Windows Analysis Report WXs8v9QuE7.exe

Overview

General Information

Sample Name: WXs8v9QuE7.exe
Analysis ID: 438542
MD5: 1f45b0e2bd669bce49b2140373243a91
SHA1: 6ea61f1b39548a8b9192c0606d6daeb2c071a190
SHA256: ef05dd27e2dc499d3c1f42f00525fea7204735acd45c7a03efb78a241a9f9660
Tags: exe, Formbook

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
C2 URLs / IPs found in malware configuration
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect virtualization through RDTSC time measurements
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality to read the PEB
Contains functionality to shut down / reboot the system
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Sample execution stops while process was sleeping (likely an evasion)
Sample file name differs from the original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

AV Detection:

Antivirus detection for URL or domain
Source: http://www.purpleqube.com/bp3i/?2db=IkQuCFl7MCfBRj/Vz+o9SZKu4zQeP+5HQLx8WUcJbeVktEW19wEdA8Etbmrh51eTDYYM&ApZx=O2MHiVr0W Avira URL Cloud: Label: phishing
Found malware configuration
Source: 00000001.00000001.231883360.0000000000400000.00000040.00020000.sdmp Malware Configuration Extractor: FormBook {"C2 list": ["www.oceancollaborative.com/bp3i/"], "decoy": ["bancambios.network", "centroufologicosiciliano.info", "personalloansonline.xyz", "xn---yado-8e4dze0c.site", "americanscientific.net", "5australiacl.com", "sportsiri.com", "harchain.com", "oakandivywedding.com", "getbattlevizion.com", "laurenamason.com", "middreampostal.com", "realityawarenetworks.com", "purpleqube.com", "reufhroir.com", "dr-farshidtajik.com", "spinecompanion.com", "grpsexportsandimports.com", "nodeaths.com", "indylead.com", "payplrif617592.info", "counteraction.fund", "t4mall.com", "lnbes.com", "5xlsteve.com", "kocaelimanliftkiralama.site", "jacksonmesser.com", "nicehips.xyz", "accelerator.sydney", "dembyanndson.com", "tori2020.com", "ilium-partners.com", "amazingfinds4u.com", "therebelpartyband.com", "mutanterestaurante.com", "underce.com", "foldarusa.com", "canyoufindme.info", "fewo-zweifall.com", "fredrika-stahl.com", "bankalmatajer.com", "themindsetbreakthrough.com", "kesat-ya10.com", "9wsc.com", "jimmymasks.com", "bluebeltpanobuy.com", "my-ela.com", "motivactivewear.com", "myrivercityhomeimprovements.com", "xn--2o2b1z87x8sb.com", "pholbhf.icu", "8ballsportsbook.com", "doodstore.net", "shenghui118.com", "glavstore.com", "mydystopianlife.com", "woodlandsceinics.com", "trickshow.club", "vitali-tea.online", "thechandeck.com", "blinbins.com", "mcgcompetition.com", "xrglm.com", "mikefling.com"]}
Multi AV Scanner detection for submitted file
Source: WXs8v9QuE7.exe Virustotal: Detection: 18%
Source: WXs8v9QuE7.exe ReversingLabs: Detection: 19%
Yara detected FormBook
Source: Yara match File source: 00000001.00000001.231883360.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.301526292.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.301567040.00000000004C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.234632284.0000000002280000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.493603616.0000000000A90000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.492153305.0000000000560000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.494502874.0000000002CF0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.301714612.00000000005D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 1.1.WXs8v9QuE7.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.1.WXs8v9QuE7.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.WXs8v9QuE7.exe.2280000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.WXs8v9QuE7.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.WXs8v9QuE7.exe.2280000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.WXs8v9QuE7.exe.400000.0.raw.unpack, type: UNPACKEDPE
Machine Learning detection for sample
Source: WXs8v9QuE7.exe Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 18.2.cscript.exe.748a10.0.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 18.2.cscript.exe.4d87960.5.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 1.1.WXs8v9QuE7.exe.400000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 1.2.WXs8v9QuE7.exe.400000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 0.2.WXs8v9QuE7.exe.2280000.2.unpack Avira: Label: TR/Crypt.ZPACK.Gen

Compliance:

Uses 32bit PE files
Source: WXs8v9QuE7.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: Binary string: cscript.pdbUGP source: WXs8v9QuE7.exe, 00000001.00000002.302941895.0000000002AC0000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdbUGP source: WXs8v9QuE7.exe, 00000000.00000003.228184886.0000000009990000.00000004.00000001.sdmp, WXs8v9QuE7.exe, 00000001.00000002.302101367.0000000000B8F000.00000040.00000001.sdmp, cscript.exe, 00000012.00000002.495021689.0000000004850000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: WXs8v9QuE7.exe, cscript.exe
Source: Binary string: cscript.pdb source: WXs8v9QuE7.exe, 00000001.00000002.302941895.0000000002AC0000.00000040.00000001.sdmp
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Code function: 0_2_00405E93 FindFirstFileA,FindClose, 0_2_00405E93
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Code function: 0_2_004054BD DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA, 0_2_004054BD
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Code function: 0_2_00402671 FindFirstFileA, 0_2_00402671

Software Vulnerabilities:

Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Code function: 4x nop then pop esi 1_2_00415851
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Code function: 4x nop then pop ebx 1_2_00406A98
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Code function: 4x nop then pop esi 1_1_00415851
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Code function: 4x nop then pop ebx 1_1_00406A98
Source: C:\Windows\SysWOW64\cscript.exe Code function: 4x nop then pop esi 18_2_00575851
Source: C:\Windows\SysWOW64\cscript.exe Code function: 4x nop then pop ebx 18_2_00566A99

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49737 -> 75.2.124.199:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49737 -> 75.2.124.199:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49737 -> 75.2.124.199:80
Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49750 -> 23.225.101.32:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49750 -> 23.225.101.32:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49750 -> 23.225.101.32:80
Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49751 -> 94.136.40.51:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49751 -> 94.136.40.51:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49751 -> 94.136.40.51:80
Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49755 -> 45.192.104.89:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49755 -> 45.192.104.89:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49755 -> 45.192.104.89:80
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: www.oceancollaborative.com/bp3i/
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /bp3i/?2db=IkQuCFl7MCfBRj/Vz+o9SZKu4zQeP+5HQLx8WUcJbeVktEW19wEdA8Etbmrh51eTDYYM&ApZx=O2MHiVr0W HTTP/1.1 Host: www.purpleqube.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /bp3i/?2db=MlxGGjj2GILR3uc1yrCD+B+Qm9+cwVH8bO7hosl1JjKtZPf8ruvdLFpmglVOZIulzoDe&ApZx=O2MHiVr0W HTTP/1.1 Host: www.tori2020.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /bp3i/?2db=80R/aSnQ9cMncl3xr61KDuAjYp2ZOr6pxPcjEdydNICfLnQ2vp9ekDHPlA0NjzWfFYRL&ApZx=O2MHiVr0W HTTP/1.1 Host: www.underce.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /bp3i/?2db=cas+hsZJvZFo3GF+EdMNCMOiV1dGjFKaknimsFdRmzAJWDDXgl+w3pBTGW4WB38KsB49&ApZx=O2MHiVr0W HTTP/1.1 Host: www.fredrika-stahl.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /bp3i/?2db=/O9fLU9fKPl9hp8FjcQBjfSEDJBN8B2QQZ2zni9zphKaS5k3K3CvlS+mwENkfwkv1cT8&ApZx=O2MHiVr0W HTTP/1.1 Host: www.doodstore.net Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /bp3i/?2db=E7M2l69Gv0yeE4KBOXHGh6mx//FtP199Dh6qlRwE96ss/V1ksNZ+8ksSpGi6EwZCpyax&ApZx=O2MHiVr0W HTTP/1.1 Host: www.mutanterestaurante.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /bp3i/?2db=zwAt45JEztQSRxPdch59MI6sbMm9ozxv/QrdgZuHtz8DMTYJ2HUJlOY3K2JoQYzD174Y&ApZx=O2MHiVr0W HTTP/1.1 Host: www.9wsc.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /bp3i/?2db=zbNXh78uhP7VzN8kPHFueaY47g6J6psPJhyFJvfKuCHih9LJaB8PnmAAQmuNnVgiv7yX&ApZx=O2MHiVr0W HTTP/1.1 Host: www.5xlsteve.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /bp3i/?2db=+tA82deiMnBv5x6tQvXabF4qHjy6FJLdLGXe/FevxPH8etKnEP6uMBOxOd38qIM/2l+B&ApZx=O2MHiVr0W HTTP/1.1 Host: www.oceancollaborative.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /bp3i/?2db=zzYPr0OAQH7TXWaM6HNOV25V/HRJbXLG3d0AEq0Xu0niOsubCwaCiuhJfb7NIA/TR+lf&ApZx=O2MHiVr0W HTTP/1.1 Host: www.motivactivewear.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: TEAMINTERNET-ASDE
Source: Joe Sandbox View ASN Name: UNIFIEDLAYER-AS-1US
Source: Joe Sandbox View ASN Name: AMAZON-02US
Source: unknown DNS traffic detected: queries for: www.reufhroir.com
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Date: Tue, 22 Jun 2021 16:25:18 GMT Server: Apache Content-Length: 203 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 62 70 33 69 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /bp3i/ was not found on this server.</p></body></html>
Source: explorer.exe, 00000004.00000000.252919893.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://fontfabrik.com
Source: WXs8v9QuE7.exe String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: WXs8v9QuE7.exe String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: explorer.exe, 00000004.00000000.252919893.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000004.00000000.252919893.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 00000004.00000000.252919893.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000004.00000000.252919893.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 00000004.00000000.252919893.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 00000004.00000000.252919893.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 00000004.00000000.252919893.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: explorer.exe, 00000004.00000000.252919893.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 00000004.00000000.252919893.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 00000004.00000000.252919893.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 00000004.00000000.252919893.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 00000004.00000000.252919893.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 00000004.00000000.252919893.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 00000004.00000000.252919893.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 00000004.00000000.252919893.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 00000004.00000000.252919893.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 00000004.00000000.252919893.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 00000004.00000000.252919893.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 00000004.00000000.252919893.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 00000004.00000000.252919893.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 00000004.00000000.252919893.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000004.00000000.252919893.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 00000004.00000000.252919893.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 00000004.00000000.252919893.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 00000004.00000000.252919893.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://www.zhongyicts.com.cn
Source: cscript.exe, 00000012.00000002.496418412.0000000004F02000.00000004.00000001.sdmp String found in binary or memory: https://www.123-reg-new-domain.co.uk/iframe.html

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality to read data from the clipboard
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Code function: 0_2_00404FC2 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard, 0_2_00404FC2
Creates a DirectInput object (often for capturing keystrokes)
Source: WXs8v9QuE7.exe, 00000000.00000002.233934690.000000000075A000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected FormBook
Source: Yara match File source: 00000001.00000001.231883360.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.301526292.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.301567040.00000000004C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.234632284.0000000002280000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.493603616.0000000000A90000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.492153305.0000000000560000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.494502874.0000000002CF0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.301714612.00000000005D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 1.1.WXs8v9QuE7.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.1.WXs8v9QuE7.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.WXs8v9QuE7.exe.2280000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.WXs8v9QuE7.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.WXs8v9QuE7.exe.2280000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.WXs8v9QuE7.exe.400000.0.raw.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000001.00000001.231883360.0000000000400000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000001.231883360.0000000000400000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.301526292.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.301526292.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.301567040.00000000004C0000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.301567040.00000000004C0000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.234632284.0000000002280000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.234632284.0000000002280000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000012.00000002.493603616.0000000000A90000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000012.00000002.493603616.0000000000A90000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000012.00000002.492153305.0000000000560000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000012.00000002.492153305.0000000000560000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000012.00000002.494502874.0000000002CF0000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000012.00000002.494502874.0000000002CF0000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.301714612.00000000005D0000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.301714612.00000000005D0000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.1.WXs8v9QuE7.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.1.WXs8v9QuE7.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.1.WXs8v9QuE7.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.1.WXs8v9QuE7.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.WXs8v9QuE7.exe.2280000.2.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.WXs8v9QuE7.exe.2280000.2.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.2.WXs8v9QuE7.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.WXs8v9QuE7.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.WXs8v9QuE7.exe.2280000.2.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.WXs8v9QuE7.exe.2280000.2.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.2.WXs8v9QuE7.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.WXs8v9QuE7.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Contains functionality to call native functions
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Code function: 1_2_004181D0 NtCreateFile, 1_2_004181D0
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Code function: 1_2_00418280 NtReadFile, 1_2_00418280
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Code function: 1_2_00418300 NtClose, 1_2_00418300
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Code function: 1_2_004183B0 NtAllocateVirtualMemory, 1_2_004183B0
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Code function: 1_2_004181CE NtCreateFile, 1_2_004181CE
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Code function: 1_2_0041827A NtReadFile, 1_2_0041827A
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Code function: 1_2_004183AB NtAllocateVirtualMemory, 1_2_004183AB
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Code function: 1_2_00AD98F0 NtReadVirtualMemory,LdrInitializeThunk, 1_2_00AD98F0
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Code function: 1_2_00AD9860 NtQuerySystemInformation,LdrInitializeThunk, 1_2_00AD9860
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Code function: 1_2_00AD9840 NtDelayExecution,LdrInitializeThunk, 1_2_00AD9840
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Code function: 1_2_00AD99A0 NtCreateSection,LdrInitializeThunk, 1_2_00AD99A0
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Code function: 1_2_00AD9910 NtAdjustPrivilegesToken,LdrInitializeThunk, 1_2_00AD9910
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Code function: 1_2_00AD9A20 NtResumeThread,LdrInitializeThunk, 1_2_00AD9A20
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Code function: 1_2_00AD9A00 NtProtectVirtualMemory,LdrInitializeThunk, 1_2_00AD9A00
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Code function: 1_2_00AD9A50 NtCreateFile,LdrInitializeThunk, 1_2_00AD9A50
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Code function: 1_2_00AD95D0 NtClose,LdrInitializeThunk, 1_2_00AD95D0
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Code function: 1_2_00AD9540 NtReadFile,LdrInitializeThunk, 1_2_00AD9540
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Code function: 1_2_00AD96E0 NtFreeVirtualMemory,LdrInitializeThunk, 1_2_00AD96E0
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Code function: 1_2_00AD9660 NtAllocateVirtualMemory,LdrInitializeThunk, 1_2_00AD9660
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Code function: 1_2_00AD97A0 NtUnmapViewOfSection,LdrInitializeThunk, 1_2_00AD97A0
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Code function: 1_2_00AD9780 NtMapViewOfSection,LdrInitializeThunk, 1_2_00AD9780
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Code function: 1_2_00AD9FE0 NtCreateMutant,LdrInitializeThunk, 1_2_00AD9FE0
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Code function: 1_2_00AD9710 NtQueryInformationToken,LdrInitializeThunk, 1_2_00AD9710
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Code function: 1_2_00AD98A0 NtWriteVirtualMemory, 1_2_00AD98A0
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Code function: 1_2_00AD9820 NtEnumerateKey, 1_2_00AD9820
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Code function: 1_2_00ADB040 NtSuspendThread, 1_2_00ADB040
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Code function: 1_2_00AD99D0 NtCreateProcessEx, 1_2_00AD99D0
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Code function: 1_2_00AD9950 NtQueueApcThread, 1_2_00AD9950
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Code function: 1_2_00AD9A80 NtOpenDirectoryObject, 1_2_00AD9A80
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Code function: 1_2_00AD9A10 NtQuerySection, 1_2_00AD9A10
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Code function: 1_2_00ADA3B0 NtGetContextThread, 1_2_00ADA3B0
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Code function: 1_2_00AD9B00 NtSetValueKey, 1_2_00AD9B00
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Code function: 1_2_00AD95F0 NtQueryInformationFile, 1_2_00AD95F0
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Code function: 1_2_00AD9520 NtWaitForSingleObject, 1_2_00AD9520
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Code function: 1_2_00ADAD30 NtSetContextThread, 1_2_00ADAD30
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Code function: 1_2_00AD9560 NtWriteFile, 1_2_00AD9560
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Code function: 1_2_00AD96D0 NtCreateKey, 1_2_00AD96D0
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Code function: 1_2_00AD9610 NtEnumerateValueKey, 1_2_00AD9610
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Code function: 1_2_00AD9670 NtQueryInformationProcess, 1_2_00AD9670
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Code function: 1_2_00AD9650 NtQueryValueKey, 1_2_00AD9650
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Code function: 1_2_00AD9730 NtQueryVirtualMemory, 1_2_00AD9730
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Code function: 1_2_00ADA710 NtOpenProcessToken, 1_2_00ADA710
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Code function: 1_2_00AD9760 NtOpenProcess, 1_2_00AD9760
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Code function: 1_2_00AD9770 NtSetInformationFile, 1_2_00AD9770
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Code function: 1_2_00ADA770 NtOpenThread, 1_2_00ADA770
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Code function: 1_1_004181D0 NtCreateFile, 1_1_004181D0
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Code function: 1_1_00418280 NtReadFile, 1_1_00418280
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Code function: 1_1_00418300 NtClose, 1_1_00418300
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Code function: 1_1_004183B0 NtAllocateVirtualMemory, 1_1_004183B0
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Code function: 1_1_004181CE NtCreateFile, 1_1_004181CE
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Code function: 1_1_0041827A NtReadFile, 1_1_0041827A
Source: C:\Windows\SysWOW64\cscript.exe Code function: 18_2_048B95D0 NtClose,LdrInitializeThunk, 18_2_048B95D0
Source: C:\Windows\SysWOW64\cscript.exe Code function: 18_2_048B9540 NtReadFile,LdrInitializeThunk, 18_2_048B9540
Source: C:\Windows\SysWOW64\cscript.exe Code function: 18_2_048B96D0 NtCreateKey,LdrInitializeThunk, 18_2_048B96D0
Source: C:\Windows\SysWOW64\cscript.exe Code function: 18_2_048B96E0 NtFreeVirtualMemory,LdrInitializeThunk, 18_2_048B96E0
Source: C:\Windows\SysWOW64\cscript.exe Code function: 18_2_048B9650 NtQueryValueKey,LdrInitializeThunk, 18_2_048B9650
Source: C:\Windows\SysWOW64\cscript.exe Code function: 18_2_048B9660 NtAllocateVirtualMemory,LdrInitializeThunk, 18_2_048B9660
Source: C:\Windows\SysWOW64\cscript.exe Code function: 18_2_048B9780 NtMapViewOfSection,LdrInitializeThunk, 18_2_048B9780
Source: C:\Windows\SysWOW64\cscript.exe Code function: 18_2_048B9FE0 NtCreateMutant,LdrInitializeThunk, 18_2_048B9FE0
Source: C:\Windows\SysWOW64\cscript.exe Code function: 18_2_048B9710 NtQueryInformationToken,LdrInitializeThunk, 18_2_048B9710
Source: C:\Windows\SysWOW64\cscript.exe Code function: 18_2_048B9840 NtDelayExecution,LdrInitializeThunk, 18_2_048B9840
Source: C:\Windows\SysWOW64\cscript.exe Code function: 18_2_048B9860 NtQuerySystemInformation,LdrInitializeThunk, 18_2_048B9860
Source: C:\Windows\SysWOW64\cscript.exe Code function: 18_2_048B99A0 NtCreateSection,LdrInitializeThunk, 18_2_048B99A0
Source: C:\Windows\SysWOW64\cscript.exe Code function: 18_2_048B9910 NtAdjustPrivilegesToken,LdrInitializeThunk, 18_2_048B9910
Source: C:\Windows\SysWOW64\cscript.exe Code function: 18_2_048B9A50 NtCreateFile,LdrInitializeThunk, 18_2_048B9A50
Source: C:\Windows\SysWOW64\cscript.exe Code function: 18_2_048B95F0 NtQueryInformationFile, 18_2_048B95F0
Source: C:\Windows\SysWOW64\cscript.exe Code function: 18_2_048B9520 NtWaitForSingleObject, 18_2_048B9520
Source: C:\Windows\SysWOW64\cscript.exe Code function: 18_2_048BAD30 NtSetContextThread, 18_2_048BAD30
Source: C:\Windows\SysWOW64\cscript.exe Code function: 18_2_048B9560 NtWriteFile, 18_2_048B9560
Source: C:\Windows\SysWOW64\cscript.exe Code function: 18_2_048B9610 NtEnumerateValueKey, 18_2_048B9610
Source: C:\Windows\SysWOW64\cscript.exe Code function: 18_2_048B9670 NtQueryInformationProcess, 18_2_048B9670
Source: C:\Windows\SysWOW64\cscript.exe Code function: 18_2_048B97A0 NtUnmapViewOfSection, 18_2_048B97A0
Source: C:\Windows\SysWOW64\cscript.exe Code function: 18_2_048BA710 NtOpenProcessToken, 18_2_048BA710
Source: C:\Windows\SysWOW64\cscript.exe Code function: 18_2_048B9730 NtQueryVirtualMemory, 18_2_048B9730
Source: C:\Windows\SysWOW64\cscript.exe Code function: 18_2_048B9760 NtOpenProcess, 18_2_048B9760
Source: C:\Windows\SysWOW64\cscript.exe Code function: 18_2_048BA770 NtOpenThread, 18_2_048BA770
Source: C:\Windows\SysWOW64\cscript.exe Code function: 18_2_048B9770 NtSetInformationFile, 18_2_048B9770
Source: C:\Windows\SysWOW64\cscript.exe Code function: 18_2_048B98A0 NtWriteVirtualMemory, 18_2_048B98A0
Source: C:\Windows\SysWOW64\cscript.exe Code function: 18_2_048B98F0 NtReadVirtualMemory, 18_2_048B98F0
Source: C:\Windows\SysWOW64\cscript.exe Code function: 18_2_048B9820 NtEnumerateKey, 18_2_048B9820
Source: C:\Windows\SysWOW64\cscript.exe Code function: 18_2_048BB040 NtSuspendThread, 18_2_048BB040
Source: C:\Windows\SysWOW64\cscript.exe Code function: 18_2_048B99D0 NtCreateProcessEx, 18_2_048B99D0
Source: C:\Windows\SysWOW64\cscript.exe Code function: 18_2_048B9950 NtQueueApcThread, 18_2_048B9950
Source: C:\Windows\SysWOW64\cscript.exe Code function: 18_2_048B9A80 NtOpenDirectoryObject, 18_2_048B9A80
Source: C:\Windows\SysWOW64\cscript.exe Code function: 18_2_048B9A00 NtProtectVirtualMemory, 18_2_048B9A00
Source: C:\Windows\SysWOW64\cscript.exe Code function: 18_2_048B9A10 NtQuerySection, 18_2_048B9A10
Source: C:\Windows\SysWOW64\cscript.exe Code function: 18_2_048B9A20 NtResumeThread, 18_2_048B9A20
Source: C:\Windows\SysWOW64\cscript.exe Code function: 18_2_048BA3B0 NtGetContextThread, 18_2_048BA3B0
Source: C:\Windows\SysWOW64\cscript.exe Code function: 18_2_048B9B00 NtSetValueKey, 18_2_048B9B00
Source: C:\Windows\SysWOW64\cscript.exe Code function: 18_2_005781D0 NtCreateFile, 18_2_005781D0
Source: C:\Windows\SysWOW64\cscript.exe Code function: 18_2_00578280 NtReadFile, 18_2_00578280
Source: C:\Windows\SysWOW64\cscript.exe Code function: 18_2_00578300 NtClose, 18_2_00578300
Source: C:\Windows\SysWOW64\cscript.exe Code function: 18_2_005783B0 NtAllocateVirtualMemory, 18_2_005783B0
Source: C:\Windows\SysWOW64\cscript.exe Code function: 18_2_005781CE NtCreateFile, 18_2_005781CE
Source: C:\Windows\SysWOW64\cscript.exe Code function: 18_2_0057827A NtReadFile, 18_2_0057827A
Source: C:\Windows\SysWOW64\cscript.exe Code function: 18_2_005783AB NtAllocateVirtualMemory, 18_2_005783AB
Contains functionality to shutdown / reboot the system
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Code function: 0_2_004030FB EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess, 0_2_004030FB
Detected potential crypto function
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Code function: 0_2_004047D3 0_2_004047D3
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Code function: 0_2_004061D4 0_2_004061D4
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Code function: 1_2_00401030 1_2_00401030
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Code function: 1_2_0041C0A9 1_2_0041C0A9
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Code function: 1_2_0041C1CD 1_2_0041C1CD
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Code function: 1_2_0041B992 1_2_0041B992
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Code function: 1_2_0041A302 1_2_0041A302
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Code function: 1_2_0041C383 1_2_0041C383
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Code function: 1_2_00408C6B 1_2_00408C6B
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Code function: 1_2_00408C70 1_2_00408C70
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Code function: 1_2_0041B4B3 1_2_0041B4B3
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Code function: 1_2_00402D87 1_2_00402D87
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Code function: 1_2_00402D90 1_2_00402D90
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Code function: 1_2_0041BD9E 1_2_0041BD9E
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Code function: 1_2_00402FB0 1_2_00402FB0
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Code function: 1_2_00AC20A0 1_2_00AC20A0
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Code function: 1_2_00B620A8 1_2_00B620A8
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Code function: 1_2_00AAB090 1_2_00AAB090
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Code function: 1_2_00B51002 1_2_00B51002
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Code function: 1_2_00AB4120 1_2_00AB4120
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Code function: 1_2_00A9F900 1_2_00A9F900
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Code function: 1_2_00B622AE 1_2_00B622AE
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Code function: 1_2_00ACEBB0 1_2_00ACEBB0
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Code function: 1_2_00B62B28 1_2_00B62B28
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Code function: 1_2_00AA841F 1_2_00AA841F
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Code function: 1_2_00AC2581 1_2_00AC2581
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Code function: 1_2_00AAD5E0 1_2_00AAD5E0
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Code function: 1_2_00A90D20 1_2_00A90D20
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Code function: 1_2_00B62D07 1_2_00B62D07
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Code function: 1_2_00B61D55 1_2_00B61D55
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Code function: 1_2_00B62EF7 1_2_00B62EF7
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Code function: 1_2_00AB6E30 1_2_00AB6E30
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Code function: 1_2_00B61FF1 1_2_00B61FF1
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Code function: 1_1_00401030 1_1_00401030
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Code function: 1_1_0041C0A9 1_1_0041C0A9
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Code function: 1_1_0041C1CD 1_1_0041C1CD
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Code function: 1_1_0041B992 1_1_0041B992
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Code function: 1_1_0041A302 1_1_0041A302
Source: C:\Windows\SysWOW64\cscript.exe Code function: 18_2_0488841F 18_2_0488841F
Source: C:\Windows\SysWOW64\cscript.exe Code function: 18_2_0493D466 18_2_0493D466
Source: C:\Windows\SysWOW64\cscript.exe Code function: 18_2_048A2581 18_2_048A2581
Source: C:\Windows\SysWOW64\cscript.exe Code function: 18_2_049425DD 18_2_049425DD
Source: C:\Windows\SysWOW64\cscript.exe Code function: 18_2_0488D5E0 18_2_0488D5E0
Source: C:\Windows\SysWOW64\cscript.exe Code function: 18_2_04942D07 18_2_04942D07
Source: C:\Windows\SysWOW64\cscript.exe Code function: 18_2_04870D20 18_2_04870D20
Source: C:\Windows\SysWOW64\cscript.exe Code function: 18_2_04941D55 18_2_04941D55
Source: C:\Windows\SysWOW64\cscript.exe Code function: 18_2_04942EF7 18_2_04942EF7
Source: C:\Windows\SysWOW64\cscript.exe Code function: 18_2_0493D616 18_2_0493D616
Source: C:\Windows\SysWOW64\cscript.exe Code function: 18_2_04896E30 18_2_04896E30
Source: C:\Windows\SysWOW64\cscript.exe Code function: 18_2_0494DFCE 18_2_0494DFCE
Source: C:\Windows\SysWOW64\cscript.exe Code function: 18_2_04941FF1 18_2_04941FF1
Source: C:\Windows\SysWOW64\cscript.exe Code function: 18_2_0488B090 18_2_0488B090
Source: C:\Windows\SysWOW64\cscript.exe Code function: 18_2_048A20A0 18_2_048A20A0
Source: C:\Windows\SysWOW64\cscript.exe Code function: 18_2_049420A8 18_2_049420A8
Source: C:\Windows\SysWOW64\cscript.exe Code function: 18_2_049428EC 18_2_049428EC
Source: C:\Windows\SysWOW64\cscript.exe Code function: 18_2_04931002 18_2_04931002
Source: C:\Windows\SysWOW64\cscript.exe Code function: 18_2_0494E824 18_2_0494E824
Source: C:\Windows\SysWOW64\cscript.exe Code function: 18_2_0487F900 18_2_0487F900
Source: C:\Windows\SysWOW64\cscript.exe Code function: 18_2_04894120 18_2_04894120
Source: C:\Windows\SysWOW64\cscript.exe Code function: 18_2_049422AE 18_2_049422AE
Source: C:\Windows\SysWOW64\cscript.exe Code function: 18_2_0492FA2B 18_2_0492FA2B
Source: C:\Windows\SysWOW64\cscript.exe Code function: 18_2_048AEBB0 18_2_048AEBB0
Source: C:\Windows\SysWOW64\cscript.exe Code function: 18_2_0493DBD2 18_2_0493DBD2
Source: C:\Windows\SysWOW64\cscript.exe Code function: 18_2_049303DA 18_2_049303DA
Source: C:\Windows\SysWOW64\cscript.exe Code function: 18_2_04942B28 18_2_04942B28
Source: C:\Windows\SysWOW64\cscript.exe Code function: 18_2_0057A302 18_2_0057A302
Source: C:\Windows\SysWOW64\cscript.exe Code function: 18_2_00568C70 18_2_00568C70
Source: C:\Windows\SysWOW64\cscript.exe Code function: 18_2_00568C6B 18_2_00568C6B
Source: C:\Windows\SysWOW64\cscript.exe Code function: 18_2_00562D90 18_2_00562D90
Source: C:\Windows\SysWOW64\cscript.exe Code function: 18_2_00562D87 18_2_00562D87
Source: C:\Windows\SysWOW64\cscript.exe Code function: 18_2_00562FB0 18_2_00562FB0
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Code function: String function: 0041A0B0 appears 38 times
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Code function: String function: 00A9B150 appears 35 times
Source: C:\Windows\SysWOW64\cscript.exe Code function: String function: 0487B150 appears 45 times
Sample file is different than original file name gathered from version info
Source: WXs8v9QuE7.exe, 00000000.00000003.228374222.0000000009AAF000.00000004.00000001.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs WXs8v9QuE7.exe
Source: WXs8v9QuE7.exe, 00000001.00000002.302101367.0000000000B8F000.00000040.00000001.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs WXs8v9QuE7.exe
Source: WXs8v9QuE7.exe, 00000001.00000002.302941895.0000000002AC0000.00000040.00000001.sdmp Binary or memory string: OriginalFilenamecscript.exe` vs WXs8v9QuE7.exe
Uses 32bit PE files
Source: WXs8v9QuE7.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Yara signature match
Source: 00000001.00000001.231883360.0000000000400000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000001.231883360.0000000000400000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.301526292.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.301526292.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.301567040.00000000004C0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.301567040.00000000004C0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.234632284.0000000002280000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.234632284.0000000002280000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000012.00000002.493603616.0000000000A90000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000012.00000002.493603616.0000000000A90000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000012.00000002.492153305.0000000000560000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000012.00000002.492153305.0000000000560000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000012.00000002.494502874.0000000002CF0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000012.00000002.494502874.0000000002CF0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.301714612.00000000005D0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.301714612.00000000005D0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.1.WXs8v9QuE7.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.1.WXs8v9QuE7.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.1.WXs8v9QuE7.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.1.WXs8v9QuE7.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.WXs8v9QuE7.exe.2280000.2.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.WXs8v9QuE7.exe.2280000.2.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.WXs8v9QuE7.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.2.WXs8v9QuE7.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.WXs8v9QuE7.exe.2280000.2.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.WXs8v9QuE7.exe.2280000.2.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.WXs8v9QuE7.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.2.WXs8v9QuE7.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: classification engine Classification label: mal100.troj.evad.winEXE@9/3@16/10
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Code function: 0_2_00404292 GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA, 0_2_00404292
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Code function: 0_2_00402053 CoCreateInstance,MultiByteToWideChar, 0_2_00402053
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1488:120:WilError_01
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe File created: C:\Users\user\AppData\Local\Temp\nsa7684.tmp
Source: WXs8v9QuE7.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: WXs8v9QuE7.exe Virustotal: Detection: 18%
Source: WXs8v9QuE7.exe ReversingLabs: Detection: 19%
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe File read: C:\Users\user\Desktop\WXs8v9QuE7.exe
Source: unknown Process created: C:\Users\user\Desktop\WXs8v9QuE7.exe 'C:\Users\user\Desktop\WXs8v9QuE7.exe'
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Process created: C:\Users\user\Desktop\WXs8v9QuE7.exe 'C:\Users\user\Desktop\WXs8v9QuE7.exe'
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\autoconv.exe C:\Windows\SysWOW64\autoconv.exe
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Process created: C:\Windows\SysWOW64\cscript.exe C:\Windows\SysWOW64\cscript.exe
Source: C:\Windows\SysWOW64\cscript.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\WXs8v9QuE7.exe'
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Process created: C:\Users\user\Desktop\WXs8v9QuE7.exe 'C:\Users\user\Desktop\WXs8v9QuE7.exe'
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Process created: C:\Windows\SysWOW64\cscript.exe C:\Windows\SysWOW64\cscript.exe
Source: C:\Windows\SysWOW64\cscript.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\WXs8v9QuE7.exe'
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
Source: Binary string: cscript.pdbUGP source: WXs8v9QuE7.exe, 00000001.00000002.302941895.0000000002AC0000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdbUGP source: WXs8v9QuE7.exe, 00000000.00000003.228184886.0000000009990000.00000004.00000001.sdmp, WXs8v9QuE7.exe, 00000001.00000002.302101367.0000000000B8F000.00000040.00000001.sdmp, cscript.exe, 00000012.00000002.495021689.0000000004850000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: WXs8v9QuE7.exe, cscript.exe
Source: Binary string: cscript.pdb source: WXs8v9QuE7.exe, 00000001.00000002.302941895.0000000002AC0000.00000040.00000001.sdmp

Data Obfuscation:

Detected unpacking (changes PE section rights)
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Unpacked PE file: 1.2.WXs8v9QuE7.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.ndata:W;.rsrc:R; vs .text:ER;
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Code function: 0_2_10001D3B GlobalAlloc,lstrcpyA,lstrcpyA,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyA,GetModuleHandleA,LoadLibraryA,GetProcAddress,GetProcAddress,lstrcatA,GetProcAddress, 0_2_10001D3B
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Code function: 0_2_100029F0 push eax; ret 0_2_10002A1E
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Code function: 1_2_0041624A pushad ; ret 1_2_0041625B
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Code function: 1_2_0041B3C5 push eax; ret 1_2_0041B418
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Code function: 1_2_0041B47C push eax; ret 1_2_0041B482
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Code function: 1_2_0041B412 push eax; ret 1_2_0041B418
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Code function: 1_2_0041B41B push eax; ret 1_2_0041B482
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Code function: 1_2_0040B7D2 push ebx; retf 1_2_0040B7D5
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Code function: 1_2_00AED0D1 push ecx; ret 1_2_00AED0E4
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Code function: 1_1_0041624A pushad ; ret 1_1_0041625B
Source: C:\Windows\SysWOW64\cscript.exe Code function: 18_2_048CD0D1 push ecx; ret 18_2_048CD0E4
Source: C:\Windows\SysWOW64\cscript.exe Code function: 18_2_0057624A pushad ; ret 18_2_0057625B
Source: C:\Windows\SysWOW64\cscript.exe Code function: 18_2_0057B3C5 push eax; ret 18_2_0057B418
Source: C:\Windows\SysWOW64\cscript.exe Code function: 18_2_0057B47C push eax; ret 18_2_0057B482
Source: C:\Windows\SysWOW64\cscript.exe Code function: 18_2_0057B412 push eax; ret 18_2_0057B418
Source: C:\Windows\SysWOW64\cscript.exe Code function: 18_2_0057B41B push eax; ret 18_2_0057B482
Source: C:\Windows\SysWOW64\cscript.exe Code function: 18_2_0056B7D2 push ebx; retf 18_2_0056B7D5

Persistence and Installation Behavior:

Drops PE files
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe File created: C:\Users\user\AppData\Local\Temp\nsa7685.tmp\System.dll
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cscript.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe RDTSC instruction interceptor: First address: 00000000004085F4 second address: 00000000004085FA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe RDTSC instruction interceptor: First address: 000000000040898E second address: 0000000000408994 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\cscript.exe RDTSC instruction interceptor: First address: 00000000005685F4 second address: 00000000005685FA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\cscript.exe RDTSC instruction interceptor: First address: 000000000056898E second address: 0000000000568994 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Contains capabilities to detect virtual machines
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Code function: 1_2_004088C0 rdtsc 1_2_004088C0
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\explorer.exe TID: 1848 Thread sleep time: -45000s >= -30000s
Source: C:\Windows\SysWOW64\cscript.exe TID: 612 Thread sleep time: -44000s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\explorer.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\cscript.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\cscript.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Code function: 0_2_00405E93 FindFirstFileA,FindClose, 0_2_00405E93
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Code function: 0_2_004054BD DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA, 0_2_004054BD
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Code function: 0_2_00402671 FindFirstFileA, 0_2_00402671
Source: explorer.exe, 00000004.00000000.250033211.000000000891C000.00000004.00000001.sdmp Binary or memory string: VMware SATA CD00dRom0
Source: explorer.exe, 00000004.00000000.258894278.00000000011B3000.00000004.00000020.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}t
Source: explorer.exe, 00000004.00000000.258969354.0000000001218000.00000004.00000020.sdmp Binary or memory string: AGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000004.00000000.250033211.000000000891C000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000004.00000000.249626505.0000000008270000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: explorer.exe, 00000004.00000000.261945560.0000000003767000.00000004.00000001.sdmp Binary or memory string: VMware SATA CD00
Source: explorer.exe, 00000004.00000000.258894278.00000000011B3000.00000004.00000020.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000tft\0
Source: explorer.exe, 00000004.00000000.250088865.00000000089B5000.00000004.00000001.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000%
Source: explorer.exe, 00000004.00000000.249626505.0000000008270000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: explorer.exe, 00000004.00000000.268841101.00000000053C4000.00000004.00000001.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}>'R\"
Source: explorer.exe, 00000004.00000000.249626505.0000000008270000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: explorer.exe, 00000004.00000000.250088865.00000000089B5000.00000004.00000001.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&0000002
Source: explorer.exe, 00000004.00000000.249626505.0000000008270000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Process information queried: ProcessInformation

Anti Debugging:

Checks if the current process is being debugged
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\cscript.exe Process queried: DebugPort
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Code function: 1_2_004088C0 rdtsc 1_2_004088C0
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Code function: 1_2_00409B30 LdrLoadDll, 1_2_00409B30
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Code function: 0_2_10001D3B GlobalAlloc,lstrcpyA,lstrcpyA,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyA,GetModuleHandleA,LoadLibraryA,GetProcAddress,GetProcAddress,lstrcatA,GetProcAddress, 0_2_10001D3B
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Code function: 1_2_00AD90AF mov eax, dword ptr fs:[00000030h] 1_2_00AD90AF
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Code function: 1_2_00AC20A0 mov eax, dword ptr fs:[00000030h] 1_2_00AC20A0
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Code function: 1_2_00AC20A0 mov eax, dword ptr fs:[00000030h] 1_2_00AC20A0
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Code function: 1_2_00AC20A0 mov eax, dword ptr fs:[00000030h] 1_2_00AC20A0
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Code function: 1_2_00AC20A0 mov eax, dword ptr fs:[00000030h] 1_2_00AC20A0
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Code function: 1_2_00AC20A0 mov eax, dword ptr fs:[00000030h] 1_2_00AC20A0
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Code function: 1_2_00AC20A0 mov eax, dword ptr fs:[00000030h] 1_2_00AC20A0
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Code function: 1_2_00ACF0BF mov ecx, dword ptr fs:[00000030h] 1_2_00ACF0BF
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Code function: 1_2_00ACF0BF mov eax, dword ptr fs:[00000030h] 1_2_00ACF0BF
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Code function: 1_2_00ACF0BF mov eax, dword ptr fs:[00000030h] 1_2_00ACF0BF
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Code function: 1_2_00A99080 mov eax, dword ptr fs:[00000030h] 1_2_00A99080
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Code function: 1_2_00B13884 mov eax, dword ptr fs:[00000030h] 1_2_00B13884
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Code function: 1_2_00B13884 mov eax, dword ptr fs:[00000030h] 1_2_00B13884
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Code function: 1_2_00A958EC mov eax, dword ptr fs:[00000030h] 1_2_00A958EC
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Code function: 1_2_00B2B8D0 mov eax, dword ptr fs:[00000030h] 1_2_00B2B8D0
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Code function: 1_2_00B2B8D0 mov ecx, dword ptr fs:[00000030h] 1_2_00B2B8D0
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Code function: 1_2_00B2B8D0 mov eax, dword ptr fs:[00000030h] 1_2_00B2B8D0
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Code function: 1_2_00B2B8D0 mov eax, dword ptr fs:[00000030h] 1_2_00B2B8D0
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Code function: 1_2_00B2B8D0 mov eax, dword ptr fs:[00000030h] 1_2_00B2B8D0
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Code function: 1_2_00B2B8D0 mov eax, dword ptr fs:[00000030h] 1_2_00B2B8D0
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Code function: 1_2_00AAB02A mov eax, dword ptr fs:[00000030h] 1_2_00AAB02A
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Code function: 1_2_00AAB02A mov eax, dword ptr fs:[00000030h] 1_2_00AAB02A
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Code function: 1_2_00AAB02A mov eax, dword ptr fs:[00000030h] 1_2_00AAB02A
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Code function: 1_2_00AAB02A mov eax, dword ptr fs:[00000030h] 1_2_00AAB02A
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Code function: 1_2_00AC002D mov eax, dword ptr fs:[00000030h] 1_2_00AC002D
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Code function: 1_2_00AC002D mov eax, dword ptr fs:[00000030h] 1_2_00AC002D
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Code function: 1_2_00AC002D mov eax, dword ptr fs:[00000030h] 1_2_00AC002D
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Code function: 1_2_00AC002D mov eax, dword ptr fs:[00000030h] 1_2_00AC002D
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Code function: 1_2_00AC002D mov eax, dword ptr fs:[00000030h] 1_2_00AC002D
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Code function: 1_2_00B64015 mov eax, dword ptr fs:[00000030h] 1_2_00B64015
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Code function: 1_2_00B64015 mov eax, dword ptr fs:[00000030h] 1_2_00B64015
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Code function: 1_2_00B17016 mov eax, dword ptr fs:[00000030h] 1_2_00B17016
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Code function: 1_2_00B17016 mov eax, dword ptr fs:[00000030h] 1_2_00B17016
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Code function: 1_2_00B17016 mov eax, dword ptr fs:[00000030h] 1_2_00B17016
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Code function: 1_2_00B61074 mov eax, dword ptr fs:[00000030h] 1_2_00B61074
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Code function: 1_2_00B52073 mov eax, dword ptr fs:[00000030h] 1_2_00B52073
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Code function: 1_2_00AB0050 mov eax, dword ptr fs:[00000030h] 1_2_00AB0050
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Code function: 1_2_00AB0050 mov eax, dword ptr fs:[00000030h] 1_2_00AB0050
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Code function: 1_2_00AC61A0 mov eax, dword ptr fs:[00000030h] 1_2_00AC61A0
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Code function: 1_2_00AC61A0 mov eax, dword ptr fs:[00000030h] 1_2_00AC61A0
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Code function: 1_2_00B151BE mov eax, dword ptr fs:[00000030h] 1_2_00B151BE
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Code function: 1_2_00B151BE mov eax, dword ptr fs:[00000030h] 1_2_00B151BE
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Code function: 1_2_00B151BE mov eax, dword ptr fs:[00000030h] 1_2_00B151BE
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Code function: 1_2_00B151BE mov eax, dword ptr fs:[00000030h] 1_2_00B151BE
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Code function: 1_2_00B169A6 mov eax, dword ptr fs:[00000030h] 1_2_00B169A6
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Code function: 1_2_00ACA185 mov eax, dword ptr fs:[00000030h] 1_2_00ACA185
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Code function: 1_2_00ABC182 mov eax, dword ptr fs:[00000030h] 1_2_00ABC182
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Code function: 1_2_00AC2990 mov eax, dword ptr fs:[00000030h] 1_2_00AC2990
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Code function: 1_2_00A9B1E1 mov eax, dword ptr fs:[00000030h] 1_2_00A9B1E1
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Code function: 1_2_00A9B1E1 mov eax, dword ptr fs:[00000030h] 1_2_00A9B1E1
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Code function: 1_2_00A9B1E1 mov eax, dword ptr fs:[00000030h] 1_2_00A9B1E1
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Code function: 1_2_00B241E8 mov eax, dword ptr fs:[00000030h] 1_2_00B241E8
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Code function: 1_2_00AB4120 mov eax, dword ptr fs:[00000030h] 1_2_00AB4120
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Code function: 1_2_00AB4120 mov eax, dword ptr fs:[00000030h] 1_2_00AB4120
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Code function: 1_2_00AB4120 mov eax, dword ptr fs:[00000030h] 1_2_00AB4120
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Code function: 1_2_00AB4120 mov eax, dword ptr fs:[00000030h] 1_2_00AB4120
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Code function: 1_2_00AB4120 mov ecx, dword ptr fs:[00000030h] 1_2_00AB4120
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Code function: 1_2_00AC513A mov eax, dword ptr fs:[00000030h] 1_2_00AC513A
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Code function: 1_2_00AC513A mov eax, dword ptr fs:[00000030h] 1_2_00AC513A
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Code function: 1_2_00A99100 mov eax, dword ptr fs:[00000030h] 1_2_00A99100
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Code function: 1_2_00A99100 mov eax, dword ptr fs:[00000030h] 1_2_00A99100
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Code function: 1_2_00A99100 mov eax, dword ptr fs:[00000030h] 1_2_00A99100
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Code function: 1_2_00A9C962 mov eax, dword ptr fs:[00000030h] 1_2_00A9C962
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Code function: 1_2_00A9B171 mov eax, dword ptr fs:[00000030h] 1_2_00A9B171
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Code function: 1_2_00A9B171 mov eax, dword ptr fs:[00000030h] 1_2_00A9B171
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Code function: 1_2_00ABB944 mov eax, dword ptr fs:[00000030h] 1_2_00ABB944
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Code function: 1_2_00ABB944 mov eax, dword ptr fs:[00000030h] 1_2_00ABB944
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Code function: 1_2_00A952A5 mov eax, dword ptr fs:[00000030h] 1_2_00A952A5
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Code function: 1_2_00A952A5 mov eax, dword ptr fs:[00000030h] 1_2_00A952A5
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Code function: 1_2_00A952A5 mov eax, dword ptr fs:[00000030h] 1_2_00A952A5
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Code function: 1_2_00A952A5 mov eax, dword ptr fs:[00000030h] 1_2_00A952A5
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Code function: 1_2_00A952A5 mov eax, dword ptr fs:[00000030h] 1_2_00A952A5
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Code function: 1_2_00AAAAB0 mov eax, dword ptr fs:[00000030h] 1_2_00AAAAB0
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Code function: 1_2_00AAAAB0 mov eax, dword ptr fs:[00000030h] 1_2_00AAAAB0
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Code function: 1_2_00ACFAB0 mov eax, dword ptr fs:[00000030h] 1_2_00ACFAB0
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Code function: 1_2_00ACD294 mov eax, dword ptr fs:[00000030h] 1_2_00ACD294
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Code function: 1_2_00ACD294 mov eax, dword ptr fs:[00000030h] 1_2_00ACD294
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Code function: 1_2_00AC2AE4 mov eax, dword ptr fs:[00000030h] 1_2_00AC2AE4
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Code function: 1_2_00AC2ACB mov eax, dword ptr fs:[00000030h] 1_2_00AC2ACB
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Code function: 1_2_00AD4A2C mov eax, dword ptr fs:[00000030h] 1_2_00AD4A2C
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Code function: 1_2_00AD4A2C mov eax, dword ptr fs:[00000030h] 1_2_00AD4A2C
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Code function: 1_2_00AA8A0A mov eax, dword ptr fs:[00000030h] 1_2_00AA8A0A
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Code function: 1_2_00AB3A1C mov eax, dword ptr fs:[00000030h] 1_2_00AB3A1C
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Code function: 1_2_00A95210 mov eax, dword ptr fs:[00000030h] 1_2_00A95210
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Code function: 1_2_00A95210 mov ecx, dword ptr fs:[00000030h] 1_2_00A95210
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Code function: 1_2_00A95210 mov eax, dword ptr fs:[00000030h] 1_2_00A95210
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Code function: 1_2_00A95210 mov eax, dword ptr fs:[00000030h] 1_2_00A95210
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Code function: 1_2_00A9AA16 mov eax, dword ptr fs:[00000030h] 1_2_00A9AA16
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Code function: 1_2_00A9AA16 mov eax, dword ptr fs:[00000030h] 1_2_00A9AA16
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Code function: 1_2_00B4B260 mov eax, dword ptr fs:[00000030h] 1_2_00B4B260
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Code function: 1_2_00B4B260 mov eax, dword ptr fs:[00000030h] 1_2_00B4B260
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Code function: 1_2_00B68A62 mov eax, dword ptr fs:[00000030h] 1_2_00B68A62
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Code function: 1_2_00AD927A mov eax, dword ptr fs:[00000030h] 1_2_00AD927A
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Code function: 1_2_00B24257 mov eax, dword ptr fs:[00000030h] 1_2_00B24257
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Code function: 1_2_00A99240 mov eax, dword ptr fs:[00000030h] 1_2_00A99240
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Code function: 1_2_00A99240 mov eax, dword ptr fs:[00000030h] 1_2_00A99240
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Code function: 1_2_00A99240 mov eax, dword ptr fs:[00000030h] 1_2_00A99240
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Code function: 1_2_00A99240 mov eax, dword ptr fs:[00000030h] 1_2_00A99240
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Code function: 1_2_00AC4BAD mov eax, dword ptr fs:[00000030h] 1_2_00AC4BAD
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Code function: 1_2_00AC4BAD mov eax, dword ptr fs:[00000030h] 1_2_00AC4BAD
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Code function: 1_2_00AC4BAD mov eax, dword ptr fs:[00000030h] 1_2_00AC4BAD
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Code function: 1_2_00B65BA5 mov eax, dword ptr fs:[00000030h] 1_2_00B65BA5
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Code function: 1_2_00AA1B8F mov eax, dword ptr fs:[00000030h] 1_2_00AA1B8F
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Code function: 1_2_00AA1B8F mov eax, dword ptr fs:[00000030h] 1_2_00AA1B8F
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Code function: 1_2_00B4D380 mov ecx, dword ptr fs:[00000030h] 1_2_00B4D380
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Code function: 1_2_00AC2397 mov eax, dword ptr fs:[00000030h] 1_2_00AC2397
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Code function: 1_2_00ACB390 mov eax, dword ptr fs:[00000030h] 1_2_00ACB390
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Code function: 1_2_00B5138A mov eax, dword ptr fs:[00000030h] 1_2_00B5138A
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Code function: 1_2_00ABDBE9 mov eax, dword ptr fs:[00000030h] 1_2_00ABDBE9
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Code function: 1_2_00AC03E2 mov eax, dword ptr fs:[00000030h] 1_2_00AC03E2
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Code function: 1_2_00AC03E2 mov eax, dword ptr fs:[00000030h] 1_2_00AC03E2
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Code function: 1_2_00AC03E2 mov eax, dword ptr fs:[00000030h] 1_2_00AC03E2
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Code function: 1_2_00AC03E2 mov eax, dword ptr fs:[00000030h] 1_2_00AC03E2
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Code function: 1_2_00AC03E2 mov eax, dword ptr fs:[00000030h] 1_2_00AC03E2
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Code function: 1_2_00AC03E2 mov eax, dword ptr fs:[00000030h] 1_2_00AC03E2
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Code function: 1_2_00B153CA mov eax, dword ptr fs:[00000030h] 1_2_00B153CA
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Code function: 1_2_00B153CA mov eax, dword ptr fs:[00000030h] 1_2_00B153CA
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Code function: 1_2_00B5131B mov eax, dword ptr fs:[00000030h] 1_2_00B5131B
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Code function: 1_2_00A9DB60 mov ecx, dword ptr fs:[00000030h] 1_2_00A9DB60
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Code function: 1_2_00AC3B7A mov eax, dword ptr fs:[00000030h] 1_2_00AC3B7A
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Code function: 1_2_00AC3B7A mov eax, dword ptr fs:[00000030h] 1_2_00AC3B7A
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Code function: 1_2_00A9DB40 mov eax, dword ptr fs:[00000030h] 1_2_00A9DB40
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Code function: 1_2_00B68B58 mov eax, dword ptr fs:[00000030h] 1_2_00B68B58
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Code function: 1_2_00A9F358 mov eax, dword ptr fs:[00000030h] 1_2_00A9F358
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Code function: 1_2_00AA849B mov eax, dword ptr fs:[00000030h] 1_2_00AA849B
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Code function: 1_2_00B16CF0 mov eax, dword ptr fs:[00000030h] 1_2_00B16CF0
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Code function: 1_2_00B16CF0 mov eax, dword ptr fs:[00000030h] 1_2_00B16CF0
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Code function: 1_2_00B16CF0 mov eax, dword ptr fs:[00000030h] 1_2_00B16CF0
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Code function: 1_2_00B514FB mov eax, dword ptr fs:[00000030h] 1_2_00B514FB
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Code function: 1_2_00B68CD6 mov eax, dword ptr fs:[00000030h] 1_2_00B68CD6
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Code function: 1_2_00ACBC2C mov eax, dword ptr fs:[00000030h] 1_2_00ACBC2C
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Code function: 1_2_00B51C06 mov eax, dword ptr fs:[00000030h] 1_2_00B51C06
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Code function: 1_2_00B51C06 mov eax, dword ptr fs:[00000030h] 1_2_00B51C06
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Code function: 1_2_00B51C06 mov eax, dword ptr fs:[00000030h] 1_2_00B51C06
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Code function: 1_2_00B51C06 mov eax, dword ptr fs:[00000030h] 1_2_00B51C06
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Code function: 1_2_00B51C06 mov eax, dword ptr fs:[00000030h] 1_2_00B51C06
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Code function: 1_2_00B51C06 mov eax, dword ptr fs:[00000030h] 1_2_00B51C06
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Code function: 1_2_00B51C06 mov eax, dword ptr fs:[00000030h] 1_2_00B51C06
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Code function: 1_2_00B51C06 mov eax, dword ptr fs:[00000030h] 1_2_00B51C06
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Code function: 1_2_00B51C06 mov eax, dword ptr fs:[00000030h] 1_2_00B51C06
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Code function: 1_2_00B51C06 mov eax, dword ptr fs:[00000030h] 1_2_00B51C06
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Code function: 1_2_00B51C06 mov eax, dword ptr fs:[00000030h] 1_2_00B51C06
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Code function: 1_2_00B51C06 mov eax, dword ptr fs:[00000030h] 1_2_00B51C06
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Code function: 1_2_00B51C06 mov eax, dword ptr fs:[00000030h] 1_2_00B51C06
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Code function: 1_2_00B51C06 mov eax, dword ptr fs:[00000030h] 1_2_00B51C06
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Code function: 1_2_00B6740D mov eax, dword ptr fs:[00000030h] 1_2_00B6740D
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Code function: 1_2_00B6740D mov eax, dword ptr fs:[00000030h] 1_2_00B6740D
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Code function: 1_2_00B6740D mov eax, dword ptr fs:[00000030h] 1_2_00B6740D
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Code function: 1_2_00B16C0A mov eax, dword ptr fs:[00000030h] 1_2_00B16C0A
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Code function: 1_2_00B16C0A mov eax, dword ptr fs:[00000030h] 1_2_00B16C0A
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Code function: 1_2_00B16C0A mov eax, dword ptr fs:[00000030h] 1_2_00B16C0A
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Code function: 1_2_00B16C0A mov eax, dword ptr fs:[00000030h] 1_2_00B16C0A
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Code function: 1_2_00AB746D mov eax, dword ptr fs:[00000030h] 1_2_00AB746D
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Code function: 1_2_00B2C450 mov eax, dword ptr fs:[00000030h] 1_2_00B2C450
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Code function: 1_2_00B2C450 mov eax, dword ptr fs:[00000030h] 1_2_00B2C450
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Code function: 1_2_00ACA44B mov eax, dword ptr fs:[00000030h] 1_2_00ACA44B
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Code function: 1_2_00AC35A1 mov eax, dword ptr fs:[00000030h] 1_2_00AC35A1
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Code function: 1_2_00AC1DB5 mov eax, dword ptr fs:[00000030h] 1_2_00AC1DB5
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Code function: 1_2_00AC1DB5 mov eax, dword ptr fs:[00000030h] 1_2_00AC1DB5
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Code function: 1_2_00AC1DB5 mov eax, dword ptr fs:[00000030h] 1_2_00AC1DB5
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Code function: 1_2_00B605AC mov eax, dword ptr fs:[00000030h] 1_2_00B605AC
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Code function: 1_2_00B605AC mov eax, dword ptr fs:[00000030h] 1_2_00B605AC
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Code function: 1_2_00A92D8A mov eax, dword ptr fs:[00000030h] 1_2_00A92D8A
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Code function: 1_2_00A92D8A mov eax, dword ptr fs:[00000030h] 1_2_00A92D8A
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Code function: 1_2_00A92D8A mov eax, dword ptr fs:[00000030h] 1_2_00A92D8A
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Code function: 1_2_00A92D8A mov eax, dword ptr fs:[00000030h] 1_2_00A92D8A
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Code function: 1_2_00A92D8A mov eax, dword ptr fs:[00000030h] 1_2_00A92D8A
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Code function: 1_2_00AC2581 mov eax, dword ptr fs:[00000030h] 1_2_00AC2581
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Code function: 1_2_00AC2581 mov eax, dword ptr fs:[00000030h] 1_2_00AC2581
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Code function: 1_2_00AC2581 mov eax, dword ptr fs:[00000030h] 1_2_00AC2581
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Code function: 1_2_00AC2581 mov eax, dword ptr fs:[00000030h] 1_2_00AC2581
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Code function: 1_2_00ACFD9B mov eax, dword ptr fs:[00000030h] 1_2_00ACFD9B
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Code function: 1_2_00ACFD9B mov eax, dword ptr fs:[00000030h] 1_2_00ACFD9B
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Code function: 1_2_00B48DF1 mov eax, dword ptr fs:[00000030h] 1_2_00B48DF1
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Code function: 1_2_00AAD5E0 mov eax, dword ptr fs:[00000030h] 1_2_00AAD5E0
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Code function: 1_2_00AAD5E0 mov eax, dword ptr fs:[00000030h] 1_2_00AAD5E0
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Code function: 1_2_00B16DC9 mov eax, dword ptr fs:[00000030h] 1_2_00B16DC9
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Code function: 1_2_00B16DC9 mov eax, dword ptr fs:[00000030h] 1_2_00B16DC9
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Code function: 1_2_00B16DC9 mov eax, dword ptr fs:[00000030h] 1_2_00B16DC9
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Code function: 1_2_00B16DC9 mov ecx, dword ptr fs:[00000030h] 1_2_00B16DC9
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Code function: 1_2_00B16DC9 mov eax, dword ptr fs:[00000030h] 1_2_00B16DC9
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Code function: 1_2_00B16DC9 mov eax, dword ptr fs:[00000030h] 1_2_00B16DC9
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Code function: 1_2_00B68D34 mov eax, dword ptr fs:[00000030h] 1_2_00B68D34
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Code function: 1_2_00B1A537 mov eax, dword ptr fs:[00000030h] 1_2_00B1A537
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Code function: 1_2_00AC4D3B mov eax, dword ptr fs:[00000030h] 1_2_00AC4D3B
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Code function: 1_2_00AC4D3B mov eax, dword ptr fs:[00000030h] 1_2_00AC4D3B
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Code function: 1_2_00AC4D3B mov eax, dword ptr fs:[00000030h] 1_2_00AC4D3B
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Code function: 1_2_00A9AD30 mov eax, dword ptr fs:[00000030h] 1_2_00A9AD30
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Code function: 1_2_00AA3D34 mov eax, dword ptr fs:[00000030h] 1_2_00AA3D34
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Code function: 1_2_00AA3D34 mov eax, dword ptr fs:[00000030h] 1_2_00AA3D34
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Code function: 1_2_00AA3D34 mov eax, dword ptr fs:[00000030h] 1_2_00AA3D34
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Code function: 1_2_00AA3D34 mov eax, dword ptr fs:[00000030h] 1_2_00AA3D34
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Code function: 1_2_00AA3D34 mov eax, dword ptr fs:[00000030h] 1_2_00AA3D34
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Code function: 1_2_00AA3D34 mov eax, dword ptr fs:[00000030h] 1_2_00AA3D34
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Code function: 1_2_00AA3D34 mov eax, dword ptr fs:[00000030h] 1_2_00AA3D34
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Code function: 1_2_00AA3D34 mov eax, dword ptr fs:[00000030h] 1_2_00AA3D34
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Code function: 1_2_00AA3D34 mov eax, dword ptr fs:[00000030h] 1_2_00AA3D34
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Code function: 1_2_00AA3D34 mov eax, dword ptr fs:[00000030h] 1_2_00AA3D34
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Code function: 1_2_00AA3D34 mov eax, dword ptr fs:[00000030h] 1_2_00AA3D34
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Code function: 1_2_00AA3D34 mov eax, dword ptr fs:[00000030h] 1_2_00AA3D34
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Code function: 1_2_00AA3D34 mov eax, dword ptr fs:[00000030h] 1_2_00AA3D34
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Code function: 1_2_00ABC577 mov eax, dword ptr fs:[00000030h] 1_2_00ABC577
Enables debug privileges
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\cscript.exe Process token adjusted: Debug

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe Domain query: www.fredrika-stahl.com
Source: C:\Windows\explorer.exe Domain query: www.purpleqube.com
Source: C:\Windows\explorer.exe Domain query: www.motivactivewear.com
Source: C:\Windows\explorer.exe Domain query: www.reufhroir.com
Source: C:\Windows\explorer.exe Network Connect: 119.81.95.146 80
Source: C:\Windows\explorer.exe Domain query: www.tori2020.com
Source: C:\Windows\explorer.exe Network Connect: 184.168.131.241 80
Source: C:\Windows\explorer.exe Network Connect: 94.136.40.51 80
Source: C:\Windows\explorer.exe Domain query: www.doodstore.net
Source: C:\Windows\explorer.exe Domain query: www.mutanterestaurante.com
Source: C:\Windows\explorer.exe Domain query: www.5xlsteve.com
Source: C:\Windows\explorer.exe Network Connect: 185.53.177.12 80
Source: C:\Windows\explorer.exe Network Connect: 50.87.146.99 80
Source: C:\Windows\explorer.exe Domain query: www.oceancollaborative.com
Source: C:\Windows\explorer.exe Network Connect: 75.2.124.199 80
Source: C:\Windows\explorer.exe Network Connect: 34.102.136.180 80
Source: C:\Windows\explorer.exe Domain query: www.9wsc.com
Source: C:\Windows\explorer.exe Domain query: www.underce.com
Source: C:\Windows\explorer.exe Network Connect: 222.239.248.209 80
Source: C:\Windows\explorer.exe Domain query: www.kocaelimanliftkiralama.site
Source: C:\Windows\explorer.exe Network Connect: 67.199.248.12 80
Source: C:\Windows\explorer.exe Network Connect: 23.225.101.32 80
Maps a DLL or memory area into another process
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Section loaded: unknown target: C:\Users\user\Desktop\WXs8v9QuE7.exe protection: execute and read and write
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Section loaded: unknown target: C:\Windows\SysWOW64\cscript.exe protection: execute and read and write
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Section loaded: unknown target: C:\Windows\SysWOW64\cscript.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\cscript.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\cscript.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Modifies the context of a thread in another process (thread injection)
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Thread register set: target process: 3472
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Thread register set: target process: 3472
Source: C:\Windows\SysWOW64\cscript.exe Thread register set: target process: 3472
Queues an APC in another process (thread injection)
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Thread APC queued: target process: C:\Windows\explorer.exe
Sample uses process hollowing technique
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Section unmapped: C:\Windows\SysWOW64\cscript.exe base address: AC0000
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Process created: C:\Users\user\Desktop\WXs8v9QuE7.exe 'C:\Users\user\Desktop\WXs8v9QuE7.exe'
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Process created: C:\Windows\SysWOW64\cscript.exe C:\Windows\SysWOW64\cscript.exe
Source: C:\Windows\SysWOW64\cscript.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\WXs8v9QuE7.exe'
Source: explorer.exe, 00000004.00000000.245636520.0000000005EA0000.00000004.00000001.sdmp, cscript.exe, 00000012.00000002.494686146.0000000003100000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000004.00000000.235951037.0000000001640000.00000002.00000001.sdmp, cscript.exe, 00000012.00000002.494686146.0000000003100000.00000002.00000001.sdmp Binary or memory string: Progman
Source: explorer.exe, 00000004.00000000.235951037.0000000001640000.00000002.00000001.sdmp, cscript.exe, 00000012.00000002.494686146.0000000003100000.00000002.00000001.sdmp Binary or memory string: SProgram Managerl
Source: explorer.exe, 00000004.00000000.258808512.0000000001128000.00000004.00000020.sdmp Binary or memory string: ProgmanOMEa
Source: explorer.exe, 00000004.00000000.235951037.0000000001640000.00000002.00000001.sdmp, cscript.exe, 00000012.00000002.494686146.0000000003100000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd,
Source: explorer.exe, 00000004.00000000.235951037.0000000001640000.00000002.00000001.sdmp, cscript.exe, 00000012.00000002.494686146.0000000003100000.00000002.00000001.sdmp Binary or memory string: Progmanlock
Source: C:\Users\user\Desktop\WXs8v9QuE7.exe Code function: 0_2_004030FB EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess, 0_2_004030FB

Stealing of Sensitive Information:

Yara detected FormBook
Source: Yara match File source: 00000001.00000001.231883360.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.301526292.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.301567040.00000000004C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.234632284.0000000002280000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.493603616.0000000000A90000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.492153305.0000000000560000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.494502874.0000000002CF0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.301714612.00000000005D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 1.1.WXs8v9QuE7.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.1.WXs8v9QuE7.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.WXs8v9QuE7.exe.2280000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.WXs8v9QuE7.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.WXs8v9QuE7.exe.2280000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.WXs8v9QuE7.exe.400000.0.raw.unpack, type: UNPACKEDPE

Remote Access Functionality:

Yara detected FormBook
Source: Yara match File source: 00000001.00000001.231883360.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.301526292.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.301567040.00000000004C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.234632284.0000000002280000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.493603616.0000000000A90000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.492153305.0000000000560000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.494502874.0000000002CF0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.301714612.00000000005D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 1.1.WXs8v9QuE7.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.1.WXs8v9QuE7.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.WXs8v9QuE7.exe.2280000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.WXs8v9QuE7.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.WXs8v9QuE7.exe.2280000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.WXs8v9QuE7.exe.400000.0.raw.unpack, type: UNPACKEDPE