Windows Analysis Report HkE0tD0g4NXKJfy.exe

Overview

General Information

Sample Name: HkE0tD0g4NXKJfy.exe
Analysis ID: 528615
MD5: fcc2d1cda8d3989feca9c5f5f900e164
SHA1: 075de723df172cc93c537d5472ad8025f192ddc8
SHA256: 77e1c24ecfa1d339f61b4b8011690425fa0038b3fe32761f5ce8b3126c28c5ad
Tags: exe, Formbook, xloader

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Yara detected AntiVM3
System process connects to network (likely due to code injection or exploit)
Sample uses process hollowing technique
Maps a DLL or memory area into another process
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Self deletion via cmd delete
.NET source code contains potential unpacker
Queues an APC in another process (thread injection)
Tries to detect virtualization through RDTSC time measurements
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Contains functionality for execution timing, often used to detect debuggers
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
Contains functionality to read the PEB
Checks if the current process is being debugged
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

AV Detection:

Found malware configuration
Source: 00000007.00000002.346581658.0000000001450000.00000040.00020000.sdmp Malware Configuration Extractor: FormBook {"C2 list": ["www.platinumcredit.net/sh5d/"], "decoy": ["officejava.store", "appletitan.info", "securebankofamericalog.site", "weprepareamerica-world.com", "suepersoldiers.com", "aproveiteagoras2.com", "harusan.website", "zqmm.net", "joinundergrad.com", "thefullfledged.com", "jadonzia.com", "maoshuochen.com", "tuntun-newmarket.com", "danijela-djordjevic.com", "usaonlinedocs.com", "penspanter.quest", "theclubhouse.tech", "jakital.com", "nj013.com", "foodpanda.digital", "arsels.info", "junkingcarslosangelescounty.com", "formaldressesforwomen.com", "xingruinet.ltd", "xcgtsret.com", "151motors.com", "realsteelsoftwaresending.com", "cutos2.com", "justifygomqbe.xyz", "ini91.com", "uniformfacilities.com", "bullochlifetimelegacy.com", "ddivfc.com", "tuvinoencamino.com", "nbtianzhou.com", "segmauth.com", "thelittlebookof52.com", "bellezamarket.store", "terrysboutique.store", "lightinghj.com", "malayray.com", "7routines.com", "costsma.net", "tapissier-uzes.com", "reparacion-termos-madrid.com", "combingtheratsnest.com", "bobcathntshop.com", "launchpalop.com", "gopheratms.com", "mydatingshop.com", "mosucoffee.club", "ebonyslivestockservice.online", "vupeliquid.com", "buzzsaw.club", "kg-zenith.com", "quimicosypapelesdelnte.com", "secure-mivote.com", "curatorsofkool.com", "quickipcheck.com", "ruggrunnerz.com", "magoro.com", "electricatrick.com", "coralload.com", "herhimalaya.com"]}
Multi AV Scanner detection for submitted file
Source: HkE0tD0g4NXKJfy.exe ReversingLabs: Detection: 26%
Yara detected FormBook
Source: Yara match File source: 7.2.HkE0tD0g4NXKJfy.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.HkE0tD0g4NXKJfy.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.HkE0tD0g4NXKJfy.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.HkE0tD0g4NXKJfy.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.HkE0tD0g4NXKJfy.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.HkE0tD0g4NXKJfy.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.HkE0tD0g4NXKJfy.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000007.00000002.346581658.0000000001450000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000000.323615980.000000000F7EA000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.346764994.0000000001880000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.346144380.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.554339019.0000000002D00000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.551703779.0000000000970000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.553715961.0000000002C00000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000000.289531768.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.292187512.000000000408D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.292465648.00000000042A7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000000.290051864.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Antivirus or Machine Learning detection for unpacked file
Source: 7.0.HkE0tD0g4NXKJfy.exe.400000.8.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 7.0.HkE0tD0g4NXKJfy.exe.400000.4.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 7.0.HkE0tD0g4NXKJfy.exe.400000.6.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 7.2.HkE0tD0g4NXKJfy.exe.400000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen

Compliance:

Uses 32bit PE files
Source: HkE0tD0g4NXKJfy.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: HkE0tD0g4NXKJfy.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: msdt.pdbGCTL source: HkE0tD0g4NXKJfy.exe, 00000007.00000002.348444876.00000000035A0000.00000040.00020000.sdmp
Source: Binary string: wntdll.pdbUGP source: HkE0tD0g4NXKJfy.exe, 00000007.00000002.347003481.00000000018C0000.00000040.00000001.sdmp, HkE0tD0g4NXKJfy.exe, 00000007.00000002.347642766.00000000019DF000.00000040.00000001.sdmp, msdt.exe, 0000000D.00000002.555074563.0000000004700000.00000040.00000001.sdmp, msdt.exe, 0000000D.00000002.555538878.000000000481F000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: HkE0tD0g4NXKJfy.exe, HkE0tD0g4NXKJfy.exe, 00000007.00000002.347003481.00000000018C0000.00000040.00000001.sdmp, HkE0tD0g4NXKJfy.exe, 00000007.00000002.347642766.00000000019DF000.00000040.00000001.sdmp, msdt.exe, msdt.exe, 0000000D.00000002.555074563.0000000004700000.00000040.00000001.sdmp, msdt.exe, 0000000D.00000002.555538878.000000000481F000.00000040.00000001.sdmp
Source: Binary string: msdt.pdb source: HkE0tD0g4NXKJfy.exe, 00000007.00000002.348444876.00000000035A0000.00000040.00020000.sdmp

Software Vulnerabilities:

Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 4x nop then pop ebx 7_2_00406AB4
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 4x nop then pop esi 7_2_00415760
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 4x nop then pop esi 7_2_004157C6
Source: C:\Windows\SysWOW64\msdt.exe Code function: 4x nop then pop ebx 13_2_02D06AB5
Source: C:\Windows\SysWOW64\msdt.exe Code function: 4x nop then pop esi 13_2_02D157C6
Source: C:\Windows\SysWOW64\msdt.exe Code function: 4x nop then pop esi 13_2_02D15760
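The function identifiers in the entries above encode process index, run and virtual address: 7_2_00406AB4 is process 7 (the second instance of HkE0tD0g4NXKJfy.exe, whose unpacked image sits at 0x400000), and 13_2_02D06AB5 is process 13, which the Compliance section ties to msdt.exe as dump prefix 0000000D. The same three nop-run sites show up in both processes at a constant offset, which is what a copied image at a new base looks like. The Python below is an added example and is not part of the Joe Sandbox report: it parses those identifiers, recovers the relocation delta by majority vote, derives the base of the injected image and checks it against the RWX Yara memory hit at 0000000D.00000002.554339019.0000000002D00000 listed under System Summary. The dump-name layout (process index and run in hex, dump id, region base, protection, type) is read off the names on this page; reading the fifth field as a Windows PAGE_* constant (0x40 = PAGE_EXECUTE_READWRITE) is an assumption.

```python
"""Check that the code flagged in msdt.exe is the sample's own image, relocated.

Added example, not part of the Joe Sandbox report; all identifiers are copied from it.
"""
import re
from collections import Counter

# (image, pattern, function id) from the "Found inlined nop instructions" entries.
NOP_SITES = [
    ("HkE0tD0g4NXKJfy.exe", "pop ebx", "7_2_00406AB4"),
    ("HkE0tD0g4NXKJfy.exe", "pop esi", "7_2_00415760"),
    ("HkE0tD0g4NXKJfy.exe", "pop esi", "7_2_004157C6"),
    ("msdt.exe", "pop ebx", "13_2_02D06AB5"),
    ("msdt.exe", "pop esi", "13_2_02D157C6"),
    ("msdt.exe", "pop esi", "13_2_02D15760"),
]

# Memory dumps that matched the FormBook Yara rules (System Summary section), subset.
YARA_MEMORY_HITS = [
    "00000007.00000002.346144380.0000000000400000.00000040.00000001.sdmp",
    "0000000D.00000002.551703779.0000000000970000.00000004.00000001.sdmp",
    "0000000D.00000002.553715961.0000000002C00000.00000040.00020000.sdmp",
    "0000000D.00000002.554339019.0000000002D00000.00000040.00020000.sdmp",
]

PAGE_MASK = ~0xFFF
# Windows PAGE_* constant. Assumption: the fifth dump-name field is a protection value.
PAGE_EXECUTE_READWRITE = 0x40

FUNC_ID = re.compile(r"^(\d+)_(\d+)_([0-9A-Fa-f]{8})$")
DUMP_ID = re.compile(
    r"^([0-9A-F]{8})\.([0-9A-F]{8})\.(\d+)\.([0-9A-F]{16})\.([0-9A-F]{8})\.([0-9A-F]{8})\.sdmp$"
)


def parse_function_id(ident):
    """'13_2_02D06AB5' -> (process index 13, run 2, virtual address 0x02D06AB5)."""
    m = FUNC_ID.match(ident)
    if m is None:
        raise ValueError("unexpected function id: %r" % ident)
    return int(m.group(1)), int(m.group(2)), int(m.group(3), 16)


def parse_dump_id(name):
    """Dump name -> (process index, run, region base, protection).
    Layout read off the names on this page: the first two fields are hex (0000000D
    is process 13, msdt.exe), the fourth is the region base, the fifth the protection."""
    m = DUMP_ID.match(name)
    if m is None:
        raise ValueError("unexpected dump name: %r" % name)
    return (int(m.group(1), 16), int(m.group(2), 16),
            int(m.group(4), 16), int(m.group(5), 16))


def relocation_delta(sites, src_proc, dst_proc):
    """Page-aligned offset between matching nop sites in two processes, decided by
    majority vote over same-pattern pairs. Page alignment absorbs the detector
    starting a nop run one byte later in one dump (...6AB4 vs ...6AB5)."""
    by_proc = {src_proc: [], dst_proc: []}
    for _image, pattern, ident in sites:
        proc, _run, addr = parse_function_id(ident)
        if proc in by_proc:
            by_proc[proc].append((pattern, addr))
    votes = Counter()
    for pat_s, a in by_proc[src_proc]:
        for pat_d, b in by_proc[dst_proc]:
            if pat_s == pat_d and b > a:
                votes[(b - a) & PAGE_MASK] += 1
    if not votes:
        raise ValueError("no comparable sites between processes")
    return votes.most_common(1)[0][0]


def confirm_injection(sites, hits, src_proc, dst_proc, src_base=0x400000):
    """Derive the injected image base from the relocation delta and look for an RWX
    Yara-matched region at exactly that base in the target process. src_base is the
    sample's unpacked image base, as shown by the process-7 dump at 0000000000400000."""
    delta = relocation_delta(sites, src_proc, dst_proc)
    base = src_base + delta
    match = None
    for name in hits:
        proc, _run, region, prot = parse_dump_id(name)
        if proc == dst_proc and region == base and prot == PAGE_EXECUTE_READWRITE:
            match = name
    return {"delta": delta, "base": base, "dump": match}


if __name__ == "__main__":
    result = confirm_injection(NOP_SITES, YARA_MEMORY_HITS, src_proc=7, dst_proc=13)
    print("relocation delta 0x%X, injected base 0x%X, dump %s"
          % (result["delta"], result["base"], result["dump"]))
```

With the report's numbers the delta is 0x2900000, so the image written into msdt.exe is based at 0x02D00000, which is exactly the region the FormBook rules matched in process 0000000D; the 0x02C00000 and 0x970000 hits in the same process are other regions and are not matched by this check.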

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49786 -> 34.102.136.180:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49786 -> 34.102.136.180:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49786 -> 34.102.136.180:80
Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49792 -> 142.250.203.115:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49792 -> 142.250.203.115:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49792 -> 142.250.203.115:80
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe Domain query: www.platinumcredit.net
Source: C:\Windows\explorer.exe Domain query: www.thefullfledged.com
Source: C:\Windows\explorer.exe Domain query: www.jakital.com
Source: C:\Windows\explorer.exe Network Connect: 142.250.203.115 80
Source: C:\Windows\explorer.exe Domain query: www.xcgtsret.com
Source: C:\Windows\explorer.exe Domain query: www.suepersoldiers.com
Source: C:\Windows\explorer.exe Domain query: www.arsels.info
Source: C:\Windows\explorer.exe Domain query: www.electricatrick.com
Source: C:\Windows\explorer.exe Network Connect: 103.224.212.219 80
Source: C:\Windows\explorer.exe Network Connect: 52.204.216.132 80
Source: C:\Windows\explorer.exe Domain query: www.151motors.com
Source: C:\Windows\explorer.exe Network Connect: 34.102.136.180 80
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: www.platinumcredit.net/sh5d/
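The extracted configuration names one C2 entry and a long decoy list, and the entries above show explorer.exe resolving hosts from both lists and requesting the same /sh5d/ path from each; the Snort alerts fired on traffic to two different addresses, so the IDS hits and the connection log alone do not tell C2 from decoy. The following Python script is an added example, not part of the Joe Sandbox report: it takes the configuration as printed above (decoy list shortened) and a few records reassembled from the report's DNS and HTTP entries (constructed input; the report does not name the process behind the HTTP requests, so those carry None, and the chrome.exe record is invented background traffic for contrast). It labels every contacted host as the configured C2, a decoy, or unrelated, normalising the www. prefix that the config carries only on the C2 entry, flags configured hosts contacted by explorer.exe or msdt.exe (the two processes that host injected code in this report), and derives a block list that contains the C2 only. The beacon-shape test is derived from the requests captured on this page and is not a general FormBook signature.

```python
"""Triage the network activity in a FormBook sandbox report against its extracted config.

Added example; not part of the Joe Sandbox report. Inputs are reassembled from the
report's own entries (see comments); the chrome.exe record is constructed.
"""
import re
from urllib.parse import urlsplit

# Extracted configuration as printed in the report (decoy list shortened here).
CONFIG = {
    "C2 list": ["www.platinumcredit.net/sh5d/"],
    "decoy": [
        "officejava.store", "thefullfledged.com", "jakital.com", "xcgtsret.com",
        "suepersoldiers.com", "arsels.info", "electricatrick.com", "151motors.com",
        "vupeliquid.com",
    ],
}

# (process, event kind, value). DNS records come from the report's "System process
# connects to network" entries; HTTP records from "HTTP traffic detected", whose
# originating process the report does not name (None). The chrome.exe record is
# constructed background traffic for contrast.
TELEMETRY = [
    ("explorer.exe", "dns", "www.platinumcredit.net"),
    ("explorer.exe", "dns", "www.151motors.com"),
    ("explorer.exe", "dns", "www.jakital.com"),
    (None, "http", "http://www.platinumcredit.net/sh5d/?Yv=hy4EQ9RQ8H0Qmf+V5oZYawTzVdNi6YgEsN2g+zlr8kWBt8RwCZI+yMGy7WuYiu2G3qgy&8pZ=MFQX"),
    (None, "http", "http://www.151motors.com/sh5d/?Yv=KHnqZ0TbjHhhriSsr4IC2tQHFpsEpNX6XKtcehIZDPMVzpPTFiaMMZSG67rbMC0Gdpxx&8pZ=MFQX"),
    ("chrome.exe", "http", "http://www.example.com/index.html"),
]

# Processes that hosted injected FormBook code in this report. Assumption: in a real
# deployment this set is tuned to the processes known to carry injected payloads.
INJECTION_HOSTS = {"explorer.exe", "msdt.exe"}

BASE64ISH = re.compile(r"[A-Za-z0-9+/=]+")


def normalize_host(host):
    """Lower-case and drop a leading 'www.'; the config lists decoys without it,
    while the observed queries and the C2 entry carry it."""
    host = host.lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host


def parse_config(cfg):
    """Split 'host/path/' C2 entries into {host: path}; normalise decoy hosts."""
    c2 = {}
    for entry in cfg["C2 list"]:
        host, _, path = entry.partition("/")
        c2[normalize_host(host)] = "/" + path
    decoys = {normalize_host(d) for d in cfg["decoy"]}
    return c2, decoys


def classify_host(host, c2, decoys):
    """'c2' for a configured C2 host, 'decoy' for a decoy-list host, else 'unrelated'."""
    h = normalize_host(host)
    if h in c2:
        return "c2"
    if h in decoys:
        return "decoy"
    return "unrelated"


def looks_like_beacon(url, c2_paths):
    """Shape of the GET requests captured in this report: the configured path plus a
    query of exactly two parameters, one long base64-like blob and one 4-char tag.
    Derived from these captures only, not a general FormBook signature. The query is
    split by hand because urllib's parse_qsl would turn '+' into a space."""
    parts = urlsplit(url)
    if parts.path not in c2_paths:
        return False
    values = [p.partition("=")[2] for p in parts.query.split("&") if p]
    if len(values) != 2:
        return False
    short, long_ = sorted(values, key=len)
    return len(short) == 4 and len(long_) >= 40 and BASE64ISH.fullmatch(long_) is not None


def triage(telemetry, cfg):
    """Label every record with host verdict, beacon shape and injected-process flag."""
    c2, decoys = parse_config(cfg)
    c2_paths = set(c2.values())
    findings = []
    for process, kind, value in telemetry:
        host = urlsplit(value).hostname if kind == "http" else value
        verdict = classify_host(host, c2, decoys)
        findings.append({
            "process": process,
            "host": normalize_host(host),
            "verdict": verdict,
            "beacon": kind == "http" and looks_like_beacon(value, c2_paths),
            # A shell or troubleshooting process resolving a configured domain is the
            # injection showing up on the wire, whether that domain is C2 or decoy.
            "injected": process in INJECTION_HOSTS and verdict != "unrelated",
        })
    return findings


def blocklist(findings):
    """Only the configured C2 host is worth blocking; the decoys are ordinary third-party
    sites the bot contacts as cover, and blocking them mostly creates false positives."""
    return {f["host"] for f in findings if f["verdict"] == "c2"}


if __name__ == "__main__":
    results = triage(TELEMETRY, CONFIG)
    for f in results:
        print(f)
    print("block:", sorted(blocklist(results)))
```

The decoy hosts still matter as detection evidence: a connection to any of them with the /sh5d/ beacon shape, from a process that should not be talking to them, identifies the infection even when the real C2 is never reached, which is the situation in this run where the captured responses are 403 pages.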
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: TRELLIAN-AS-APTrellianPtyLimitedAU
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /sh5d/?Yv=hy4EQ9RQ8H0Qmf+V5oZYawTzVdNi6YgEsN2g+zlr8kWBt8RwCZI+yMGy7WuYiu2G3qgy&8pZ=MFQX HTTP/1.1 | Host: www.platinumcredit.net | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic HTTP traffic detected: GET /sh5d/?Yv=KHnqZ0TbjHhhriSsr4IC2tQHFpsEpNX6XKtcehIZDPMVzpPTFiaMMZSG67rbMC0Gdpxx&8pZ=MFQX HTTP/1.1 | Host: www.151motors.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic HTTP traffic detected: GET /sh5d/?Yv=SDhgbwSt5mB4DODrBIecU0Cn9nI1MHSsH0Hazkrlv9wpSquk3LdmspAinMLs2LJY3gHa&8pZ=MFQX HTTP/1.1 | Host: www.suepersoldiers.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic HTTP traffic detected: GET /sh5d/?Yv=U9Dn+H6I1oLCGiFi1oW/bg7Rnic0zjRPtt9AMGb5MRiLdOF7LfbhYF1T4mwo8MTrEy0Q&8pZ=MFQX HTTP/1.1 | Host: www.arsels.info | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic HTTP traffic detected: GET /sh5d/?Yv=bH0MuGY0n47F1S4kOvzCBL0/mw6YL+7138CmEb6WqYz18csJYDgpNmReh/JvI3nBbY8S&8pZ=MFQX HTTP/1.1 | Host: www.electricatrick.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic HTTP traffic detected: GET /sh5d/?Yv=Pdn0Hokg7Q3B7dDVtUX5QMohVVbqJZ0HrhWfxUy6sRCS+GjM4sZ5xKohcZ81Ep8iPYLe&8pZ=MFQX HTTP/1.1 | Host: www.vupeliquid.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 103.224.212.219
Source: global traffic HTTP traffic detected: HTTP/1.1 403 Forbidden | Server: openresty | Date: Thu, 25 Nov 2021 14:09:09 GMT | Content-Type: text/html | Content-Length: 275 | ETag: "618be73d-113" | Via: 1.1 google | Connection: close | Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a | Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 403 Forbidden | Server: openresty | Date: Thu, 25 Nov 2021 14:09:14 GMT | Content-Type: text/html | Content-Length: 275 | ETag: "618be75c-113" | Via: 1.1 google | Connection: close | Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a | Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 403 Forbidden | Server: openresty | Date: Thu, 25 Nov 2021 14:09:36 GMT | Content-Type: text/html | Content-Length: 275 | ETag: "6192576c-113" | Via: 1.1 google | Connection: close | Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a | Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 403 Forbidden | Server: openresty | Date: Thu, 25 Nov 2021 14:10:15 GMT | Content-Type: text/html | Content-Length: 275 | ETag: "6192576d-113" | Via: 1.1 google | Connection: close | Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a | Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>
Source: HkE0tD0g4NXKJfy.exe, 00000000.00000002.291856624.0000000003081000.00000004.00000001.sdmp, HkE0tD0g4NXKJfy.exe, 00000000.00000002.291957293.000000000314B000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: msdt.exe, 0000000D.00000002.550615461.0000000000453000.00000004.00000020.sdmp String found in binary or memory: http://www.jakital.com/
Source: msdt.exe, 0000000D.00000002.550810990.0000000000475000.00000004.00000020.sdmp String found in binary or memory: http://www.jakital.com/sh5d/?Yv=deNwNK4CD/WMHHT4cYNp3s43CKigm652n7BnZRGAFJqHojdiJSlOhFJhA2qOeK3G
Source: unknown DNS traffic detected: queries for: www.platinumcredit.net

E-Banking Fraud:

Yara detected FormBook
Source: Yara match File source: 7.2.HkE0tD0g4NXKJfy.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.HkE0tD0g4NXKJfy.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.HkE0tD0g4NXKJfy.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.HkE0tD0g4NXKJfy.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.HkE0tD0g4NXKJfy.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.HkE0tD0g4NXKJfy.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.HkE0tD0g4NXKJfy.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000007.00000002.346581658.0000000001450000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000000.323615980.000000000F7EA000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.346764994.0000000001880000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.346144380.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.554339019.0000000002D00000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.551703779.0000000000970000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.553715961.0000000002C00000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000000.289531768.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.292187512.000000000408D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.292465648.00000000042A7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000000.290051864.0000000000400000.00000040.00000001.sdmp, type: MEMORY

System Summary:

Malicious sample detected (through community Yara rule)
Source: 7.2.HkE0tD0g4NXKJfy.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 7.2.HkE0tD0g4NXKJfy.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 7.0.HkE0tD0g4NXKJfy.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 7.0.HkE0tD0g4NXKJfy.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 7.0.HkE0tD0g4NXKJfy.exe.400000.8.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 7.0.HkE0tD0g4NXKJfy.exe.400000.8.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 7.0.HkE0tD0g4NXKJfy.exe.400000.6.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 7.0.HkE0tD0g4NXKJfy.exe.400000.6.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 7.0.HkE0tD0g4NXKJfy.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 7.0.HkE0tD0g4NXKJfy.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 7.0.HkE0tD0g4NXKJfy.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 7.0.HkE0tD0g4NXKJfy.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 7.2.HkE0tD0g4NXKJfy.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 7.2.HkE0tD0g4NXKJfy.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.346581658.0000000001450000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.346581658.0000000001450000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000A.00000000.323615980.000000000F7EA000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000A.00000000.323615980.000000000F7EA000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.346764994.0000000001880000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.346764994.0000000001880000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.346144380.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.346144380.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000D.00000002.554339019.0000000002D00000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000D.00000002.554339019.0000000002D00000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000D.00000002.551703779.0000000000970000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000D.00000002.551703779.0000000000970000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000D.00000002.553715961.0000000002C00000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000D.00000002.553715961.0000000002C00000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000000.289531768.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000000.289531768.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.292187512.000000000408D000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.292187512.000000000408D000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.292465648.00000000042A7000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.292465648.00000000042A7000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000000.290051864.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000000.290051864.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Uses 32bit PE files
Source: HkE0tD0g4NXKJfy.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Yara signature match
Source: 7.2.HkE0tD0g4NXKJfy.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 7.2.HkE0tD0g4NXKJfy.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 7.0.HkE0tD0g4NXKJfy.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 7.0.HkE0tD0g4NXKJfy.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 7.0.HkE0tD0g4NXKJfy.exe.400000.8.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 7.0.HkE0tD0g4NXKJfy.exe.400000.8.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 7.0.HkE0tD0g4NXKJfy.exe.400000.6.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 7.0.HkE0tD0g4NXKJfy.exe.400000.6.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 7.0.HkE0tD0g4NXKJfy.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 7.0.HkE0tD0g4NXKJfy.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 7.0.HkE0tD0g4NXKJfy.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 7.0.HkE0tD0g4NXKJfy.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 7.2.HkE0tD0g4NXKJfy.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 7.2.HkE0tD0g4NXKJfy.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000002.346581658.0000000001450000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000002.346581658.0000000001450000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000A.00000000.323615980.000000000F7EA000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000A.00000000.323615980.000000000F7EA000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000002.346764994.0000000001880000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000002.346764994.0000000001880000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000002.346144380.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000002.346144380.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000D.00000002.554339019.0000000002D00000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000D.00000002.554339019.0000000002D00000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000D.00000002.551703779.0000000000970000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000D.00000002.551703779.0000000000970000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000D.00000002.553715961.0000000002C00000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000D.00000002.553715961.0000000002C00000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000000.289531768.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000000.289531768.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.292187512.000000000408D000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.292187512.000000000408D000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.292465648.00000000042A7000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.292465648.00000000042A7000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000000.290051864.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000000.290051864.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Detected potential crypto function
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: String function: 018EB150 appears 35 times
Source: C:\Windows\SysWOW64\msdt.exe Code function: String function: 0472B150 appears 35 times
Contains functionality to call native functions
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 7_2_004185E0 NtCreateFile, 7_2_004185E0
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 7_2_00418690 NtReadFile, 7_2_00418690
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 7_2_00418710 NtClose, 7_2_00418710
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 7_2_004187C0 NtAllocateVirtualMemory, 7_2_004187C0
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 7_2_004185DA NtCreateFile, 7_2_004185DA
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 7_2_0041873A NtReadFile, 7_2_0041873A
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 7_2_004187BC NtAllocateVirtualMemory, 7_2_004187BC
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 7_2_019299A0 NtCreateSection,LdrInitializeThunk, 7_2_019299A0
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 7_2_01929910 NtAdjustPrivilegesToken,LdrInitializeThunk, 7_2_01929910
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 7_2_019298F0 NtReadVirtualMemory,LdrInitializeThunk, 7_2_019298F0
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 7_2_01929840 NtDelayExecution,LdrInitializeThunk, 7_2_01929840
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 7_2_01929860 NtQuerySystemInformation,LdrInitializeThunk, 7_2_01929860
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 7_2_01929A00 NtProtectVirtualMemory,LdrInitializeThunk, 7_2_01929A00
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 7_2_01929A20 NtResumeThread,LdrInitializeThunk, 7_2_01929A20
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 7_2_01929A50 NtCreateFile,LdrInitializeThunk, 7_2_01929A50
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 7_2_019295D0 NtClose,LdrInitializeThunk, 7_2_019295D0
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 7_2_01929540 NtReadFile,LdrInitializeThunk, 7_2_01929540
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 7_2_01929780 NtMapViewOfSection,LdrInitializeThunk, 7_2_01929780
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 7_2_019297A0 NtUnmapViewOfSection,LdrInitializeThunk, 7_2_019297A0
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 7_2_01929FE0 NtCreateMutant,LdrInitializeThunk, 7_2_01929FE0
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 7_2_01929710 NtQueryInformationToken,LdrInitializeThunk, 7_2_01929710
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 7_2_019296E0 NtFreeVirtualMemory,LdrInitializeThunk, 7_2_019296E0
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 7_2_01929660 NtAllocateVirtualMemory,LdrInitializeThunk, 7_2_01929660
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 7_2_019299D0 NtCreateProcessEx, 7_2_019299D0
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 7_2_01929950 NtQueueApcThread, 7_2_01929950
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 7_2_019298A0 NtWriteVirtualMemory, 7_2_019298A0
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 7_2_01929820 NtEnumerateKey, 7_2_01929820
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 7_2_0192B040 NtSuspendThread, 7_2_0192B040
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 7_2_0192A3B0 NtGetContextThread, 7_2_0192A3B0
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 7_2_01929B00 NtSetValueKey, 7_2_01929B00
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 7_2_01929A80 NtOpenDirectoryObject, 7_2_01929A80
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 7_2_01929A10 NtQuerySection, 7_2_01929A10
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 7_2_019295F0 NtQueryInformationFile, 7_2_019295F0
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 7_2_0192AD30 NtSetContextThread, 7_2_0192AD30
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 7_2_01929520 NtWaitForSingleObject, 7_2_01929520
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 7_2_01929560 NtWriteFile, 7_2_01929560
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 7_2_0192A710 NtOpenProcessToken, 7_2_0192A710
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 7_2_01929730 NtQueryVirtualMemory, 7_2_01929730
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 7_2_0192A770 NtOpenThread, 7_2_0192A770
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 7_2_01929770 NtSetInformationFile, 7_2_01929770
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 7_2_01929760 NtOpenProcess, 7_2_01929760
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 7_2_019296D0 NtCreateKey, 7_2_019296D0
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 7_2_01929610 NtEnumerateValueKey, 7_2_01929610
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 7_2_01929650 NtQueryValueKey, 7_2_01929650
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 7_2_01929670 NtQueryInformationProcess, 7_2_01929670
Source: C:\Windows\SysWOW64\msdt.exe Code function: 13_2_04769540 NtReadFile,LdrInitializeThunk, 13_2_04769540
Source: C:\Windows\SysWOW64\msdt.exe Code function: 13_2_047695D0 NtClose,LdrInitializeThunk, 13_2_047695D0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 13_2_04769660 NtAllocateVirtualMemory,LdrInitializeThunk, 13_2_04769660
Source: C:\Windows\SysWOW64\msdt.exe Code function: 13_2_04769650 NtQueryValueKey,LdrInitializeThunk, 13_2_04769650
Source: C:\Windows\SysWOW64\msdt.exe Code function: 13_2_047696E0 NtFreeVirtualMemory,LdrInitializeThunk, 13_2_047696E0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 13_2_047696D0 NtCreateKey,LdrInitializeThunk, 13_2_047696D0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 13_2_04769710 NtQueryInformationToken,LdrInitializeThunk, 13_2_04769710
Source: C:\Windows\SysWOW64\msdt.exe Code function: 13_2_04769FE0 NtCreateMutant,LdrInitializeThunk, 13_2_04769FE0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 13_2_04769780 NtMapViewOfSection,LdrInitializeThunk, 13_2_04769780
Source: C:\Windows\SysWOW64\msdt.exe Code function: 13_2_04769860 NtQuerySystemInformation,LdrInitializeThunk, 13_2_04769860
Source: C:\Windows\SysWOW64\msdt.exe Code function: 13_2_04769840 NtDelayExecution,LdrInitializeThunk, 13_2_04769840
Source: C:\Windows\SysWOW64\msdt.exe Code function: 13_2_04769910 NtAdjustPrivilegesToken,LdrInitializeThunk, 13_2_04769910
Source: C:\Windows\SysWOW64\msdt.exe Code function: 13_2_047699A0 NtCreateSection,LdrInitializeThunk, 13_2_047699A0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 13_2_04769A50 NtCreateFile,LdrInitializeThunk, 13_2_04769A50
Source: C:\Windows\SysWOW64\msdt.exe Code function: 13_2_04769560 NtWriteFile, 13_2_04769560
Source: C:\Windows\SysWOW64\msdt.exe Code function: 13_2_0476AD30 NtSetContextThread, 13_2_0476AD30
Source: C:\Windows\SysWOW64\msdt.exe Code function: 13_2_04769520 NtWaitForSingleObject, 13_2_04769520
Source: C:\Windows\SysWOW64\msdt.exe Code function: 13_2_047695F0 NtQueryInformationFile, 13_2_047695F0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 13_2_04769670 NtQueryInformationProcess, 13_2_04769670
Source: C:\Windows\SysWOW64\msdt.exe Code function: 13_2_04769610 NtEnumerateValueKey, 13_2_04769610
Source: C:\Windows\SysWOW64\msdt.exe Code function: 13_2_0476A770 NtOpenThread, 13_2_0476A770
Source: C:\Windows\SysWOW64\msdt.exe Code function: 13_2_04769770 NtSetInformationFile, 13_2_04769770
Source: C:\Windows\SysWOW64\msdt.exe Code function: 13_2_04769760 NtOpenProcess, 13_2_04769760
Source: C:\Windows\SysWOW64\msdt.exe Code function: 13_2_04769730 NtQueryVirtualMemory, 13_2_04769730
Source: C:\Windows\SysWOW64\msdt.exe Code function: 13_2_0476A710 NtOpenProcessToken, 13_2_0476A710
Source: C:\Windows\SysWOW64\msdt.exe Code function: 13_2_047697A0 NtUnmapViewOfSection, 13_2_047697A0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 13_2_0476B040 NtSuspendThread, 13_2_0476B040
Source: C:\Windows\SysWOW64\msdt.exe Code function: 13_2_04769820 NtEnumerateKey, 13_2_04769820
Source: C:\Windows\SysWOW64\msdt.exe Code function: 13_2_047698F0 NtReadVirtualMemory, 13_2_047698F0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 13_2_047698A0 NtWriteVirtualMemory, 13_2_047698A0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 13_2_04769950 NtQueueApcThread, 13_2_04769950
Source: C:\Windows\SysWOW64\msdt.exe Code function: 13_2_047699D0 NtCreateProcessEx, 13_2_047699D0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 13_2_04769A20 NtResumeThread, 13_2_04769A20
Source: C:\Windows\SysWOW64\msdt.exe Code function: 13_2_04769A10 NtQuerySection, 13_2_04769A10
Source: C:\Windows\SysWOW64\msdt.exe Code function: 13_2_04769A00 NtProtectVirtualMemory, 13_2_04769A00
Source: C:\Windows\SysWOW64\msdt.exe Code function: 13_2_04769A80 NtOpenDirectoryObject, 13_2_04769A80
Source: C:\Windows\SysWOW64\msdt.exe Code function: 13_2_04769B00 NtSetValueKey, 13_2_04769B00
Source: C:\Windows\SysWOW64\msdt.exe Code function: 13_2_0476A3B0 NtGetContextThread, 13_2_0476A3B0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 13_2_02D18690 NtReadFile, 13_2_02D18690
Source: C:\Windows\SysWOW64\msdt.exe Code function: 13_2_02D187C0 NtAllocateVirtualMemory, 13_2_02D187C0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 13_2_02D18710 NtClose, 13_2_02D18710
Source: C:\Windows\SysWOW64\msdt.exe Code function: 13_2_02D185E0 NtCreateFile, 13_2_02D185E0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 13_2_02D187BC NtAllocateVirtualMemory, 13_2_02D187BC
Source: C:\Windows\SysWOW64\msdt.exe Code function: 13_2_02D1873A NtReadFile, 13_2_02D1873A
Source: C:\Windows\SysWOW64\msdt.exe Code function: 13_2_02D185DA NtCreateFile, 13_2_02D185DA
Sample file is different than original file name gathered from version info
Source: HkE0tD0g4NXKJfy.exe, 00000000.00000002.291189120.0000000000C80000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameReturnValueNameAttribu.exe. vs HkE0tD0g4NXKJfy.exe
Source: HkE0tD0g4NXKJfy.exe, 00000000.00000002.291856624.0000000003081000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameInnerException.dll" vs HkE0tD0g4NXKJfy.exe
Source: HkE0tD0g4NXKJfy.exe, 00000000.00000002.291957293.000000000314B000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameInnerException.dll" vs HkE0tD0g4NXKJfy.exe
Source: HkE0tD0g4NXKJfy.exe, 00000000.00000002.292187512.000000000408D000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameUI.dll@ vs HkE0tD0g4NXKJfy.exe
Source: HkE0tD0g4NXKJfy.exe, 00000000.00000002.294459774.0000000006490000.00000004.00020000.sdmp Binary or memory string: OriginalFilenameUI.dll@ vs HkE0tD0g4NXKJfy.exe
Source: HkE0tD0g4NXKJfy.exe, 00000000.00000002.294190854.0000000006030000.00000004.00020000.sdmp Binary or memory string: OriginalFilenameInnerException.dll" vs HkE0tD0g4NXKJfy.exe
Source: HkE0tD0g4NXKJfy.exe, 00000007.00000002.348444876.00000000035A0000.00000040.00020000.sdmp Binary or memory string: OriginalFilenamemsdt.exej% vs HkE0tD0g4NXKJfy.exe
Source: HkE0tD0g4NXKJfy.exe, 00000007.00000000.286959339.0000000000ED0000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameReturnValueNameAttribu.exe. vs HkE0tD0g4NXKJfy.exe
Source: HkE0tD0g4NXKJfy.exe, 00000007.00000002.348145495.0000000001B6F000.00000040.00000001.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs HkE0tD0g4NXKJfy.exe
Source: HkE0tD0g4NXKJfy.exe, 00000007.00000002.347642766.00000000019DF000.00000040.00000001.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs HkE0tD0g4NXKJfy.exe
Source: HkE0tD0g4NXKJfy.exe Binary or memory string: OriginalFilenameReturnValueNameAttribu.exe. vs HkE0tD0g4NXKJfy.exe
Source: HkE0tD0g4NXKJfy.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: HkE0tD0g4NXKJfy.exe ReversingLabs: Detection: 26%
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe File read: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe:Zone.Identifier
Source: HkE0tD0g4NXKJfy.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe "C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe"
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Process created: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\msdt.exe C:\Windows\SysWOW64\msdt.exe
Source: C:\Windows\SysWOW64\msdt.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Process created: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe
Source: C:\Windows\SysWOW64\msdt.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe"
Source: C:\Windows\SysWOW64\msdt.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\HkE0tD0g4NXKJfy.exe.log
Source: classification engine Classification label: mal100.troj.evad.winEXE@7/1@13/4
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6108:120:WilError_01
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\.net data provider for sqlserver
Source: HkE0tD0g4NXKJfy.exe String found in binary or memory: /ReturnValueNameAttribu;component/views/addbook.xaml
Source: HkE0tD0g4NXKJfy.exe String found in binary or memory: views/addbook.baml
Source: HkE0tD0g4NXKJfy.exe String found in binary or memory: /ReturnValueNameAttribu;component/views/addcustomer.xaml
Source: HkE0tD0g4NXKJfy.exe String found in binary or memory: views/addcustomer.baml
Source: HkE0tD0g4NXKJfy.exe String found in binary or memory: /ReturnValueNameAttribu;component/views/addbook.xaml
Source: HkE0tD0g4NXKJfy.exe String found in binary or memory: views/addbook.baml
Source: HkE0tD0g4NXKJfy.exe String found in binary or memory: /ReturnValueNameAttribu;component/views/addcustomer.xaml
Source: HkE0tD0g4NXKJfy.exe String found in binary or memory: views/addcustomer.baml
Source: HkE0tD0g4NXKJfy.exe String found in binary or memory: i/ReturnValueNameAttribu;component/views/addbook.xaml
Source: HkE0tD0g4NXKJfy.exe String found in binary or memory: /ReturnValueNameAttribu;component/views/borrowfrombookview.xamlu/ReturnValueNameAttribu;component/views/borrowingview.xamlo/ReturnValueNameAttribu;component/views/changebook.xamlw/ReturnValueNameAttribu;component/views/changecustomer.xamls/ReturnValueNameAttribu;component/views/customerview.xamlw/ReturnValueNameAttribu;component/views/deletecustomer.xamlm/ReturnValueNameAttribu;component/views/errorview.xamlq/ReturnValueNameAttribu;component/views/smallextras.xamlq/ReturnValueNameAttribu;component/views/addcustomer.xaml
Source: HkE0tD0g4NXKJfy.exe String found in binary or memory: *images/booksimage.jpg$views/addbook.baml1J,views/addcustomer.baml
Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\msdt.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: HkE0tD0g4NXKJfy.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: HkE0tD0g4NXKJfy.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: msdt.pdbGCTL source: HkE0tD0g4NXKJfy.exe, 00000007.00000002.348444876.00000000035A0000.00000040.00020000.sdmp
Source: Binary string: wntdll.pdbUGP source: HkE0tD0g4NXKJfy.exe, 00000007.00000002.347003481.00000000018C0000.00000040.00000001.sdmp, HkE0tD0g4NXKJfy.exe, 00000007.00000002.347642766.00000000019DF000.00000040.00000001.sdmp, msdt.exe, 0000000D.00000002.555074563.0000000004700000.00000040.00000001.sdmp, msdt.exe, 0000000D.00000002.555538878.000000000481F000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: HkE0tD0g4NXKJfy.exe, HkE0tD0g4NXKJfy.exe, 00000007.00000002.347003481.00000000018C0000.00000040.00000001.sdmp, HkE0tD0g4NXKJfy.exe, 00000007.00000002.347642766.00000000019DF000.00000040.00000001.sdmp, msdt.exe, msdt.exe, 0000000D.00000002.555074563.0000000004700000.00000040.00000001.sdmp, msdt.exe, 0000000D.00000002.555538878.000000000481F000.00000040.00000001.sdmp
Source: Binary string: msdt.pdb source: HkE0tD0g4NXKJfy.exe, 00000007.00000002.348444876.00000000035A0000.00000040.00020000.sdmp

Data Obfuscation:

.NET source code contains potential unpacker
Source: HkE0tD0g4NXKJfy.exe, Biblan/Views/MainWindow.cs .Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.0.HkE0tD0g4NXKJfy.exe.c10000.0.unpack, Biblan/Views/MainWindow.cs .Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.2.HkE0tD0g4NXKJfy.exe.c10000.0.unpack, Biblan/Views/MainWindow.cs .Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 7.0.HkE0tD0g4NXKJfy.exe.e60000.0.unpack, Biblan/Views/MainWindow.cs .Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 7.0.HkE0tD0g4NXKJfy.exe.e60000.3.unpack, Biblan/Views/MainWindow.cs .Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 7.0.HkE0tD0g4NXKJfy.exe.e60000.2.unpack, Biblan/Views/MainWindow.cs .Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 7.0.HkE0tD0g4NXKJfy.exe.e60000.9.unpack, Biblan/Views/MainWindow.cs .Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 7.2.HkE0tD0g4NXKJfy.exe.e60000.1.unpack, Biblan/Views/MainWindow.cs .Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 7.0.HkE0tD0g4NXKJfy.exe.e60000.1.unpack, Biblan/Views/MainWindow.cs .Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 7.0.HkE0tD0g4NXKJfy.exe.e60000.5.unpack, Biblan/Views/MainWindow.cs .Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 7.0.HkE0tD0g4NXKJfy.exe.e60000.7.unpack, Biblan/Views/MainWindow.cs .Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 0_2_00C192F5 push ds; ret 0_2_00C19340
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 0_2_00C19347 push ds; ret 0_2_00C1934C
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 0_2_00C19361 push ds; retf 0_2_00C19364
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 7_2_0041B822 push eax; ret 7_2_0041B828
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 7_2_0041B82B push eax; ret 7_2_0041B892
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 7_2_0041B88C push eax; ret 7_2_0041B892
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 7_2_0041C529 push esi; ret 7_2_0041C758
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 7_2_0041B7D5 push eax; ret 7_2_0041B828
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 7_2_00E692F5 push ds; ret 7_2_00E69340
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 7_2_00E69361 push ds; retf 7_2_00E69364
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 7_2_00E69347 push ds; ret 7_2_00E6934C
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 7_2_0193D0D1 push ecx; ret 7_2_0193D0E4
Source: C:\Windows\SysWOW64\msdt.exe Code function: 13_2_0477D0D1 push ecx; ret 13_2_0477D0E4
Source: C:\Windows\SysWOW64\msdt.exe Code function: 13_2_02D1B88C push eax; ret 13_2_02D1B892
Source: C:\Windows\SysWOW64\msdt.exe Code function: 13_2_02D1B822 push eax; ret 13_2_02D1B828
Source: C:\Windows\SysWOW64\msdt.exe Code function: 13_2_02D1B82B push eax; ret 13_2_02D1B892
Source: C:\Windows\SysWOW64\msdt.exe Code function: 13_2_02D1BE43 push esi; retf 13_2_02D1BE49
Source: C:\Windows\SysWOW64\msdt.exe Code function: 13_2_02D1B7D5 push eax; ret 13_2_02D1B828
Source: initial sample Static PE information: section name: .text entropy: 7.85414523612

Hooking and other Techniques for Hiding and Protection:

Self deletion via cmd delete
Source: C:\Windows\SysWOW64\msdt.exe Process created: /c del "C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe"
Source: C:\Windows\SysWOW64\msdt.exe Process created: /c del "C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe"
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\msdt.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\msdt.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\msdt.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\msdt.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\msdt.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Yara detected AntiVM3
Source: Yara match File source: 0.2.HkE0tD0g4NXKJfy.exe.317b220.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.HkE0tD0g4NXKJfy.exe.30e8edc.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.291957293.000000000314B000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.291856624.0000000003081000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: HkE0tD0g4NXKJfy.exe PID: 5624, type: MEMORYSTR
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: HkE0tD0g4NXKJfy.exe, 00000000.00000002.291856624.0000000003081000.00000004.00000001.sdmp, HkE0tD0g4NXKJfy.exe, 00000000.00000002.291957293.000000000314B000.00000004.00000001.sdmp Binary or memory string: SBIEDLL.DLL
Source: HkE0tD0g4NXKJfy.exe, 00000000.00000002.291856624.0000000003081000.00000004.00000001.sdmp, HkE0tD0g4NXKJfy.exe, 00000000.00000002.291957293.000000000314B000.00000004.00000001.sdmp Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe RDTSC instruction interceptor: First address: 0000000000408604 second address: 000000000040860A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe RDTSC instruction interceptor: First address: 000000000040899E second address: 00000000004089A4 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\msdt.exe RDTSC instruction interceptor: First address: 0000000002D08604 second address: 0000000002D0860A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\msdt.exe RDTSC instruction interceptor: First address: 0000000002D0899E second address: 0000000002D089A4 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe TID: 5756 Thread sleep time: -3689348814741908s >= -30000s
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe TID: 5756 Thread sleep time: -240000s >= -30000s
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe TID: 6916 Thread sleep count: 576 > 30
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe TID: 5756 Thread sleep time: -239841s >= -30000s
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe TID: 6916 Thread sleep count: 2157 > 30
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe TID: 6132 Thread sleep time: -30220s >= -30000s
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe TID: 5756 Thread sleep time: -239718s >= -30000s
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe TID: 5756 Thread sleep time: -239610s >= -30000s
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe TID: 5756 Thread sleep time: -239499s >= -30000s
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe TID: 5756 Thread sleep time: -239391s >= -30000s
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe TID: 5756 Thread sleep time: -239266s >= -30000s
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe TID: 5756 Thread sleep time: -239094s >= -30000s
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe TID: 5756 Thread sleep time: -238968s >= -30000s
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe TID: 5756 Thread sleep time: -238844s >= -30000s
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe TID: 5756 Thread sleep time: -238733s >= -30000s
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe TID: 5756 Thread sleep time: -238609s >= -30000s
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe TID: 5756 Thread sleep time: -238500s >= -30000s
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe TID: 5756 Thread sleep time: -238390s >= -30000s
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe TID: 5756 Thread sleep time: -238157s >= -30000s
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe TID: 5756 Thread sleep time: -237547s >= -30000s
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe TID: 5756 Thread sleep time: -237110s >= -30000s
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe TID: 5756 Thread sleep time: -236750s >= -30000s
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe TID: 5756 Thread sleep time: -236641s >= -30000s
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe TID: 4676 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\explorer.exe TID: 6524 Thread sleep time: -40000s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\explorer.exe Last function: Thread delayed
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 7_2_004088D0 rdtsc 7_2_004088D0
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Thread delayed: delay time: 240000
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Thread delayed: delay time: 239841
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Thread delayed: delay time: 239718
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Thread delayed: delay time: 239610
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Thread delayed: delay time: 239499
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Thread delayed: delay time: 239391
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Thread delayed: delay time: 239266
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Thread delayed: delay time: 239094
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Thread delayed: delay time: 238968
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Thread delayed: delay time: 238844
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Thread delayed: delay time: 238733
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Thread delayed: delay time: 238609
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Thread delayed: delay time: 238500
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Thread delayed: delay time: 238390
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Thread delayed: delay time: 238157
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Thread delayed: delay time: 237547
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Thread delayed: delay time: 237110
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Thread delayed: delay time: 236750
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Thread delayed: delay time: 236641
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Thread delayed: delay time: 922337203685477
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Window / User API: threadDelayed 576
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Window / User API: threadDelayed 2157
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Thread delayed: delay time: 240000
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Thread delayed: delay time: 239841
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Thread delayed: delay time: 30220
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Thread delayed: delay time: 239718
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Thread delayed: delay time: 239610
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Thread delayed: delay time: 239499
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Thread delayed: delay time: 239391
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Thread delayed: delay time: 239266
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Thread delayed: delay time: 239094
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Thread delayed: delay time: 238968
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Thread delayed: delay time: 238844
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Thread delayed: delay time: 238733
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Thread delayed: delay time: 238609
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Thread delayed: delay time: 238500
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Thread delayed: delay time: 238390
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Thread delayed: delay time: 238157
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Thread delayed: delay time: 237547
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Thread delayed: delay time: 237110
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Thread delayed: delay time: 236750
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Thread delayed: delay time: 236641
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Thread delayed: delay time: 922337203685477
Source: HkE0tD0g4NXKJfy.exe, 00000000.00000002.291957293.000000000314B000.00000004.00000001.sdmp Binary or memory string: VMware SVGA IIBAdd-MpPreference -ExclusionPath "
Source: msdt.exe, 0000000D.00000002.550902230.0000000000487000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAWa Connection* 4
Source: HkE0tD0g4NXKJfy.exe, 00000000.00000002.291957293.000000000314B000.00000004.00000001.sdmp Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: explorer.exe, 0000000A.00000000.300728324.00000000086C9000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: HkE0tD0g4NXKJfy.exe, 00000000.00000002.291957293.000000000314B000.00000004.00000001.sdmp Binary or memory string: vmware
Source: explorer.exe, 0000000A.00000000.320269745.0000000008778000.00000004.00000001.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000}
Source: explorer.exe, 0000000A.00000000.300728324.00000000086C9000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}&
Source: explorer.exe, 0000000A.00000000.297282271.00000000067C2000.00000004.00000001.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 0000000A.00000000.297282271.00000000067C2000.00000004.00000001.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000m32)
Source: explorer.exe, 0000000A.00000000.323358278.000000000EE50000.00000004.00000001.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}yb3d8bb
Source: msdt.exe, 0000000D.00000002.550902230.0000000000487000.00000004.00000020.sdmp, msdt.exe, 0000000D.00000002.550615461.0000000000453000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAW
Source: explorer.exe, 0000000A.00000000.300728324.00000000086C9000.00000004.00000001.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
Source: HkE0tD0g4NXKJfy.exe, 00000000.00000002.291957293.000000000314B000.00000004.00000001.sdmp Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools

Anti Debugging:

Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 7_2_004088D0 rdtsc 7_2_004088D0
Enables debug privileges
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Process token adjusted: Debug
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 7_2_01912990 mov eax, dword ptr fs:[00000030h] 7_2_01912990
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 7_2_0190C182 mov eax, dword ptr fs:[00000030h] 7_2_0190C182
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 7_2_0191A185 mov eax, dword ptr fs:[00000030h] 7_2_0191A185
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 7_2_019651BE mov eax, dword ptr fs:[00000030h] 7_2_019651BE
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 7_2_019651BE mov eax, dword ptr fs:[00000030h] 7_2_019651BE
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 7_2_019651BE mov eax, dword ptr fs:[00000030h] 7_2_019651BE
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 7_2_019651BE mov eax, dword ptr fs:[00000030h] 7_2_019651BE
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 7_2_019669A6 mov eax, dword ptr fs:[00000030h] 7_2_019669A6
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 7_2_019161A0 mov eax, dword ptr fs:[00000030h] 7_2_019161A0
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 7_2_019161A0 mov eax, dword ptr fs:[00000030h] 7_2_019161A0
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 7_2_018EB1E1 mov eax, dword ptr fs:[00000030h] 7_2_018EB1E1
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 7_2_018EB1E1 mov eax, dword ptr fs:[00000030h] 7_2_018EB1E1
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 7_2_018EB1E1 mov eax, dword ptr fs:[00000030h] 7_2_018EB1E1
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 7_2_019741E8 mov eax, dword ptr fs:[00000030h] 7_2_019741E8
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 7_2_018E9100 mov eax, dword ptr fs:[00000030h] 7_2_018E9100
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 7_2_018E9100 mov eax, dword ptr fs:[00000030h] 7_2_018E9100
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 7_2_018E9100 mov eax, dword ptr fs:[00000030h] 7_2_018E9100
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 7_2_0191513A mov eax, dword ptr fs:[00000030h] 7_2_0191513A
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 7_2_0191513A mov eax, dword ptr fs:[00000030h] 7_2_0191513A
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 7_2_01904120 mov eax, dword ptr fs:[00000030h] 7_2_01904120
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 7_2_01904120 mov eax, dword ptr fs:[00000030h] 7_2_01904120
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 7_2_01904120 mov eax, dword ptr fs:[00000030h] 7_2_01904120
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 7_2_01904120 mov eax, dword ptr fs:[00000030h] 7_2_01904120
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 7_2_01904120 mov ecx, dword ptr fs:[00000030h] 7_2_01904120
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 7_2_0190B944 mov eax, dword ptr fs:[00000030h] 7_2_0190B944
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 7_2_0190B944 mov eax, dword ptr fs:[00000030h] 7_2_0190B944
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 7_2_018EC962 mov eax, dword ptr fs:[00000030h] 7_2_018EC962
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 7_2_018EB171 mov eax, dword ptr fs:[00000030h] 7_2_018EB171
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 7_2_018EB171 mov eax, dword ptr fs:[00000030h] 7_2_018EB171
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 7_2_018E9080 mov eax, dword ptr fs:[00000030h] 7_2_018E9080
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 7_2_01963884 mov eax, dword ptr fs:[00000030h] 7_2_01963884
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 7_2_01963884 mov eax, dword ptr fs:[00000030h] 7_2_01963884
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 7_2_0191F0BF mov ecx, dword ptr fs:[00000030h] 7_2_0191F0BF
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 7_2_0191F0BF mov eax, dword ptr fs:[00000030h] 7_2_0191F0BF
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 7_2_0191F0BF mov eax, dword ptr fs:[00000030h] 7_2_0191F0BF
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 7_2_019120A0 mov eax, dword ptr fs:[00000030h] 7_2_019120A0
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 7_2_019120A0 mov eax, dword ptr fs:[00000030h] 7_2_019120A0
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 7_2_019120A0 mov eax, dword ptr fs:[00000030h] 7_2_019120A0
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 7_2_019120A0 mov eax, dword ptr fs:[00000030h] 7_2_019120A0
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 7_2_019120A0 mov eax, dword ptr fs:[00000030h] 7_2_019120A0
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 7_2_019120A0 mov eax, dword ptr fs:[00000030h] 7_2_019120A0
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 7_2_019290AF mov eax, dword ptr fs:[00000030h] 7_2_019290AF
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 7_2_0197B8D0 mov eax, dword ptr fs:[00000030h] 7_2_0197B8D0
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 7_2_0197B8D0 mov ecx, dword ptr fs:[00000030h] 7_2_0197B8D0
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 7_2_0197B8D0 mov eax, dword ptr fs:[00000030h] 7_2_0197B8D0
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 7_2_0197B8D0 mov eax, dword ptr fs:[00000030h] 7_2_0197B8D0
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 7_2_0197B8D0 mov eax, dword ptr fs:[00000030h] 7_2_0197B8D0
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 7_2_0197B8D0 mov eax, dword ptr fs:[00000030h] 7_2_0197B8D0
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 7_2_018E58EC mov eax, dword ptr fs:[00000030h] 7_2_018E58EC
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 7_2_01967016 mov eax, dword ptr fs:[00000030h] 7_2_01967016
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 7_2_01967016 mov eax, dword ptr fs:[00000030h] 7_2_01967016
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 7_2_01967016 mov eax, dword ptr fs:[00000030h] 7_2_01967016
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 7_2_019B4015 mov eax, dword ptr fs:[00000030h] 7_2_019B4015
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 7_2_019B4015 mov eax, dword ptr fs:[00000030h] 7_2_019B4015
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 7_2_018FB02A mov eax, dword ptr fs:[00000030h] 7_2_018FB02A
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 7_2_018FB02A mov eax, dword ptr fs:[00000030h] 7_2_018FB02A
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 7_2_018FB02A mov eax, dword ptr fs:[00000030h] 7_2_018FB02A
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 7_2_018FB02A mov eax, dword ptr fs:[00000030h] 7_2_018FB02A
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 7_2_0191002D mov eax, dword ptr fs:[00000030h] 7_2_0191002D
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 7_2_0191002D mov eax, dword ptr fs:[00000030h] 7_2_0191002D
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 7_2_0191002D mov eax, dword ptr fs:[00000030h] 7_2_0191002D
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 7_2_0191002D mov eax, dword ptr fs:[00000030h] 7_2_0191002D
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 7_2_0191002D mov eax, dword ptr fs:[00000030h] 7_2_0191002D
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 7_2_01900050 mov eax, dword ptr fs:[00000030h] 7_2_01900050
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 7_2_01900050 mov eax, dword ptr fs:[00000030h] 7_2_01900050
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 7_2_019A2073 mov eax, dword ptr fs:[00000030h] 7_2_019A2073
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 7_2_019B1074 mov eax, dword ptr fs:[00000030h] 7_2_019B1074
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 7_2_018F1B8F mov eax, dword ptr fs:[00000030h] 7_2_018F1B8F
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 7_2_018F1B8F mov eax, dword ptr fs:[00000030h] 7_2_018F1B8F
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 7_2_0191B390 mov eax, dword ptr fs:[00000030h] 7_2_0191B390
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 7_2_01912397 mov eax, dword ptr fs:[00000030h] 7_2_01912397
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 7_2_019A138A mov eax, dword ptr fs:[00000030h] 7_2_019A138A
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 7_2_0199D380 mov ecx, dword ptr fs:[00000030h] 7_2_0199D380
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 7_2_01914BAD mov eax, dword ptr fs:[00000030h] 7_2_01914BAD
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 7_2_01914BAD mov eax, dword ptr fs:[00000030h] 7_2_01914BAD
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 7_2_01914BAD mov eax, dword ptr fs:[00000030h] 7_2_01914BAD
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 7_2_019B5BA5 mov eax, dword ptr fs:[00000030h] 7_2_019B5BA5
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 7_2_019653CA mov eax, dword ptr fs:[00000030h] 7_2_019653CA
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 7_2_019653CA mov eax, dword ptr fs:[00000030h] 7_2_019653CA
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 7_2_019103E2 mov eax, dword ptr fs:[00000030h] 7_2_019103E2
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 7_2_019103E2 mov eax, dword ptr fs:[00000030h] 7_2_019103E2
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 7_2_019103E2 mov eax, dword ptr fs:[00000030h] 7_2_019103E2
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 7_2_019103E2 mov eax, dword ptr fs:[00000030h] 7_2_019103E2
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 7_2_019103E2 mov eax, dword ptr fs:[00000030h] 7_2_019103E2
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 7_2_019103E2 mov eax, dword ptr fs:[00000030h] 7_2_019103E2
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 7_2_0190DBE9 mov eax, dword ptr fs:[00000030h] 7_2_0190DBE9
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 7_2_019A131B mov eax, dword ptr fs:[00000030h] 7_2_019A131B
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 7_2_019B8B58 mov eax, dword ptr fs:[00000030h] 7_2_019B8B58
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 7_2_018EDB40 mov eax, dword ptr fs:[00000030h] 7_2_018EDB40
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 7_2_018EF358 mov eax, dword ptr fs:[00000030h] 7_2_018EF358
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 7_2_01913B7A mov eax, dword ptr fs:[00000030h] 7_2_01913B7A
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 7_2_01913B7A mov eax, dword ptr fs:[00000030h] 7_2_01913B7A
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 7_2_018EDB60 mov ecx, dword ptr fs:[00000030h] 7_2_018EDB60
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 7_2_0191D294 mov eax, dword ptr fs:[00000030h] 7_2_0191D294
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 7_2_0191D294 mov eax, dword ptr fs:[00000030h] 7_2_0191D294
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 7_2_0191FAB0 mov eax, dword ptr fs:[00000030h] 7_2_0191FAB0
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 7_2_018E52A5 mov eax, dword ptr fs:[00000030h] 7_2_018E52A5
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 7_2_018E52A5 mov eax, dword ptr fs:[00000030h] 7_2_018E52A5
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 7_2_018E52A5 mov eax, dword ptr fs:[00000030h] 7_2_018E52A5
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 7_2_018E52A5 mov eax, dword ptr fs:[00000030h] 7_2_018E52A5
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 7_2_018E52A5 mov eax, dword ptr fs:[00000030h] 7_2_018E52A5
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 7_2_018FAAB0 mov eax, dword ptr fs:[00000030h] 7_2_018FAAB0
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 7_2_018FAAB0 mov eax, dword ptr fs:[00000030h] 7_2_018FAAB0
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 7_2_01912ACB mov eax, dword ptr fs:[00000030h] 7_2_01912ACB
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 7_2_01912AE4 mov eax, dword ptr fs:[00000030h] 7_2_01912AE4
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 7_2_018F8A0A mov eax, dword ptr fs:[00000030h] 7_2_018F8A0A
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 7_2_01903A1C mov eax, dword ptr fs:[00000030h] 7_2_01903A1C
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 7_2_019AAA16 mov eax, dword ptr fs:[00000030h] 7_2_019AAA16
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 7_2_019AAA16 mov eax, dword ptr fs:[00000030h] 7_2_019AAA16
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 7_2_018EAA16 mov eax, dword ptr fs:[00000030h] 7_2_018EAA16
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 7_2_018EAA16 mov eax, dword ptr fs:[00000030h] 7_2_018EAA16
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 7_2_018E5210 mov eax, dword ptr fs:[00000030h] 7_2_018E5210
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 7_2_018E5210 mov ecx, dword ptr fs:[00000030h] 7_2_018E5210
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 7_2_018E5210 mov eax, dword ptr fs:[00000030h] 7_2_018E5210
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 7_2_018E5210 mov eax, dword ptr fs:[00000030h] 7_2_018E5210
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 7_2_01924A2C mov eax, dword ptr fs:[00000030h] 7_2_01924A2C
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 7_2_01924A2C mov eax, dword ptr fs:[00000030h] 7_2_01924A2C
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 7_2_01974257 mov eax, dword ptr fs:[00000030h] 7_2_01974257
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 7_2_018E9240 mov eax, dword ptr fs:[00000030h] 7_2_018E9240
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 7_2_018E9240 mov eax, dword ptr fs:[00000030h] 7_2_018E9240
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 7_2_018E9240 mov eax, dword ptr fs:[00000030h] 7_2_018E9240
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 7_2_018E9240 mov eax, dword ptr fs:[00000030h] 7_2_018E9240
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 7_2_019AEA55 mov eax, dword ptr fs:[00000030h] 7_2_019AEA55
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 7_2_0192927A mov eax, dword ptr fs:[00000030h] 7_2_0192927A
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 7_2_0199B260 mov eax, dword ptr fs:[00000030h] 7_2_0199B260
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 7_2_0199B260 mov eax, dword ptr fs:[00000030h] 7_2_0199B260
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 7_2_019B8A62 mov eax, dword ptr fs:[00000030h] 7_2_019B8A62
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 7_2_018E2D8A mov eax, dword ptr fs:[00000030h] 7_2_018E2D8A
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 7_2_018E2D8A mov eax, dword ptr fs:[00000030h] 7_2_018E2D8A
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 7_2_018E2D8A mov eax, dword ptr fs:[00000030h] 7_2_018E2D8A
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 7_2_018E2D8A mov eax, dword ptr fs:[00000030h] 7_2_018E2D8A
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 7_2_018E2D8A mov eax, dword ptr fs:[00000030h] 7_2_018E2D8A
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 7_2_0191FD9B mov eax, dword ptr fs:[00000030h] 7_2_0191FD9B
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 7_2_0191FD9B mov eax, dword ptr fs:[00000030h] 7_2_0191FD9B
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 7_2_01912581 mov eax, dword ptr fs:[00000030h] 7_2_01912581
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 7_2_01912581 mov eax, dword ptr fs:[00000030h] 7_2_01912581
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 7_2_01912581 mov eax, dword ptr fs:[00000030h] 7_2_01912581
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 7_2_01912581 mov eax, dword ptr fs:[00000030h] 7_2_01912581
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 7_2_01911DB5 mov eax, dword ptr fs:[00000030h] 7_2_01911DB5
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 7_2_01911DB5 mov eax, dword ptr fs:[00000030h] 7_2_01911DB5
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 7_2_01911DB5 mov eax, dword ptr fs:[00000030h] 7_2_01911DB5
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 7_2_019135A1 mov eax, dword ptr fs:[00000030h] 7_2_019135A1
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 7_2_019B05AC mov eax, dword ptr fs:[00000030h] 7_2_019B05AC
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 7_2_019B05AC mov eax, dword ptr fs:[00000030h] 7_2_019B05AC
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 7_2_01966DC9 mov eax, dword ptr fs:[00000030h] 7_2_01966DC9
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 7_2_01966DC9 mov eax, dword ptr fs:[00000030h] 7_2_01966DC9
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 7_2_01966DC9 mov eax, dword ptr fs:[00000030h] 7_2_01966DC9
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 7_2_01966DC9 mov ecx, dword ptr fs:[00000030h] 7_2_01966DC9
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 7_2_01966DC9 mov eax, dword ptr fs:[00000030h] 7_2_01966DC9
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 7_2_01966DC9 mov eax, dword ptr fs:[00000030h] 7_2_01966DC9
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 7_2_01998DF1 mov eax, dword ptr fs:[00000030h] 7_2_01998DF1
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 7_2_018FD5E0 mov eax, dword ptr fs:[00000030h] 7_2_018FD5E0
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 7_2_018FD5E0 mov eax, dword ptr fs:[00000030h] 7_2_018FD5E0
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 7_2_019AFDE2 mov eax, dword ptr fs:[00000030h] 7_2_019AFDE2
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 7_2_019AFDE2 mov eax, dword ptr fs:[00000030h] 7_2_019AFDE2
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 7_2_019AFDE2 mov eax, dword ptr fs:[00000030h] 7_2_019AFDE2
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 7_2_019AFDE2 mov eax, dword ptr fs:[00000030h] 7_2_019AFDE2
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 7_2_0196A537 mov eax, dword ptr fs:[00000030h] 7_2_0196A537
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 7_2_019AE539 mov eax, dword ptr fs:[00000030h] 7_2_019AE539
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 7_2_01914D3B mov eax, dword ptr fs:[00000030h] 7_2_01914D3B
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 7_2_01914D3B mov eax, dword ptr fs:[00000030h] 7_2_01914D3B
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 7_2_01914D3B mov eax, dword ptr fs:[00000030h] 7_2_01914D3B
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 7_2_019B8D34 mov eax, dword ptr fs:[00000030h] 7_2_019B8D34
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 7_2_018F3D34 mov eax, dword ptr fs:[00000030h] 7_2_018F3D34
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 7_2_018F3D34 mov eax, dword ptr fs:[00000030h] 7_2_018F3D34
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 7_2_018F3D34 mov eax, dword ptr fs:[00000030h] 7_2_018F3D34
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 7_2_018F3D34 mov eax, dword ptr fs:[00000030h] 7_2_018F3D34
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 7_2_018F3D34 mov eax, dword ptr fs:[00000030h] 7_2_018F3D34
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 7_2_018F3D34 mov eax, dword ptr fs:[00000030h] 7_2_018F3D34
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 7_2_018F3D34 mov eax, dword ptr fs:[00000030h] 7_2_018F3D34
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 7_2_018F3D34 mov eax, dword ptr fs:[00000030h] 7_2_018F3D34
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 7_2_018F3D34 mov eax, dword ptr fs:[00000030h] 7_2_018F3D34
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 7_2_018F3D34 mov eax, dword ptr fs:[00000030h] 7_2_018F3D34
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 7_2_018F3D34 mov eax, dword ptr fs:[00000030h] 7_2_018F3D34
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 7_2_018F3D34 mov eax, dword ptr fs:[00000030h] 7_2_018F3D34
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 7_2_018F3D34 mov eax, dword ptr fs:[00000030h] 7_2_018F3D34
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 7_2_018EAD30 mov eax, dword ptr fs:[00000030h] 7_2_018EAD30
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 7_2_01907D50 mov eax, dword ptr fs:[00000030h] 7_2_01907D50
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 7_2_01923D43 mov eax, dword ptr fs:[00000030h] 7_2_01923D43
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 7_2_01963540 mov eax, dword ptr fs:[00000030h] 7_2_01963540
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 7_2_0190C577 mov eax, dword ptr fs:[00000030h] 7_2_0190C577
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 7_2_0190C577 mov eax, dword ptr fs:[00000030h] 7_2_0190C577
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 7_2_018F849B mov eax, dword ptr fs:[00000030h] 7_2_018F849B
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 7_2_019B8CD6 mov eax, dword ptr fs:[00000030h] 7_2_019B8CD6
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 7_2_019A14FB mov eax, dword ptr fs:[00000030h] 7_2_019A14FB
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 7_2_01966CF0 mov eax, dword ptr fs:[00000030h] 7_2_01966CF0
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 7_2_01966CF0 mov eax, dword ptr fs:[00000030h] 7_2_01966CF0
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 7_2_01966CF0 mov eax, dword ptr fs:[00000030h] 7_2_01966CF0
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 7_2_019B740D mov eax, dword ptr fs:[00000030h] 7_2_019B740D
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 7_2_019B740D mov eax, dword ptr fs:[00000030h] 7_2_019B740D
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 7_2_019B740D mov eax, dword ptr fs:[00000030h] 7_2_019B740D
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 7_2_019A1C06 mov eax, dword ptr fs:[00000030h] 7_2_019A1C06
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 7_2_019A1C06 mov eax, dword ptr fs:[00000030h] 7_2_019A1C06
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 7_2_019A1C06 mov eax, dword ptr fs:[00000030h] 7_2_019A1C06
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 7_2_019A1C06 mov eax, dword ptr fs:[00000030h] 7_2_019A1C06
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 7_2_019A1C06 mov eax, dword ptr fs:[00000030h] 7_2_019A1C06
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 7_2_019A1C06 mov eax, dword ptr fs:[00000030h] 7_2_019A1C06
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 7_2_019A1C06 mov eax, dword ptr fs:[00000030h] 7_2_019A1C06
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 7_2_019A1C06 mov eax, dword ptr fs:[00000030h] 7_2_019A1C06
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 7_2_019A1C06 mov eax, dword ptr fs:[00000030h] 7_2_019A1C06
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 7_2_019A1C06 mov eax, dword ptr fs:[00000030h] 7_2_019A1C06
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 7_2_019A1C06 mov eax, dword ptr fs:[00000030h] 7_2_019A1C06
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 7_2_019A1C06 mov eax, dword ptr fs:[00000030h] 7_2_019A1C06
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 7_2_019A1C06 mov eax, dword ptr fs:[00000030h] 7_2_019A1C06
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 7_2_019A1C06 mov eax, dword ptr fs:[00000030h] 7_2_019A1C06
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 7_2_01966C0A mov eax, dword ptr fs:[00000030h] 7_2_01966C0A
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 7_2_01966C0A mov eax, dword ptr fs:[00000030h] 7_2_01966C0A
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 7_2_01966C0A mov eax, dword ptr fs:[00000030h] 7_2_01966C0A
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 7_2_01966C0A mov eax, dword ptr fs:[00000030h] 7_2_01966C0A
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 7_2_0191BC2C mov eax, dword ptr fs:[00000030h] 7_2_0191BC2C
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 7_2_0197C450 mov eax, dword ptr fs:[00000030h] 7_2_0197C450
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 7_2_0197C450 mov eax, dword ptr fs:[00000030h] 7_2_0197C450
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 7_2_0191A44B mov eax, dword ptr fs:[00000030h] 7_2_0191A44B
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 7_2_0190746D mov eax, dword ptr fs:[00000030h] 7_2_0190746D
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 7_2_01967794 mov eax, dword ptr fs:[00000030h] 7_2_01967794
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 7_2_01967794 mov eax, dword ptr fs:[00000030h] 7_2_01967794
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 7_2_01967794 mov eax, dword ptr fs:[00000030h] 7_2_01967794
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 7_2_018F8794 mov eax, dword ptr fs:[00000030h] 7_2_018F8794
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 7_2_019237F5 mov eax, dword ptr fs:[00000030h] 7_2_019237F5
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 7_2_0190F716 mov eax, dword ptr fs:[00000030h] 7_2_0190F716
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 7_2_0197FF10 mov eax, dword ptr fs:[00000030h] 7_2_0197FF10
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 7_2_0197FF10 mov eax, dword ptr fs:[00000030h] 7_2_0197FF10
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 7_2_019B070D mov eax, dword ptr fs:[00000030h] 7_2_019B070D
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 7_2_019B070D mov eax, dword ptr fs:[00000030h] 7_2_019B070D
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 7_2_0191A70E mov eax, dword ptr fs:[00000030h] 7_2_0191A70E
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 7_2_0191A70E mov eax, dword ptr fs:[00000030h] 7_2_0191A70E
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 7_2_018E4F2E mov eax, dword ptr fs:[00000030h] 7_2_018E4F2E
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 7_2_018E4F2E mov eax, dword ptr fs:[00000030h] 7_2_018E4F2E
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 7_2_0191E730 mov eax, dword ptr fs:[00000030h] 7_2_0191E730
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 7_2_018FEF40 mov eax, dword ptr fs:[00000030h] 7_2_018FEF40
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 7_2_018FFF60 mov eax, dword ptr fs:[00000030h] 7_2_018FFF60
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 7_2_019B8F6A mov eax, dword ptr fs:[00000030h] 7_2_019B8F6A
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 7_2_0197FE87 mov eax, dword ptr fs:[00000030h] 7_2_0197FE87
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 7_2_019646A7 mov eax, dword ptr fs:[00000030h] 7_2_019646A7
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 7_2_019B0EA5 mov eax, dword ptr fs:[00000030h] 7_2_019B0EA5
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 7_2_019B0EA5 mov eax, dword ptr fs:[00000030h] 7_2_019B0EA5
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 7_2_019B0EA5 mov eax, dword ptr fs:[00000030h] 7_2_019B0EA5
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 7_2_019B8ED6 mov eax, dword ptr fs:[00000030h] 7_2_019B8ED6
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 7_2_01928EC7 mov eax, dword ptr fs:[00000030h] 7_2_01928EC7
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 7_2_0199FEC0 mov eax, dword ptr fs:[00000030h] 7_2_0199FEC0
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 7_2_019136CC mov eax, dword ptr fs:[00000030h] 7_2_019136CC
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 7_2_018F76E2 mov eax, dword ptr fs:[00000030h] 7_2_018F76E2
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 7_2_019116E0 mov ecx, dword ptr fs:[00000030h] 7_2_019116E0
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 7_2_0191A61C mov eax, dword ptr fs:[00000030h] 7_2_0191A61C
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 7_2_0191A61C mov eax, dword ptr fs:[00000030h] 7_2_0191A61C
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 7_2_018EC600 mov eax, dword ptr fs:[00000030h] 7_2_018EC600
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 7_2_018EC600 mov eax, dword ptr fs:[00000030h] 7_2_018EC600
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 7_2_018EC600 mov eax, dword ptr fs:[00000030h] 7_2_018EC600
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 7_2_01918E00 mov eax, dword ptr fs:[00000030h] 7_2_01918E00
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 7_2_019A1608 mov eax, dword ptr fs:[00000030h] 7_2_019A1608
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 7_2_0199FE3F mov eax, dword ptr fs:[00000030h] 7_2_0199FE3F
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 7_2_018EE620 mov eax, dword ptr fs:[00000030h] 7_2_018EE620
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 7_2_018F7E41 mov eax, dword ptr fs:[00000030h] 7_2_018F7E41
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 7_2_018F7E41 mov eax, dword ptr fs:[00000030h] 7_2_018F7E41
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 7_2_018F7E41 mov eax, dword ptr fs:[00000030h] 7_2_018F7E41
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 7_2_018F7E41 mov eax, dword ptr fs:[00000030h] 7_2_018F7E41
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 7_2_018F7E41 mov eax, dword ptr fs:[00000030h] 7_2_018F7E41
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 7_2_018F7E41 mov eax, dword ptr fs:[00000030h] 7_2_018F7E41
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 7_2_019AAE44 mov eax, dword ptr fs:[00000030h] 7_2_019AAE44
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 7_2_019AAE44 mov eax, dword ptr fs:[00000030h] 7_2_019AAE44
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 7_2_018F766D mov eax, dword ptr fs:[00000030h] 7_2_018F766D
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 7_2_0190AE73 mov eax, dword ptr fs:[00000030h] 7_2_0190AE73
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 7_2_0190AE73 mov eax, dword ptr fs:[00000030h] 7_2_0190AE73
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 7_2_0190AE73 mov eax, dword ptr fs:[00000030h] 7_2_0190AE73
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 7_2_0190AE73 mov eax, dword ptr fs:[00000030h] 7_2_0190AE73
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 7_2_0190AE73 mov eax, dword ptr fs:[00000030h] 7_2_0190AE73
Source: C:\Windows\SysWOW64\msdt.exe Code function: 13_2_0474746D mov eax, dword ptr fs:[00000030h] 13_2_0474746D
Source: C:\Windows\SysWOW64\msdt.exe Code function: 13_2_047BC450 mov eax, dword ptr fs:[00000030h] 13_2_047BC450
Source: C:\Windows\SysWOW64\msdt.exe Code function: 13_2_047BC450 mov eax, dword ptr fs:[00000030h] 13_2_047BC450
Source: C:\Windows\SysWOW64\msdt.exe Code function: 13_2_0475A44B mov eax, dword ptr fs:[00000030h] 13_2_0475A44B
Source: C:\Windows\SysWOW64\msdt.exe Code function: 13_2_0475BC2C mov eax, dword ptr fs:[00000030h] 13_2_0475BC2C
Source: C:\Windows\SysWOW64\msdt.exe Code function: 13_2_047A6C0A mov eax, dword ptr fs:[00000030h] 13_2_047A6C0A
Source: C:\Windows\SysWOW64\msdt.exe Code function: 13_2_047A6C0A mov eax, dword ptr fs:[00000030h] 13_2_047A6C0A
Source: C:\Windows\SysWOW64\msdt.exe Code function: 13_2_047A6C0A mov eax, dword ptr fs:[00000030h] 13_2_047A6C0A
Source: C:\Windows\SysWOW64\msdt.exe Code function: 13_2_047A6C0A mov eax, dword ptr fs:[00000030h] 13_2_047A6C0A
Source: C:\Windows\SysWOW64\msdt.exe Code function: 13_2_047F740D mov eax, dword ptr fs:[00000030h] 13_2_047F740D
Source: C:\Windows\SysWOW64\msdt.exe Code function: 13_2_047F740D mov eax, dword ptr fs:[00000030h] 13_2_047F740D
Source: C:\Windows\SysWOW64\msdt.exe Code function: 13_2_047F740D mov eax, dword ptr fs:[00000030h] 13_2_047F740D
Source: C:\Windows\SysWOW64\msdt.exe Code function: 13_2_047E1C06 mov eax, dword ptr fs:[00000030h] 13_2_047E1C06
Source: C:\Windows\SysWOW64\msdt.exe Code function: 13_2_047E1C06 mov eax, dword ptr fs:[00000030h] 13_2_047E1C06
Source: C:\Windows\SysWOW64\msdt.exe Code function: 13_2_047E1C06 mov eax, dword ptr fs:[00000030h] 13_2_047E1C06
Source: C:\Windows\SysWOW64\msdt.exe Code function: 13_2_047E1C06 mov eax, dword ptr fs:[00000030h] 13_2_047E1C06
Source: C:\Windows\SysWOW64\msdt.exe Code function: 13_2_047E1C06 mov eax, dword ptr fs:[00000030h] 13_2_047E1C06
Source: C:\Windows\SysWOW64\msdt.exe Code function: 13_2_047E1C06 mov eax, dword ptr fs:[00000030h] 13_2_047E1C06
Source: C:\Windows\SysWOW64\msdt.exe Code function: 13_2_047E1C06 mov eax, dword ptr fs:[00000030h] 13_2_047E1C06
Source: C:\Windows\SysWOW64\msdt.exe Code function: 13_2_047E1C06 mov eax, dword ptr fs:[00000030h] 13_2_047E1C06
Source: C:\Windows\SysWOW64\msdt.exe Code function: 13_2_047E1C06 mov eax, dword ptr fs:[00000030h] 13_2_047E1C06
Source: C:\Windows\SysWOW64\msdt.exe Code function: 13_2_047E1C06 mov eax, dword ptr fs:[00000030h] 13_2_047E1C06
Source: C:\Windows\SysWOW64\msdt.exe Code function: 13_2_047E1C06 mov eax, dword ptr fs:[00000030h] 13_2_047E1C06
Source: C:\Windows\SysWOW64\msdt.exe Code function: 13_2_047E1C06 mov eax, dword ptr fs:[00000030h] 13_2_047E1C06
Source: C:\Windows\SysWOW64\msdt.exe Code function: 13_2_047E1C06 mov eax, dword ptr fs:[00000030h] 13_2_047E1C06
Source: C:\Windows\SysWOW64\msdt.exe Code function: 13_2_047E1C06 mov eax, dword ptr fs:[00000030h] 13_2_047E1C06
Source: C:\Windows\SysWOW64\msdt.exe Code function: 13_2_047E14FB mov eax, dword ptr fs:[00000030h] 13_2_047E14FB
Source: C:\Windows\SysWOW64\msdt.exe Code function: 13_2_047A6CF0 mov eax, dword ptr fs:[00000030h] 13_2_047A6CF0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 13_2_047A6CF0 mov eax, dword ptr fs:[00000030h] 13_2_047A6CF0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 13_2_047A6CF0 mov eax, dword ptr fs:[00000030h] 13_2_047A6CF0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 13_2_047F8CD6 mov eax, dword ptr fs:[00000030h] 13_2_047F8CD6
Source: C:\Windows\SysWOW64\msdt.exe Code function: 13_2_0473849B mov eax, dword ptr fs:[00000030h] 13_2_0473849B
Source: C:\Windows\SysWOW64\msdt.exe Code function: 13_2_0474C577 mov eax, dword ptr fs:[00000030h] 13_2_0474C577
Source: C:\Windows\SysWOW64\msdt.exe Code function: 13_2_0474C577 mov eax, dword ptr fs:[00000030h] 13_2_0474C577
Source: C:\Windows\SysWOW64\msdt.exe Code function: 13_2_04747D50 mov eax, dword ptr fs:[00000030h] 13_2_04747D50
Source: C:\Windows\SysWOW64\msdt.exe Code function: 13_2_04763D43 mov eax, dword ptr fs:[00000030h] 13_2_04763D43
Source: C:\Windows\SysWOW64\msdt.exe Code function: 13_2_047A3540 mov eax, dword ptr fs:[00000030h] 13_2_047A3540
Source: C:\Windows\SysWOW64\msdt.exe Code function: 13_2_0472AD30 mov eax, dword ptr fs:[00000030h] 13_2_0472AD30
Source: C:\Windows\SysWOW64\msdt.exe Code function: 13_2_04733D34 mov eax, dword ptr fs:[00000030h] 13_2_04733D34
Source: C:\Windows\SysWOW64\msdt.exe Code function: 13_2_04733D34 mov eax, dword ptr fs:[00000030h] 13_2_04733D34
Source: C:\Windows\SysWOW64\msdt.exe Code function: 13_2_04733D34 mov eax, dword ptr fs:[00000030h] 13_2_04733D34
Source: C:\Windows\SysWOW64\msdt.exe Code function: 13_2_04733D34 mov eax, dword ptr fs:[00000030h] 13_2_04733D34
Source: C:\Windows\SysWOW64\msdt.exe Code function: 13_2_04733D34 mov eax, dword ptr fs:[00000030h] 13_2_04733D34
Source: C:\Windows\SysWOW64\msdt.exe Code function: 13_2_04733D34 mov eax, dword ptr fs:[00000030h] 13_2_04733D34
Source: C:\Windows\SysWOW64\msdt.exe Code function: 13_2_04733D34 mov eax, dword ptr fs:[00000030h] 13_2_04733D34
Source: C:\Windows\SysWOW64\msdt.exe Code function: 13_2_04733D34 mov eax, dword ptr fs:[00000030h] 13_2_04733D34
Source: C:\Windows\SysWOW64\msdt.exe Code function: 13_2_04733D34 mov eax, dword ptr fs:[00000030h] 13_2_04733D34
Source: C:\Windows\SysWOW64\msdt.exe Code function: 13_2_04733D34 mov eax, dword ptr fs:[00000030h] 13_2_04733D34
Source: C:\Windows\SysWOW64\msdt.exe Code function: 13_2_04733D34 mov eax, dword ptr fs:[00000030h] 13_2_04733D34
Source: C:\Windows\SysWOW64\msdt.exe Code function: 13_2_04733D34 mov eax, dword ptr fs:[00000030h] 13_2_04733D34
Source: C:\Windows\SysWOW64\msdt.exe Code function: 13_2_04733D34 mov eax, dword ptr fs:[00000030h] 13_2_04733D34
Source: C:\Windows\SysWOW64\msdt.exe Code function: 13_2_047EE539 mov eax, dword ptr fs:[00000030h] 13_2_047EE539
Source: C:\Windows\SysWOW64\msdt.exe Code function: 13_2_047F8D34 mov eax, dword ptr fs:[00000030h] 13_2_047F8D34
Source: C:\Windows\SysWOW64\msdt.exe Code function: 13_2_047AA537 mov eax, dword ptr fs:[00000030h] 13_2_047AA537
Source: C:\Windows\SysWOW64\msdt.exe Code function: 13_2_04754D3B mov eax, dword ptr fs:[00000030h] 13_2_04754D3B
Source: C:\Windows\SysWOW64\msdt.exe Code function: 13_2_04754D3B mov eax, dword ptr fs:[00000030h] 13_2_04754D3B
Source: C:\Windows\SysWOW64\msdt.exe Code function: 13_2_04754D3B mov eax, dword ptr fs:[00000030h] 13_2_04754D3B
Source: C:\Windows\SysWOW64\msdt.exe Code function: 13_2_047D8DF1 mov eax, dword ptr fs:[00000030h] 13_2_047D8DF1
Source: C:\Windows\SysWOW64\msdt.exe Code function: 13_2_0473D5E0 mov eax, dword ptr fs:[00000030h] 13_2_0473D5E0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 13_2_0473D5E0 mov eax, dword ptr fs:[00000030h] 13_2_0473D5E0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 13_2_047EFDE2 mov eax, dword ptr fs:[00000030h] 13_2_047EFDE2
Source: C:\Windows\SysWOW64\msdt.exe Code function: 13_2_047EFDE2 mov eax, dword ptr fs:[00000030h] 13_2_047EFDE2
Source: C:\Windows\SysWOW64\msdt.exe Code function: 13_2_047EFDE2 mov eax, dword ptr fs:[00000030h] 13_2_047EFDE2
Source: C:\Windows\SysWOW64\msdt.exe Code function: 13_2_047EFDE2 mov eax, dword ptr fs:[00000030h] 13_2_047EFDE2
Source: C:\Windows\SysWOW64\msdt.exe Code function: 13_2_047A6DC9 mov eax, dword ptr fs:[00000030h] 13_2_047A6DC9
Source: C:\Windows\SysWOW64\msdt.exe Code function: 13_2_047A6DC9 mov eax, dword ptr fs:[00000030h] 13_2_047A6DC9
Source: C:\Windows\SysWOW64\msdt.exe Code function: 13_2_047A6DC9 mov eax, dword ptr fs:[00000030h] 13_2_047A6DC9
Source: C:\Windows\SysWOW64\msdt.exe Code function: 13_2_047A6DC9 mov ecx, dword ptr fs:[00000030h] 13_2_047A6DC9
Source: C:\Windows\SysWOW64\msdt.exe Code function: 13_2_047A6DC9 mov eax, dword ptr fs:[00000030h] 13_2_047A6DC9
Source: C:\Windows\SysWOW64\msdt.exe Code function: 13_2_047A6DC9 mov eax, dword ptr fs:[00000030h] 13_2_047A6DC9
Source: C:\Windows\SysWOW64\msdt.exe Code function: 13_2_04751DB5 mov eax, dword ptr fs:[00000030h] 13_2_04751DB5
Source: C:\Windows\SysWOW64\msdt.exe Code function: 13_2_04751DB5 mov eax, dword ptr fs:[00000030h] 13_2_04751DB5
Source: C:\Windows\SysWOW64\msdt.exe Code function: 13_2_04751DB5 mov eax, dword ptr fs:[00000030h] 13_2_04751DB5
Source: C:\Windows\SysWOW64\msdt.exe Code function: 13_2_047F05AC mov eax, dword ptr fs:[00000030h] 13_2_047F05AC
Source: C:\Windows\SysWOW64\msdt.exe Code function: 13_2_047F05AC mov eax, dword ptr fs:[00000030h] 13_2_047F05AC
Source: C:\Windows\SysWOW64\msdt.exe Code function: 13_2_047535A1 mov eax, dword ptr fs:[00000030h] 13_2_047535A1
Source: C:\Windows\SysWOW64\msdt.exe Code function: 13_2_0475FD9B mov eax, dword ptr fs:[00000030h] 13_2_0475FD9B
Source: C:\Windows\SysWOW64\msdt.exe Code function: 13_2_0475FD9B mov eax, dword ptr fs:[00000030h] 13_2_0475FD9B
Source: C:\Windows\SysWOW64\msdt.exe Code function: 13_2_04752581 mov eax, dword ptr fs:[00000030h] 13_2_04752581
Source: C:\Windows\SysWOW64\msdt.exe Code function: 13_2_04752581 mov eax, dword ptr fs:[00000030h] 13_2_04752581
Source: C:\Windows\SysWOW64\msdt.exe Code function: 13_2_04752581 mov eax, dword ptr fs:[00000030h] 13_2_04752581
Source: C:\Windows\SysWOW64\msdt.exe Code function: 13_2_04752581 mov eax, dword ptr fs:[00000030h] 13_2_04752581
Source: C:\Windows\SysWOW64\msdt.exe Code function: 13_2_04722D8A mov eax, dword ptr fs:[00000030h] 13_2_04722D8A
Source: C:\Windows\SysWOW64\msdt.exe Code function: 13_2_04722D8A mov eax, dword ptr fs:[00000030h] 13_2_04722D8A
Source: C:\Windows\SysWOW64\msdt.exe Code function: 13_2_04722D8A mov eax, dword ptr fs:[00000030h] 13_2_04722D8A
Source: C:\Windows\SysWOW64\msdt.exe Code function: 13_2_04722D8A mov eax, dword ptr fs:[00000030h] 13_2_04722D8A
Source: C:\Windows\SysWOW64\msdt.exe Code function: 13_2_04722D8A mov eax, dword ptr fs:[00000030h] 13_2_04722D8A
Source: C:\Windows\SysWOW64\msdt.exe Code function: 13_2_0474AE73 mov eax, dword ptr fs:[00000030h] 13_2_0474AE73
Source: C:\Windows\SysWOW64\msdt.exe Code function: 13_2_0474AE73 mov eax, dword ptr fs:[00000030h] 13_2_0474AE73
Source: C:\Windows\SysWOW64\msdt.exe Code function: 13_2_0474AE73 mov eax, dword ptr fs:[00000030h] 13_2_0474AE73
Source: C:\Windows\SysWOW64\msdt.exe Code function: 13_2_0474AE73 mov eax, dword ptr fs:[00000030h] 13_2_0474AE73
Source: C:\Windows\SysWOW64\msdt.exe Code function: 13_2_0474AE73 mov eax, dword ptr fs:[00000030h] 13_2_0474AE73
Source: C:\Windows\SysWOW64\msdt.exe Code function: 13_2_0473766D mov eax, dword ptr fs:[00000030h] 13_2_0473766D
Source: C:\Windows\SysWOW64\msdt.exe Code function: 13_2_04737E41 mov eax, dword ptr fs:[00000030h] 13_2_04737E41
Source: C:\Windows\SysWOW64\msdt.exe Code function: 13_2_04737E41 mov eax, dword ptr fs:[00000030h] 13_2_04737E41
Source: C:\Windows\SysWOW64\msdt.exe Code function: 13_2_04737E41 mov eax, dword ptr fs:[00000030h] 13_2_04737E41
Source: C:\Windows\SysWOW64\msdt.exe Code function: 13_2_04737E41 mov eax, dword ptr fs:[00000030h] 13_2_04737E41
Source: C:\Windows\SysWOW64\msdt.exe Code function: 13_2_04737E41 mov eax, dword ptr fs:[00000030h] 13_2_04737E41
Source: C:\Windows\SysWOW64\msdt.exe Code function: 13_2_04737E41 mov eax, dword ptr fs:[00000030h] 13_2_04737E41
Source: C:\Windows\SysWOW64\msdt.exe Code function: 13_2_047EAE44 mov eax, dword ptr fs:[00000030h] 13_2_047EAE44
Source: C:\Windows\SysWOW64\msdt.exe Code function: 13_2_047EAE44 mov eax, dword ptr fs:[00000030h] 13_2_047EAE44
Source: C:\Windows\SysWOW64\msdt.exe Code function: 13_2_047DFE3F mov eax, dword ptr fs:[00000030h] 13_2_047DFE3F
Source: C:\Windows\SysWOW64\msdt.exe Code function: 13_2_0472E620 mov eax, dword ptr fs:[00000030h] 13_2_0472E620
Source: C:\Windows\SysWOW64\msdt.exe Code function: 13_2_0475A61C mov eax, dword ptr fs:[00000030h] 13_2_0475A61C
Source: C:\Windows\SysWOW64\msdt.exe Code function: 13_2_0475A61C mov eax, dword ptr fs:[00000030h] 13_2_0475A61C
Source: C:\Windows\SysWOW64\msdt.exe Code function: 13_2_0472C600 mov eax, dword ptr fs:[00000030h] 13_2_0472C600
Source: C:\Windows\SysWOW64\msdt.exe Code function: 13_2_0472C600 mov eax, dword ptr fs:[00000030h] 13_2_0472C600
Source: C:\Windows\SysWOW64\msdt.exe Code function: 13_2_0472C600 mov eax, dword ptr fs:[00000030h] 13_2_0472C600
Source: C:\Windows\SysWOW64\msdt.exe Code function: 13_2_04758E00 mov eax, dword ptr fs:[00000030h] 13_2_04758E00
Source: C:\Windows\SysWOW64\msdt.exe Code function: 13_2_047E1608 mov eax, dword ptr fs:[00000030h] 13_2_047E1608
Source: C:\Windows\SysWOW64\msdt.exe Code function: 13_2_047376E2 mov eax, dword ptr fs:[00000030h] 13_2_047376E2
Source: C:\Windows\SysWOW64\msdt.exe Code function: 13_2_047516E0 mov ecx, dword ptr fs:[00000030h] 13_2_047516E0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 13_2_047F8ED6 mov eax, dword ptr fs:[00000030h] 13_2_047F8ED6
Source: C:\Windows\SysWOW64\msdt.exe Code function: 13_2_04768EC7 mov eax, dword ptr fs:[00000030h] 13_2_04768EC7
Source: C:\Windows\SysWOW64\msdt.exe Code function: 13_2_047536CC mov eax, dword ptr fs:[00000030h] 13_2_047536CC
Source: C:\Windows\SysWOW64\msdt.exe Code function: 13_2_047DFEC0 mov eax, dword ptr fs:[00000030h] 13_2_047DFEC0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 13_2_047F0EA5 mov eax, dword ptr fs:[00000030h] 13_2_047F0EA5
Source: C:\Windows\SysWOW64\msdt.exe Code function: 13_2_047F0EA5 mov eax, dword ptr fs:[00000030h] 13_2_047F0EA5
Source: C:\Windows\SysWOW64\msdt.exe Code function: 13_2_047F0EA5 mov eax, dword ptr fs:[00000030h] 13_2_047F0EA5
Source: C:\Windows\SysWOW64\msdt.exe Code function: 13_2_047A46A7 mov eax, dword ptr fs:[00000030h] 13_2_047A46A7
Source: C:\Windows\SysWOW64\msdt.exe Code function: 13_2_047BFE87 mov eax, dword ptr fs:[00000030h] 13_2_047BFE87
Source: C:\Windows\SysWOW64\msdt.exe Code function: 13_2_0473FF60 mov eax, dword ptr fs:[00000030h] 13_2_0473FF60
Source: C:\Windows\SysWOW64\msdt.exe Code function: 13_2_047F8F6A mov eax, dword ptr fs:[00000030h] 13_2_047F8F6A
Source: C:\Windows\SysWOW64\msdt.exe Code function: 13_2_0473EF40 mov eax, dword ptr fs:[00000030h] 13_2_0473EF40
Source: C:\Windows\SysWOW64\msdt.exe Code function: 13_2_0475E730 mov eax, dword ptr fs:[00000030h] 13_2_0475E730
Source: C:\Windows\SysWOW64\msdt.exe Code function: 13_2_04724F2E mov eax, dword ptr fs:[00000030h] 13_2_04724F2E
Source: C:\Windows\SysWOW64\msdt.exe Code function: 13_2_04724F2E mov eax, dword ptr fs:[00000030h] 13_2_04724F2E
Source: C:\Windows\SysWOW64\msdt.exe Code function: 13_2_0474F716 mov eax, dword ptr fs:[00000030h] 13_2_0474F716
Source: C:\Windows\SysWOW64\msdt.exe Code function: 13_2_047BFF10 mov eax, dword ptr fs:[00000030h] 13_2_047BFF10
Source: C:\Windows\SysWOW64\msdt.exe Code function: 13_2_047BFF10 mov eax, dword ptr fs:[00000030h] 13_2_047BFF10
Source: C:\Windows\SysWOW64\msdt.exe Code function: 13_2_047F070D mov eax, dword ptr fs:[00000030h] 13_2_047F070D
Source: C:\Windows\SysWOW64\msdt.exe Code function: 13_2_047F070D mov eax, dword ptr fs:[00000030h] 13_2_047F070D
Source: C:\Windows\SysWOW64\msdt.exe Code function: 13_2_0475A70E mov eax, dword ptr fs:[00000030h] 13_2_0475A70E
Source: C:\Windows\SysWOW64\msdt.exe Code function: 13_2_0475A70E mov eax, dword ptr fs:[00000030h] 13_2_0475A70E
Source: C:\Windows\SysWOW64\msdt.exe Code function: 13_2_047637F5 mov eax, dword ptr fs:[00000030h] 13_2_047637F5
Source: C:\Windows\SysWOW64\msdt.exe Code function: 13_2_04738794 mov eax, dword ptr fs:[00000030h] 13_2_04738794
Source: C:\Windows\SysWOW64\msdt.exe Code function: 13_2_047A7794 mov eax, dword ptr fs:[00000030h] 13_2_047A7794
Source: C:\Windows\SysWOW64\msdt.exe Code function: 13_2_047A7794 mov eax, dword ptr fs:[00000030h] 13_2_047A7794
Source: C:\Windows\SysWOW64\msdt.exe Code function: 13_2_047A7794 mov eax, dword ptr fs:[00000030h] 13_2_047A7794
Source: C:\Windows\SysWOW64\msdt.exe Code function: 13_2_047F1074 mov eax, dword ptr fs:[00000030h] 13_2_047F1074
Source: C:\Windows\SysWOW64\msdt.exe Code function: 13_2_047E2073 mov eax, dword ptr fs:[00000030h] 13_2_047E2073
Source: C:\Windows\SysWOW64\msdt.exe Code function: 13_2_04740050 mov eax, dword ptr fs:[00000030h] 13_2_04740050
Source: C:\Windows\SysWOW64\msdt.exe Code function: 13_2_04740050 mov eax, dword ptr fs:[00000030h] 13_2_04740050
Source: C:\Windows\SysWOW64\msdt.exe Code function: 13_2_0475002D mov eax, dword ptr fs:[00000030h] 13_2_0475002D
Source: C:\Windows\SysWOW64\msdt.exe Code function: 13_2_0475002D mov eax, dword ptr fs:[00000030h] 13_2_0475002D
Source: C:\Windows\SysWOW64\msdt.exe Code function: 13_2_0475002D mov eax, dword ptr fs:[00000030h] 13_2_0475002D
Source: C:\Windows\SysWOW64\msdt.exe Code function: 13_2_0475002D mov eax, dword ptr fs:[00000030h] 13_2_0475002D
Source: C:\Windows\SysWOW64\msdt.exe Code function: 13_2_0475002D mov eax, dword ptr fs:[00000030h] 13_2_0475002D
Source: C:\Windows\SysWOW64\msdt.exe Code function: 13_2_0473B02A mov eax, dword ptr fs:[00000030h] 13_2_0473B02A
Source: C:\Windows\SysWOW64\msdt.exe Code function: 13_2_0473B02A mov eax, dword ptr fs:[00000030h] 13_2_0473B02A
Source: C:\Windows\SysWOW64\msdt.exe Code function: 13_2_0473B02A mov eax, dword ptr fs:[00000030h] 13_2_0473B02A
Source: C:\Windows\SysWOW64\msdt.exe Code function: 13_2_0473B02A mov eax, dword ptr fs:[00000030h] 13_2_0473B02A
Source: C:\Windows\SysWOW64\msdt.exe Code function: 13_2_047F4015 mov eax, dword ptr fs:[00000030h] 13_2_047F4015
Source: C:\Windows\SysWOW64\msdt.exe Code function: 13_2_047F4015 mov eax, dword ptr fs:[00000030h] 13_2_047F4015
Source: C:\Windows\SysWOW64\msdt.exe Code function: 13_2_047A7016 mov eax, dword ptr fs:[00000030h] 13_2_047A7016
Source: C:\Windows\SysWOW64\msdt.exe Code function: 13_2_047A7016 mov eax, dword ptr fs:[00000030h] 13_2_047A7016
Source: C:\Windows\SysWOW64\msdt.exe Code function: 13_2_047A7016 mov eax, dword ptr fs:[00000030h] 13_2_047A7016
Source: C:\Windows\SysWOW64\msdt.exe Code function: 13_2_047258EC mov eax, dword ptr fs:[00000030h] 13_2_047258EC
Source: C:\Windows\SysWOW64\msdt.exe Code function: 13_2_047BB8D0 mov eax, dword ptr fs:[00000030h] 13_2_047BB8D0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 13_2_047BB8D0 mov ecx, dword ptr fs:[00000030h] 13_2_047BB8D0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 13_2_047BB8D0 mov eax, dword ptr fs:[00000030h] 13_2_047BB8D0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 13_2_047BB8D0 mov eax, dword ptr fs:[00000030h] 13_2_047BB8D0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 13_2_047BB8D0 mov eax, dword ptr fs:[00000030h] 13_2_047BB8D0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 13_2_047BB8D0 mov eax, dword ptr fs:[00000030h] 13_2_047BB8D0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 13_2_0475F0BF mov ecx, dword ptr fs:[00000030h] 13_2_0475F0BF
Source: C:\Windows\SysWOW64\msdt.exe Code function: 13_2_0475F0BF mov eax, dword ptr fs:[00000030h] 13_2_0475F0BF
Source: C:\Windows\SysWOW64\msdt.exe Code function: 13_2_0475F0BF mov eax, dword ptr fs:[00000030h] 13_2_0475F0BF
Source: C:\Windows\SysWOW64\msdt.exe Code function: 13_2_047520A0 mov eax, dword ptr fs:[00000030h] 13_2_047520A0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 13_2_047520A0 mov eax, dword ptr fs:[00000030h] 13_2_047520A0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 13_2_047520A0 mov eax, dword ptr fs:[00000030h] 13_2_047520A0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 13_2_047520A0 mov eax, dword ptr fs:[00000030h] 13_2_047520A0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 13_2_047520A0 mov eax, dword ptr fs:[00000030h] 13_2_047520A0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 13_2_047520A0 mov eax, dword ptr fs:[00000030h] 13_2_047520A0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 13_2_047690AF mov eax, dword ptr fs:[00000030h] 13_2_047690AF
Source: C:\Windows\SysWOW64\msdt.exe Code function: 13_2_04729080 mov eax, dword ptr fs:[00000030h] 13_2_04729080
Source: C:\Windows\SysWOW64\msdt.exe Code function: 13_2_047A3884 mov eax, dword ptr fs:[00000030h] 13_2_047A3884
Source: C:\Windows\SysWOW64\msdt.exe Code function: 13_2_047A3884 mov eax, dword ptr fs:[00000030h] 13_2_047A3884
Source: C:\Windows\SysWOW64\msdt.exe Code function: 13_2_0472B171 mov eax, dword ptr fs:[00000030h] 13_2_0472B171
Source: C:\Windows\SysWOW64\msdt.exe Code function: 13_2_0472B171 mov eax, dword ptr fs:[00000030h] 13_2_0472B171
Source: C:\Windows\SysWOW64\msdt.exe Code function: 13_2_0472C962 mov eax, dword ptr fs:[00000030h] 13_2_0472C962
Source: C:\Windows\SysWOW64\msdt.exe Code function: 13_2_0474B944 mov eax, dword ptr fs:[00000030h] 13_2_0474B944
Source: C:\Windows\SysWOW64\msdt.exe Code function: 13_2_0474B944 mov eax, dword ptr fs:[00000030h] 13_2_0474B944
Source: C:\Windows\SysWOW64\msdt.exe Code function: 13_2_0475513A mov eax, dword ptr fs:[00000030h] 13_2_0475513A
Source: C:\Windows\SysWOW64\msdt.exe Code function: 13_2_0475513A mov eax, dword ptr fs:[00000030h] 13_2_0475513A
Source: C:\Windows\SysWOW64\msdt.exe Code function: 13_2_04744120 mov eax, dword ptr fs:[00000030h] 13_2_04744120
Source: C:\Windows\SysWOW64\msdt.exe Code function: 13_2_04744120 mov eax, dword ptr fs:[00000030h] 13_2_04744120
Source: C:\Windows\SysWOW64\msdt.exe Code function: 13_2_04744120 mov eax, dword ptr fs:[00000030h] 13_2_04744120
Source: C:\Windows\SysWOW64\msdt.exe Code function: 13_2_04744120 mov eax, dword ptr fs:[00000030h] 13_2_04744120
Source: C:\Windows\SysWOW64\msdt.exe Code function: 13_2_04744120 mov ecx, dword ptr fs:[00000030h] 13_2_04744120
Source: C:\Windows\SysWOW64\msdt.exe Code function: 13_2_04729100 mov eax, dword ptr fs:[00000030h] 13_2_04729100
Source: C:\Windows\SysWOW64\msdt.exe Code function: 13_2_04729100 mov eax, dword ptr fs:[00000030h] 13_2_04729100
Source: C:\Windows\SysWOW64\msdt.exe Code function: 13_2_04729100 mov eax, dword ptr fs:[00000030h] 13_2_04729100
Source: C:\Windows\SysWOW64\msdt.exe Code function: 13_2_047B41E8 mov eax, dword ptr fs:[00000030h] 13_2_047B41E8
Source: C:\Windows\SysWOW64\msdt.exe Code function: 13_2_0472B1E1 mov eax, dword ptr fs:[00000030h] 13_2_0472B1E1
Source: C:\Windows\SysWOW64\msdt.exe Code function: 13_2_0472B1E1 mov eax, dword ptr fs:[00000030h] 13_2_0472B1E1
Source: C:\Windows\SysWOW64\msdt.exe Code function: 13_2_0472B1E1 mov eax, dword ptr fs:[00000030h] 13_2_0472B1E1
Source: C:\Windows\SysWOW64\msdt.exe Code function: 13_2_047A51BE mov eax, dword ptr fs:[00000030h] 13_2_047A51BE
Source: C:\Windows\SysWOW64\msdt.exe Code function: 13_2_047A51BE mov eax, dword ptr fs:[00000030h] 13_2_047A51BE
Source: C:\Windows\SysWOW64\msdt.exe Code function: 13_2_047A51BE mov eax, dword ptr fs:[00000030h] 13_2_047A51BE
Source: C:\Windows\SysWOW64\msdt.exe Code function: 13_2_047A51BE mov eax, dword ptr fs:[00000030h] 13_2_047A51BE
Source: C:\Windows\SysWOW64\msdt.exe Code function: 13_2_047561A0 mov eax, dword ptr fs:[00000030h] 13_2_047561A0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 13_2_047561A0 mov eax, dword ptr fs:[00000030h] 13_2_047561A0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 13_2_047A69A6 mov eax, dword ptr fs:[00000030h] 13_2_047A69A6
Source: C:\Windows\SysWOW64\msdt.exe Code function: 13_2_04752990 mov eax, dword ptr fs:[00000030h] 13_2_04752990
Source: C:\Windows\SysWOW64\msdt.exe Code function: 13_2_0475A185 mov eax, dword ptr fs:[00000030h] 13_2_0475A185
Source: C:\Windows\SysWOW64\msdt.exe Code function: 13_2_0474C182 mov eax, dword ptr fs:[00000030h] 13_2_0474C182
Source: C:\Windows\SysWOW64\msdt.exe Code function: 13_2_0476927A mov eax, dword ptr fs:[00000030h] 13_2_0476927A
Source: C:\Windows\SysWOW64\msdt.exe Code function: 13_2_047DB260 mov eax, dword ptr fs:[00000030h] 13_2_047DB260
Source: C:\Windows\SysWOW64\msdt.exe Code function: 13_2_047DB260 mov eax, dword ptr fs:[00000030h] 13_2_047DB260
Source: C:\Windows\SysWOW64\msdt.exe Code function: 13_2_047F8A62 mov eax, dword ptr fs:[00000030h] 13_2_047F8A62
Source: C:\Windows\SysWOW64\msdt.exe Code function: 13_2_047EEA55 mov eax, dword ptr fs:[00000030h] 13_2_047EEA55
Source: C:\Windows\SysWOW64\msdt.exe Code function: 13_2_047B4257 mov eax, dword ptr fs:[00000030h] 13_2_047B4257
Source: C:\Windows\SysWOW64\msdt.exe Code function: 13_2_04729240 mov eax, dword ptr fs:[00000030h] 13_2_04729240
Source: C:\Windows\SysWOW64\msdt.exe Code function: 13_2_04729240 mov eax, dword ptr fs:[00000030h] 13_2_04729240
Source: C:\Windows\SysWOW64\msdt.exe Code function: 13_2_04729240 mov eax, dword ptr fs:[00000030h] 13_2_04729240
Source: C:\Windows\SysWOW64\msdt.exe Code function: 13_2_04729240 mov eax, dword ptr fs:[00000030h] 13_2_04729240
Source: C:\Windows\SysWOW64\msdt.exe Code function: 13_2_04764A2C mov eax, dword ptr fs:[00000030h] 13_2_04764A2C
Source: C:\Windows\SysWOW64\msdt.exe Code function: 13_2_04764A2C mov eax, dword ptr fs:[00000030h] 13_2_04764A2C
Source: C:\Windows\SysWOW64\msdt.exe Code function: 13_2_04725210 mov eax, dword ptr fs:[00000030h] 13_2_04725210
Source: C:\Windows\SysWOW64\msdt.exe Code function: 13_2_04725210 mov ecx, dword ptr fs:[00000030h] 13_2_04725210
Source: C:\Windows\SysWOW64\msdt.exe Code function: 13_2_04725210 mov eax, dword ptr fs:[00000030h] 13_2_04725210
Source: C:\Windows\SysWOW64\msdt.exe Code function: 13_2_04725210 mov eax, dword ptr fs:[00000030h] 13_2_04725210
Source: C:\Windows\SysWOW64\msdt.exe Code function: 13_2_0472AA16 mov eax, dword ptr fs:[00000030h] 13_2_0472AA16
Source: C:\Windows\SysWOW64\msdt.exe Code function: 13_2_0472AA16 mov eax, dword ptr fs:[00000030h] 13_2_0472AA16
Source: C:\Windows\SysWOW64\msdt.exe Code function: 13_2_04743A1C mov eax, dword ptr fs:[00000030h] 13_2_04743A1C
Source: C:\Windows\SysWOW64\msdt.exe Code function: 13_2_047EAA16 mov eax, dword ptr fs:[00000030h] 13_2_047EAA16
Source: C:\Windows\SysWOW64\msdt.exe Code function: 13_2_047EAA16 mov eax, dword ptr fs:[00000030h] 13_2_047EAA16
Source: C:\Windows\SysWOW64\msdt.exe Code function: 13_2_04738A0A mov eax, dword ptr fs:[00000030h] 13_2_04738A0A
Source: C:\Windows\SysWOW64\msdt.exe Code function: 13_2_04752AE4 mov eax, dword ptr fs:[00000030h] 13_2_04752AE4
Source: C:\Windows\SysWOW64\msdt.exe Code function: 13_2_04752ACB mov eax, dword ptr fs:[00000030h] 13_2_04752ACB
Source: C:\Windows\SysWOW64\msdt.exe Code function: 13_2_0473AAB0 mov eax, dword ptr fs:[00000030h] 13_2_0473AAB0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 13_2_0473AAB0 mov eax, dword ptr fs:[00000030h] 13_2_0473AAB0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 13_2_0475FAB0 mov eax, dword ptr fs:[00000030h] 13_2_0475FAB0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 13_2_047252A5 mov eax, dword ptr fs:[00000030h] 13_2_047252A5
Checks if the current process is being debugged
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\msdt.exe Process queried: DebugPort
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 7_2_00409B40 LdrLoadDll, 7_2_00409B40
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe Domain query: www.platinumcredit.net
Source: C:\Windows\explorer.exe Domain query: www.thefullfledged.com
Source: C:\Windows\explorer.exe Domain query: www.jakital.com
Source: C:\Windows\explorer.exe Network Connect: 142.250.203.115 80
Source: C:\Windows\explorer.exe Domain query: www.xcgtsret.com
Source: C:\Windows\explorer.exe Domain query: www.suepersoldiers.com
Source: C:\Windows\explorer.exe Domain query: www.arsels.info
Source: C:\Windows\explorer.exe Domain query: www.electricatrick.com
Source: C:\Windows\explorer.exe Network Connect: 103.224.212.219 80
Source: C:\Windows\explorer.exe Network Connect: 52.204.216.132 80
Source: C:\Windows\explorer.exe Domain query: www.151motors.com
Source: C:\Windows\explorer.exe Network Connect: 34.102.136.180 80
Sample uses process hollowing technique
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Section unmapped: C:\Windows\SysWOW64\msdt.exe base address: 1B0000
Maps a DLL or memory area into another process
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Section loaded: unknown target: C:\Windows\SysWOW64\msdt.exe protection: execute and read and write
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Section loaded: unknown target: C:\Windows\SysWOW64\msdt.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\msdt.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\msdt.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Queues an APC in another process (thread injection)
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Thread APC queued: target process: C:\Windows\explorer.exe
Modifies the context of a thread in another process (thread injection)
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Thread register set: target process: 3352
Source: C:\Windows\SysWOW64\msdt.exe Thread register set: target process: 3352
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Process created: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe
Source: C:\Windows\SysWOW64\msdt.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe"
Source: explorer.exe, 0000000A.00000000.328441000.00000000011E0000.00000002.00020000.sdmp, explorer.exe, 0000000A.00000000.294438190.00000000011E0000.00000002.00020000.sdmp, explorer.exe, 0000000A.00000000.310465456.00000000011E0000.00000002.00020000.sdmp Binary or memory string: Program Manager
Source: explorer.exe, 0000000A.00000000.327891256.0000000000B68000.00000004.00000020.sdmp, explorer.exe, 0000000A.00000000.293464513.0000000000B68000.00000004.00000020.sdmp, explorer.exe, 0000000A.00000000.310106636.0000000000B68000.00000004.00000020.sdmp Binary or memory string: Progman\Pr
Source: explorer.exe, 0000000A.00000000.328441000.00000000011E0000.00000002.00020000.sdmp, explorer.exe, 0000000A.00000000.294438190.00000000011E0000.00000002.00020000.sdmp, explorer.exe, 0000000A.00000000.331243108.0000000005E10000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.310465456.00000000011E0000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 0000000A.00000000.328441000.00000000011E0000.00000002.00020000.sdmp, explorer.exe, 0000000A.00000000.294438190.00000000011E0000.00000002.00020000.sdmp, explorer.exe, 0000000A.00000000.310465456.00000000011E0000.00000002.00020000.sdmp Binary or memory string: Progman
Source: explorer.exe, 0000000A.00000000.328441000.00000000011E0000.00000002.00020000.sdmp, explorer.exe, 0000000A.00000000.294438190.00000000011E0000.00000002.00020000.sdmp, explorer.exe, 0000000A.00000000.310465456.00000000011E0000.00000002.00020000.sdmp Binary or memory string: Progmanlock
Source: explorer.exe, 0000000A.00000000.335912866.0000000008778000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.300895373.0000000008778000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.320269745.0000000008778000.00000004.00000001.sdmp Binary or memory string: Shell_TrayWndh

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Queries volume information: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe VolumeInformation
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Data.Linq\v4.0_4.0.0.0__b77a5c561934e089\System.Data.Linq.dll VolumeInformation
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected FormBook
Source: Yara match File source: 7.2.HkE0tD0g4NXKJfy.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.HkE0tD0g4NXKJfy.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.HkE0tD0g4NXKJfy.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.HkE0tD0g4NXKJfy.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.HkE0tD0g4NXKJfy.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.HkE0tD0g4NXKJfy.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.HkE0tD0g4NXKJfy.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000007.00000002.346581658.0000000001450000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000000.323615980.000000000F7EA000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.346764994.0000000001880000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.346144380.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.554339019.0000000002D00000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.551703779.0000000000970000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.553715961.0000000002C00000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000000.289531768.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.292187512.000000000408D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.292465648.00000000042A7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000000.290051864.0000000000400000.00000040.00000001.sdmp, type: MEMORY

Remote Access Functionality:

Yara detected FormBook
Source: Yara match File source: 7.2.HkE0tD0g4NXKJfy.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.HkE0tD0g4NXKJfy.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.HkE0tD0g4NXKJfy.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.HkE0tD0g4NXKJfy.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.HkE0tD0g4NXKJfy.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.HkE0tD0g4NXKJfy.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.HkE0tD0g4NXKJfy.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000007.00000002.346581658.0000000001450000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000000.323615980.000000000F7EA000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.346764994.0000000001880000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.346144380.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.554339019.0000000002D00000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.551703779.0000000000970000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.553715961.0000000002C00000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000000.289531768.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.292187512.000000000408D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.292465648.00000000042A7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000000.290051864.0000000000400000.00000040.00000001.sdmp, type: MEMORY