Windows Analysis Report S9yf6BkjhTQUbHE.exe

Overview

General Information

Sample Name: S9yf6BkjhTQUbHE.exe
Analysis ID: 528622
MD5: 812861ad5cbb91bfa01a6a15c2cef128
SHA1: ca092e52319047d609cb6fcca1821a8f873416df
SHA256: a649d216b55b0f0597a16690b8469b6b44b9cdc73560d8237387b2df225ab20b
Tags: exe, Formbook

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Yara detected AntiVM3
System process connects to network (likely due to code injection or exploit)
Sample uses process hollowing technique
Maps a DLL or memory area into another process
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Performs DNS queries to domains with low reputation
Self deletion via cmd delete
.NET source code contains potential unpacker
Queues an APC in another process (thread injection)
Tries to detect virtualization through RDTSC time measurements
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Contains functionality for execution timing, often used to detect debuggers
Contains long sleeps (>= 3 min)
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
Contains functionality to read the PEB
Checks if the current process is being debugged
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

AV Detection:

Found malware configuration
Source: 00000001.00000002.314660733.0000000000400000.00000040.00000001.sdmp Malware Configuration Extractor: FormBook {"C2 list": ["www.peptidepowder.com/czh8/"], "decoy": ["ekkyo-business.com", "anamentor.com", "criptodigital.online", "smart-device.tech", "piano-tomimoto.com", "sergiojuradomunera.com", "xn----pl8a630b0whm6t.com", "exploitslozdz.xyz", "peregorodki.store", "authenticationtd.net", "ichelbrousset.com", "amboyshops.com", "hengtaigyl.com", "iliubo.com", "overtimersanonymous.com", "crimsonrangellc.com", "otterburnelanding.com", "ping-ken.info", "belezaweb.digital", "elementkultury.com", "heireply.xyz", "membranbakar.xyz", "babygirlletsheal.com", "alpe.paris", "fuslonnd.com", "massaora.com", "geatarotista.com", "namethatsetup.com", "igdxir.com", "tokatyapimarket.com", "soundnox.com", "ase3baeb4p.com", "uniteddatavault.com", "savageequipment.biz", "cutos2.com", "thietketrangtrinhacua.store", "mways-vintage.com", "cloudscapephotos.com", "padelscuolaroma.store", "medeiros.store", "green-umbrella.academy", "kobaran.com", "ilmkibahar.com", "blueworldaquariums.com", "bigjohnblues.com", "e2adriasec.online", "pufaawareskincare.com", "sumerchemicals.com", "epubgame.net", "nuditecouverte.com", "tbpadvogados.website", "cryptoentering.com", "dahliahearing.com", "annellata.xyz", "barberking.online", "cpw882.com", "dock-weiler.com", "dianyuwang.com", "fitpromax.xyz", "deckingtoronto.com", "boundlessentgroup.com", "metricwombat.com", "emergencyhomerepairnetwork.com", "fullerhomeloans.com"]}
Multi AV Scanner detection for submitted file
Source: S9yf6BkjhTQUbHE.exe ReversingLabs: Detection: 22%
Yara detected FormBook
Source: Yara match File source: 1.0.S9yf6BkjhTQUbHE.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.S9yf6BkjhTQUbHE.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.S9yf6BkjhTQUbHE.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.S9yf6BkjhTQUbHE.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.S9yf6BkjhTQUbHE.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.S9yf6BkjhTQUbHE.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.S9yf6BkjhTQUbHE.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000001.00000002.314660733.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000000.250860288.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.514724044.00000000008D0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.518773545.0000000002FA0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.288279316.000000000EC4A000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.314889663.0000000000A20000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.305725796.000000000EC4A000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.256688867.00000000041A8000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000000.251285298.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.314919624.0000000000A50000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.254885571.0000000003F8D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.518592905.0000000002E90000.00000040.00020000.sdmp, type: MEMORY
Antivirus or Machine Learning detection for unpacked file
Source: 1.0.S9yf6BkjhTQUbHE.exe.400000.8.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 1.0.S9yf6BkjhTQUbHE.exe.400000.6.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 1.0.S9yf6BkjhTQUbHE.exe.400000.4.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 1.2.S9yf6BkjhTQUbHE.exe.400000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen

Compliance:

Uses 32bit PE files
Source: S9yf6BkjhTQUbHE.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: S9yf6BkjhTQUbHE.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: msdt.pdbGCTL source: S9yf6BkjhTQUbHE.exe, 00000001.00000002.316216528.00000000013C0000.00000040.00020000.sdmp
Source: Binary string: wntdll.pdbUGP source: S9yf6BkjhTQUbHE.exe, 00000001.00000002.315540875.00000000011AF000.00000040.00000001.sdmp, S9yf6BkjhTQUbHE.exe, 00000001.00000002.315139597.0000000001090000.00000040.00000001.sdmp, msdt.exe, 00000012.00000002.520823591.0000000004D9F000.00000040.00000001.sdmp, msdt.exe, 00000012.00000002.520500167.0000000004C80000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: S9yf6BkjhTQUbHE.exe, S9yf6BkjhTQUbHE.exe, 00000001.00000002.315540875.00000000011AF000.00000040.00000001.sdmp, S9yf6BkjhTQUbHE.exe, 00000001.00000002.315139597.0000000001090000.00000040.00000001.sdmp, msdt.exe, msdt.exe, 00000012.00000002.520823591.0000000004D9F000.00000040.00000001.sdmp, msdt.exe, 00000012.00000002.520500167.0000000004C80000.00000040.00000001.sdmp
Source: Binary string: msdt.pdb source: S9yf6BkjhTQUbHE.exe, 00000001.00000002.316216528.00000000013C0000.00000040.00020000.sdmp

Software Vulnerabilities:

Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 4x nop then pop edi 1_2_004162EC
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 4x nop then pop edi 1_2_0040C41D
Source: C:\Windows\SysWOW64\msdt.exe Code function: 4x nop then pop edi 18_2_008E62EC
Source: C:\Windows\SysWOW64\msdt.exe Code function: 4x nop then pop edi 18_2_008DC41D

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49827 -> 34.117.168.233:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49827 -> 34.117.168.233:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49827 -> 34.117.168.233:80
Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49837 -> 198.54.117.218:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49837 -> 198.54.117.218:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49837 -> 198.54.117.218:80
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe Domain query: www.xn----pl8a630b0whm6t.com
Source: C:\Windows\explorer.exe Domain query: www.epubgame.net
Source: C:\Windows\explorer.exe Network Connect: 23.106.123.249 80
Source: C:\Windows\explorer.exe Network Connect: 172.67.178.31 80
Source: C:\Windows\explorer.exe Domain query: www.anamentor.com
Source: C:\Windows\explorer.exe Domain query: www.fuslonnd.com
Source: C:\Windows\explorer.exe Domain query: www.annellata.xyz
Source: C:\Windows\explorer.exe Domain query: www.metricwombat.com
Performs DNS queries to domains with low reputation
Source: C:\Windows\explorer.exe DNS query: www.annellata.xyz
Source: DNS query: www.exploitslozdz.xyz
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: www.peptidepowder.com/czh8/
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: LEASEWEB-APAC-SIN-11LeasewebAsiaPacificpteltdSG
Source: Joe Sandbox View ASN Name: CLOUDFLARENETUS
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /czh8/?7n=IRLjoLIXlWieDd548KoJS/rowvlX7n5q7mSRLwbc7H8jLvnjYG+pwFiMTHdBlEYfNNBf&t4b=Zn-L HTTP/1.1 Host: www.anamentor.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 23.106.123.249
Source: S9yf6BkjhTQUbHE.exe, 00000000.00000002.254291450.000000000304A000.00000004.00000001.sdmp, S9yf6BkjhTQUbHE.exe, 00000000.00000002.254094379.0000000002F81000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: msdt.exe, 00000012.00000002.519445044.000000000315F000.00000004.00000020.sdmp String found in binary or memory: http://www.xn----pl8a630b0whm6t.com/czh8/?7n=WfBFmY7eHt5QBShHhdd2jwwFQU0Qfs4ciJop7u3ZFFtbwI7iz04mk8i
Source: msdt.exe, 00000012.00000002.521258705.0000000005332000.00000004.00020000.sdmp String found in binary or memory: https://www.anamentor.com/czh8/?7n=IRLjoLIXlWieDd548KoJS/rowvlX7n5q7mSRLwbc7H8jLvnjYG
Source: unknown DNS traffic detected: queries for: www.epubgame.net
Source: global traffic HTTP traffic detected: GET /czh8/?7n=IRLjoLIXlWieDd548KoJS/rowvlX7n5q7mSRLwbc7H8jLvnjYG+pwFiMTHdBlEYfNNBf&t4b=Zn-L HTTP/1.1 Host: www.anamentor.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a DirectInput object (often for capturing keystrokes)
Source: S9yf6BkjhTQUbHE.exe, 00000000.00000002.253365121.00000000011E9000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected FormBook
Source: Yara match File source: 1.0.S9yf6BkjhTQUbHE.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.S9yf6BkjhTQUbHE.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.S9yf6BkjhTQUbHE.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.S9yf6BkjhTQUbHE.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.S9yf6BkjhTQUbHE.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.S9yf6BkjhTQUbHE.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.S9yf6BkjhTQUbHE.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000001.00000002.314660733.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000000.250860288.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.514724044.00000000008D0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.518773545.0000000002FA0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.288279316.000000000EC4A000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.314889663.0000000000A20000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.305725796.000000000EC4A000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.256688867.00000000041A8000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000000.251285298.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.314919624.0000000000A50000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.254885571.0000000003F8D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.518592905.0000000002E90000.00000040.00020000.sdmp, type: MEMORY

System Summary:

Malicious sample detected (through community Yara rule)
Source: 1.0.S9yf6BkjhTQUbHE.exe.400000.6.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.0.S9yf6BkjhTQUbHE.exe.400000.6.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.0.S9yf6BkjhTQUbHE.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.0.S9yf6BkjhTQUbHE.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.0.S9yf6BkjhTQUbHE.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.0.S9yf6BkjhTQUbHE.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.0.S9yf6BkjhTQUbHE.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.0.S9yf6BkjhTQUbHE.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.2.S9yf6BkjhTQUbHE.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.S9yf6BkjhTQUbHE.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.2.S9yf6BkjhTQUbHE.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.S9yf6BkjhTQUbHE.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.0.S9yf6BkjhTQUbHE.exe.400000.8.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.0.S9yf6BkjhTQUbHE.exe.400000.8.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.314660733.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.314660733.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000000.250860288.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000000.250860288.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000012.00000002.514724044.00000000008D0000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000012.00000002.514724044.00000000008D0000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000012.00000002.518773545.0000000002FA0000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000012.00000002.518773545.0000000002FA0000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000000.288279316.000000000EC4A000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000000.288279316.000000000EC4A000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.314889663.0000000000A20000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.314889663.0000000000A20000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000000.305725796.000000000EC4A000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000000.305725796.000000000EC4A000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.256688867.00000000041A8000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.256688867.00000000041A8000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000000.251285298.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000000.251285298.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.314919624.0000000000A50000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.314919624.0000000000A50000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.254885571.0000000003F8D000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.254885571.0000000003F8D000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000012.00000002.518592905.0000000002E90000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000012.00000002.518592905.0000000002E90000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Uses 32bit PE files
Source: S9yf6BkjhTQUbHE.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Yara signature match
Source: 1.0.S9yf6BkjhTQUbHE.exe.400000.6.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.0.S9yf6BkjhTQUbHE.exe.400000.6.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.0.S9yf6BkjhTQUbHE.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.0.S9yf6BkjhTQUbHE.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.0.S9yf6BkjhTQUbHE.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.0.S9yf6BkjhTQUbHE.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.0.S9yf6BkjhTQUbHE.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.0.S9yf6BkjhTQUbHE.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.S9yf6BkjhTQUbHE.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.2.S9yf6BkjhTQUbHE.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.S9yf6BkjhTQUbHE.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.2.S9yf6BkjhTQUbHE.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.0.S9yf6BkjhTQUbHE.exe.400000.8.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.0.S9yf6BkjhTQUbHE.exe.400000.8.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.314660733.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.314660733.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000000.250860288.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000000.250860288.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000012.00000002.514724044.00000000008D0000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000012.00000002.514724044.00000000008D0000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000012.00000002.518773545.0000000002FA0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000012.00000002.518773545.0000000002FA0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000000.288279316.000000000EC4A000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000000.288279316.000000000EC4A000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.314889663.0000000000A20000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.314889663.0000000000A20000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000000.305725796.000000000EC4A000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000000.305725796.000000000EC4A000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.256688867.00000000041A8000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.256688867.00000000041A8000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000000.251285298.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000000.251285298.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.314919624.0000000000A50000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.314919624.0000000000A50000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.254885571.0000000003F8D000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.254885571.0000000003F8D000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000012.00000002.518592905.0000000002E90000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000012.00000002.518592905.0000000002E90000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Detected potential crypto function
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 0_2_05525AB0 0_2_05525AB0
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 0_2_05525AA0 0_2_05525AA0
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_00401030 1_2_00401030
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_0041BA22 1_2_0041BA22
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_0041C42D 1_2_0041C42D
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_00408C8D 1_2_00408C8D
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_00408C90 1_2_00408C90
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_00402D87 1_2_00402D87
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_00402D90 1_2_00402D90
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_00402FB0 1_2_00402FB0
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_0041CFB4 1_2_0041CFB4
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_010BF900 1_2_010BF900
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_01182D07 1_2_01182D07
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_010B0D20 1_2_010B0D20
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_010D4120 1_2_010D4120
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_01181D55 1_2_01181D55
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_010E2581 1_2_010E2581
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_011825DD 1_2_011825DD
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_010CD5E0 1_2_010CD5E0
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_010C841F 1_2_010C841F
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_01171002 1_2_01171002
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_0117D466 1_2_0117D466
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_010CB090 1_2_010CB090
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_010E20A0 1_2_010E20A0
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_011820A8 1_2_011820A8
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_011828EC 1_2_011828EC
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_01182B28 1_2_01182B28
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_010EEBB0 1_2_010EEBB0
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_0117DBD2 1_2_0117DBD2
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_01181FF1 1_2_01181FF1
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_010D6E30 1_2_010D6E30
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_011822AE 1_2_011822AE
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_01182EF7 1_2_01182EF7
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04D6D466 18_2_04D6D466
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04CB841F 18_2_04CB841F
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04D725DD 18_2_04D725DD
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04CBD5E0 18_2_04CBD5E0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04CD2581 18_2_04CD2581
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04D71D55 18_2_04D71D55
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04D72D07 18_2_04D72D07
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04CA0D20 18_2_04CA0D20
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04D72EF7 18_2_04D72EF7
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04D6D616 18_2_04D6D616
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04CC6E30 18_2_04CC6E30
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04D7DFCE 18_2_04D7DFCE
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04D71FF1 18_2_04D71FF1
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04D728EC 18_2_04D728EC
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04CBB090 18_2_04CBB090
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04CD20A0 18_2_04CD20A0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04D720A8 18_2_04D720A8
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04D61002 18_2_04D61002
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04D7E824 18_2_04D7E824
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04CCA830 18_2_04CCA830
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04CAF900 18_2_04CAF900
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04CC4120 18_2_04CC4120
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04D722AE 18_2_04D722AE
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04D5FA2B 18_2_04D5FA2B
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04D6DBD2 18_2_04D6DBD2
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04D603DA 18_2_04D603DA
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04CDEBB0 18_2_04CDEBB0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04CCAB40 18_2_04CCAB40
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04D72B28 18_2_04D72B28
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_008EBA22 18_2_008EBA22
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_008D8C8D 18_2_008D8C8D
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_008D8C90 18_2_008D8C90
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_008EC41E 18_2_008EC41E
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_008D2D87 18_2_008D2D87
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_008D2D90 18_2_008D2D90
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_008ECFB4 18_2_008ECFB4
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_008D2FB0 18_2_008D2FB0
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: String function: 010BB150 appears 35 times
Source: C:\Windows\SysWOW64\msdt.exe Code function: String function: 04CAB150 appears 54 times
Contains functionality to call native functions
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_004185F0 NtCreateFile, 1_2_004185F0
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_004186A0 NtReadFile, 1_2_004186A0
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_00418720 NtClose, 1_2_00418720
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_004187D0 NtAllocateVirtualMemory, 1_2_004187D0
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_0041869A NtReadFile, 1_2_0041869A
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_004187CA NtAllocateVirtualMemory, 1_2_004187CA
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_010F9910 NtAdjustPrivilegesToken,LdrInitializeThunk, 1_2_010F9910
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_010F9540 NtReadFile,LdrInitializeThunk, 1_2_010F9540
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_010F99A0 NtCreateSection,LdrInitializeThunk, 1_2_010F99A0
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_010F95D0 NtClose,LdrInitializeThunk, 1_2_010F95D0
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_010F9840 NtDelayExecution,LdrInitializeThunk, 1_2_010F9840
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_010F9860 NtQuerySystemInformation,LdrInitializeThunk, 1_2_010F9860
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_010F98F0 NtReadVirtualMemory,LdrInitializeThunk, 1_2_010F98F0
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_010F9710 NtQueryInformationToken,LdrInitializeThunk, 1_2_010F9710
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_010F9780 NtMapViewOfSection,LdrInitializeThunk, 1_2_010F9780
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_010F97A0 NtUnmapViewOfSection,LdrInitializeThunk, 1_2_010F97A0
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_010F9FE0 NtCreateMutant,LdrInitializeThunk, 1_2_010F9FE0
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_010F9A00 NtProtectVirtualMemory,LdrInitializeThunk, 1_2_010F9A00
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_010F9A20 NtResumeThread,LdrInitializeThunk, 1_2_010F9A20
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_010F9A50 NtCreateFile,LdrInitializeThunk, 1_2_010F9A50
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_010F9660 NtAllocateVirtualMemory,LdrInitializeThunk, 1_2_010F9660
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_010F96E0 NtFreeVirtualMemory,LdrInitializeThunk, 1_2_010F96E0
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_010F9520 NtWaitForSingleObject, 1_2_010F9520
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_010FAD30 NtSetContextThread, 1_2_010FAD30
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_010F9950 NtQueueApcThread, 1_2_010F9950
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_010F9560 NtWriteFile, 1_2_010F9560
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_010F99D0 NtCreateProcessEx, 1_2_010F99D0
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_010F95F0 NtQueryInformationFile, 1_2_010F95F0
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_010F9820 NtEnumerateKey, 1_2_010F9820
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_010FB040 NtSuspendThread, 1_2_010FB040
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_010F98A0 NtWriteVirtualMemory, 1_2_010F98A0
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_010F9B00 NtSetValueKey, 1_2_010F9B00
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_010FA710 NtOpenProcessToken, 1_2_010FA710
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_010F9730 NtQueryVirtualMemory, 1_2_010F9730
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_010F9760 NtOpenProcess, 1_2_010F9760
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_010F9770 NtSetInformationFile, 1_2_010F9770
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_010FA770 NtOpenThread, 1_2_010FA770
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_010FA3B0 NtGetContextThread, 1_2_010FA3B0
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_010F9610 NtEnumerateValueKey, 1_2_010F9610
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_010F9A10 NtQuerySection, 1_2_010F9A10
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_010F9650 NtQueryValueKey, 1_2_010F9650
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_010F9670 NtQueryInformationProcess, 1_2_010F9670
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_010F9A80 NtOpenDirectoryObject, 1_2_010F9A80
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_010F96D0 NtCreateKey, 1_2_010F96D0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04CE95D0 NtClose,LdrInitializeThunk, 18_2_04CE95D0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04CE9540 NtReadFile,LdrInitializeThunk, 18_2_04CE9540
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04CE96D0 NtCreateKey,LdrInitializeThunk, 18_2_04CE96D0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04CE96E0 NtFreeVirtualMemory,LdrInitializeThunk, 18_2_04CE96E0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04CE9650 NtQueryValueKey,LdrInitializeThunk, 18_2_04CE9650
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04CE9660 NtAllocateVirtualMemory,LdrInitializeThunk, 18_2_04CE9660
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04CE9FE0 NtCreateMutant,LdrInitializeThunk, 18_2_04CE9FE0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04CE9780 NtMapViewOfSection,LdrInitializeThunk, 18_2_04CE9780
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04CE9710 NtQueryInformationToken,LdrInitializeThunk, 18_2_04CE9710
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04CE9840 NtDelayExecution,LdrInitializeThunk, 18_2_04CE9840
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04CE9860 NtQuerySystemInformation,LdrInitializeThunk, 18_2_04CE9860
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04CE99A0 NtCreateSection,LdrInitializeThunk, 18_2_04CE99A0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04CE9910 NtAdjustPrivilegesToken,LdrInitializeThunk, 18_2_04CE9910
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04CE9A50 NtCreateFile,LdrInitializeThunk, 18_2_04CE9A50
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04CE95F0 NtQueryInformationFile, 18_2_04CE95F0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04CE9560 NtWriteFile, 18_2_04CE9560
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04CE9520 NtWaitForSingleObject, 18_2_04CE9520
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04CEAD30 NtSetContextThread, 18_2_04CEAD30
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04CE9670 NtQueryInformationProcess, 18_2_04CE9670
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04CE9610 NtEnumerateValueKey, 18_2_04CE9610
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04CE97A0 NtUnmapViewOfSection, 18_2_04CE97A0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04CE9760 NtOpenProcess, 18_2_04CE9760
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04CEA770 NtOpenThread, 18_2_04CEA770
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04CE9770 NtSetInformationFile, 18_2_04CE9770
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04CEA710 NtOpenProcessToken, 18_2_04CEA710
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04CE9730 NtQueryVirtualMemory, 18_2_04CE9730
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04CE98F0 NtReadVirtualMemory, 18_2_04CE98F0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04CE98A0 NtWriteVirtualMemory, 18_2_04CE98A0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04CEB040 NtSuspendThread, 18_2_04CEB040
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04CE9820 NtEnumerateKey, 18_2_04CE9820
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04CE99D0 NtCreateProcessEx, 18_2_04CE99D0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04CE9950 NtQueueApcThread, 18_2_04CE9950
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04CE9A80 NtOpenDirectoryObject, 18_2_04CE9A80
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04CE9A00 NtProtectVirtualMemory, 18_2_04CE9A00
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04CE9A10 NtQuerySection, 18_2_04CE9A10
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04CE9A20 NtResumeThread, 18_2_04CE9A20
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04CEA3B0 NtGetContextThread, 18_2_04CEA3B0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04CE9B00 NtSetValueKey, 18_2_04CE9B00
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_008E85F0 NtCreateFile, 18_2_008E85F0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_008E86A0 NtReadFile, 18_2_008E86A0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_008E87D0 NtAllocateVirtualMemory, 18_2_008E87D0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_008E8720 NtClose, 18_2_008E8720
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_008E869A NtReadFile, 18_2_008E869A
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_008E87CA NtAllocateVirtualMemory, 18_2_008E87CA
Sample file is different than original file name gathered from version info
Source: S9yf6BkjhTQUbHE.exe, 00000000.00000002.253365121.00000000011E9000.00000004.00000020.sdmp Binary or memory string: OriginalFilenameclr.dllT vs S9yf6BkjhTQUbHE.exe
Source: S9yf6BkjhTQUbHE.exe, 00000000.00000002.257531563.00000000061E0000.00000004.00020000.sdmp Binary or memory string: OriginalFilenameUI.dll@ vs S9yf6BkjhTQUbHE.exe
Source: S9yf6BkjhTQUbHE.exe, 00000000.00000002.254885571.0000000003F8D000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameUI.dll@ vs S9yf6BkjhTQUbHE.exe
Source: S9yf6BkjhTQUbHE.exe, 00000000.00000002.257392561.0000000005CB0000.00000004.00020000.sdmp Binary or memory string: OriginalFilenameInnerException.dll" vs S9yf6BkjhTQUbHE.exe
Source: S9yf6BkjhTQUbHE.exe, 00000000.00000000.241151855.0000000000AF0000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameInAttribu.exe. vs S9yf6BkjhTQUbHE.exe
Source: S9yf6BkjhTQUbHE.exe, 00000000.00000002.254291450.000000000304A000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameInnerException.dll" vs S9yf6BkjhTQUbHE.exe
Source: S9yf6BkjhTQUbHE.exe, 00000000.00000002.254094379.0000000002F81000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameInnerException.dll" vs S9yf6BkjhTQUbHE.exe
Source: S9yf6BkjhTQUbHE.exe, 00000001.00000002.316216528.00000000013C0000.00000040.00020000.sdmp Binary or memory string: OriginalFilenamemsdt.exej% vs S9yf6BkjhTQUbHE.exe
Source: S9yf6BkjhTQUbHE.exe, 00000001.00000002.315540875.00000000011AF000.00000040.00000001.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs S9yf6BkjhTQUbHE.exe
Source: S9yf6BkjhTQUbHE.exe, 00000001.00000000.248672814.00000000004C0000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameInAttribu.exe. vs S9yf6BkjhTQUbHE.exe
Source: S9yf6BkjhTQUbHE.exe, 00000001.00000002.316078938.000000000133F000.00000040.00000001.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs S9yf6BkjhTQUbHE.exe
Source: S9yf6BkjhTQUbHE.exe Binary or memory string: OriginalFilenameInAttribu.exe. vs S9yf6BkjhTQUbHE.exe
Source: S9yf6BkjhTQUbHE.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: S9yf6BkjhTQUbHE.exe ReversingLabs: Detection: 22%
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe File read: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe:Zone.Identifier
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe "C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe"
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Process created: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\autoconv.exe C:\Windows\SysWOW64\autoconv.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\msdt.exe C:\Windows\SysWOW64\msdt.exe
Source: C:\Windows\SysWOW64\msdt.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\msdt.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\S9yf6BkjhTQUbHE.exe.log
Source: classification engine Classification label: mal100.troj.evad.winEXE@8/1@13/2
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6368:120:WilError_01
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\.net data provider for sqlserver
Source: S9yf6BkjhTQUbHE.exe String found in binary or memory: /InAttribu;component/views/addbook.xaml
Source: S9yf6BkjhTQUbHE.exe String found in binary or memory: views/addbook.baml
Source: S9yf6BkjhTQUbHE.exe String found in binary or memory: views/addcustomer.baml
Source: S9yf6BkjhTQUbHE.exe String found in binary or memory: /InAttribu;component/views/addcustomer.xaml
Source: S9yf6BkjhTQUbHE.exe String found in binary or memory: /InAttribu;component/views/addbook.xaml
Source: S9yf6BkjhTQUbHE.exe String found in binary or memory: views/addcustomer.baml
Source: S9yf6BkjhTQUbHE.exe String found in binary or memory: views/addbook.baml
Source: S9yf6BkjhTQUbHE.exe String found in binary or memory: /InAttribu;component/views/addcustomer.xaml
Source: S9yf6BkjhTQUbHE.exe String found in binary or memory: O/InAttribu;component/views/addbook.xamle/InAttribu;component/views/borrowfrombookview.xaml[/InAttribu;component/views/borrowingview.xamlU/InAttribu;component/views/changebook.xaml]/InAttribu;component/views/changecustomer.xamlY/InAttribu;component/views/customerview.xaml]/InAttribu;component/views/deletecustomer.xamlS/InAttribu;component/views/errorview.xamlW/InAttribu;component/views/smallextras.xamlW/InAttribu;component/views/addcustomer.xaml
Source: S9yf6BkjhTQUbHE.exe String found in binary or memory: *images/booksimage.jpg$views/addbook.baml1J,views/addcustomer.baml
Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\msdt.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: S9yf6BkjhTQUbHE.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: S9yf6BkjhTQUbHE.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: msdt.pdbGCTL source: S9yf6BkjhTQUbHE.exe, 00000001.00000002.316216528.00000000013C0000.00000040.00020000.sdmp
Source: Binary string: wntdll.pdbUGP source: S9yf6BkjhTQUbHE.exe, 00000001.00000002.315540875.00000000011AF000.00000040.00000001.sdmp, S9yf6BkjhTQUbHE.exe, 00000001.00000002.315139597.0000000001090000.00000040.00000001.sdmp, msdt.exe, 00000012.00000002.520823591.0000000004D9F000.00000040.00000001.sdmp, msdt.exe, 00000012.00000002.520500167.0000000004C80000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: S9yf6BkjhTQUbHE.exe, S9yf6BkjhTQUbHE.exe, 00000001.00000002.315540875.00000000011AF000.00000040.00000001.sdmp, S9yf6BkjhTQUbHE.exe, 00000001.00000002.315139597.0000000001090000.00000040.00000001.sdmp, msdt.exe, msdt.exe, 00000012.00000002.520823591.0000000004D9F000.00000040.00000001.sdmp, msdt.exe, 00000012.00000002.520500167.0000000004C80000.00000040.00000001.sdmp
Source: Binary string: msdt.pdb source: S9yf6BkjhTQUbHE.exe, 00000001.00000002.316216528.00000000013C0000.00000040.00020000.sdmp

Data Obfuscation:

.NET source code contains potential unpacker
Source: S9yf6BkjhTQUbHE.exe, Biblan/Views/MainWindow.cs .Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.0.S9yf6BkjhTQUbHE.exe.a80000.0.unpack, Biblan/Views/MainWindow.cs .Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.2.S9yf6BkjhTQUbHE.exe.a80000.0.unpack, Biblan/Views/MainWindow.cs .Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 1.0.S9yf6BkjhTQUbHE.exe.450000.1.unpack, Biblan/Views/MainWindow.cs .Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 1.2.S9yf6BkjhTQUbHE.exe.450000.1.unpack, Biblan/Views/MainWindow.cs .Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 1.0.S9yf6BkjhTQUbHE.exe.450000.7.unpack, Biblan/Views/MainWindow.cs .Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 1.0.S9yf6BkjhTQUbHE.exe.450000.0.unpack, Biblan/Views/MainWindow.cs .Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 1.0.S9yf6BkjhTQUbHE.exe.450000.2.unpack, Biblan/Views/MainWindow.cs .Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 1.0.S9yf6BkjhTQUbHE.exe.450000.5.unpack, Biblan/Views/MainWindow.cs .Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 1.0.S9yf6BkjhTQUbHE.exe.450000.3.unpack, Biblan/Views/MainWindow.cs .Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 1.0.S9yf6BkjhTQUbHE.exe.450000.9.unpack, Biblan/Views/MainWindow.cs .Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 0_2_00A86F9A push 00000018h; retf 0_2_00A8715A
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 0_2_00A892F5 push ds; ret 0_2_00A89340
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 0_2_00A89361 push ds; retf 0_2_00A89364
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 0_2_00A89347 push ds; ret 0_2_00A8934C
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 0_2_055256E0 push esp; iretd 0_2_055256E9
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_0041B832 push eax; ret 1_2_0041B838
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_0041B83B push eax; ret 1_2_0041B8A2
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_0041B89C push eax; ret 1_2_0041B8A2
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_0041533E push esp; ret 1_2_0041533F
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_0041B7E5 push eax; ret 1_2_0041B838
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_004592F5 push ds; ret 1_2_00459340
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_00459347 push ds; ret 1_2_0045934C
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_00459361 push ds; retf 1_2_00459364
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_00456F9A push 00000018h; retf 1_2_0045715A
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_0110D0D1 push ecx; ret 1_2_0110D0E4
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04CFD0D1 push ecx; ret 18_2_04CFD0E4
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_008EB89C push eax; ret 18_2_008EB8A2
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_008EB83B push eax; ret 18_2_008EB8A2
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_008EB832 push eax; ret 18_2_008EB838
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_008E533E push esp; ret 18_2_008E533F
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_008EB7E5 push eax; ret 18_2_008EB838
Source: initial sample Static PE information: section name: .text entropy: 7.85954100497

Hooking and other Techniques for Hiding and Protection:

Self deletion via cmd delete
Source: C:\Windows\SysWOW64\msdt.exe Process created: /c del "C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe"
Source: C:\Windows\SysWOW64\msdt.exe Process created: /c del "C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe" Jump to behavior
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Process information set: NOOPENFILEERRORBOX (55 identical entries)
Source: C:\Windows\SysWOW64\msdt.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX (5 identical entries)

Malware Analysis System Evasion:

Yara detected AntiVM3
Source: Yara match File source: 0.2.S9yf6BkjhTQUbHE.exe.2fe8e70.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.S9yf6BkjhTQUbHE.exe.307aecc.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.254291450.000000000304A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.254094379.0000000002F81000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: S9yf6BkjhTQUbHE.exe PID: 6344, type: MEMORYSTR
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: S9yf6BkjhTQUbHE.exe, 00000000.00000002.254291450.000000000304A000.00000004.00000001.sdmp, S9yf6BkjhTQUbHE.exe, 00000000.00000002.254094379.0000000002F81000.00000004.00000001.sdmp Binary or memory string: SBIEDLL.DLL
Source: S9yf6BkjhTQUbHE.exe, 00000000.00000002.254291450.000000000304A000.00000004.00000001.sdmp, S9yf6BkjhTQUbHE.exe, 00000000.00000002.254094379.0000000002F81000.00000004.00000001.sdmp Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe RDTSC instruction interceptor: First address: 0000000000408614 second address: 000000000040861A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe RDTSC instruction interceptor: First address: 00000000004089AE second address: 00000000004089B4 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\msdt.exe RDTSC instruction interceptor: First address: 00000000008D8614 second address: 00000000008D861A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\msdt.exe RDTSC instruction interceptor: First address: 00000000008D89AE second address: 00000000008D89B4 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe TID: 6388 Thread sleep time: -3689348814741908s >= -30000s
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe TID: 6388 Thread sleep time: -240000s >= -30000s
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe TID: 6388 Thread sleep time: -239859s >= -30000s
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe TID: 6392 Thread sleep count: 1268 > 30
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe TID: 6392 Thread sleep count: 928 > 30
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe TID: 6388 Thread sleep time: -239732s >= -30000s
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe TID: 6348 Thread sleep time: -30583s >= -30000s
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe TID: 6388 Thread sleep time: -239623s >= -30000s
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe TID: 6388 Thread sleep time: -239512s >= -30000s
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe TID: 6388 Thread sleep time: -239405s >= -30000s
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe TID: 6388 Thread sleep time: -239281s >= -30000s
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe TID: 6388 Thread sleep time: -239170s >= -30000s
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe TID: 6388 Thread sleep time: -239046s >= -30000s
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe TID: 6388 Thread sleep time: -238903s >= -30000s
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe TID: 6388 Thread sleep time: -238765s >= -30000s
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe TID: 6388 Thread sleep time: -238656s >= -30000s
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe TID: 6388 Thread sleep time: -238531s >= -30000s
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe TID: 6388 Thread sleep time: -238421s >= -30000s
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe TID: 6388 Thread sleep time: -238311s >= -30000s
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe TID: 6388 Thread sleep time: -238203s >= -30000s
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe TID: 6388 Thread sleep time: -237906s >= -30000s
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe TID: 6388 Thread sleep time: -237312s >= -30000s
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe TID: 6388 Thread sleep time: -237109s >= -30000s
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe TID: 6388 Thread sleep time: -236546s >= -30000s
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe TID: 6388 Thread sleep time: -236435s >= -30000s
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe TID: 6376 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\explorer.exe TID: 7104 Thread sleep time: -30000s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\explorer.exe Last function: Thread delayed
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_004088E0 rdtsc 1_2_004088E0
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Thread delayed: delay time: 240000
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Thread delayed: delay time: 239859
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Thread delayed: delay time: 239732
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Thread delayed: delay time: 239623
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Thread delayed: delay time: 239512
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Thread delayed: delay time: 239405
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Thread delayed: delay time: 239281
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Thread delayed: delay time: 239170
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Thread delayed: delay time: 239046
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Thread delayed: delay time: 238903
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Thread delayed: delay time: 238765
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Thread delayed: delay time: 238656
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Thread delayed: delay time: 238531
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Thread delayed: delay time: 238421
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Thread delayed: delay time: 238311
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Thread delayed: delay time: 238203
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Thread delayed: delay time: 237906
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Thread delayed: delay time: 237312
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Thread delayed: delay time: 237109
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Thread delayed: delay time: 236546
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Thread delayed: delay time: 236435
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Thread delayed: delay time: 922337203685477
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Window / User API: threadDelayed 1268
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Window / User API: threadDelayed 928
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Thread delayed: delay time: 240000
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Thread delayed: delay time: 239859
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Thread delayed: delay time: 239732
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Thread delayed: delay time: 30583
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Thread delayed: delay time: 239623
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Thread delayed: delay time: 239512
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Thread delayed: delay time: 239405
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Thread delayed: delay time: 239281
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Thread delayed: delay time: 239170
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Thread delayed: delay time: 239046
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Thread delayed: delay time: 238903
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Thread delayed: delay time: 238765
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Thread delayed: delay time: 238656
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Thread delayed: delay time: 238531
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Thread delayed: delay time: 238421
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Thread delayed: delay time: 238311
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Thread delayed: delay time: 238203
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Thread delayed: delay time: 237906
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Thread delayed: delay time: 237312
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Thread delayed: delay time: 237109
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Thread delayed: delay time: 236546
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Thread delayed: delay time: 236435
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Thread delayed: delay time: 922337203685477
Source: S9yf6BkjhTQUbHE.exe, 00000000.00000002.254094379.0000000002F81000.00000004.00000001.sdmp Binary or memory string: VMware SVGA IIBAdd-MpPreference -ExclusionPath "
Source: explorer.exe, 00000004.00000000.265082760.000000000891C000.00000004.00000001.sdmp Binary or memory string: VMware SATA CD00dRom0
Source: S9yf6BkjhTQUbHE.exe, 00000000.00000002.254094379.0000000002F81000.00000004.00000001.sdmp Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: explorer.exe, 00000004.00000000.274001743.00000000011B3000.00000004.00000020.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000004.00000000.296079980.0000000003710000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: S9yf6BkjhTQUbHE.exe, 00000000.00000002.254094379.0000000002F81000.00000004.00000001.sdmp Binary or memory string: vmware
Source: msdt.exe, 00000012.00000002.519572932.000000000318D000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAW1mYI
Source: msdt.exe, 00000012.00000002.519548832.0000000003182000.00000004.00000020.sdmp, msdt.exe, 00000012.00000002.519325977.000000000313F000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAW
Source: explorer.exe, 00000004.00000000.254354478.00000000011B3000.00000004.00000020.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000tft\0
Source: explorer.exe, 00000004.00000000.265145193.00000000089B5000.00000004.00000001.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000%
Source: explorer.exe, 00000004.00000000.257571644.00000000053C4000.00000004.00000001.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}>'R\"
Source: explorer.exe, 00000004.00000000.265145193.00000000089B5000.00000004.00000001.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&0000002
Source: S9yf6BkjhTQUbHE.exe, 00000000.00000002.254094379.0000000002F81000.00000004.00000001.sdmp Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools

Anti Debugging:

Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_004088E0 rdtsc 1_2_004088E0
Enables debug privileges
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Process token adjusted: Debug
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_010B9100 mov eax, dword ptr fs:[00000030h] 1_2_010B9100
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_010B9100 mov eax, dword ptr fs:[00000030h] 1_2_010B9100
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_010B9100 mov eax, dword ptr fs:[00000030h] 1_2_010B9100
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_0113A537 mov eax, dword ptr fs:[00000030h] 1_2_0113A537
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_01188D34 mov eax, dword ptr fs:[00000030h] 1_2_01188D34
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_010D4120 mov eax, dword ptr fs:[00000030h] 1_2_010D4120
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_010D4120 mov eax, dword ptr fs:[00000030h] 1_2_010D4120
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_010D4120 mov eax, dword ptr fs:[00000030h] 1_2_010D4120
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_010D4120 mov eax, dword ptr fs:[00000030h] 1_2_010D4120
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_010D4120 mov ecx, dword ptr fs:[00000030h] 1_2_010D4120
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_0117E539 mov eax, dword ptr fs:[00000030h] 1_2_0117E539
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_010E513A mov eax, dword ptr fs:[00000030h] 1_2_010E513A
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_010E513A mov eax, dword ptr fs:[00000030h] 1_2_010E513A
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_010E4D3B mov eax, dword ptr fs:[00000030h] 1_2_010E4D3B
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_010E4D3B mov eax, dword ptr fs:[00000030h] 1_2_010E4D3B
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_010E4D3B mov eax, dword ptr fs:[00000030h] 1_2_010E4D3B
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_010C3D34 mov eax, dword ptr fs:[00000030h] 1_2_010C3D34
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_010C3D34 mov eax, dword ptr fs:[00000030h] 1_2_010C3D34
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_010C3D34 mov eax, dword ptr fs:[00000030h] 1_2_010C3D34
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_010C3D34 mov eax, dword ptr fs:[00000030h] 1_2_010C3D34
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_010C3D34 mov eax, dword ptr fs:[00000030h] 1_2_010C3D34
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_010C3D34 mov eax, dword ptr fs:[00000030h] 1_2_010C3D34
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_010C3D34 mov eax, dword ptr fs:[00000030h] 1_2_010C3D34
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_010C3D34 mov eax, dword ptr fs:[00000030h] 1_2_010C3D34
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_010C3D34 mov eax, dword ptr fs:[00000030h] 1_2_010C3D34
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_010C3D34 mov eax, dword ptr fs:[00000030h] 1_2_010C3D34
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_010C3D34 mov eax, dword ptr fs:[00000030h] 1_2_010C3D34
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_010C3D34 mov eax, dword ptr fs:[00000030h] 1_2_010C3D34
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_010C3D34 mov eax, dword ptr fs:[00000030h] 1_2_010C3D34
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_010BAD30 mov eax, dword ptr fs:[00000030h] 1_2_010BAD30
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_010DB944 mov eax, dword ptr fs:[00000030h] 1_2_010DB944
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_010DB944 mov eax, dword ptr fs:[00000030h] 1_2_010DB944
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_010F3D43 mov eax, dword ptr fs:[00000030h] 1_2_010F3D43
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_01133540 mov eax, dword ptr fs:[00000030h] 1_2_01133540
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_010D7D50 mov eax, dword ptr fs:[00000030h] 1_2_010D7D50
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_010BC962 mov eax, dword ptr fs:[00000030h] 1_2_010BC962
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_010BB171 mov eax, dword ptr fs:[00000030h] 1_2_010BB171
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_010BB171 mov eax, dword ptr fs:[00000030h] 1_2_010BB171
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_010DC577 mov eax, dword ptr fs:[00000030h] 1_2_010DC577
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_010DC577 mov eax, dword ptr fs:[00000030h] 1_2_010DC577
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_010B2D8A mov eax, dword ptr fs:[00000030h] 1_2_010B2D8A
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_010B2D8A mov eax, dword ptr fs:[00000030h] 1_2_010B2D8A
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_010B2D8A mov eax, dword ptr fs:[00000030h] 1_2_010B2D8A
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_010B2D8A mov eax, dword ptr fs:[00000030h] 1_2_010B2D8A
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_010B2D8A mov eax, dword ptr fs:[00000030h] 1_2_010B2D8A
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_010EA185 mov eax, dword ptr fs:[00000030h] 1_2_010EA185
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_010DC182 mov eax, dword ptr fs:[00000030h] 1_2_010DC182
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_010E2581 mov eax, dword ptr fs:[00000030h] 1_2_010E2581
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_010E2581 mov eax, dword ptr fs:[00000030h] 1_2_010E2581
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_010E2581 mov eax, dword ptr fs:[00000030h] 1_2_010E2581
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_010E2581 mov eax, dword ptr fs:[00000030h] 1_2_010E2581
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_010EFD9B mov eax, dword ptr fs:[00000030h] 1_2_010EFD9B
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_010EFD9B mov eax, dword ptr fs:[00000030h] 1_2_010EFD9B
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_010E2990 mov eax, dword ptr fs:[00000030h] 1_2_010E2990
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_011351BE mov eax, dword ptr fs:[00000030h] 1_2_011351BE
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_011351BE mov eax, dword ptr fs:[00000030h] 1_2_011351BE
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_011351BE mov eax, dword ptr fs:[00000030h] 1_2_011351BE
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_011351BE mov eax, dword ptr fs:[00000030h] 1_2_011351BE
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_010E61A0 mov eax, dword ptr fs:[00000030h] 1_2_010E61A0
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_010E61A0 mov eax, dword ptr fs:[00000030h] 1_2_010E61A0
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_010E35A1 mov eax, dword ptr fs:[00000030h] 1_2_010E35A1
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_011805AC mov eax, dword ptr fs:[00000030h] 1_2_011805AC
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_011805AC mov eax, dword ptr fs:[00000030h] 1_2_011805AC
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_011369A6 mov eax, dword ptr fs:[00000030h] 1_2_011369A6
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_010E1DB5 mov eax, dword ptr fs:[00000030h] 1_2_010E1DB5
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_010E1DB5 mov eax, dword ptr fs:[00000030h] 1_2_010E1DB5
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_010E1DB5 mov eax, dword ptr fs:[00000030h] 1_2_010E1DB5
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_01136DC9 mov eax, dword ptr fs:[00000030h] 1_2_01136DC9
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_01136DC9 mov eax, dword ptr fs:[00000030h] 1_2_01136DC9
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_01136DC9 mov eax, dword ptr fs:[00000030h] 1_2_01136DC9
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_01136DC9 mov ecx, dword ptr fs:[00000030h] 1_2_01136DC9
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_01136DC9 mov eax, dword ptr fs:[00000030h] 1_2_01136DC9
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_01136DC9 mov eax, dword ptr fs:[00000030h] 1_2_01136DC9
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_01168DF1 mov eax, dword ptr fs:[00000030h] 1_2_01168DF1
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_010BB1E1 mov eax, dword ptr fs:[00000030h] 1_2_010BB1E1
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_010BB1E1 mov eax, dword ptr fs:[00000030h] 1_2_010BB1E1
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_010BB1E1 mov eax, dword ptr fs:[00000030h] 1_2_010BB1E1
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_010CD5E0 mov eax, dword ptr fs:[00000030h] 1_2_010CD5E0
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_010CD5E0 mov eax, dword ptr fs:[00000030h] 1_2_010CD5E0
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_0117FDE2 mov eax, dword ptr fs:[00000030h] 1_2_0117FDE2
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_0117FDE2 mov eax, dword ptr fs:[00000030h] 1_2_0117FDE2
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_0117FDE2 mov eax, dword ptr fs:[00000030h] 1_2_0117FDE2
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_0117FDE2 mov eax, dword ptr fs:[00000030h] 1_2_0117FDE2
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_011441E8 mov eax, dword ptr fs:[00000030h] 1_2_011441E8
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_01137016 mov eax, dword ptr fs:[00000030h] 1_2_01137016
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_01137016 mov eax, dword ptr fs:[00000030h] 1_2_01137016
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_01137016 mov eax, dword ptr fs:[00000030h] 1_2_01137016
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_01184015 mov eax, dword ptr fs:[00000030h] 1_2_01184015
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_01184015 mov eax, dword ptr fs:[00000030h] 1_2_01184015
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_01171C06 mov eax, dword ptr fs:[00000030h] 1_2_01171C06
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_01171C06 mov eax, dword ptr fs:[00000030h] 1_2_01171C06
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_01171C06 mov eax, dword ptr fs:[00000030h] 1_2_01171C06
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_01171C06 mov eax, dword ptr fs:[00000030h] 1_2_01171C06
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_01171C06 mov eax, dword ptr fs:[00000030h] 1_2_01171C06
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_01171C06 mov eax, dword ptr fs:[00000030h] 1_2_01171C06
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_01171C06 mov eax, dword ptr fs:[00000030h] 1_2_01171C06
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_01171C06 mov eax, dword ptr fs:[00000030h] 1_2_01171C06
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_01171C06 mov eax, dword ptr fs:[00000030h] 1_2_01171C06
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_01171C06 mov eax, dword ptr fs:[00000030h] 1_2_01171C06
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_01171C06 mov eax, dword ptr fs:[00000030h] 1_2_01171C06
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_01171C06 mov eax, dword ptr fs:[00000030h] 1_2_01171C06
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_01171C06 mov eax, dword ptr fs:[00000030h] 1_2_01171C06
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_01171C06 mov eax, dword ptr fs:[00000030h] 1_2_01171C06
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_0118740D mov eax, dword ptr fs:[00000030h] 1_2_0118740D
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_0118740D mov eax, dword ptr fs:[00000030h] 1_2_0118740D
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_0118740D mov eax, dword ptr fs:[00000030h] 1_2_0118740D
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_01136C0A mov eax, dword ptr fs:[00000030h] 1_2_01136C0A
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_01136C0A mov eax, dword ptr fs:[00000030h] 1_2_01136C0A
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_01136C0A mov eax, dword ptr fs:[00000030h] 1_2_01136C0A
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_01136C0A mov eax, dword ptr fs:[00000030h] 1_2_01136C0A
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_010EBC2C mov eax, dword ptr fs:[00000030h] 1_2_010EBC2C
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_010E002D mov eax, dword ptr fs:[00000030h] 1_2_010E002D
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_010E002D mov eax, dword ptr fs:[00000030h] 1_2_010E002D
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_010E002D mov eax, dword ptr fs:[00000030h] 1_2_010E002D
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_010E002D mov eax, dword ptr fs:[00000030h] 1_2_010E002D
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_010E002D mov eax, dword ptr fs:[00000030h] 1_2_010E002D
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_010CB02A mov eax, dword ptr fs:[00000030h] 1_2_010CB02A
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_010CB02A mov eax, dword ptr fs:[00000030h] 1_2_010CB02A
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_010CB02A mov eax, dword ptr fs:[00000030h] 1_2_010CB02A
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_010CB02A mov eax, dword ptr fs:[00000030h] 1_2_010CB02A
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_0114C450 mov eax, dword ptr fs:[00000030h] 1_2_0114C450
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_0114C450 mov eax, dword ptr fs:[00000030h] 1_2_0114C450
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_010EA44B mov eax, dword ptr fs:[00000030h] 1_2_010EA44B
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_010D0050 mov eax, dword ptr fs:[00000030h] 1_2_010D0050
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_010D0050 mov eax, dword ptr fs:[00000030h] 1_2_010D0050
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_010D746D mov eax, dword ptr fs:[00000030h] 1_2_010D746D
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_01172073 mov eax, dword ptr fs:[00000030h] 1_2_01172073
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_01181074 mov eax, dword ptr fs:[00000030h] 1_2_01181074
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_010B9080 mov eax, dword ptr fs:[00000030h] 1_2_010B9080
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_01133884 mov eax, dword ptr fs:[00000030h] 1_2_01133884
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_01133884 mov eax, dword ptr fs:[00000030h] 1_2_01133884
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_010C849B mov eax, dword ptr fs:[00000030h] 1_2_010C849B
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_010F90AF mov eax, dword ptr fs:[00000030h] 1_2_010F90AF
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_010E20A0 mov eax, dword ptr fs:[00000030h] 1_2_010E20A0
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_010E20A0 mov eax, dword ptr fs:[00000030h] 1_2_010E20A0
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_010E20A0 mov eax, dword ptr fs:[00000030h] 1_2_010E20A0
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_010E20A0 mov eax, dword ptr fs:[00000030h] 1_2_010E20A0
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_010E20A0 mov eax, dword ptr fs:[00000030h] 1_2_010E20A0
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_010E20A0 mov eax, dword ptr fs:[00000030h] 1_2_010E20A0
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_010EF0BF mov ecx, dword ptr fs:[00000030h] 1_2_010EF0BF
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_010EF0BF mov eax, dword ptr fs:[00000030h] 1_2_010EF0BF
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_010EF0BF mov eax, dword ptr fs:[00000030h] 1_2_010EF0BF
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_0114B8D0 mov eax, dword ptr fs:[00000030h] 1_2_0114B8D0
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_0114B8D0 mov ecx, dword ptr fs:[00000030h] 1_2_0114B8D0
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_0114B8D0 mov eax, dword ptr fs:[00000030h] 1_2_0114B8D0
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_0114B8D0 mov eax, dword ptr fs:[00000030h] 1_2_0114B8D0
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_0114B8D0 mov eax, dword ptr fs:[00000030h] 1_2_0114B8D0
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_0114B8D0 mov eax, dword ptr fs:[00000030h] 1_2_0114B8D0
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_01188CD6 mov eax, dword ptr fs:[00000030h] 1_2_01188CD6
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_01136CF0 mov eax, dword ptr fs:[00000030h] 1_2_01136CF0
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_01136CF0 mov eax, dword ptr fs:[00000030h] 1_2_01136CF0
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_01136CF0 mov eax, dword ptr fs:[00000030h] 1_2_01136CF0
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_010B58EC mov eax, dword ptr fs:[00000030h] 1_2_010B58EC
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_011714FB mov eax, dword ptr fs:[00000030h] 1_2_011714FB
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_010EA70E mov eax, dword ptr fs:[00000030h] 1_2_010EA70E
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_010EA70E mov eax, dword ptr fs:[00000030h] 1_2_010EA70E
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_0114FF10 mov eax, dword ptr fs:[00000030h] 1_2_0114FF10
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_0114FF10 mov eax, dword ptr fs:[00000030h] 1_2_0114FF10
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_0117131B mov eax, dword ptr fs:[00000030h] 1_2_0117131B
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_0118070D mov eax, dword ptr fs:[00000030h] 1_2_0118070D
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_0118070D mov eax, dword ptr fs:[00000030h] 1_2_0118070D
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_010DF716 mov eax, dword ptr fs:[00000030h] 1_2_010DF716
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_010B4F2E mov eax, dword ptr fs:[00000030h] 1_2_010B4F2E
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_010B4F2E mov eax, dword ptr fs:[00000030h] 1_2_010B4F2E
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_010EE730 mov eax, dword ptr fs:[00000030h] 1_2_010EE730
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_01188B58 mov eax, dword ptr fs:[00000030h] 1_2_01188B58
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_010BDB40 mov eax, dword ptr fs:[00000030h] 1_2_010BDB40
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_010CEF40 mov eax, dword ptr fs:[00000030h] 1_2_010CEF40
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_010BF358 mov eax, dword ptr fs:[00000030h] 1_2_010BF358
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_010BDB60 mov ecx, dword ptr fs:[00000030h] 1_2_010BDB60
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_010CFF60 mov eax, dword ptr fs:[00000030h] 1_2_010CFF60
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_01188F6A mov eax, dword ptr fs:[00000030h] 1_2_01188F6A
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_010E3B7A mov eax, dword ptr fs:[00000030h] 1_2_010E3B7A
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_010E3B7A mov eax, dword ptr fs:[00000030h] 1_2_010E3B7A
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_010C1B8F mov eax, dword ptr fs:[00000030h] 1_2_010C1B8F
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_010C1B8F mov eax, dword ptr fs:[00000030h] 1_2_010C1B8F
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_01137794 mov eax, dword ptr fs:[00000030h] 1_2_01137794
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_01137794 mov eax, dword ptr fs:[00000030h] 1_2_01137794
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_01137794 mov eax, dword ptr fs:[00000030h] 1_2_01137794
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_0116D380 mov ecx, dword ptr fs:[00000030h] 1_2_0116D380
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_010C8794 mov eax, dword ptr fs:[00000030h] 1_2_010C8794
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_010E2397 mov eax, dword ptr fs:[00000030h] 1_2_010E2397
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_0117138A mov eax, dword ptr fs:[00000030h] 1_2_0117138A
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_010EB390 mov eax, dword ptr fs:[00000030h] 1_2_010EB390
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_010E4BAD mov eax, dword ptr fs:[00000030h] 1_2_010E4BAD
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_010E4BAD mov eax, dword ptr fs:[00000030h] 1_2_010E4BAD
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_010E4BAD mov eax, dword ptr fs:[00000030h] 1_2_010E4BAD
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_01185BA5 mov eax, dword ptr fs:[00000030h] 1_2_01185BA5
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_011353CA mov eax, dword ptr fs:[00000030h] 1_2_011353CA
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_011353CA mov eax, dword ptr fs:[00000030h] 1_2_011353CA
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_010DDBE9 mov eax, dword ptr fs:[00000030h] 1_2_010DDBE9
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_010E03E2 mov eax, dword ptr fs:[00000030h] 1_2_010E03E2
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_010E03E2 mov eax, dword ptr fs:[00000030h] 1_2_010E03E2
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_010E03E2 mov eax, dword ptr fs:[00000030h] 1_2_010E03E2
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_010E03E2 mov eax, dword ptr fs:[00000030h] 1_2_010E03E2
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_010E03E2 mov eax, dword ptr fs:[00000030h] 1_2_010E03E2
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_010E03E2 mov eax, dword ptr fs:[00000030h] 1_2_010E03E2
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_010F37F5 mov eax, dword ptr fs:[00000030h] 1_2_010F37F5
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_010C8A0A mov eax, dword ptr fs:[00000030h] 1_2_010C8A0A
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_010BC600 mov eax, dword ptr fs:[00000030h] 1_2_010BC600
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_010BC600 mov eax, dword ptr fs:[00000030h] 1_2_010BC600
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_010BC600 mov eax, dword ptr fs:[00000030h] 1_2_010BC600
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_010E8E00 mov eax, dword ptr fs:[00000030h] 1_2_010E8E00
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_010D3A1C mov eax, dword ptr fs:[00000030h] 1_2_010D3A1C
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_010EA61C mov eax, dword ptr fs:[00000030h] 1_2_010EA61C
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_010EA61C mov eax, dword ptr fs:[00000030h] 1_2_010EA61C
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_010B5210 mov eax, dword ptr fs:[00000030h] 1_2_010B5210
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_010B5210 mov ecx, dword ptr fs:[00000030h] 1_2_010B5210
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_010B5210 mov eax, dword ptr fs:[00000030h] 1_2_010B5210
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_010B5210 mov eax, dword ptr fs:[00000030h] 1_2_010B5210
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_010BAA16 mov eax, dword ptr fs:[00000030h] 1_2_010BAA16
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_010BAA16 mov eax, dword ptr fs:[00000030h] 1_2_010BAA16
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_01171608 mov eax, dword ptr fs:[00000030h] 1_2_01171608
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_010F4A2C mov eax, dword ptr fs:[00000030h] 1_2_010F4A2C
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_010F4A2C mov eax, dword ptr fs:[00000030h] 1_2_010F4A2C
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_0116FE3F mov eax, dword ptr fs:[00000030h] 1_2_0116FE3F
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_010BE620 mov eax, dword ptr fs:[00000030h] 1_2_010BE620
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_0117EA55 mov eax, dword ptr fs:[00000030h] 1_2_0117EA55
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_01144257 mov eax, dword ptr fs:[00000030h] 1_2_01144257
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_010B9240 mov eax, dword ptr fs:[00000030h] 1_2_010B9240
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_010B9240 mov eax, dword ptr fs:[00000030h] 1_2_010B9240
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_010B9240 mov eax, dword ptr fs:[00000030h] 1_2_010B9240
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_010B9240 mov eax, dword ptr fs:[00000030h] 1_2_010B9240
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_010C7E41 mov eax, dword ptr fs:[00000030h] 1_2_010C7E41
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_010C7E41 mov eax, dword ptr fs:[00000030h] 1_2_010C7E41
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_010C7E41 mov eax, dword ptr fs:[00000030h] 1_2_010C7E41
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_010C7E41 mov eax, dword ptr fs:[00000030h] 1_2_010C7E41
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_010C7E41 mov eax, dword ptr fs:[00000030h] 1_2_010C7E41
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_010C7E41 mov eax, dword ptr fs:[00000030h] 1_2_010C7E41
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_0117AE44 mov eax, dword ptr fs:[00000030h] 1_2_0117AE44
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_0117AE44 mov eax, dword ptr fs:[00000030h] 1_2_0117AE44
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_010C766D mov eax, dword ptr fs:[00000030h] 1_2_010C766D
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_010F927A mov eax, dword ptr fs:[00000030h] 1_2_010F927A
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_0116B260 mov eax, dword ptr fs:[00000030h] 1_2_0116B260
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_0116B260 mov eax, dword ptr fs:[00000030h] 1_2_0116B260
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_01188A62 mov eax, dword ptr fs:[00000030h] 1_2_01188A62
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_010DAE73 mov eax, dword ptr fs:[00000030h] 1_2_010DAE73
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_010DAE73 mov eax, dword ptr fs:[00000030h] 1_2_010DAE73
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_010DAE73 mov eax, dword ptr fs:[00000030h] 1_2_010DAE73
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_010DAE73 mov eax, dword ptr fs:[00000030h] 1_2_010DAE73
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_010DAE73 mov eax, dword ptr fs:[00000030h] 1_2_010DAE73
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_0114FE87 mov eax, dword ptr fs:[00000030h] 1_2_0114FE87
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_010ED294 mov eax, dword ptr fs:[00000030h] 1_2_010ED294
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_010ED294 mov eax, dword ptr fs:[00000030h] 1_2_010ED294
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_010B52A5 mov eax, dword ptr fs:[00000030h] 1_2_010B52A5
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_010B52A5 mov eax, dword ptr fs:[00000030h] 1_2_010B52A5
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_010B52A5 mov eax, dword ptr fs:[00000030h] 1_2_010B52A5
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_010B52A5 mov eax, dword ptr fs:[00000030h] 1_2_010B52A5
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_010B52A5 mov eax, dword ptr fs:[00000030h] 1_2_010B52A5
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_011346A7 mov eax, dword ptr fs:[00000030h] 1_2_011346A7
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_010CAAB0 mov eax, dword ptr fs:[00000030h] 1_2_010CAAB0
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_010CAAB0 mov eax, dword ptr fs:[00000030h] 1_2_010CAAB0
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_01180EA5 mov eax, dword ptr fs:[00000030h] 1_2_01180EA5
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_01180EA5 mov eax, dword ptr fs:[00000030h] 1_2_01180EA5
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_01180EA5 mov eax, dword ptr fs:[00000030h] 1_2_01180EA5
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_010EFAB0 mov eax, dword ptr fs:[00000030h] 1_2_010EFAB0
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_010E36CC mov eax, dword ptr fs:[00000030h] 1_2_010E36CC
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_010E2ACB mov eax, dword ptr fs:[00000030h] 1_2_010E2ACB
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_010F8EC7 mov eax, dword ptr fs:[00000030h] 1_2_010F8EC7
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_01188ED6 mov eax, dword ptr fs:[00000030h] 1_2_01188ED6
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_0116FEC0 mov eax, dword ptr fs:[00000030h] 1_2_0116FEC0
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_010E2AE4 mov eax, dword ptr fs:[00000030h] 1_2_010E2AE4
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_010E16E0 mov ecx, dword ptr fs:[00000030h] 1_2_010E16E0
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_010C76E2 mov eax, dword ptr fs:[00000030h] 1_2_010C76E2
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04D78CD6 mov eax, dword ptr fs:[00000030h] 18_2_04D78CD6
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04D26CF0 mov eax, dword ptr fs:[00000030h] 18_2_04D26CF0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04D26CF0 mov eax, dword ptr fs:[00000030h] 18_2_04D26CF0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04D26CF0 mov eax, dword ptr fs:[00000030h] 18_2_04D26CF0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04D614FB mov eax, dword ptr fs:[00000030h] 18_2_04D614FB
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04CB849B mov eax, dword ptr fs:[00000030h] 18_2_04CB849B
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04D3C450 mov eax, dword ptr fs:[00000030h] 18_2_04D3C450
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04D3C450 mov eax, dword ptr fs:[00000030h] 18_2_04D3C450
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04CDA44B mov eax, dword ptr fs:[00000030h] 18_2_04CDA44B
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04CC746D mov eax, dword ptr fs:[00000030h] 18_2_04CC746D
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04D61C06 mov eax, dword ptr fs:[00000030h] 18_2_04D61C06
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04D61C06 mov eax, dword ptr fs:[00000030h] 18_2_04D61C06
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04D61C06 mov eax, dword ptr fs:[00000030h] 18_2_04D61C06
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04D61C06 mov eax, dword ptr fs:[00000030h] 18_2_04D61C06
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04D61C06 mov eax, dword ptr fs:[00000030h] 18_2_04D61C06
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04D61C06 mov eax, dword ptr fs:[00000030h] 18_2_04D61C06
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04D61C06 mov eax, dword ptr fs:[00000030h] 18_2_04D61C06
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04D61C06 mov eax, dword ptr fs:[00000030h] 18_2_04D61C06
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04D61C06 mov eax, dword ptr fs:[00000030h] 18_2_04D61C06
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04D61C06 mov eax, dword ptr fs:[00000030h] 18_2_04D61C06
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04D61C06 mov eax, dword ptr fs:[00000030h] 18_2_04D61C06
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04D61C06 mov eax, dword ptr fs:[00000030h] 18_2_04D61C06
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04D61C06 mov eax, dword ptr fs:[00000030h] 18_2_04D61C06
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04D61C06 mov eax, dword ptr fs:[00000030h] 18_2_04D61C06
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04D26C0A mov eax, dword ptr fs:[00000030h] 18_2_04D26C0A
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04D26C0A mov eax, dword ptr fs:[00000030h] 18_2_04D26C0A
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04D26C0A mov eax, dword ptr fs:[00000030h] 18_2_04D26C0A
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04D26C0A mov eax, dword ptr fs:[00000030h] 18_2_04D26C0A
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04D7740D mov eax, dword ptr fs:[00000030h] 18_2_04D7740D
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04D7740D mov eax, dword ptr fs:[00000030h] 18_2_04D7740D
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04D7740D mov eax, dword ptr fs:[00000030h] 18_2_04D7740D
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04CDBC2C mov eax, dword ptr fs:[00000030h] 18_2_04CDBC2C
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04D26DC9 mov eax, dword ptr fs:[00000030h] 18_2_04D26DC9
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04D26DC9 mov eax, dword ptr fs:[00000030h] 18_2_04D26DC9
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04D26DC9 mov eax, dword ptr fs:[00000030h] 18_2_04D26DC9
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04D26DC9 mov ecx, dword ptr fs:[00000030h] 18_2_04D26DC9
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04D26DC9 mov eax, dword ptr fs:[00000030h] 18_2_04D26DC9
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04D26DC9 mov eax, dword ptr fs:[00000030h] 18_2_04D26DC9
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04D58DF1 mov eax, dword ptr fs:[00000030h] 18_2_04D58DF1
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04CBD5E0 mov eax, dword ptr fs:[00000030h] 18_2_04CBD5E0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04CBD5E0 mov eax, dword ptr fs:[00000030h] 18_2_04CBD5E0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04D6FDE2 mov eax, dword ptr fs:[00000030h] 18_2_04D6FDE2
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04D6FDE2 mov eax, dword ptr fs:[00000030h] 18_2_04D6FDE2
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04D6FDE2 mov eax, dword ptr fs:[00000030h] 18_2_04D6FDE2
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04D6FDE2 mov eax, dword ptr fs:[00000030h] 18_2_04D6FDE2
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04CA2D8A mov eax, dword ptr fs:[00000030h] 18_2_04CA2D8A
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04CA2D8A mov eax, dword ptr fs:[00000030h] 18_2_04CA2D8A
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04CA2D8A mov eax, dword ptr fs:[00000030h] 18_2_04CA2D8A
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04CA2D8A mov eax, dword ptr fs:[00000030h] 18_2_04CA2D8A
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04CA2D8A mov eax, dword ptr fs:[00000030h] 18_2_04CA2D8A
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04CD2581 mov eax, dword ptr fs:[00000030h] 18_2_04CD2581
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04CD2581 mov eax, dword ptr fs:[00000030h] 18_2_04CD2581
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04CD2581 mov eax, dword ptr fs:[00000030h] 18_2_04CD2581
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04CD2581 mov eax, dword ptr fs:[00000030h] 18_2_04CD2581
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04CDFD9B mov eax, dword ptr fs:[00000030h] 18_2_04CDFD9B
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04CDFD9B mov eax, dword ptr fs:[00000030h] 18_2_04CDFD9B
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04CD35A1 mov eax, dword ptr fs:[00000030h] 18_2_04CD35A1
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04CD1DB5 mov eax, dword ptr fs:[00000030h] 18_2_04CD1DB5
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04CD1DB5 mov eax, dword ptr fs:[00000030h] 18_2_04CD1DB5
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04CD1DB5 mov eax, dword ptr fs:[00000030h] 18_2_04CD1DB5
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04D705AC mov eax, dword ptr fs:[00000030h] 18_2_04D705AC
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04D705AC mov eax, dword ptr fs:[00000030h] 18_2_04D705AC
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04CE3D43 mov eax, dword ptr fs:[00000030h] 18_2_04CE3D43
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04D23540 mov eax, dword ptr fs:[00000030h] 18_2_04D23540
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04D53D40 mov eax, dword ptr fs:[00000030h] 18_2_04D53D40
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04CC7D50 mov eax, dword ptr fs:[00000030h] 18_2_04CC7D50
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04CCC577 mov eax, dword ptr fs:[00000030h] 18_2_04CCC577
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04CCC577 mov eax, dword ptr fs:[00000030h] 18_2_04CCC577
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04D78D34 mov eax, dword ptr fs:[00000030h] 18_2_04D78D34
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04D2A537 mov eax, dword ptr fs:[00000030h] 18_2_04D2A537
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04D6E539 mov eax, dword ptr fs:[00000030h] 18_2_04D6E539
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04CD4D3B mov eax, dword ptr fs:[00000030h] 18_2_04CD4D3B
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04CD4D3B mov eax, dword ptr fs:[00000030h] 18_2_04CD4D3B
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04CD4D3B mov eax, dword ptr fs:[00000030h] 18_2_04CD4D3B
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04CAAD30 mov eax, dword ptr fs:[00000030h] 18_2_04CAAD30
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04CB3D34 mov eax, dword ptr fs:[00000030h] 18_2_04CB3D34
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04CB3D34 mov eax, dword ptr fs:[00000030h] 18_2_04CB3D34
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04CB3D34 mov eax, dword ptr fs:[00000030h] 18_2_04CB3D34
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04CB3D34 mov eax, dword ptr fs:[00000030h] 18_2_04CB3D34
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04CB3D34 mov eax, dword ptr fs:[00000030h] 18_2_04CB3D34
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04CB3D34 mov eax, dword ptr fs:[00000030h] 18_2_04CB3D34
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04CB3D34 mov eax, dword ptr fs:[00000030h] 18_2_04CB3D34
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04CB3D34 mov eax, dword ptr fs:[00000030h] 18_2_04CB3D34
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04CB3D34 mov eax, dword ptr fs:[00000030h] 18_2_04CB3D34
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04CB3D34 mov eax, dword ptr fs:[00000030h] 18_2_04CB3D34
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04CB3D34 mov eax, dword ptr fs:[00000030h] 18_2_04CB3D34
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04CB3D34 mov eax, dword ptr fs:[00000030h] 18_2_04CB3D34
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04CB3D34 mov eax, dword ptr fs:[00000030h] 18_2_04CB3D34
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04D78ED6 mov eax, dword ptr fs:[00000030h] 18_2_04D78ED6
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04CD36CC mov eax, dword ptr fs:[00000030h] 18_2_04CD36CC
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04CE8EC7 mov eax, dword ptr fs:[00000030h] 18_2_04CE8EC7
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04D5FEC0 mov eax, dword ptr fs:[00000030h] 18_2_04D5FEC0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04CB76E2 mov eax, dword ptr fs:[00000030h] 18_2_04CB76E2
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04CD16E0 mov ecx, dword ptr fs:[00000030h] 18_2_04CD16E0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04D3FE87 mov eax, dword ptr fs:[00000030h] 18_2_04D3FE87
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04D70EA5 mov eax, dword ptr fs:[00000030h] 18_2_04D70EA5
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04D70EA5 mov eax, dword ptr fs:[00000030h] 18_2_04D70EA5
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04D70EA5 mov eax, dword ptr fs:[00000030h] 18_2_04D70EA5
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04D246A7 mov eax, dword ptr fs:[00000030h] 18_2_04D246A7
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04CB7E41 mov eax, dword ptr fs:[00000030h] 18_2_04CB7E41
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04CB7E41 mov eax, dword ptr fs:[00000030h] 18_2_04CB7E41
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04CB7E41 mov eax, dword ptr fs:[00000030h] 18_2_04CB7E41
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04CB7E41 mov eax, dword ptr fs:[00000030h] 18_2_04CB7E41
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04CB7E41 mov eax, dword ptr fs:[00000030h] 18_2_04CB7E41
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04CB7E41 mov eax, dword ptr fs:[00000030h] 18_2_04CB7E41
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04D6AE44 mov eax, dword ptr fs:[00000030h] 18_2_04D6AE44
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04D6AE44 mov eax, dword ptr fs:[00000030h] 18_2_04D6AE44
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04CB766D mov eax, dword ptr fs:[00000030h] 18_2_04CB766D
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04CCAE73 mov eax, dword ptr fs:[00000030h] 18_2_04CCAE73
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04CCAE73 mov eax, dword ptr fs:[00000030h] 18_2_04CCAE73
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04CCAE73 mov eax, dword ptr fs:[00000030h] 18_2_04CCAE73
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04CCAE73 mov eax, dword ptr fs:[00000030h] 18_2_04CCAE73
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04CCAE73 mov eax, dword ptr fs:[00000030h] 18_2_04CCAE73
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04CAC600 mov eax, dword ptr fs:[00000030h] 18_2_04CAC600
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04CAC600 mov eax, dword ptr fs:[00000030h] 18_2_04CAC600
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04CAC600 mov eax, dword ptr fs:[00000030h] 18_2_04CAC600
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04CD8E00 mov eax, dword ptr fs:[00000030h] 18_2_04CD8E00
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04CDA61C mov eax, dword ptr fs:[00000030h] 18_2_04CDA61C
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04CDA61C mov eax, dword ptr fs:[00000030h] 18_2_04CDA61C
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04D61608 mov eax, dword ptr fs:[00000030h] 18_2_04D61608
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04D5FE3F mov eax, dword ptr fs:[00000030h] 18_2_04D5FE3F
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04CAE620 mov eax, dword ptr fs:[00000030h] 18_2_04CAE620
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04CE37F5 mov eax, dword ptr fs:[00000030h] 18_2_04CE37F5
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04D27794 mov eax, dword ptr fs:[00000030h] 18_2_04D27794
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04D27794 mov eax, dword ptr fs:[00000030h] 18_2_04D27794
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04D27794 mov eax, dword ptr fs:[00000030h] 18_2_04D27794
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04CB8794 mov eax, dword ptr fs:[00000030h] 18_2_04CB8794
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04CBEF40 mov eax, dword ptr fs:[00000030h] 18_2_04CBEF40
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04CBFF60 mov eax, dword ptr fs:[00000030h] 18_2_04CBFF60
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04D78F6A mov eax, dword ptr fs:[00000030h] 18_2_04D78F6A
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04D3FF10 mov eax, dword ptr fs:[00000030h] 18_2_04D3FF10
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04D3FF10 mov eax, dword ptr fs:[00000030h] 18_2_04D3FF10
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04CDA70E mov eax, dword ptr fs:[00000030h] 18_2_04CDA70E
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04CDA70E mov eax, dword ptr fs:[00000030h] 18_2_04CDA70E
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04D7070D mov eax, dword ptr fs:[00000030h] 18_2_04D7070D
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04D7070D mov eax, dword ptr fs:[00000030h] 18_2_04D7070D
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04CCF716 mov eax, dword ptr fs:[00000030h] 18_2_04CCF716
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04CA4F2E mov eax, dword ptr fs:[00000030h] 18_2_04CA4F2E
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04CA4F2E mov eax, dword ptr fs:[00000030h] 18_2_04CA4F2E
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04CDE730 mov eax, dword ptr fs:[00000030h] 18_2_04CDE730
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04D3B8D0 mov eax, dword ptr fs:[00000030h] 18_2_04D3B8D0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04D3B8D0 mov ecx, dword ptr fs:[00000030h] 18_2_04D3B8D0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04D3B8D0 mov eax, dword ptr fs:[00000030h] 18_2_04D3B8D0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04D3B8D0 mov eax, dword ptr fs:[00000030h] 18_2_04D3B8D0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04D3B8D0 mov eax, dword ptr fs:[00000030h] 18_2_04D3B8D0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04D3B8D0 mov eax, dword ptr fs:[00000030h] 18_2_04D3B8D0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04CA58EC mov eax, dword ptr fs:[00000030h] 18_2_04CA58EC
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04CA40E1 mov eax, dword ptr fs:[00000030h] 18_2_04CA40E1
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04CA40E1 mov eax, dword ptr fs:[00000030h] 18_2_04CA40E1
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04CA40E1 mov eax, dword ptr fs:[00000030h] 18_2_04CA40E1
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04CA9080 mov eax, dword ptr fs:[00000030h] 18_2_04CA9080
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04D23884 mov eax, dword ptr fs:[00000030h] 18_2_04D23884
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04D23884 mov eax, dword ptr fs:[00000030h] 18_2_04D23884
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04CE90AF mov eax, dword ptr fs:[00000030h] 18_2_04CE90AF
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04CD20A0 mov eax, dword ptr fs:[00000030h] 18_2_04CD20A0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04CD20A0 mov eax, dword ptr fs:[00000030h] 18_2_04CD20A0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04CD20A0 mov eax, dword ptr fs:[00000030h] 18_2_04CD20A0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04CD20A0 mov eax, dword ptr fs:[00000030h] 18_2_04CD20A0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04CD20A0 mov eax, dword ptr fs:[00000030h] 18_2_04CD20A0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04CD20A0 mov eax, dword ptr fs:[00000030h] 18_2_04CD20A0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04CDF0BF mov ecx, dword ptr fs:[00000030h] 18_2_04CDF0BF
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04CDF0BF mov eax, dword ptr fs:[00000030h] 18_2_04CDF0BF
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04CDF0BF mov eax, dword ptr fs:[00000030h] 18_2_04CDF0BF
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04CC0050 mov eax, dword ptr fs:[00000030h] 18_2_04CC0050
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04CC0050 mov eax, dword ptr fs:[00000030h] 18_2_04CC0050
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04D71074 mov eax, dword ptr fs:[00000030h] 18_2_04D71074
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04D62073 mov eax, dword ptr fs:[00000030h] 18_2_04D62073
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04D74015 mov eax, dword ptr fs:[00000030h] 18_2_04D74015
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04D74015 mov eax, dword ptr fs:[00000030h] 18_2_04D74015
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04D27016 mov eax, dword ptr fs:[00000030h] 18_2_04D27016
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04D27016 mov eax, dword ptr fs:[00000030h] 18_2_04D27016
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04D27016 mov eax, dword ptr fs:[00000030h] 18_2_04D27016
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04CD002D mov eax, dword ptr fs:[00000030h] 18_2_04CD002D
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04CD002D mov eax, dword ptr fs:[00000030h] 18_2_04CD002D
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04CD002D mov eax, dword ptr fs:[00000030h] 18_2_04CD002D
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04CD002D mov eax, dword ptr fs:[00000030h] 18_2_04CD002D
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04CD002D mov eax, dword ptr fs:[00000030h] 18_2_04CD002D
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04CBB02A mov eax, dword ptr fs:[00000030h] 18_2_04CBB02A
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04CBB02A mov eax, dword ptr fs:[00000030h] 18_2_04CBB02A
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04CBB02A mov eax, dword ptr fs:[00000030h] 18_2_04CBB02A
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04CBB02A mov eax, dword ptr fs:[00000030h] 18_2_04CBB02A
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04CCA830 mov eax, dword ptr fs:[00000030h] 18_2_04CCA830
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04CCA830 mov eax, dword ptr fs:[00000030h] 18_2_04CCA830
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04CCA830 mov eax, dword ptr fs:[00000030h] 18_2_04CCA830
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04CCA830 mov eax, dword ptr fs:[00000030h] 18_2_04CCA830
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04CAB1E1 mov eax, dword ptr fs:[00000030h] 18_2_04CAB1E1
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04CAB1E1 mov eax, dword ptr fs:[00000030h] 18_2_04CAB1E1
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04CAB1E1 mov eax, dword ptr fs:[00000030h] 18_2_04CAB1E1
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04D341E8 mov eax, dword ptr fs:[00000030h] 18_2_04D341E8
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04CDA185 mov eax, dword ptr fs:[00000030h] 18_2_04CDA185
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04CCC182 mov eax, dword ptr fs:[00000030h] 18_2_04CCC182
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04CD2990 mov eax, dword ptr fs:[00000030h] 18_2_04CD2990
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04D251BE mov eax, dword ptr fs:[00000030h] 18_2_04D251BE
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04D251BE mov eax, dword ptr fs:[00000030h] 18_2_04D251BE
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04D251BE mov eax, dword ptr fs:[00000030h] 18_2_04D251BE
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04D251BE mov eax, dword ptr fs:[00000030h] 18_2_04D251BE
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04CD61A0 mov eax, dword ptr fs:[00000030h] 18_2_04CD61A0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04CD61A0 mov eax, dword ptr fs:[00000030h] 18_2_04CD61A0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04D649A4 mov eax, dword ptr fs:[00000030h] 18_2_04D649A4
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04D649A4 mov eax, dword ptr fs:[00000030h] 18_2_04D649A4
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04D649A4 mov eax, dword ptr fs:[00000030h] 18_2_04D649A4
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04D649A4 mov eax, dword ptr fs:[00000030h] 18_2_04D649A4
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04D269A6 mov eax, dword ptr fs:[00000030h] 18_2_04D269A6
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04CCB944 mov eax, dword ptr fs:[00000030h] 18_2_04CCB944
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04CCB944 mov eax, dword ptr fs:[00000030h] 18_2_04CCB944
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04CAC962 mov eax, dword ptr fs:[00000030h] 18_2_04CAC962
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04CAB171 mov eax, dword ptr fs:[00000030h] 18_2_04CAB171
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04CAB171 mov eax, dword ptr fs:[00000030h] 18_2_04CAB171
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04CA9100 mov eax, dword ptr fs:[00000030h] 18_2_04CA9100
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04CA9100 mov eax, dword ptr fs:[00000030h] 18_2_04CA9100
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04CA9100 mov eax, dword ptr fs:[00000030h] 18_2_04CA9100
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04CC4120 mov eax, dword ptr fs:[00000030h] 18_2_04CC4120
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04CC4120 mov eax, dword ptr fs:[00000030h] 18_2_04CC4120
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04CC4120 mov eax, dword ptr fs:[00000030h] 18_2_04CC4120
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04CC4120 mov eax, dword ptr fs:[00000030h] 18_2_04CC4120
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04CC4120 mov ecx, dword ptr fs:[00000030h] 18_2_04CC4120
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04CD513A mov eax, dword ptr fs:[00000030h] 18_2_04CD513A
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04CD513A mov eax, dword ptr fs:[00000030h] 18_2_04CD513A
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04CD2ACB mov eax, dword ptr fs:[00000030h] 18_2_04CD2ACB
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04CD2AE4 mov eax, dword ptr fs:[00000030h] 18_2_04CD2AE4
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04CDD294 mov eax, dword ptr fs:[00000030h] 18_2_04CDD294
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04CDD294 mov eax, dword ptr fs:[00000030h] 18_2_04CDD294
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04CA52A5 mov eax, dword ptr fs:[00000030h] 18_2_04CA52A5
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04CA52A5 mov eax, dword ptr fs:[00000030h] 18_2_04CA52A5
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04CA52A5 mov eax, dword ptr fs:[00000030h] 18_2_04CA52A5
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04CA52A5 mov eax, dword ptr fs:[00000030h] 18_2_04CA52A5
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04CA52A5 mov eax, dword ptr fs:[00000030h] 18_2_04CA52A5
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04CBAAB0 mov eax, dword ptr fs:[00000030h] 18_2_04CBAAB0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04CBAAB0 mov eax, dword ptr fs:[00000030h] 18_2_04CBAAB0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04CDFAB0 mov eax, dword ptr fs:[00000030h] 18_2_04CDFAB0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04D6EA55 mov eax, dword ptr fs:[00000030h] 18_2_04D6EA55
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04D34257 mov eax, dword ptr fs:[00000030h] 18_2_04D34257
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04CA9240 mov eax, dword ptr fs:[00000030h] 18_2_04CA9240
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04CA9240 mov eax, dword ptr fs:[00000030h] 18_2_04CA9240
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04CA9240 mov eax, dword ptr fs:[00000030h] 18_2_04CA9240
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04CA9240 mov eax, dword ptr fs:[00000030h] 18_2_04CA9240
Checks if the current process is being debugged
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\msdt.exe Process queried: DebugPort
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_00409B50 LdrLoadDll, 1_2_00409B50
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe Domain query: www.xn----pl8a630b0whm6t.com
Source: C:\Windows\explorer.exe Domain query: www.epubgame.net
Source: C:\Windows\explorer.exe Network Connect: 23.106.123.249 80
Source: C:\Windows\explorer.exe Network Connect: 172.67.178.31 80
Source: C:\Windows\explorer.exe Domain query: www.anamentor.com
Source: C:\Windows\explorer.exe Domain query: www.fuslonnd.com
Source: C:\Windows\explorer.exe Domain query: www.annellata.xyz
Source: C:\Windows\explorer.exe Domain query: www.metricwombat.com
Sample uses process hollowing technique
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Section unmapped: C:\Windows\SysWOW64\msdt.exe base address: 9F0000
Maps a DLL or memory area into another process
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Section loaded: unknown target: C:\Windows\SysWOW64\msdt.exe protection: execute and read and write
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Section loaded: unknown target: C:\Windows\SysWOW64\msdt.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\msdt.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\msdt.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\msdt.exe Section loaded: unknown target: unknown protection: read write
Queues an APC in another process (thread injection)
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Thread APC queued: target process: C:\Windows\explorer.exe
Modifies the context of a thread in another process (thread injection)
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Thread register set: target process: 3472
Source: C:\Windows\SysWOW64\msdt.exe Thread register set: target process: 3472
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Process created: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe
Source: C:\Windows\SysWOW64\msdt.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe"
Source: explorer.exe, 00000004.00000000.254553864.0000000001640000.00000002.00020000.sdmp, explorer.exe, 00000004.00000000.280099499.0000000005EA0000.00000004.00000001.sdmp, explorer.exe, 00000004.00000000.265196730.00000000089FF000.00000004.00000001.sdmp, explorer.exe, 00000004.00000000.303201524.00000000089FF000.00000004.00000001.sdmp, explorer.exe, 00000004.00000000.274165242.0000000001640000.00000002.00020000.sdmp, explorer.exe, 00000004.00000000.294467030.0000000001640000.00000002.00020000.sdmp, explorer.exe, 00000004.00000000.284970506.00000000089FF000.00000004.00000001.sdmp, msdt.exe, 00000012.00000002.519708075.0000000003530000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000004.00000000.254553864.0000000001640000.00000002.00020000.sdmp, explorer.exe, 00000004.00000000.274165242.0000000001640000.00000002.00020000.sdmp, explorer.exe, 00000004.00000000.294467030.0000000001640000.00000002.00020000.sdmp, msdt.exe, 00000012.00000002.519708075.0000000003530000.00000002.00020000.sdmp Binary or memory string: Progman
Source: explorer.exe, 00000004.00000000.254553864.0000000001640000.00000002.00020000.sdmp, explorer.exe, 00000004.00000000.274165242.0000000001640000.00000002.00020000.sdmp, explorer.exe, 00000004.00000000.294467030.0000000001640000.00000002.00020000.sdmp, msdt.exe, 00000012.00000002.519708075.0000000003530000.00000002.00020000.sdmp Binary or memory string: SProgram Managerl
Source: explorer.exe, 00000004.00000000.294037457.0000000001128000.00000004.00000020.sdmp, explorer.exe, 00000004.00000000.273892369.0000000001128000.00000004.00000020.sdmp, explorer.exe, 00000004.00000000.254192826.0000000001128000.00000004.00000020.sdmp Binary or memory string: ProgmanOMEa
Source: explorer.exe, 00000004.00000000.254553864.0000000001640000.00000002.00020000.sdmp, explorer.exe, 00000004.00000000.274165242.0000000001640000.00000002.00020000.sdmp, explorer.exe, 00000004.00000000.294467030.0000000001640000.00000002.00020000.sdmp, msdt.exe, 00000012.00000002.519708075.0000000003530000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd,
Source: explorer.exe, 00000004.00000000.254553864.0000000001640000.00000002.00020000.sdmp, explorer.exe, 00000004.00000000.274165242.0000000001640000.00000002.00020000.sdmp, explorer.exe, 00000004.00000000.294467030.0000000001640000.00000002.00020000.sdmp, msdt.exe, 00000012.00000002.519708075.0000000003530000.00000002.00020000.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Queries volume information: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe VolumeInformation
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Data.Linq\v4.0_4.0.0.0__b77a5c561934e089\System.Data.Linq.dll VolumeInformation
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected FormBook
Source: Yara match File source: 1.0.S9yf6BkjhTQUbHE.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.S9yf6BkjhTQUbHE.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.S9yf6BkjhTQUbHE.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.S9yf6BkjhTQUbHE.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.S9yf6BkjhTQUbHE.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.S9yf6BkjhTQUbHE.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.S9yf6BkjhTQUbHE.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000001.00000002.314660733.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000000.250860288.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.514724044.00000000008D0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.518773545.0000000002FA0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.288279316.000000000EC4A000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.314889663.0000000000A20000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.305725796.000000000EC4A000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.256688867.00000000041A8000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000000.251285298.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.314919624.0000000000A50000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.254885571.0000000003F8D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.518592905.0000000002E90000.00000040.00020000.sdmp, type: MEMORY

Remote Access Functionality:

Yara detected FormBook
Source: Yara match File source: 1.0.S9yf6BkjhTQUbHE.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.S9yf6BkjhTQUbHE.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.S9yf6BkjhTQUbHE.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.S9yf6BkjhTQUbHE.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.S9yf6BkjhTQUbHE.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.S9yf6BkjhTQUbHE.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.S9yf6BkjhTQUbHE.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000001.00000002.314660733.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000000.250860288.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.514724044.00000000008D0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.518773545.0000000002FA0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.288279316.000000000EC4A000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.314889663.0000000000A20000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.305725796.000000000EC4A000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.256688867.00000000041A8000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000000.251285298.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.314919624.0000000000A50000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.254885571.0000000003F8D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.518592905.0000000002E90000.00000040.00020000.sdmp, type: MEMORY