1_2_0149AE73 mov eax, dword ptr fs:[00000030h] 1_2_0149AE73
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe Code function: 1_2_0149AE73 mov eax, dword ptr fs:[00000030h] 1_2_0149AE73
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe Code function: 1_2_0149AE73 mov eax, dword ptr fs:[00000030h] 1_2_0149AE73
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe Code function: 1_2_0149AE73 mov eax, dword ptr fs:[00000030h] 1_2_0149AE73
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe Code function: 1_2_0147C600 mov eax, dword ptr fs:[00000030h] 1_2_0147C600
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe Code function: 1_2_0147C600 mov eax, dword ptr fs:[00000030h] 1_2_0147C600
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe Code function: 1_2_0147C600 mov eax, dword ptr fs:[00000030h] 1_2_0147C600
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe Code function: 1_2_014A8E00 mov eax, dword ptr fs:[00000030h] 1_2_014A8E00
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe Code function: 1_2_014AA61C mov eax, dword ptr fs:[00000030h] 1_2_014AA61C
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe Code function: 1_2_014AA61C mov eax, dword ptr fs:[00000030h] 1_2_014AA61C
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe Code function: 1_2_01531608 mov eax, dword ptr fs:[00000030h] 1_2_01531608
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe Code function: 1_2_0147E620 mov eax, dword ptr fs:[00000030h] 1_2_0147E620
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe Code function: 1_2_0152FE3F mov eax, dword ptr fs:[00000030h] 1_2_0152FE3F
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe Code function: 1_2_01548ED6 mov eax, dword ptr fs:[00000030h] 1_2_01548ED6
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe Code function: 1_2_014A36CC mov eax, dword ptr fs:[00000030h] 1_2_014A36CC
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe Code function: 1_2_014B8EC7 mov eax, dword ptr fs:[00000030h] 1_2_014B8EC7
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe Code function: 1_2_0152FEC0 mov eax, dword ptr fs:[00000030h] 1_2_0152FEC0
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe Code function: 1_2_014A16E0 mov ecx, dword ptr fs:[00000030h] 1_2_014A16E0
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe Code function: 1_2_014876E2 mov eax, dword ptr fs:[00000030h] 1_2_014876E2
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe Code function: 1_2_0150FE87 mov eax, dword ptr fs:[00000030h] 1_2_0150FE87
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe Code function: 1_2_014F46A7 mov eax, dword ptr fs:[00000030h] 1_2_014F46A7
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe Code function: 1_2_01540EA5 mov eax, dword ptr fs:[00000030h] 1_2_01540EA5
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe Code function: 1_2_01540EA5 mov eax, dword ptr fs:[00000030h] 1_2_01540EA5
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe Code function: 1_2_01540EA5 mov eax, dword ptr fs:[00000030h] 1_2_01540EA5
Source: C:\Windows\SysWOW64\wscript.exe Code function: 4_2_04B34496 mov eax, dword ptr fs:[00000030h] 4_2_04B34496
Source: C:\Windows\SysWOW64\wscript.exe Code function: 4_2_04B34496 mov eax, dword ptr fs:[00000030h] 4_2_04B34496
Source: C:\Windows\SysWOW64\wscript.exe Code function: 4_2_04B34496 mov eax, dword ptr fs:[00000030h] 4_2_04B34496
Source: C:\Windows\SysWOW64\wscript.exe Code function: 4_2_04B34496 mov eax, dword ptr fs:[00000030h] 4_2_04B34496
Source: C:\Windows\SysWOW64\wscript.exe Code function: 4_2_04B34496 mov eax, dword ptr fs:[00000030h] 4_2_04B34496
Source: C:\Windows\SysWOW64\wscript.exe Code function: 4_2_04B34496 mov eax, dword ptr fs:[00000030h] 4_2_04B34496
Source: C:\Windows\SysWOW64\wscript.exe Code function: 4_2_04B34496 mov eax, dword ptr fs:[00000030h] 4_2_04B34496
Source: C:\Windows\SysWOW64\wscript.exe Code function: 4_2_04B34496 mov eax, dword ptr fs:[00000030h] 4_2_04B34496
Source: C:\Windows\SysWOW64\wscript.exe Code function: 4_2_04B34496 mov eax, dword ptr fs:[00000030h] 4_2_04B34496
Source: C:\Windows\SysWOW64\wscript.exe Code function: 4_2_04B34496 mov eax, dword ptr fs:[00000030h] 4_2_04B34496
Source: C:\Windows\SysWOW64\wscript.exe Code function: 4_2_04B34496 mov eax, dword ptr fs:[00000030h] 4_2_04B34496
Source: C:\Windows\SysWOW64\wscript.exe Code function: 4_2_04B34496 mov eax, dword ptr fs:[00000030h] 4_2_04B34496
Source: C:\Windows\SysWOW64\wscript.exe Code function: 4_2_04B34496 mov eax, dword ptr fs:[00000030h] 4_2_04B34496
Source: C:\Windows\SysWOW64\wscript.exe Code function: 4_2_04A8849B mov eax, dword ptr fs:[00000030h] 4_2_04A8849B
Source: C:\Windows\SysWOW64\wscript.exe Code function: 4_2_04B314FB mov eax, dword ptr fs:[00000030h] 4_2_04B314FB
Source: C:\Windows\SysWOW64\wscript.exe Code function: 4_2_04AF6CF0 mov eax, dword ptr fs:[00000030h] 4_2_04AF6CF0
Source: C:\Windows\SysWOW64\wscript.exe Code function: 4_2_04AF6CF0 mov eax, dword ptr fs:[00000030h] 4_2_04AF6CF0
Source: C:\Windows\SysWOW64\wscript.exe Code function: 4_2_04AF6CF0 mov eax, dword ptr fs:[00000030h] 4_2_04AF6CF0
Source: C:\Windows\SysWOW64\wscript.exe Code function: 4_2_04B48CD6 mov eax, dword ptr fs:[00000030h] 4_2_04B48CD6
Source: C:\Windows\SysWOW64\wscript.exe Code function: 4_2_04AABC2C mov eax, dword ptr fs:[00000030h] 4_2_04AABC2C
Source: C:\Windows\SysWOW64\wscript.exe Code function: 4_2_04AA3C3E mov eax, dword ptr fs:[00000030h] 4_2_04AA3C3E
Source: C:\Windows\SysWOW64\wscript.exe Code function: 4_2_04AA3C3E mov eax, dword ptr fs:[00000030h] 4_2_04AA3C3E
Source: C:\Windows\SysWOW64\wscript.exe Code function: 4_2_04AA3C3E mov eax, dword ptr fs:[00000030h] 4_2_04AA3C3E
Source: C:\Windows\SysWOW64\wscript.exe Code function: 4_2_04A8B433 mov eax, dword ptr fs:[00000030h] 4_2_04A8B433
Source: C:\Windows\SysWOW64\wscript.exe Code function: 4_2_04A8B433 mov eax, dword ptr fs:[00000030h] 4_2_04A8B433
Source: C:\Windows\SysWOW64\wscript.exe Code function: 4_2_04A8B433 mov eax, dword ptr fs:[00000030h] 4_2_04A8B433
Source: C:\Windows\SysWOW64\wscript.exe Code function: 4_2_04AF6C0A mov eax, dword ptr fs:[00000030h] 4_2_04AF6C0A
Source: C:\Windows\SysWOW64\wscript.exe Code function: 4_2_04AF6C0A mov eax, dword ptr fs:[00000030h] 4_2_04AF6C0A
Source: C:\Windows\SysWOW64\wscript.exe Code function: 4_2_04AF6C0A mov eax, dword ptr fs:[00000030h] 4_2_04AF6C0A
Source: C:\Windows\SysWOW64\wscript.exe Code function: 4_2_04AF6C0A mov eax, dword ptr fs:[00000030h] 4_2_04AF6C0A
Source: C:\Windows\SysWOW64\wscript.exe Code function: 4_2_04B31C06 mov eax, dword ptr fs:[00000030h] 4_2_04B31C06
Source: C:\Windows\SysWOW64\wscript.exe Code function: 4_2_04B31C06 mov eax, dword ptr fs:[00000030h] 4_2_04B31C06
Source: C:\Windows\SysWOW64\wscript.exe Code function: 4_2_04B31C06 mov eax, dword ptr fs:[00000030h] 4_2_04B31C06
Source: C:\Windows\SysWOW64\wscript.exe Code function: 4_2_04B31C06 mov eax, dword ptr fs:[00000030h] 4_2_04B31C06
Source: C:\Windows\SysWOW64\wscript.exe Code function: 4_2_04B31C06 mov eax, dword ptr fs:[00000030h] 4_2_04B31C06
Source: C:\Windows\SysWOW64\wscript.exe Code function: 4_2_04B31C06 mov eax, dword ptr fs:[00000030h] 4_2_04B31C06
Source: C:\Windows\SysWOW64\wscript.exe Code function: 4_2_04B31C06 mov eax, dword ptr fs:[00000030h] 4_2_04B31C06
Source: C:\Windows\SysWOW64\wscript.exe Code function: 4_2_04B31C06 mov eax, dword ptr fs:[00000030h] 4_2_04B31C06
Source: C:\Windows\SysWOW64\wscript.exe Code function: 4_2_04B31C06 mov eax, dword ptr fs:[00000030h] 4_2_04B31C06
Source: C:\Windows\SysWOW64\wscript.exe Code function: 4_2_04B31C06 mov eax, dword ptr fs:[00000030h] 4_2_04B31C06
Source: C:\Windows\SysWOW64\wscript.exe Code function: 4_2_04B31C06 mov eax, dword ptr fs:[00000030h] 4_2_04B31C06
Source: C:\Windows\SysWOW64\wscript.exe Code function: 4_2_04B31C06 mov eax, dword ptr fs:[00000030h] 4_2_04B31C06
Source: C:\Windows\SysWOW64\wscript.exe Code function: 4_2_04B31C06 mov eax, dword ptr fs:[00000030h] 4_2_04B31C06
Source: C:\Windows\SysWOW64\wscript.exe Code function: 4_2_04B31C06 mov eax, dword ptr fs:[00000030h] 4_2_04B31C06
Enables debug privileges
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\wscript.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe Network Connect: 35.230.2.159 80
Source: C:\Windows\explorer.exe Network Connect: 198.49.23.141 80
Source: C:\Windows\explorer.exe Network Connect: 107.22.223.163 80
Maps a DLL or memory area into another process
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe Section loaded: unknown target: C:\Windows\SysWOW64\wscript.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Modifies the context of a thread in another process (thread injection)
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe Thread register set: target process: 3388
Source: C:\Windows\SysWOW64\wscript.exe Thread register set: target process: 3388
Queues an APC in another process (thread injection)
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe Thread APC queued: target process: C:\Windows\explorer.exe
Sample uses process hollowing technique
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe Section unmapped: C:\Windows\SysWOW64\wscript.exe base address: 8B0000
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe Process created: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe'
Source: explorer.exe, 00000002.00000000.216648547.0000000001398000.00000004.00000020.sdmp Binary or memory string: ProgmanamF
Source: explorer.exe, 00000002.00000002.475812841.0000000001980000.00000002.00000001.sdmp, wscript.exe, 00000004.00000002.475893028.0000000003300000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: explorer.exe, 00000002.00000002.475812841.0000000001980000.00000002.00000001.sdmp, wscript.exe, 00000004.00000002.475893028.0000000003300000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000002.00000002.475812841.0000000001980000.00000002.00000001.sdmp, wscript.exe, 00000004.00000002.475893028.0000000003300000.00000002.00000001.sdmp Binary or memory string: Progman
Source: explorer.exe, 00000002.00000002.475812841.0000000001980000.00000002.00000001.sdmp, wscript.exe, 00000004.00000002.475893028.0000000003300000.00000002.00000001.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe Queries volume information: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe VolumeInformation
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected FormBook
Source: Yara match File source: 00000004.00000002.475693377.0000000002EF0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.258154608.0000000001000000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.475792839.0000000002F20000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.473464239.00000000005C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.257924121.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.258303947.0000000001420000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.214389513.00000000038B9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 1.2.BANK ACCOUNT INFO!.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.BANK ACCOUNT INFO!.exe.400000.0.raw.unpack, type: UNPACKEDPE

Remote Access Functionality:

Yara detected FormBook
Behavior Graph

ID: 321134
Sample: BANK ACCOUNT INFO!.exe
Startdate: 20/11/2020
Architecture: WINDOWS
Score: 100

Signatures on the sample:
  • Malicious sample detected (through community Yara rule)
  • Antivirus detection for URL or domain
  • Multi AV Scanner detection for submitted file
  • 6 other signatures

Process chain:
  • BANK ACCOUNT INFO!.exe (started)
    Dropped file: C:\Users\user\...\BANK ACCOUNT INFO!.exe.log, ASCII
  • BANK ACCOUNT INFO!.exe (started by BANK ACCOUNT INFO!.exe)
    Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; Queues an APC in another process (thread injection)
  • explorer.exe (injected by BANK ACCOUNT INFO!.exe)
    DNS/IP: www.ablehead.net 107.22.223.163, 49743, 80 AMAZON-AESUS United States; www.wellnysdirect.com; 4 other IPs or domains
    Signatures: System process connects to network (likely due to code injection or exploit)
  • wscript.exe (started by explorer.exe)
    Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements
  • cmd.exe (started by wscript.exe)
  • conhost.exe (started by cmd.exe)

Contacted Public IPs

IP Domain Country ASN ASN Name Malicious
198.49.23.141 unknown United States 53831 SQUARESPACEUS false
35.230.2.159 unknown United States 15169 GOOGLEUS false
107.22.223.163 unknown United States 14618 AMAZON-AESUS true

Contacted Domains

Name IP Active
www.ablehead.net 107.22.223.163 true
ext-sq.squarespace.com 198.49.23.141 true
welllnysdirect.wpengine.com 35.230.2.159 true
www.friendlyksa.com unknown unknown
www.wellnysdirect.com unknown unknown
www.katrinarask.com unknown unknown

Contacted URLs

Name Malicious Antivirus Detection Reputation
http://www.katrinarask.com/sbmh/?FPWlMXx=W647QVGGXcyuIQJd2YRsV4l3KrBdlR6nE0kWwxhnTOMt1o1EWv0jVtfUgI2cf5E+EjKE&AlO=O2JtmTIX2 true Avira URL Cloud: safe unknown
http://www.wellnysdirect.com/sbmh/?FPWlMXx=+2tIfJwwghXNm+fysv8+EMC6xMyDXIpTEsDIQwPK5FpH6PGBMSGX6HHqgPLM/DeZI3NR&AlO=O2JtmTIX2 true Avira URL Cloud: safe unknown
http://www.ablehead.net/sbmh/?FPWlMXx=PcjUtjh0MRWP8BRvWG8NuUt69AEkHHHW5P4XnB/f7cjpZcBvzWU1+UolGZvfCul1Hwqj&AlO=O2JtmTIX2 true Avira URL Cloud: safe unknown