Analysis Report KY4cmAI0jU.exe

Overview

General Information

Sample Name: KY4cmAI0jU.exe
Analysis ID: 433078
MD5: 8c35ac8d43f7e59105902fa16114144e
SHA1: c1a0e5de1121e55c22649182c923b41efd4e2848
SHA256: 1a08fc838c4ebab6b986b6010e2074a05c29916cd38096e7f7d26a6455917508
Tags: exe, Formbook

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected unpacking (changes PE section rights)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
C2 URLs / IPs found in malware configuration
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect virtualization through RDTSC time measurements
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality to read the PEB
Contains functionality to shutdown / reboot the system
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

AV Detection:

Found malware configuration
Source: 00000006.00000002.479659636.0000000000B20000.00000004.00000001.sdmp Malware Configuration Extractor: FormBook {"C2 list": ["www.alberthospice.com/sh2m/"], "decoy": ["ladorreguita.com", "starflexacademy.com", "aumhouseholds.com", "ylcht.info", "skill-seminar.com", "insurancedowntown.com", "baliholisticacademy.com", "andrealuz.com", "choicecarloans.com", "ezonkorea.com", "charteroaktech.com", "acpcomponents.com", "portugalthecoder.com", "ipoolhub.com", "webfwrd.com", "swiggy.company", "covidproofevents.com", "jianhufeiyang.space", "oohvd-amai.xyz", "directprnews.com", "kfrx-assuv.xyz", "take-me-bergen.com", "audiosech.club", "infinitytradingapp.com", "pujajaiswal.com", "slateradvertising.com", "tensefit.com", "beyou.fitness", "maybowser.com", "thenewrepublican.net", "kenms.com", "rjpadvisors.com", "pridebiking.com", "99kweeclub.com", "wakarasu.com", "millabg.com", "beenovus.com", "gregcasarsocialist.com", "rentmystuff.info", "adultvideolife.xyz", "ytjee4x6zm9wg.net", "dbsjsa.net", "ziduh.com", "track-website.website", "societalfusion.com", "in-homenannies.com", "sudhakarfurniture.com", "services-nz.com", "obi4ex.com", "geniepinie.com", "dilossearticle.com", "changecamps.com", "meganfantastic.com", "jaisl11.com", "sciencebasedmasks.com", "candydulce.com", "tetra-oil.com", "mkpricephoto.com", "hayvankayit.com", "ellasween.com", "gracelandofkrotzsprings.com", "dndemystified.com", "blinbins.com", "lolasvibe.com"]}
Multi AV Scanner detection for submitted file
Source: KY4cmAI0jU.exe Virustotal: Detection: 34% Perma Link
Source: KY4cmAI0jU.exe Metadefender: Detection: 17% Perma Link
Source: KY4cmAI0jU.exe ReversingLabs: Detection: 41%
Yara detected FormBook
Source: Yara match File source: 00000006.00000002.479659636.0000000000B20000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.266058058.00000000009E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.218657751.0000000002170000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.477991027.0000000000560000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.265737304.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.266028847.00000000009B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.479612487.0000000000AF0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000001.216588771.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0.2.KY4cmAI0jU.exe.2170000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.1.KY4cmAI0jU.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.KY4cmAI0jU.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.KY4cmAI0jU.exe.2170000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.KY4cmAI0jU.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.1.KY4cmAI0jU.exe.400000.0.raw.unpack, type: UNPACKEDPE
Machine Learning detection for sample
Source: KY4cmAI0jU.exe Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 6.2.help.exe.3407960.5.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 0.2.KY4cmAI0jU.exe.2170000.3.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 1.1.KY4cmAI0jU.exe.400000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 1.2.KY4cmAI0jU.exe.400000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 6.2.help.exe.9fd7e8.1.unpack Avira: Label: TR/Patched.Ren.Gen

Compliance:

Uses 32bit PE files
Source: KY4cmAI0jU.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: Binary string: wntdll.pdbUGP source: KY4cmAI0jU.exe, 00000000.00000003.213745090.00000000099C0000.00000004.00000001.sdmp, KY4cmAI0jU.exe, 00000001.00000002.266159838.0000000000AA0000.00000040.00000001.sdmp, help.exe, 00000006.00000002.481376973.0000000002FEF000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: KY4cmAI0jU.exe, help.exe
Source: Binary string: help.pdbGCTL source: KY4cmAI0jU.exe, 00000001.00000002.266136705.0000000000A40000.00000040.00000001.sdmp
Source: Binary string: help.pdb source: KY4cmAI0jU.exe, 00000001.00000002.266136705.0000000000A40000.00000040.00000001.sdmp
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 0_2_00405E61 FindFirstFileA,FindClose, 0_2_00405E61
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 0_2_0040548B CloseHandle,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA, 0_2_0040548B
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 0_2_0040263E FindFirstFileA, 0_2_0040263E

Software Vulnerabilities:

Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 4x nop then pop ebx 1_2_00406A9A
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 4x nop then pop edi 1_2_00415659
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 4x nop then pop edi 1_2_00415671
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 4x nop then pop ebx 1_1_00406A9A
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 4x nop then pop edi 1_1_00415659
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 4x nop then pop edi 1_1_00415671
Source: C:\Windows\SysWOW64\help.exe Code function: 4x nop then pop ebx 6_2_00566A9B
Source: C:\Windows\SysWOW64\help.exe Code function: 4x nop then pop edi 6_2_00575659
Source: C:\Windows\SysWOW64\help.exe Code function: 4x nop then pop edi 6_2_00575671

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49730 -> 172.67.206.33:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49730 -> 172.67.206.33:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49730 -> 172.67.206.33:80
Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49738 -> 104.21.89.72:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49738 -> 104.21.89.72:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49738 -> 104.21.89.72:80
Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49742 -> 3.34.12.41:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49742 -> 3.34.12.41:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49742 -> 3.34.12.41:80
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: www.alberthospice.com/sh2m/
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /sh2m/?i0=Y4nA7D8ZanudJV/n7ckHSBWOhW22WEJR/asQiGNTmjaNDyrYZ8Q/zKqiBMBjk5weHegN&4huxZr=02MtK8MPsR3L HTTP/1.1 | Host: www.take-me-bergen.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic HTTP traffic detected: GET /sh2m/?i0=CQ6AMTNmXrT6GsHyvLqygrxreupfdtmN+4T1XtvAXMgditzRj6Y1Xuw537ryrSqhWitY&4huxZr=02MtK8MPsR3L HTTP/1.1 | Host: www.starflexacademy.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic HTTP traffic detected: GET /sh2m/?i0=AN9Dli3eSwBxhLN7Z92H8FzDOGpUzm7G3BkkvfgYwC6zoN6kwH9F+lw53Jt7Bui6OWXD&4huxZr=02MtK8MPsR3L HTTP/1.1 | Host: www.ladorreguita.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic HTTP traffic detected: GET /sh2m/?i0=Qqwfsv61LD8gOSv2HQNs13/ILT3hkPAGuV1QQZOHa/kG/rdN/rA5QVkGcwq5olxFBDS9&4huxZr=02MtK8MPsR3L HTTP/1.1 | Host: www.candydulce.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic HTTP traffic detected: GET /sh2m/?i0=c9aUCvLa9Ql2a6xFKe5xJWdXulTfAnmJmW0relGKzVi+CMwVFA49Zy8Fshmf8yObHaZC&4huxZr=02MtK8MPsR3L HTTP/1.1 | Host: www.insurancedowntown.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic HTTP traffic detected: GET /sh2m/?i0=UiVwUNrNLQfwtohPmVYH70t5lUixURpqlrLqHTUDsyREBVD/9Tpqi3FDGPs9lJ3zNa3b&4huxZr=02MtK8MPsR3L HTTP/1.1 | Host: www.ezonkorea.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic HTTP traffic detected: GET /sh2m/?i0=e+6U2v/464/49Vrt/4yGVwpDKMjmMUzpCV508o5/z2Kz7+x90JHivdh29zvGxsTtrzAO&4huxZr=02MtK8MPsR3L HTTP/1.1 | Host: www.dndemystified.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic HTTP traffic detected: GET /sh2m/?i0=uHvpiI6aXo2y2Po+6svR0qIfr0jRx6IK9412etvelJearRBAFXnPloN9l4KAKLF+tazG&4huxZr=02MtK8MPsR3L HTTP/1.1 | Host: www.meganfantastic.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 3.143.65.214
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: CLOUDFLARENETUS
Source: Joe Sandbox View ASN Name: CLOUDFLARENETUS
Source: Joe Sandbox View ASN Name: AS-26496-GO-DADDY-COM-LLCUS
Source: unknown DNS traffic detected: queries for: www.take-me-bergen.com
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Fri, 11 Jun 2021 07:03:07 GMT | Content-Type: text/html | Content-Length: 153 | Connection: close | Server: nginx/1.16.1 | Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 36 2e 31 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a | Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.16.1</center></body></html>
Source: explorer.exe, 00000002.00000000.235645842.0000000008907000.00000004.00000001.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: explorer.exe, 00000002.00000000.235828489.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://fontfabrik.com
Source: KY4cmAI0jU.exe String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: KY4cmAI0jU.exe String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: explorer.exe, 00000002.00000000.235828489.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000002.00000000.235828489.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 00000002.00000000.235828489.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000002.00000000.235828489.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 00000002.00000000.235828489.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 00000002.00000000.235828489.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 00000002.00000000.235828489.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: explorer.exe, 00000002.00000000.235828489.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 00000002.00000000.235828489.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 00000002.00000000.235828489.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 00000002.00000000.235828489.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 00000002.00000000.235828489.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 00000002.00000000.235828489.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 00000002.00000000.235828489.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 00000002.00000000.235828489.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 00000002.00000000.235828489.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 00000002.00000000.235828489.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 00000002.00000000.235828489.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 00000002.00000000.235828489.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 00000002.00000000.235828489.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 00000002.00000000.235828489.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000002.00000000.235828489.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 00000002.00000000.235828489.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 00000002.00000000.235828489.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 00000002.00000000.235828489.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.zhongyicts.com.cn
Source: help.exe, 00000006.00000002.482952749.0000000003582000.00000004.00000001.sdmp String found in binary or memory: https://fonts.googleapis.com/css?family=Open
Source: help.exe, 00000006.00000002.482952749.0000000003582000.00000004.00000001.sdmp String found in binary or memory: https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/css/bootstrap.min.css
Source: help.exe, 00000006.00000002.482952749.0000000003582000.00000004.00000001.sdmp String found in binary or memory: https://www.google-analytics.com/analytics.js

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality to read data from the clipboard
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 0_2_00405042 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard, 0_2_00405042

E-Banking Fraud:

Yara detected FormBook (same Yara matches as listed under AV Detection)

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000006.00000002.479659636.0000000000B20000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000002.479659636.0000000000B20000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.266058058.00000000009E0000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.266058058.00000000009E0000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.218657751.0000000002170000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.218657751.0000000002170000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000002.477991027.0000000000560000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000002.477991027.0000000000560000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.265737304.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.265737304.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.266028847.00000000009B0000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.266028847.00000000009B0000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000002.479612487.0000000000AF0000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000002.479612487.0000000000AF0000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000001.216588771.0000000000400000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000001.216588771.0000000000400000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.KY4cmAI0jU.exe.2170000.3.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.KY4cmAI0jU.exe.2170000.3.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.1.KY4cmAI0jU.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.1.KY4cmAI0jU.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.2.KY4cmAI0jU.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.KY4cmAI0jU.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.KY4cmAI0jU.exe.2170000.3.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.KY4cmAI0jU.exe.2170000.3.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.2.KY4cmAI0jU.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.KY4cmAI0jU.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.1.KY4cmAI0jU.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.1.KY4cmAI0jU.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Contains functionality to call native functions
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_004181D0 NtCreateFile, 1_2_004181D0
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00418280 NtReadFile, 1_2_00418280
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00418300 NtClose, 1_2_00418300
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_004183B0 NtAllocateVirtualMemory, 1_2_004183B0
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_0041827B NtCreateFile, 1_2_0041827B
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_004182FD NtClose, 1_2_004182FD
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_004183AB NtAllocateVirtualMemory, 1_2_004183AB
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00B098F0 NtReadVirtualMemory,LdrInitializeThunk, 1_2_00B098F0
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00B09860 NtQuerySystemInformation,LdrInitializeThunk, 1_2_00B09860
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00B09840 NtDelayExecution,LdrInitializeThunk, 1_2_00B09840
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00B099A0 NtCreateSection,LdrInitializeThunk, 1_2_00B099A0
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00B09910 NtAdjustPrivilegesToken,LdrInitializeThunk, 1_2_00B09910
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00B09A20 NtResumeThread,LdrInitializeThunk, 1_2_00B09A20
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00B09A00 NtProtectVirtualMemory,LdrInitializeThunk, 1_2_00B09A00
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00B09A50 NtCreateFile,LdrInitializeThunk, 1_2_00B09A50
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00B095D0 NtClose,LdrInitializeThunk, 1_2_00B095D0
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00B09540 NtReadFile,LdrInitializeThunk, 1_2_00B09540
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00B096E0 NtFreeVirtualMemory,LdrInitializeThunk, 1_2_00B096E0
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00B09660 NtAllocateVirtualMemory,LdrInitializeThunk, 1_2_00B09660
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00B097A0 NtUnmapViewOfSection,LdrInitializeThunk, 1_2_00B097A0
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00B09780 NtMapViewOfSection,LdrInitializeThunk, 1_2_00B09780
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00B09FE0 NtCreateMutant,LdrInitializeThunk, 1_2_00B09FE0
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00B09710 NtQueryInformationToken,LdrInitializeThunk, 1_2_00B09710
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00B098A0 NtWriteVirtualMemory, 1_2_00B098A0
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00B09820 NtEnumerateKey, 1_2_00B09820
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00B0B040 NtSuspendThread, 1_2_00B0B040
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00B099D0 NtCreateProcessEx, 1_2_00B099D0
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00B09950 NtQueueApcThread, 1_2_00B09950
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00B09A80 NtOpenDirectoryObject, 1_2_00B09A80
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00B09A10 NtQuerySection, 1_2_00B09A10
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00B0A3B0 NtGetContextThread, 1_2_00B0A3B0
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00B09B00 NtSetValueKey, 1_2_00B09B00
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00B095F0 NtQueryInformationFile, 1_2_00B095F0
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00B0AD30 NtSetContextThread, 1_2_00B0AD30
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00B09520 NtWaitForSingleObject, 1_2_00B09520
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00B09560 NtWriteFile, 1_2_00B09560
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00B096D0 NtCreateKey, 1_2_00B096D0
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00B09610 NtEnumerateValueKey, 1_2_00B09610
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00B09670 NtQueryInformationProcess, 1_2_00B09670
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00B09650 NtQueryValueKey, 1_2_00B09650
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00B09730 NtQueryVirtualMemory, 1_2_00B09730
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00B0A710 NtOpenProcessToken, 1_2_00B0A710
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00B09770 NtSetInformationFile, 1_2_00B09770
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00B0A770 NtOpenThread, 1_2_00B0A770
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00B09760 NtOpenProcess, 1_2_00B09760
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_1_004181D0 NtCreateFile, 1_1_004181D0
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_1_00418280 NtReadFile, 1_1_00418280
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_1_00418300 NtClose, 1_1_00418300
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_1_004183B0 NtAllocateVirtualMemory, 1_1_004183B0
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_1_0041827B NtCreateFile, 1_1_0041827B
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_1_004182FD NtClose, 1_1_004182FD
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_1_004183AB NtAllocateVirtualMemory, 1_1_004183AB
Source: C:\Windows\SysWOW64\help.exe Code function: 6_2_02F39A50 NtCreateFile,LdrInitializeThunk, 6_2_02F39A50
Source: C:\Windows\SysWOW64\help.exe Code function: 6_2_02F39860 NtQuerySystemInformation,LdrInitializeThunk, 6_2_02F39860
Source: C:\Windows\SysWOW64\help.exe Code function: 6_2_02F39840 NtDelayExecution,LdrInitializeThunk, 6_2_02F39840
Source: C:\Windows\SysWOW64\help.exe Code function: 6_2_02F399A0 NtCreateSection,LdrInitializeThunk, 6_2_02F399A0
Source: C:\Windows\SysWOW64\help.exe Code function: 6_2_02F39910 NtAdjustPrivilegesToken,LdrInitializeThunk, 6_2_02F39910
Source: C:\Windows\SysWOW64\help.exe Code function: 6_2_02F396E0 NtFreeVirtualMemory,LdrInitializeThunk, 6_2_02F396E0
Source: C:\Windows\SysWOW64\help.exe Code function: 6_2_02F396D0 NtCreateKey,LdrInitializeThunk, 6_2_02F396D0
Source: C:\Windows\SysWOW64\help.exe Code function: 6_2_02F39660 NtAllocateVirtualMemory,LdrInitializeThunk, 6_2_02F39660
Source: C:\Windows\SysWOW64\help.exe Code function: 6_2_02F39650 NtQueryValueKey,LdrInitializeThunk, 6_2_02F39650
Source: C:\Windows\SysWOW64\help.exe Code function: 6_2_02F39FE0 NtCreateMutant,LdrInitializeThunk, 6_2_02F39FE0
Source: C:\Windows\SysWOW64\help.exe Code function: 6_2_02F39780 NtMapViewOfSection,LdrInitializeThunk, 6_2_02F39780
Source: C:\Windows\SysWOW64\help.exe Code function: 6_2_02F39710 NtQueryInformationToken,LdrInitializeThunk, 6_2_02F39710
Source: C:\Windows\SysWOW64\help.exe Code function: 6_2_02F395D0 NtClose,LdrInitializeThunk, 6_2_02F395D0
Source: C:\Windows\SysWOW64\help.exe Code function: 6_2_02F39540 NtReadFile,LdrInitializeThunk, 6_2_02F39540
Source: C:\Windows\SysWOW64\help.exe Code function: 6_2_02F39A80 NtOpenDirectoryObject, 6_2_02F39A80
Source: C:\Windows\SysWOW64\help.exe Code function: 6_2_02F39A20 NtResumeThread, 6_2_02F39A20
Source: C:\Windows\SysWOW64\help.exe Code function: 6_2_02F39A10 NtQuerySection, 6_2_02F39A10
Source: C:\Windows\SysWOW64\help.exe Code function: 6_2_02F39A00 NtProtectVirtualMemory, 6_2_02F39A00
Source: C:\Windows\SysWOW64\help.exe Code function: 6_2_02F3A3B0 NtGetContextThread, 6_2_02F3A3B0
Source: C:\Windows\SysWOW64\help.exe Code function: 6_2_02F39B00 NtSetValueKey, 6_2_02F39B00
Source: C:\Windows\SysWOW64\help.exe Code function: 6_2_02F398F0 NtReadVirtualMemory, 6_2_02F398F0
Source: C:\Windows\SysWOW64\help.exe Code function: 6_2_02F398A0 NtWriteVirtualMemory, 6_2_02F398A0
Source: C:\Windows\SysWOW64\help.exe Code function: 6_2_02F3B040 NtSuspendThread, 6_2_02F3B040
Source: C:\Windows\SysWOW64\help.exe Code function: 6_2_02F39820 NtEnumerateKey, 6_2_02F39820
Source: C:\Windows\SysWOW64\help.exe Code function: 6_2_02F399D0 NtCreateProcessEx, 6_2_02F399D0
Source: C:\Windows\SysWOW64\help.exe Code function: 6_2_02F39950 NtQueueApcThread, 6_2_02F39950
Source: C:\Windows\SysWOW64\help.exe Code function: 6_2_02F39670 NtQueryInformationProcess, 6_2_02F39670
Source: C:\Windows\SysWOW64\help.exe Code function: 6_2_02F39610 NtEnumerateValueKey, 6_2_02F39610
Source: C:\Windows\SysWOW64\help.exe Code function: 6_2_02F397A0 NtUnmapViewOfSection, 6_2_02F397A0
Source: C:\Windows\SysWOW64\help.exe Code function: 6_2_02F3A770 NtOpenThread, 6_2_02F3A770
Source: C:\Windows\SysWOW64\help.exe Code function: 6_2_02F39770 NtSetInformationFile, 6_2_02F39770
Source: C:\Windows\SysWOW64\help.exe Code function: 6_2_02F39760 NtOpenProcess, 6_2_02F39760
Source: C:\Windows\SysWOW64\help.exe Code function: 6_2_02F39730 NtQueryVirtualMemory, 6_2_02F39730
Source: C:\Windows\SysWOW64\help.exe Code function: 6_2_02F3A710 NtOpenProcessToken, 6_2_02F3A710
Source: C:\Windows\SysWOW64\help.exe Code function: 6_2_02F395F0 NtQueryInformationFile, 6_2_02F395F0
Source: C:\Windows\SysWOW64\help.exe Code function: 6_2_02F39560 NtWriteFile, 6_2_02F39560
Source: C:\Windows\SysWOW64\help.exe Code function: 6_2_02F3AD30 NtSetContextThread, 6_2_02F3AD30
Source: C:\Windows\SysWOW64\help.exe Code function: 6_2_02F39520 NtWaitForSingleObject, 6_2_02F39520
Source: C:\Windows\SysWOW64\help.exe Code function: 6_2_005781D0 NtCreateFile, 6_2_005781D0
Source: C:\Windows\SysWOW64\help.exe Code function: 6_2_00578280 NtReadFile, 6_2_00578280
Source: C:\Windows\SysWOW64\help.exe Code function: 6_2_00578300 NtClose, 6_2_00578300
Source: C:\Windows\SysWOW64\help.exe Code function: 6_2_005783B0 NtAllocateVirtualMemory, 6_2_005783B0
Source: C:\Windows\SysWOW64\help.exe Code function: 6_2_0057827B NtCreateFile, 6_2_0057827B
Source: C:\Windows\SysWOW64\help.exe Code function: 6_2_005782FD NtClose, 6_2_005782FD
Source: C:\Windows\SysWOW64\help.exe Code function: 6_2_005783AB NtAllocateVirtualMemory, 6_2_005783AB
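The native-API list above is raw data; what a practitioner wants from it is whether the Nt* calls reachable from a process form a complete injection chain (create a target process, unmap its image, write the payload, redirect a thread with NtSetContextThread or NtQueueApcThread, resume it). The script below is an added example, not part of the report or of any sandbox tooling: it parses "Code function" lines in the format used above and scores each process against that chain. The embedded input is a constructed excerpt of the lines above, and the step names and the API-to-step mapping are the example's own assumptions.

```python
import re
from collections import defaultdict

# Constructed input: an excerpt of the "Code function" lines above, embedded so the
# script runs offline. Any real report section can be pasted in instead.
REPORT_LINES = r"""
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00B0B040 NtSuspendThread, 1_2_00B0B040
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00B099D0 NtCreateProcessEx, 1_2_00B099D0
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00B09950 NtQueueApcThread, 1_2_00B09950
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00B0AD30 NtSetContextThread, 1_2_00B0AD30
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_1_004183B0 NtAllocateVirtualMemory, 1_1_004183B0
Source: C:\Windows\SysWOW64\help.exe Code function: 6_2_02F39A50 NtCreateFile,LdrInitializeThunk, 6_2_02F39A50
Source: C:\Windows\SysWOW64\help.exe Code function: 6_2_02F399A0 NtCreateSection,LdrInitializeThunk, 6_2_02F399A0
Source: C:\Windows\SysWOW64\help.exe Code function: 6_2_02F39780 NtMapViewOfSection,LdrInitializeThunk, 6_2_02F39780
Source: C:\Windows\SysWOW64\help.exe Code function: 6_2_02F39A20 NtResumeThread, 6_2_02F39A20
Source: C:\Windows\SysWOW64\help.exe Code function: 6_2_02F398A0 NtWriteVirtualMemory, 6_2_02F398A0
Source: C:\Windows\SysWOW64\help.exe Code function: 6_2_02F399D0 NtCreateProcessEx, 6_2_02F399D0
Source: C:\Windows\SysWOW64\help.exe Code function: 6_2_02F39950 NtQueueApcThread, 6_2_02F39950
Source: C:\Windows\SysWOW64\help.exe Code function: 6_2_02F397A0 NtUnmapViewOfSection, 6_2_02F397A0
Source: C:\Windows\SysWOW64\help.exe Code function: 6_2_02F3AD30 NtSetContextThread, 6_2_02F3AD30
"""

LINE_RE = re.compile(
    r"^Source: (?P<image>\S+) Code function: "
    r"(?P<pid>\d+)_(?P<stage>\d+)_(?P<addr>[0-9A-Fa-f]+) "
    r"(?P<apis>[\w,]+) \d+_\d+_[0-9A-Fa-f]+$"
)

# Process-hollowing chain, one row per step; any API in the set satisfies the step.
# The step names and the API-to-step mapping are this example's assumptions.
HOLLOWING_STEPS = [
    ("create target process", {"NtCreateProcessEx", "NtCreateUserProcess"}),
    ("unmap original image", {"NtUnmapViewOfSection"}),
    ("write payload", {"NtWriteVirtualMemory", "NtMapViewOfSection"}),
    ("redirect execution", {"NtSetContextThread", "NtQueueApcThread"}),
    ("resume thread", {"NtResumeThread"}),
]


def parse_code_functions(text):
    """Yield (image basename, pid, address, [api, ...]) for every 'Code function' line."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        apis = [a for a in m["apis"].split(",") if a]
        yield m["image"].rsplit("\\", 1)[-1], m["pid"], int(m["addr"], 16), apis


def apis_per_process(text):
    """Collapse the records to {(pid, image): set of API names}; stages 1_1/1_2 merge."""
    seen = defaultdict(set)
    for image, pid, _addr, apis in parse_code_functions(text):
        seen[(pid, image)].update(apis)
    return seen


def hollowing_coverage(api_names):
    """Return (matched steps, missing steps) for the chain in HOLLOWING_STEPS."""
    matched, missing = [], []
    for step, candidates in HOLLOWING_STEPS:
        (matched if api_names & candidates else missing).append(step)
    return matched, missing


def injection_report(text):
    """Per process: the APIs seen, which chain steps they cover, and whether the chain is complete."""
    out = {}
    for key, apis in apis_per_process(text).items():
        matched, missing = hollowing_coverage(apis)
        out[key] = {"apis": sorted(apis), "matched": matched, "missing": missing,
                    "complete_chain": not missing}
    return out


if __name__ == "__main__":
    for (pid, image), r in sorted(injection_report(REPORT_LINES).items()):
        print(f"pid {pid} {image}: complete={r['complete_chain']} missing={r['missing']}")
```

Stub presence is a static hint, not proof: a process reaches these functions through a mapped copy of ntdll, and the 0x02F3xxxx addresses in help.exe lie in a region where the report also finds the wntdll.pdb path string, which is consistent with a privately mapped ntdll used to issue syscalls without going through the loader's hooked copy. The behavioural signatures (suspended process creation, thread context changes in another process, queued APCs) are what confirm the chain actually ran.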
Contains functionality to shutdown / reboot the system
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 0_2_0040323C EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcmpiA,CreateDirectoryA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess, 0_2_0040323C
Detected potential crypto function
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 0_2_00404853 0_2_00404853
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 0_2_00406131 0_2_00406131
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 0_2_73751A98 0_2_73751A98
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_0041C87B 1_2_0041C87B
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00401030 1_2_00401030
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00401174 1_2_00401174
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_0041BA9A 1_2_0041BA9A
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00408C6B 1_2_00408C6B
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00408C70 1_2_00408C70
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_0041CC9C 1_2_0041CC9C
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_0041C548 1_2_0041C548
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_0041BDD4 1_2_0041BDD4
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00402D87 1_2_00402D87
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00402D90 1_2_00402D90
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_0041C7AF 1_2_0041C7AF
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00402FB0 1_2_00402FB0
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00AF20A0 1_2_00AF20A0
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00B920A8 1_2_00B920A8
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00ADB090 1_2_00ADB090
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00B928EC 1_2_00B928EC
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00B9E824 1_2_00B9E824
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00AEA830 1_2_00AEA830
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00B81002 1_2_00B81002
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00AE99BF 1_2_00AE99BF
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00AE4120 1_2_00AE4120
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00ACF900 1_2_00ACF900
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00B922AE 1_2_00B922AE
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00B84AEF 1_2_00B84AEF
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00AEB236 1_2_00AEB236
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00B7FA2B 1_2_00B7FA2B
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00AFEBB0 1_2_00AFEBB0
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00AF138B 1_2_00AF138B
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00B723E3 1_2_00B723E3
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00B803DA 1_2_00B803DA
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00B8DBD2 1_2_00B8DBD2
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00AFABD8 1_2_00AFABD8
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00B92B28 1_2_00B92B28
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00AEA309 1_2_00AEA309
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00AEAB40 1_2_00AEAB40
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00B6CB4F 1_2_00B6CB4F
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00B84496 1_2_00B84496
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00AD841F 1_2_00AD841F
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00AEB477 1_2_00AEB477
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00B8D466 1_2_00B8D466
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00AF2581 1_2_00AF2581
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00B82D82 1_2_00B82D82
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00ADD5E0 1_2_00ADD5E0
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00B925DD 1_2_00B925DD
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00AC0D20 1_2_00AC0D20
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00B92D07 1_2_00B92D07
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00B91D55 1_2_00B91D55
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00B92EF7 1_2_00B92EF7
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00AE6E30 1_2_00AE6E30
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00B8D616 1_2_00B8D616
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00B91FF1 1_2_00B91FF1
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00B9DFCE 1_2_00B9DFCE
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_1_0041C87B 1_1_0041C87B
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_1_00401030 1_1_00401030
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_1_00401174 1_1_00401174
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_1_0041BA9A 1_1_0041BA9A
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_1_00408C6B 1_1_00408C6B
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_1_00408C70 1_1_00408C70
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_1_0041CC9C 1_1_0041CC9C
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_1_0041C548 1_1_0041C548
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_1_0041BDD4 1_1_0041BDD4
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_1_00402D87 1_1_00402D87
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_1_00402D90 1_1_00402D90
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_1_0041C7AF 1_1_0041C7AF
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_1_00402FB0 1_1_00402FB0
Source: C:\Windows\SysWOW64\help.exe Code function: 6_2_02FB4AEF 6_2_02FB4AEF
Source: C:\Windows\SysWOW64\help.exe Code function: 6_2_02FC22AE 6_2_02FC22AE
Source: C:\Windows\SysWOW64\help.exe Code function: 6_2_02F1B236 6_2_02F1B236
Source: C:\Windows\SysWOW64\help.exe Code function: 6_2_02FAFA2B 6_2_02FAFA2B
Source: C:\Windows\SysWOW64\help.exe Code function: 6_2_02FA23E3 6_2_02FA23E3
Source: C:\Windows\SysWOW64\help.exe Code function: 6_2_02FB03DA 6_2_02FB03DA
Source: C:\Windows\SysWOW64\help.exe Code function: 6_2_02FBDBD2 6_2_02FBDBD2
Source: C:\Windows\SysWOW64\help.exe Code function: 6_2_02F2ABD8 6_2_02F2ABD8
Source: C:\Windows\SysWOW64\help.exe Code function: 6_2_02F2EBB0 6_2_02F2EBB0
Source: C:\Windows\SysWOW64\help.exe Code function: 6_2_02F1EB9A 6_2_02F1EB9A
Source: C:\Windows\SysWOW64\help.exe Code function: 6_2_02F2138B 6_2_02F2138B
Source: C:\Windows\SysWOW64\help.exe Code function: 6_2_02F1AB40 6_2_02F1AB40
Source: C:\Windows\SysWOW64\help.exe Code function: 6_2_02F9CB4F 6_2_02F9CB4F
Source: C:\Windows\SysWOW64\help.exe Code function: 6_2_02FC2B28 6_2_02FC2B28
Source: C:\Windows\SysWOW64\help.exe Code function: 6_2_02F1A309 6_2_02F1A309
Source: C:\Windows\SysWOW64\help.exe Code function: 6_2_02FC28EC 6_2_02FC28EC
Source: C:\Windows\SysWOW64\help.exe Code function: 6_2_02F220A0 6_2_02F220A0
Source: C:\Windows\SysWOW64\help.exe Code function: 6_2_02FC20A8 6_2_02FC20A8
Source: C:\Windows\SysWOW64\help.exe Code function: 6_2_02F0B090 6_2_02F0B090
Source: C:\Windows\SysWOW64\help.exe Code function: 6_2_02F1A830 6_2_02F1A830
Source: C:\Windows\SysWOW64\help.exe Code function: 6_2_02FCE824 6_2_02FCE824
Source: C:\Windows\SysWOW64\help.exe Code function: 6_2_02FB1002 6_2_02FB1002
Source: C:\Windows\SysWOW64\help.exe Code function: 6_2_02F199BF 6_2_02F199BF
Source: C:\Windows\SysWOW64\help.exe Code function: 6_2_02F14120 6_2_02F14120
Source: C:\Windows\SysWOW64\help.exe Code function: 6_2_02EFF900 6_2_02EFF900
Source: C:\Windows\SysWOW64\help.exe Code function: 6_2_02FC2EF7 6_2_02FC2EF7
Source: C:\Windows\SysWOW64\help.exe Code function: 6_2_02FA1EB6 6_2_02FA1EB6
Source: C:\Windows\SysWOW64\help.exe Code function: 6_2_02F16E30 6_2_02F16E30
Source: C:\Windows\SysWOW64\help.exe Code function: 6_2_02FBD616 6_2_02FBD616
Source: C:\Windows\SysWOW64\help.exe Code function: 6_2_02F15600 6_2_02F15600
Source: C:\Windows\SysWOW64\help.exe Code function: 6_2_02FC1FF1 6_2_02FC1FF1
Source: C:\Windows\SysWOW64\help.exe Code function: 6_2_02FCDFCE 6_2_02FCDFCE
Source: C:\Windows\SysWOW64\help.exe Code function: 6_2_02FB4496 6_2_02FB4496
Source: C:\Windows\SysWOW64\help.exe Code function: 6_2_02F1B477 6_2_02F1B477
Source: C:\Windows\SysWOW64\help.exe Code function: 6_2_02FBD466 6_2_02FBD466
Source: C:\Windows\SysWOW64\help.exe Code function: 6_2_02F0841F 6_2_02F0841F
Source: C:\Windows\SysWOW64\help.exe Code function: 6_2_02F0D5E0 6_2_02F0D5E0
Source: C:\Windows\SysWOW64\help.exe Code function: 6_2_02FC25DD 6_2_02FC25DD
Source: C:\Windows\SysWOW64\help.exe Code function: 6_2_02F22581 6_2_02F22581
Source: C:\Windows\SysWOW64\help.exe Code function: 6_2_02FB2D82 6_2_02FB2D82
Source: C:\Windows\SysWOW64\help.exe Code function: 6_2_02FC1D55 6_2_02FC1D55
Source: C:\Windows\SysWOW64\help.exe Code function: 6_2_02EF0D20 6_2_02EF0D20
Source: C:\Windows\SysWOW64\help.exe Code function: 6_2_02FC2D07 6_2_02FC2D07
Source: C:\Windows\SysWOW64\help.exe Code function: 6_2_0057C87B 6_2_0057C87B
Source: C:\Windows\SysWOW64\help.exe Code function: 6_2_00568C70 6_2_00568C70
Source: C:\Windows\SysWOW64\help.exe Code function: 6_2_00568C6B 6_2_00568C6B
Source: C:\Windows\SysWOW64\help.exe Code function: 6_2_0057CC9C 6_2_0057CC9C
Source: C:\Windows\SysWOW64\help.exe Code function: 6_2_0057C548 6_2_0057C548
Source: C:\Windows\SysWOW64\help.exe Code function: 6_2_00562D90 6_2_00562D90
Source: C:\Windows\SysWOW64\help.exe Code function: 6_2_00562D87 6_2_00562D87
Source: C:\Windows\SysWOW64\help.exe Code function: 6_2_00562FB0 6_2_00562FB0
Source: C:\Windows\SysWOW64\help.exe Code function: 6_2_0057C7AF 6_2_0057C7AF
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: String function: 00419F80 appears 40 times
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: String function: 00ACB150 appears 136 times
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: String function: 0041A0B0 appears 38 times
Source: C:\Windows\SysWOW64\help.exe Code function: String function: 02EFB150 appears 145 times
Sample file is different than original file name gathered from version info
Source: KY4cmAI0jU.exe, 00000000.00000003.213687683.0000000009946000.00000004.00000001.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs KY4cmAI0jU.exe
Source: KY4cmAI0jU.exe, 00000001.00000002.266447217.0000000000D4F000.00000040.00000001.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs KY4cmAI0jU.exe
Source: KY4cmAI0jU.exe, 00000001.00000002.266145503.0000000000A44000.00000040.00000001.sdmp Binary or memory string: OriginalFilenameHelp.Exej% vs KY4cmAI0jU.exe
Uses 32bit PE files
Source: KY4cmAI0jU.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Yara signature match
Two rules matched. Their metadata is shown once; every source listed below matched both rules.
Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000002.479659636.0000000000B20000.00000004.00000001.sdmp, type: MEMORY
Source: 00000001.00000002.266058058.00000000009E0000.00000040.00000001.sdmp, type: MEMORY
Source: 00000000.00000002.218657751.0000000002170000.00000004.00000001.sdmp, type: MEMORY
Source: 00000006.00000002.477991027.0000000000560000.00000040.00000001.sdmp, type: MEMORY
Source: 00000001.00000002.265737304.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: 00000001.00000002.266028847.00000000009B0000.00000040.00000001.sdmp, type: MEMORY
Source: 00000006.00000002.479612487.0000000000AF0000.00000040.00000001.sdmp, type: MEMORY
Source: 00000001.00000001.216588771.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: 0.2.KY4cmAI0jU.exe.2170000.3.unpack, type: UNPACKEDPE
Source: 1.1.KY4cmAI0jU.exe.400000.0.unpack, type: UNPACKEDPE
Source: 1.2.KY4cmAI0jU.exe.400000.0.unpack, type: UNPACKEDPE
Source: 0.2.KY4cmAI0jU.exe.2170000.3.raw.unpack, type: UNPACKEDPE
Source: 1.2.KY4cmAI0jU.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: 1.1.KY4cmAI0jU.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: classification engine Classification label: mal100.troj.evad.winEXE@7/4@13/8
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 0_2_00404356 GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA, 0_2_00404356
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 0_2_00402020 CoCreateInstance,MultiByteToWideChar, 0_2_00402020
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6060:120:WilError_01
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe File created: C:\Users\user\AppData\Local\Temp\nssF13E.tmp Jump to behavior
Source: KY4cmAI0jU.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: KY4cmAI0jU.exe Virustotal: Detection: 34%
Source: KY4cmAI0jU.exe Metadefender: Detection: 17%
Source: KY4cmAI0jU.exe ReversingLabs: Detection: 41%
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe File read: C:\Users\user\Desktop\KY4cmAI0jU.exe Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\KY4cmAI0jU.exe 'C:\Users\user\Desktop\KY4cmAI0jU.exe'
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Process created: C:\Users\user\Desktop\KY4cmAI0jU.exe 'C:\Users\user\Desktop\KY4cmAI0jU.exe'
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\help.exe C:\Windows\SysWOW64\help.exe
Source: C:\Windows\SysWOW64\help.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\KY4cmAI0jU.exe'
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Process created: C:\Users\user\Desktop\KY4cmAI0jU.exe 'C:\Users\user\Desktop\KY4cmAI0jU.exe' Jump to behavior
Source: C:\Windows\SysWOW64\help.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\KY4cmAI0jU.exe' Jump to behavior
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32 Jump to behavior
Source: Binary string: wntdll.pdbUGP source: KY4cmAI0jU.exe, 00000000.00000003.213745090.00000000099C0000.00000004.00000001.sdmp, KY4cmAI0jU.exe, 00000001.00000002.266159838.0000000000AA0000.00000040.00000001.sdmp, help.exe, 00000006.00000002.481376973.0000000002FEF000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: KY4cmAI0jU.exe, help.exe
Source: Binary string: help.pdbGCTL source: KY4cmAI0jU.exe, 00000001.00000002.266136705.0000000000A40000.00000040.00000001.sdmp
Source: Binary string: help.pdb source: KY4cmAI0jU.exe, 00000001.00000002.266136705.0000000000A40000.00000040.00000001.sdmp

Data Obfuscation:

Detected unpacking (changes PE section rights)
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Unpacked PE file: 1.2.KY4cmAI0jU.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.ndata:W;.rsrc:R; vs .text:ER;
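The static PE facts scattered through this section (the COFF Characteristics flags under "Uses 32bit PE files", the .text section flags, and the on-disk versus unpacked section-rights comparison directly above) all come from two header structures. The script below is an added example, not the sandbox's code: it builds a constructed header-only PE32 image carrying the five Characteristics flags the report names, parses it back, and diffs the two section-rights strings quoted by the "Detected unpacking" signature. The section layout and per-section flag values are assumptions for the example; only the flag names and the two rights strings are taken from the report.

```python
import struct

# COFF file-header Characteristics bits from the PE/COFF specification.
FILE_FLAGS = {
    0x0001: "RELOCS_STRIPPED",
    0x0002: "EXECUTABLE_IMAGE",
    0x0004: "LINE_NUMS_STRIPPED",
    0x0008: "LOCAL_SYMS_STRIPPED",
    0x0100: "32BIT_MACHINE",
    0x2000: "DLL",
}
# Section-header Characteristics bits.
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_CNT_UNINITIALIZED_DATA = 0x00000080
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000

# Constructed inputs: the five file flags the report names OR-ed together, and an
# assumed NSIS-style section layout. These are not bytes from the real sample.
SAMPLE_FILE_CHARS = 0x0001 | 0x0002 | 0x0004 | 0x0008 | 0x0100
SAMPLE_SECTIONS = [
    (".text", IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
    (".rdata", IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ),
    (".data", IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
    (".ndata", IMAGE_SCN_CNT_UNINITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
    (".rsrc", IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ),
]
# The two section-rights strings quoted by the "Detected unpacking" signature.
ON_DISK_RIGHTS = ".text:ER;.rdata:R;.data:W;.ndata:W;.rsrc:R;"
UNPACKED_RIGHTS = ".text:ER;"


def decode_file_characteristics(value):
    """Names of the set COFF Characteristics bits, lowest bit first."""
    return [name for bit, name in sorted(FILE_FLAGS.items()) if value & bit]


def section_rights(chars):
    """One letter per set memory flag, in E, R, W order. The report's shorthand
    drops the R on writable sections; this function lists every flag."""
    flags = (("E", IMAGE_SCN_MEM_EXECUTE), ("R", IMAGE_SCN_MEM_READ), ("W", IMAGE_SCN_MEM_WRITE))
    return "".join(letter for letter, bit in flags if chars & bit)


def build_minimal_pe(file_chars, sections):
    """Header-only PE32 image built from scratch for this example; it parses
    correctly but is not a loadable executable."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                  # e_lfanew -> PE signature
    opt = struct.pack("<H", 0x10B) + b"\0" * (0xE0 - 2)      # PE32 magic, rest zeroed
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, len(opt), file_chars)
    table = b"".join(
        struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"),
                    0x1000, 0x1000 * (i + 1), 0, 0, 0, 0, 0, 0, chars)
        for i, (name, chars) in enumerate(sections))
    return bytes(dos) + b"PE\0\0" + coff + opt + table


def parse_pe(buf):
    """Walk DOS header -> PE signature -> COFF header -> section table."""
    if buf[:2] != b"MZ":
        raise ValueError("missing MZ header")
    pe = struct.unpack_from("<I", buf, 0x3C)[0]
    if buf[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    machine, nsec, _ts, _sym, _nsym, opt_size, chars = struct.unpack_from("<HHIIIHH", buf, pe + 4)
    sec_off = pe + 4 + 20 + opt_size                          # section table follows the optional header
    sections = []
    for i in range(nsec):
        name, *_rest, sc = struct.unpack_from("<8sIIIIIIHHI", buf, sec_off + 40 * i)
        sections.append((name.rstrip(b"\0").decode(), section_rights(sc)))
    return {"machine": machine, "characteristics": decode_file_characteristics(chars),
            "sections": sections}


def parse_rights_string(s):
    """'.text:ER;.rdata:R;' -> {'.text': 'ER', '.rdata': 'R'} (the report's notation)."""
    return dict(item.split(":", 1) for item in s.strip().split(";") if item)


def section_rights_diff(on_disk, unpacked):
    """Sections whose rights changed, or that vanished, between the two views."""
    before, after = parse_rights_string(on_disk), parse_rights_string(unpacked)
    return {name: (r, after.get(name)) for name, r in before.items() if after.get(name) != r}


if __name__ == "__main__":
    info = parse_pe(build_minimal_pe(SAMPLE_FILE_CHARS, SAMPLE_SECTIONS))
    print("file flags:", ", ".join(info["characteristics"]))
    print("sections:", ";".join(f"{n}:{r}" for n, r in info["sections"]))
    print("changed or vanished after unpacking:", section_rights_diff(ON_DISK_RIGHTS, UNPACKED_RIGHTS))
```

A section table that collapses from five entries to a single .text:ER entry means the image at the original base was replaced outright rather than decrypted in place, which is the behaviour the hollowing signature and the NtUnmapViewOfSection/NtMapViewOfSection stubs on the native-API list point at. Two caveats when reading these strings: the report writes .data:W for a section whose flags are read plus write, and a stripped-relocations flag (RELOCS_STRIPPED) on an EXE is normal for a fixed-base image and is not on its own an indicator.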
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 0_2_00405E88 GetModuleHandleA,LoadLibraryA,GetProcAddress, 0_2_00405E88
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 0_2_73752F60 push eax; ret 0_2_73752F8E
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_0041C9AD push eax; ret 1_2_0041C9BC
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_0040D291 push ebp; iretd 1_2_0040D296
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_0041B3C5 push eax; ret 1_2_0041B418
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_0040C394 pushad ; ret 1_2_0040C3E3
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_0041B47C push eax; ret 1_2_0041B482
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_0041B412 push eax; ret 1_2_0041B418
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_0041B41B push eax; ret 1_2_0041B482
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00414E45 push ebp; iretd 1_2_00414E48
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_004106D4 push cs; iretd 1_2_004106D7
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00414F4F push ss; ret 1_2_00414F5F
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00B1D0D1 push ecx; ret 1_2_00B1D0E4
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_1_0041C9AD push eax; ret 1_1_0041C9BC
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_1_0040D291 push ebp; iretd 1_1_0040D296
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_1_0041B3C5 push eax; ret 1_1_0041B418
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_1_0040C394 pushad ; ret 1_1_0040C3E3
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_1_0041B47C push eax; ret 1_1_0041B482
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_1_0041B412 push eax; ret 1_1_0041B418
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_1_0041B41B push eax; ret 1_1_0041B482
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_1_00414E45 push ebp; iretd 1_1_00414E48
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_1_004106D4 push cs; iretd 1_1_004106D7
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_1_00414F4F push ss; ret 1_1_00414F5F
Source: C:\Windows\SysWOW64\help.exe Code function: 6_2_02F4D0D1 push ecx; ret 6_2_02F4D0E4
Source: C:\Windows\SysWOW64\help.exe Code function: 6_2_0057C9AD push eax; ret 6_2_0057C9BC
Source: C:\Windows\SysWOW64\help.exe Code function: 6_2_0056D291 push ebp; iretd 6_2_0056D296
Source: C:\Windows\SysWOW64\help.exe Code function: 6_2_0057B3C5 push eax; ret 6_2_0057B418
Source: C:\Windows\SysWOW64\help.exe Code function: 6_2_0056C394 pushad ; ret 6_2_0056C3E3
Source: C:\Windows\SysWOW64\help.exe Code function: 6_2_0057B47C push eax; ret 6_2_0057B482
Source: C:\Windows\SysWOW64\help.exe Code function: 6_2_0057B412 push eax; ret 6_2_0057B418
Source: C:\Windows\SysWOW64\help.exe Code function: 6_2_0057B41B push eax; ret 6_2_0057B482
Source: C:\Windows\SysWOW64\help.exe Code function: 6_2_0057C4F5 push cs; iretd 6_2_0057C4F7

Persistence and Installation Behavior:

Drops PE files
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe File created: C:\Users\user\AppData\Local\Temp\nssF140.tmp\System.dll
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\help.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe RDTSC instruction interceptor: First address: 00000000004085F4 second address: 00000000004085FA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe RDTSC instruction interceptor: First address: 000000000040898E second address: 0000000000408994 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\help.exe RDTSC instruction interceptor: First address: 00000000005685F4 second address: 00000000005685FA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\help.exe RDTSC instruction interceptor: First address: 000000000056898E second address: 0000000000568994 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Contains capabilities to detect virtual machines
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_004088C0 rdtsc 1_2_004088C0
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\explorer.exe TID: 6128 Thread sleep time: -40000s >= -30000s
Source: C:\Windows\SysWOW64\help.exe TID: 5796 Thread sleep time: -48000s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\explorer.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\help.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\help.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 0_2_00405E61 FindFirstFileA,FindClose, 0_2_00405E61
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 0_2_0040548B CloseHandle,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA, 0_2_0040548B
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 0_2_0040263E FindFirstFileA, 0_2_0040263E
Source: explorer.exe, 00000002.00000000.235214151.000000000871F000.00000004.00000001.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: explorer.exe, 00000002.00000000.235214151.000000000871F000.00000004.00000001.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000:
Source: explorer.exe, 00000002.00000000.244267378.0000000001398000.00000004.00000020.sdmp Binary or memory string: War&Prod_VMware_SATAR
Source: explorer.exe, 00000002.00000000.232695480.0000000008220000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: explorer.exe, 00000002.00000000.234998239.0000000008640000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000002.00000000.227568679.0000000004E61000.00000004.00000001.sdmp Binary or memory string: War&Prod_VMware_SATAv
Source: explorer.exe, 00000002.00000000.255829741.00000000055D0000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}V*(E
Source: explorer.exe, 00000002.00000000.235214151.000000000871F000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}~
Source: explorer.exe, 00000002.00000000.235214151.000000000871F000.00000004.00000001.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
Source: explorer.exe, 00000002.00000000.235308086.00000000087D1000.00000004.00000001.sdmp Binary or memory string: VMware SATA CD00ices
Source: explorer.exe, 00000002.00000000.228165850.0000000005603000.00000004.00000001.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b},
Source: explorer.exe, 00000002.00000000.232695480.0000000008220000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: explorer.exe, 00000002.00000000.232695480.0000000008220000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: explorer.exe, 00000002.00000000.232695480.0000000008220000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Process information queried: ProcessInformation

Anti Debugging:

Checks if the current process is being debugged
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\help.exe Process queried: DebugPort
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_004088C0 rdtsc 1_2_004088C0
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00409B30 LdrLoadDll, 1_2_00409B30
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 0_2_00405E88 GetModuleHandleA,LoadLibraryA,GetProcAddress, 0_2_00405E88
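Three of the static findings in this report reduce to short byte patterns: the `push eax; ret` and `pushad; ret` sequences under "Uses code obfuscation techniques" (a `push reg; ret` pair transfers control to the register's value exactly like `jmp reg`, without a branch for a linear disassembler to follow), the two `rdtsc` instructions a few bytes apart that the "RDTSC instruction interceptor" lines describe (the delta between the two timestamps is what gets compared against a threshold), and the `mov eax, dword ptr fs:[00000030h]` reads under "Contains functionality to read the PEB" (`fs:[30h]` is the PEB pointer in the 32-bit TEB). The scanner below, an added example that is not part of the report, finds all three in a raw code buffer. The buffer it scans is constructed for this example and its offsets are not the report's addresses. One caveat a practitioner would apply to the report's own list: entries such as `push cs; iretd` and `push ss; ret` are the kind of thing a linear sweep produces from data or padding bytes, and a byte scan like this one has the same false-positive exposure, so treat hits as places to disassemble properly rather than as proof.

```python
"""Static scan for the anti-analysis byte patterns the report lists.

Added example, not part of the sandbox report. It finds three things in a
raw 32-bit code buffer:
  * push r32 / pushad followed by ret       (obfuscated jump via the stack)
  * two RDTSC instructions within a window  (timing check)
  * mov r32, dword ptr fs:[30h]             (TEB -> PEB read)
SAMPLE is constructed for this demonstration; it is not the sample's code.
"""
from dataclasses import dataclass

REG32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]


@dataclass(frozen=True)
class Hit:
    kind: str
    offset: int
    detail: str


def find_push_ret(code, base=0):
    """push r32 (50..57) or pushad (60) immediately followed by ret (C3)."""
    hits = []
    for i in range(len(code) - 1):
        if code[i + 1] != 0xC3:
            continue
        if 0x50 <= code[i] <= 0x57:
            hits.append(Hit("push-ret", base + i, f"push {REG32[code[i] - 0x50]}; ret"))
        elif code[i] == 0x60:
            hits.append(Hit("push-ret", base + i, "pushad; ret"))
    return hits


def find_rdtsc_pairs(code, base=0, window=16):
    """Two RDTSC (0F 31) no more than `window` bytes apart."""
    positions = [i for i in range(len(code) - 1) if code[i] == 0x0F and code[i + 1] == 0x31]
    return [Hit("rdtsc-pair", base + a, f"second rdtsc at +{b - a}")
            for a, b in zip(positions, positions[1:]) if b - a <= window]


def find_peb_reads(code, base=0):
    """mov r32, dword ptr fs:[30h] in either encoding.

    64 A1 30 00 00 00        mov eax, fs:[moffs32]
    64 8B /r 30 00 00 00     mov r32, fs:[disp32]  (ModRM mod=00, rm=101)
    """
    hits = []
    i = 0
    while i < len(code) - 5:
        if code[i] == 0x64:
            if code[i + 1] == 0xA1 and code[i + 2:i + 6] == b"\x30\x00\x00\x00":
                hits.append(Hit("peb-read", base + i, "mov eax, dword ptr fs:[30h]"))
                i += 6
                continue
            if (code[i + 1] == 0x8B and i + 7 <= len(code)
                    and (code[i + 2] & 0xC7) == 0x05
                    and code[i + 3:i + 7] == b"\x30\x00\x00\x00"):
                reg = REG32[(code[i + 2] >> 3) & 7]
                hits.append(Hit("peb-read", base + i, f"mov {reg}, dword ptr fs:[30h]"))
                i += 7
                continue
        i += 1
    return hits


def scan(code, base=0):
    """All hits, ordered by address."""
    hits = find_push_ret(code, base) + find_rdtsc_pairs(code, base) + find_peb_reads(code, base)
    return sorted(hits, key=lambda h: h.offset)


# Constructed buffer: the report's rdtsc/xor/add/rdtsc sequence, two PEB
# reads, a BeingDebugged load, and two stack-based jumps.
SAMPLE = bytes.fromhex(
    "0f31"            # rdtsc
    "33c9"            # xor ecx, ecx
    "03c8"            # add ecx, eax
    "0f31"            # rdtsc
    "2bc1"            # sub eax, ecx          (elapsed cycles)
    "64a130000000"    # mov eax, dword ptr fs:[30h]
    "648b0d30000000"  # mov ecx, dword ptr fs:[30h]
    "8a4002"          # mov al, byte ptr [eax+2]   (PEB.BeingDebugged)
    "50c3"            # push eax; ret         (== jmp eax)
    "60c3"            # pushad; ret
)

if __name__ == "__main__":
    for hit in scan(SAMPLE, base=0x400000):
        print(f"{hit.offset:08X} {hit.kind:<10} {hit.detail}")
```

Pass `base` as the section's load address so hits print as virtual addresses comparable with the report's `1_2_0041C9AD` style identifiers; `window` bounds how far apart two `rdtsc` may be before they are treated as unrelated.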
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00AF20A0 mov eax, dword ptr fs:[00000030h] 1_2_00AF20A0
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00AF20A0 mov eax, dword ptr fs:[00000030h] 1_2_00AF20A0
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00AF20A0 mov eax, dword ptr fs:[00000030h] 1_2_00AF20A0
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00AF20A0 mov eax, dword ptr fs:[00000030h] 1_2_00AF20A0
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00AF20A0 mov eax, dword ptr fs:[00000030h] 1_2_00AF20A0
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00AF20A0 mov eax, dword ptr fs:[00000030h] 1_2_00AF20A0
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00AFF0BF mov ecx, dword ptr fs:[00000030h] 1_2_00AFF0BF
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00AFF0BF mov eax, dword ptr fs:[00000030h] 1_2_00AFF0BF
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00AFF0BF mov eax, dword ptr fs:[00000030h] 1_2_00AFF0BF
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00B090AF mov eax, dword ptr fs:[00000030h] 1_2_00B090AF
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00AC9080 mov eax, dword ptr fs:[00000030h] 1_2_00AC9080
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00B43884 mov eax, dword ptr fs:[00000030h] 1_2_00B43884
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00B43884 mov eax, dword ptr fs:[00000030h] 1_2_00B43884
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00AC58EC mov eax, dword ptr fs:[00000030h] 1_2_00AC58EC
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00AEB8E4 mov eax, dword ptr fs:[00000030h] 1_2_00AEB8E4
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00AEB8E4 mov eax, dword ptr fs:[00000030h] 1_2_00AEB8E4
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00AC40E1 mov eax, dword ptr fs:[00000030h] 1_2_00AC40E1
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00AC40E1 mov eax, dword ptr fs:[00000030h] 1_2_00AC40E1
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00AC40E1 mov eax, dword ptr fs:[00000030h] 1_2_00AC40E1
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00B5B8D0 mov eax, dword ptr fs:[00000030h] 1_2_00B5B8D0
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00B5B8D0 mov ecx, dword ptr fs:[00000030h] 1_2_00B5B8D0
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00B5B8D0 mov eax, dword ptr fs:[00000030h] 1_2_00B5B8D0
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00B5B8D0 mov eax, dword ptr fs:[00000030h] 1_2_00B5B8D0
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00B5B8D0 mov eax, dword ptr fs:[00000030h] 1_2_00B5B8D0
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00B5B8D0 mov eax, dword ptr fs:[00000030h] 1_2_00B5B8D0
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00AF002D mov eax, dword ptr fs:[00000030h] 1_2_00AF002D
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00AF002D mov eax, dword ptr fs:[00000030h] 1_2_00AF002D
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00AF002D mov eax, dword ptr fs:[00000030h] 1_2_00AF002D
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00AF002D mov eax, dword ptr fs:[00000030h] 1_2_00AF002D
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00AF002D mov eax, dword ptr fs:[00000030h] 1_2_00AF002D
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00ADB02A mov eax, dword ptr fs:[00000030h] 1_2_00ADB02A
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00ADB02A mov eax, dword ptr fs:[00000030h] 1_2_00ADB02A
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00ADB02A mov eax, dword ptr fs:[00000030h] 1_2_00ADB02A
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00ADB02A mov eax, dword ptr fs:[00000030h] 1_2_00ADB02A
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00AEA830 mov eax, dword ptr fs:[00000030h] 1_2_00AEA830
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00AEA830 mov eax, dword ptr fs:[00000030h] 1_2_00AEA830
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00AEA830 mov eax, dword ptr fs:[00000030h] 1_2_00AEA830
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00AEA830 mov eax, dword ptr fs:[00000030h] 1_2_00AEA830
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00B47016 mov eax, dword ptr fs:[00000030h] 1_2_00B47016
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00B47016 mov eax, dword ptr fs:[00000030h] 1_2_00B47016
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00B47016 mov eax, dword ptr fs:[00000030h] 1_2_00B47016
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00B94015 mov eax, dword ptr fs:[00000030h] 1_2_00B94015
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00B94015 mov eax, dword ptr fs:[00000030h] 1_2_00B94015
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00B82073 mov eax, dword ptr fs:[00000030h] 1_2_00B82073
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00B91074 mov eax, dword ptr fs:[00000030h] 1_2_00B91074
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00AE0050 mov eax, dword ptr fs:[00000030h] 1_2_00AE0050
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00AE0050 mov eax, dword ptr fs:[00000030h] 1_2_00AE0050
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00B451BE mov eax, dword ptr fs:[00000030h] 1_2_00B451BE
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00B451BE mov eax, dword ptr fs:[00000030h] 1_2_00B451BE
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00B451BE mov eax, dword ptr fs:[00000030h] 1_2_00B451BE
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00B451BE mov eax, dword ptr fs:[00000030h] 1_2_00B451BE
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00AF61A0 mov eax, dword ptr fs:[00000030h] 1_2_00AF61A0
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00AF61A0 mov eax, dword ptr fs:[00000030h] 1_2_00AF61A0
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00AE99BF mov ecx, dword ptr fs:[00000030h] 1_2_00AE99BF
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00AE99BF mov ecx, dword ptr fs:[00000030h] 1_2_00AE99BF
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00AE99BF mov eax, dword ptr fs:[00000030h] 1_2_00AE99BF
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00AE99BF mov ecx, dword ptr fs:[00000030h] 1_2_00AE99BF
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00AE99BF mov ecx, dword ptr fs:[00000030h] 1_2_00AE99BF
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00AE99BF mov eax, dword ptr fs:[00000030h] 1_2_00AE99BF
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00AE99BF mov ecx, dword ptr fs:[00000030h] 1_2_00AE99BF
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00AE99BF mov ecx, dword ptr fs:[00000030h] 1_2_00AE99BF
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00AE99BF mov eax, dword ptr fs:[00000030h] 1_2_00AE99BF
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00AE99BF mov ecx, dword ptr fs:[00000030h] 1_2_00AE99BF
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00AE99BF mov ecx, dword ptr fs:[00000030h] 1_2_00AE99BF
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00AE99BF mov eax, dword ptr fs:[00000030h] 1_2_00AE99BF
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00B469A6 mov eax, dword ptr fs:[00000030h] 1_2_00B469A6
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00B849A4 mov eax, dword ptr fs:[00000030h] 1_2_00B849A4
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00B849A4 mov eax, dword ptr fs:[00000030h] 1_2_00B849A4
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00B849A4 mov eax, dword ptr fs:[00000030h] 1_2_00B849A4
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00B849A4 mov eax, dword ptr fs:[00000030h] 1_2_00B849A4
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00AFA185 mov eax, dword ptr fs:[00000030h] 1_2_00AFA185
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00AEC182 mov eax, dword ptr fs:[00000030h] 1_2_00AEC182
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00AF2990 mov eax, dword ptr fs:[00000030h] 1_2_00AF2990
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00ACB1E1 mov eax, dword ptr fs:[00000030h] 1_2_00ACB1E1
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00ACB1E1 mov eax, dword ptr fs:[00000030h] 1_2_00ACB1E1
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00ACB1E1 mov eax, dword ptr fs:[00000030h] 1_2_00ACB1E1
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00B541E8 mov eax, dword ptr fs:[00000030h] 1_2_00B541E8
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00AE4120 mov eax, dword ptr fs:[00000030h] 1_2_00AE4120
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00AE4120 mov eax, dword ptr fs:[00000030h] 1_2_00AE4120
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00AE4120 mov eax, dword ptr fs:[00000030h] 1_2_00AE4120
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00AE4120 mov eax, dword ptr fs:[00000030h] 1_2_00AE4120
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00AE4120 mov ecx, dword ptr fs:[00000030h] 1_2_00AE4120
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00AF513A mov eax, dword ptr fs:[00000030h] 1_2_00AF513A
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00AF513A mov eax, dword ptr fs:[00000030h] 1_2_00AF513A
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00AC9100 mov eax, dword ptr fs:[00000030h] 1_2_00AC9100
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00AC9100 mov eax, dword ptr fs:[00000030h] 1_2_00AC9100
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00AC9100 mov eax, dword ptr fs:[00000030h] 1_2_00AC9100
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00ACC962 mov eax, dword ptr fs:[00000030h] 1_2_00ACC962
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00ACB171 mov eax, dword ptr fs:[00000030h] 1_2_00ACB171
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00ACB171 mov eax, dword ptr fs:[00000030h] 1_2_00ACB171
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00AEB944 mov eax, dword ptr fs:[00000030h] 1_2_00AEB944
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00AEB944 mov eax, dword ptr fs:[00000030h] 1_2_00AEB944
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00AC52A5 mov eax, dword ptr fs:[00000030h] 1_2_00AC52A5
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00AC52A5 mov eax, dword ptr fs:[00000030h] 1_2_00AC52A5
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00AC52A5 mov eax, dword ptr fs:[00000030h] 1_2_00AC52A5
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00AC52A5 mov eax, dword ptr fs:[00000030h] 1_2_00AC52A5
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00AC52A5 mov eax, dword ptr fs:[00000030h] 1_2_00AC52A5
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00ADAAB0 mov eax, dword ptr fs:[00000030h] 1_2_00ADAAB0
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00ADAAB0 mov eax, dword ptr fs:[00000030h] 1_2_00ADAAB0
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00AFFAB0 mov eax, dword ptr fs:[00000030h] 1_2_00AFFAB0
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00AFD294 mov eax, dword ptr fs:[00000030h] 1_2_00AFD294
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00AFD294 mov eax, dword ptr fs:[00000030h] 1_2_00AFD294
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00AF2AE4 mov eax, dword ptr fs:[00000030h] 1_2_00AF2AE4
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00B84AEF mov eax, dword ptr fs:[00000030h] 1_2_00B84AEF
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00B84AEF mov eax, dword ptr fs:[00000030h] 1_2_00B84AEF
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00B84AEF mov eax, dword ptr fs:[00000030h] 1_2_00B84AEF
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00B84AEF mov eax, dword ptr fs:[00000030h] 1_2_00B84AEF
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00B84AEF mov eax, dword ptr fs:[00000030h] 1_2_00B84AEF
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00B84AEF mov eax, dword ptr fs:[00000030h] 1_2_00B84AEF
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00B84AEF mov eax, dword ptr fs:[00000030h] 1_2_00B84AEF
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00B84AEF mov eax, dword ptr fs:[00000030h] 1_2_00B84AEF
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00B84AEF mov eax, dword ptr fs:[00000030h] 1_2_00B84AEF
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00B84AEF mov eax, dword ptr fs:[00000030h] 1_2_00B84AEF
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00B84AEF mov eax, dword ptr fs:[00000030h] 1_2_00B84AEF
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00B84AEF mov eax, dword ptr fs:[00000030h] 1_2_00B84AEF
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00B84AEF mov eax, dword ptr fs:[00000030h] 1_2_00B84AEF
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00B84AEF mov eax, dword ptr fs:[00000030h] 1_2_00B84AEF
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00AF2ACB mov eax, dword ptr fs:[00000030h] 1_2_00AF2ACB
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00AEA229 mov eax, dword ptr fs:[00000030h] 1_2_00AEA229
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00AEA229 mov eax, dword ptr fs:[00000030h] 1_2_00AEA229
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00AEA229 mov eax, dword ptr fs:[00000030h] 1_2_00AEA229
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00AEA229 mov eax, dword ptr fs:[00000030h] 1_2_00AEA229
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00AEA229 mov eax, dword ptr fs:[00000030h] 1_2_00AEA229
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00AEA229 mov eax, dword ptr fs:[00000030h] 1_2_00AEA229
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00AEA229 mov eax, dword ptr fs:[00000030h] 1_2_00AEA229
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00AEA229 mov eax, dword ptr fs:[00000030h] 1_2_00AEA229
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00AEA229 mov eax, dword ptr fs:[00000030h] 1_2_00AEA229
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00AEB236 mov eax, dword ptr fs:[00000030h] 1_2_00AEB236
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00AEB236 mov eax, dword ptr fs:[00000030h] 1_2_00AEB236
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00AEB236 mov eax, dword ptr fs:[00000030h] 1_2_00AEB236
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00AEB236 mov eax, dword ptr fs:[00000030h] 1_2_00AEB236
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00AEB236 mov eax, dword ptr fs:[00000030h] 1_2_00AEB236
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00AEB236 mov eax, dword ptr fs:[00000030h] 1_2_00AEB236
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00B04A2C mov eax, dword ptr fs:[00000030h] 1_2_00B04A2C
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00B04A2C mov eax, dword ptr fs:[00000030h] 1_2_00B04A2C
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00AD8A0A mov eax, dword ptr fs:[00000030h] 1_2_00AD8A0A
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00B8AA16 mov eax, dword ptr fs:[00000030h] 1_2_00B8AA16
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00B8AA16 mov eax, dword ptr fs:[00000030h] 1_2_00B8AA16
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00AE3A1C mov eax, dword ptr fs:[00000030h] 1_2_00AE3A1C
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00ACAA16 mov eax, dword ptr fs:[00000030h] 1_2_00ACAA16
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00ACAA16 mov eax, dword ptr fs:[00000030h] 1_2_00ACAA16
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00AC5210 mov eax, dword ptr fs:[00000030h] 1_2_00AC5210
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00AC5210 mov ecx, dword ptr fs:[00000030h] 1_2_00AC5210
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00AC5210 mov eax, dword ptr fs:[00000030h] 1_2_00AC5210
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00AC5210 mov eax, dword ptr fs:[00000030h] 1_2_00AC5210
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00B0927A mov eax, dword ptr fs:[00000030h] 1_2_00B0927A
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00B7B260 mov eax, dword ptr fs:[00000030h] 1_2_00B7B260
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00B7B260 mov eax, dword ptr fs:[00000030h] 1_2_00B7B260
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00B98A62 mov eax, dword ptr fs:[00000030h] 1_2_00B98A62
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00B54257 mov eax, dword ptr fs:[00000030h] 1_2_00B54257
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00AC9240 mov eax, dword ptr fs:[00000030h] 1_2_00AC9240
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00AC9240 mov eax, dword ptr fs:[00000030h] 1_2_00AC9240
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00AC9240 mov eax, dword ptr fs:[00000030h] 1_2_00AC9240
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00AC9240 mov eax, dword ptr fs:[00000030h] 1_2_00AC9240
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00B8EA55 mov eax, dword ptr fs:[00000030h] 1_2_00B8EA55
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00AF4BAD mov eax, dword ptr fs:[00000030h] 1_2_00AF4BAD
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00AF4BAD mov eax, dword ptr fs:[00000030h] 1_2_00AF4BAD
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00AF4BAD mov eax, dword ptr fs:[00000030h] 1_2_00AF4BAD
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00B95BA5 mov eax, dword ptr fs:[00000030h] 1_2_00B95BA5
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00AD1B8F mov eax, dword ptr fs:[00000030h] 1_2_00AD1B8F
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00AD1B8F mov eax, dword ptr fs:[00000030h] 1_2_00AD1B8F
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00AF138B mov eax, dword ptr fs:[00000030h] 1_2_00AF138B
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00AF138B mov eax, dword ptr fs:[00000030h] 1_2_00AF138B
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00AF138B mov eax, dword ptr fs:[00000030h] 1_2_00AF138B
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00B8138A mov eax, dword ptr fs:[00000030h] 1_2_00B8138A
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00B7D380 mov ecx, dword ptr fs:[00000030h] 1_2_00B7D380
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00AF2397 mov eax, dword ptr fs:[00000030h] 1_2_00AF2397
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00AFB390 mov eax, dword ptr fs:[00000030h] 1_2_00AFB390
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00AEDBE9 mov eax, dword ptr fs:[00000030h] 1_2_00AEDBE9
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00AF03E2 mov eax, dword ptr fs:[00000030h] 1_2_00AF03E2
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00AF03E2 mov eax, dword ptr fs:[00000030h] 1_2_00AF03E2
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00AF03E2 mov eax, dword ptr fs:[00000030h] 1_2_00AF03E2
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00AF03E2 mov eax, dword ptr fs:[00000030h] 1_2_00AF03E2
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00AF03E2 mov eax, dword ptr fs:[00000030h] 1_2_00AF03E2
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00AF03E2 mov eax, dword ptr fs:[00000030h] 1_2_00AF03E2
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00B723E3 mov ecx, dword ptr fs:[00000030h] 1_2_00B723E3
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00B723E3 mov ecx, dword ptr fs:[00000030h] 1_2_00B723E3
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00B723E3 mov eax, dword ptr fs:[00000030h] 1_2_00B723E3
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00B453CA mov eax, dword ptr fs:[00000030h] 1_2_00B453CA
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00B453CA mov eax, dword ptr fs:[00000030h] 1_2_00B453CA
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00B8131B mov eax, dword ptr fs:[00000030h] 1_2_00B8131B
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00AEA309 mov eax, dword ptr fs:[00000030h] 1_2_00AEA309
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00AEA309 mov eax, dword ptr fs:[00000030h] 1_2_00AEA309
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00AEA309 mov eax, dword ptr fs:[00000030h] 1_2_00AEA309
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00AEA309 mov eax, dword ptr fs:[00000030h] 1_2_00AEA309
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00AEA309 mov eax, dword ptr fs:[00000030h] 1_2_00AEA309
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00AEA309 mov eax, dword ptr fs:[00000030h] 1_2_00AEA309
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00AEA309 mov eax, dword ptr fs:[00000030h] 1_2_00AEA309
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00AEA309 mov eax, dword ptr fs:[00000030h] 1_2_00AEA309
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00AEA309 mov eax, dword ptr fs:[00000030h] 1_2_00AEA309
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00AEA309 mov eax, dword ptr fs:[00000030h] 1_2_00AEA309
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00AEA309 mov eax, dword ptr fs:[00000030h] 1_2_00AEA309
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00AEA309 mov eax, dword ptr fs:[00000030h] 1_2_00AEA309
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00AEA309 mov eax, dword ptr fs:[00000030h] 1_2_00AEA309
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00AEA309 mov eax, dword ptr fs:[00000030h] 1_2_00AEA309
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00AEA309 mov eax, dword ptr fs:[00000030h] 1_2_00AEA309
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00AEA309 mov eax, dword ptr fs:[00000030h] 1_2_00AEA309
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00AEA309 mov eax, dword ptr fs:[00000030h] 1_2_00AEA309
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00AEA309 mov eax, dword ptr fs:[00000030h] 1_2_00AEA309
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00AEA309 mov eax, dword ptr fs:[00000030h] 1_2_00AEA309
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00AEA309 mov eax, dword ptr fs:[00000030h] 1_2_00AEA309
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00AEA309 mov eax, dword ptr fs:[00000030h] 1_2_00AEA309
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00ACDB60 mov ecx, dword ptr fs:[00000030h] 1_2_00ACDB60
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00AF3B7A mov eax, dword ptr fs:[00000030h] 1_2_00AF3B7A
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00AF3B7A mov eax, dword ptr fs:[00000030h] 1_2_00AF3B7A
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00B98B58 mov eax, dword ptr fs:[00000030h] 1_2_00B98B58
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00ACDB40 mov eax, dword ptr fs:[00000030h] 1_2_00ACDB40
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00ACF358 mov eax, dword ptr fs:[00000030h] 1_2_00ACF358
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00B84496 mov eax, dword ptr fs:[00000030h] 1_2_00B84496
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00B84496 mov eax, dword ptr fs:[00000030h] 1_2_00B84496
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00B84496 mov eax, dword ptr fs:[00000030h] 1_2_00B84496
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00B84496 mov eax, dword ptr fs:[00000030h] 1_2_00B84496
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00B84496 mov eax, dword ptr fs:[00000030h] 1_2_00B84496
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00B84496 mov eax, dword ptr fs:[00000030h] 1_2_00B84496
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00B84496 mov eax, dword ptr fs:[00000030h] 1_2_00B84496
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00B84496 mov eax, dword ptr fs:[00000030h] 1_2_00B84496
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00B84496 mov eax, dword ptr fs:[00000030h] 1_2_00B84496
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00B84496 mov eax, dword ptr fs:[00000030h] 1_2_00B84496
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00B84496 mov eax, dword ptr fs:[00000030h] 1_2_00B84496
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00B84496 mov eax, dword ptr fs:[00000030h] 1_2_00B84496
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00B84496 mov eax, dword ptr fs:[00000030h] 1_2_00B84496
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00AD849B mov eax, dword ptr fs:[00000030h] 1_2_00AD849B
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00B814FB mov eax, dword ptr fs:[00000030h] 1_2_00B814FB
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00B46CF0 mov eax, dword ptr fs:[00000030h] 1_2_00B46CF0
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00B46CF0 mov eax, dword ptr fs:[00000030h] 1_2_00B46CF0
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00B46CF0 mov eax, dword ptr fs:[00000030h] 1_2_00B46CF0
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00B98CD6 mov eax, dword ptr fs:[00000030h] 1_2_00B98CD6
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00AFBC2C mov eax, dword ptr fs:[00000030h] 1_2_00AFBC2C
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00B9740D mov eax, dword ptr fs:[00000030h] 1_2_00B9740D
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00B9740D mov eax, dword ptr fs:[00000030h] 1_2_00B9740D
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00B9740D mov eax, dword ptr fs:[00000030h] 1_2_00B9740D
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00B81C06 mov eax, dword ptr fs:[00000030h] 1_2_00B81C06
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00B81C06 mov eax, dword ptr fs:[00000030h] 1_2_00B81C06
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00B81C06 mov eax, dword ptr fs:[00000030h] 1_2_00B81C06
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00B81C06 mov eax, dword ptr fs:[00000030h] 1_2_00B81C06
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00B81C06 mov eax, dword ptr fs:[00000030h] 1_2_00B81C06
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00B81C06 mov eax, dword ptr fs:[00000030h] 1_2_00B81C06
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00B81C06 mov eax, dword ptr fs:[00000030h] 1_2_00B81C06
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00B81C06 mov eax, dword ptr fs:[00000030h] 1_2_00B81C06
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00B81C06 mov eax, dword ptr fs:[00000030h] 1_2_00B81C06
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00B81C06 mov eax, dword ptr fs:[00000030h] 1_2_00B81C06
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00B81C06 mov eax, dword ptr fs:[00000030h] 1_2_00B81C06
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00B81C06 mov eax, dword ptr fs:[00000030h] 1_2_00B81C06
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00B81C06 mov eax, dword ptr fs:[00000030h] 1_2_00B81C06
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00B81C06 mov eax, dword ptr fs:[00000030h] 1_2_00B81C06
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00B46C0A mov eax, dword ptr fs:[00000030h] 1_2_00B46C0A
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00B46C0A mov eax, dword ptr fs:[00000030h] 1_2_00B46C0A
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00B46C0A mov eax, dword ptr fs:[00000030h] 1_2_00B46C0A
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00B46C0A mov eax, dword ptr fs:[00000030h] 1_2_00B46C0A
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00AE746D mov eax, dword ptr fs:[00000030h] 1_2_00AE746D
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00AFAC7B mov eax, dword ptr fs:[00000030h] 1_2_00AFAC7B
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00AFAC7B mov eax, dword ptr fs:[00000030h] 1_2_00AFAC7B
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00AFAC7B mov eax, dword ptr fs:[00000030h] 1_2_00AFAC7B
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00AFAC7B mov eax, dword ptr fs:[00000030h] 1_2_00AFAC7B
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00AFAC7B mov eax, dword ptr fs:[00000030h] 1_2_00AFAC7B
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00AFAC7B mov eax, dword ptr fs:[00000030h] 1_2_00AFAC7B
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00AFAC7B mov eax, dword ptr fs:[00000030h] 1_2_00AFAC7B
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00AFAC7B mov eax, dword ptr fs:[00000030h] 1_2_00AFAC7B
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00AFAC7B mov eax, dword ptr fs:[00000030h] 1_2_00AFAC7B
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00AFAC7B mov eax, dword ptr fs:[00000030h] 1_2_00AFAC7B
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00AFAC7B mov eax, dword ptr fs:[00000030h] 1_2_00AFAC7B
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00AEB477 mov eax, dword ptr fs:[00000030h] 1_2_00AEB477
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00AEB477 mov eax, dword ptr fs:[00000030h] 1_2_00AEB477
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00AEB477 mov eax, dword ptr fs:[00000030h] 1_2_00AEB477
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00AEB477 mov eax, dword ptr fs:[00000030h] 1_2_00AEB477
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00AEB477 mov eax, dword ptr fs:[00000030h] 1_2_00AEB477
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00AEB477 mov eax, dword ptr fs:[00000030h] 1_2_00AEB477
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00AEB477 mov eax, dword ptr fs:[00000030h] 1_2_00AEB477
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00AEB477 mov eax, dword ptr fs:[00000030h] 1_2_00AEB477
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00AEB477 mov eax, dword ptr fs:[00000030h] 1_2_00AEB477
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00AEB477 mov eax, dword ptr fs:[00000030h] 1_2_00AEB477
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00AEB477 mov eax, dword ptr fs:[00000030h] 1_2_00AEB477
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00AEB477 mov eax, dword ptr fs:[00000030h] 1_2_00AEB477
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00AFA44B mov eax, dword ptr fs:[00000030h] 1_2_00AFA44B
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00B5C450 mov eax, dword ptr fs:[00000030h] 1_2_00B5C450
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00B5C450 mov eax, dword ptr fs:[00000030h] 1_2_00B5C450
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00AF35A1 mov eax, dword ptr fs:[00000030h] 1_2_00AF35A1
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00B905AC mov eax, dword ptr fs:[00000030h] 1_2_00B905AC
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00B905AC mov eax, dword ptr fs:[00000030h] 1_2_00B905AC
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00AF1DB5 mov eax, dword ptr fs:[00000030h] 1_2_00AF1DB5
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00AF1DB5 mov eax, dword ptr fs:[00000030h] 1_2_00AF1DB5
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00AF1DB5 mov eax, dword ptr fs:[00000030h] 1_2_00AF1DB5
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00AC2D8A mov eax, dword ptr fs:[00000030h] 1_2_00AC2D8A
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00AC2D8A mov eax, dword ptr fs:[00000030h] 1_2_00AC2D8A
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00AC2D8A mov eax, dword ptr fs:[00000030h] 1_2_00AC2D8A
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00AC2D8A mov eax, dword ptr fs:[00000030h] 1_2_00AC2D8A
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00AC2D8A mov eax, dword ptr fs:[00000030h] 1_2_00AC2D8A
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00AF2581 mov eax, dword ptr fs:[00000030h] 1_2_00AF2581
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00AF2581 mov eax, dword ptr fs:[00000030h] 1_2_00AF2581
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00AF2581 mov eax, dword ptr fs:[00000030h] 1_2_00AF2581
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00AF2581 mov eax, dword ptr fs:[00000030h] 1_2_00AF2581
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00AFFD9B mov eax, dword ptr fs:[00000030h] 1_2_00AFFD9B
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00AFFD9B mov eax, dword ptr fs:[00000030h] 1_2_00AFFD9B
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00B82D82 mov eax, dword ptr fs:[00000030h] 1_2_00B82D82
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00B82D82 mov eax, dword ptr fs:[00000030h] 1_2_00B82D82
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00B82D82 mov eax, dword ptr fs:[00000030h] 1_2_00B82D82
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00B82D82 mov eax, dword ptr fs:[00000030h] 1_2_00B82D82
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00B82D82 mov eax, dword ptr fs:[00000030h] 1_2_00B82D82
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00B82D82 mov eax, dword ptr fs:[00000030h] 1_2_00B82D82
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00B82D82 mov eax, dword ptr fs:[00000030h] 1_2_00B82D82
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00B78DF1 mov eax, dword ptr fs:[00000030h] 1_2_00B78DF1
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00ADD5E0 mov eax, dword ptr fs:[00000030h] 1_2_00ADD5E0
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00ADD5E0 mov eax, dword ptr fs:[00000030h] 1_2_00ADD5E0
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00B8FDE2 mov eax, dword ptr fs:[00000030h] 1_2_00B8FDE2
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00B8FDE2 mov eax, dword ptr fs:[00000030h] 1_2_00B8FDE2
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00B8FDE2 mov eax, dword ptr fs:[00000030h] 1_2_00B8FDE2
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00B8FDE2 mov eax, dword ptr fs:[00000030h] 1_2_00B8FDE2
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00B46DC9 mov eax, dword ptr fs:[00000030h] 1_2_00B46DC9
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00B46DC9 mov eax, dword ptr fs:[00000030h] 1_2_00B46DC9
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00B46DC9 mov eax, dword ptr fs:[00000030h] 1_2_00B46DC9
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00B46DC9 mov ecx, dword ptr fs:[00000030h] 1_2_00B46DC9
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00B46DC9 mov eax, dword ptr fs:[00000030h] 1_2_00B46DC9
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00B46DC9 mov eax, dword ptr fs:[00000030h] 1_2_00B46DC9
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00B8E539 mov eax, dword ptr fs:[00000030h] 1_2_00B8E539
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00B4A537 mov eax, dword ptr fs:[00000030h] 1_2_00B4A537
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00B98D34 mov eax, dword ptr fs:[00000030h] 1_2_00B98D34
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00AF4D3B mov eax, dword ptr fs:[00000030h] 1_2_00AF4D3B
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00AF4D3B mov eax, dword ptr fs:[00000030h] 1_2_00AF4D3B
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00AF4D3B mov eax, dword ptr fs:[00000030h] 1_2_00AF4D3B
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00AD3D34 mov eax, dword ptr fs:[00000030h] 1_2_00AD3D34
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00AD3D34 mov eax, dword ptr fs:[00000030h] 1_2_00AD3D34
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00AD3D34 mov eax, dword ptr fs:[00000030h] 1_2_00AD3D34
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00AD3D34 mov eax, dword ptr fs:[00000030h] 1_2_00AD3D34
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00AD3D34 mov eax, dword ptr fs:[00000030h] 1_2_00AD3D34
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00AD3D34 mov eax, dword ptr fs:[00000030h] 1_2_00AD3D34
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00AD3D34 mov eax, dword ptr fs:[00000030h] 1_2_00AD3D34
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00AD3D34 mov eax, dword ptr fs:[00000030h] 1_2_00AD3D34
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00AD3D34 mov eax, dword ptr fs:[00000030h] 1_2_00AD3D34
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00AD3D34 mov eax, dword ptr fs:[00000030h] 1_2_00AD3D34
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00AD3D34 mov eax, dword ptr fs:[00000030h] 1_2_00AD3D34
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00AD3D34 mov eax, dword ptr fs:[00000030h] 1_2_00AD3D34
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00AD3D34 mov eax, dword ptr fs:[00000030h] 1_2_00AD3D34
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00ACAD30 mov eax, dword ptr fs:[00000030h] 1_2_00ACAD30
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00AEC577 mov eax, dword ptr fs:[00000030h] 1_2_00AEC577
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00AEC577 mov eax, dword ptr fs:[00000030h] 1_2_00AEC577
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00B03D43 mov eax, dword ptr fs:[00000030h] 1_2_00B03D43
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00B43540 mov eax, dword ptr fs:[00000030h] 1_2_00B43540
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00B73D40 mov eax, dword ptr fs:[00000030h] 1_2_00B73D40
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00AE7D50 mov eax, dword ptr fs:[00000030h] 1_2_00AE7D50
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00B446A7 mov eax, dword ptr fs:[00000030h] 1_2_00B446A7
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00B90EA5 mov eax, dword ptr fs:[00000030h] 1_2_00B90EA5
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00B90EA5 mov eax, dword ptr fs:[00000030h] 1_2_00B90EA5
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00B90EA5 mov eax, dword ptr fs:[00000030h] 1_2_00B90EA5
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00B5FE87 mov eax, dword ptr fs:[00000030h] 1_2_00B5FE87
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00AF16E0 mov ecx, dword ptr fs:[00000030h] 1_2_00AF16E0
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00AD76E2 mov eax, dword ptr fs:[00000030h] 1_2_00AD76E2
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00AF36CC mov eax, dword ptr fs:[00000030h] 1_2_00AF36CC
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00B98ED6 mov eax, dword ptr fs:[00000030h] 1_2_00B98ED6
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00B7FEC0 mov eax, dword ptr fs:[00000030h] 1_2_00B7FEC0
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00B08EC7 mov eax, dword ptr fs:[00000030h] 1_2_00B08EC7
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00B7FE3F mov eax, dword ptr fs:[00000030h] 1_2_00B7FE3F
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00ACE620 mov eax, dword ptr fs:[00000030h] 1_2_00ACE620
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00ACC600 mov eax, dword ptr fs:[00000030h] 1_2_00ACC600
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00ACC600 mov eax, dword ptr fs:[00000030h] 1_2_00ACC600
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00ACC600 mov eax, dword ptr fs:[00000030h] 1_2_00ACC600
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00AF8E00 mov eax, dword ptr fs:[00000030h] 1_2_00AF8E00
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00B81608 mov eax, dword ptr fs:[00000030h] 1_2_00B81608
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00AFA61C mov eax, dword ptr fs:[00000030h] 1_2_00AFA61C
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00AFA61C mov eax, dword ptr fs:[00000030h] 1_2_00AFA61C
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00AD766D mov eax, dword ptr fs:[00000030h] 1_2_00AD766D
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00AEAE73 mov eax, dword ptr fs:[00000030h] 1_2_00AEAE73
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00AEAE73 mov eax, dword ptr fs:[00000030h] 1_2_00AEAE73
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00AEAE73 mov eax, dword ptr fs:[00000030h] 1_2_00AEAE73
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00AEAE73 mov eax, dword ptr fs:[00000030h] 1_2_00AEAE73
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00AEAE73 mov eax, dword ptr fs:[00000030h] 1_2_00AEAE73
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00AD7E41 mov eax, dword ptr fs:[00000030h] 1_2_00AD7E41
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00AD7E41 mov eax, dword ptr fs:[00000030h] 1_2_00AD7E41
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00AD7E41 mov eax, dword ptr fs:[00000030h] 1_2_00AD7E41
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00AD7E41 mov eax, dword ptr fs:[00000030h] 1_2_00AD7E41
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00AD7E41 mov eax, dword ptr fs:[00000030h] 1_2_00AD7E41
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00AD7E41 mov eax, dword ptr fs:[00000030h] 1_2_00AD7E41
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00B8AE44 mov eax, dword ptr fs:[00000030h] 1_2_00B8AE44
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00B8AE44 mov eax, dword ptr fs:[00000030h] 1_2_00B8AE44
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00B47794 mov eax, dword ptr fs:[00000030h] 1_2_00B47794
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00B47794 mov eax, dword ptr fs:[00000030h] 1_2_00B47794
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00B47794 mov eax, dword ptr fs:[00000030h] 1_2_00B47794
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00AD8794 mov eax, dword ptr fs:[00000030h] 1_2_00AD8794
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00B037F5 mov eax, dword ptr fs:[00000030h] 1_2_00B037F5
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00AC4F2E mov eax, dword ptr fs:[00000030h] 1_2_00AC4F2E
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00AC4F2E mov eax, dword ptr fs:[00000030h] 1_2_00AC4F2E
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00AEB73D mov eax, dword ptr fs:[00000030h] 1_2_00AEB73D
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00AEB73D mov eax, dword ptr fs:[00000030h] 1_2_00AEB73D
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00AFE730 mov eax, dword ptr fs:[00000030h] 1_2_00AFE730
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00AFA70E mov eax, dword ptr fs:[00000030h] 1_2_00AFA70E
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00AFA70E mov eax, dword ptr fs:[00000030h] 1_2_00AFA70E
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00B5FF10 mov eax, dword ptr fs:[00000030h] 1_2_00B5FF10
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00B5FF10 mov eax, dword ptr fs:[00000030h] 1_2_00B5FF10
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00B9070D mov eax, dword ptr fs:[00000030h] 1_2_00B9070D
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00B9070D mov eax, dword ptr fs:[00000030h] 1_2_00B9070D
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00AEF716 mov eax, dword ptr fs:[00000030h] 1_2_00AEF716
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00ADFF60 mov eax, dword ptr fs:[00000030h] 1_2_00ADFF60
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00B98F6A mov eax, dword ptr fs:[00000030h] 1_2_00B98F6A
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 1_2_00ADEF40 mov eax, dword ptr fs:[00000030h] 1_2_00ADEF40
Source: C:\Windows\SysWOW64\help.exe Code function: 6_2_02FB4AEF mov eax, dword ptr fs:[00000030h] 6_2_02FB4AEF
Source: C:\Windows\SysWOW64\help.exe Code function: 6_2_02FB4AEF mov eax, dword ptr fs:[00000030h] 6_2_02FB4AEF
Source: C:\Windows\SysWOW64\help.exe Code function: 6_2_02FB4AEF mov eax, dword ptr fs:[00000030h] 6_2_02FB4AEF
Source: C:\Windows\SysWOW64\help.exe Code function: 6_2_02FB4AEF mov eax, dword ptr fs:[00000030h] 6_2_02FB4AEF
Source: C:\Windows\SysWOW64\help.exe Code function: 6_2_02FB4AEF mov eax, dword ptr fs:[00000030h] 6_2_02FB4AEF
Source: C:\Windows\SysWOW64\help.exe Code function: 6_2_02FB4AEF mov eax, dword ptr fs:[00000030h] 6_2_02FB4AEF
Source: C:\Windows\SysWOW64\help.exe Code function: 6_2_02FB4AEF mov eax, dword ptr fs:[00000030h] 6_2_02FB4AEF
Source: C:\Windows\SysWOW64\help.exe Code function: 6_2_02FB4AEF mov eax, dword ptr fs:[00000030h] 6_2_02FB4AEF
Source: C:\Windows\SysWOW64\help.exe Code function: 6_2_02FB4AEF mov eax, dword ptr fs:[00000030h] 6_2_02FB4AEF
Source: C:\Windows\SysWOW64\help.exe Code function: 6_2_02FB4AEF mov eax, dword ptr fs:[00000030h] 6_2_02FB4AEF
Source: C:\Windows\SysWOW64\help.exe Code function: 6_2_02FB4AEF mov eax, dword ptr fs:[00000030h] 6_2_02FB4AEF
Source: C:\Windows\SysWOW64\help.exe Code function: 6_2_02FB4AEF mov eax, dword ptr fs:[00000030h] 6_2_02FB4AEF
Source: C:\Windows\SysWOW64\help.exe Code function: 6_2_02FB4AEF mov eax, dword ptr fs:[00000030h] 6_2_02FB4AEF
Source: C:\Windows\SysWOW64\help.exe Code function: 6_2_02FB4AEF mov eax, dword ptr fs:[00000030h] 6_2_02FB4AEF
Source: C:\Windows\SysWOW64\help.exe Code function: 6_2_02F22AE4 mov eax, dword ptr fs:[00000030h] 6_2_02F22AE4
Source: C:\Windows\SysWOW64\help.exe Code function: 6_2_02F22ACB mov eax, dword ptr fs:[00000030h] 6_2_02F22ACB
Source: C:\Windows\SysWOW64\help.exe Code function: 6_2_02F0AAB0 mov eax, dword ptr fs:[00000030h] 6_2_02F0AAB0
Source: C:\Windows\SysWOW64\help.exe Code function: 6_2_02F0AAB0 mov eax, dword ptr fs:[00000030h] 6_2_02F0AAB0
Source: C:\Windows\SysWOW64\help.exe Code function: 6_2_02F2FAB0 mov eax, dword ptr fs:[00000030h] 6_2_02F2FAB0
Source: C:\Windows\SysWOW64\help.exe Code function: 6_2_02EF52A5 mov eax, dword ptr fs:[00000030h] 6_2_02EF52A5
Source: C:\Windows\SysWOW64\help.exe Code function: 6_2_02EF52A5 mov eax, dword ptr fs:[00000030h] 6_2_02EF52A5
Source: C:\Windows\SysWOW64\help.exe Code function: 6_2_02EF52A5 mov eax, dword ptr fs:[00000030h] 6_2_02EF52A5
Source: C:\Windows\SysWOW64\help.exe Code function: 6_2_02EF52A5 mov eax, dword ptr fs:[00000030h] 6_2_02EF52A5
Source: C:\Windows\SysWOW64\help.exe Code function: 6_2_02EF52A5 mov eax, dword ptr fs:[00000030h] 6_2_02EF52A5
Source: C:\Windows\SysWOW64\help.exe Code function: 6_2_02F2D294 mov eax, dword ptr fs:[00000030h] 6_2_02F2D294
Source: C:\Windows\SysWOW64\help.exe Code function: 6_2_02F2D294 mov eax, dword ptr fs:[00000030h] 6_2_02F2D294
Source: C:\Windows\SysWOW64\help.exe Code function: 6_2_02F3927A mov eax, dword ptr fs:[00000030h] 6_2_02F3927A
Source: C:\Windows\SysWOW64\help.exe Code function: 6_2_02FAB260 mov eax, dword ptr fs:[00000030h] 6_2_02FAB260
Source: C:\Windows\SysWOW64\help.exe Code function: 6_2_02FAB260 mov eax, dword ptr fs:[00000030h] 6_2_02FAB260
Source: C:\Windows\SysWOW64\help.exe Code function: 6_2_02FC8A62 mov eax, dword ptr fs:[00000030h] 6_2_02FC8A62
Source: C:\Windows\SysWOW64\help.exe Code function: 6_2_02FBEA55 mov eax, dword ptr fs:[00000030h] 6_2_02FBEA55
Source: C:\Windows\SysWOW64\help.exe Code function: 6_2_02EF9240 mov eax, dword ptr fs:[00000030h] 6_2_02EF9240
Source: C:\Windows\SysWOW64\help.exe Code function: 6_2_02EF9240 mov eax, dword ptr fs:[00000030h] 6_2_02EF9240
Source: C:\Windows\SysWOW64\help.exe Code function: 6_2_02EF9240 mov eax, dword ptr fs:[00000030h] 6_2_02EF9240
Source: C:\Windows\SysWOW64\help.exe Code function: 6_2_02EF9240 mov eax, dword ptr fs:[00000030h] 6_2_02EF9240
Source: C:\Windows\SysWOW64\help.exe Code function: 6_2_02F84257 mov eax, dword ptr fs:[00000030h] 6_2_02F84257
Source: C:\Windows\SysWOW64\help.exe Code function: 6_2_02F1B236 mov eax, dword ptr fs:[00000030h] 6_2_02F1B236
Source: C:\Windows\SysWOW64\help.exe Code function: 6_2_02F1B236 mov eax, dword ptr fs:[00000030h] 6_2_02F1B236
Source: C:\Windows\SysWOW64\help.exe Code function: 6_2_02F1B236 mov eax, dword ptr fs:[00000030h] 6_2_02F1B236
Source: C:\Windows\SysWOW64\help.exe Code function: 6_2_02F1B236 mov eax, dword ptr fs:[00000030h] 6_2_02F1B236
Source: C:\Windows\SysWOW64\help.exe Code function: 6_2_02F1B236 mov eax, dword ptr fs:[00000030h] 6_2_02F1B236
Source: C:\Windows\SysWOW64\help.exe Code function: 6_2_02F1B236 mov eax, dword ptr fs:[00000030h] 6_2_02F1B236
Source: C:\Windows\SysWOW64\help.exe Code function: 6_2_02F1A229 mov eax, dword ptr fs:[00000030h] 6_2_02F1A229
Source: C:\Windows\SysWOW64\help.exe Code function: 6_2_02F1A229 mov eax, dword ptr fs:[00000030h] 6_2_02F1A229
Source: C:\Windows\SysWOW64\help.exe Code function: 6_2_02F1A229 mov eax, dword ptr fs:[00000030h] 6_2_02F1A229
Source: C:\Windows\SysWOW64\help.exe Code function: 6_2_02F1A229 mov eax, dword ptr fs:[00000030h] 6_2_02F1A229
Source: C:\Windows\SysWOW64\help.exe Code function: 6_2_02F1A229 mov eax, dword ptr fs:[00000030h] 6_2_02F1A229
Source: C:\Windows\SysWOW64\help.exe Code function: 6_2_02F1A229 mov eax, dword ptr fs:[00000030h] 6_2_02F1A229
Source: C:\Windows\SysWOW64\help.exe Code function: 6_2_02F1A229 mov eax, dword ptr fs:[00000030h] 6_2_02F1A229
Source: C:\Windows\SysWOW64\help.exe Code function: 6_2_02F1A229 mov eax, dword ptr fs:[00000030h] 6_2_02F1A229
Source: C:\Windows\SysWOW64\help.exe Code function: 6_2_02F1A229 mov eax, dword ptr fs:[00000030h] 6_2_02F1A229
Source: C:\Windows\SysWOW64\help.exe Code function: 6_2_02F34A2C mov eax, dword ptr fs:[00000030h] 6_2_02F34A2C
Source: C:\Windows\SysWOW64\help.exe Code function: 6_2_02F34A2C mov eax, dword ptr fs:[00000030h] 6_2_02F34A2C
Source: C:\Windows\SysWOW64\help.exe Code function: 6_2_02F13A1C mov eax, dword ptr fs:[00000030h] 6_2_02F13A1C
Source: C:\Windows\SysWOW64\help.exe Code function: 6_2_02FBAA16 mov eax, dword ptr fs:[00000030h] 6_2_02FBAA16
Source: C:\Windows\SysWOW64\help.exe Code function: 6_2_02FBAA16 mov eax, dword ptr fs:[00000030h] 6_2_02FBAA16
Source: C:\Windows\SysWOW64\help.exe Code function: 6_2_02EFAA16 mov eax, dword ptr fs:[00000030h] 6_2_02EFAA16
Source: C:\Windows\SysWOW64\help.exe Code function: 6_2_02EFAA16 mov eax, dword ptr fs:[00000030h] 6_2_02EFAA16
Source: C:\Windows\SysWOW64\help.exe Code function: 6_2_02F08A0A mov eax, dword ptr fs:[00000030h] 6_2_02F08A0A
Source: C:\Windows\SysWOW64\help.exe Code function: 6_2_02EF5210 mov eax, dword ptr fs:[00000030h] 6_2_02EF5210
Source: C:\Windows\SysWOW64\help.exe Code function: 6_2_02EF5210 mov ecx, dword ptr fs:[00000030h] 6_2_02EF5210
Source: C:\Windows\SysWOW64\help.exe Code function: 6_2_02EF5210 mov eax, dword ptr fs:[00000030h] 6_2_02EF5210
Source: C:\Windows\SysWOW64\help.exe Code function: 6_2_02EF5210 mov eax, dword ptr fs:[00000030h] 6_2_02EF5210
Source: C:\Windows\SysWOW64\help.exe Code function: 6_2_02F203E2 mov eax, dword ptr fs:[00000030h] 6_2_02F203E2
Source: C:\Windows\SysWOW64\help.exe Code function: 6_2_02F203E2 mov eax, dword ptr fs:[00000030h] 6_2_02F203E2
Source: C:\Windows\SysWOW64\help.exe Code function: 6_2_02F203E2 mov eax, dword ptr fs:[00000030h] 6_2_02F203E2
Source: C:\Windows\SysWOW64\help.exe Code function: 6_2_02F203E2 mov eax, dword ptr fs:[00000030h] 6_2_02F203E2
Source: C:\Windows\SysWOW64\help.exe Code function: 6_2_02F203E2 mov eax, dword ptr fs:[00000030h] 6_2_02F203E2
Source: C:\Windows\SysWOW64\help.exe Code function: 6_2_02F203E2 mov eax, dword ptr fs:[00000030h] 6_2_02F203E2
Source: C:\Windows\SysWOW64\help.exe Code function: 6_2_02F1DBE9 mov eax, dword ptr fs:[00000030h] 6_2_02F1DBE9
Source: C:\Windows\SysWOW64\help.exe Code function: 6_2_02FA23E3 mov ecx, dword ptr fs:[00000030h] 6_2_02FA23E3
Source: C:\Windows\SysWOW64\help.exe Code function: 6_2_02FA23E3 mov ecx, dword ptr fs:[00000030h] 6_2_02FA23E3
Source: C:\Windows\SysWOW64\help.exe Code function: 6_2_02FA23E3 mov eax, dword ptr fs:[00000030h] 6_2_02FA23E3
Source: C:\Windows\SysWOW64\help.exe Code function: 6_2_02F253C5 mov eax, dword ptr fs:[00000030h] 6_2_02F253C5
Source: C:\Windows\SysWOW64\help.exe Code function: 6_2_02F753CA mov eax, dword ptr fs:[00000030h] 6_2_02F753CA
Source: C:\Windows\SysWOW64\help.exe Code function: 6_2_02F753CA mov eax, dword ptr fs:[00000030h] 6_2_02F753CA
Source: C:\Windows\SysWOW64\help.exe Code function: 6_2_02FC5BA5 mov eax, dword ptr fs:[00000030h] 6_2_02FC5BA5
Source: C:\Windows\SysWOW64\help.exe Code function: 6_2_02F24BAD mov eax, dword ptr fs:[00000030h] 6_2_02F24BAD
Source: C:\Windows\SysWOW64\help.exe Code function: 6_2_02F24BAD mov eax, dword ptr fs:[00000030h] 6_2_02F24BAD
Source: C:\Windows\SysWOW64\help.exe Code function: 6_2_02F24BAD mov eax, dword ptr fs:[00000030h] 6_2_02F24BAD
Source: C:\Windows\SysWOW64\help.exe Code function: 6_2_02F2B390 mov eax, dword ptr fs:[00000030h] 6_2_02F2B390
Source: C:\Windows\SysWOW64\help.exe Code function: 6_2_02F22397 mov eax, dword ptr fs:[00000030h] 6_2_02F22397
Source: C:\Windows\SysWOW64\help.exe Code function: 6_2_02F1EB9A mov eax, dword ptr fs:[00000030h] 6_2_02F1EB9A
Source: C:\Windows\SysWOW64\help.exe Code function: 6_2_02F1EB9A mov eax, dword ptr fs:[00000030h] 6_2_02F1EB9A
Source: C:\Windows\SysWOW64\help.exe Code function: 6_2_02FB138A mov eax, dword ptr fs:[00000030h] 6_2_02FB138A
Source: C:\Windows\SysWOW64\help.exe Code function: 6_2_02F2138B mov eax, dword ptr fs:[00000030h] 6_2_02F2138B
Source: C:\Windows\SysWOW64\help.exe Code function: 6_2_02F2138B mov eax, dword ptr fs:[00000030h] 6_2_02F2138B
Source: C:\Windows\SysWOW64\help.exe Code function: 6_2_02F2138B mov eax, dword ptr fs:[00000030h] 6_2_02F2138B
Source: C:\Windows\SysWOW64\help.exe Code function: 6_2_02FAD380 mov ecx, dword ptr fs:[00000030h] 6_2_02FAD380
Source: C:\Windows\SysWOW64\help.exe Code function: 6_2_02F01B8F mov eax, dword ptr fs:[00000030h] 6_2_02F01B8F
Source: C:\Windows\SysWOW64\help.exe Code function: 6_2_02F01B8F mov eax, dword ptr fs:[00000030h] 6_2_02F01B8F
Source: C:\Windows\SysWOW64\help.exe Code function: 6_2_02F23B7A mov eax, dword ptr fs:[00000030h] 6_2_02F23B7A
Source: C:\Windows\SysWOW64\help.exe Code function: 6_2_02F23B7A mov eax, dword ptr fs:[00000030h] 6_2_02F23B7A
Source: C:\Windows\SysWOW64\help.exe Code function: 6_2_02EFDB60 mov ecx, dword ptr fs:[00000030h] 6_2_02EFDB60
Source: C:\Windows\SysWOW64\help.exe Code function: 6_2_02FC8B58 mov eax, dword ptr fs:[00000030h] 6_2_02FC8B58
Source: C:\Windows\SysWOW64\help.exe Code function: 6_2_02EFDB40 mov eax, dword ptr fs:[00000030h] 6_2_02EFDB40
Source: C:\Windows\SysWOW64\help.exe Code function: 6_2_02EFF358 mov eax, dword ptr fs:[00000030h] 6_2_02EFF358
Source: C:\Windows\SysWOW64\help.exe Code function: 6_2_02FB131B mov eax, dword ptr fs:[00000030h] 6_2_02FB131B
Source: C:\Windows\SysWOW64\help.exe Code function: 6_2_02F1A309 mov eax, dword ptr fs:[00000030h] 6_2_02F1A309
Source: C:\Windows\SysWOW64\help.exe Code function: 6_2_02F1A309 mov eax, dword ptr fs:[00000030h] 6_2_02F1A309
Source: C:\Windows\SysWOW64\help.exe Code function: 6_2_02F1A309 mov eax, dword ptr fs:[00000030h] 6_2_02F1A309
Source: C:\Windows\SysWOW64\help.exe Code function: 6_2_02F1A309 mov eax, dword ptr fs:[00000030h] 6_2_02F1A309
Source: C:\Windows\SysWOW64\help.exe Code function: 6_2_02F1A309 mov eax, dword ptr fs:[00000030h] 6_2_02F1A309
Source: C:\Windows\SysWOW64\help.exe Code function: 6_2_02F1A309 mov eax, dword ptr fs:[00000030h] 6_2_02F1A309
Source: C:\Windows\SysWOW64\help.exe Code function: 6_2_02F1A309 mov eax, dword ptr fs:[00000030h] 6_2_02F1A309
Source: C:\Windows\SysWOW64\help.exe Code function: 6_2_02F1A309 mov eax, dword ptr fs:[00000030h] 6_2_02F1A309
Source: C:\Windows\SysWOW64\help.exe Code function: 6_2_02F1A309 mov eax, dword ptr fs:[00000030h] 6_2_02F1A309
Enables debug privileges
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\help.exe Process token adjusted: Debug

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe Network Connect: 104.21.89.72 80
Source: C:\Windows\explorer.exe Network Connect: 173.234.255.253 80
Source: C:\Windows\explorer.exe Domain query: www.starflexacademy.com
Source: C:\Windows\explorer.exe Domain query: www.dndemystified.com
Source: C:\Windows\explorer.exe Domain query: www.meganfantastic.com
Source: C:\Windows\explorer.exe Domain query: www.candydulce.com
Source: C:\Windows\explorer.exe Domain query: www.ezonkorea.com
Source: C:\Windows\explorer.exe Network Connect: 3.143.65.214 80
Source: C:\Windows\explorer.exe Network Connect: 45.195.169.197 80
Source: C:\Windows\explorer.exe Network Connect: 3.34.12.41 80
Source: C:\Windows\explorer.exe Network Connect: 104.18.193.20 80
Source: C:\Windows\explorer.exe Network Connect: 107.180.57.111 80
Source: C:\Windows\explorer.exe Domain query: www.take-me-bergen.com
Source: C:\Windows\explorer.exe Domain query: www.insurancedowntown.com
Source: C:\Windows\explorer.exe Domain query: www.obi4ex.com
Source: C:\Windows\explorer.exe Network Connect: 172.67.206.33 80
Source: C:\Windows\explorer.exe Domain query: www.ladorreguita.com
Maps a DLL or memory area into another process
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Section loaded: unknown target: C:\Users\user\Desktop\KY4cmAI0jU.exe protection: execute and read and write
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Section loaded: unknown target: C:\Windows\SysWOW64\help.exe protection: execute and read and write
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Section loaded: unknown target: C:\Windows\SysWOW64\help.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\help.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\help.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Modifies the context of a thread in another process (thread injection)
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Thread register set: target process: 3388
Source: C:\Windows\SysWOW64\help.exe Thread register set: target process: 3388
Queues an APC in another process (thread injection)
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Thread APC queued: target process: C:\Windows\explorer.exe
Sample uses process hollowing technique
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Section unmapped: C:\Windows\SysWOW64\help.exe base address: B80000
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Process created: C:\Users\user\Desktop\KY4cmAI0jU.exe 'C:\Users\user\Desktop\KY4cmAI0jU.exe'
Source: C:\Windows\SysWOW64\help.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\KY4cmAI0jU.exe'
Source: explorer.exe, 00000002.00000000.244267378.0000000001398000.00000004.00000020.sdmp Binary or memory string: ProgmanamF
Source: explorer.exe, 00000002.00000000.244805482.0000000001980000.00000002.00000001.sdmp, help.exe, 00000006.00000002.483227631.00000000054F0000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: explorer.exe, 00000002.00000000.235214151.000000000871F000.00000004.00000001.sdmp, help.exe, 00000006.00000002.483227631.00000000054F0000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000002.00000000.244805482.0000000001980000.00000002.00000001.sdmp, help.exe, 00000006.00000002.483227631.00000000054F0000.00000002.00000001.sdmp Binary or memory string: Progman
Source: explorer.exe, 00000002.00000000.244805482.0000000001980000.00000002.00000001.sdmp, help.exe, 00000006.00000002.483227631.00000000054F0000.00000002.00000001.sdmp Binary or memory string: Progmanlock
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe Code function: 0_2_00405B88 GetVersion,GetSystemDirectoryA,GetWindowsDirectoryA,SHGetSpecialFolderLocation,SHGetPathFromIDListA,CoTaskMemFree,lstrcatA,lstrlenA, 0_2_00405B88

Stealing of Sensitive Information:

Yara detected FormBook
Source: Yara match File source: 00000006.00000002.479659636.0000000000B20000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.266058058.00000000009E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.218657751.0000000002170000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.477991027.0000000000560000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.265737304.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.266028847.00000000009B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.479612487.0000000000AF0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000001.216588771.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0.2.KY4cmAI0jU.exe.2170000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.1.KY4cmAI0jU.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.KY4cmAI0jU.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.KY4cmAI0jU.exe.2170000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.KY4cmAI0jU.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.1.KY4cmAI0jU.exe.400000.0.raw.unpack, type: UNPACKEDPE

Remote Access Functionality:

Yara detected FormBook
Source: Yara match File source: 00000006.00000002.479659636.0000000000B20000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.266058058.00000000009E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.218657751.0000000002170000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.477991027.0000000000560000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.265737304.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.266028847.00000000009B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.479612487.0000000000AF0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000001.216588771.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0.2.KY4cmAI0jU.exe.2170000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.1.KY4cmAI0jU.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.KY4cmAI0jU.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.KY4cmAI0jU.exe.2170000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.KY4cmAI0jU.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.1.KY4cmAI0jU.exe.400000.0.raw.unpack, type: UNPACKEDPE