Analysis Report 3.exe

Overview

General Information

Sample Name: 3.exe
Analysis ID: 433178
MD5: 21f077fa0e739f6174e2452abc30bb7c
SHA1: 9d60988db53eb662eb6a8e2f824036348f5e7ec0
SHA256: 6f536ae781fd98358126408aa6991b4bb3ec3f9940929a22b25f785b71ec770d
Tags: exe
Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
C2 URLs / IPs found in malware configuration
Injects a PE file into a foreign process
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect virtualization through RDTSC time measurements
Uses ipconfig to lookup or modify the Windows network settings
Abnormal high CPU Usage
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
PE file contains strange resources
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file name is different from the original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

AV Detection:

Found malware configuration
Source: 00000001.00000002.303173602.0000000000890000.00000040.00000001.sdmp Malware Configuration Extractor: FormBook {"C2 list": ["www.glocp9.com/ogpo/"], "decoy": ["ctluxurypropinternational.com", "mortgagenewsdailt.com", "diegofragnaud.info", "marthapollackesq.com", "thirtynightstay.com", "sschospitalbardoli.com", "plaquitasparamascota.com", "keochatluong.com", "420rankings.com", "westwoodstorageco.com", "valdobbiadeneinlove.com", "the427group.com", "cartercavanaugh.com", "ivvitaminsofarizona.com", "ummemunira.com", "amplifierconsulting.net", "spk-sakuranomiya.com", "anjanaonline.com", "kalibriya.com", "baincot.com", "mcintire2020.com", "janbosun.com", "briankingfineart.com", "erictailey.com", "shwanfan.com", "secretpal.club", "heatingandairtulsa.com", "hungthinhrealfintechhub.net", "dawnlodge.com", "indyoutlaws.com", "capitalpipework.com", "ngancali.com", "beconnectedby.com", "lindsaysgill.com", "mykidscast.com", "nosequemierda.com", "lightinemporium.com", "18tshortstore.com", "blakedroberts.com", "atlaschatbot.com", "healthchu.com", "aersous.info", "hanoinews.site", "studiodates.com", "gzgzdcd.com", "beeta-company.com", "mu-rain.com", "apalstyle.com", "lezbyfriends.com", "beerundead.com", "superb-mushroomcoffee.fyi", "pennydamspickups.com", "haircutbytin.com", "fulmarsolutions.com", "guoteng66.com", "plastictohydrogen.com", "dingarage.com", "elyernoson03ak2.xyz", "hayatatateyama.com", "templatejar.com", "catherinelazure.com", "ayco.sucks", "vigipharx.com", "devastateclo.com"]}
Multi AV Scanner detection for submitted file
Source: 3.exe Virustotal: Detection: 58%
Source: 3.exe Metadefender: Detection: 42%
Source: 3.exe ReversingLabs: Detection: 75%
Yara detected FormBook
Source: Yara match File source: 00000001.00000002.303173602.0000000000890000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000000.242461084.0000000000400000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.303194189.00000000008C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.302863521.0000000000401000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.464333846.0000000000110000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.465951978.0000000000740000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.465630345.0000000000700000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 1.0.3.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.3.exe.400000.0.unpack, type: UNPACKEDPE
Antivirus or Machine Learning detection for unpacked file
Source: 1.2.3.exe.400000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen

Compliance:

Uses 32bit PE files
Source: 3.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, BYTES_REVERSED_LO, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, BYTES_REVERSED_HI
Source: unknown HTTPS traffic detected: 162.159.135.233:443 -> 192.168.2.3:49716 version: TLS 1.2
Source: Binary string: ipconfig.pdb source: 3.exe, 00000001.00000002.303221252.0000000000930000.00000040.00000001.sdmp
Source: Binary string: ipconfig.pdbGCTL source: 3.exe, 00000001.00000002.303221252.0000000000930000.00000040.00000001.sdmp
Source: Binary string: MusNotifyIcon.pdb source: explorer.exe, 00000005.00000000.276361272.000000000F707000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdbUGP source: 3.exe, 00000001.00000003.242702997.0000000000750000.00000004.00000001.sdmp, ipconfig.exe, 00000013.00000002.468141767.0000000002C9F000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: 3.exe, ipconfig.exe
Source: Binary string: MusNotifyIcon.pdbGCTL source: explorer.exe, 00000005.00000000.276361272.000000000F707000.00000004.00000001.sdmp

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: www.glocp9.com/ogpo/
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /ogpo/?A48d=Eb/5YKKvhsVSjoe7WKqK8lvHUaW+cW6NCkYNvfPB2x3dLSCrEs0nDFeyqabSLZo4f9MA&6lR=6lV0 HTTP/1.1 | Host: www.cartercavanaugh.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic HTTP traffic detected: GET /ogpo/?A48d=zC0kwP5bKctHlfLOB2+sibzcGKB3iMHeqEe/jIuGwpXwhXE0RzFo/zlZKctRC22ZSehm&6lR=6lV0 HTTP/1.1 | Host: www.ayco.sucks | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic HTTP traffic detected: GET /ogpo/?A48d=/XqmpevXxgIJIxa5hFR8qIX06AkulEmPv+VC/TbkNW7S9I21kt2cK+1HkO47P92lOvxw&6lR=6lV0 HTTP/1.1 | Host: www.vigipharx.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic HTTP traffic detected: GET /ogpo/?A48d=CbUJuKt7Vosrs6ZfvMy9ZACJtxh5Vn+1+a7oDBWZt+TgGm/ZX/AruvxTHNafm6iWRnNw&6lR=6lV0 HTTP/1.1 | Host: www.plastictohydrogen.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic HTTP traffic detected: GET /ogpo/?A48d=Jl6F8JfRXKQuEgspHKEQWFx9lJkkJ81RWL0viny1sd20tPIEiWVj+so6v/m+sN8GJ3v/&6lR=6lV0 HTTP/1.1 | Host: www.amplifierconsulting.net | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic HTTP traffic detected: GET /ogpo/?A48d=+lkBStlSiE9+OFshkPx+Yq+/zzAm/Md4bR1wj/5ry8M79budoFYJrIGh8Lqk2S+anP0V&6lR=6lV0 HTTP/1.1 | Host: www.plaquitasparamascota.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 54.147.194.143 54.147.194.143
Source: Joe Sandbox View IP Address: 81.17.18.198 81.17.18.198
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: AMAZON-AESUS AMAZON-AESUS
Source: Joe Sandbox View ASN Name: PLI-ASCH PLI-ASCH
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: unknown DNS traffic detected: queries for: cdn.discordapp.com
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx | Date: Fri, 11 Jun 2021 10:23:46 GMT | Content-Type: text/html; charset=utf-8 | Transfer-Encoding: chunked | Connection: close | X-Powered-By: PHP/7.3.27 | Expires: Thu, 19 Nov 1981 08:52:00 GMT | Cache-Control: no-store, no-cache, must-revalidate | Pragma: no-cache | Set-Cookie: PHPSESSID=ab594f30faefbfad908548750f3c4e85; path=/ | Vary: Host | Data Raw: 36 62 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a | Data Ascii: 6b<!DOCTYPE html><html><head><title>404 Not Found</title></head><body>404 Not Found</body></html>0
Source: explorer.exe, 00000005.00000003.293007696.000000000F6C3000.00000004.00000001.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: explorer.exe, 00000005.00000000.270520522.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://fontfabrik.com
Source: explorer.exe, 00000005.00000000.270520522.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000005.00000000.270520522.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 00000005.00000000.270520522.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000005.00000000.270520522.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 00000005.00000000.270520522.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 00000005.00000000.270520522.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 00000005.00000000.270520522.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: explorer.exe, 00000005.00000000.270520522.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 00000005.00000000.270520522.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 00000005.00000000.270520522.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 00000005.00000000.270520522.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 00000005.00000000.270520522.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 00000005.00000000.270520522.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 00000005.00000000.270520522.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 00000005.00000000.270520522.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 00000005.00000000.270520522.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 00000005.00000000.270520522.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 00000005.00000000.270520522.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 00000005.00000000.270520522.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 00000005.00000000.270520522.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 00000005.00000000.270520522.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000005.00000000.270520522.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 00000005.00000000.270520522.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 00000005.00000000.270520522.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 00000005.00000000.270520522.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.zhongyicts.com.cn
Source: unknown Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown HTTPS traffic detected: 162.159.135.233:443 -> 192.168.2.3:49716 version: TLS 1.2

E-Banking Fraud:

Yara detected FormBook
Source: Yara match File source: 00000001.00000002.303173602.0000000000890000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000000.242461084.0000000000400000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.303194189.00000000008C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.302863521.0000000000401000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.464333846.0000000000110000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.465951978.0000000000740000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.465630345.0000000000700000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 1.0.3.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.3.exe.400000.0.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000001.00000002.303173602.0000000000890000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.303173602.0000000000890000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000000.242461084.0000000000400000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000000.242461084.0000000000400000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.303194189.00000000008C0000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.303194189.00000000008C0000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.302863521.0000000000401000.00000020.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.302863521.0000000000401000.00000020.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000013.00000002.464333846.0000000000110000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000013.00000002.464333846.0000000000110000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000013.00000002.465951978.0000000000740000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000013.00000002.465951978.0000000000740000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000013.00000002.465630345.0000000000700000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000013.00000002.465630345.0000000000700000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.0.3.exe.400000.1.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.0.3.exe.400000.1.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.2.3.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.3.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Abnormal high CPU Usage
Source: C:\Windows\SysWOW64\ipconfig.exe Process Stats: CPU usage > 98%
Contains functionality to call native functions
Source: C:\Users\user\Desktop\3.exe Code function: 1_2_004181B0 NtCreateFile, 1_2_004181B0
Source: C:\Users\user\Desktop\3.exe Code function: 1_2_00418260 NtReadFile, 1_2_00418260
Source: C:\Users\user\Desktop\3.exe Code function: 1_2_004182E0 NtClose, 1_2_004182E0
Source: C:\Users\user\Desktop\3.exe Code function: 1_2_00418390 NtAllocateVirtualMemory, 1_2_00418390
Source: C:\Users\user\Desktop\3.exe Code function: 1_2_004182DA NtClose, 1_2_004182DA
Source: C:\Users\user\Desktop\3.exe Code function: 1_2_0041838A NtAllocateVirtualMemory, 1_2_0041838A
Source: C:\Users\user\Desktop\3.exe Code function: 1_2_00AE98F0 NtReadVirtualMemory,LdrInitializeThunk, 1_2_00AE98F0
Source: C:\Users\user\Desktop\3.exe Code function: 1_2_00AE9860 NtQuerySystemInformation,LdrInitializeThunk, 1_2_00AE9860
Source: C:\Users\user\Desktop\3.exe Code function: 1_2_00AE9840 NtDelayExecution,LdrInitializeThunk, 1_2_00AE9840
Source: C:\Users\user\Desktop\3.exe Code function: 1_2_00AE99A0 NtCreateSection,LdrInitializeThunk, 1_2_00AE99A0
Source: C:\Users\user\Desktop\3.exe Code function: 1_2_00AE9910 NtAdjustPrivilegesToken,LdrInitializeThunk, 1_2_00AE9910
Source: C:\Users\user\Desktop\3.exe Code function: 1_2_00AE9A20 NtResumeThread,LdrInitializeThunk, 1_2_00AE9A20
Source: C:\Users\user\Desktop\3.exe Code function: 1_2_00AE9A00 NtProtectVirtualMemory,LdrInitializeThunk, 1_2_00AE9A00
Source: C:\Users\user\Desktop\3.exe Code function: 1_2_00AE9A50 NtCreateFile,LdrInitializeThunk, 1_2_00AE9A50
Source: C:\Users\user\Desktop\3.exe Code function: 1_2_00AE95D0 NtClose,LdrInitializeThunk, 1_2_00AE95D0
Source: C:\Users\user\Desktop\3.exe Code function: 1_2_00AE9540 NtReadFile,LdrInitializeThunk, 1_2_00AE9540
Source: C:\Users\user\Desktop\3.exe Code function: 1_2_00AE96E0 NtFreeVirtualMemory,LdrInitializeThunk, 1_2_00AE96E0
Source: C:\Users\user\Desktop\3.exe Code function: 1_2_00AE9660 NtAllocateVirtualMemory,LdrInitializeThunk, 1_2_00AE9660
Source: C:\Users\user\Desktop\3.exe Code function: 1_2_00AE97A0 NtUnmapViewOfSection,LdrInitializeThunk, 1_2_00AE97A0
Source: C:\Users\user\Desktop\3.exe Code function: 1_2_00AE9780 NtMapViewOfSection,LdrInitializeThunk, 1_2_00AE9780
Source: C:\Users\user\Desktop\3.exe Code function: 1_2_00AE9FE0 NtCreateMutant,LdrInitializeThunk, 1_2_00AE9FE0
Source: C:\Users\user\Desktop\3.exe Code function: 1_2_00AE9710 NtQueryInformationToken,LdrInitializeThunk, 1_2_00AE9710
Source: C:\Users\user\Desktop\3.exe Code function: 1_2_00AE98A0 NtWriteVirtualMemory, 1_2_00AE98A0
Source: C:\Users\user\Desktop\3.exe Code function: 1_2_00AE9820 NtEnumerateKey, 1_2_00AE9820
Source: C:\Users\user\Desktop\3.exe Code function: 1_2_00AEB040 NtSuspendThread, 1_2_00AEB040
Source: C:\Users\user\Desktop\3.exe Code function: 1_2_00AE99D0 NtCreateProcessEx, 1_2_00AE99D0
Source: C:\Users\user\Desktop\3.exe Code function: 1_2_00AE9950 NtQueueApcThread, 1_2_00AE9950
Source: C:\Users\user\Desktop\3.exe Code function: 1_2_00AE9A80 NtOpenDirectoryObject, 1_2_00AE9A80
Source: C:\Users\user\Desktop\3.exe Code function: 1_2_00AE9A10 NtQuerySection, 1_2_00AE9A10
Source: C:\Users\user\Desktop\3.exe Code function: 1_2_00AEA3B0 NtGetContextThread, 1_2_00AEA3B0
Source: C:\Users\user\Desktop\3.exe Code function: 1_2_00AE9B00 NtSetValueKey, 1_2_00AE9B00
Source: C:\Users\user\Desktop\3.exe Code function: 1_2_00AE95F0 NtQueryInformationFile, 1_2_00AE95F0
Source: C:\Users\user\Desktop\3.exe Code function: 1_2_00AE9520 NtWaitForSingleObject, 1_2_00AE9520
Source: C:\Users\user\Desktop\3.exe Code function: 1_2_00AEAD30 NtSetContextThread, 1_2_00AEAD30
Source: C:\Users\user\Desktop\3.exe Code function: 1_2_00AE9560 NtWriteFile, 1_2_00AE9560
Source: C:\Users\user\Desktop\3.exe Code function: 1_2_00AE96D0 NtCreateKey, 1_2_00AE96D0
Source: C:\Users\user\Desktop\3.exe Code function: 1_2_00AE9610 NtEnumerateValueKey, 1_2_00AE9610
Source: C:\Users\user\Desktop\3.exe Code function: 1_2_00AE9670 NtQueryInformationProcess, 1_2_00AE9670
Source: C:\Users\user\Desktop\3.exe Code function: 1_2_00AE9650 NtQueryValueKey, 1_2_00AE9650
Source: C:\Users\user\Desktop\3.exe Code function: 1_2_00AE9730 NtQueryVirtualMemory, 1_2_00AE9730
Source: C:\Users\user\Desktop\3.exe Code function: 1_2_00AEA710 NtOpenProcessToken, 1_2_00AEA710
Source: C:\Users\user\Desktop\3.exe Code function: 1_2_00AE9760 NtOpenProcess, 1_2_00AE9760
Source: C:\Users\user\Desktop\3.exe Code function: 1_2_00AE9770 NtSetInformationFile, 1_2_00AE9770
Source: C:\Users\user\Desktop\3.exe Code function: 1_2_00AEA770 NtOpenThread, 1_2_00AEA770
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 19_2_02BE9A50 NtCreateFile,LdrInitializeThunk, 19_2_02BE9A50
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 19_2_02BE9860 NtQuerySystemInformation,LdrInitializeThunk, 19_2_02BE9860
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 19_2_02BE9840 NtDelayExecution,LdrInitializeThunk, 19_2_02BE9840
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 19_2_02BE99A0 NtCreateSection,LdrInitializeThunk, 19_2_02BE99A0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 19_2_02BE9910 NtAdjustPrivilegesToken,LdrInitializeThunk, 19_2_02BE9910
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 19_2_02BE96E0 NtFreeVirtualMemory,LdrInitializeThunk, 19_2_02BE96E0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 19_2_02BE96D0 NtCreateKey,LdrInitializeThunk, 19_2_02BE96D0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 19_2_02BE9780 NtMapViewOfSection,LdrInitializeThunk, 19_2_02BE9780
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 19_2_02BE9FE0 NtCreateMutant,LdrInitializeThunk, 19_2_02BE9FE0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 19_2_02BE9710 NtQueryInformationToken,LdrInitializeThunk, 19_2_02BE9710
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 19_2_02BE95D0 NtClose,LdrInitializeThunk, 19_2_02BE95D0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 19_2_02BE9540 NtReadFile,LdrInitializeThunk, 19_2_02BE9540
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 19_2_02BE9A80 NtOpenDirectoryObject, 19_2_02BE9A80
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 19_2_02BE9A20 NtResumeThread, 19_2_02BE9A20
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 19_2_02BE9A10 NtQuerySection, 19_2_02BE9A10
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 19_2_02BE9A00 NtProtectVirtualMemory, 19_2_02BE9A00
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 19_2_02BEA3B0 NtGetContextThread, 19_2_02BEA3B0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 19_2_02BE9B00 NtSetValueKey, 19_2_02BE9B00
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 19_2_02BE98A0 NtWriteVirtualMemory, 19_2_02BE98A0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 19_2_02BE98F0 NtReadVirtualMemory, 19_2_02BE98F0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 19_2_02BE9820 NtEnumerateKey, 19_2_02BE9820
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 19_2_02BEB040 NtSuspendThread, 19_2_02BEB040
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 19_2_02BE99D0 NtCreateProcessEx, 19_2_02BE99D0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 19_2_02BE9950 NtQueueApcThread, 19_2_02BE9950
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 19_2_02BE9610 NtEnumerateValueKey, 19_2_02BE9610
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 19_2_02BE9670 NtQueryInformationProcess, 19_2_02BE9670
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 19_2_02BE9660 NtAllocateVirtualMemory, 19_2_02BE9660
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 19_2_02BE9650 NtQueryValueKey, 19_2_02BE9650
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 19_2_02BE97A0 NtUnmapViewOfSection, 19_2_02BE97A0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 19_2_02BE9730 NtQueryVirtualMemory, 19_2_02BE9730
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 19_2_02BEA710 NtOpenProcessToken, 19_2_02BEA710
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 19_2_02BEA770 NtOpenThread, 19_2_02BEA770
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 19_2_02BE9770 NtSetInformationFile, 19_2_02BE9770
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 19_2_02BE9760 NtOpenProcess, 19_2_02BE9760
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 19_2_02BE95F0 NtQueryInformationFile, 19_2_02BE95F0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 19_2_02BEAD30 NtSetContextThread, 19_2_02BEAD30
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 19_2_02BE9520 NtWaitForSingleObject, 19_2_02BE9520
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 19_2_02BE9560 NtWriteFile, 19_2_02BE9560
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 19_2_001281B0 NtCreateFile, 19_2_001281B0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 19_2_00128260 NtReadFile, 19_2_00128260
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 19_2_001282E0 NtClose, 19_2_001282E0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 19_2_001282DA NtClose, 19_2_001282DA
Detected potential crypto function
Source: C:\Users\user\Desktop\3.exe Code function: 0_3_0230A098 0_3_0230A098
Source: C:\Users\user\Desktop\3.exe Code function: 0_3_02309FC2 0_3_02309FC2
Source: C:\Users\user\Desktop\3.exe Code function: 0_3_02309C70 0_3_02309C70
Source: C:\Users\user\Desktop\3.exe Code function: 1_2_00401030 1_2_00401030
Source: C:\Users\user\Desktop\3.exe Code function: 1_2_0041BBCF 1_2_0041BBCF
Source: C:\Users\user\Desktop\3.exe Code function: 1_2_0041C38B 1_2_0041C38B
Source: C:\Users\user\Desktop\3.exe Code function: 1_2_00408C4C 1_2_00408C4C
Source: C:\Users\user\Desktop\3.exe Code function: 1_2_00408C50 1_2_00408C50
Source: C:\Users\user\Desktop\3.exe Code function: 1_2_0041B493 1_2_0041B493
Source: C:\Users\user\Desktop\3.exe Code function: 1_2_0041C573 1_2_0041C573
Source: C:\Users\user\Desktop\3.exe Code function: 1_2_00402D87 1_2_00402D87
Source: C:\Users\user\Desktop\3.exe Code function: 1_2_00402D90 1_2_00402D90
Source: C:\Users\user\Desktop\3.exe Code function: 1_2_0041CE28 1_2_0041CE28
Source: C:\Users\user\Desktop\3.exe Code function: 1_2_0041BEFB 1_2_0041BEFB
Source: C:\Users\user\Desktop\3.exe Code function: 1_2_0041CF7E 1_2_0041CF7E
Source: C:\Users\user\Desktop\3.exe Code function: 1_2_0041C7EA 1_2_0041C7EA
Source: C:\Users\user\Desktop\3.exe Code function: 1_2_0041BFAB 1_2_0041BFAB
Source: C:\Users\user\Desktop\3.exe Code function: 1_2_00402FB0 1_2_00402FB0
Source: C:\Users\user\Desktop\3.exe Code function: 1_2_00AD20A0 1_2_00AD20A0
Source: C:\Users\user\Desktop\3.exe Code function: 1_2_00B720A8 1_2_00B720A8
Source: C:\Users\user\Desktop\3.exe Code function: 1_2_00ABB090 1_2_00ABB090
Source: C:\Users\user\Desktop\3.exe Code function: 1_2_00B728EC 1_2_00B728EC
Source: C:\Users\user\Desktop\3.exe Code function: 1_2_00B7E824 1_2_00B7E824
Source: C:\Users\user\Desktop\3.exe Code function: 1_2_00ACA830 1_2_00ACA830
Source: C:\Users\user\Desktop\3.exe Code function: 1_2_00B61002 1_2_00B61002
Source: C:\Users\user\Desktop\3.exe Code function: 1_2_00AC99BF 1_2_00AC99BF
Source: C:\Users\user\Desktop\3.exe Code function: 1_2_00AC4120 1_2_00AC4120
Source: C:\Users\user\Desktop\3.exe Code function: 1_2_00AAF900 1_2_00AAF900
Source: C:\Users\user\Desktop\3.exe Code function: 1_2_00B722AE 1_2_00B722AE
Source: C:\Users\user\Desktop\3.exe Code function: 1_2_00B5FA2B 1_2_00B5FA2B
Source: C:\Users\user\Desktop\3.exe Code function: 1_2_00ADEBB0 1_2_00ADEBB0
Source: C:\Users\user\Desktop\3.exe Code function: 1_2_00B523E3 1_2_00B523E3
Source: C:\Users\user\Desktop\3.exe Code function: 1_2_00B6DBD2 1_2_00B6DBD2
Source: C:\Users\user\Desktop\3.exe Code function: 1_2_00B603DA 1_2_00B603DA
Source: C:\Users\user\Desktop\3.exe Code function: 1_2_00ADABD8 1_2_00ADABD8
Source: C:\Users\user\Desktop\3.exe Code function: 1_2_00B72B28 1_2_00B72B28
Source: C:\Users\user\Desktop\3.exe Code function: 1_2_00ACA309 1_2_00ACA309
Source: C:\Users\user\Desktop\3.exe Code function: 1_2_00ACAB40 1_2_00ACAB40
Source: C:\Users\user\Desktop\3.exe Code function: 1_2_00AB841F 1_2_00AB841F
Source: C:\Users\user\Desktop\3.exe Code function: 1_2_00B6D466 1_2_00B6D466
Source: C:\Users\user\Desktop\3.exe Code function: 1_2_00AD2581 1_2_00AD2581
Source: C:\Users\user\Desktop\3.exe Code function: 1_2_00ABD5E0 1_2_00ABD5E0
Source: C:\Users\user\Desktop\3.exe Code function: 1_2_00B725DD 1_2_00B725DD
Source: C:\Users\user\Desktop\3.exe Code function: 1_2_00AA0D20 1_2_00AA0D20
Source: C:\Users\user\Desktop\3.exe Code function: 1_2_00B72D07 1_2_00B72D07
Source: C:\Users\user\Desktop\3.exe Code function: 1_2_00B71D55 1_2_00B71D55
Source: C:\Users\user\Desktop\3.exe Code function: 1_2_00B72EF7 1_2_00B72EF7
Source: C:\Users\user\Desktop\3.exe Code function: 1_2_00AC6E30 1_2_00AC6E30
Source: C:\Users\user\Desktop\3.exe Code function: 1_2_00B6D616 1_2_00B6D616
Source: C:\Users\user\Desktop\3.exe Code function: 1_2_00B71FF1 1_2_00B71FF1
Source: C:\Users\user\Desktop\3.exe Code function: 1_2_00B7DFCE 1_2_00B7DFCE
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 19_2_02C64AEF 19_2_02C64AEF
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 19_2_02C722AE 19_2_02C722AE
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 19_2_02BCB236 19_2_02BCB236
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 19_2_02C5FA2B 19_2_02C5FA2B
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 19_2_02BDEBB0 19_2_02BDEBB0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 19_2_02C6DBD2 19_2_02C6DBD2
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 19_2_02C603DA 19_2_02C603DA
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 19_2_02C523E3 19_2_02C523E3
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 19_2_02BD138B 19_2_02BD138B
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 19_2_02BDABD8 19_2_02BDABD8
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 19_2_02C4CB4F 19_2_02C4CB4F
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 19_2_02BCA309 19_2_02BCA309
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 19_2_02C72B28 19_2_02C72B28
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 19_2_02BCAB40 19_2_02BCAB40
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 19_2_02BD20A0 19_2_02BD20A0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 19_2_02BBB090 19_2_02BBB090
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 19_2_02C728EC 19_2_02C728EC
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 19_2_02C720A8 19_2_02C720A8
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 19_2_02BCA830 19_2_02BCA830
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 19_2_02C61002 19_2_02C61002
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 19_2_02C7E824 19_2_02C7E824
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 19_2_02BC99BF 19_2_02BC99BF
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 19_2_02BC4120 19_2_02BC4120
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 19_2_02BAF900 19_2_02BAF900
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 19_2_02C72EF7 19_2_02C72EF7
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 19_2_02BC6E30 19_2_02BC6E30
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 19_2_02C6D616 19_2_02C6D616
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 19_2_02C7DFCE 19_2_02C7DFCE
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 19_2_02C71FF1 19_2_02C71FF1
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 19_2_02C64496 19_2_02C64496
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 19_2_02C6D466 19_2_02C6D466
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 19_2_02BB841F 19_2_02BB841F
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 19_2_02BCB477 19_2_02BCB477
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 19_2_02C725DD 19_2_02C725DD
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 19_2_02BD2581 19_2_02BD2581
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 19_2_02C62D82 19_2_02C62D82
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 19_2_02BBD5E0 19_2_02BBD5E0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 19_2_02C71D55 19_2_02C71D55
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 19_2_02BA0D20 19_2_02BA0D20
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 19_2_02C72D07 19_2_02C72D07
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 19_2_00111030 19_2_00111030
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 19_2_0012C38B 19_2_0012C38B
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 19_2_00118C50 19_2_00118C50
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 19_2_00118C4C 19_2_00118C4C
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 19_2_0012B493 19_2_0012B493
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 19_2_0012C573 19_2_0012C573
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 19_2_00112D90 19_2_00112D90
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 19_2_00112D87 19_2_00112D87
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 19_2_0012CE28 19_2_0012CE28
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 19_2_0012CF7E 19_2_0012CF7E
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 19_2_00112FB0 19_2_00112FB0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 19_2_0012BFAA 19_2_0012BFAA
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 19_2_0012C7EA 19_2_0012C7EA
Found potential string decryption / allocating functions
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: String function: 02BAB150 appears 136 times
Source: C:\Users\user\Desktop\3.exe Code function: String function: 00AAB150 appears 90 times
Source: C:\Users\user\Desktop\3.exe Code function: String function: 0230A358 appears 40 times
Source: C:\Users\user\Desktop\3.exe Code function: String function: 02305898 appears 48 times
Source: C:\Users\user\Desktop\3.exe Code function: String function: 02304D43 appears 56 times
PE / OLE file has an invalid certificate
Source: 3.exe Static PE information: invalid certificate
PE file contains strange resources
Source: 3.exe Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: 3.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Sample file is different than original file name gathered from version info
Source: 3.exe, 00000001.00000003.242843726.0000000000866000.00000004.00000001.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs 3.exe
Source: 3.exe, 00000001.00000002.303149513.000000000066E000.00000004.00000020.sdmp Binary or memory string: OriginalFilenameipconfig.exej% vs 3.exe
Uses 32bit PE files
Source: 3.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, BYTES_REVERSED_LO, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, BYTES_REVERSED_HI
Yara signature match
Source: 00000001.00000002.303173602.0000000000890000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.303173602.0000000000890000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000000.242461084.0000000000400000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000000.242461084.0000000000400000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000003.217187289.0000000003088000.00000004.00000001.sdmp, type: MEMORY Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
Source: 00000000.00000003.215422596.0000000003068000.00000004.00000001.sdmp, type: MEMORY Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
Source: 00000000.00000003.215851322.0000000003084000.00000004.00000001.sdmp, type: MEMORY Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
Source: 00000001.00000002.303194189.00000000008C0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.303194189.00000000008C0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.302863521.0000000000401000.00000020.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.302863521.0000000000401000.00000020.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000013.00000002.464333846.0000000000110000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000013.00000002.464333846.0000000000110000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000003.215763701.000000000306C000.00000004.00000001.sdmp, type: MEMORY Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
Source: 00000013.00000002.465951978.0000000000740000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000013.00000002.465951978.0000000000740000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000003.215525181.0000000003080000.00000004.00000001.sdmp, type: MEMORY Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
Source: 00000013.00000002.465630345.0000000000700000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000013.00000002.465630345.0000000000700000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000003.216098891.0000000003098000.00000004.00000001.sdmp, type: MEMORY Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
Source: 00000000.00000003.215441416.0000000003084000.00000004.00000001.sdmp, type: MEMORY Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
Source: 1.0.3.exe.400000.1.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.0.3.exe.400000.1.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.3.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.2.3.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: classification engine Classification label: mal100.troj.evad.winEXE@14/5@14/5
Source: C:\Users\user\Desktop\3.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5628:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:204:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4816:120:WilError_01
Source: C:\Users\user\Desktop\3.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ''C:\Users\Public\Trast.bat' '
Source: C:\Users\user\Desktop\3.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\3.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\3.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\3.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\3.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\3.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: 3.exe Virustotal: Detection: 58%
Source: 3.exe Metadefender: Detection: 42%
Source: 3.exe ReversingLabs: Detection: 75%
Source: C:\Users\user\Desktop\3.exe File read: C:\Users\user\Desktop\3.exe
Source: unknown Process created: C:\Users\user\Desktop\3.exe 'C:\Users\user\Desktop\3.exe'
Source: C:\Users\user\Desktop\3.exe Process created: C:\Users\user\Desktop\3.exe C:\Users\user\Desktop\3.exe
Source: C:\Users\user\Desktop\3.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ''C:\Users\Public\Trast.bat' '
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /K C:\Users\Public\UKO.bat
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\ipconfig.exe C:\Windows\SysWOW64\ipconfig.exe
Source: C:\Windows\SysWOW64\ipconfig.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\3.exe'
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\3.exe Process created: C:\Users\user\Desktop\3.exe C:\Users\user\Desktop\3.exe
Source: C:\Users\user\Desktop\3.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ''C:\Users\Public\Trast.bat' '
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /K C:\Users\Public\UKO.bat
Source: C:\Windows\SysWOW64\ipconfig.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\3.exe'
Source: Window Recorder Window detected: More than 3 window changes detected
Source: 3.exe Static file information: File size 1081696 > 1048576
Source: Binary string: ipconfig.pdb source: 3.exe, 00000001.00000002.303221252.0000000000930000.00000040.00000001.sdmp
Source: Binary string: ipconfig.pdbGCTL source: 3.exe, 00000001.00000002.303221252.0000000000930000.00000040.00000001.sdmp
Source: Binary string: MusNotifyIcon.pdb source: explorer.exe, 00000005.00000000.276361272.000000000F707000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdbUGP source: 3.exe, 00000001.00000003.242702997.0000000000750000.00000004.00000001.sdmp, ipconfig.exe, 00000013.00000002.468141767.0000000002C9F000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: 3.exe, ipconfig.exe
Source: Binary string: MusNotifyIcon.pdbGCTL source: explorer.exe, 00000005.00000000.276361272.000000000F707000.00000004.00000001.sdmp

Data Obfuscation:

Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\3.exe Code function: 0_3_0230927C push 0040C2C8h; ret 0_3_02309360
Source: C:\Users\user\Desktop\3.exe Code function: 0_3_0230927C push 0040C2C8h; ret 0_3_02309360
Source: C:\Users\user\Desktop\3.exe Code function: 0_3_0230936A push 0040C33Bh; ret 0_3_023093D3
Source: C:\Users\user\Desktop\3.exe Code function: 0_3_0230936A push 0040C33Bh; ret 0_3_023093D3
Source: C:\Users\user\Desktop\3.exe Code function: 0_3_02302BF0 push 00405BA1h; ret 0_3_02302C39
Source: C:\Users\user\Desktop\3.exe Code function: 0_3_023093E4 push 0040C378h; ret 0_3_02309410
Source: C:\Users\user\Desktop\3.exe Code function: 0_3_023093E4 push 0040C378h; ret 0_3_02309410
Source: C:\Users\user\Desktop\3.exe Code function: 0_3_023033C8 push 00406354h; ret 0_3_023033EC
Source: C:\Users\user\Desktop\3.exe Code function: 0_3_02304820 push ecx; mov dword ptr [esp], eax 0_3_02304821
Source: C:\Users\user\Desktop\3.exe Code function: 0_3_02304820 push ecx; mov dword ptr [esp], eax 0_3_02304821
Source: C:\Users\user\Desktop\3.exe Code function: 0_3_02304820 push ecx; mov dword ptr [esp], eax 0_3_02304821
Source: C:\Users\user\Desktop\3.exe Code function: 0_3_02304820 push ecx; mov dword ptr [esp], eax 0_3_02304821
Source: C:\Users\user\Desktop\3.exe Code function: 0_3_023030B6 push 00406044h; ret 0_3_023030DC
Source: C:\Users\user\Desktop\3.exe Code function: 0_3_023030B8 push 00406044h; ret 0_3_023030DC
Source: C:\Users\user\Desktop\3.exe Code function: 0_3_02300094 push eax; ret 0_3_023000D0
Source: C:\Users\user\Desktop\3.exe Code function: 0_3_02302ED0 push 00405E5Ch; ret 0_3_02302EF4
Source: C:\Users\user\Desktop\3.exe Code function: 0_3_02302ECE push 00405E5Ch; ret 0_3_02302EF4
Source: C:\Users\user\Desktop\3.exe Code function: 0_3_02308F1A push 0040C2C8h; ret 0_3_02309360
Source: C:\Users\user\Desktop\3.exe Code function: 0_3_02308F1A push 0040C2C8h; ret 0_3_02309360
Source: C:\Users\user\Desktop\3.exe Code function: 0_3_02302F08 push 00405E94h; ret 0_3_02302F2C
Source: C:\Users\user\Desktop\3.exe Code function: 0_3_023075B0 push eax; ret 0_3_023075EC
Source: C:\Users\user\Desktop\3.exe Code function: 0_3_023075B0 push eax; ret 0_3_023075EC
Source: C:\Users\user\Desktop\3.exe Code function: 0_3_023075B0 push eax; ret 0_3_023075EC
Source: C:\Users\user\Desktop\3.exe Code function: 0_3_023075B0 push eax; ret 0_3_023075EC
Source: C:\Users\user\Desktop\3.exe Code function: 0_3_0230927C push 0040C2C8h; ret 0_3_02309360
Source: C:\Users\user\Desktop\3.exe Code function: 0_3_0230927C push 0040C2C8h; ret 0_3_02309360
Source: C:\Users\user\Desktop\3.exe Code function: 0_3_0230936A push 0040C33Bh; ret 0_3_023093D3
Source: C:\Users\user\Desktop\3.exe Code function: 0_3_0230936A push 0040C33Bh; ret 0_3_023093D3
Source: C:\Users\user\Desktop\3.exe Code function: 0_3_02302BF0 push 00405BA1h; ret 0_3_02302C39
Source: C:\Users\user\Desktop\3.exe Code function: 0_3_023093E4 push 0040C378h; ret 0_3_02309410
Source: C:\Users\user\Desktop\3.exe Code function: 0_3_023093E4 push 0040C378h; ret 0_3_02309410

Persistence and Installation Behavior:

Uses ipconfig to lookup or modify the Windows network settings
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\ipconfig.exe C:\Windows\SysWOW64\ipconfig.exe
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\ipconfig.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\3.exe RDTSC instruction interceptor: First address: 00000000004085E4 second address: 00000000004085EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\3.exe RDTSC instruction interceptor: First address: 000000000040896E second address: 0000000000408974 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\ipconfig.exe RDTSC instruction interceptor: First address: 00000000001185E4 second address: 00000000001185EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\ipconfig.exe RDTSC instruction interceptor: First address: 000000000011896E second address: 0000000000118974 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\3.exe Code function: 1_2_004088A0 rdtsc 1_2_004088A0
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\SysWOW64\ipconfig.exe TID: 5680 Thread sleep time: -32000s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\ipconfig.exe Last function: Thread delayed
Source: explorer.exe, 00000005.00000000.270082928.000000000871F000.00000004.00000001.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: explorer.exe, 00000005.00000000.270082928.000000000871F000.00000004.00000001.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000:
Source: explorer.exe, 00000005.00000000.261950637.0000000004E61000.00000004.00000001.sdmp Binary or memory string: War&Prod_VMware_SATAR
Source: explorer.exe, 00000005.00000000.269457825.0000000008640000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000005.00000000.267696288.0000000008220000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: explorer.exe, 00000005.00000000.293624505.00000000055D0000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}V*(E
Source: explorer.exe, 00000005.00000000.270082928.000000000871F000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}~
Source: explorer.exe, 00000005.00000000.270082928.000000000871F000.00000004.00000001.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
Source: explorer.exe, 00000005.00000000.270166589.00000000087D1000.00000004.00000001.sdmp Binary or memory string: VMware SATA CD00ices
Source: explorer.exe, 00000005.00000000.293662200.0000000005603000.00000004.00000001.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b},
Source: explorer.exe, 00000005.00000000.267696288.0000000008220000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: explorer.exe, 00000005.00000000.267696288.0000000008220000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: explorer.exe, 00000005.00000000.267696288.0000000008220000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Users\user\Desktop\3.exe Process information queried: ProcessInformation

Anti Debugging:

Checks if the current process is being debugged
Source: C:\Users\user\Desktop\3.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\ipconfig.exe Process queried: DebugPort
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\3.exe Code function: 1_2_004088A0 rdtsc 1_2_004088A0
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\Desktop\3.exe Code function: 1_2_00409B10 LdrLoadDll, 1_2_00409B10
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\3.exe Code function: 1_2_00AE90AF mov eax, dword ptr fs:[00000030h] 1_2_00AE90AF
Source: C:\Users\user\Desktop\3.exe Code function: 1_2_00AD20A0 mov eax, dword ptr fs:[00000030h] 1_2_00AD20A0
Source: C:\Users\user\Desktop\3.exe Code function: 1_2_00AD20A0 mov eax, dword ptr fs:[00000030h] 1_2_00AD20A0
Source: C:\Users\user\Desktop\3.exe Code function: 1_2_00AD20A0 mov eax, dword ptr fs:[00000030h] 1_2_00AD20A0
Source: C:\Users\user\Desktop\3.exe Code function: 1_2_00AD20A0 mov eax, dword ptr fs:[00000030h] 1_2_00AD20A0
Source: C:\Users\user\Desktop\3.exe Code function: 1_2_00AD20A0 mov eax, dword ptr fs:[00000030h] 1_2_00AD20A0
Source: C:\Users\user\Desktop\3.exe Code function: 1_2_00AD20A0 mov eax, dword ptr fs:[00000030h] 1_2_00AD20A0
Source: C:\Users\user\Desktop\3.exe Code function: 1_2_00ADF0BF mov ecx, dword ptr fs:[00000030h] 1_2_00ADF0BF
Source: C:\Users\user\Desktop\3.exe Code function: 1_2_00ADF0BF mov eax, dword ptr fs:[00000030h] 1_2_00ADF0BF
Source: C:\Users\user\Desktop\3.exe Code function: 1_2_00ADF0BF mov eax, dword ptr fs:[00000030h] 1_2_00ADF0BF
Source: C:\Users\user\Desktop\3.exe Code function: 1_2_00AA9080 mov eax, dword ptr fs:[00000030h] 1_2_00AA9080
Source: C:\Users\user\Desktop\3.exe Code function: 1_2_00B23884 mov eax, dword ptr fs:[00000030h] 1_2_00B23884
Source: C:\Users\user\Desktop\3.exe Code function: 1_2_00B23884 mov eax, dword ptr fs:[00000030h] 1_2_00B23884
Source: C:\Users\user\Desktop\3.exe Code function: 1_2_00AA58EC mov eax, dword ptr fs:[00000030h] 1_2_00AA58EC
Source: C:\Users\user\Desktop\3.exe Code function: 1_2_00ACB8E4 mov eax, dword ptr fs:[00000030h] 1_2_00ACB8E4
Source: C:\Users\user\Desktop\3.exe Code function: 1_2_00ACB8E4 mov eax, dword ptr fs:[00000030h] 1_2_00ACB8E4
Source: C:\Users\user\Desktop\3.exe Code function: 1_2_00AA40E1 mov eax, dword ptr fs:[00000030h] 1_2_00AA40E1
Source: C:\Users\user\Desktop\3.exe Code function: 1_2_00AA40E1 mov eax, dword ptr fs:[00000030h] 1_2_00AA40E1
Source: C:\Users\user\Desktop\3.exe Code function: 1_2_00AA40E1 mov eax, dword ptr fs:[00000030h] 1_2_00AA40E1
Source: C:\Users\user\Desktop\3.exe Code function: 1_2_00B3B8D0 mov eax, dword ptr fs:[00000030h] 1_2_00B3B8D0
Source: C:\Users\user\Desktop\3.exe Code function: 1_2_00B3B8D0 mov ecx, dword ptr fs:[00000030h] 1_2_00B3B8D0
Source: C:\Users\user\Desktop\3.exe Code function: 1_2_00B3B8D0 mov eax, dword ptr fs:[00000030h] 1_2_00B3B8D0
Source: C:\Users\user\Desktop\3.exe Code function: 1_2_00B3B8D0 mov eax, dword ptr fs:[00000030h] 1_2_00B3B8D0
Source: C:\Users\user\Desktop\3.exe Code function: 1_2_00B3B8D0 mov eax, dword ptr fs:[00000030h] 1_2_00B3B8D0
Source: C:\Users\user\Desktop\3.exe Code function: 1_2_00B3B8D0 mov eax, dword ptr fs:[00000030h] 1_2_00B3B8D0
Source: C:\Users\user\Desktop\3.exe Code function: 1_2_00AD002D mov eax, dword ptr fs:[00000030h] 1_2_00AD002D
Source: C:\Users\user\Desktop\3.exe Code function: 1_2_00ABB02A mov eax, dword ptr fs:[00000030h] 1_2_00ABB02A
Source: C:\Users\user\Desktop\3.exe Code function: 1_2_00ACA830 mov eax, dword ptr fs:[00000030h] 1_2_00ACA830
Source: C:\Users\user\Desktop\3.exe Code function: 1_2_00B74015 mov eax, dword ptr fs:[00000030h] 1_2_00B74015
Source: C:\Users\user\Desktop\3.exe Code function: 1_2_00B27016 mov eax, dword ptr fs:[00000030h] 1_2_00B27016
Source: C:\Users\user\Desktop\3.exe Code function: 1_2_00B71074 mov eax, dword ptr fs:[00000030h] 1_2_00B71074
Source: C:\Users\user\Desktop\3.exe Code function: 1_2_00B62073 mov eax, dword ptr fs:[00000030h] 1_2_00B62073
Source: C:\Users\user\Desktop\3.exe Code function: 1_2_00AC0050 mov eax, dword ptr fs:[00000030h] 1_2_00AC0050
Source: C:\Users\user\Desktop\3.exe Code function: 1_2_00B251BE mov eax, dword ptr fs:[00000030h] 1_2_00B251BE
Source: C:\Users\user\Desktop\3.exe Code function: 1_2_00AD61A0 mov eax, dword ptr fs:[00000030h] 1_2_00AD61A0
Source: C:\Users\user\Desktop\3.exe Code function: 1_2_00B649A4 mov eax, dword ptr fs:[00000030h] 1_2_00B649A4
Source: C:\Users\user\Desktop\3.exe Code function: 1_2_00AC99BF mov ecx, dword ptr fs:[00000030h] 1_2_00AC99BF
Source: C:\Users\user\Desktop\3.exe Code function: 1_2_00AC99BF mov eax, dword ptr fs:[00000030h] 1_2_00AC99BF
Source: C:\Users\user\Desktop\3.exe Code function: 1_2_00B269A6 mov eax, dword ptr fs:[00000030h] 1_2_00B269A6
Source: C:\Users\user\Desktop\3.exe Code function: 1_2_00ADA185 mov eax, dword ptr fs:[00000030h] 1_2_00ADA185
Source: C:\Users\user\Desktop\3.exe Code function: 1_2_00ACC182 mov eax, dword ptr fs:[00000030h] 1_2_00ACC182
Source: C:\Users\user\Desktop\3.exe Code function: 1_2_00AD2990 mov eax, dword ptr fs:[00000030h] 1_2_00AD2990
Source: C:\Users\user\Desktop\3.exe Code function: 1_2_00AAB1E1 mov eax, dword ptr fs:[00000030h] 1_2_00AAB1E1
Source: C:\Users\user\Desktop\3.exe Code function: 1_2_00B341E8 mov eax, dword ptr fs:[00000030h] 1_2_00B341E8
Source: C:\Users\user\Desktop\3.exe Code function: 1_2_00AC4120 mov eax, dword ptr fs:[00000030h] 1_2_00AC4120
Source: C:\Users\user\Desktop\3.exe Code function: 1_2_00AC4120 mov ecx, dword ptr fs:[00000030h] 1_2_00AC4120
Source: C:\Users\user\Desktop\3.exe Code function: 1_2_00AD513A mov eax, dword ptr fs:[00000030h] 1_2_00AD513A
Source: C:\Users\user\Desktop\3.exe Code function: 1_2_00AA9100 mov eax, dword ptr fs:[00000030h] 1_2_00AA9100
Source: C:\Users\user\Desktop\3.exe Code function: 1_2_00AAC962 mov eax, dword ptr fs:[00000030h] 1_2_00AAC962
Source: C:\Users\user\Desktop\3.exe Code function: 1_2_00AAB171 mov eax, dword ptr fs:[00000030h] 1_2_00AAB171
Source: C:\Users\user\Desktop\3.exe Code function: 1_2_00ACB944 mov eax, dword ptr fs:[00000030h] 1_2_00ACB944
Source: C:\Users\user\Desktop\3.exe Code function: 1_2_00AA52A5 mov eax, dword ptr fs:[00000030h] 1_2_00AA52A5
Source: C:\Users\user\Desktop\3.exe Code function: 1_2_00ABAAB0 mov eax, dword ptr fs:[00000030h] 1_2_00ABAAB0
Source: C:\Users\user\Desktop\3.exe Code function: 1_2_00ADFAB0 mov eax, dword ptr fs:[00000030h] 1_2_00ADFAB0
Source: C:\Users\user\Desktop\3.exe Code function: 1_2_00ADD294 mov eax, dword ptr fs:[00000030h] 1_2_00ADD294
Source: C:\Users\user\Desktop\3.exe Code function: 1_2_00AD2AE4 mov eax, dword ptr fs:[00000030h] 1_2_00AD2AE4
Source: C:\Users\user\Desktop\3.exe Code function: 1_2_00AD2ACB mov eax, dword ptr fs:[00000030h] 1_2_00AD2ACB
Source: C:\Users\user\Desktop\3.exe Code function: 1_2_00AE4A2C mov eax, dword ptr fs:[00000030h] 1_2_00AE4A2C
Source: C:\Users\user\Desktop\3.exe Code function: 1_2_00ACA229 mov eax, dword ptr fs:[00000030h] 1_2_00ACA229
Source: C:\Users\user\Desktop\3.exe Code function: 1_2_00B6AA16 mov eax, dword ptr fs:[00000030h] 1_2_00B6AA16
Source: C:\Users\user\Desktop\3.exe Code function: 1_2_00AB8A0A mov eax, dword ptr fs:[00000030h] 1_2_00AB8A0A
Source: C:\Users\user\Desktop\3.exe Code function: 1_2_00AC3A1C mov eax, dword ptr fs:[00000030h] 1_2_00AC3A1C
Source: C:\Users\user\Desktop\3.exe Code function: 1_2_00AA5210 mov eax, dword ptr fs:[00000030h] 1_2_00AA5210
Source: C:\Users\user\Desktop\3.exe Code function: 1_2_00AA5210 mov ecx, dword ptr fs:[00000030h] 1_2_00AA5210
Source: C:\Users\user\Desktop\3.exe Code function: 1_2_00AAAA16 mov eax, dword ptr fs:[00000030h] 1_2_00AAAA16
Source: C:\Users\user\Desktop\3.exe Code function: 1_2_00AE927A mov eax, dword ptr fs:[00000030h] 1_2_00AE927A
Source: C:\Users\user\Desktop\3.exe Code function: 1_2_00B5B260 mov eax, dword ptr fs:[00000030h] 1_2_00B5B260
Source: C:\Users\user\Desktop\3.exe Code function: 1_2_00B78A62 mov eax, dword ptr fs:[00000030h] 1_2_00B78A62
Source: C:\Users\user\Desktop\3.exe Code function: 1_2_00B6EA55 mov eax, dword ptr fs:[00000030h] 1_2_00B6EA55
Source: C:\Users\user\Desktop\3.exe Code function: 1_2_00B34257 mov eax, dword ptr fs:[00000030h] 1_2_00B34257
Source: C:\Users\user\Desktop\3.exe Code function: 1_2_00AA9240 mov eax, dword ptr fs:[00000030h] 1_2_00AA9240
Source: C:\Users\user\Desktop\3.exe Code function: 1_2_00AD4BAD mov eax, dword ptr fs:[00000030h] 1_2_00AD4BAD
Source: C:\Users\user\Desktop\3.exe Code function: 1_2_00B75BA5 mov eax, dword ptr fs:[00000030h] 1_2_00B75BA5
Source: C:\Users\user\Desktop\3.exe Code function: 1_2_00AB1B8F mov eax, dword ptr fs:[00000030h] 1_2_00AB1B8F
Source: C:\Users\user\Desktop\3.exe Code function: 1_2_00B5D380 mov ecx, dword ptr fs:[00000030h] 1_2_00B5D380
Source: C:\Users\user\Desktop\3.exe Code function: 1_2_00AD2397 mov eax, dword ptr fs:[00000030h] 1_2_00AD2397
Source: C:\Users\user\Desktop\3.exe Code function: 1_2_00B6138A mov eax, dword ptr fs:[00000030h] 1_2_00B6138A
Source: C:\Users\user\Desktop\3.exe Code function: 1_2_00ADB390 mov eax, dword ptr fs:[00000030h] 1_2_00ADB390
Source: C:\Users\user\Desktop\3.exe Code function: 1_2_00ACDBE9 mov eax, dword ptr fs:[00000030h] 1_2_00ACDBE9
Source: C:\Users\user\Desktop\3.exe Code function: 1_2_00AD03E2 mov eax, dword ptr fs:[00000030h] 1_2_00AD03E2
Source: C:\Users\user\Desktop\3.exe Code function: 1_2_00B523E3 mov ecx, dword ptr fs:[00000030h] 1_2_00B523E3
Source: C:\Users\user\Desktop\3.exe Code function: 1_2_00B523E3 mov eax, dword ptr fs:[00000030h] 1_2_00B523E3
Source: C:\Users\user\Desktop\3.exe Code function: 1_2_00B253CA mov eax, dword ptr fs:[00000030h] 1_2_00B253CA
Source: C:\Users\user\Desktop\3.exe Code function: 1_2_00ACA309 mov eax, dword ptr fs:[00000030h] 1_2_00ACA309
Source: C:\Users\user\Desktop\3.exe Code function: 1_2_00B6131B mov eax, dword ptr fs:[00000030h] 1_2_00B6131B
Source: C:\Users\user\Desktop\3.exe Code function: 1_2_00AADB60 mov ecx, dword ptr fs:[00000030h] 1_2_00AADB60
Source: C:\Users\user\Desktop\3.exe Code function: 1_2_00AD3B7A mov eax, dword ptr fs:[00000030h] 1_2_00AD3B7A
Source: C:\Users\user\Desktop\3.exe Code function: 1_2_00AD3B7A mov eax, dword ptr fs:[00000030h] 1_2_00AD3B7A
Source: C:\Users\user\Desktop\3.exe Code function: 1_2_00AADB40 mov eax, dword ptr fs:[00000030h] 1_2_00AADB40
Source: C:\Users\user\Desktop\3.exe Code function: 1_2_00B78B58 mov eax, dword ptr fs:[00000030h] 1_2_00B78B58
Source: C:\Users\user\Desktop\3.exe Code function: 1_2_00AAF358 mov eax, dword ptr fs:[00000030h] 1_2_00AAF358
Source: C:\Users\user\Desktop\3.exe Code function: 1_2_00AB849B mov eax, dword ptr fs:[00000030h] 1_2_00AB849B
Source: C:\Users\user\Desktop\3.exe Code function: 1_2_00B26CF0 mov eax, dword ptr fs:[00000030h] 1_2_00B26CF0
Source: C:\Users\user\Desktop\3.exe Code function: 1_2_00B614FB mov eax, dword ptr fs:[00000030h] 1_2_00B614FB
Source: C:\Users\user\Desktop\3.exe Code function: 1_2_00B78CD6 mov eax, dword ptr fs:[00000030h] 1_2_00B78CD6
Source: C:\Users\user\Desktop\3.exe Code function: 1_2_00ADBC2C mov eax, dword ptr fs:[00000030h] 1_2_00ADBC2C
Source: C:\Users\user\Desktop\3.exe Code function: 1_2_00B61C06 mov eax, dword ptr fs:[00000030h] 1_2_00B61C06
Source: C:\Users\user\Desktop\3.exe Code function: 1_2_00B26C0A mov eax, dword ptr fs:[00000030h] 1_2_00B26C0A
Source: C:\Users\user\Desktop\3.exe Code function: 1_2_00B7740D mov eax, dword ptr fs:[00000030h] 1_2_00B7740D
Source: C:\Users\user\Desktop\3.exe Code function: 1_2_00AC746D mov eax, dword ptr fs:[00000030h] 1_2_00AC746D
Source: C:\Users\user\Desktop\3.exe Code function: 1_2_00ADAC7B mov eax, dword ptr fs:[00000030h] 1_2_00ADAC7B
Source: C:\Users\user\Desktop\3.exe Code function: 1_2_00B3C450 mov eax, dword ptr fs:[00000030h] 1_2_00B3C450
Source: C:\Users\user\Desktop\3.exe Code function: 1_2_00ADA44B mov eax, dword ptr fs:[00000030h] 1_2_00ADA44B
Source: C:\Users\user\Desktop\3.exe Code function: 1_2_00AD35A1 mov eax, dword ptr fs:[00000030h] 1_2_00AD35A1
Source: C:\Users\user\Desktop\3.exe Code function: 1_2_00AD1DB5 mov eax, dword ptr fs:[00000030h] 1_2_00AD1DB5
Source: C:\Users\user\Desktop\3.exe Code function: 1_2_00B705AC mov eax, dword ptr fs:[00000030h] 1_2_00B705AC
Source: C:\Users\user\Desktop\3.exe Code function: 1_2_00AA2D8A mov eax, dword ptr fs:[00000030h] 1_2_00AA2D8A
Source: C:\Users\user\Desktop\3.exe Code function: 1_2_00AD2581 mov eax, dword ptr fs:[00000030h] 1_2_00AD2581
Source: C:\Users\user\Desktop\3.exe Code function: 1_2_00ADFD9B mov eax, dword ptr fs:[00000030h] 1_2_00ADFD9B
Source: C:\Users\user\Desktop\3.exe Code function: 1_2_00B58DF1 mov eax, dword ptr fs:[00000030h] 1_2_00B58DF1
Source: C:\Users\user\Desktop\3.exe Code function: 1_2_00ABD5E0 mov eax, dword ptr fs:[00000030h] 1_2_00ABD5E0
Source: C:\Users\user\Desktop\3.exe Code function: 1_2_00B6FDE2 mov eax, dword ptr fs:[00000030h] 1_2_00B6FDE2
Source: C:\Users\user\Desktop\3.exe Code function: 1_2_00B26DC9 mov eax, dword ptr fs:[00000030h] 1_2_00B26DC9
Source: C:\Users\user\Desktop\3.exe Code function: 1_2_00B26DC9 mov ecx, dword ptr fs:[00000030h] 1_2_00B26DC9
Source: C:\Users\user\Desktop\3.exe Code function: 1_2_00B78D34 mov eax, dword ptr fs:[00000030h] 1_2_00B78D34
Source: C:\Users\user\Desktop\3.exe Code function: 1_2_00B2A537 mov eax, dword ptr fs:[00000030h] 1_2_00B2A537
Source: C:\Users\user\Desktop\3.exe Code function: 1_2_00B6E539 mov eax, dword ptr fs:[00000030h] 1_2_00B6E539
Source: C:\Users\user\Desktop\3.exe Code function: 1_2_00AD4D3B mov eax, dword ptr fs:[00000030h] 1_2_00AD4D3B
Source: C:\Users\user\Desktop\3.exe Code function: 1_2_00AAAD30 mov eax, dword ptr fs:[00000030h] 1_2_00AAAD30
Source: C:\Users\user\Desktop\3.exe Code function: 1_2_00AB3D34 mov eax, dword ptr fs:[00000030h] 1_2_00AB3D34
Source: C:\Users\user\Desktop\3.exe Code function: 1_2_00ACC577 mov eax, dword ptr fs:[00000030h] 1_2_00ACC577
Source: C:\Users\user\Desktop\3.exe Code function: 1_2_00AE3D43 mov eax, dword ptr fs:[00000030h] 1_2_00AE3D43
Source: C:\Users\user\Desktop\3.exe Code function: 1_2_00B23540 mov eax, dword ptr fs:[00000030h] 1_2_00B23540
Source: C:\Users\user\Desktop\3.exe Code function: 1_2_00B53D40 mov eax, dword ptr fs:[00000030h] 1_2_00B53D40
Source: C:\Users\user\Desktop\3.exe Code function: 1_2_00AC7D50 mov eax, dword ptr fs:[00000030h] 1_2_00AC7D50
Source: C:\Users\user\Desktop\3.exe Code function: 1_2_00B70EA5 mov eax, dword ptr fs:[00000030h] 1_2_00B70EA5
Source: C:\Users\user\Desktop\3.exe Code function: 1_2_00B246A7 mov eax, dword ptr fs:[00000030h] 1_2_00B246A7
Source: C:\Users\user\Desktop\3.exe Code function: 1_2_00B3FE87 mov eax, dword ptr fs:[00000030h] 1_2_00B3FE87
Source: C:\Users\user\Desktop\3.exe Code function: 1_2_00AB76E2 mov eax, dword ptr fs:[00000030h] 1_2_00AB76E2
Source: C:\Users\user\Desktop\3.exe Code function: 1_2_00AD16E0 mov ecx, dword ptr fs:[00000030h] 1_2_00AD16E0
Source: C:\Users\user\Desktop\3.exe Code function: 1_2_00B78ED6 mov eax, dword ptr fs:[00000030h] 1_2_00B78ED6
Source: C:\Users\user\Desktop\3.exe Code function: 1_2_00AD36CC mov eax, dword ptr fs:[00000030h] 1_2_00AD36CC
Source: C:\Users\user\Desktop\3.exe Code function: 1_2_00AE8EC7 mov eax, dword ptr fs:[00000030h] 1_2_00AE8EC7
Source: C:\Users\user\Desktop\3.exe Code function: 1_2_00B5FEC0 mov eax, dword ptr fs:[00000030h] 1_2_00B5FEC0
Source: C:\Users\user\Desktop\3.exe Code function: 1_2_00B5FE3F mov eax, dword ptr fs:[00000030h] 1_2_00B5FE3F
Source: C:\Users\user\Desktop\3.exe Code function: 1_2_00AAE620 mov eax, dword ptr fs:[00000030h] 1_2_00AAE620
Source: C:\Users\user\Desktop\3.exe Code function: 1_2_00AAC600 mov eax, dword ptr fs:[00000030h] 1_2_00AAC600
Source: C:\Users\user\Desktop\3.exe Code function: 1_2_00AD8E00 mov eax, dword ptr fs:[00000030h] 1_2_00AD8E00
Source: C:\Users\user\Desktop\3.exe Code function: 1_2_00ADA61C mov eax, dword ptr fs:[00000030h] 1_2_00ADA61C
Source: C:\Users\user\Desktop\3.exe Code function: 1_2_00B61608 mov eax, dword ptr fs:[00000030h] 1_2_00B61608
Source: C:\Users\user\Desktop\3.exe Code function: 1_2_00AB766D mov eax, dword ptr fs:[00000030h] 1_2_00AB766D
Source: C:\Users\user\Desktop\3.exe Code function: 1_2_00ACAE73 mov eax, dword ptr fs:[00000030h] 1_2_00ACAE73
Source: C:\Users\user\Desktop\3.exe Code function: 1_2_00AB7E41 mov eax, dword ptr fs:[00000030h] 1_2_00AB7E41
Source: C:\Users\user\Desktop\3.exe Code function: 1_2_00B6AE44 mov eax, dword ptr fs:[00000030h] 1_2_00B6AE44
Source: C:\Users\user\Desktop\3.exe Code function: 1_2_00B27794 mov eax, dword ptr fs:[00000030h] 1_2_00B27794
Source: C:\Users\user\Desktop\3.exe Code function: 1_2_00AB8794 mov eax, dword ptr fs:[00000030h] 1_2_00AB8794
Source: C:\Users\user\Desktop\3.exe Code function: 1_2_00AE37F5 mov eax, dword ptr fs:[00000030h] 1_2_00AE37F5
Source: C:\Users\user\Desktop\3.exe Code function: 1_2_00AA4F2E mov eax, dword ptr fs:[00000030h] 1_2_00AA4F2E
Source: C:\Users\user\Desktop\3.exe Code function: 1_2_00ACB73D mov eax, dword ptr fs:[00000030h] 1_2_00ACB73D
Source: C:\Users\user\Desktop\3.exe Code function: 1_2_00ADE730 mov eax, dword ptr fs:[00000030h] 1_2_00ADE730
Source: C:\Users\user\Desktop\3.exe Code function: 1_2_00B3FF10 mov eax, dword ptr fs:[00000030h] 1_2_00B3FF10
Source: C:\Users\user\Desktop\3.exe Code function: 1_2_00ADA70E mov eax, dword ptr fs:[00000030h] 1_2_00ADA70E
Source: C:\Users\user\Desktop\3.exe Code function: 1_2_00B7070D mov eax, dword ptr fs:[00000030h] 1_2_00B7070D
Source: C:\Users\user\Desktop\3.exe Code function: 1_2_00ACF716 mov eax, dword ptr fs:[00000030h] 1_2_00ACF716
Source: C:\Users\user\Desktop\3.exe Code function: 1_2_00ABFF60 mov eax, dword ptr fs:[00000030h] 1_2_00ABFF60
Source: C:\Users\user\Desktop\3.exe Code function: 1_2_00B78F6A mov eax, dword ptr fs:[00000030h] 1_2_00B78F6A
Source: C:\Users\user\Desktop\3.exe Code function: 1_2_00ABEF40 mov eax, dword ptr fs:[00000030h] 1_2_00ABEF40
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 19_2_02BBAAB0 mov eax, dword ptr fs:[00000030h] 19_2_02BBAAB0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 19_2_02BDFAB0 mov eax, dword ptr fs:[00000030h] 19_2_02BDFAB0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 19_2_02BA52A5 mov eax, dword ptr fs:[00000030h] 19_2_02BA52A5
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 19_2_02BDD294 mov eax, dword ptr fs:[00000030h] 19_2_02BDD294
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 19_2_02C64AEF mov eax, dword ptr fs:[00000030h] 19_2_02C64AEF
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 19_2_02BD2AE4 mov eax, dword ptr fs:[00000030h] 19_2_02BD2AE4
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 19_2_02BD2ACB mov eax, dword ptr fs:[00000030h] 19_2_02BD2ACB
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 19_2_02BCB236 mov eax, dword ptr fs:[00000030h] 19_2_02BCB236
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 19_2_02BE4A2C mov eax, dword ptr fs:[00000030h] 19_2_02BE4A2C
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 19_2_02C6EA55 mov eax, dword ptr fs:[00000030h] 19_2_02C6EA55
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 19_2_02C34257 mov eax, dword ptr fs:[00000030h] 19_2_02C34257
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 19_2_02BCA229 mov eax, dword ptr fs:[00000030h] 19_2_02BCA229
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 19_2_02BC3A1C mov eax, dword ptr fs:[00000030h] 19_2_02BC3A1C
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 19_2_02C5B260 mov eax, dword ptr fs:[00000030h] 19_2_02C5B260
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 19_2_02C78A62 mov eax, dword ptr fs:[00000030h] 19_2_02C78A62
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 19_2_02BA5210 mov eax, dword ptr fs:[00000030h] 19_2_02BA5210
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 19_2_02BA5210 mov ecx, dword ptr fs:[00000030h] 19_2_02BA5210
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 19_2_02BAAA16 mov eax, dword ptr fs:[00000030h] 19_2_02BAAA16
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 19_2_02BB8A0A mov eax, dword ptr fs:[00000030h] 19_2_02BB8A0A
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 19_2_02BE927A mov eax, dword ptr fs:[00000030h] 19_2_02BE927A
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 19_2_02C6AA16 mov eax, dword ptr fs:[00000030h] 19_2_02C6AA16
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 19_2_02BA9240 mov eax, dword ptr fs:[00000030h] 19_2_02BA9240
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 19_2_02C253CA mov eax, dword ptr fs:[00000030h] 19_2_02C253CA
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 19_2_02BD4BAD mov eax, dword ptr fs:[00000030h] 19_2_02BD4BAD
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 19_2_02C523E3 mov ecx, dword ptr fs:[00000030h] 19_2_02C523E3
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 19_2_02C523E3 mov eax, dword ptr fs:[00000030h] 19_2_02C523E3
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 19_2_02BD2397 mov eax, dword ptr fs:[00000030h] 19_2_02BD2397
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 19_2_02BDB390 mov eax, dword ptr fs:[00000030h] 19_2_02BDB390
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 19_2_02BB1B8F mov eax, dword ptr fs:[00000030h] 19_2_02BB1B8F
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 19_2_02BD138B mov eax, dword ptr fs:[00000030h] 19_2_02BD138B
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 19_2_02C5D380 mov ecx, dword ptr fs:[00000030h] 19_2_02C5D380
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 19_2_02C6138A mov eax, dword ptr fs:[00000030h] 19_2_02C6138A
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 19_2_02BCDBE9 mov eax, dword ptr fs:[00000030h] 19_2_02BCDBE9
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 19_2_02BD03E2 mov eax, dword ptr fs:[00000030h] 19_2_02BD03E2
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 19_2_02C75BA5 mov eax, dword ptr fs:[00000030h] 19_2_02C75BA5
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 19_2_02C78B58 mov eax, dword ptr fs:[00000030h] 19_2_02C78B58
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 19_2_02BCA309 mov eax, dword ptr fs:[00000030h] 19_2_02BCA309
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 19_2_02BD3B7A mov eax, dword ptr fs:[00000030h] 19_2_02BD3B7A
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 19_2_02BADB60 mov ecx, dword ptr fs:[00000030h] 19_2_02BADB60
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 19_2_02C6131B mov eax, dword ptr fs:[00000030h] 19_2_02C6131B
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 19_2_02BAF358 mov eax, dword ptr fs:[00000030h] 19_2_02BAF358
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 19_2_02BADB40 mov eax, dword ptr fs:[00000030h] 19_2_02BADB40
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 19_2_02BDF0BF mov ecx, dword ptr fs:[00000030h] 19_2_02BDF0BF
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 19_2_02BDF0BF mov eax, dword ptr fs:[00000030h] 19_2_02BDF0BF
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 19_2_02BE90AF mov eax, dword ptr fs:[00000030h] 19_2_02BE90AF
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 19_2_02C3B8D0 mov eax, dword ptr fs:[00000030h] 19_2_02C3B8D0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 19_2_02C3B8D0 mov ecx, dword ptr fs:[00000030h] 19_2_02C3B8D0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 19_2_02BD20A0 mov eax, dword ptr fs:[00000030h] 19_2_02BD20A0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 19_2_02BA9080 mov eax, dword ptr fs:[00000030h] 19_2_02BA9080
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 19_2_02C23884 mov eax, dword ptr fs:[00000030h] 19_2_02C23884
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 19_2_02BA58EC mov eax, dword ptr fs:[00000030h] 19_2_02BA58EC
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 19_2_02BCB8E4 mov eax, dword ptr fs:[00000030h] 19_2_02BCB8E4
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 19_2_02BA40E1 mov eax, dword ptr fs:[00000030h] 19_2_02BA40E1
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 19_2_02BCA830 mov eax, dword ptr fs:[00000030h] 19_2_02BCA830
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 19_2_02BD002D mov eax, dword ptr fs:[00000030h] 19_2_02BD002D
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 19_2_02BBB02A mov eax, dword ptr fs:[00000030h] 19_2_02BBB02A
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 19_2_02C71074 mov eax, dword ptr fs:[00000030h] 19_2_02C71074
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 19_2_02C62073 mov eax, dword ptr fs:[00000030h] 19_2_02C62073
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 19_2_02C74015 mov eax, dword ptr fs:[00000030h] 19_2_02C74015
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 19_2_02C27016 mov eax, dword ptr fs:[00000030h] 19_2_02C27016
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 19_2_02BC0050 mov eax, dword ptr fs:[00000030h] 19_2_02BC0050
Enables debug privileges
Source: C:\Users\user\Desktop\3.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\ipconfig.exe Process token adjusted: Debug

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe Domain query: www.plastictohydrogen.com
Source: C:\Windows\explorer.exe Network Connect: 81.17.18.198 80
Source: C:\Windows\explorer.exe Domain query: www.cartercavanaugh.com
Source: C:\Windows\explorer.exe Network Connect: 185.98.131.46 80
Source: C:\Windows\explorer.exe Network Connect: 54.147.194.143 80
Source: C:\Windows\explorer.exe Domain query: www.vigipharx.com
Source: C:\Windows\explorer.exe Domain query: www.glocp9.com
Source: C:\Windows\explorer.exe Network Connect: 34.102.136.180 80
Source: C:\Windows\explorer.exe Domain query: www.ayco.sucks
Source: C:\Windows\explorer.exe Domain query: www.mortgagenewsdailt.com
Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\3.exe Memory written: C:\Users\user\Desktop\3.exe base: 400000 value starts with: 4D5A
Maps a DLL or memory area into another process
Source: C:\Users\user\Desktop\3.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\Desktop\3.exe Section loaded: unknown target: C:\Windows\SysWOW64\ipconfig.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\ipconfig.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\ipconfig.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Modifies the context of a thread in another process (thread injection)
Source: C:\Users\user\Desktop\3.exe Thread register set: target process: 3388
Source: C:\Windows\SysWOW64\ipconfig.exe Thread register set: target process: 3388
Queues an APC in another process (thread injection)
Source: C:\Users\user\Desktop\3.exe Thread APC queued: target process: C:\Windows\explorer.exe
Sample uses process hollowing technique
Source: C:\Users\user\Desktop\3.exe Section unmapped: C:\Windows\SysWOW64\ipconfig.exe base address: 830000
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\3.exe Process created: C:\Users\user\Desktop\3.exe C:\Users\user\Desktop\3.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /K C:\Users\Public\UKO.bat
Source: C:\Windows\SysWOW64\ipconfig.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\3.exe'
Source: explorer.exe, 00000005.00000000.256260083.0000000001398000.00000004.00000020.sdmp Binary or memory string: ProgmanamF
Source: explorer.exe, 00000005.00000000.281921519.0000000001980000.00000002.00000001.sdmp, ipconfig.exe, 00000013.00000002.473898302.0000000005510000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: explorer.exe, 00000005.00000000.265742554.0000000006860000.00000004.00000001.sdmp, ipconfig.exe, 00000013.00000002.473898302.0000000005510000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000005.00000000.281921519.0000000001980000.00000002.00000001.sdmp, ipconfig.exe, 00000013.00000002.473898302.0000000005510000.00000002.00000001.sdmp Binary or memory string: Progman
Source: explorer.exe, 00000005.00000000.281921519.0000000001980000.00000002.00000001.sdmp, ipconfig.exe, 00000013.00000002.473898302.0000000005510000.00000002.00000001.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\SysWOW64\cmd.exe Queries volume information: C:\ VolumeInformation

Stealing of Sensitive Information:

Yara detected FormBook
Source: Yara match File source: 00000001.00000002.303173602.0000000000890000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000000.242461084.0000000000400000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.303194189.00000000008C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.302863521.0000000000401000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.464333846.0000000000110000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.465951978.0000000000740000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.465630345.0000000000700000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 1.0.3.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.3.exe.400000.0.unpack, type: UNPACKEDPE

Remote Access Functionality:

Yara detected FormBook
Source: Yara match File source: 00000001.00000002.303173602.0000000000890000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000000.242461084.0000000000400000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.303194189.00000000008C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.302863521.0000000000401000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.464333846.0000000000110000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.465951978.0000000000740000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.465630345.0000000000700000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 1.0.3.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.3.exe.400000.0.unpack, type: UNPACKEDPE