Play interactive tour

Edit tour

Analysis Report MT103---USD42880.45---20201127--dbs--9900.exe

Overview

General Information

Sample Name:	MT103---USD42880.45---20201127--dbs--9900.exe
Analysis ID:	323965
MD5:	d7545487bde794de42b3a655f3664c8d
SHA1:	f4728d4c214b0282efc7d0779cd673d4b68e7da0
SHA256:	4d39dfd975de3e9aca4e430390618b2e548db3f3d4bf2d0409f643be7da2a91e
Tags:	exe
Most interesting Screenshot:

Detection

FormBook

Score:	84
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Detected unpacking (changes PE section rights)

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected FormBook

Injects a PE file into a foreign processes

Machine Learning detection for sample

Tries to detect virtualization through RDTSC time measurements

Antivirus or Machine Learning detection for unpacked file

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to detect virtual machines (SMSW)

Contains functionality to read the PEB

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

IP address seen in connection with other malware

PE file contains strange resources

Sample file is different than original file name gathered from version info

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Startup

System is w10x64

MT103---USD42880.45---20201127--dbs--9900.exe (PID: 5504 cmdline: 'C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe' MD5: D7545487BDE794DE42B3A655F3664C8D)

MT103---USD42880.45---20201127--dbs--9900.exe (PID: 2416 cmdline: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe MD5: D7545487BDE794DE42B3A655F3664C8D)

cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.214074450.0000000004C67000.00000020.00000001.sdmp	Methodology_Contains_Shortcut_OtherURIhandlers	Detects possible shortcut usage for .URL persistence	@itsreallynick (Nick Carr)	0xde8:$file: URL= 0xdcc:$url_explicit: [InternetShortcut]
00000000.00000002.214074450.0000000004C67000.00000020.00000001.sdmp	Methodology_Suspicious_Shortcut_IconNotFromExeOrDLLOrICO	Detects possible shortcut usage for .URL persistence	@itsreallynick (Nick Carr)	0xe14:$icon: IconFile= 0xdcc:$url_explicit: [InternetShortcut]
00000000.00000002.214175689.0000000004CC0000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000000.00000002.214175689.0000000004CC0000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b327:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c32a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000000.00000002.214175689.0000000004CC0000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18409:$sqlite3step: 68 34 1C 7B E1 0x1851c:$sqlite3step: 68 34 1C 7B E1 0x18438:$sqlite3text: 68 38 2A 90 C5 0x1855d:$sqlite3text: 68 38 2A 90 C5 0x1844b:$sqlite3blob: 68 53 D8 7F 8C 0x18573:$sqlite3blob: 68 53 D8 7F 8C
00000001.00000002.213378752.0000000000400000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000001.00000002.213378752.0000000000400000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b327:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c32a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000001.00000002.213378752.0000000000400000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18409:$sqlite3step: 68 34 1C 7B E1 0x1851c:$sqlite3step: 68 34 1C 7B E1 0x18438:$sqlite3text: 68 38 2A 90 C5 0x1855d:$sqlite3text: 68 38 2A 90 C5 0x1844b:$sqlite3blob: 68 53 D8 7F 8C 0x18573:$sqlite3blob: 68 53 D8 7F 8C
00000000.00000002.214642043.0000000005126000.00000004.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000000.00000002.214642043.0000000005126000.00000004.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0xa230:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0xa4aa:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x37860:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x37ada:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15fcd:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x435fd:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15ab9:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x430e9:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x160cf:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x436ff:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x16247:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x43877:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xaec2:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x384f2:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x14d34:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x42364:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xbbbb:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x391eb:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1bc6f:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x4929f:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1cc72:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000000.00000002.214642043.0000000005126000.00000004.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18d51:$sqlite3step: 68 34 1C 7B E1 0x18e64:$sqlite3step: 68 34 1C 7B E1 0x46381:$sqlite3step: 68 34 1C 7B E1 0x46494:$sqlite3step: 68 34 1C 7B E1 0x18d80:$sqlite3text: 68 38 2A 90 C5 0x18ea5:$sqlite3text: 68 38 2A 90 C5 0x463b0:$sqlite3text: 68 38 2A 90 C5 0x464d5:$sqlite3text: 68 38 2A 90 C5 0x18d93:$sqlite3blob: 68 53 D8 7F 8C 0x18ebb:$sqlite3blob: 68 53 D8 7F 8C 0x463c3:$sqlite3blob: 68 53 D8 7F 8C 0x464eb:$sqlite3blob: 68 53 D8 7F 8C
00000001.00000001.211862077.0000000000400000.00000040.00020000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000001.00000001.211862077.0000000000400000.00000040.00020000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b327:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c32a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000001.00000001.211862077.0000000000400000.00000040.00020000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18409:$sqlite3step: 68 34 1C 7B E1 0x1851c:$sqlite3step: 68 34 1C 7B E1 0x18438:$sqlite3text: 68 38 2A 90 C5 0x1855d:$sqlite3text: 68 38 2A 90 C5 0x1844b:$sqlite3blob: 68 53 D8 7F 8C 0x18573:$sqlite3blob: 68 53 D8 7F 8C
Click to see the 9 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
1.1.MT103---USD42880.45---20201127--dbs--9900.exe.400000.0.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
1.1.MT103---USD42880.45---20201127--dbs--9900.exe.400000.0.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b327:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c32a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
1.1.MT103---USD42880.45---20201127--dbs--9900.exe.400000.0.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18409:$sqlite3step: 68 34 1C 7B E1 0x1851c:$sqlite3step: 68 34 1C 7B E1 0x18438:$sqlite3text: 68 38 2A 90 C5 0x1855d:$sqlite3text: 68 38 2A 90 C5 0x1844b:$sqlite3blob: 68 53 D8 7F 8C 0x18573:$sqlite3blob: 68 53 D8 7F 8C
0.2.MT103---USD42880.45---20201127--dbs--9900.exe.4cc0000.9.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0.2.MT103---USD42880.45---20201127--dbs--9900.exe.4cc0000.9.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b327:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c32a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0.2.MT103---USD42880.45---20201127--dbs--9900.exe.4cc0000.9.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18409:$sqlite3step: 68 34 1C 7B E1 0x1851c:$sqlite3step: 68 34 1C 7B E1 0x18438:$sqlite3text: 68 38 2A 90 C5 0x1855d:$sqlite3text: 68 38 2A 90 C5 0x1844b:$sqlite3blob: 68 53 D8 7F 8C 0x18573:$sqlite3blob: 68 53 D8 7F 8C
1.2.MT103---USD42880.45---20201127--dbs--9900.exe.400000.0.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
1.2.MT103---USD42880.45---20201127--dbs--9900.exe.400000.0.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b327:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c32a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
1.2.MT103---USD42880.45---20201127--dbs--9900.exe.400000.0.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18409:$sqlite3step: 68 34 1C 7B E1 0x1851c:$sqlite3step: 68 34 1C 7B E1 0x18438:$sqlite3text: 68 38 2A 90 C5 0x1855d:$sqlite3text: 68 38 2A 90 C5 0x1844b:$sqlite3blob: 68 53 D8 7F 8C 0x18573:$sqlite3blob: 68 53 D8 7F 8C
0.2.MT103---USD42880.45---20201127--dbs--9900.exe.4cc0000.9.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0.2.MT103---USD42880.45---20201127--dbs--9900.exe.4cc0000.9.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8ae8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8d62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14885:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14371:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14987:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x14aff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x977a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x135ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa473:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1a527:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1b52a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0.2.MT103---USD42880.45---20201127--dbs--9900.exe.4cc0000.9.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x17609:$sqlite3step: 68 34 1C 7B E1 0x1771c:$sqlite3step: 68 34 1C 7B E1 0x17638:$sqlite3text: 68 38 2A 90 C5 0x1775d:$sqlite3text: 68 38 2A 90 C5 0x1764b:$sqlite3blob: 68 53 D8 7F 8C 0x17773:$sqlite3blob: 68 53 D8 7F 8C
1.2.MT103---USD42880.45---20201127--dbs--9900.exe.400000.0.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
1.2.MT103---USD42880.45---20201127--dbs--9900.exe.400000.0.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8ae8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8d62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14885:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14371:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14987:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x14aff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x977a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x135ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa473:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1a527:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1b52a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
1.2.MT103---USD42880.45---20201127--dbs--9900.exe.400000.0.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x17609:$sqlite3step: 68 34 1C 7B E1 0x1771c:$sqlite3step: 68 34 1C 7B E1 0x17638:$sqlite3text: 68 38 2A 90 C5 0x1775d:$sqlite3text: 68 38 2A 90 C5 0x1764b:$sqlite3blob: 68 53 D8 7F 8C 0x17773:$sqlite3blob: 68 53 D8 7F 8C
1.1.MT103---USD42880.45---20201127--dbs--9900.exe.400000.0.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
1.1.MT103---USD42880.45---20201127--dbs--9900.exe.400000.0.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8ae8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8d62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14885:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14371:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14987:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x14aff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x977a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x135ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa473:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1a527:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1b52a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
1.1.MT103---USD42880.45---20201127--dbs--9900.exe.400000.0.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x17609:$sqlite3step: 68 34 1C 7B E1 0x1771c:$sqlite3step: 68 34 1C 7B E1 0x17638:$sqlite3text: 68 38 2A 90 C5 0x1775d:$sqlite3text: 68 38 2A 90 C5 0x1764b:$sqlite3blob: 68 53 D8 7F 8C 0x17773:$sqlite3blob: 68 53 D8 7F 8C
Click to see the 13 entries

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Multi AV Scanner detection for submitted file

Show sources

Source: MT103---USD42880.45---20201127--dbs--9900.exe	Virustotal: Detection: 37%			Perma Link
Source: MT103---USD42880.45---20201127--dbs--9900.exe	ReversingLabs: Detection: 47%

Yara detected FormBook

Show sources

Source: Yara match	File source: 00000000.00000002.214175689.0000000004CC0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.213378752.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.214642043.0000000005126000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000001.211862077.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 1.1.MT103---USD42880.45---20201127--dbs--9900.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.MT103---USD42880.45---20201127--dbs--9900.exe.4cc0000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.MT103---USD42880.45---20201127--dbs--9900.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.MT103---USD42880.45---20201127--dbs--9900.exe.4cc0000.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.MT103---USD42880.45---20201127--dbs--9900.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.1.MT103---USD42880.45---20201127--dbs--9900.exe.400000.0.unpack, type: UNPACKEDPE

Machine Learning detection for sample

Show sources

Source: MT103---USD42880.45---20201127--dbs--9900.exe

Joe Sandbox ML: detected

Source: 1.2.MT103---USD42880.45---20201127--dbs--9900.exe.400000.0.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 0.2.MT103---USD42880.45---20201127--dbs--9900.exe.4c50000.8.unpack	Avira: Label: TR/Hijacker.Gen
Source: 0.2.MT103---USD42880.45---20201127--dbs--9900.exe.4cc0000.9.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 1.1.MT103---USD42880.45---20201127--dbs--9900.exe.400000.0.unpack	Avira: Label: TR/Crypt.ZPACK.Gen

Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 4x nop then mov eax, dword ptr [00460BCCh]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 4x nop then mov eax, ecx
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 4x nop then pop ebx
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 4x nop then pop edi

Source: Joe Sandbox View	IP Address: 162.159.137.232 162.159.137.232
Source: Joe Sandbox View	IP Address: 162.159.129.233 162.159.129.233

Source: unknown

DNS traffic detected: queries for: discord.com

Source: MT103---USD42880.45---20201127--dbs--9900.exe, 00000000.00000002.213462989.0000000002E50000.00000004.00000001.sdmp	String found in binary or memory: https://cdn.disc8
Source: MT103---USD42880.45---20201127--dbs--9900.exe, 00000000.00000002.213462989.0000000002E50000.00000004.00000001.sdmp	String found in binary or memory: https://cdn.discorda
Source: MT103---USD42880.45---20201127--dbs--9900.exe, 00000000.00000002.213462989.0000000002E50000.00000004.00000001.sdmp	String found in binary or memory: https://cdn.discordapp.com/attac
Source: MT103---USD42880.45---20201127--dbs--9900.exe, 00000000.00000002.213462989.0000000002E50000.00000004.00000001.sdmp	String found in binary or memory: https://cdn.discordapp.com/attachmen
Source: MT103---USD42880.45---20201127--dbs--9900.exe, 00000000.00000002.213462989.0000000002E50000.00000004.00000001.sdmp	String found in binary or memory: https://cdn.discordapp.com/attachments/78183
Source: MT103---USD42880.45---20201127--dbs--9900.exe, 00000000.00000002.213462989.0000000002E50000.00000004.00000001.sdmp	String found in binary or memory: https://cdn.discordapp.com/attachments/781839169$
Source: MT103---USD42880.45---20201127--dbs--9900.exe, 00000000.00000002.213462989.0000000002E50000.00000004.00000001.sdmp	String found in binary or memory: https://cdn.discordapp.com/attachments/7818391691222
Source: MT103---USD42880.45---20201127--dbs--9900.exe, 00000000.00000002.213462989.0000000002E50000.00000004.00000001.sdmp	String found in binary or memory: https://cdn.discordapp.com/attachments/78183916912220570
Source: MT103---USD42880.45---20201127--dbs--9900.exe, 00000000.00000002.213462989.0000000002E50000.00000004.00000001.sdmp	String found in binary or memory: https://cdn.discordapp.com/attachments/781839169122205709/781839
Source: MT103---USD42880.45---20201127--dbs--9900.exe, 00000000.00000002.213462989.0000000002E50000.00000004.00000001.sdmp	String found in binary or memory: https://cdn.discordapp.com/attachments/781839169122205709/78183922049902
Source: MT103---USD42880.45---20201127--dbs--9900.exe, 00000000.00000002.213462989.0000000002E50000.00000004.00000001.sdmp	String found in binary or memory: https://cdn.discordapp.com/attachments/781839169122205709/781839220499021834/Yipmyyy
Source: MT103---USD42880.45---20201127--dbs--9900.exe, 00000000.00000002.213462989.0000000002E50000.00000004.00000001.sdmp	String found in binary or memory: https://cdn.discordapp.com/attachments/781839169122205709/781839220499021834x
Source: MT103---USD42880.45---20201127--dbs--9900.exe, 00000000.00000002.213462989.0000000002E50000.00000004.00000001.sdmp	String found in binary or memory: https://cdn.discordapp.com/attachments/781839169122205709/7818392204d
Source: MT103---USD42880.45---20201127--dbs--9900.exe, 00000000.00000002.213462989.0000000002E50000.00000004.00000001.sdmp	String found in binary or memory: https://cdn.discordapp.com/attachments/7H
Source: MT103---USD42880.45---20201127--dbs--9900.exe, 00000000.00000002.213462989.0000000002E50000.00000004.00000001.sdmp	String found in binary or memory: https://discord.com/
Source: MT103---USD42880.45---20201127--dbs--9900.exe, 00000000.00000002.213462989.0000000002E50000.00000004.00000001.sdmp	String found in binary or memory: https://discord.com/V

Source: unknown	Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49714

E-Banking Fraud:

Yara detected FormBook

Show sources

Source: Yara match	File source: 00000000.00000002.214175689.0000000004CC0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.213378752.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.214642043.0000000005126000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000001.211862077.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 1.1.MT103---USD42880.45---20201127--dbs--9900.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.MT103---USD42880.45---20201127--dbs--9900.exe.4cc0000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.MT103---USD42880.45---20201127--dbs--9900.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.MT103---USD42880.45---20201127--dbs--9900.exe.4cc0000.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.MT103---USD42880.45---20201127--dbs--9900.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.1.MT103---USD42880.45---20201127--dbs--9900.exe.400000.0.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 00000000.00000002.214175689.0000000004CC0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.214175689.0000000004CC0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.213378752.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.213378752.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.214642043.0000000005126000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.214642043.0000000005126000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000001.211862077.0000000000400000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000001.211862077.0000000000400000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.1.MT103---USD42880.45---20201127--dbs--9900.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.1.MT103---USD42880.45---20201127--dbs--9900.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.MT103---USD42880.45---20201127--dbs--9900.exe.4cc0000.9.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.MT103---USD42880.45---20201127--dbs--9900.exe.4cc0000.9.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.2.MT103---USD42880.45---20201127--dbs--9900.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.MT103---USD42880.45---20201127--dbs--9900.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.MT103---USD42880.45---20201127--dbs--9900.exe.4cc0000.9.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.MT103---USD42880.45---20201127--dbs--9900.exe.4cc0000.9.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.2.MT103---USD42880.45---20201127--dbs--9900.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.MT103---USD42880.45---20201127--dbs--9900.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.1.MT103---USD42880.45---20201127--dbs--9900.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.1.MT103---USD42880.45---20201127--dbs--9900.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group

Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00419D60 NtCreateFile,
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00419E10 NtReadFile,
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00419E90 NtClose,
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00419F40 NtAllocateVirtualMemory,
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00419D5B NtCreateFile,
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00419E0A NtReadFile,
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00419E8B NtClose,
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00419EBA NtClose,
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00419F3A NtAllocateVirtualMemory,
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B396E0 NtFreeVirtualMemory,LdrInitializeThunk,
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B39660 NtAllocateVirtualMemory,LdrInitializeThunk,
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B39860 NtQuerySystemInformation,LdrInitializeThunk,
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B3B040 NtSuspendThread,
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B3A3B0 NtGetContextThread,
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B395F0 NtQueryInformationFile,
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B395D0 NtClose,
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B39520 NtWaitForSingleObject,
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B39560 NtWriteFile,
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B39540 NtReadFile,
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B396D0 NtCreateKey,
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B39610 NtEnumerateValueKey,
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B39670 NtQueryInformationProcess,
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B39650 NtQueryValueKey,
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B397A0 NtUnmapViewOfSection,
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B39780 NtMapViewOfSection,
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B39730 NtQueryVirtualMemory,
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B39710 NtQueryInformationToken,
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B3A710 NtOpenProcessToken,
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B3A770 NtOpenThread,
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B39770 NtSetInformationFile,
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B39760 NtOpenProcess,
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B398A0 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B398F0 NtReadVirtualMemory,
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B39820 NtEnumerateKey,
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B39840 NtDelayExecution,
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B399A0 NtCreateSection,
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B399D0 NtCreateProcessEx,
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B39910 NtAdjustPrivilegesToken,
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B39950 NtQueueApcThread,
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B39A80 NtOpenDirectoryObject,
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B39A20 NtResumeThread,
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B39A10 NtQuerySection,
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B39A00 NtProtectVirtualMemory,
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B39A50 NtCreateFile,
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B39B00 NtSetValueKey,
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B3AD30 NtSetContextThread,
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B39FE0 NtCreateMutant,

Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 0_3_02314000
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 0_3_023144FE
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 0_3_02C6A4F4
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00401030
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_0041E972
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_0041D376
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00402D89
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00402D90
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00409E40
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00409E3B
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_0041CFA3
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00402FB0
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B220A0
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00BC20A8
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B0B090
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00BB60F5
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B2701D
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00BB1002
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B0C1C0
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B14120
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00BC22AE
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00BC32A9
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00BBE2C5
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B1B236
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00AD225E
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00AD3382
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B2138B
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00BA23E3
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00BB03DA
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00BB231B
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B1A309
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00AD337D
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B13360
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00AD94B8
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00BB4496
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B12430
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B0841F
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B1B477
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00BBD466
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B265A0
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B22581
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B0D5E0
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00BC25DD
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B206C0
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00BBD616
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B15600
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00AF9660
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00BB67E2
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00AF88E0
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00BC28EC
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B1A830
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00BCE824
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00AF6800
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B199BF
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B12990
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B01915
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00AFF900
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00BB4AEF
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00BAFA2B
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00BB5A4F
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B2EBB0
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B1EB9A
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B9EB8A
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B48BE8
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00BBDBD2
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B2ABD8
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00BC2B28
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B1AB40
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B9CB4F
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B04CEC
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B24CD4
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00BBCC77
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00BB2D82
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00AF0D20
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00BC2D07
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B12D50
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00BC1D55
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00BA1EB6
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00BC2EF7
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B16E30
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B7AE60
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00BC1FF1
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00BCDFCE

Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: String function: 00B4D08C appears 55 times
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: String function: 00B85720 appears 85 times
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: String function: 00AFB150 appears 177 times

Source: MT103---USD42880.45---20201127--dbs--9900.exe	Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: MT103---USD42880.45---20201127--dbs--9900.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: MT103---USD42880.45---20201127--dbs--9900.exe, 00000000.00000002.213987933.0000000004BE0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamemswsock.dll.muij% vs MT103---USD42880.45---20201127--dbs--9900.exe
Source: MT103---USD42880.45---20201127--dbs--9900.exe, 00000000.00000002.212592770.0000000002500000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameuser32j% vs MT103---USD42880.45---20201127--dbs--9900.exe
Source: MT103---USD42880.45---20201127--dbs--9900.exe, 00000000.00000002.213608327.0000000002F60000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameCRYPT32.DLL.MUIj% vs MT103---USD42880.45---20201127--dbs--9900.exe
Source: MT103---USD42880.45---20201127--dbs--9900.exe, 00000000.00000002.214005915.0000000004C10000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamenlsbres.dllj% vs MT103---USD42880.45---20201127--dbs--9900.exe
Source: MT103---USD42880.45---20201127--dbs--9900.exe, 00000000.00000002.213601876.0000000002F50000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamecomctl32.DLL.MUIj% vs MT103---USD42880.45---20201127--dbs--9900.exe
Source: MT103---USD42880.45---20201127--dbs--9900.exe, 00000000.00000002.214013653.0000000004C20000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamenlsbres.dll.muij% vs MT103---USD42880.45---20201127--dbs--9900.exe
Source: MT103---USD42880.45---20201127--dbs--9900.exe, 00000001.00000002.213736069.0000000000BEF000.00000040.00000001.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs MT103---USD42880.45---20201127--dbs--9900.exe

Source: 00000000.00000002.214074450.0000000004C67000.00000020.00000001.sdmp, type: MEMORY	Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
Source: 00000000.00000002.214074450.0000000004C67000.00000020.00000001.sdmp, type: MEMORY	Matched rule: Methodology_Suspicious_Shortcut_IconNotFromExeOrDLLOrICO author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/ItsReallyNick/status/1176229087196696577, score = 27.09.2019
Source: 00000000.00000002.214175689.0000000004CC0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.214175689.0000000004CC0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.213378752.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.213378752.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.214642043.0000000005126000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.214642043.0000000005126000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000001.211862077.0000000000400000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000001.211862077.0000000000400000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.1.MT103---USD42880.45---20201127--dbs--9900.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.1.MT103---USD42880.45---20201127--dbs--9900.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.MT103---USD42880.45---20201127--dbs--9900.exe.4cc0000.9.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.MT103---USD42880.45---20201127--dbs--9900.exe.4cc0000.9.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.MT103---USD42880.45---20201127--dbs--9900.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.2.MT103---USD42880.45---20201127--dbs--9900.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.MT103---USD42880.45---20201127--dbs--9900.exe.4cc0000.9.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.MT103---USD42880.45---20201127--dbs--9900.exe.4cc0000.9.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.MT103---USD42880.45---20201127--dbs--9900.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.2.MT103---USD42880.45---20201127--dbs--9900.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.1.MT103---USD42880.45---20201127--dbs--9900.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.1.MT103---USD42880.45---20201127--dbs--9900.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research

Source: classification engine

Classification label: mal84.troj.evad.winEXE@3/0@2/2

Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales

Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: MT103---USD42880.45---20201127--dbs--9900.exe	Virustotal: Detection: 37%
Source: MT103---USD42880.45---20201127--dbs--9900.exe	ReversingLabs: Detection: 47%

Source: unknown	Process created: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe 'C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe'
Source: unknown	Process created: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Process created: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe

Source: MT103---USD42880.45---20201127--dbs--9900.exe

Static file information: File size 1289728 > 1048576

Source:	Binary string: wntdll.pdbUGP source: MT103---USD42880.45---20201127--dbs--9900.exe, 00000001.00000002.213524549.0000000000AD0000.00000040.00000001.sdmp
Source:	Binary string: wntdll.pdb source: MT103---USD42880.45---20201127--dbs--9900.exe

Data Obfuscation:

Detected unpacking (changes PE section rights)

Show sources

Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe

Unpacked PE file: 1.2.MT103---USD42880.45---20201127--dbs--9900.exe.400000.0.unpack CODE:ER;DATA:W;BSS:W;.idata:W;.tls:W;.rdata:R;.reloc:R;.rsrc:R; vs .text:ER;

Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 0_3_0239B338 push esi; retf
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 0_3_0239943F push edi; ret
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 0_3_0239C137 push esi; retf
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 0_3_0239D536 push esi; retf
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 0_3_02399C23 push ebx; ret
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 0_3_0239C724 push esi; retf
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 0_3_0239D61B push esi; retf
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 0_3_0239C81F push esi; retf
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 0_3_02399E14 push ebx; ret
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 0_3_0239D207 push esi; retf
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 0_3_0239D607 push esi; retf
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 0_3_0239B178 push esi; retf
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 0_3_0239997C push ebx; ret
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 0_3_0239926C push esi; retf
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 0_3_02399A6C push esi; retf
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 0_3_0239D153 push esi; retf
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 0_3_0239D24E push esi; retf
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 0_3_0239A7B0 push esi; retf
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 0_3_0239B0B3 push esi; retf
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 0_3_0239C1A9 push esi; retf
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 0_3_0239949D push ebx; ret
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 0_3_0239C49C push esi; retf
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 0_3_0239A392 push edi; iretd
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 0_3_0239B287 push esi; retf
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 0_3_0239C2FC push esi; retf
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 0_3_02399EE9 push ebx; ret
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 0_3_0239C4EF push esi; retf
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 0_3_0239B5E4 push esi; retf
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 0_3_0239C5D6 push esi; retf
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 0_3_0239C3C2 push esi; retf
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 0_3_02C62ADC push ecx; mov dword ptr [esp], edx

Malware Analysis System Evasion:

Tries to detect virtualization through RDTSC time measurements

Show sources

Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	RDTSC instruction interceptor: First address: 00000000004098E4 second address: 00000000004098EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	RDTSC instruction interceptor: First address: 0000000000409B5E second address: 0000000000409B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc

Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe

Code function: 1_2_00409A90 rdtsc

Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe

Code function: 1_2_004163C0 smsw ebx

Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe

Process information queried: ProcessInformation

Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe

Process queried: DebugPort

Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe

Code function: 1_2_00409A90 rdtsc

Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe

Code function: 1_2_00B396E0 NtFreeVirtualMemory,LdrInitializeThunk,

Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B2F0BF mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B2F0BF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B2F0BF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B220A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B220A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B220A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B220A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B220A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B220A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B390AF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00AF9080 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00AFB080 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00AF40E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00AF40E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00AF40E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00BB60F5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00BB60F5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00BB60F5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00BB60F5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00AF70C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00AF70C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00BBB0C7 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00BBB0C7 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B24020 mov edi, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B0B02A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B0B02A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B0B02A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B0B02A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B2002D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B2002D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B2002D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B2002D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B2002D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B77016 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B77016 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B77016 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B83019 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00BC4015 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00BC4015 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B2701D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B2701D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B2701D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B2701D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B2701D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B2701D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00BB2073 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00BC1074 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B10050 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B10050 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00AF7057 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00AF5050 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00AF5050 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00AF5050 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B751BE mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B751BE mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B751BE mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B751BE mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00BCF1B5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00BCF1B5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B261A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B261A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B061A7 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B061A7 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B061A7 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B061A7 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B24190 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00AF519E mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00AF519E mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00BBA189 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00BBA189 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B1C182 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B2A185 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00AF8190 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B8D1F9 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00AFB1E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00AFB1E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00AFB1E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00AF31E0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B841E8 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B1D1EF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00BB31DC mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00BB31DC mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00BB31DC mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00BB31DC mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00BB31DC mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00BB31DC mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00BB31DC mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00BB31DC mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00BB31DC mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00BB31DC mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00BB31DC mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00BB31DC mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00BB31DC mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B0C1C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B2513A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B2513A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B14120 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B14120 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B14120 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B14120 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B14120 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00AF3138 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00AF9100 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00AF9100 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00AF9100 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B00100 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B00100 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B00100 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00AFB171 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00AFB171 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00AF52A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00AF52A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00AF52A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00AF52A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00AF52A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B212BD mov esi, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B212BD mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B212BD mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B062A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B062A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B062A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B062A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00BB129A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B2D294 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B2D294 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00BBB2E8 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00BBB2E8 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00BBB2E8 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00BBB2E8 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00AF12D4 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B1B236 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B1B236 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B1B236 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B1B236 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B1B236 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B1B236 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00BB1229 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00AF8239 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00AF8239 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00AF8239 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B1A229 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B1A229 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B1A229 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B1A229 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B1A229 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B1A229 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B1A229 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B1A229 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B1A229 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00AFB233 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00AFB233 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00AF5210 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00AF5210 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00AF5210 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00AF5210 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B3927A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00BAB260 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00BAB260 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B84257 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00AF9240 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00AF9240 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00AF9240 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00AF9240 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B2B390 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B22397 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00BB138A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B2138B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B2138B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B2138B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00BAD380 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B203E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B203E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B203E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B203E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B203E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B203E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00BA23E3 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00BA23E3 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00BA23E3 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B253C5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B753CA mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B753CA mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00BB131B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B1A309 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B1A309 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B1A309 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B1A309 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B1A309 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B1A309 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B1A309 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B1A309 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B1A309 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B1A309 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B1A309 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B1A309 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B1A309 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B1A309 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B1A309 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B1A309 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B1A309 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B1A309 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B1A309 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B1A309 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B1A309 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B0F370 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B0F370 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B0F370 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B86365 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B86365 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B86365 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00AFF358 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B034B1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B034B1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B2D4B0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B864B5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B864B5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B834A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B834A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B834A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B014A9 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B014A9 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B0849B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00BB4496 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00BB4496 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00BB4496 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00BB4496 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00BB4496 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00BB4496 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00BB4496 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00BB4496 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00BB4496 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00BB4496 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00BB4496 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00BB4496 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00BB4496 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00AF1480 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00AF649B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00AF649B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00BB14FB mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B284E0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B284E0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B284E0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B284E0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B284E0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B284E0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B12430 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B12430 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B0B433 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B0B433 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B0B433 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00AF4439 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00BC740D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00BC740D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00BC740D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00AF8410 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B1B477 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B1B477 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B1B477 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B1B477 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B1B477 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B1B477 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B1B477 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B1B477 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B1B477 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B1B477 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B1B477 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B1B477 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00AF8466 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00AF8466 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B1746D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B8C450 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B8C450 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00BC8450 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B2A44B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00AF9450 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00BC05AC mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00BC05AC mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B265A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B265A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B265A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B235A1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B22581 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B22581 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B22581 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B22581 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00BBB581 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00BBB581 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00BBB581 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00BBB581 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00AF3591 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B0D5E0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B0D5E0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B295EC mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00AF95F0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00AF95F0 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00AF15C1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B7A537 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00BBE539 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B2F527 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B2F527 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B2F527 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00BB3518 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00BB3518 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00BB3518 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00AF751A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00AF751A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00AF751A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00AF751A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00AF9515 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B1C577 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B1C577 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00AF354C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00AF354C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00AFB540 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00AFB540 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B73540 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00BB56B6 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00BB56B6 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00AF86A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B746A7 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B216E0 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B076E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B206C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B206C0 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B206C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B206C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B206C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B206C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B206C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B206C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B206C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B206C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B206C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B206C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B206C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B236CC mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00AFE620 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B2C63D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B27620 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B27620 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B27620 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B27620 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B27620 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B27620 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00AFA63B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00AFA63B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B75623 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B75623 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B75623 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B75623 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B75623 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B75623 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B75623 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B75623 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B75623 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B0B62E mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B0B62E mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B0161A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B2A61C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B2A61C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00AFC600 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00AFC600 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00AFC600 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B15600 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B15600 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B15600 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B15600 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B15600 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B15600 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B15600 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B15600 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B15600 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B15600 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B15600 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B15600 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B15600 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B15600 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B15600 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B15600 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B15600 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B15600 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B15600 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00BB1608 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00AF1618 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B14670 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B14670 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B14670 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B14670 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B0766D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B86652 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B017B5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B77794 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B77794 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B77794 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B08794 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B337F5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B237EB mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B237EB mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B237EB mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B237EB mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B237EB mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B237EB mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B237EB mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B197ED mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B197ED mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B197ED mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B197ED mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B197ED mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B197ED mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B197ED mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00BB17D2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00BC87CF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B2D7CA mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B2D7CA mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B2E730 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B1B73D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B1B73D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00AF6730 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00AF6730 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00AF6730 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B24710 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B1F716 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B2D715 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B2D715 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00BC070D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00BC070D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B2C707 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B2C707 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B2C707 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B2A70E mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B2A70E mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00AF8760 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00AF8760 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00AF8760 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00AF8760 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00AF8760 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00AF8760 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00AF8760 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00AF8760 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00AF8760 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00AF8760 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B1E760 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B1E760 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00BB1751 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00AFA745 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B278A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B278A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B278A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B278A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B278A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B278A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B278A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B278A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B278A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B028AE mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B028AE mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B028AE mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B028AE mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B028AE mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B028AE mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00AF3880 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00AF3880 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B73884 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B73884 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00BC98FE mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00AF58EC mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B028FD mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B028FD mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B028FD mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00AF88E0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00AF88E0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00AF88E0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00AF88E0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00AF88E0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00AF88E0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00AF88E0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B1B8E4 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B1B8E4 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B8B8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B8B8D0 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B8B8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B8B8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B8B8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B8B8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00BB18CA mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00AF78D6 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00AF78D6 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00AF78D6 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B1A830 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B1A830 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B1A830 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B1A830 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00AF6800 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00AF6800 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00AF6800 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00AF381B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00AF381B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B1F86D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00BB1843 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe	Code function: 1_2_00B2C9BF mov eax, dword ptr fs:[00000030h]

HIPS / PFW / Operating System Protection Evasion:

Injects a PE file into a foreign processes

Show sources

Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe

Memory written: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe base: 400000 value starts with: 4D5A

Source: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe

Process created: C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe

Stealing of Sensitive Information:

Yara detected FormBook

Show sources

Source: Yara match	File source: 00000000.00000002.214175689.0000000004CC0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.213378752.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.214642043.0000000005126000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000001.211862077.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 1.1.MT103---USD42880.45---20201127--dbs--9900.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.MT103---USD42880.45---20201127--dbs--9900.exe.4cc0000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.MT103---USD42880.45---20201127--dbs--9900.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.MT103---USD42880.45---20201127--dbs--9900.exe.4cc0000.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.MT103---USD42880.45---20201127--dbs--9900.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.1.MT103---USD42880.45---20201127--dbs--9900.exe.400000.0.unpack, type: UNPACKEDPE

Remote Access Functionality:

Yara detected FormBook

Show sources

Source: Yara match	File source: 00000000.00000002.214175689.0000000004CC0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.213378752.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.214642043.0000000005126000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000001.211862077.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 1.1.MT103---USD42880.45---20201127--dbs--9900.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.MT103---USD42880.45---20201127--dbs--9900.exe.4cc0000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.MT103---USD42880.45---20201127--dbs--9900.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.MT103---USD42880.45---20201127--dbs--9900.exe.4cc0000.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.MT103---USD42880.45---20201127--dbs--9900.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.1.MT103---USD42880.45---20201127--dbs--9900.exe.400000.0.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Path Interception	Process Injection111	Virtualization/Sandbox Evasion2	OS Credential Dumping	Security Software Discovery12	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Encrypted Channel12	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Process Injection111	LSASS Memory	Virtualization/Sandbox Evasion2	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Non-Application Layer Protocol1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Deobfuscate/Decode Files or Information1	Security Account Manager	Process Discovery1	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Application Layer Protocol2	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Obfuscated Files or Information3	NTDS	Remote System Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Software Packing11	LSA Secrets	System Information Discovery11	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
MT103---USD42880.45---20201127--dbs--9900.exe	37%	Virustotal		Browse
MT103---USD42880.45---20201127--dbs--9900.exe	48%	ReversingLabs	Win32.Trojan.Strictor
MT103---USD42880.45---20201127--dbs--9900.exe	100%	Joe Sandbox ML

Dropped Files

No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Download
1.2.MT103---USD42880.45---20201127--dbs--9900.exe.400000.0.unpack	100%	Avira	TR/Crypt.ZPACK.Gen	Download File
0.2.MT103---USD42880.45---20201127--dbs--9900.exe.4c50000.8.unpack	100%	Avira	TR/Hijacker.Gen	Download File
0.2.MT103---USD42880.45---20201127--dbs--9900.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1108767	Download File
0.2.MT103---USD42880.45---20201127--dbs--9900.exe.4cc0000.9.unpack	100%	Avira	TR/Crypt.ZPACK.Gen	Download File
1.1.MT103---USD42880.45---20201127--dbs--9900.exe.400000.0.unpack	100%	Avira	TR/Crypt.ZPACK.Gen	Download File
0.2.MT103---USD42880.45---20201127--dbs--9900.exe.2590000.2.unpack	100%	Avira	HEUR/AGEN.1108768	Download File

Domains

Source	Detection	Scanner	Label	Link
discord.com	1%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label
https://discord.com/V	0%	Avira URL Cloud	safe
https://cdn.discorda	0%	Avira URL Cloud	safe
https://discord.com/	0%	URL Reputation	safe
https://discord.com/	0%	URL Reputation	safe
https://discord.com/	0%	URL Reputation	safe
https://discord.com/	0%	URL Reputation	safe
https://cdn.disc8	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
discord.com	162.159.137.232	true	false	1%, Virustotal, Browse	unknown
cdn.discordapp.com	162.159.129.233	true	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://cdn.discordapp.com/attachments/781839169122205709/781839220499021834/Yipmyyy	MT103---USD42880.45---20201127--dbs--9900.exe, 00000000.00000002.213462989.0000000002E50000.00000004.00000001.sdmp	false		high
https://cdn.discordapp.com/attachments/7818391691222	MT103---USD42880.45---20201127--dbs--9900.exe, 00000000.00000002.213462989.0000000002E50000.00000004.00000001.sdmp	false		high
https://discord.com/V	MT103---USD42880.45---20201127--dbs--9900.exe, 00000000.00000002.213462989.0000000002E50000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://cdn.discorda	MT103---USD42880.45---20201127--dbs--9900.exe, 00000000.00000002.213462989.0000000002E50000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://cdn.discordapp.com/attachments/781839169122205709/78183922049902	MT103---USD42880.45---20201127--dbs--9900.exe, 00000000.00000002.213462989.0000000002E50000.00000004.00000001.sdmp	false		high
https://cdn.discordapp.com/attac	MT103---USD42880.45---20201127--dbs--9900.exe, 00000000.00000002.213462989.0000000002E50000.00000004.00000001.sdmp	false		high
https://cdn.discordapp.com/attachments/78183916912220570	MT103---USD42880.45---20201127--dbs--9900.exe, 00000000.00000002.213462989.0000000002E50000.00000004.00000001.sdmp	false		high
https://cdn.discordapp.com/attachments/781839169122205709/7818392204d	MT103---USD42880.45---20201127--dbs--9900.exe, 00000000.00000002.213462989.0000000002E50000.00000004.00000001.sdmp	false		high
https://cdn.discordapp.com/attachments/781839169122205709/781839	MT103---USD42880.45---20201127--dbs--9900.exe, 00000000.00000002.213462989.0000000002E50000.00000004.00000001.sdmp	false		high
https://cdn.discordapp.com/attachments/7H	MT103---USD42880.45---20201127--dbs--9900.exe, 00000000.00000002.213462989.0000000002E50000.00000004.00000001.sdmp	false		high
https://discord.com/	MT103---USD42880.45---20201127--dbs--9900.exe, 00000000.00000002.213462989.0000000002E50000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://cdn.discordapp.com/attachments/78183	MT103---USD42880.45---20201127--dbs--9900.exe, 00000000.00000002.213462989.0000000002E50000.00000004.00000001.sdmp	false		high
https://cdn.discordapp.com/attachmen	MT103---USD42880.45---20201127--dbs--9900.exe, 00000000.00000002.213462989.0000000002E50000.00000004.00000001.sdmp	false		high
https://cdn.discordapp.com/attachments/781839169122205709/781839220499021834x	MT103---USD42880.45---20201127--dbs--9900.exe, 00000000.00000002.213462989.0000000002E50000.00000004.00000001.sdmp	false		high
https://cdn.discordapp.com/attachments/781839169$	MT103---USD42880.45---20201127--dbs--9900.exe, 00000000.00000002.213462989.0000000002E50000.00000004.00000001.sdmp	false		high
https://cdn.disc8	MT103---USD42880.45---20201127--dbs--9900.exe, 00000000.00000002.213462989.0000000002E50000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
162.159.137.232	unknown	United States		13335	CLOUDFLARENETUS	false
162.159.129.233	unknown	United States		13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox Version:	31.0.0 Red Diamond
Analysis ID:	323965
Start date:	28.11.2020
Start time:	00:04:55
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 5m 13s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	MT103---USD42880.45---20201127--dbs--9900.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	2
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal84.troj.evad.winEXE@3/0@2/2
EGA Information:	Failed
HDC Information:	Successful, ratio: 35.2% (good quality ratio 34%) Quality average: 71.9% Quality standard deviation: 29.4%
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe Stop behavior analysis, all processes terminated
Warnings:	Show All Excluded IPs from analysis (whitelisted): 13.64.90.137, 168.61.161.212 TCP Packets have been reduced to 100 Excluded domains from analysis (whitelisted): skypedataprdcolwus17.cloudapp.net, blobcollector.events.data.trafficmanager.net, skypedataprdcolcus17.cloudapp.net, watson.telemetry.microsoft.com Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
00:05:44	API Interceptor	2x Sleep call for process: MT103---USD42880.45---20201127--dbs--9900.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
162.159.137.232	RFQ For TRANS ANATOLIAN NATURAL GAS PIPELINE (TANAP) - PHASE 1(Package 2).exe	Get hash	malicious	Browse
	Scan 25112020 pdf.exe	Get hash	malicious	Browse
	Q21rQw2C4o.exe	Get hash	malicious	Browse
	tzjEwwwbqK.exe	Get hash	malicious	Browse
	oUI0jQS8xQ.exe	Get hash	malicious	Browse
	NyUnwsFSCa.exe	Get hash	malicious	Browse
	PO#0007507_009389283882873PDF.exe	Get hash	malicious	Browse
	LAX28102020HBL_AMSLAX1056_CTLQD06J0BL_PO_DTH266278_RFQ.exe	Get hash	malicious	Browse
	8fJPaTfN8D.exe	Get hash	malicious	Browse
	LJLMG5Syza.exe	Get hash	malicious	Browse
	oAkfKRTCvN.exe	Get hash	malicious	Browse
	eybgvwBamW.exe	Get hash	malicious	Browse
	R#U00d6SLER Puchase_tcs 10-28-2020,pdf.exe	Get hash	malicious	Browse
	#U8ba2#U5355#U786e#U8ba4,pdf.exe	Get hash	malicious	Browse
	Documentos_ordine.exe	Get hash	malicious	Browse
	ShipmentReceipt.exe	Get hash	malicious	Browse
	ShipmentReceipt.exe	Get hash	malicious	Browse
	PO102620.exe	Get hash	malicious	Browse
	Albawardi Group Project offer description 678467463756382020.exe	Get hash	malicious	Browse
	91HN20DCI100053,54,80.exe	Get hash	malicious	Browse
162.159.129.233	ENQ-015August 2020 R1 Proj LOT.doc	Get hash	malicious	Browse	cdn.discordapp.com/attachments/722888184203051118/757862128198877274/Stub.jpg

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
discord.com	caw.exe	Get hash	malicious	Browse	162.159.138.232
	lxpo.exe	Get hash	malicious	Browse	162.159.128.233
	SpecificationX20202611.xlsx	Get hash	malicious	Browse	162.159.136.232
	RFQ For TRANS ANATOLIAN NATURAL GAS PIPELINE (TANAP) - PHASE 1(Package 2).exe	Get hash	malicious	Browse	162.159.137.232
	Scan 25112020 pdf.exe	Get hash	malicious	Browse	162.159.137.232
	Piraeus Bank_swift_.exe	Get hash	malicious	Browse	162.159.128.233
	Q21rQw2C4o.exe	Get hash	malicious	Browse	162.159.137.232
	Q21rQw2C4o.exe	Get hash	malicious	Browse	162.159.128.233
	tzjEwwwbqK.exe	Get hash	malicious	Browse	162.159.136.232
	DHL_Express_Consignment_Details.exe	Get hash	malicious	Browse	162.159.138.232
	New Microsoft Office Excel Worksheet.xlsx	Get hash	malicious	Browse	162.159.136.232
	Komfkim_Signed_.exe	Get hash	malicious	Browse	162.159.135.232
	oUI0jQS8xQ.exe	Get hash	malicious	Browse	162.159.137.232
	USD67,884.08_Payment_Advise_9083008849.exe	Get hash	malicious	Browse	162.159.136.232
	USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE	Get hash	malicious	Browse	162.159.138.232
	NyUnwsFSCa.exe	Get hash	malicious	Browse	162.159.135.232
	Fl0aIIH39W.exe	Get hash	malicious	Browse	162.159.138.232
	PO#0007507_009389283882873PDF.exe	Get hash	malicious	Browse	162.159.135.232
	9Pimjl3jyq.exe	Get hash	malicious	Browse	162.159.138.232
	D6vy84I7rJ.exe	Get hash	malicious	Browse	162.159.135.232
cdn.discordapp.com	Vessel details.doc	Get hash	malicious	Browse	162.159.135.233
	RFQ For TRANS ANATOLIAN NATURAL GAS PIPELINE (TANAP) - PHASE 1(Package 2).exe	Get hash	malicious	Browse	162.159.130.233
	Scan 25112020 pdf.exe	Get hash	malicious	Browse	162.159.135.233
	Piraeus Bank_swift_.exe	Get hash	malicious	Browse	162.159.129.233
	Q21rQw2C4o.exe	Get hash	malicious	Browse	162.159.130.233
	Q21rQw2C4o.exe	Get hash	malicious	Browse	162.159.133.233
	tzjEwwwbqK.exe	Get hash	malicious	Browse	162.159.130.233
	DHL_Express_Consignment_Details.exe	Get hash	malicious	Browse	162.159.133.233
	New Microsoft Office Excel Worksheet.xlsx	Get hash	malicious	Browse	162.159.129.233
	INV SF2910202.doc	Get hash	malicious	Browse	162.159.135.233
	Komfkim_Signed_.exe	Get hash	malicious	Browse	162.159.129.233
	oUI0jQS8xQ.exe	Get hash	malicious	Browse	162.159.130.233
	USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE	Get hash	malicious	Browse	162.159.135.233
	NyUnwsFSCa.exe	Get hash	malicious	Browse	162.159.133.233
	1099008FEDEX_090887766.xls	Get hash	malicious	Browse	162.159.129.233
	1099008FEDEX_090887766.xls	Get hash	malicious	Browse	162.159.134.233
	PO#0007507_009389283882873PDF.exe	Get hash	malicious	Browse	162.159.135.233
	9Pimjl3jyq.exe	Get hash	malicious	Browse	162.159.133.233
	D6vy84I7rJ.exe	Get hash	malicious	Browse	162.159.135.233
	Payment copy.doc	Get hash	malicious	Browse	162.159.129.233

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
CLOUDFLARENETUS	notif8372.xls	Get hash	malicious	Browse	104.24.117.11
	notif8372.xls	Get hash	malicious	Browse	172.67.222.45
	SecuriteInfo.com.Heur.23770.xls	Get hash	malicious	Browse	104.31.87.226
	2020-11-27-ZLoader-DLL-example-01.dll	Get hash	malicious	Browse	172.67.155.205
	2020-11-27-ZLoader-DLL-example-02.dll	Get hash	malicious	Browse	172.67.155.205
	2020-11-27-ZLoader-DLL-example-03.dll	Get hash	malicious	Browse	104.27.143.240
	SecuriteInfo.com.Heur.23770.xls	Get hash	malicious	Browse	104.31.86.226
	Final_report_2020.html	Get hash	malicious	Browse	104.16.18.94
	norit.dll	Get hash	malicious	Browse	104.31.69.174
	380000_USD_INV_011740_NOV_2020.jar	Get hash	malicious	Browse	104.20.22.46
	380000_USD_INV_011740_NOV_2020.jar	Get hash	malicious	Browse	104.20.23.46
	https://tinyurl.com/y9xs2oe6	Get hash	malicious	Browse	104.20.138.65
	case.2522.xls	Get hash	malicious	Browse	104.31.87.113
	https://ch1.amorozon.fr/.zz?&78387439&user=jon.parr@syngenta.com	Get hash	malicious	Browse	104.27.129.197
	case.2522.xls	Get hash	malicious	Browse	104.31.87.113
	coinomi-1.20.0.apk	Get hash	malicious	Browse	162.159.200.1
	Purchase Order.exe	Get hash	malicious	Browse	172.67.143.180
	http://fonts.mafia-server.net	Get hash	malicious	Browse	104.18.40.210
	caw.exe	Get hash	malicious	Browse	162.159.138.232
	Direct Deposit.xlsx	Get hash	malicious	Browse	104.16.19.94
CLOUDFLARENETUS	notif8372.xls	Get hash	malicious	Browse	104.24.117.11
	notif8372.xls	Get hash	malicious	Browse	172.67.222.45
	SecuriteInfo.com.Heur.23770.xls	Get hash	malicious	Browse	104.31.87.226
	2020-11-27-ZLoader-DLL-example-01.dll	Get hash	malicious	Browse	172.67.155.205
	2020-11-27-ZLoader-DLL-example-02.dll	Get hash	malicious	Browse	172.67.155.205
	2020-11-27-ZLoader-DLL-example-03.dll	Get hash	malicious	Browse	104.27.143.240
	SecuriteInfo.com.Heur.23770.xls	Get hash	malicious	Browse	104.31.86.226
	Final_report_2020.html	Get hash	malicious	Browse	104.16.18.94
	norit.dll	Get hash	malicious	Browse	104.31.69.174
	380000_USD_INV_011740_NOV_2020.jar	Get hash	malicious	Browse	104.20.22.46
	380000_USD_INV_011740_NOV_2020.jar	Get hash	malicious	Browse	104.20.23.46
	https://tinyurl.com/y9xs2oe6	Get hash	malicious	Browse	104.20.138.65
	case.2522.xls	Get hash	malicious	Browse	104.31.87.113
	https://ch1.amorozon.fr/.zz?&78387439&user=jon.parr@syngenta.com	Get hash	malicious	Browse	104.27.129.197
	case.2522.xls	Get hash	malicious	Browse	104.31.87.113
	coinomi-1.20.0.apk	Get hash	malicious	Browse	162.159.200.1
	Purchase Order.exe	Get hash	malicious	Browse	172.67.143.180
	http://fonts.mafia-server.net	Get hash	malicious	Browse	104.18.40.210
	caw.exe	Get hash	malicious	Browse	162.159.138.232
	Direct Deposit.xlsx	Get hash	malicious	Browse	104.16.19.94

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

No created / dropped files found

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.171493979360729
TrID:	Win32 Executable (generic) a (10002005/4) 99.24% InstallShield setup (43055/19) 0.43% Win32 Executable Delphi generic (14689/80) 0.15% Windows Screen Saver (13104/52) 0.13% Win16/32 Executable Delphi generic (2074/23) 0.02%
File name:	MT103---USD42880.45---20201127--dbs--9900.exe
File size:	1289728
MD5:	d7545487bde794de42b3a655f3664c8d
SHA1:	f4728d4c214b0282efc7d0779cd673d4b68e7da0
SHA256:	4d39dfd975de3e9aca4e430390618b2e548db3f3d4bf2d0409f643be7da2a91e
SHA512:	7d4d4ec5c0aaca0c51f1313769c74428a6615d6919392465ce10a357d81480dd4f80cc6c9c5d7b9d1e5dfe24ed5d6eb152e3e194d50ef81c2fd105768ea676af
SSDEEP:	24576:siLDfJXRq+fowpGG7By3Z72mwt8gKmX9hIbEIK:siLr5By3Z7NTgKA
File Content Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................

File Icon


Icon Hash:	b2a8949ea686da6a

Static PE Info

General
Entrypoint:	0x47d118
Entrypoint Section:	CODE
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, BYTES_REVERSED_LO, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, LINE_NUMS_STRIPPED, BYTES_REVERSED_HI
DLL Characteristics:
Time Stamp:	0x2A425E19 [Fri Jun 19 22:22:17 1992 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	c7f986b767e22dea5696886cb4d7da70

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
add esp, FFFFFFF0h
mov eax, 0047CE60h
call 00007F2CF4BE5CB5h
lea edx, dword ptr [ebx+eax]
push 00000019h
mov eax, dword ptr [004807A4h]
mov eax, dword ptr [eax]
call 00007F2CF4C3AE08h
mov ecx, dword ptr [00480750h]
mov eax, dword ptr [004807A4h]
mov eax, dword ptr [eax]
mov edx, dword ptr [0047C9ECh]
call 00007F2CF4C3AE08h
mov eax, dword ptr [00480750h]
mov eax, dword ptr [eax]
xor edx, edx
call 00007F2CF4C3437Ah
mov eax, dword ptr [004807A4h]
mov eax, dword ptr [eax]
mov byte ptr [eax+5Bh], 00000000h
mov eax, dword ptr [004807A4h]
mov eax, dword ptr [eax]
call 00007F2CF4C3AE63h
call 00007F2CF4BE37A6h
nop
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x83000	0x22b0	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x91000	0xb1400	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x88000	0x8138	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x87000	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
CODE	0x1000	0x7c17c	0x7c200	False	0.522454053374	data	6.55138199518	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
DATA	0x7e000	0x2954	0x2a00	False	0.412109375	data	4.92006813937	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
BSS	0x81000	0x114d	0x0	False	0	empty	0.0	IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.idata	0x83000	0x22b0	0x2400	False	0.355251736111	data	4.85312153514	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.tls	0x86000	0x10	0x0	False	0	empty	0.0	IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rdata	0x87000	0x18	0x200	False	0.05078125	data	0.206920017787	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
.reloc	0x88000	0x8138	0x8200	False	0.584435096154	data	6.65713214053	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
.rsrc	0x91000	0xb1400	0xb1400	False	0.549854273184	data	7.13542941406	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_CURSOR	0x9217c	0x134	data
RT_CURSOR	0x922b0	0x134	data
RT_CURSOR	0x923e4	0x134	data
RT_CURSOR	0x92518	0x134	data
RT_CURSOR	0x9264c	0x134	data
RT_CURSOR	0x92780	0x134	data
RT_CURSOR	0x928b4	0x134	data
RT_BITMAP	0x929e8	0x1d0	data
RT_BITMAP	0x92bb8	0x1e4	data
RT_BITMAP	0x92d9c	0x1d0	data
RT_BITMAP	0x92f6c	0x1d0	data
RT_BITMAP	0x9313c	0x1d0	data
RT_BITMAP	0x9330c	0x1d0	data
RT_BITMAP	0x934dc	0x1d0	data
RT_BITMAP	0x936ac	0x1d0	data
RT_BITMAP	0x9387c	0x1d0	data
RT_BITMAP	0x93a4c	0x1d0	data
RT_BITMAP	0x93c1c	0x5c	data
RT_BITMAP	0x93c78	0x5c	data
RT_BITMAP	0x93cd4	0x5c	data
RT_BITMAP	0x93d30	0x5c	data
RT_BITMAP	0x93d8c	0x5c	data
RT_BITMAP	0x93de8	0x138	data
RT_BITMAP	0x93f20	0x138	data
RT_BITMAP	0x94058	0x138	data
RT_BITMAP	0x94190	0x138	data
RT_BITMAP	0x942c8	0x138	data
RT_BITMAP	0x94400	0x138	data
RT_BITMAP	0x94538	0x104	data
RT_BITMAP	0x9463c	0x138	data
RT_BITMAP	0x94774	0x104	data
RT_BITMAP	0x94878	0x138	data
RT_BITMAP	0x949b0	0xe8	GLS_BINARY_LSB_FIRST	English	United States
RT_ICON	0x94a98	0x468	GLS_BINARY_LSB_FIRST	English	United States
RT_ICON	0x94f00	0x988	data	English	United States
RT_ICON	0x95888	0x10a8	data	English	United States
RT_ICON	0x96930	0x25a8	data	English	United States
RT_ICON	0x98ed8	0x4228	dBase IV DBT of \200.DBF, blocks size 0, block length 16896, next free block index 40, next free block 240, next used block 251658240	English	United States
RT_ICON	0x9d100	0x5488	data	English	United States
RT_ICON	0xa2588	0x94a8	data	English	United States
RT_ICON	0xaba30	0xa2a8	data	English	United States
RT_DIALOG	0xb5cd8	0x52	data
RT_STRING	0xb5d2c	0x280	data
RT_STRING	0xb5fac	0x274	data
RT_STRING	0xb6220	0x1ec	data
RT_STRING	0xb640c	0x13c	data
RT_STRING	0xb6548	0x2c8	data
RT_STRING	0xb6810	0xfc	Hitachi SH big-endian COFF object file, not stripped, 17664 sections, symbol offset=0x65007200, 83907328 symbols, optional header size 28672
RT_STRING	0xb690c	0xf8	data
RT_STRING	0xb6a04	0x128	data
RT_STRING	0xb6b2c	0x468	data
RT_STRING	0xb6f94	0x37c	data
RT_STRING	0xb7310	0x39c	data
RT_STRING	0xb76ac	0x3e8	data
RT_STRING	0xb7a94	0xf4	data
RT_STRING	0xb7b88	0xc4	data
RT_STRING	0xb7c4c	0x2c0	data
RT_STRING	0xb7f0c	0x478	data
RT_STRING	0xb8384	0x3ac	data
RT_STRING	0xb8730	0x2d4	data
RT_RCDATA	0xb8a04	0x10	data
RT_RCDATA	0xb8a14	0x398	data
RT_RCDATA	0xb8dac	0x494	Delphi compiled form 'TLoginDialog'
RT_RCDATA	0xb9240	0x3c4	Delphi compiled form 'TPasswordDialog'
RT_RCDATA	0xb9604	0x76f67	GIF image data, version 89a, 577 x 188	English	United States
RT_RCDATA	0x13056c	0x11a42	Delphi compiled form 'T__958758541'
RT_GROUP_CURSOR	0x141fb0	0x14	Lotus unknown worksheet or configuration, revision 0x1
RT_GROUP_CURSOR	0x141fc4	0x14	Lotus unknown worksheet or configuration, revision 0x1
RT_GROUP_CURSOR	0x141fd8	0x14	Lotus unknown worksheet or configuration, revision 0x1
RT_GROUP_CURSOR	0x141fec	0x14	Lotus unknown worksheet or configuration, revision 0x1
RT_GROUP_CURSOR	0x142000	0x14	Lotus unknown worksheet or configuration, revision 0x1
RT_GROUP_CURSOR	0x142014	0x14	Lotus unknown worksheet or configuration, revision 0x1
RT_GROUP_CURSOR	0x142028	0x14	Lotus unknown worksheet or configuration, revision 0x1
RT_GROUP_ICON	0x14203c	0x76	data	English	United States
RT_MANIFEST	0x1420b4	0x2f0	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States

Imports

DLL	Import
kernel32.dll	DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, InitializeCriticalSection, VirtualFree, VirtualAlloc, LocalFree, LocalAlloc, GetTickCount, QueryPerformanceCounter, GetVersion, GetCurrentThreadId, InterlockedDecrement, InterlockedIncrement, VirtualQuery, WideCharToMultiByte, MultiByteToWideChar, lstrlenA, lstrcpynA, LoadLibraryExA, GetThreadLocale, GetStartupInfoA, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetCommandLineA, FreeLibrary, FindFirstFileA, FindClose, ExitProcess, WriteFile, UnhandledExceptionFilter, RtlUnwind, RaiseException, GetStdHandle
user32.dll	GetKeyboardType, LoadStringA, MessageBoxA, CharNextA
advapi32.dll	RegQueryValueExA, RegOpenKeyExA, RegCloseKey
oleaut32.dll	SysFreeString, SysReAllocStringLen, SysAllocStringLen
kernel32.dll	TlsSetValue, TlsGetValue, LocalAlloc, GetModuleHandleA
advapi32.dll	RegQueryValueExA, RegOpenKeyExA, RegCloseKey
kernel32.dll	lstrcpyA, lstrcmpiA, WriteFile, WaitForSingleObject, VirtualQuery, VirtualProtect, VirtualAlloc, Sleep, SizeofResource, SetThreadLocale, SetFilePointer, SetEvent, SetErrorMode, SetEndOfFile, ResetEvent, ReadFile, MultiByteToWideChar, MulDiv, LockResource, LoadResource, LoadLibraryA, LeaveCriticalSection, InitializeCriticalSection, GlobalUnlock, GlobalReAlloc, GlobalHandle, GlobalLock, GlobalFree, GlobalFindAtomA, GlobalDeleteAtom, GlobalAlloc, GlobalAddAtomA, GetVersionExA, GetVersion, GetTickCount, GetThreadLocale, GetSystemInfo, GetStringTypeExA, GetStdHandle, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetLocalTime, GetLastError, GetFullPathNameA, GetDiskFreeSpaceA, GetDateFormatA, GetCurrentThreadId, GetCurrentProcessId, GetCPInfo, GetACP, FreeResource, InterlockedExchange, FreeLibrary, FormatMessageA, FindResourceA, EnumCalendarInfoA, EnterCriticalSection, DeleteCriticalSection, CreateThread, CreateFileA, CreateEventA, CompareStringA, CloseHandle
version.dll	VerQueryValueA, GetFileVersionInfoSizeA, GetFileVersionInfoA
gdi32.dll	UnrealizeObject, StretchBlt, SetWindowOrgEx, SetWinMetaFileBits, SetViewportOrgEx, SetTextColor, SetStretchBltMode, SetROP2, SetPixel, SetEnhMetaFileBits, SetDIBColorTable, SetBrushOrgEx, SetBkMode, SetBkColor, SelectPalette, SelectObject, SelectClipRgn, SaveDC, RestoreDC, Rectangle, RectVisible, RealizePalette, Polyline, PlayEnhMetaFile, PatBlt, MoveToEx, MaskBlt, LineTo, IntersectClipRect, GetWindowOrgEx, GetWinMetaFileBits, GetTextMetricsA, GetTextExtentPoint32A, GetSystemPaletteEntries, GetStockObject, GetROP2, GetPolyFillMode, GetPixel, GetPaletteEntries, GetObjectA, GetMapMode, GetEnhMetaFilePaletteEntries, GetEnhMetaFileHeader, GetEnhMetaFileBits, GetDeviceCaps, GetDIBits, GetDIBColorTable, GetDCOrgEx, GetCurrentPositionEx, GetClipBox, GetBrushOrgEx, GetBitmapBits, GdiFlush, ExcludeClipRect, DeleteObject, DeleteEnhMetaFile, DeleteDC, CreateSolidBrush, CreatePenIndirect, CreatePalette, CreateHalftonePalette, CreateFontIndirectA, CreateDIBitmap, CreateDIBSection, CreateCompatibleDC, CreateCompatibleBitmap, CreateBrushIndirect, CreateBitmap, CopyEnhMetaFileA, BitBlt
user32.dll	CreateWindowExA, WindowFromPoint, WinHelpA, WaitMessage, UpdateWindow, UnregisterClassA, UnhookWindowsHookEx, TranslateMessage, TranslateMDISysAccel, TrackPopupMenu, SystemParametersInfoA, ShowWindow, ShowScrollBar, ShowOwnedPopups, ShowCursor, SetWindowsHookExA, SetWindowTextA, SetWindowPos, SetWindowPlacement, SetWindowLongA, SetTimer, SetScrollRange, SetScrollPos, SetScrollInfo, SetRect, SetPropA, SetParent, SetMenuItemInfoA, SetMenu, SetForegroundWindow, SetFocus, SetCursor, SetClassLongA, SetCapture, SetActiveWindow, SendMessageA, ScrollWindow, ScreenToClient, RemovePropA, RemoveMenu, ReleaseDC, ReleaseCapture, RegisterWindowMessageA, RegisterClipboardFormatA, RegisterClassA, RedrawWindow, PtInRect, PostQuitMessage, PostMessageA, PeekMessageA, OffsetRect, OemToCharA, MessageBoxA, MapWindowPoints, MapVirtualKeyA, LoadStringA, LoadKeyboardLayoutA, LoadIconA, LoadCursorA, LoadBitmapA, KillTimer, IsZoomed, IsWindowVisible, IsWindowEnabled, IsWindow, IsRectEmpty, IsIconic, IsDialogMessageA, IsChild, InvalidateRect, IntersectRect, InsertMenuItemA, InsertMenuA, InflateRect, GetWindowThreadProcessId, GetWindowTextA, GetWindowRect, GetWindowPlacement, GetWindowLongA, GetWindowDC, GetTopWindow, GetSystemMetrics, GetSystemMenu, GetSysColorBrush, GetSysColor, GetSubMenu, GetScrollRange, GetScrollPos, GetScrollInfo, GetPropA, GetParent, GetWindow, GetMenuStringA, GetMenuState, GetMenuItemInfoA, GetMenuItemID, GetMenuItemCount, GetMenu, GetLastActivePopup, GetKeyboardState, GetKeyboardLayoutList, GetKeyboardLayout, GetKeyState, GetKeyNameTextA, GetIconInfo, GetForegroundWindow, GetFocus, GetDesktopWindow, GetDCEx, GetDC, GetCursorPos, GetCursor, GetClipboardData, GetClientRect, GetClassNameA, GetClassInfoA, GetCapture, GetActiveWindow, FrameRect, FindWindowA, FillRect, EqualRect, EnumWindows, EnumThreadWindows, EndPaint, EnableWindow, EnableScrollBar, EnableMenuItem, DrawTextA, DrawMenuBar, DrawIconEx, DrawIcon, DrawFrameControl, DrawEdge, DispatchMessageA, DestroyWindow, DestroyMenu, DestroyIcon, DestroyCursor, DeleteMenu, DefWindowProcA, DefMDIChildProcA, DefFrameProcA, CreatePopupMenu, CreateMenu, CreateIcon, ClientToScreen, CheckMenuItem, CallWindowProcA, CallNextHookEx, BeginPaint, CharNextA, CharLowerBuffA, CharLowerA, CharUpperBuffA, CharToOemA, AdjustWindowRectEx, ActivateKeyboardLayout
kernel32.dll	Sleep
oleaut32.dll	SafeArrayPtrOfIndex, SafeArrayPutElement, SafeArrayGetElement, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayGetUBound, SafeArrayGetLBound, SafeArrayCreate, VariantChangeType, VariantCopyInd, VariantCopy, VariantClear, VariantInit
ole32.dll	CoUninitialize, CoInitialize
oleaut32.dll	GetErrorInfo, SysFreeString
comctl32.dll	ImageList_SetIconSize, ImageList_GetIconSize, ImageList_Write, ImageList_Read, ImageList_GetDragImage, ImageList_DragShowNolock, ImageList_SetDragCursorImage, ImageList_DragMove, ImageList_DragLeave, ImageList_DragEnter, ImageList_EndDrag, ImageList_BeginDrag, ImageList_Remove, ImageList_DrawEx, ImageList_Draw, ImageList_GetBkColor, ImageList_SetBkColor, ImageList_ReplaceIcon, ImageList_Add, ImageList_SetImageCount, ImageList_GetImageCount, ImageList_Destroy, ImageList_Create, InitCommonControls

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 28, 2020 00:05:45.428303957 CET	49714	443	192.168.2.3	162.159.137.232
Nov 28, 2020 00:05:45.444849014 CET	443	49714	162.159.137.232	192.168.2.3
Nov 28, 2020 00:05:45.445030928 CET	49714	443	192.168.2.3	162.159.137.232
Nov 28, 2020 00:05:45.445923090 CET	49714	443	192.168.2.3	162.159.137.232
Nov 28, 2020 00:05:45.462764978 CET	443	49714	162.159.137.232	192.168.2.3
Nov 28, 2020 00:05:45.463264942 CET	443	49714	162.159.137.232	192.168.2.3
Nov 28, 2020 00:05:45.463382006 CET	49714	443	192.168.2.3	162.159.137.232
Nov 28, 2020 00:05:45.543860912 CET	49715	443	192.168.2.3	162.159.129.233
Nov 28, 2020 00:05:45.560765982 CET	443	49715	162.159.129.233	192.168.2.3
Nov 28, 2020 00:05:45.560965061 CET	49715	443	192.168.2.3	162.159.129.233
Nov 28, 2020 00:05:45.571419954 CET	49715	443	192.168.2.3	162.159.129.233
Nov 28, 2020 00:05:45.587831974 CET	443	49715	162.159.129.233	192.168.2.3
Nov 28, 2020 00:05:45.588376045 CET	443	49715	162.159.129.233	192.168.2.3
Nov 28, 2020 00:05:45.588417053 CET	443	49715	162.159.129.233	192.168.2.3
Nov 28, 2020 00:05:45.588447094 CET	443	49715	162.159.129.233	192.168.2.3
Nov 28, 2020 00:05:45.588498116 CET	49715	443	192.168.2.3	162.159.129.233
Nov 28, 2020 00:05:45.635109901 CET	49715	443	192.168.2.3	162.159.129.233
Nov 28, 2020 00:05:45.638703108 CET	49715	443	192.168.2.3	162.159.129.233
Nov 28, 2020 00:05:45.655452013 CET	443	49715	162.159.129.233	192.168.2.3
Nov 28, 2020 00:05:45.655683994 CET	443	49715	162.159.129.233	192.168.2.3
Nov 28, 2020 00:05:45.697613955 CET	49715	443	192.168.2.3	162.159.129.233
Nov 28, 2020 00:05:45.738403082 CET	49715	443	192.168.2.3	162.159.129.233
Nov 28, 2020 00:05:45.754874945 CET	443	49715	162.159.129.233	192.168.2.3
Nov 28, 2020 00:05:45.779589891 CET	443	49715	162.159.129.233	192.168.2.3
Nov 28, 2020 00:05:45.779622078 CET	443	49715	162.159.129.233	192.168.2.3
Nov 28, 2020 00:05:45.779649019 CET	443	49715	162.159.129.233	192.168.2.3
Nov 28, 2020 00:05:45.779668093 CET	443	49715	162.159.129.233	192.168.2.3
Nov 28, 2020 00:05:45.779695034 CET	443	49715	162.159.129.233	192.168.2.3
Nov 28, 2020 00:05:45.779728889 CET	443	49715	162.159.129.233	192.168.2.3
Nov 28, 2020 00:05:45.779758930 CET	443	49715	162.159.129.233	192.168.2.3
Nov 28, 2020 00:05:45.779793978 CET	443	49715	162.159.129.233	192.168.2.3
Nov 28, 2020 00:05:45.779798985 CET	49715	443	192.168.2.3	162.159.129.233
Nov 28, 2020 00:05:45.779833078 CET	443	49715	162.159.129.233	192.168.2.3
Nov 28, 2020 00:05:45.779869080 CET	443	49715	162.159.129.233	192.168.2.3
Nov 28, 2020 00:05:45.779874086 CET	49715	443	192.168.2.3	162.159.129.233
Nov 28, 2020 00:05:45.779906034 CET	443	49715	162.159.129.233	192.168.2.3
Nov 28, 2020 00:05:45.779932022 CET	443	49715	162.159.129.233	192.168.2.3
Nov 28, 2020 00:05:45.779958010 CET	443	49715	162.159.129.233	192.168.2.3
Nov 28, 2020 00:05:45.779980898 CET	443	49715	162.159.129.233	192.168.2.3
Nov 28, 2020 00:05:45.779988050 CET	49715	443	192.168.2.3	162.159.129.233
Nov 28, 2020 00:05:45.780008078 CET	443	49715	162.159.129.233	192.168.2.3
Nov 28, 2020 00:05:45.780036926 CET	443	49715	162.159.129.233	192.168.2.3
Nov 28, 2020 00:05:45.780064106 CET	443	49715	162.159.129.233	192.168.2.3
Nov 28, 2020 00:05:45.780076981 CET	49715	443	192.168.2.3	162.159.129.233
Nov 28, 2020 00:05:45.780091047 CET	443	49715	162.159.129.233	192.168.2.3
Nov 28, 2020 00:05:45.780122995 CET	443	49715	162.159.129.233	192.168.2.3
Nov 28, 2020 00:05:45.780143976 CET	49715	443	192.168.2.3	162.159.129.233
Nov 28, 2020 00:05:45.780158997 CET	443	49715	162.159.129.233	192.168.2.3
Nov 28, 2020 00:05:45.780190945 CET	443	49715	162.159.129.233	192.168.2.3
Nov 28, 2020 00:05:45.780211926 CET	49715	443	192.168.2.3	162.159.129.233
Nov 28, 2020 00:05:45.780216932 CET	443	49715	162.159.129.233	192.168.2.3
Nov 28, 2020 00:05:45.780252934 CET	443	49715	162.159.129.233	192.168.2.3
Nov 28, 2020 00:05:45.780287981 CET	443	49715	162.159.129.233	192.168.2.3
Nov 28, 2020 00:05:45.780301094 CET	49715	443	192.168.2.3	162.159.129.233
Nov 28, 2020 00:05:45.780327082 CET	443	49715	162.159.129.233	192.168.2.3
Nov 28, 2020 00:05:45.780361891 CET	49715	443	192.168.2.3	162.159.129.233
Nov 28, 2020 00:05:45.780366898 CET	443	49715	162.159.129.233	192.168.2.3
Nov 28, 2020 00:05:45.780411959 CET	443	49715	162.159.129.233	192.168.2.3
Nov 28, 2020 00:05:45.780453920 CET	443	49715	162.159.129.233	192.168.2.3
Nov 28, 2020 00:05:45.780462980 CET	49715	443	192.168.2.3	162.159.129.233
Nov 28, 2020 00:05:45.780491114 CET	443	49715	162.159.129.233	192.168.2.3
Nov 28, 2020 00:05:45.780518055 CET	443	49715	162.159.129.233	192.168.2.3
Nov 28, 2020 00:05:45.780544043 CET	49715	443	192.168.2.3	162.159.129.233
Nov 28, 2020 00:05:45.780555964 CET	443	49715	162.159.129.233	192.168.2.3
Nov 28, 2020 00:05:45.780582905 CET	443	49715	162.159.129.233	192.168.2.3
Nov 28, 2020 00:05:45.780599117 CET	49715	443	192.168.2.3	162.159.129.233
Nov 28, 2020 00:05:45.780616045 CET	443	49715	162.159.129.233	192.168.2.3
Nov 28, 2020 00:05:45.780647993 CET	443	49715	162.159.129.233	192.168.2.3
Nov 28, 2020 00:05:45.780689001 CET	443	49715	162.159.129.233	192.168.2.3
Nov 28, 2020 00:05:45.780694008 CET	49715	443	192.168.2.3	162.159.129.233
Nov 28, 2020 00:05:45.780728102 CET	443	49715	162.159.129.233	192.168.2.3
Nov 28, 2020 00:05:45.780766964 CET	443	49715	162.159.129.233	192.168.2.3
Nov 28, 2020 00:05:45.780797005 CET	49715	443	192.168.2.3	162.159.129.233
Nov 28, 2020 00:05:45.780805111 CET	443	49715	162.159.129.233	192.168.2.3
Nov 28, 2020 00:05:45.780843019 CET	443	49715	162.159.129.233	192.168.2.3
Nov 28, 2020 00:05:45.780854940 CET	49715	443	192.168.2.3	162.159.129.233
Nov 28, 2020 00:05:45.780883074 CET	443	49715	162.159.129.233	192.168.2.3
Nov 28, 2020 00:05:45.780910015 CET	49715	443	192.168.2.3	162.159.129.233
Nov 28, 2020 00:05:45.780915022 CET	443	49715	162.159.129.233	192.168.2.3
Nov 28, 2020 00:05:45.780952930 CET	443	49715	162.159.129.233	192.168.2.3
Nov 28, 2020 00:05:45.780985117 CET	49715	443	192.168.2.3	162.159.129.233
Nov 28, 2020 00:05:45.780991077 CET	443	49715	162.159.129.233	192.168.2.3
Nov 28, 2020 00:05:45.781028986 CET	443	49715	162.159.129.233	192.168.2.3
Nov 28, 2020 00:05:45.781068087 CET	443	49715	162.159.129.233	192.168.2.3
Nov 28, 2020 00:05:45.781068087 CET	49715	443	192.168.2.3	162.159.129.233
Nov 28, 2020 00:05:45.781104088 CET	49715	443	192.168.2.3	162.159.129.233
Nov 28, 2020 00:05:45.781109095 CET	443	49715	162.159.129.233	192.168.2.3
Nov 28, 2020 00:05:45.781147003 CET	443	49715	162.159.129.233	192.168.2.3
Nov 28, 2020 00:05:45.781188011 CET	443	49715	162.159.129.233	192.168.2.3
Nov 28, 2020 00:05:45.781224966 CET	49715	443	192.168.2.3	162.159.129.233
Nov 28, 2020 00:05:45.781229973 CET	443	49715	162.159.129.233	192.168.2.3
Nov 28, 2020 00:05:45.781266928 CET	443	49715	162.159.129.233	192.168.2.3
Nov 28, 2020 00:05:45.781301975 CET	49715	443	192.168.2.3	162.159.129.233
Nov 28, 2020 00:05:45.781302929 CET	443	49715	162.159.129.233	192.168.2.3
Nov 28, 2020 00:05:45.781332970 CET	443	49715	162.159.129.233	192.168.2.3
Nov 28, 2020 00:05:45.781344891 CET	49715	443	192.168.2.3	162.159.129.233
Nov 28, 2020 00:05:45.781371117 CET	443	49715	162.159.129.233	192.168.2.3
Nov 28, 2020 00:05:45.781428099 CET	49715	443	192.168.2.3	162.159.129.233
Nov 28, 2020 00:05:45.781575918 CET	443	49715	162.159.129.233	192.168.2.3
Nov 28, 2020 00:05:45.781610012 CET	443	49715	162.159.129.233	192.168.2.3

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 28, 2020 00:05:39.377357960 CET	64185	53	192.168.2.3	8.8.8.8
Nov 28, 2020 00:05:39.413207054 CET	53	64185	8.8.8.8	192.168.2.3
Nov 28, 2020 00:05:40.531349897 CET	65110	53	192.168.2.3	8.8.8.8
Nov 28, 2020 00:05:40.566946030 CET	53	65110	8.8.8.8	192.168.2.3
Nov 28, 2020 00:05:41.344980955 CET	58361	53	192.168.2.3	8.8.8.8
Nov 28, 2020 00:05:41.372140884 CET	53	58361	8.8.8.8	192.168.2.3
Nov 28, 2020 00:05:42.388803959 CET	63492	53	192.168.2.3	8.8.8.8
Nov 28, 2020 00:05:42.417777061 CET	53	63492	8.8.8.8	192.168.2.3
Nov 28, 2020 00:05:43.434027910 CET	60831	53	192.168.2.3	8.8.8.8
Nov 28, 2020 00:05:43.465171099 CET	53	60831	8.8.8.8	192.168.2.3
Nov 28, 2020 00:05:44.502682924 CET	60100	53	192.168.2.3	8.8.8.8
Nov 28, 2020 00:05:44.529831886 CET	53	60100	8.8.8.8	192.168.2.3
Nov 28, 2020 00:05:45.299616098 CET	53195	53	192.168.2.3	8.8.8.8
Nov 28, 2020 00:05:45.326739073 CET	53	53195	8.8.8.8	192.168.2.3
Nov 28, 2020 00:05:45.375690937 CET	50141	53	192.168.2.3	8.8.8.8
Nov 28, 2020 00:05:45.402848005 CET	53	50141	8.8.8.8	192.168.2.3
Nov 28, 2020 00:05:45.512635946 CET	53023	53	192.168.2.3	8.8.8.8
Nov 28, 2020 00:05:45.540005922 CET	53	53023	8.8.8.8	192.168.2.3
Nov 28, 2020 00:05:46.103368044 CET	49563	53	192.168.2.3	8.8.8.8
Nov 28, 2020 00:05:46.131063938 CET	53	49563	8.8.8.8	192.168.2.3
Nov 28, 2020 00:05:47.257292032 CET	51352	53	192.168.2.3	8.8.8.8
Nov 28, 2020 00:05:47.293032885 CET	53	51352	8.8.8.8	192.168.2.3
Nov 28, 2020 00:05:50.389448881 CET	59349	53	192.168.2.3	8.8.8.8
Nov 28, 2020 00:05:50.425154924 CET	53	59349	8.8.8.8	192.168.2.3
Nov 28, 2020 00:05:51.466330051 CET	57084	53	192.168.2.3	8.8.8.8
Nov 28, 2020 00:05:51.493590117 CET	53	57084	8.8.8.8	192.168.2.3
Nov 28, 2020 00:05:52.523111105 CET	58823	53	192.168.2.3	8.8.8.8
Nov 28, 2020 00:05:52.558619976 CET	53	58823	8.8.8.8	192.168.2.3
Nov 28, 2020 00:05:53.632405043 CET	57568	53	192.168.2.3	8.8.8.8
Nov 28, 2020 00:05:53.659518957 CET	53	57568	8.8.8.8	192.168.2.3

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Nov 28, 2020 00:05:45.375690937 CET	192.168.2.3	8.8.8.8	0x2d18	Standard query (0)	discord.com	A (IP address)	IN (0x0001)
Nov 28, 2020 00:05:45.512635946 CET	192.168.2.3	8.8.8.8	0xc863	Standard query (0)	cdn.discordapp.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class
Nov 28, 2020 00:05:45.402848005 CET	8.8.8.8	192.168.2.3	0x2d18	No error (0)	discord.com	162.159.137.232	A (IP address)	IN (0x0001)
Nov 28, 2020 00:05:45.402848005 CET	8.8.8.8	192.168.2.3	0x2d18	No error (0)	discord.com	162.159.136.232	A (IP address)	IN (0x0001)
Nov 28, 2020 00:05:45.402848005 CET	8.8.8.8	192.168.2.3	0x2d18	No error (0)	discord.com	162.159.128.233	A (IP address)	IN (0x0001)
Nov 28, 2020 00:05:45.402848005 CET	8.8.8.8	192.168.2.3	0x2d18	No error (0)	discord.com	162.159.135.232	A (IP address)	IN (0x0001)
Nov 28, 2020 00:05:45.402848005 CET	8.8.8.8	192.168.2.3	0x2d18	No error (0)	discord.com	162.159.138.232	A (IP address)	IN (0x0001)
Nov 28, 2020 00:05:45.540005922 CET	8.8.8.8	192.168.2.3	0xc863	No error (0)	cdn.discordapp.com	162.159.129.233	A (IP address)	IN (0x0001)
Nov 28, 2020 00:05:45.540005922 CET	8.8.8.8	192.168.2.3	0xc863	No error (0)	cdn.discordapp.com	162.159.130.233	A (IP address)	IN (0x0001)
Nov 28, 2020 00:05:45.540005922 CET	8.8.8.8	192.168.2.3	0xc863	No error (0)	cdn.discordapp.com	162.159.133.233	A (IP address)	IN (0x0001)
Nov 28, 2020 00:05:45.540005922 CET	8.8.8.8	192.168.2.3	0xc863	No error (0)	cdn.discordapp.com	162.159.135.233	A (IP address)	IN (0x0001)
Nov 28, 2020 00:05:45.540005922 CET	8.8.8.8	192.168.2.3	0xc863	No error (0)	cdn.discordapp.com	162.159.134.233	A (IP address)	IN (0x0001)

HTTPS Packets

Timestamp	Source IP	Source Port	Dest IP	Dest Port	Subject	Issuer	Not Before	Not After
Nov 28, 2020 00:05:45.588447094 CET	162.159.129.233	443	192.168.2.3	49715	CN=ssl711320.cloudflaressl.com CN=COMODO ECC Domain Validation Secure Server CA 2, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB CN=COMODO ECC Certification Authority, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB	CN=COMODO ECC Domain Validation Secure Server CA 2, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB CN=COMODO ECC Certification Authority, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB CN=AAA Certificate Services, O=Comodo CA Limited, L=Salford, ST=Greater Manchester, C=GB	Tue Oct 27 01:00:00 CET 2020 Thu Sep 25 02:00:00 CEST 2014 Thu Jan 01 01:00:00 CET 2004	Thu May 06 01:59:59 CEST 2021 Tue Sep 25 01:59:59 CEST 2029 Mon Jan 01 00:59:59 CET 2029
					CN=COMODO ECC Domain Validation Secure Server CA 2, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB	CN=COMODO ECC Certification Authority, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB	Thu Sep 25 02:00:00 CEST 2014	Tue Sep 25 01:59:59 CEST 2029
					CN=COMODO ECC Certification Authority, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB	CN=AAA Certificate Services, O=Comodo CA Limited, L=Salford, ST=Greater Manchester, C=GB	Thu Jan 01 01:00:00 CET 2004	Mon Jan 01 00:59:59 CET 2029

Code Manipulations

Statistics

Behavior

Click to jump to process

System Behavior

Analysis Process: MT103---USD42880.45---20201127--dbs--9900.exe PID: 5504 Parent PID: 5516

General

Start time:	00:05:43
Start date:	28/11/2020
Path:	C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe'
Imagebase:	0x400000
File size:	1289728 bytes
MD5 hash:	D7545487BDE794DE42B3A655F3664C8D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Yara matches:	Rule: Methodology_Contains_Shortcut_OtherURIhandlers, Description: Detects possible shortcut usage for .URL persistence, Source: 00000000.00000002.214074450.0000000004C67000.00000020.00000001.sdmp, Author: @itsreallynick (Nick Carr) Rule: Methodology_Suspicious_Shortcut_IconNotFromExeOrDLLOrICO, Description: Detects possible shortcut usage for .URL persistence, Source: 00000000.00000002.214074450.0000000004C67000.00000020.00000001.sdmp, Author: @itsreallynick (Nick Carr) Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.214175689.0000000004CC0000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.214175689.0000000004CC0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.214175689.0000000004CC0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.214642043.0000000005126000.00000004.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.214642043.0000000005126000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.214642043.0000000005126000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low

Analysis Process: MT103---USD42880.45---20201127--dbs--9900.exe PID: 2416 Parent PID: 5504

General

Start time:	00:05:46
Start date:	28/11/2020
Path:	C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\MT103---USD42880.45---20201127--dbs--9900.exe
Imagebase:	0x400000
File size:	1289728 bytes
MD5 hash:	D7545487BDE794DE42B3A655F3664C8D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.213378752.0000000000400000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.213378752.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.213378752.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000001.211862077.0000000000400000.00000040.00020000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000001.211862077.0000000000400000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000001.211862077.0000000000400000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low

Disassembly

Code Analysis

Reset < >

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report MT103---USD42880.45---20201127--dbs--9900.exe

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

Signature Overview

AV Detection:

Software Vulnerabilities:

Networking:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTPS Packets

Code Manipulations

Statistics

Behavior

System Behavior

Analysis Process: MT103---USD42880.45---20201127--dbs--9900.exe PID: 5504 Parent PID: 5516

General