Windows Analysis Report arrival notice.exe

Overview

General Information

Sample Name: arrival notice.exe
Analysis ID: 483532
MD5: 4196c697fa8a52ecddad63bf5ac9e8f9
SHA1: 1179a7916f59fa2d88829a56f3f045e1cf32c418
SHA256: cfdb27a9ff39bd1aa5a0a43fe6e272c269a311f5748d8a13b2e705f7d66f16bd
Tags: exe

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Yara detected AntiVM3
Sample uses process hollowing technique
Maps a DLL or memory area into another process
Initial sample is a PE file and has a suspicious name
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
Self deletion via cmd delete
.NET source code contains potential unpacker
Injects a PE file into a foreign process
Queues an APC in another process (thread injection)
.NET source code contains very large strings
Tries to detect virtualization through RDTSC time measurements
Sigma detected: CMSTP Execution Process Creation
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Uses 32bit PE files
Uses Windows Living Off The Land Binaries (LOLBins)
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Found potential string decryption / allocating functions
Contains functionality to call native functions
Contains functionality for execution timing, often used to detect debuggers
Contains long sleeps (>= 3 min)
Abnormal high CPU Usage
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
Tries to load missing DLLs
Contains functionality to read the PEB
Checks if the current process is being debugged
Binary contains a suspicious time stamp
Contains capabilities to detect virtual machines
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

AV Detection:

Found malware configuration
Source: 00000005.00000002.753650396.00000000012B0000.00000040.00020000.sdmp Malware Configuration Extractor: FormBook {"C2 list": ["www.nordicbatterybelt.net/n58i/"], "decoy": ["southerncircumstance.com", "mcsasco.com", "ifbrick.com", "societe-anonyme.net", "bantank.xyz", "dogecoin.beauty", "aboutacoffee.com", "babalandlordrealestate.com", "tintgta.com", "integrity.directory", "parwnr.icu", "poltishof.online", "stayandstyle.com", "ickjeame.xyz", "currentmotors.ca", "pond.fund", "petrosterzis.com", "deadbydaylightpoints.com", "hotel-balzac.paris", "focusmaintainance.com", "odeonmarket.com", "voeran.net", "lookailpop.xyz", "sashaignatenko.com", "royalgreenvillage.com", "airbhouse.com", "zl-dz.com", "fuwuxz.com", "wugupihuhepop.xyz", "zmdhysm.com", "luchin.site", "rnchaincvkbip.xyz", "fffddfrfqffrtgthhhbhffgfr.com", "goabbasoon.info", "booyahbucks.com", "ilovecoventry.com", "components-electronics.com", "advindustry.com", "browandline.com", "hotnspicy.site", "marlonj26.com", "holidays24.net", "starworks.online", "mbchaindogbbc.xyz", "3wouqg.com", "evnfreesx.com", "baureihe51.com", "hycelassetmanagement.space", "photostickomni-trendyfinds.com", "singisa4letterword.com", "thklw.online", "menramen.com", "highspeedinternetinc.com", "beerenhunger.info", "hisensor.world", "lassurancevalence.com", "clementchanlab.com", "customia.xyz", "alysvera-centroestetico.com", "cx-xiezuo.com", "index-mp3.com", "mybenefits51.com", "vyhozoi.site", "lingerista.net"]}
Multi AV Scanner detection for submitted file
Source: arrival notice.exe Virustotal: Detection: 29%
Source: arrival notice.exe ReversingLabs: Detection: 25%
Yara detected FormBook
Source: Yara match File source: 5.2.arrival notice.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.arrival notice.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.arrival notice.exe.37c44c0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000005.00000002.753650396.00000000012B0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.987277254.0000000002E00000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000000.712937418.000000000EC67000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.986144684.00000000007B0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.672365867.00000000035F9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.672532960.00000000036F2000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000000.699881557.000000000EC67000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.752247585.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.753557009.0000000001280000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.987219865.0000000002DD0000.00000040.00020000.sdmp, type: MEMORY
Machine Learning detection for sample
Source: arrival notice.exe Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 5.2.arrival notice.exe.400000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen

Compliance:

Uses 32bit PE files
Source: arrival notice.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: arrival notice.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: cmstp.pdbGCTL source: arrival notice.exe, 00000005.00000003.750476475.0000000001341000.00000004.00000001.sdmp
Source: Binary string: \Registry\Machine\Software\Classes\SystemFileAssociations\.pdbsqrstuvwxyz{|}~ source: explorer.exe, 00000017.00000003.920395188.0000000007E54000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdbUGP source: arrival notice.exe, 00000005.00000002.753977107.00000000015D0000.00000040.00000001.sdmp, cmstp.exe, 0000000E.00000002.988607183.0000000004A6F000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: arrival notice.exe, cmstp.exe
Source: Binary string: cmstp.pdb source: arrival notice.exe, 00000005.00000003.750476475.0000000001341000.00000004.00000001.sdmp

Software Vulnerabilities:

Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 4x nop then pop edi 5_2_0041625A
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 4x nop then pop edi 5_2_0040C3D2
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 4x nop then pop edi 14_2_007C625A
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 4x nop then pop edi 14_2_007BC3D2

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: www.nordicbatterybelt.net/n58i/
Source: explorer.exe, 00000017.00000002.964094196.0000000007301000.00000004.00000001.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: explorer.exe, 00000017.00000000.937508363.0000000007EE6000.00000004.00000001.sdmp String found in binary or memory: http://crl.v
Source: explorer.exe, 00000017.00000002.958150774.000000000348F000.00000004.00000001.sdmp String found in binary or memory: http://ns.adoqw

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a DirectInput object (often for capturing keystrokes)
Source: arrival notice.exe, 00000000.00000002.671468135.0000000000A00000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected FormBook

System Summary:

Malicious sample detected (through community Yara rule)
Source: 5.2.arrival notice.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 5.2.arrival notice.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 5.2.arrival notice.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 5.2.arrival notice.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.arrival notice.exe.37c44c0.1.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.arrival notice.exe.37c44c0.1.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.753650396.00000000012B0000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.753650396.00000000012B0000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000E.00000002.987277254.0000000002E00000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000E.00000002.987277254.0000000002E00000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000000.712937418.000000000EC67000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000000.712937418.000000000EC67000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000E.00000002.986144684.00000000007B0000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000E.00000002.986144684.00000000007B0000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.672365867.00000000035F9000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.672365867.00000000035F9000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.672532960.00000000036F2000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.672532960.00000000036F2000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000000.699881557.000000000EC67000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000000.699881557.000000000EC67000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.752247585.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.752247585.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.753557009.0000000001280000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.753557009.0000000001280000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000E.00000002.987219865.0000000002DD0000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000E.00000002.987219865.0000000002DD0000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Initial sample is a PE file and has a suspicious name
Source: initial sample Static PE information: Filename: arrival notice.exe
.NET source code contains very large strings
Source: arrival notice.exe, Forms/mainForm.cs Long String: Length: 38272
Source: 0.0.arrival notice.exe.250000.0.unpack, Forms/mainForm.cs Long String: Length: 38272
Source: 0.2.arrival notice.exe.250000.0.unpack, Forms/mainForm.cs Long String: Length: 38272
Source: 4.2.arrival notice.exe.330000.0.unpack, Forms/mainForm.cs Long String: Length: 38272
Source: 4.0.arrival notice.exe.330000.0.unpack, Forms/mainForm.cs Long String: Length: 38272
Source: 5.2.arrival notice.exe.b50000.1.unpack, Forms/mainForm.cs Long String: Length: 38272
Source: 5.0.arrival notice.exe.b50000.0.unpack, Forms/mainForm.cs Long String: Length: 38272
Uses 32bit PE files
Source: arrival notice.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Uses Windows Living Off The Land Binaries (LOLBins)
Source: C:\Users\user\Desktop\arrival notice.exe Process created: C:\Windows\SysWOW64\cmstp.exe C:\Windows\SysWOW64\cmstp.exe
Yara signature match
Source: 5.2.arrival notice.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 5.2.arrival notice.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 5.2.arrival notice.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 5.2.arrival notice.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.arrival notice.exe.37c44c0.1.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.arrival notice.exe.37c44c0.1.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.753650396.00000000012B0000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.753650396.00000000012B0000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000E.00000002.987277254.0000000002E00000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000E.00000002.987277254.0000000002E00000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000000.712937418.000000000EC67000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000000.712937418.000000000EC67000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000E.00000002.986144684.00000000007B0000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000E.00000002.986144684.00000000007B0000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.672365867.00000000035F9000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.672365867.00000000035F9000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.672532960.00000000036F2000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.672532960.00000000036F2000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000000.699881557.000000000EC67000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000000.699881557.000000000EC67000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.752247585.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.752247585.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.753557009.0000000001280000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.753557009.0000000001280000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000E.00000002.987219865.0000000002DD0000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000E.00000002.987219865.0000000002DD0000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Detected potential crypto function
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 0_2_02442FC4 0_2_02442FC4
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 0_2_02442BF8 0_2_02442BF8
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 0_2_02443949 0_2_02443949
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 0_2_02446918 0_2_02446918
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 0_2_02443763 0_2_02443763
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 0_2_02443768 0_2_02443768
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 0_2_02442BED 0_2_02442BED
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 0_2_02440040 0_2_02440040
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 0_2_02443460 0_2_02443460
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 0_2_02443470 0_2_02443470
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 0_2_02440033 0_2_02440033
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 0_2_02440C93 0_2_02440C93
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 0_2_02440C98 0_2_02440C98
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 0_2_0244017C 0_2_0244017C
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 0_2_02440135 0_2_02440135
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 0_2_024439F1 0_2_024439F1
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 0_2_024DC124 0_2_024DC124
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 0_2_024DE562 0_2_024DE562
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 0_2_024DE570 0_2_024DE570
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 5_2_00401030 5_2_00401030
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 5_2_0041B8DB 5_2_0041B8DB
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 5_2_0041C136 5_2_0041C136
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 5_2_0041D229 5_2_0041D229
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 5_2_00408C6B 5_2_00408C6B
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 5_2_00408C70 5_2_00408C70
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 5_2_00402D87 5_2_00402D87
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 5_2_00402D90 5_2_00402D90
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 5_2_00402FB0 5_2_00402FB0
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 5_2_01614120 5_2_01614120
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 5_2_015FF900 5_2_015FF900
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 5_2_016B1002 5_2_016B1002
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 5_2_016C28EC 5_2_016C28EC
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 5_2_016220A0 5_2_016220A0
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 5_2_016C20A8 5_2_016C20A8
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 5_2_0160B090 5_2_0160B090
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 5_2_016C2B28 5_2_016C2B28
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 5_2_016BDBD2 5_2_016BDBD2
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 5_2_0162EBB0 5_2_0162EBB0
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 5_2_016C22AE 5_2_016C22AE
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 5_2_016C1D55 5_2_016C1D55
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 5_2_016C2D07 5_2_016C2D07
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 5_2_015F0D20 5_2_015F0D20
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 5_2_0160D5E0 5_2_0160D5E0
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 5_2_016C25DD 5_2_016C25DD
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 5_2_01622581 5_2_01622581
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 5_2_016BD466 5_2_016BD466
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 5_2_0160841F 5_2_0160841F
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 5_2_016C1FF1 5_2_016C1FF1
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 5_2_01616E30 5_2_01616E30
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 5_2_016C2EF7 5_2_016C2EF7
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 14_2_0498841F 14_2_0498841F
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 14_2_04A3D466 14_2_04A3D466
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 14_2_049A2581 14_2_049A2581
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 14_2_0498D5E0 14_2_0498D5E0
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 14_2_04A425DD 14_2_04A425DD
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 14_2_04A42D07 14_2_04A42D07
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 14_2_04970D20 14_2_04970D20
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 14_2_04A41D55 14_2_04A41D55
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 14_2_04A42EF7 14_2_04A42EF7
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 14_2_04996E30 14_2_04996E30
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 14_2_04A3D616 14_2_04A3D616
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 14_2_04A41FF1 14_2_04A41FF1
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 14_2_0498B090 14_2_0498B090
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 14_2_04A420A8 14_2_04A420A8
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 14_2_049A20A0 14_2_049A20A0
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 14_2_04A428EC 14_2_04A428EC
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 14_2_04A31002 14_2_04A31002
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 14_2_0497F900 14_2_0497F900
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 14_2_04994120 14_2_04994120
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 14_2_04A422AE 14_2_04A422AE
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 14_2_049AEBB0 14_2_049AEBB0
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 14_2_04A3DBD2 14_2_04A3DBD2
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 14_2_04A42B28 14_2_04A42B28
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 14_2_007CB8DB 14_2_007CB8DB
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 14_2_007CC136 14_2_007CC136
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 14_2_007CD229 14_2_007CD229
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 14_2_007B8C70 14_2_007B8C70
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 14_2_007B8C6B 14_2_007B8C6B
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 14_2_007B2D90 14_2_007B2D90
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 14_2_007B2D87 14_2_007B2D87
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 14_2_007B2FB0 14_2_007B2FB0
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\arrival notice.exe Code function: String function: 015FB150 appears 35 times
Source: C:\Windows\SysWOW64\cmstp.exe Code function: String function: 0497B150 appears 35 times
Contains functionality to call native functions
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 5_2_004185D0 NtCreateFile, 5_2_004185D0
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 5_2_00418680 NtReadFile, 5_2_00418680
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 5_2_00418700 NtClose, 5_2_00418700
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 5_2_004187B0 NtAllocateVirtualMemory, 5_2_004187B0
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 5_2_004185CA NtCreateFile, 5_2_004185CA
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 5_2_0041867C NtReadFile, 5_2_0041867C
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 5_2_004186FB NtClose, 5_2_004186FB
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 5_2_004187AC NtAllocateVirtualMemory, 5_2_004187AC
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 5_2_01639910 NtAdjustPrivilegesToken,LdrInitializeThunk, 5_2_01639910
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 5_2_016399A0 NtCreateSection,LdrInitializeThunk, 5_2_016399A0
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 5_2_01639860 NtQuerySystemInformation,LdrInitializeThunk, 5_2_01639860
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 5_2_01639840 NtDelayExecution,LdrInitializeThunk, 5_2_01639840
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 5_2_016398F0 NtReadVirtualMemory,LdrInitializeThunk, 5_2_016398F0
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 5_2_01639A50 NtCreateFile,LdrInitializeThunk, 5_2_01639A50
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 5_2_01639A20 NtResumeThread,LdrInitializeThunk, 5_2_01639A20
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 5_2_01639A00 NtProtectVirtualMemory,LdrInitializeThunk, 5_2_01639A00
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 5_2_01639540 NtReadFile,LdrInitializeThunk, 5_2_01639540
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 5_2_016395D0 NtClose,LdrInitializeThunk, 5_2_016395D0
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 5_2_01639710 NtQueryInformationToken,LdrInitializeThunk, 5_2_01639710
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 5_2_01639FE0 NtCreateMutant,LdrInitializeThunk, 5_2_01639FE0
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 5_2_016397A0 NtUnmapViewOfSection,LdrInitializeThunk, 5_2_016397A0
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 5_2_01639780 NtMapViewOfSection,LdrInitializeThunk, 5_2_01639780
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 5_2_01639660 NtAllocateVirtualMemory,LdrInitializeThunk, 5_2_01639660
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 5_2_016396E0 NtFreeVirtualMemory,LdrInitializeThunk, 5_2_016396E0
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 5_2_01639950 NtQueueApcThread, 5_2_01639950
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 5_2_016399D0 NtCreateProcessEx, 5_2_016399D0
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 5_2_0163B040 NtSuspendThread, 5_2_0163B040
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 5_2_01639820 NtEnumerateKey, 5_2_01639820
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 5_2_016398A0 NtWriteVirtualMemory, 5_2_016398A0
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 5_2_01639B00 NtSetValueKey, 5_2_01639B00
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 5_2_0163A3B0 NtGetContextThread, 5_2_0163A3B0
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 5_2_01639A10 NtQuerySection, 5_2_01639A10
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 5_2_01639A80 NtOpenDirectoryObject, 5_2_01639A80
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 5_2_01639560 NtWriteFile, 5_2_01639560
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 5_2_01639520 NtWaitForSingleObject, 5_2_01639520
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 5_2_0163AD30 NtSetContextThread, 5_2_0163AD30
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 5_2_016395F0 NtQueryInformationFile, 5_2_016395F0
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 5_2_01639760 NtOpenProcess, 5_2_01639760
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 5_2_0163A770 NtOpenThread, 5_2_0163A770
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 5_2_01639770 NtSetInformationFile, 5_2_01639770
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 5_2_01639730 NtQueryVirtualMemory, 5_2_01639730
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 5_2_0163A710 NtOpenProcessToken, 5_2_0163A710
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 5_2_01639670 NtQueryInformationProcess, 5_2_01639670
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 5_2_01639650 NtQueryValueKey, 5_2_01639650
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 5_2_01639610 NtEnumerateValueKey, 5_2_01639610
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 5_2_016396D0 NtCreateKey, 5_2_016396D0
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 14_2_049B95D0 NtClose,LdrInitializeThunk, 14_2_049B95D0
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 14_2_049B9540 NtReadFile,LdrInitializeThunk, 14_2_049B9540
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 14_2_049B96D0 NtCreateKey,LdrInitializeThunk, 14_2_049B96D0
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 14_2_049B96E0 NtFreeVirtualMemory,LdrInitializeThunk, 14_2_049B96E0
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 14_2_049B9650 NtQueryValueKey,LdrInitializeThunk, 14_2_049B9650
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 14_2_049B9660 NtAllocateVirtualMemory,LdrInitializeThunk, 14_2_049B9660
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 14_2_049B9780 NtMapViewOfSection,LdrInitializeThunk, 14_2_049B9780
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 14_2_049B9FE0 NtCreateMutant,LdrInitializeThunk, 14_2_049B9FE0
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 14_2_049B9710 NtQueryInformationToken,LdrInitializeThunk, 14_2_049B9710
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 14_2_049B9840 NtDelayExecution,LdrInitializeThunk, 14_2_049B9840
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 14_2_049B9860 NtQuerySystemInformation,LdrInitializeThunk, 14_2_049B9860
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 14_2_049B99A0 NtCreateSection,LdrInitializeThunk, 14_2_049B99A0
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 14_2_049B9910 NtAdjustPrivilegesToken,LdrInitializeThunk, 14_2_049B9910
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 14_2_049B9A50 NtCreateFile,LdrInitializeThunk, 14_2_049B9A50
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 14_2_049B95F0 NtQueryInformationFile, 14_2_049B95F0
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 14_2_049BAD30 NtSetContextThread, 14_2_049BAD30
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 14_2_049B9520 NtWaitForSingleObject, 14_2_049B9520
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 14_2_049B9560 NtWriteFile, 14_2_049B9560
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 14_2_049B9610 NtEnumerateValueKey, 14_2_049B9610
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 14_2_049B9670 NtQueryInformationProcess, 14_2_049B9670
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 14_2_049B97A0 NtUnmapViewOfSection, 14_2_049B97A0
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 14_2_049BA710 NtOpenProcessToken, 14_2_049BA710
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 14_2_049B9730 NtQueryVirtualMemory, 14_2_049B9730
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 14_2_049BA770 NtOpenThread, 14_2_049BA770
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 14_2_049B9770 NtSetInformationFile, 14_2_049B9770
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 14_2_049B9760 NtOpenProcess, 14_2_049B9760
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 14_2_049B98A0 NtWriteVirtualMemory, 14_2_049B98A0
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 14_2_049B98F0 NtReadVirtualMemory, 14_2_049B98F0
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 14_2_049B9820 NtEnumerateKey, 14_2_049B9820
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 14_2_049BB040 NtSuspendThread, 14_2_049BB040
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 14_2_049B99D0 NtCreateProcessEx, 14_2_049B99D0
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 14_2_049B9950 NtQueueApcThread, 14_2_049B9950
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 14_2_049B9A80 NtOpenDirectoryObject, 14_2_049B9A80
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 14_2_049B9A10 NtQuerySection, 14_2_049B9A10
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 14_2_049B9A00 NtProtectVirtualMemory, 14_2_049B9A00
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 14_2_049B9A20 NtResumeThread, 14_2_049B9A20
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 14_2_049BA3B0 NtGetContextThread, 14_2_049BA3B0
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 14_2_049B9B00 NtSetValueKey, 14_2_049B9B00
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 14_2_007C85D0 NtCreateFile, 14_2_007C85D0
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 14_2_007C8680 NtReadFile, 14_2_007C8680
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 14_2_007C8700 NtClose, 14_2_007C8700
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 14_2_007C87B0 NtAllocateVirtualMemory, 14_2_007C87B0
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 14_2_007C85CA NtCreateFile, 14_2_007C85CA
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 14_2_007C867C NtReadFile, 14_2_007C867C
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 14_2_007C86FB NtClose, 14_2_007C86FB
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 14_2_007C87AC NtAllocateVirtualMemory, 14_2_007C87AC
Abnormal high CPU Usage
Source: C:\Windows\explorer.exe Process Stats: CPU usage > 98%
Sample file is different than original file name gathered from version info
Source: arrival notice.exe, 00000000.00000002.671032767.0000000000311000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameFileSystemAccessRu.exe4 vs arrival notice.exe
Source: arrival notice.exe, 00000000.00000002.672532960.00000000036F2000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameCF_Secretaria.dll< vs arrival notice.exe
Source: arrival notice.exe, 00000000.00000002.671468135.0000000000A00000.00000004.00000020.sdmp Binary or memory string: OriginalFilenameclr.dllT vs arrival notice.exe
Source: arrival notice.exe, 00000004.00000002.669288896.00000000003F1000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameFileSystemAccessRu.exe4 vs arrival notice.exe
Source: arrival notice.exe, 00000005.00000002.753082192.0000000000C11000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameFileSystemAccessRu.exe4 vs arrival notice.exe
Source: arrival notice.exe, 00000005.00000003.750476475.0000000001341000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameCMSTP.EXE` vs arrival notice.exe
Source: arrival notice.exe, 00000005.00000002.754621837.000000000187F000.00000040.00000001.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs arrival notice.exe
Source: arrival notice.exe Binary or memory string: OriginalFilenameFileSystemAccessRu.exe4 vs arrival notice.exe
Tries to load missing DLLs
Source: C:\Windows\explorer.exe Section loaded: explorerframe.dll
Source: arrival notice.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: arrival notice.exe Virustotal: Detection: 29%
Source: arrival notice.exe ReversingLabs: Detection: 25%
Source: arrival notice.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\arrival notice.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\arrival notice.exe 'C:\Users\user\Desktop\arrival notice.exe'
Source: C:\Users\user\Desktop\arrival notice.exe Process created: C:\Users\user\Desktop\arrival notice.exe C:\Users\user\Desktop\arrival notice.exe
Source: C:\Users\user\Desktop\arrival notice.exe Process created: C:\Users\user\Desktop\arrival notice.exe C:\Users\user\Desktop\arrival notice.exe
Source: C:\Users\user\Desktop\arrival notice.exe Process created: C:\Windows\SysWOW64\cmstp.exe C:\Windows\SysWOW64\cmstp.exe
Source: C:\Windows\SysWOW64\cmstp.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\arrival notice.exe'
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmstp.exe Process created: C:\Windows\explorer.exe 'C:\Windows\explorer.exe' /LOADSAVEDWINDOWS
Source: C:\Users\user\Desktop\arrival notice.exe Process created: C:\Users\user\Desktop\arrival notice.exe C:\Users\user\Desktop\arrival notice.exe
Source: C:\Users\user\Desktop\arrival notice.exe Process created: C:\Users\user\Desktop\arrival notice.exe C:\Users\user\Desktop\arrival notice.exe
Source: C:\Users\user\Desktop\arrival notice.exe Process created: C:\Windows\SysWOW64\cmstp.exe C:\Windows\SysWOW64\cmstp.exe
Source: C:\Windows\SysWOW64\cmstp.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\arrival notice.exe'
Source: C:\Windows\explorer.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{660b90c8-73a9-4b58-8cae-355b7f55341b}\InProcServer32
Source: C:\Users\user\Desktop\arrival notice.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\arrival notice.exe.log
Source: classification engine Classification label: mal100.troj.evad.winEXE@11/1@0/0
Source: C:\Windows\explorer.exe File read: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Users\user\Desktop\arrival notice.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1260:120:WilError_01
Source: C:\Users\user\Desktop\arrival notice.exe Mutant created: \Sessions\1\BaseNamedObjects\RmVhorZfszBwlBtnIDjIbw
Source: C:\Windows\SysWOW64\cmstp.exe Process created: C:\Windows\explorer.exe
Source: arrival notice.exe, Forms/mainForm.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 0.0.arrival notice.exe.250000.0.unpack, Forms/mainForm.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 0.2.arrival notice.exe.250000.0.unpack, Forms/mainForm.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 4.2.arrival notice.exe.330000.0.unpack, Forms/mainForm.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 4.0.arrival notice.exe.330000.0.unpack, Forms/mainForm.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 5.2.arrival notice.exe.b50000.1.unpack, Forms/mainForm.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\arrival notice.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: arrival notice.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: arrival notice.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: arrival notice.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: cmstp.pdbGCTL source: arrival notice.exe, 00000005.00000003.750476475.0000000001341000.00000004.00000001.sdmp
Source: Binary string: \Registry\Machine\Software\Classes\SystemFileAssociations\.pdbsqrstuvwxyz{|}~ source: explorer.exe, 00000017.00000003.920395188.0000000007E54000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdbUGP source: arrival notice.exe, 00000005.00000002.753977107.00000000015D0000.00000040.00000001.sdmp, cmstp.exe, 0000000E.00000002.988607183.0000000004A6F000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: arrival notice.exe, cmstp.exe
Source: Binary string: cmstp.pdb source: arrival notice.exe, 00000005.00000003.750476475.0000000001341000.00000004.00000001.sdmp

Data Obfuscation:

.NET source code contains potential unpacker
Source: arrival notice.exe, Forms/mainForm.cs .Net Code: _X_X0FT_FT2 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.0.arrival notice.exe.250000.0.unpack, Forms/mainForm.cs .Net Code: _X_X0FT_FT2 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.2.arrival notice.exe.250000.0.unpack, Forms/mainForm.cs .Net Code: _X_X0FT_FT2 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 4.2.arrival notice.exe.330000.0.unpack, Forms/mainForm.cs .Net Code: _X_X0FT_FT2 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 4.0.arrival notice.exe.330000.0.unpack, Forms/mainForm.cs .Net Code: _X_X0FT_FT2 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 5.2.arrival notice.exe.b50000.1.unpack, Forms/mainForm.cs .Net Code: _X_X0FT_FT2 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 5.0.arrival notice.exe.b50000.0.unpack, Forms/mainForm.cs .Net Code: _X_X0FT_FT2 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 0_2_02440BCE push eax; ret 0_2_02440BCF
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 0_2_0244095D push cs; ret 0_2_0244095F
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 0_2_024DF932 push esp; iretd 0_2_024DF939
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 5_2_0041B87C push eax; ret 5_2_0041B882
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 5_2_0041B812 push eax; ret 5_2_0041B818
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 5_2_0041B81B push eax; ret 5_2_0041B882
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 5_2_00412A95 pushfd ; retf 5_2_00412A96
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 5_2_00415BB5 push eax; retf 5_2_00415BBB
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 5_2_004186CA push edx; retn 0076h 5_2_004186CB
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 5_2_0040169B push es; iretd 5_2_0040169D
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 5_2_00414EA9 push es; ret 5_2_00414EAB
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 5_2_0041B7C5 push eax; ret 5_2_0041B818
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 5_2_0164D0D1 push ecx; ret 5_2_0164D0E4
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 14_2_049CD0D1 push ecx; ret 14_2_049CD0E4
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 14_2_007CB87C push eax; ret 14_2_007CB882
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 14_2_007CB81B push eax; ret 14_2_007CB882
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 14_2_007CB812 push eax; ret 14_2_007CB818
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 14_2_007C2A95 pushfd ; retf 14_2_007C2A96
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 14_2_007C5BB5 push eax; retf 14_2_007C5BBB
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 14_2_007C86CA push edx; retn 0076h 14_2_007C86CB
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 14_2_007C4EA9 push es; ret 14_2_007C4EAB
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 14_2_007B169B push es; iretd 14_2_007B169D
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 14_2_007CB7C5 push eax; ret 14_2_007CB818
Binary contains a suspicious time stamp
Source: arrival notice.exe Static PE information: 0xD983B25D [Wed Aug 22 02:45:49 2085 UTC]
Source: initial sample Static PE information: section name: .text entropy: 7.21116196113

Hooking and other Techniques for Hiding and Protection:

Self deletion via cmd delete
Source: C:\Windows\SysWOW64\cmstp.exe Process created: /c del 'C:\Users\user\Desktop\arrival notice.exe'
Source: C:\Windows\SysWOW64\cmstp.exe Process created: /c del 'C:\Users\user\Desktop\arrival notice.exe'
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Windows\explorer.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\Desktop\arrival notice.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\arrival notice.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\arrival notice.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\arrival notice.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\arrival notice.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\arrival notice.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\arrival notice.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\arrival notice.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\arrival notice.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\arrival notice.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\arrival notice.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\arrival notice.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\arrival notice.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\arrival notice.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\arrival notice.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\arrival notice.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\arrival notice.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\arrival notice.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\arrival notice.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\arrival notice.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\arrival notice.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\arrival notice.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\arrival notice.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\arrival notice.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\arrival notice.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\arrival notice.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\arrival notice.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\arrival notice.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\arrival notice.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\arrival notice.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\arrival notice.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\arrival notice.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\arrival notice.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmstp.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Yara detected AntiVM3
Source: Yara match File source: 00000000.00000002.672048372.00000000025F1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: arrival notice.exe PID: 6556, type: MEMORYSTR
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: arrival notice.exe, 00000000.00000002.672048372.00000000025F1000.00000004.00000001.sdmp Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: arrival notice.exe, 00000000.00000002.672048372.00000000025F1000.00000004.00000001.sdmp Binary or memory string: SBIEDLL.DLL
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\arrival notice.exe RDTSC instruction interceptor: First address: 00000000004085F4 second address: 00000000004085FA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\arrival notice.exe RDTSC instruction interceptor: First address: 000000000040898E second address: 0000000000408994 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\cmstp.exe RDTSC instruction interceptor: First address: 00000000007B85F4 second address: 00000000007B85FA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\cmstp.exe RDTSC instruction interceptor: First address: 00000000007B898E second address: 00000000007B8994 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\arrival notice.exe TID: 408 Thread sleep time: -34495s >= -30000s
Source: C:\Users\user\Desktop\arrival notice.exe TID: 6048 Thread sleep time: -922337203685477s >= -30000s
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 5_2_004088C0 rdtsc 5_2_004088C0
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\arrival notice.exe Thread delayed: delay time: 922337203685477
Contains capabilities to detect virtual machines
Source: C:\Windows\explorer.exe File opened / queried: SCSI#Disk&Ven_VMware&Prod_Virtual_disk#5&1ec51bf7&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: C:\Users\user\Desktop\arrival notice.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\arrival notice.exe Thread delayed: delay time: 34495
Source: C:\Users\user\Desktop\arrival notice.exe Thread delayed: delay time: 922337203685477
Source: explorer.exe, 00000017.00000000.936563895.0000000007DC6000.00000004.00000001.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: explorer.exe, 00000017.00000000.935429236.0000000007C8C000.00000004.00000001.sdmp Binary or memory string: VMware SATA CD00dRom0
Source: explorer.exe, 00000017.00000002.978731366.0000000010C80000.00000004.00000001.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: arrival notice.exe, 00000000.00000002.672048372.00000000025F1000.00000004.00000001.sdmp Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: explorer.exe, 00000006.00000000.697420081.000000000A60E000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: arrival notice.exe, 00000000.00000002.672048372.00000000025F1000.00000004.00000001.sdmp Binary or memory string: VMWARE
Source: explorer.exe, 00000017.00000002.971257205.0000000007E9A000.00000004.00000001.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
Source: arrival notice.exe, 00000000.00000002.672048372.00000000025F1000.00000004.00000001.sdmp Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: arrival notice.exe, 00000000.00000002.672048372.00000000025F1000.00000004.00000001.sdmp Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
Source: arrival notice.exe, 00000000.00000002.672048372.00000000025F1000.00000004.00000001.sdmp Binary or memory string: vmware
Source: explorer.exe, 00000017.00000003.920700975.0000000007F6A000.00000004.00000001.sdmp Binary or memory string: NECVMWarVMware SATA CD001.00
Source: arrival notice.exe, 00000000.00000002.672048372.00000000025F1000.00000004.00000001.sdmp Binary or memory string: VMware SVGA II
Source: arrival notice.exe, 00000000.00000002.672048372.00000000025F1000.00000004.00000001.sdmp Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: arrival notice.exe, 00000000.00000002.672048372.00000000025F1000.00000004.00000001.sdmp Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: explorer.exe, 00000006.00000000.695643302.0000000006650000.00000004.00000001.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000017.00000002.956628054.00000000013D9000.00000004.00000020.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000

Anti Debugging:

Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 5_2_004088C0 rdtsc 5_2_004088C0
Enables debug privileges
Source: C:\Users\user\Desktop\arrival notice.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\cmstp.exe Process token adjusted: Debug
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 5_2_0161B944 mov eax, dword ptr fs:[00000030h] 5_2_0161B944
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 5_2_015FB171 mov eax, dword ptr fs:[00000030h] 5_2_015FB171
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 5_2_015FC962 mov eax, dword ptr fs:[00000030h] 5_2_015FC962
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 5_2_01614120 mov eax, dword ptr fs:[00000030h] 5_2_01614120
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 5_2_01614120 mov ecx, dword ptr fs:[00000030h] 5_2_01614120
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 5_2_0162513A mov eax, dword ptr fs:[00000030h] 5_2_0162513A
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 5_2_015F9100 mov eax, dword ptr fs:[00000030h] 5_2_015F9100
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 5_2_016841E8 mov eax, dword ptr fs:[00000030h] 5_2_016841E8
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 5_2_015FB1E1 mov eax, dword ptr fs:[00000030h] 5_2_015FB1E1
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 5_2_016769A6 mov eax, dword ptr fs:[00000030h] 5_2_016769A6
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 5_2_016261A0 mov eax, dword ptr fs:[00000030h] 5_2_016261A0
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 5_2_016751BE mov eax, dword ptr fs:[00000030h] 5_2_016751BE
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 5_2_0161C182 mov eax, dword ptr fs:[00000030h] 5_2_0161C182
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 5_2_0162A185 mov eax, dword ptr fs:[00000030h] 5_2_0162A185
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 5_2_01622990 mov eax, dword ptr fs:[00000030h] 5_2_01622990
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 5_2_016B2073 mov eax, dword ptr fs:[00000030h] 5_2_016B2073
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 5_2_016C1074 mov eax, dword ptr fs:[00000030h] 5_2_016C1074
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 5_2_01610050 mov eax, dword ptr fs:[00000030h] 5_2_01610050
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 5_2_0160B02A mov eax, dword ptr fs:[00000030h] 5_2_0160B02A
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 5_2_0162002D mov eax, dword ptr fs:[00000030h] 5_2_0162002D
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 5_2_01677016 mov eax, dword ptr fs:[00000030h] 5_2_01677016
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 5_2_016C4015 mov eax, dword ptr fs:[00000030h] 5_2_016C4015
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 5_2_015F58EC mov eax, dword ptr fs:[00000030h] 5_2_015F58EC
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 5_2_0168B8D0 mov eax, dword ptr fs:[00000030h] 5_2_0168B8D0
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 5_2_0168B8D0 mov ecx, dword ptr fs:[00000030h] 5_2_0168B8D0
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 5_2_016220A0 mov eax, dword ptr fs:[00000030h] 5_2_016220A0
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 5_2_016390AF mov eax, dword ptr fs:[00000030h] 5_2_016390AF
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 5_2_0162F0BF mov ecx, dword ptr fs:[00000030h] 5_2_0162F0BF
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 5_2_0162F0BF mov eax, dword ptr fs:[00000030h] 5_2_0162F0BF
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 5_2_0162F0BF mov eax, dword ptr fs:[00000030h] 5_2_0162F0BF
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 5_2_015F9080 mov eax, dword ptr fs:[00000030h] 5_2_015F9080
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 5_2_01673884 mov eax, dword ptr fs:[00000030h] 5_2_01673884
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 5_2_01673884 mov eax, dword ptr fs:[00000030h] 5_2_01673884
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 5_2_015FF358 mov eax, dword ptr fs:[00000030h] 5_2_015FF358
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 5_2_01623B7A mov eax, dword ptr fs:[00000030h] 5_2_01623B7A
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 5_2_01623B7A mov eax, dword ptr fs:[00000030h] 5_2_01623B7A
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 5_2_015FDB40 mov eax, dword ptr fs:[00000030h] 5_2_015FDB40
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 5_2_016C8B58 mov eax, dword ptr fs:[00000030h] 5_2_016C8B58
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 5_2_015FDB60 mov ecx, dword ptr fs:[00000030h] 5_2_015FDB60
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 5_2_016B131B mov eax, dword ptr fs:[00000030h] 5_2_016B131B
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 5_2_016203E2 mov eax, dword ptr fs:[00000030h] 5_2_016203E2
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 5_2_016203E2 mov eax, dword ptr fs:[00000030h] 5_2_016203E2
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 5_2_016203E2 mov eax, dword ptr fs:[00000030h] 5_2_016203E2
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 5_2_016203E2 mov eax, dword ptr fs:[00000030h] 5_2_016203E2
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 5_2_016203E2 mov eax, dword ptr fs:[00000030h] 5_2_016203E2
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 5_2_016203E2 mov eax, dword ptr fs:[00000030h] 5_2_016203E2
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 5_2_0161DBE9 mov eax, dword ptr fs:[00000030h] 5_2_0161DBE9
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 5_2_016753CA mov eax, dword ptr fs:[00000030h] 5_2_016753CA
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 5_2_016753CA mov eax, dword ptr fs:[00000030h] 5_2_016753CA
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 5_2_016C5BA5 mov eax, dword ptr fs:[00000030h] 5_2_016C5BA5
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 5_2_01624BAD mov eax, dword ptr fs:[00000030h] 5_2_01624BAD
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 5_2_01624BAD mov eax, dword ptr fs:[00000030h] 5_2_01624BAD
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 5_2_01624BAD mov eax, dword ptr fs:[00000030h] 5_2_01624BAD
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 5_2_016B138A mov eax, dword ptr fs:[00000030h] 5_2_016B138A
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 5_2_016AD380 mov ecx, dword ptr fs:[00000030h] 5_2_016AD380
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 5_2_01601B8F mov eax, dword ptr fs:[00000030h] 5_2_01601B8F
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 5_2_01601B8F mov eax, dword ptr fs:[00000030h] 5_2_01601B8F
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 5_2_0162B390 mov eax, dword ptr fs:[00000030h] 5_2_0162B390
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 5_2_01622397 mov eax, dword ptr fs:[00000030h] 5_2_01622397
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 5_2_016AB260 mov eax, dword ptr fs:[00000030h] 5_2_016AB260
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 5_2_016AB260 mov eax, dword ptr fs:[00000030h] 5_2_016AB260
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 5_2_016C8A62 mov eax, dword ptr fs:[00000030h] 5_2_016C8A62
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 5_2_0163927A mov eax, dword ptr fs:[00000030h] 5_2_0163927A
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 5_2_015F9240 mov eax, dword ptr fs:[00000030h] 5_2_015F9240
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 5_2_015F9240 mov eax, dword ptr fs:[00000030h] 5_2_015F9240
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 5_2_015F9240 mov eax, dword ptr fs:[00000030h] 5_2_015F9240
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 5_2_015F9240 mov eax, dword ptr fs:[00000030h] 5_2_015F9240
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 5_2_016BEA55 mov eax, dword ptr fs:[00000030h] 5_2_016BEA55
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 5_2_01684257 mov eax, dword ptr fs:[00000030h] 5_2_01684257
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 5_2_015FAA16 mov eax, dword ptr fs:[00000030h] 5_2_015FAA16
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 5_2_015FAA16 mov eax, dword ptr fs:[00000030h] 5_2_015FAA16
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 5_2_01634A2C mov eax, dword ptr fs:[00000030h] 5_2_01634A2C
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 5_2_01634A2C mov eax, dword ptr fs:[00000030h] 5_2_01634A2C
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 5_2_015F5210 mov eax, dword ptr fs:[00000030h] 5_2_015F5210
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 5_2_015F5210 mov ecx, dword ptr fs:[00000030h] 5_2_015F5210
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 5_2_015F5210 mov eax, dword ptr fs:[00000030h] 5_2_015F5210
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 5_2_015F5210 mov eax, dword ptr fs:[00000030h] 5_2_015F5210
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 5_2_01608A0A mov eax, dword ptr fs:[00000030h] 5_2_01608A0A
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 5_2_01613A1C mov eax, dword ptr fs:[00000030h] 5_2_01613A1C
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 5_2_01622AE4 mov eax, dword ptr fs:[00000030h] 5_2_01622AE4
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 5_2_01622ACB mov eax, dword ptr fs:[00000030h] 5_2_01622ACB
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 5_2_0160AAB0 mov eax, dword ptr fs:[00000030h] 5_2_0160AAB0
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 5_2_0160AAB0 mov eax, dword ptr fs:[00000030h] 5_2_0160AAB0
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 5_2_0162FAB0 mov eax, dword ptr fs:[00000030h] 5_2_0162FAB0
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 5_2_0162D294 mov eax, dword ptr fs:[00000030h] 5_2_0162D294
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 5_2_0162D294 mov eax, dword ptr fs:[00000030h] 5_2_0162D294
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 5_2_015F52A5 mov eax, dword ptr fs:[00000030h] 5_2_015F52A5
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 5_2_015F52A5 mov eax, dword ptr fs:[00000030h] 5_2_015F52A5
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 5_2_015F52A5 mov eax, dword ptr fs:[00000030h] 5_2_015F52A5
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 5_2_015F52A5 mov eax, dword ptr fs:[00000030h] 5_2_015F52A5
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 5_2_015F52A5 mov eax, dword ptr fs:[00000030h] 5_2_015F52A5
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 5_2_0161C577 mov eax, dword ptr fs:[00000030h] 5_2_0161C577
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 5_2_0161C577 mov eax, dword ptr fs:[00000030h] 5_2_0161C577
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 5_2_01633D43 mov eax, dword ptr fs:[00000030h] 5_2_01633D43
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 5_2_01673540 mov eax, dword ptr fs:[00000030h] 5_2_01673540
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 5_2_01617D50 mov eax, dword ptr fs:[00000030h] 5_2_01617D50
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 5_2_0167A537 mov eax, dword ptr fs:[00000030h] 5_2_0167A537
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 5_2_016BE539 mov eax, dword ptr fs:[00000030h] 5_2_016BE539
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 5_2_01603D34 mov eax, dword ptr fs:[00000030h] 5_2_01603D34
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 5_2_01603D34 mov eax, dword ptr fs:[00000030h] 5_2_01603D34
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 5_2_01603D34 mov eax, dword ptr fs:[00000030h] 5_2_01603D34
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 5_2_01603D34 mov eax, dword ptr fs:[00000030h] 5_2_01603D34
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 5_2_01603D34 mov eax, dword ptr fs:[00000030h] 5_2_01603D34
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 5_2_01603D34 mov eax, dword ptr fs:[00000030h] 5_2_01603D34
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 5_2_01603D34 mov eax, dword ptr fs:[00000030h] 5_2_01603D34
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 5_2_01603D34 mov eax, dword ptr fs:[00000030h] 5_2_01603D34
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 5_2_01603D34 mov eax, dword ptr fs:[00000030h] 5_2_01603D34
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 5_2_01603D34 mov eax, dword ptr fs:[00000030h] 5_2_01603D34
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 5_2_01603D34 mov eax, dword ptr fs:[00000030h] 5_2_01603D34
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 5_2_01603D34 mov eax, dword ptr fs:[00000030h] 5_2_01603D34
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 5_2_01603D34 mov eax, dword ptr fs:[00000030h] 5_2_01603D34
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 5_2_016C8D34 mov eax, dword ptr fs:[00000030h] 5_2_016C8D34
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 5_2_01624D3B mov eax, dword ptr fs:[00000030h] 5_2_01624D3B
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 5_2_01624D3B mov eax, dword ptr fs:[00000030h] 5_2_01624D3B
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 5_2_01624D3B mov eax, dword ptr fs:[00000030h] 5_2_01624D3B
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 5_2_015FAD30 mov eax, dword ptr fs:[00000030h] 5_2_015FAD30
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 5_2_0160D5E0 mov eax, dword ptr fs:[00000030h] 5_2_0160D5E0
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 5_2_0160D5E0 mov eax, dword ptr fs:[00000030h] 5_2_0160D5E0
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 5_2_016BFDE2 mov eax, dword ptr fs:[00000030h] 5_2_016BFDE2
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 5_2_016BFDE2 mov eax, dword ptr fs:[00000030h] 5_2_016BFDE2
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 5_2_016BFDE2 mov eax, dword ptr fs:[00000030h] 5_2_016BFDE2
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 5_2_016BFDE2 mov eax, dword ptr fs:[00000030h] 5_2_016BFDE2
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 5_2_016A8DF1 mov eax, dword ptr fs:[00000030h] 5_2_016A8DF1
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 5_2_01676DC9 mov eax, dword ptr fs:[00000030h] 5_2_01676DC9
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 5_2_01676DC9 mov eax, dword ptr fs:[00000030h] 5_2_01676DC9
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 5_2_01676DC9 mov eax, dword ptr fs:[00000030h] 5_2_01676DC9
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 5_2_01676DC9 mov ecx, dword ptr fs:[00000030h] 5_2_01676DC9
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 5_2_01676DC9 mov eax, dword ptr fs:[00000030h] 5_2_01676DC9
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 5_2_01676DC9 mov eax, dword ptr fs:[00000030h] 5_2_01676DC9
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 5_2_016C05AC mov eax, dword ptr fs:[00000030h] 5_2_016C05AC
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 5_2_016C05AC mov eax, dword ptr fs:[00000030h] 5_2_016C05AC
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 5_2_016235A1 mov eax, dword ptr fs:[00000030h] 5_2_016235A1
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 5_2_015F2D8A mov eax, dword ptr fs:[00000030h] 5_2_015F2D8A
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 5_2_015F2D8A mov eax, dword ptr fs:[00000030h] 5_2_015F2D8A
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 5_2_015F2D8A mov eax, dword ptr fs:[00000030h] 5_2_015F2D8A
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 5_2_015F2D8A mov eax, dword ptr fs:[00000030h] 5_2_015F2D8A
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 5_2_015F2D8A mov eax, dword ptr fs:[00000030h] 5_2_015F2D8A
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 5_2_01621DB5 mov eax, dword ptr fs:[00000030h] 5_2_01621DB5
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 5_2_01621DB5 mov eax, dword ptr fs:[00000030h] 5_2_01621DB5
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 5_2_01621DB5 mov eax, dword ptr fs:[00000030h] 5_2_01621DB5
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 5_2_01622581 mov eax, dword ptr fs:[00000030h] 5_2_01622581
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 5_2_01622581 mov eax, dword ptr fs:[00000030h] 5_2_01622581
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 5_2_01622581 mov eax, dword ptr fs:[00000030h] 5_2_01622581
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 5_2_01622581 mov eax, dword ptr fs:[00000030h] 5_2_01622581
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 5_2_0162FD9B mov eax, dword ptr fs:[00000030h] 5_2_0162FD9B
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 5_2_0162FD9B mov eax, dword ptr fs:[00000030h] 5_2_0162FD9B
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 5_2_0161746D mov eax, dword ptr fs:[00000030h] 5_2_0161746D
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 5_2_0162A44B mov eax, dword ptr fs:[00000030h] 5_2_0162A44B
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 5_2_0168C450 mov eax, dword ptr fs:[00000030h] 5_2_0168C450
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 5_2_0168C450 mov eax, dword ptr fs:[00000030h] 5_2_0168C450
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 5_2_0162BC2C mov eax, dword ptr fs:[00000030h] 5_2_0162BC2C
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 5_2_016C740D mov eax, dword ptr fs:[00000030h] 5_2_016C740D
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 5_2_016C740D mov eax, dword ptr fs:[00000030h] 5_2_016C740D
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 5_2_016C740D mov eax, dword ptr fs:[00000030h] 5_2_016C740D
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 5_2_016B1C06 mov eax, dword ptr fs:[00000030h] 5_2_016B1C06
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 5_2_016B1C06 mov eax, dword ptr fs:[00000030h] 5_2_016B1C06
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 5_2_016B1C06 mov eax, dword ptr fs:[00000030h] 5_2_016B1C06
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 5_2_016B1C06 mov eax, dword ptr fs:[00000030h] 5_2_016B1C06
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 5_2_016B1C06 mov eax, dword ptr fs:[00000030h] 5_2_016B1C06
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 5_2_016B1C06 mov eax, dword ptr fs:[00000030h] 5_2_016B1C06
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 5_2_016B1C06 mov eax, dword ptr fs:[00000030h] 5_2_016B1C06
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 5_2_016B1C06 mov eax, dword ptr fs:[00000030h] 5_2_016B1C06
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 5_2_016B1C06 mov eax, dword ptr fs:[00000030h] 5_2_016B1C06
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 5_2_016B1C06 mov eax, dword ptr fs:[00000030h] 5_2_016B1C06
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 5_2_016B1C06 mov eax, dword ptr fs:[00000030h] 5_2_016B1C06
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 5_2_016B1C06 mov eax, dword ptr fs:[00000030h] 5_2_016B1C06
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 5_2_016B1C06 mov eax, dword ptr fs:[00000030h] 5_2_016B1C06
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 5_2_016B1C06 mov eax, dword ptr fs:[00000030h] 5_2_016B1C06
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 5_2_01676C0A mov eax, dword ptr fs:[00000030h] 5_2_01676C0A
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 5_2_01676C0A mov eax, dword ptr fs:[00000030h] 5_2_01676C0A
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 5_2_01676C0A mov eax, dword ptr fs:[00000030h] 5_2_01676C0A
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 5_2_01676C0A mov eax, dword ptr fs:[00000030h] 5_2_01676C0A
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 5_2_016B14FB mov eax, dword ptr fs:[00000030h] 5_2_016B14FB
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 5_2_01676CF0 mov eax, dword ptr fs:[00000030h] 5_2_01676CF0
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 5_2_01676CF0 mov eax, dword ptr fs:[00000030h] 5_2_01676CF0
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 5_2_01676CF0 mov eax, dword ptr fs:[00000030h] 5_2_01676CF0
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 5_2_016C8CD6 mov eax, dword ptr fs:[00000030h] 5_2_016C8CD6
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 5_2_0160849B mov eax, dword ptr fs:[00000030h] 5_2_0160849B
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 5_2_0160FF60 mov eax, dword ptr fs:[00000030h] 5_2_0160FF60
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 5_2_016C8F6A mov eax, dword ptr fs:[00000030h] 5_2_016C8F6A
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 5_2_0160EF40 mov eax, dword ptr fs:[00000030h] 5_2_0160EF40
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 5_2_0162E730 mov eax, dword ptr fs:[00000030h] 5_2_0162E730
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 5_2_016C070D mov eax, dword ptr fs:[00000030h] 5_2_016C070D
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 5_2_016C070D mov eax, dword ptr fs:[00000030h] 5_2_016C070D
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 5_2_0162A70E mov eax, dword ptr fs:[00000030h] 5_2_0162A70E
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 5_2_0162A70E mov eax, dword ptr fs:[00000030h] 5_2_0162A70E
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 5_2_015F4F2E mov eax, dword ptr fs:[00000030h] 5_2_015F4F2E
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 5_2_015F4F2E mov eax, dword ptr fs:[00000030h] 5_2_015F4F2E
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 5_2_0161F716 mov eax, dword ptr fs:[00000030h] 5_2_0161F716
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 5_2_0168FF10 mov eax, dword ptr fs:[00000030h] 5_2_0168FF10
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 5_2_0168FF10 mov eax, dword ptr fs:[00000030h] 5_2_0168FF10
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 5_2_016337F5 mov eax, dword ptr fs:[00000030h] 5_2_016337F5
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 5_2_01677794 mov eax, dword ptr fs:[00000030h] 5_2_01677794
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 5_2_01677794 mov eax, dword ptr fs:[00000030h] 5_2_01677794
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 5_2_01677794 mov eax, dword ptr fs:[00000030h] 5_2_01677794
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 5_2_01608794 mov eax, dword ptr fs:[00000030h] 5_2_01608794
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 5_2_0160766D mov eax, dword ptr fs:[00000030h] 5_2_0160766D
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 5_2_0161AE73 mov eax, dword ptr fs:[00000030h] 5_2_0161AE73
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 5_2_0161AE73 mov eax, dword ptr fs:[00000030h] 5_2_0161AE73
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 5_2_0161AE73 mov eax, dword ptr fs:[00000030h] 5_2_0161AE73
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 5_2_0161AE73 mov eax, dword ptr fs:[00000030h] 5_2_0161AE73
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 5_2_0161AE73 mov eax, dword ptr fs:[00000030h] 5_2_0161AE73
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 5_2_01607E41 mov eax, dword ptr fs:[00000030h] 5_2_01607E41
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 5_2_01607E41 mov eax, dword ptr fs:[00000030h] 5_2_01607E41
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 5_2_01607E41 mov eax, dword ptr fs:[00000030h] 5_2_01607E41
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 5_2_01607E41 mov eax, dword ptr fs:[00000030h] 5_2_01607E41
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 5_2_01607E41 mov eax, dword ptr fs:[00000030h] 5_2_01607E41
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 5_2_01607E41 mov eax, dword ptr fs:[00000030h] 5_2_01607E41
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 5_2_016BAE44 mov eax, dword ptr fs:[00000030h] 5_2_016BAE44
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 5_2_016BAE44 mov eax, dword ptr fs:[00000030h] 5_2_016BAE44
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 5_2_016AFE3F mov eax, dword ptr fs:[00000030h] 5_2_016AFE3F
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 5_2_015FC600 mov eax, dword ptr fs:[00000030h] 5_2_015FC600
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 5_2_015FC600 mov eax, dword ptr fs:[00000030h] 5_2_015FC600
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 5_2_015FC600 mov eax, dword ptr fs:[00000030h] 5_2_015FC600
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 5_2_01628E00 mov eax, dword ptr fs:[00000030h] 5_2_01628E00
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 5_2_016B1608 mov eax, dword ptr fs:[00000030h] 5_2_016B1608
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 5_2_0162A61C mov eax, dword ptr fs:[00000030h] 5_2_0162A61C
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 5_2_0162A61C mov eax, dword ptr fs:[00000030h] 5_2_0162A61C
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 5_2_015FE620 mov eax, dword ptr fs:[00000030h] 5_2_015FE620
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 5_2_016216E0 mov ecx, dword ptr fs:[00000030h] 5_2_016216E0
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 5_2_016076E2 mov eax, dword ptr fs:[00000030h] 5_2_016076E2
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 5_2_01638EC7 mov eax, dword ptr fs:[00000030h] 5_2_01638EC7
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 5_2_016AFEC0 mov eax, dword ptr fs:[00000030h] 5_2_016AFEC0
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 5_2_016236CC mov eax, dword ptr fs:[00000030h] 5_2_016236CC
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 5_2_016C8ED6 mov eax, dword ptr fs:[00000030h] 5_2_016C8ED6
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 5_2_016746A7 mov eax, dword ptr fs:[00000030h] 5_2_016746A7
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 5_2_016C0EA5 mov eax, dword ptr fs:[00000030h] 5_2_016C0EA5
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 5_2_016C0EA5 mov eax, dword ptr fs:[00000030h] 5_2_016C0EA5
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 5_2_016C0EA5 mov eax, dword ptr fs:[00000030h] 5_2_016C0EA5
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 5_2_0168FE87 mov eax, dword ptr fs:[00000030h] 5_2_0168FE87
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 14_2_0498849B mov eax, dword ptr fs:[00000030h] 14_2_0498849B
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 14_2_04A314FB mov eax, dword ptr fs:[00000030h] 14_2_04A314FB
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 14_2_049F6CF0 mov eax, dword ptr fs:[00000030h] 14_2_049F6CF0
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 14_2_049F6CF0 mov eax, dword ptr fs:[00000030h] 14_2_049F6CF0
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 14_2_049F6CF0 mov eax, dword ptr fs:[00000030h] 14_2_049F6CF0
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 14_2_04A48CD6 mov eax, dword ptr fs:[00000030h] 14_2_04A48CD6
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 14_2_049F6C0A mov eax, dword ptr fs:[00000030h] 14_2_049F6C0A
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 14_2_049F6C0A mov eax, dword ptr fs:[00000030h] 14_2_049F6C0A
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 14_2_049F6C0A mov eax, dword ptr fs:[00000030h] 14_2_049F6C0A
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 14_2_049F6C0A mov eax, dword ptr fs:[00000030h] 14_2_049F6C0A
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 14_2_04A31C06 mov eax, dword ptr fs:[00000030h] 14_2_04A31C06
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 14_2_04A31C06 mov eax, dword ptr fs:[00000030h] 14_2_04A31C06
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 14_2_04A31C06 mov eax, dword ptr fs:[00000030h] 14_2_04A31C06
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 14_2_04A31C06 mov eax, dword ptr fs:[00000030h] 14_2_04A31C06
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 14_2_04A31C06 mov eax, dword ptr fs:[00000030h] 14_2_04A31C06
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 14_2_04A31C06 mov eax, dword ptr fs:[00000030h] 14_2_04A31C06
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 14_2_04A31C06 mov eax, dword ptr fs:[00000030h] 14_2_04A31C06
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 14_2_04A31C06 mov eax, dword ptr fs:[00000030h] 14_2_04A31C06
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 14_2_04A31C06 mov eax, dword ptr fs:[00000030h] 14_2_04A31C06
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 14_2_04A31C06 mov eax, dword ptr fs:[00000030h] 14_2_04A31C06
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 14_2_04A31C06 mov eax, dword ptr fs:[00000030h] 14_2_04A31C06
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 14_2_04A31C06 mov eax, dword ptr fs:[00000030h] 14_2_04A31C06
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 14_2_04A31C06 mov eax, dword ptr fs:[00000030h] 14_2_04A31C06
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 14_2_04A31C06 mov eax, dword ptr fs:[00000030h] 14_2_04A31C06
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 14_2_04A4740D mov eax, dword ptr fs:[00000030h] 14_2_04A4740D
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 14_2_04A4740D mov eax, dword ptr fs:[00000030h] 14_2_04A4740D
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 14_2_04A4740D mov eax, dword ptr fs:[00000030h] 14_2_04A4740D
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 14_2_049ABC2C mov eax, dword ptr fs:[00000030h] 14_2_049ABC2C
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 14_2_049AA44B mov eax, dword ptr fs:[00000030h] 14_2_049AA44B
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 14_2_04A0C450 mov eax, dword ptr fs:[00000030h] 14_2_04A0C450
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 14_2_04A0C450 mov eax, dword ptr fs:[00000030h] 14_2_04A0C450
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 14_2_0499746D mov eax, dword ptr fs:[00000030h] 14_2_0499746D
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 14_2_049AFD9B mov eax, dword ptr fs:[00000030h] 14_2_049AFD9B
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 14_2_049AFD9B mov eax, dword ptr fs:[00000030h] 14_2_049AFD9B
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 14_2_04A405AC mov eax, dword ptr fs:[00000030h] 14_2_04A405AC
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 14_2_04A405AC mov eax, dword ptr fs:[00000030h] 14_2_04A405AC
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 14_2_049A2581 mov eax, dword ptr fs:[00000030h] 14_2_049A2581
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 14_2_049A2581 mov eax, dword ptr fs:[00000030h] 14_2_049A2581
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 14_2_049A2581 mov eax, dword ptr fs:[00000030h] 14_2_049A2581
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 14_2_049A2581 mov eax, dword ptr fs:[00000030h] 14_2_049A2581
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 14_2_04972D8A mov eax, dword ptr fs:[00000030h] 14_2_04972D8A
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 14_2_04972D8A mov eax, dword ptr fs:[00000030h] 14_2_04972D8A
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 14_2_04972D8A mov eax, dword ptr fs:[00000030h] 14_2_04972D8A
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 14_2_04972D8A mov eax, dword ptr fs:[00000030h] 14_2_04972D8A
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 14_2_04972D8A mov eax, dword ptr fs:[00000030h] 14_2_04972D8A
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 14_2_049A1DB5 mov eax, dword ptr fs:[00000030h] 14_2_049A1DB5
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 14_2_049A1DB5 mov eax, dword ptr fs:[00000030h] 14_2_049A1DB5
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 14_2_049A1DB5 mov eax, dword ptr fs:[00000030h] 14_2_049A1DB5
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 14_2_049A35A1 mov eax, dword ptr fs:[00000030h] 14_2_049A35A1
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 14_2_04A3FDE2 mov eax, dword ptr fs:[00000030h] 14_2_04A3FDE2
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 14_2_04A3FDE2 mov eax, dword ptr fs:[00000030h] 14_2_04A3FDE2
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 14_2_04A3FDE2 mov eax, dword ptr fs:[00000030h] 14_2_04A3FDE2
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 14_2_04A3FDE2 mov eax, dword ptr fs:[00000030h] 14_2_04A3FDE2
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 14_2_04A28DF1 mov eax, dword ptr fs:[00000030h] 14_2_04A28DF1
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 14_2_049F6DC9 mov eax, dword ptr fs:[00000030h] 14_2_049F6DC9
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 14_2_049F6DC9 mov eax, dword ptr fs:[00000030h] 14_2_049F6DC9
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 14_2_049F6DC9 mov eax, dword ptr fs:[00000030h] 14_2_049F6DC9
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 14_2_049F6DC9 mov ecx, dword ptr fs:[00000030h] 14_2_049F6DC9
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 14_2_049F6DC9 mov eax, dword ptr fs:[00000030h] 14_2_049F6DC9
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 14_2_049F6DC9 mov eax, dword ptr fs:[00000030h] 14_2_049F6DC9
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 14_2_0498D5E0 mov eax, dword ptr fs:[00000030h] 14_2_0498D5E0
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 14_2_0498D5E0 mov eax, dword ptr fs:[00000030h] 14_2_0498D5E0
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 14_2_04A48D34 mov eax, dword ptr fs:[00000030h] 14_2_04A48D34
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 14_2_04A3E539 mov eax, dword ptr fs:[00000030h] 14_2_04A3E539
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 14_2_049A4D3B mov eax, dword ptr fs:[00000030h] 14_2_049A4D3B
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 14_2_049A4D3B mov eax, dword ptr fs:[00000030h] 14_2_049A4D3B
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 14_2_049A4D3B mov eax, dword ptr fs:[00000030h] 14_2_049A4D3B
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 14_2_0497AD30 mov eax, dword ptr fs:[00000030h] 14_2_0497AD30
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 14_2_049FA537 mov eax, dword ptr fs:[00000030h] 14_2_049FA537
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 14_2_04983D34 mov eax, dword ptr fs:[00000030h] 14_2_04983D34
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 14_2_04983D34 mov eax, dword ptr fs:[00000030h] 14_2_04983D34
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 14_2_04983D34 mov eax, dword ptr fs:[00000030h] 14_2_04983D34
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 14_2_04983D34 mov eax, dword ptr fs:[00000030h] 14_2_04983D34
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 14_2_04983D34 mov eax, dword ptr fs:[00000030h] 14_2_04983D34
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 14_2_04983D34 mov eax, dword ptr fs:[00000030h] 14_2_04983D34
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 14_2_04983D34 mov eax, dword ptr fs:[00000030h] 14_2_04983D34
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 14_2_04983D34 mov eax, dword ptr fs:[00000030h] 14_2_04983D34
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 14_2_04983D34 mov eax, dword ptr fs:[00000030h] 14_2_04983D34
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 14_2_04983D34 mov eax, dword ptr fs:[00000030h] 14_2_04983D34
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 14_2_04983D34 mov eax, dword ptr fs:[00000030h] 14_2_04983D34
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 14_2_04983D34 mov eax, dword ptr fs:[00000030h] 14_2_04983D34
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 14_2_04983D34 mov eax, dword ptr fs:[00000030h] 14_2_04983D34
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 14_2_04997D50 mov eax, dword ptr fs:[00000030h] 14_2_04997D50
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 14_2_049B3D43 mov eax, dword ptr fs:[00000030h] 14_2_049B3D43
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 14_2_049F3540 mov eax, dword ptr fs:[00000030h] 14_2_049F3540
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 14_2_0499C577 mov eax, dword ptr fs:[00000030h] 14_2_0499C577
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 14_2_0499C577 mov eax, dword ptr fs:[00000030h] 14_2_0499C577
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 14_2_04A40EA5 mov eax, dword ptr fs:[00000030h] 14_2_04A40EA5
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 14_2_04A40EA5 mov eax, dword ptr fs:[00000030h] 14_2_04A40EA5
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 14_2_04A40EA5 mov eax, dword ptr fs:[00000030h] 14_2_04A40EA5
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 14_2_04A0FE87 mov eax, dword ptr fs:[00000030h] 14_2_04A0FE87
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 14_2_049F46A7 mov eax, dword ptr fs:[00000030h] 14_2_049F46A7
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 14_2_049A36CC mov eax, dword ptr fs:[00000030h] 14_2_049A36CC
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 14_2_049B8EC7 mov eax, dword ptr fs:[00000030h] 14_2_049B8EC7
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 14_2_04A2FEC0 mov eax, dword ptr fs:[00000030h] 14_2_04A2FEC0
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 14_2_04A48ED6 mov eax, dword ptr fs:[00000030h] 14_2_04A48ED6
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 14_2_049A16E0 mov ecx, dword ptr fs:[00000030h] 14_2_049A16E0
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 14_2_049876E2 mov eax, dword ptr fs:[00000030h] 14_2_049876E2
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 14_2_049AA61C mov eax, dword ptr fs:[00000030h] 14_2_049AA61C
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 14_2_049AA61C mov eax, dword ptr fs:[00000030h] 14_2_049AA61C
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 14_2_0497C600 mov eax, dword ptr fs:[00000030h] 14_2_0497C600
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 14_2_0497C600 mov eax, dword ptr fs:[00000030h] 14_2_0497C600
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 14_2_0497C600 mov eax, dword ptr fs:[00000030h] 14_2_0497C600
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 14_2_049A8E00 mov eax, dword ptr fs:[00000030h] 14_2_049A8E00
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 14_2_04A2FE3F mov eax, dword ptr fs:[00000030h] 14_2_04A2FE3F
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 14_2_04A31608 mov eax, dword ptr fs:[00000030h] 14_2_04A31608
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 14_2_0497E620 mov eax, dword ptr fs:[00000030h] 14_2_0497E620
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 14_2_04987E41 mov eax, dword ptr fs:[00000030h] 14_2_04987E41
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 14_2_04987E41 mov eax, dword ptr fs:[00000030h] 14_2_04987E41
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 14_2_04987E41 mov eax, dword ptr fs:[00000030h] 14_2_04987E41
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 14_2_04987E41 mov eax, dword ptr fs:[00000030h] 14_2_04987E41
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 14_2_04987E41 mov eax, dword ptr fs:[00000030h] 14_2_04987E41
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 14_2_04987E41 mov eax, dword ptr fs:[00000030h] 14_2_04987E41
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 14_2_04A3AE44 mov eax, dword ptr fs:[00000030h] 14_2_04A3AE44
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 14_2_04A3AE44 mov eax, dword ptr fs:[00000030h] 14_2_04A3AE44
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 14_2_0499AE73 mov eax, dword ptr fs:[00000030h] 14_2_0499AE73
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 14_2_0499AE73 mov eax, dword ptr fs:[00000030h] 14_2_0499AE73
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 14_2_0499AE73 mov eax, dword ptr fs:[00000030h] 14_2_0499AE73
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 14_2_0499AE73 mov eax, dword ptr fs:[00000030h] 14_2_0499AE73
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 14_2_0499AE73 mov eax, dword ptr fs:[00000030h] 14_2_0499AE73
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 14_2_0498766D mov eax, dword ptr fs:[00000030h] 14_2_0498766D
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 14_2_049F7794 mov eax, dword ptr fs:[00000030h] 14_2_049F7794
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 14_2_049F7794 mov eax, dword ptr fs:[00000030h] 14_2_049F7794
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 14_2_049F7794 mov eax, dword ptr fs:[00000030h] 14_2_049F7794
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 14_2_04988794 mov eax, dword ptr fs:[00000030h] 14_2_04988794
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 14_2_049B37F5 mov eax, dword ptr fs:[00000030h] 14_2_049B37F5
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 14_2_0499F716 mov eax, dword ptr fs:[00000030h] 14_2_0499F716
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 14_2_049AA70E mov eax, dword ptr fs:[00000030h] 14_2_049AA70E
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 14_2_049AA70E mov eax, dword ptr fs:[00000030h] 14_2_049AA70E
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 14_2_04A4070D mov eax, dword ptr fs:[00000030h] 14_2_04A4070D
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 14_2_04A4070D mov eax, dword ptr fs:[00000030h] 14_2_04A4070D
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 14_2_049AE730 mov eax, dword ptr fs:[00000030h] 14_2_049AE730
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 14_2_04A0FF10 mov eax, dword ptr fs:[00000030h] 14_2_04A0FF10
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 14_2_04A0FF10 mov eax, dword ptr fs:[00000030h] 14_2_04A0FF10
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 14_2_04974F2E mov eax, dword ptr fs:[00000030h] 14_2_04974F2E
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 14_2_04974F2E mov eax, dword ptr fs:[00000030h] 14_2_04974F2E
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 14_2_04A48F6A mov eax, dword ptr fs:[00000030h] 14_2_04A48F6A
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 14_2_0498EF40 mov eax, dword ptr fs:[00000030h] 14_2_0498EF40
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 14_2_0498FF60 mov eax, dword ptr fs:[00000030h] 14_2_0498FF60
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 14_2_04979080 mov eax, dword ptr fs:[00000030h] 14_2_04979080
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 14_2_049F3884 mov eax, dword ptr fs:[00000030h] 14_2_049F3884
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 14_2_049F3884 mov eax, dword ptr fs:[00000030h] 14_2_049F3884
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 14_2_049AF0BF mov ecx, dword ptr fs:[00000030h] 14_2_049AF0BF
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 14_2_049AF0BF mov eax, dword ptr fs:[00000030h] 14_2_049AF0BF
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 14_2_049AF0BF mov eax, dword ptr fs:[00000030h] 14_2_049AF0BF
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 14_2_049B90AF mov eax, dword ptr fs:[00000030h] 14_2_049B90AF
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 14_2_049A20A0 mov eax, dword ptr fs:[00000030h] 14_2_049A20A0
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 14_2_049A20A0 mov eax, dword ptr fs:[00000030h] 14_2_049A20A0
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 14_2_049A20A0 mov eax, dword ptr fs:[00000030h] 14_2_049A20A0
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 14_2_049A20A0 mov eax, dword ptr fs:[00000030h] 14_2_049A20A0
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 14_2_049A20A0 mov eax, dword ptr fs:[00000030h] 14_2_049A20A0
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 14_2_049A20A0 mov eax, dword ptr fs:[00000030h] 14_2_049A20A0
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 14_2_04A0B8D0 mov eax, dword ptr fs:[00000030h] 14_2_04A0B8D0
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 14_2_04A0B8D0 mov ecx, dword ptr fs:[00000030h] 14_2_04A0B8D0
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 14_2_04A0B8D0 mov eax, dword ptr fs:[00000030h] 14_2_04A0B8D0
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 14_2_04A0B8D0 mov eax, dword ptr fs:[00000030h] 14_2_04A0B8D0
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 14_2_04A0B8D0 mov eax, dword ptr fs:[00000030h] 14_2_04A0B8D0
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 14_2_04A0B8D0 mov eax, dword ptr fs:[00000030h] 14_2_04A0B8D0
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 14_2_049758EC mov eax, dword ptr fs:[00000030h] 14_2_049758EC
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 14_2_049F7016 mov eax, dword ptr fs:[00000030h] 14_2_049F7016
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 14_2_049F7016 mov eax, dword ptr fs:[00000030h] 14_2_049F7016
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 14_2_049F7016 mov eax, dword ptr fs:[00000030h] 14_2_049F7016
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 14_2_04A44015 mov eax, dword ptr fs:[00000030h] 14_2_04A44015
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 14_2_04A44015 mov eax, dword ptr fs:[00000030h] 14_2_04A44015
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 14_2_0498B02A mov eax, dword ptr fs:[00000030h] 14_2_0498B02A
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 14_2_0498B02A mov eax, dword ptr fs:[00000030h] 14_2_0498B02A
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 14_2_0498B02A mov eax, dword ptr fs:[00000030h] 14_2_0498B02A
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 14_2_0498B02A mov eax, dword ptr fs:[00000030h] 14_2_0498B02A
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 14_2_049A002D mov eax, dword ptr fs:[00000030h] 14_2_049A002D
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 14_2_049A002D mov eax, dword ptr fs:[00000030h] 14_2_049A002D
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 14_2_049A002D mov eax, dword ptr fs:[00000030h] 14_2_049A002D
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 14_2_049A002D mov eax, dword ptr fs:[00000030h] 14_2_049A002D
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 14_2_049A002D mov eax, dword ptr fs:[00000030h] 14_2_049A002D
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 14_2_04990050 mov eax, dword ptr fs:[00000030h] 14_2_04990050
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 14_2_04990050 mov eax, dword ptr fs:[00000030h] 14_2_04990050
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 14_2_04A32073 mov eax, dword ptr fs:[00000030h] 14_2_04A32073
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 14_2_04A41074 mov eax, dword ptr fs:[00000030h] 14_2_04A41074
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 14_2_049A2990 mov eax, dword ptr fs:[00000030h] 14_2_049A2990
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 14_2_0499C182 mov eax, dword ptr fs:[00000030h] 14_2_0499C182
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 14_2_049AA185 mov eax, dword ptr fs:[00000030h] 14_2_049AA185
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 14_2_049F51BE mov eax, dword ptr fs:[00000030h] 14_2_049F51BE
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 14_2_049F51BE mov eax, dword ptr fs:[00000030h] 14_2_049F51BE
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 14_2_049F51BE mov eax, dword ptr fs:[00000030h] 14_2_049F51BE
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 14_2_049F51BE mov eax, dword ptr fs:[00000030h] 14_2_049F51BE
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 14_2_049F69A6 mov eax, dword ptr fs:[00000030h] 14_2_049F69A6
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 14_2_049A61A0 mov eax, dword ptr fs:[00000030h] 14_2_049A61A0
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 14_2_049A61A0 mov eax, dword ptr fs:[00000030h] 14_2_049A61A0
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 14_2_04A041E8 mov eax, dword ptr fs:[00000030h] 14_2_04A041E8
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 14_2_0497B1E1 mov eax, dword ptr fs:[00000030h] 14_2_0497B1E1
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 14_2_0497B1E1 mov eax, dword ptr fs:[00000030h] 14_2_0497B1E1
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 14_2_0497B1E1 mov eax, dword ptr fs:[00000030h] 14_2_0497B1E1
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 14_2_04979100 mov eax, dword ptr fs:[00000030h] 14_2_04979100
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 14_2_04979100 mov eax, dword ptr fs:[00000030h] 14_2_04979100
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 14_2_04979100 mov eax, dword ptr fs:[00000030h] 14_2_04979100
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 14_2_049A513A mov eax, dword ptr fs:[00000030h] 14_2_049A513A
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 14_2_049A513A mov eax, dword ptr fs:[00000030h] 14_2_049A513A
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 14_2_04994120 mov eax, dword ptr fs:[00000030h] 14_2_04994120
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 14_2_04994120 mov eax, dword ptr fs:[00000030h] 14_2_04994120
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 14_2_04994120 mov eax, dword ptr fs:[00000030h] 14_2_04994120
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 14_2_04994120 mov eax, dword ptr fs:[00000030h] 14_2_04994120
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 14_2_04994120 mov ecx, dword ptr fs:[00000030h] 14_2_04994120
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 14_2_0499B944 mov eax, dword ptr fs:[00000030h] 14_2_0499B944
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 14_2_0499B944 mov eax, dword ptr fs:[00000030h] 14_2_0499B944
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 14_2_0497B171 mov eax, dword ptr fs:[00000030h] 14_2_0497B171
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 14_2_0497B171 mov eax, dword ptr fs:[00000030h] 14_2_0497B171
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 14_2_0497C962 mov eax, dword ptr fs:[00000030h] 14_2_0497C962
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 14_2_049AD294 mov eax, dword ptr fs:[00000030h] 14_2_049AD294
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 14_2_049AD294 mov eax, dword ptr fs:[00000030h] 14_2_049AD294
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 14_2_0498AAB0 mov eax, dword ptr fs:[00000030h] 14_2_0498AAB0
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 14_2_0498AAB0 mov eax, dword ptr fs:[00000030h] 14_2_0498AAB0
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 14_2_049AFAB0 mov eax, dword ptr fs:[00000030h] 14_2_049AFAB0
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 14_2_049752A5 mov eax, dword ptr fs:[00000030h] 14_2_049752A5
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 14_2_049752A5 mov eax, dword ptr fs:[00000030h] 14_2_049752A5
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 14_2_049752A5 mov eax, dword ptr fs:[00000030h] 14_2_049752A5
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 14_2_049752A5 mov eax, dword ptr fs:[00000030h] 14_2_049752A5
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 14_2_049752A5 mov eax, dword ptr fs:[00000030h] 14_2_049752A5
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 14_2_049A2ACB mov eax, dword ptr fs:[00000030h] 14_2_049A2ACB
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 14_2_049A2AE4 mov eax, dword ptr fs:[00000030h] 14_2_049A2AE4
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 14_2_0497AA16 mov eax, dword ptr fs:[00000030h] 14_2_0497AA16
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 14_2_0497AA16 mov eax, dword ptr fs:[00000030h] 14_2_0497AA16
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 14_2_04993A1C mov eax, dword ptr fs:[00000030h] 14_2_04993A1C
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 14_2_04975210 mov eax, dword ptr fs:[00000030h] 14_2_04975210
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 14_2_04975210 mov ecx, dword ptr fs:[00000030h] 14_2_04975210
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 14_2_04975210 mov eax, dword ptr fs:[00000030h] 14_2_04975210
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 14_2_04975210 mov eax, dword ptr fs:[00000030h] 14_2_04975210
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 14_2_04988A0A mov eax, dword ptr fs:[00000030h] 14_2_04988A0A
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 14_2_04A3AA16 mov eax, dword ptr fs:[00000030h] 14_2_04A3AA16
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 14_2_04A3AA16 mov eax, dword ptr fs:[00000030h] 14_2_04A3AA16
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 14_2_049B4A2C mov eax, dword ptr fs:[00000030h] 14_2_049B4A2C
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 14_2_049B4A2C mov eax, dword ptr fs:[00000030h] 14_2_049B4A2C
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 14_2_04A2B260 mov eax, dword ptr fs:[00000030h] 14_2_04A2B260
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 14_2_04A2B260 mov eax, dword ptr fs:[00000030h] 14_2_04A2B260
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 14_2_04A48A62 mov eax, dword ptr fs:[00000030h] 14_2_04A48A62
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 14_2_04979240 mov eax, dword ptr fs:[00000030h] 14_2_04979240
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 14_2_04979240 mov eax, dword ptr fs:[00000030h] 14_2_04979240
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 14_2_04979240 mov eax, dword ptr fs:[00000030h] 14_2_04979240
Checks if the current process is being debugged
Source: C:\Users\user\Desktop\arrival notice.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\cmstp.exe Process queried: DebugPort
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\Desktop\arrival notice.exe Code function: 5_2_00409B30 LdrLoadDll, 5_2_00409B30
Source: C:\Users\user\Desktop\arrival notice.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

Sample uses process hollowing technique
Source: C:\Users\user\Desktop\arrival notice.exe Section unmapped: C:\Windows\SysWOW64\cmstp.exe base address: 990000
Maps a DLL or memory area into another process
Source: C:\Users\user\Desktop\arrival notice.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\Desktop\arrival notice.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\Desktop\arrival notice.exe Section loaded: unknown target: C:\Windows\SysWOW64\cmstp.exe protection: execute and read and write
Source: C:\Users\user\Desktop\arrival notice.exe Section loaded: unknown target: C:\Windows\SysWOW64\cmstp.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\cmstp.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\cmstp.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\cmstp.exe Section loaded: unknown target: unknown protection: read write
Source: C:\Windows\SysWOW64\cmstp.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\arrival notice.exe Memory written: C:\Users\user\Desktop\arrival notice.exe base: 400000 value starts with: 4D5A
Queues an APC in another process (thread injection)
Source: C:\Users\user\Desktop\arrival notice.exe Thread APC queued: target process: C:\Windows\explorer.exe
Modifies the context of a thread in another process (thread injection)
Source: C:\Users\user\Desktop\arrival notice.exe Thread register set: target process: 3424
Source: C:\Users\user\Desktop\arrival notice.exe Thread register set: target process: 3424
Source: C:\Windows\SysWOW64\cmstp.exe Thread register set: target process: 3424
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\arrival notice.exe Process created: C:\Users\user\Desktop\arrival notice.exe C:\Users\user\Desktop\arrival notice.exe
Source: C:\Users\user\Desktop\arrival notice.exe Process created: C:\Users\user\Desktop\arrival notice.exe C:\Users\user\Desktop\arrival notice.exe
Source: C:\Users\user\Desktop\arrival notice.exe Process created: C:\Windows\SysWOW64\cmstp.exe C:\Windows\SysWOW64\cmstp.exe
Source: C:\Windows\SysWOW64\cmstp.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\arrival notice.exe'
Source: cmstp.exe, 0000000E.00000002.987454284.0000000003200000.00000002.00020000.sdmp, explorer.exe, 00000017.00000002.957503713.00000000019C0000.00000002.00020000.sdmp Binary or memory string: Program Manager{`
Source: explorer.exe, 00000006.00000000.731035953.0000000000AD8000.00000004.00000020.sdmp Binary or memory string: ProgmanMD6
Source: explorer.exe, 00000006.00000000.704269802.0000000001080000.00000002.00020000.sdmp Binary or memory string: Program Manager
Source: explorer.exe, 00000006.00000000.678978874.0000000005E50000.00000004.00000001.sdmp, cmstp.exe, 0000000E.00000002.987454284.0000000003200000.00000002.00020000.sdmp, explorer.exe, 00000017.00000000.921285178.00000000056C0000.00000004.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000006.00000000.704269802.0000000001080000.00000002.00020000.sdmp, cmstp.exe, 0000000E.00000002.987454284.0000000003200000.00000002.00020000.sdmp, explorer.exe, 00000017.00000000.921285178.00000000056C0000.00000004.00000001.sdmp Binary or memory string: Progman
Source: explorer.exe, 00000006.00000000.704269802.0000000001080000.00000002.00020000.sdmp, cmstp.exe, 0000000E.00000002.987454284.0000000003200000.00000002.00020000.sdmp, explorer.exe, 00000017.00000002.957503713.00000000019C0000.00000002.00020000.sdmp Binary or memory string: Progmanlock
Source: explorer.exe, 00000017.00000002.956628054.00000000013D9000.00000004.00000020.sdmp Binary or memory string: Progmanw
Source: explorer.exe, 00000006.00000000.681755458.000000000A716000.00000004.00000001.sdmp Binary or memory string: Shell_TrayWnd5D
Source: explorer.exe, 00000017.00000002.961116396.00000000054E0000.00000004.00000001.sdmp Binary or memory string: Shell_TrayWnd3
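As an added example (not part of the Joe Sandbox report or its tooling), the following Python script parses the behaviour lines of this section into a process tree plus the cross-process memory operations, and derives the findings a detection engineer would act on: the dropper re-launches itself and starts cmstp.exe as hosts, unmaps and overwrites them (process hollowing), queues an APC into explorer.exe, and finally has cmstp.exe spawn cmd.exe /c del to remove the original file. The sample lines are constructed by copying lines from the section above; the regular expressions, finding labels and the "cmstp.exe without an .inf argument" heuristic are the script's own assumptions, not rules from the report.

```python
import re

# Constructed sample input (copied from the report section above, in its own
# "Source: <process> <event>: <details>" shape); not the sandbox's internal data.
SAMPLE_LINES = [
    r"Source: C:\Users\user\Desktop\arrival notice.exe Process created: C:\Users\user\Desktop\arrival notice.exe C:\Users\user\Desktop\arrival notice.exe",
    r"Source: C:\Users\user\Desktop\arrival notice.exe Process created: C:\Windows\SysWOW64\cmstp.exe C:\Windows\SysWOW64\cmstp.exe",
    r"Source: C:\Windows\SysWOW64\cmstp.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\arrival notice.exe'",
    r"Source: C:\Users\user\Desktop\arrival notice.exe Section unmapped: C:\Windows\SysWOW64\cmstp.exe base address: 990000",
    r"Source: C:\Users\user\Desktop\arrival notice.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write",
    r"Source: C:\Users\user\Desktop\arrival notice.exe Thread APC queued: target process: C:\Windows\explorer.exe",
    r"Source: C:\Users\user\Desktop\arrival notice.exe Thread register set: target process: 3424",
    r"Source: C:\Users\user\Desktop\arrival notice.exe Memory written: C:\Users\user\Desktop\arrival notice.exe base: 400000 value starts with: 4D5A",
]
SAMPLE = r"C:\Users\user\Desktop\arrival notice.exe"

EVENTS = ("Process created", "Section unmapped", "Section loaded",
          "Thread APC queued", "Thread register set", "Memory written")
LINE_RE = re.compile(r"^Source: (?P<src>.+?\.exe) (?P<event>%s): (?P<detail>.*)$"
                     % "|".join(EVENTS))


def basename(path):
    return path.rsplit("\\", 1)[-1]


def parse_line(line):
    """Return (source process, event, detail) for a behaviour line, else None."""
    m = LINE_RE.match(line.strip())
    return (m.group("src"), m.group("event"), m.group("detail")) if m else None


def analyse(lines):
    """Rebuild the process tree and the cross-process memory operations, then
    derive the findings an analyst would turn into detection logic."""
    children = {}   # parent image -> [(child image, child command line)]
    ops = []        # (operation, source image, target image or PID)
    for line in lines:
        parsed = parse_line(line)
        if not parsed:
            continue
        src, event, detail = parsed
        if event == "Process created":
            m = re.match(r"(?P<image>.+?\.exe)\s*(?P<cmd>.*)", detail)
            children.setdefault(src, []).append((m.group("image"), m.group("cmd")))
        elif event == "Section unmapped":
            ops.append(("unmap", src, detail.split(" base address:")[0]))
        elif event == "Section loaded":
            m = re.search(r"target: (?P<t>.+?) protection: (?P<p>.+)$", detail)
            ops.append(("map " + m.group("p"), src, m.group("t")))
        elif event in ("Thread APC queued", "Thread register set"):
            ops.append((event.lower(), src, detail.split("target process: ")[-1]))
        elif event == "Memory written":
            m = re.match(r"(?P<t>.+?\.exe) base: \w+ value starts with: (?P<v>\w+)", detail)
            if m and m.group("v").upper().startswith("4D5A"):   # 'MZ': a PE image
                ops.append(("pe written", src, m.group("t")))

    findings = []
    for parent, kids in children.items():
        for image, cmd in kids:
            name = basename(image).lower()
            # Heuristic (assumption): cmstp.exe installs connection-manager
            # profiles; with no .inf on its command line it is only a host process.
            if name == "cmstp.exe" and ".inf" not in cmd.lower():
                findings.append("lolbin: cmstp.exe started without an .inf by " + basename(parent))
            if name == "cmd.exe" and re.search(r"/c\s+del\b", cmd, re.I):
                findings.append("self-deletion: %s ran cmd.exe %s" % (basename(parent), cmd))
    for op, src, target in ops:
        created = any(img == target for img, _ in children.get(src, []))
        if op == "unmap" and created:   # unmapping one's own child: hollowing
            findings.append("hollowing: %s unmapped its child %s" % (basename(src), basename(target)))
        if op == "thread apc queued":
            findings.append("apc injection: %s -> %s" % (basename(src), basename(target)))
        if op == "pe written":
            findings.append("pe image written by %s into %s" % (basename(src), basename(target)))
    return {"children": children, "ops": ops, "findings": findings}


def render_tree(children, root, depth=0):
    """Indented process tree; the sample's re-launch of itself is shown once."""
    out = ["  " * depth + basename(root)]
    for image, _cmd in children.get(root, []):
        if image == root:
            out.append("  " * (depth + 1) + basename(image) + " (self-relaunch)")
        else:
            out.extend(render_tree(children, image, depth + 1))
    return out


if __name__ == "__main__":
    result = analyse(SAMPLE_LINES)
    print("\n".join(render_tree(result["children"], SAMPLE)))
    for finding in result["findings"]:
        print("-", finding)
```

Run against the eight constructed lines it prints the tree (arrival notice.exe relaunching itself and starting cmstp.exe, which starts cmd.exe) followed by the hollowing, APC-injection, LOLBin and self-deletion findings; each finding maps onto one of the signature headings above, which is what makes the report usable as a source for process-creation and cross-process-write detections.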

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\arrival notice.exe Queries volume information: C:\Users\user\Desktop\arrival notice.exe VolumeInformation
Source: C:\Users\user\Desktop\arrival notice.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\arrival notice.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\arrival notice.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\arrival notice.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\arrival notice.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected FormBook
Source: Yara match File source: 5.2.arrival notice.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.arrival notice.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.arrival notice.exe.37c44c0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000005.00000002.753650396.00000000012B0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.987277254.0000000002E00000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000000.712937418.000000000EC67000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.986144684.00000000007B0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.672365867.00000000035F9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.672532960.00000000036F2000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000000.699881557.000000000EC67000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.752247585.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.753557009.0000000001280000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.987219865.0000000002DD0000.00000040.00020000.sdmp, type: MEMORY

Remote Access Functionality:

Yara detected FormBook
Source: Yara match File source: 5.2.arrival notice.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.arrival notice.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.arrival notice.exe.37c44c0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000005.00000002.753650396.00000000012B0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.987277254.0000000002E00000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000000.712937418.000000000EC67000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.986144684.00000000007B0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.672365867.00000000035F9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.672532960.00000000036F2000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000000.699881557.000000000EC67000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.752247585.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.753557009.0000000001280000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.987219865.0000000002DD0000.00000040.00020000.sdmp, type: MEMORY
No contacted IP infos