Windows Analysis Report TNT Documents.exe

Overview

General Information

Sample Name: TNT Documents.exe
Analysis ID: 528770
MD5: 53213cdc9809c6debebe6400a4d1a891
SHA1: 2383fe2e296a1f28deb600cfeadb0a3fa18856f3
SHA256: f49a87b9fa0e2e84273ad690ffe6d7548d7ed13a595fd4addf7c6211b0eb5108
Tags: exeFormbookTNT
Infos:

Most interesting Screenshot:

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Yara detected AntiVM3
Sample uses process hollowing technique
Maps a DLL or memory area into another process
Initial sample is a PE file and has a suspicious name
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
Self deletion via cmd delete
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Queues an APC in another process (thread injection)
Tries to detect virtualization through RDTSC time measurements
Modifies the context of a thread in another process (thread injection)
Executable has a suspicious name (potential lure to open the executable)
C2 URLs / IPs found in malware configuration
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
Contains functionality for execution timing, often used to detect debuggers
Contains long sleeps (>= 3 min)
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
Contains functionality to read the PEB
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

AV Detection:

barindex
Found malware configuration
Source: 00000004.00000002.798434648.0000000000400000.00000040.00000001.sdmp Malware Configuration Extractor: FormBook {"C2 list": ["www.floridanratraining.com/how6/"], "decoy": ["wealthcabana.com", "fourfortyfourcreations.com", "cqqcsy.com", "bhwzjd.com", "niftyfashionrewards.com", "andersongiftemporium.com", "smarttradingcoin.com", "ilarealty.com", "sherrywine.net", "fsecg.info", "xoti.top", "pirosconsulting.com", "fundapie.com", "bbgm4egda.xyz", "legalfortmyers.com", "improvizy.com", "yxdyhs.com", "lucky2balls.com", "panelmall.com", "davenportkartway.com", "springfieldlottery.com", "pentagonpublishers.com", "icanmakeyoufamous.com", "40m2k.com", "projectcentered.com", "webfactory.agency", "metronixmedical.com", "dalingtao.xyz", "functionalsoft.com", "klopert77.com", "cortepuroiberico.com", "viavelleiloes.online", "bamedia.online", "skolicalunjo.com", "kayhardy.com", "excellentappraisers.com", "sademakale.com", "zbycsb.com", "empirejewelss.com", "coached.info", "20215414.online", "dazzlehide.com", "swickstyle.com", "specialtyplastics.online", "noordinarysenior.com", "bluinfo.digital", "chuxiaoxin.xyz", "adwin-estate.com", "girlwithaglow.com", "auctions.email", "topekasecurestorage.com", "mountain-chicken.com", "lhdtrj.com", "mhtqph.club", "solatopotato.com", "mecitiris.com", "hotrodathangtrungquoc.com", "gapteknews.com", "mantraexchange.online", "cinematiccarpenter.com", "wozka.xyz", "car-tech.tech", "jssatchell.media", "joyokanji-cheer.com"]}
Multi AV Scanner detection for submitted file
Source: TNT Documents.exe ReversingLabs: Detection: 48%
Yara detected FormBook
Source: Yara match File source: 4.0.TNT Documents.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.TNT Documents.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.TNT Documents.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.TNT Documents.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.TNT Documents.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.TNT Documents.exe.3fd4e40.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.TNT Documents.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.TNT Documents.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000004.00000002.798434648.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.962732138.0000000004670000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.960597354.00000000007A0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.962868450.0000000004800000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.698679096.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.756647993.000000000E4CE000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.799493056.00000000015D0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.735741697.000000000E4CE000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.798798288.0000000000E30000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.699262494.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.707439158.0000000003F39000.00000004.00000001.sdmp, type: MEMORY
Machine Learning detection for sample
Source: TNT Documents.exe Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 4.2.TNT Documents.exe.400000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 4.0.TNT Documents.exe.400000.8.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 4.0.TNT Documents.exe.400000.4.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 4.0.TNT Documents.exe.400000.6.unpack Avira: Label: TR/Crypt.ZPACK.Gen

Compliance:

barindex
Uses 32bit PE files
Source: TNT Documents.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
Source: TNT Documents.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: msdt.pdbGCTL source: TNT Documents.exe, 00000004.00000002.800029853.0000000003300000.00000040.00020000.sdmp
Source: Binary string: wntdll.pdbUGP source: TNT Documents.exe, 00000004.00000002.798924978.00000000012A0000.00000040.00000001.sdmp, TNT Documents.exe, 00000004.00000002.799089348.00000000013BF000.00000040.00000001.sdmp, msdt.exe, 0000000B.00000002.963153362.0000000004B40000.00000040.00000001.sdmp, msdt.exe, 0000000B.00000002.963364250.0000000004C5F000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: TNT Documents.exe, TNT Documents.exe, 00000004.00000002.798924978.00000000012A0000.00000040.00000001.sdmp, TNT Documents.exe, 00000004.00000002.799089348.00000000013BF000.00000040.00000001.sdmp, msdt.exe, msdt.exe, 0000000B.00000002.963153362.0000000004B40000.00000040.00000001.sdmp, msdt.exe, 0000000B.00000002.963364250.0000000004C5F000.00000040.00000001.sdmp
Source: Binary string: msdt.pdb source: TNT Documents.exe, 00000004.00000002.800029853.0000000003300000.00000040.00020000.sdmp

Software Vulnerabilities:

barindex
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4x nop then pop edi 4_2_0040C3AE
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4x nop then pop edi 4_2_00415681
Source: C:\Windows\SysWOW64\msdt.exe Code function: 4x nop then pop edi 11_2_007AC3AE
Source: C:\Windows\SysWOW64\msdt.exe Code function: 4x nop then pop edi 11_2_007B5681

Networking:

barindex
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: www.floridanratraining.com/how6/
Source: explorer.exe, 00000016.00000003.917756477.0000000006088000.00000004.00000001.sdmp, explorer.exe, 00000016.00000002.953694318.0000000006088000.00000004.00000001.sdmp, explorer.exe, 00000016.00000000.919652524.0000000006088000.00000004.00000001.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: TNT Documents.exe, 00000000.00000002.711284893.0000000007032000.00000004.00000001.sdmp String found in binary or memory: http://fontfabrik.com
Source: explorer.exe, 00000016.00000002.949450560.0000000002AC2000.00000004.00000001.sdmp, explorer.exe, 00000016.00000000.897794439.0000000002AC2000.00000004.00000001.sdmp String found in binary or memory: http://ns.adobp
Source: TNT Documents.exe, 00000000.00000002.711284893.0000000007032000.00000004.00000001.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: TNT Documents.exe, 00000000.00000002.711284893.0000000007032000.00000004.00000001.sdmp String found in binary or memory: http://www.carterandcone.coml
Source: TNT Documents.exe, 00000000.00000002.711284893.0000000007032000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com
Source: TNT Documents.exe, 00000000.00000002.711284893.0000000007032000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers
Source: TNT Documents.exe, 00000000.00000002.711284893.0000000007032000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/?
Source: TNT Documents.exe, 00000000.00000002.711284893.0000000007032000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: TNT Documents.exe, 00000000.00000002.711284893.0000000007032000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: TNT Documents.exe, 00000000.00000002.711284893.0000000007032000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers8
Source: TNT Documents.exe, 00000000.00000002.711284893.0000000007032000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers?
Source: TNT Documents.exe, 00000000.00000002.711284893.0000000007032000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designersG
Source: TNT Documents.exe, 00000000.00000002.711284893.0000000007032000.00000004.00000001.sdmp String found in binary or memory: http://www.fonts.com
Source: TNT Documents.exe, 00000000.00000002.711284893.0000000007032000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn
Source: TNT Documents.exe, 00000000.00000002.711284893.0000000007032000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: TNT Documents.exe, 00000000.00000002.711284893.0000000007032000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: TNT Documents.exe, 00000000.00000002.711284893.0000000007032000.00000004.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: TNT Documents.exe, 00000000.00000002.711284893.0000000007032000.00000004.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: TNT Documents.exe, 00000000.00000002.711284893.0000000007032000.00000004.00000001.sdmp String found in binary or memory: http://www.goodfont.co.kr
Source: TNT Documents.exe, 00000000.00000002.711284893.0000000007032000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: TNT Documents.exe, 00000000.00000002.711284893.0000000007032000.00000004.00000001.sdmp String found in binary or memory: http://www.sajatypeworks.com
Source: TNT Documents.exe, 00000000.00000002.711284893.0000000007032000.00000004.00000001.sdmp String found in binary or memory: http://www.sakkal.com
Source: TNT Documents.exe, 00000000.00000002.711284893.0000000007032000.00000004.00000001.sdmp String found in binary or memory: http://www.sandoll.co.kr
Source: TNT Documents.exe, 00000000.00000002.711284893.0000000007032000.00000004.00000001.sdmp String found in binary or memory: http://www.tiro.com
Source: TNT Documents.exe, 00000000.00000002.711284893.0000000007032000.00000004.00000001.sdmp String found in binary or memory: http://www.typography.netD
Source: TNT Documents.exe, 00000000.00000002.711284893.0000000007032000.00000004.00000001.sdmp String found in binary or memory: http://www.urwpp.deDPlease
Source: TNT Documents.exe, 00000000.00000002.711284893.0000000007032000.00000004.00000001.sdmp String found in binary or memory: http://www.zhongyicts.com.cn

E-Banking Fraud:

barindex
Yara detected FormBook
Source: Yara match File source: 4.0.TNT Documents.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.TNT Documents.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.TNT Documents.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.TNT Documents.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.TNT Documents.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.TNT Documents.exe.3fd4e40.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.TNT Documents.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.TNT Documents.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000004.00000002.798434648.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.962732138.0000000004670000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.960597354.00000000007A0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.962868450.0000000004800000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.698679096.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.756647993.000000000E4CE000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.799493056.00000000015D0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.735741697.000000000E4CE000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.798798288.0000000000E30000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.699262494.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.707439158.0000000003F39000.00000004.00000001.sdmp, type: MEMORY

System Summary:

barindex
Malicious sample detected (through community Yara rule)
Source: 4.0.TNT Documents.exe.400000.8.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 4.0.TNT Documents.exe.400000.8.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 4.2.TNT Documents.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 4.2.TNT Documents.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 4.0.TNT Documents.exe.400000.6.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 4.0.TNT Documents.exe.400000.6.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 4.0.TNT Documents.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 4.0.TNT Documents.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 4.2.TNT Documents.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 4.2.TNT Documents.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.TNT Documents.exe.3fd4e40.1.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.TNT Documents.exe.3fd4e40.1.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 4.0.TNT Documents.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 4.0.TNT Documents.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 4.0.TNT Documents.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 4.0.TNT Documents.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.798434648.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.798434648.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000B.00000002.962732138.0000000004670000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000B.00000002.962732138.0000000004670000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000B.00000002.960597354.00000000007A0000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000B.00000002.960597354.00000000007A0000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000B.00000002.962868450.0000000004800000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000B.00000002.962868450.0000000004800000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000000.698679096.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000000.698679096.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000000.756647993.000000000E4CE000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000000.756647993.000000000E4CE000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.799493056.00000000015D0000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.799493056.00000000015D0000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000000.735741697.000000000E4CE000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000000.735741697.000000000E4CE000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.798798288.0000000000E30000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.798798288.0000000000E30000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000000.699262494.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000000.699262494.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.707439158.0000000003F39000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.707439158.0000000003F39000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: Process Memory Space: explorer.exe PID: 3424, type: MEMORYSTR Matched rule: Semi-Auto-generated - file ironshell.php.txt Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls
Initial sample is a PE file and has a suspicious name
Source: initial sample Static PE information: Filename: TNT Documents.exe
Executable has a suspicious name (potential lure to open the executable)
Source: TNT Documents.exe Static file information: Suspicious name
Uses 32bit PE files
Source: TNT Documents.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
Yara signature match
Source: 4.0.TNT Documents.exe.400000.8.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 4.0.TNT Documents.exe.400000.8.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 4.2.TNT Documents.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 4.2.TNT Documents.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 4.0.TNT Documents.exe.400000.6.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 4.0.TNT Documents.exe.400000.6.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 4.0.TNT Documents.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 4.0.TNT Documents.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 4.2.TNT Documents.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 4.2.TNT Documents.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.TNT Documents.exe.3fd4e40.1.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.TNT Documents.exe.3fd4e40.1.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 4.0.TNT Documents.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 4.0.TNT Documents.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 4.0.TNT Documents.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 4.0.TNT Documents.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.798434648.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.798434648.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000B.00000002.962732138.0000000004670000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000B.00000002.962732138.0000000004670000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000B.00000002.960597354.00000000007A0000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000B.00000002.960597354.00000000007A0000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000B.00000002.962868450.0000000004800000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000B.00000002.962868450.0000000004800000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000000.698679096.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000000.698679096.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000000.756647993.000000000E4CE000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000000.756647993.000000000E4CE000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.799493056.00000000015D0000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.799493056.00000000015D0000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000000.735741697.000000000E4CE000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000000.735741697.000000000E4CE000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.798798288.0000000000E30000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.798798288.0000000000E30000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000000.699262494.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000000.699262494.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.707439158.0000000003F39000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.707439158.0000000003F39000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: Process Memory Space: explorer.exe PID: 3424, type: MEMORYSTR Matched rule: ironshell_php author = Neo23x0 Yara BRG + customization by Stefan -dfate- Molls, description = Semi-Auto-generated - file ironshell.php.txt, hash = 8bfa2eeb8a3ff6afc619258e39fded56
Detected potential crypto function
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 0_2_014ED7BC 0_2_014ED7BC
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 0_2_014EE210 0_2_014EE210
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 0_2_014EE220 0_2_014EE220
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 0_2_014EBD54 0_2_014EBD54
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 0_2_014EFC91 0_2_014EFC91
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 0_2_075F0F78 0_2_075F0F78
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 0_2_075F1700 0_2_075F1700
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 0_2_075F9F30 0_2_075F9F30
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 0_2_075FCF80 0_2_075FCF80
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 0_2_075FA5E8 0_2_075FA5E8
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 0_2_075F2118 0_2_075F2118
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 0_2_075F0040 0_2_075F0040
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 0_2_075F3010 0_2_075F3010
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 0_2_075F5800 0_2_075F5800
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 0_2_075F57FA 0_2_075F57FA
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 0_2_075F2FEA 0_2_075F2FEA
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 0_2_075FD650 0_2_075FD650
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 0_2_075F5608 0_2_075F5608
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 0_2_075F3ED8 0_2_075F3ED8
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 0_2_075F3EC8 0_2_075F3EC8
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 0_2_075F16F0 0_2_075F16F0
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 0_2_075F9698 0_2_075F9698
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 0_2_075F55F8 0_2_075F55F8
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 0_2_075F4D90 0_2_075F4D90
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 0_2_075F4D81 0_2_075F4D81
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 0_2_075F1C10 0_2_075F1C10
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 0_2_075F1C20 0_2_075F1C20
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 0_2_075FCC80 0_2_075FCC80
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 0_2_075F6350 0_2_075F6350
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 0_2_075F634B 0_2_075F634B
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 0_2_075FA3C8 0_2_075FA3C8
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 0_2_075F5399 0_2_075F5399
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 0_2_075F53A8 0_2_075F53A8
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 0_2_075FBAF0 0_2_075FBAF0
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 0_2_075F4A90 0_2_075F4A90
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 0_2_075F4A81 0_2_075F4A81
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 0_2_075F2109 0_2_075F2109
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 0_2_075F5138 0_2_075F5138
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 0_2_075F5129 0_2_075F5129
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 0_2_075F0006 0_2_075F0006
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_00401030 4_2_00401030
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_00408C8B 4_2_00408C8B
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_00408C90 4_2_00408C90
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_00402D87 4_2_00402D87
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_00402D90 4_2_00402D90
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_00402FB0 4_2_00402FB0
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_012E4120 4_2_012E4120
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_012CF900 4_2_012CF900
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_0139E824 4_2_0139E824
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_01381002 4_2_01381002
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_012F20A0 4_2_012F20A0
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_013920A8 4_2_013920A8
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_012DB090 4_2_012DB090
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_013928EC 4_2_013928EC
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_01392B28 4_2_01392B28
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_012EAB40 4_2_012EAB40
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_012FEBB0 4_2_012FEBB0
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_013803DA 4_2_013803DA
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_0138DBD2 4_2_0138DBD2
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_0137FA2B 4_2_0137FA2B
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_013922AE 4_2_013922AE
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_012C0D20 4_2_012C0D20
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_01392D07 4_2_01392D07
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_01391D55 4_2_01391D55
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_012F2581 4_2_012F2581
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_012DD5E0 4_2_012DD5E0
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_013925DD 4_2_013925DD
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_012D841F 4_2_012D841F
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_0138D466 4_2_0138D466
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_01391FF1 4_2_01391FF1
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_0139DFCE 4_2_0139DFCE
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_012E6E30 4_2_012E6E30
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_0138D616 4_2_0138D616
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_01392EF7 4_2_01392EF7
Source: C:\Windows\SysWOW64\msdt.exe Code function: 11_2_04C24496 11_2_04C24496
Source: C:\Windows\SysWOW64\msdt.exe Code function: 11_2_04C2D466 11_2_04C2D466
Source: C:\Windows\SysWOW64\msdt.exe Code function: 11_2_04B7841F 11_2_04B7841F
Source: C:\Windows\SysWOW64\msdt.exe Code function: 11_2_04B8B477 11_2_04B8B477
Source: C:\Windows\SysWOW64\msdt.exe Code function: 11_2_04C325DD 11_2_04C325DD
Source: C:\Windows\SysWOW64\msdt.exe Code function: 11_2_04B92581 11_2_04B92581
Source: C:\Windows\SysWOW64\msdt.exe Code function: 11_2_04C22D82 11_2_04C22D82
Source: C:\Windows\SysWOW64\msdt.exe Code function: 11_2_04B7D5E0 11_2_04B7D5E0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 11_2_04B60D20 11_2_04B60D20
Source: C:\Windows\SysWOW64\msdt.exe Code function: 11_2_04C31D55 11_2_04C31D55
Source: C:\Windows\SysWOW64\msdt.exe Code function: 11_2_04C32D07 11_2_04C32D07
Source: C:\Windows\SysWOW64\msdt.exe Code function: 11_2_04C32EF7 11_2_04C32EF7
Source: C:\Windows\SysWOW64\msdt.exe Code function: 11_2_04B86E30 11_2_04B86E30
Source: C:\Windows\SysWOW64\msdt.exe Code function: 11_2_04C2D616 11_2_04C2D616
Source: C:\Windows\SysWOW64\msdt.exe Code function: 11_2_04C3DFCE 11_2_04C3DFCE
Source: C:\Windows\SysWOW64\msdt.exe Code function: 11_2_04C31FF1 11_2_04C31FF1
Source: C:\Windows\SysWOW64\msdt.exe Code function: 11_2_04B920A0 11_2_04B920A0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 11_2_04B7B090 11_2_04B7B090
Source: C:\Windows\SysWOW64\msdt.exe Code function: 11_2_04C328EC 11_2_04C328EC
Source: C:\Windows\SysWOW64\msdt.exe Code function: 11_2_04C320A8 11_2_04C320A8
Source: C:\Windows\SysWOW64\msdt.exe Code function: 11_2_04B8A830 11_2_04B8A830
Source: C:\Windows\SysWOW64\msdt.exe Code function: 11_2_04C21002 11_2_04C21002
Source: C:\Windows\SysWOW64\msdt.exe Code function: 11_2_04C3E824 11_2_04C3E824
Source: C:\Windows\SysWOW64\msdt.exe Code function: 11_2_04B899BF 11_2_04B899BF
Source: C:\Windows\SysWOW64\msdt.exe Code function: 11_2_04B84120 11_2_04B84120
Source: C:\Windows\SysWOW64\msdt.exe Code function: 11_2_04B6F900 11_2_04B6F900
Source: C:\Windows\SysWOW64\msdt.exe Code function: 11_2_04C24AEF 11_2_04C24AEF
Source: C:\Windows\SysWOW64\msdt.exe Code function: 11_2_04C322AE 11_2_04C322AE
Source: C:\Windows\SysWOW64\msdt.exe Code function: 11_2_04B8B236 11_2_04B8B236
Source: C:\Windows\SysWOW64\msdt.exe Code function: 11_2_04C1FA2B 11_2_04C1FA2B
Source: C:\Windows\SysWOW64\msdt.exe Code function: 11_2_04B9EBB0 11_2_04B9EBB0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 11_2_04C2DBD2 11_2_04C2DBD2
Source: C:\Windows\SysWOW64\msdt.exe Code function: 11_2_04C203DA 11_2_04C203DA
Source: C:\Windows\SysWOW64\msdt.exe Code function: 11_2_04C123E3 11_2_04C123E3
Source: C:\Windows\SysWOW64\msdt.exe Code function: 11_2_04B9138B 11_2_04B9138B
Source: C:\Windows\SysWOW64\msdt.exe Code function: 11_2_04B9ABD8 11_2_04B9ABD8
Source: C:\Windows\SysWOW64\msdt.exe Code function: 11_2_04C0CB4F 11_2_04C0CB4F
Source: C:\Windows\SysWOW64\msdt.exe Code function: 11_2_04B8A309 11_2_04B8A309
Source: C:\Windows\SysWOW64\msdt.exe Code function: 11_2_04C32B28 11_2_04C32B28
Source: C:\Windows\SysWOW64\msdt.exe Code function: 11_2_04B8AB40 11_2_04B8AB40
Source: C:\Windows\SysWOW64\msdt.exe Code function: 11_2_007A8C90 11_2_007A8C90
Source: C:\Windows\SysWOW64\msdt.exe Code function: 11_2_007A8C8B 11_2_007A8C8B
Source: C:\Windows\SysWOW64\msdt.exe Code function: 11_2_007A2D90 11_2_007A2D90
Source: C:\Windows\SysWOW64\msdt.exe Code function: 11_2_007A2D87 11_2_007A2D87
Source: C:\Windows\SysWOW64\msdt.exe Code function: 11_2_007A2FB0 11_2_007A2FB0
Found potential string decryption / allocating functions
Source: C:\Windows\SysWOW64\msdt.exe Code function: String function: 04B6B150 appears 136 times
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: String function: 012CB150 appears 45 times
Contains functionality to call native functions
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_004185F0 NtCreateFile, 4_2_004185F0
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_004186A0 NtReadFile, 4_2_004186A0
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_00418720 NtClose, 4_2_00418720
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_004187D0 NtAllocateVirtualMemory, 4_2_004187D0
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_004185EA NtCreateFile, 4_2_004185EA
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_00418642 NtReadFile, 4_2_00418642
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_0041869A NtReadFile, 4_2_0041869A
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_004187CB NtAllocateVirtualMemory, 4_2_004187CB
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_01309910 NtAdjustPrivilegesToken,LdrInitializeThunk, 4_2_01309910
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_013099A0 NtCreateSection,LdrInitializeThunk, 4_2_013099A0
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_01309860 NtQuerySystemInformation,LdrInitializeThunk, 4_2_01309860
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_01309840 NtDelayExecution,LdrInitializeThunk, 4_2_01309840
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_013098F0 NtReadVirtualMemory,LdrInitializeThunk, 4_2_013098F0
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_01309A20 NtResumeThread,LdrInitializeThunk, 4_2_01309A20
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_01309A00 NtProtectVirtualMemory,LdrInitializeThunk, 4_2_01309A00
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_01309A50 NtCreateFile,LdrInitializeThunk, 4_2_01309A50
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_01309540 NtReadFile,LdrInitializeThunk, 4_2_01309540
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_013095D0 NtClose,LdrInitializeThunk, 4_2_013095D0
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_01309710 NtQueryInformationToken,LdrInitializeThunk, 4_2_01309710
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_013097A0 NtUnmapViewOfSection,LdrInitializeThunk, 4_2_013097A0
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_01309780 NtMapViewOfSection,LdrInitializeThunk, 4_2_01309780
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_01309FE0 NtCreateMutant,LdrInitializeThunk, 4_2_01309FE0
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_01309660 NtAllocateVirtualMemory,LdrInitializeThunk, 4_2_01309660
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_013096E0 NtFreeVirtualMemory,LdrInitializeThunk, 4_2_013096E0
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_01309950 NtQueueApcThread, 4_2_01309950
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_013099D0 NtCreateProcessEx, 4_2_013099D0
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_01309820 NtEnumerateKey, 4_2_01309820
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_0130B040 NtSuspendThread, 4_2_0130B040
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_013098A0 NtWriteVirtualMemory, 4_2_013098A0
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_01309B00 NtSetValueKey, 4_2_01309B00
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_0130A3B0 NtGetContextThread, 4_2_0130A3B0
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_01309A10 NtQuerySection, 4_2_01309A10
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_01309A80 NtOpenDirectoryObject, 4_2_01309A80
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_0130AD30 NtSetContextThread, 4_2_0130AD30
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_01309520 NtWaitForSingleObject, 4_2_01309520
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_01309560 NtWriteFile, 4_2_01309560
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_013095F0 NtQueryInformationFile, 4_2_013095F0
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_01309730 NtQueryVirtualMemory, 4_2_01309730
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_0130A710 NtOpenProcessToken, 4_2_0130A710
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_0130A770 NtOpenThread, 4_2_0130A770
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_01309770 NtSetInformationFile, 4_2_01309770
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_01309760 NtOpenProcess, 4_2_01309760
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_01309610 NtEnumerateValueKey, 4_2_01309610
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_01309670 NtQueryInformationProcess, 4_2_01309670
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_01309650 NtQueryValueKey, 4_2_01309650
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_013096D0 NtCreateKey, 4_2_013096D0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 11_2_04BA95D0 NtClose,LdrInitializeThunk, 11_2_04BA95D0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 11_2_04BA9540 NtReadFile,LdrInitializeThunk, 11_2_04BA9540
Source: C:\Windows\SysWOW64\msdt.exe Code function: 11_2_04BA96E0 NtFreeVirtualMemory,LdrInitializeThunk, 11_2_04BA96E0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 11_2_04BA96D0 NtCreateKey,LdrInitializeThunk, 11_2_04BA96D0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 11_2_04BA9660 NtAllocateVirtualMemory,LdrInitializeThunk, 11_2_04BA9660
Source: C:\Windows\SysWOW64\msdt.exe Code function: 11_2_04BA9650 NtQueryValueKey,LdrInitializeThunk, 11_2_04BA9650
Source: C:\Windows\SysWOW64\msdt.exe Code function: 11_2_04BA9780 NtMapViewOfSection,LdrInitializeThunk, 11_2_04BA9780
Source: C:\Windows\SysWOW64\msdt.exe Code function: 11_2_04BA9FE0 NtCreateMutant,LdrInitializeThunk, 11_2_04BA9FE0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 11_2_04BA9710 NtQueryInformationToken,LdrInitializeThunk, 11_2_04BA9710
Source: C:\Windows\SysWOW64\msdt.exe Code function: 11_2_04BA9860 NtQuerySystemInformation,LdrInitializeThunk, 11_2_04BA9860
Source: C:\Windows\SysWOW64\msdt.exe Code function: 11_2_04BA9840 NtDelayExecution,LdrInitializeThunk, 11_2_04BA9840
Source: C:\Windows\SysWOW64\msdt.exe Code function: 11_2_04BA99A0 NtCreateSection,LdrInitializeThunk, 11_2_04BA99A0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 11_2_04BA9910 NtAdjustPrivilegesToken,LdrInitializeThunk, 11_2_04BA9910
Source: C:\Windows\SysWOW64\msdt.exe Code function: 11_2_04BA9A50 NtCreateFile,LdrInitializeThunk, 11_2_04BA9A50
Source: C:\Windows\SysWOW64\msdt.exe Code function: 11_2_04BA95F0 NtQueryInformationFile, 11_2_04BA95F0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 11_2_04BAAD30 NtSetContextThread, 11_2_04BAAD30
Source: C:\Windows\SysWOW64\msdt.exe Code function: 11_2_04BA9520 NtWaitForSingleObject, 11_2_04BA9520
Source: C:\Windows\SysWOW64\msdt.exe Code function: 11_2_04BA9560 NtWriteFile, 11_2_04BA9560
Source: C:\Windows\SysWOW64\msdt.exe Code function: 11_2_04BA9610 NtEnumerateValueKey, 11_2_04BA9610
Source: C:\Windows\SysWOW64\msdt.exe Code function: 11_2_04BA9670 NtQueryInformationProcess, 11_2_04BA9670
Source: C:\Windows\SysWOW64\msdt.exe Code function: 11_2_04BA97A0 NtUnmapViewOfSection, 11_2_04BA97A0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 11_2_04BA9730 NtQueryVirtualMemory, 11_2_04BA9730
Source: C:\Windows\SysWOW64\msdt.exe Code function: 11_2_04BAA710 NtOpenProcessToken, 11_2_04BAA710
Source: C:\Windows\SysWOW64\msdt.exe Code function: 11_2_04BAA770 NtOpenThread, 11_2_04BAA770
Source: C:\Windows\SysWOW64\msdt.exe Code function: 11_2_04BA9770 NtSetInformationFile, 11_2_04BA9770
Source: C:\Windows\SysWOW64\msdt.exe Code function: 11_2_04BA9760 NtOpenProcess, 11_2_04BA9760
Source: C:\Windows\SysWOW64\msdt.exe Code function: 11_2_04BA98A0 NtWriteVirtualMemory, 11_2_04BA98A0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 11_2_04BA98F0 NtReadVirtualMemory, 11_2_04BA98F0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 11_2_04BA9820 NtEnumerateKey, 11_2_04BA9820
Source: C:\Windows\SysWOW64\msdt.exe Code function: 11_2_04BAB040 NtSuspendThread, 11_2_04BAB040
Source: C:\Windows\SysWOW64\msdt.exe Code function: 11_2_04BA99D0 NtCreateProcessEx, 11_2_04BA99D0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 11_2_04BA9950 NtQueueApcThread, 11_2_04BA9950
Source: C:\Windows\SysWOW64\msdt.exe Code function: 11_2_04BA9A80 NtOpenDirectoryObject, 11_2_04BA9A80
Source: C:\Windows\SysWOW64\msdt.exe Code function: 11_2_04BA9A20 NtResumeThread, 11_2_04BA9A20
Source: C:\Windows\SysWOW64\msdt.exe Code function: 11_2_04BA9A10 NtQuerySection, 11_2_04BA9A10
Source: C:\Windows\SysWOW64\msdt.exe Code function: 11_2_04BA9A00 NtProtectVirtualMemory, 11_2_04BA9A00
Source: C:\Windows\SysWOW64\msdt.exe Code function: 11_2_04BAA3B0 NtGetContextThread, 11_2_04BAA3B0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 11_2_04BA9B00 NtSetValueKey, 11_2_04BA9B00
Source: C:\Windows\SysWOW64\msdt.exe Code function: 11_2_007B85F0 NtCreateFile, 11_2_007B85F0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 11_2_007B86A0 NtReadFile, 11_2_007B86A0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 11_2_007B8720 NtClose, 11_2_007B8720
Source: C:\Windows\SysWOW64\msdt.exe Code function: 11_2_007B87D0 NtAllocateVirtualMemory, 11_2_007B87D0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 11_2_007B85EA NtCreateFile, 11_2_007B85EA
Source: C:\Windows\SysWOW64\msdt.exe Code function: 11_2_007B8642 NtReadFile, 11_2_007B8642
Source: C:\Windows\SysWOW64\msdt.exe Code function: 11_2_007B869A NtReadFile, 11_2_007B869A
Source: C:\Windows\SysWOW64\msdt.exe Code function: 11_2_007B87CB NtAllocateVirtualMemory, 11_2_007B87CB
Sample file is different than original file name gathered from version info
Source: TNT Documents.exe, 00000000.00000000.672866618.0000000000BA2000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameZpiiIoA.exe@ vs TNT Documents.exe
Source: TNT Documents.exe, 00000000.00000002.711592915.0000000007550000.00000004.00020000.sdmp Binary or memory string: OriginalFilenameMajorRevision.exe< vs TNT Documents.exe
Source: TNT Documents.exe, 00000000.00000002.703985087.0000000003206000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameMajorRevision.exe< vs TNT Documents.exe
Source: TNT Documents.exe, 00000000.00000002.707439158.0000000003F39000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameMajorRevision.exe< vs TNT Documents.exe
Source: TNT Documents.exe, 00000004.00000002.798576124.00000000008F2000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameZpiiIoA.exe@ vs TNT Documents.exe
Source: TNT Documents.exe, 00000004.00000002.799435118.000000000154F000.00000040.00000001.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs TNT Documents.exe
Source: TNT Documents.exe, 00000004.00000002.800029853.0000000003300000.00000040.00020000.sdmp Binary or memory string: OriginalFilenamemsdt.exej% vs TNT Documents.exe
Source: TNT Documents.exe, 00000004.00000002.799089348.00000000013BF000.00000040.00000001.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs TNT Documents.exe
Source: TNT Documents.exe Binary or memory string: OriginalFilenameZpiiIoA.exe@ vs TNT Documents.exe
Source: TNT Documents.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: TNT Documents.exe ReversingLabs: Detection: 48%
Source: TNT Documents.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\TNT Documents.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\TNT Documents.exe "C:\Users\user\Desktop\TNT Documents.exe"
Source: C:\Users\user\Desktop\TNT Documents.exe Process created: C:\Users\user\Desktop\TNT Documents.exe {path}
Source: C:\Users\user\Desktop\TNT Documents.exe Process created: C:\Windows\SysWOW64\autoconv.exe C:\Windows\SysWOW64\autoconv.exe
Source: C:\Users\user\Desktop\TNT Documents.exe Process created: C:\Windows\SysWOW64\msdt.exe C:\Windows\SysWOW64\msdt.exe
Source: C:\Windows\SysWOW64\msdt.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\TNT Documents.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\msdt.exe Process created: C:\Windows\explorer.exe "C:\Windows\explorer.exe" /LOADSAVEDWINDOWS
Source: C:\Users\user\Desktop\TNT Documents.exe Process created: C:\Users\user\Desktop\TNT Documents.exe {path} Jump to behavior
Source: C:\Users\user\Desktop\TNT Documents.exe Process created: C:\Windows\SysWOW64\autoconv.exe C:\Windows\SysWOW64\autoconv.exe Jump to behavior
Source: C:\Users\user\Desktop\TNT Documents.exe Process created: C:\Windows\SysWOW64\msdt.exe C:\Windows\SysWOW64\msdt.exe Jump to behavior
Source: C:\Windows\SysWOW64\msdt.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\TNT Documents.exe" Jump to behavior
Source: C:\Windows\explorer.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{660b90c8-73a9-4b58-8cae-355b7f55341b}\InProcServer32 Jump to behavior
Source: C:\Users\user\Desktop\TNT Documents.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\TNT Documents.exe.log Jump to behavior
Source: classification engine Classification label: mal100.troj.evad.winEXE@11/1@0/1
Source: C:\Windows\explorer.exe File read: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\TNT Documents.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll Jump to behavior
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6684:120:WilError_01
Source: C:\Windows\SysWOW64\msdt.exe Process created: C:\Windows\explorer.exe
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\TNT Documents.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll Jump to behavior
Source: TNT Documents.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: TNT Documents.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: msdt.pdbGCTL source: TNT Documents.exe, 00000004.00000002.800029853.0000000003300000.00000040.00020000.sdmp
Source: Binary string: wntdll.pdbUGP source: TNT Documents.exe, 00000004.00000002.798924978.00000000012A0000.00000040.00000001.sdmp, TNT Documents.exe, 00000004.00000002.799089348.00000000013BF000.00000040.00000001.sdmp, msdt.exe, 0000000B.00000002.963153362.0000000004B40000.00000040.00000001.sdmp, msdt.exe, 0000000B.00000002.963364250.0000000004C5F000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: TNT Documents.exe, TNT Documents.exe, 00000004.00000002.798924978.00000000012A0000.00000040.00000001.sdmp, TNT Documents.exe, 00000004.00000002.799089348.00000000013BF000.00000040.00000001.sdmp, msdt.exe, msdt.exe, 0000000B.00000002.963153362.0000000004B40000.00000040.00000001.sdmp, msdt.exe, 0000000B.00000002.963364250.0000000004C5F000.00000040.00000001.sdmp
Source: Binary string: msdt.pdb source: TNT Documents.exe, 00000004.00000002.800029853.0000000003300000.00000040.00020000.sdmp

Data Obfuscation:

barindex
.NET source code contains potential unpacker
Source: TNT Documents.exe, u0006u2000.cs .Net Code: \x02 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 0.2.TNT Documents.exe.b40000.0.unpack, u0006u2000.cs .Net Code: \x02 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 0.0.TNT Documents.exe.b40000.0.unpack, u0006u2000.cs .Net Code: \x02 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 4.0.TNT Documents.exe.890000.9.unpack, u0006u2000.cs .Net Code: \x02 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 4.0.TNT Documents.exe.890000.1.unpack, u0006u2000.cs .Net Code: \x02 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 4.2.TNT Documents.exe.890000.1.unpack, u0006u2000.cs .Net Code: \x02 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 4.0.TNT Documents.exe.890000.7.unpack, u0006u2000.cs .Net Code: \x02 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 4.0.TNT Documents.exe.890000.5.unpack, u0006u2000.cs .Net Code: \x02 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 4.0.TNT Documents.exe.890000.0.unpack, u0006u2000.cs .Net Code: \x02 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 4.0.TNT Documents.exe.890000.3.unpack, u0006u2000.cs .Net Code: \x02 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 4.0.TNT Documents.exe.890000.2.unpack, u0006u2000.cs .Net Code: \x02 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 0_2_075F2D4A push ds; ret 0_2_075F2D4B
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 0_2_075F61E6 push esi; iretd 0_2_075F61E7
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_0041B832 push eax; ret 4_2_0041B838
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_0041B83B push eax; ret 4_2_0041B8A2
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_0041B89C push eax; ret 4_2_0041B8A2
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_0040825A push ecx; retf 4_2_0040825B
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_0040C38A pushfd ; ret 4_2_0040C3A0
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_00415CC4 push FFFFFFDFh; iretd 4_2_00415CDA
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_0041B7E5 push eax; ret 4_2_0041B838
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_0131D0D1 push ecx; ret 4_2_0131D0E4
Source: C:\Windows\SysWOW64\msdt.exe Code function: 11_2_04BBD0D1 push ecx; ret 11_2_04BBD0E4
Source: C:\Windows\SysWOW64\msdt.exe Code function: 11_2_007BB83B push eax; ret 11_2_007BB8A2
Source: C:\Windows\SysWOW64\msdt.exe Code function: 11_2_007BB832 push eax; ret 11_2_007BB838
Source: C:\Windows\SysWOW64\msdt.exe Code function: 11_2_007BB89C push eax; ret 11_2_007BB8A2
Source: C:\Windows\SysWOW64\msdt.exe Code function: 11_2_007A825A push ecx; retf 11_2_007A825B
Source: C:\Windows\SysWOW64\msdt.exe Code function: 11_2_007AC38A pushfd ; ret 11_2_007AC3A0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 11_2_007B5CC4 push FFFFFFDFh; iretd 11_2_007B5CDA
Source: C:\Windows\SysWOW64\msdt.exe Code function: 11_2_007BB7E5 push eax; ret 11_2_007BB838
Source: initial sample Static PE information: section name: .text entropy: 7.96472261238

Hooking and other Techniques for Hiding and Protection:

barindex
Self deletion via cmd delete
Source: C:\Windows\SysWOW64\msdt.exe Process created: /c del "C:\Users\user\Desktop\TNT Documents.exe"
Source: C:\Windows\SysWOW64\msdt.exe Process created: /c del "C:\Users\user\Desktop\TNT Documents.exe" Jump to behavior
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Windows\explorer.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes Jump to behavior
Source: C:\Users\user\Desktop\TNT Documents.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\TNT Documents.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\TNT Documents.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\TNT Documents.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\TNT Documents.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\TNT Documents.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\TNT Documents.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\TNT Documents.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\TNT Documents.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\TNT Documents.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\TNT Documents.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\TNT Documents.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\TNT Documents.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\TNT Documents.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\TNT Documents.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\TNT Documents.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\TNT Documents.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\TNT Documents.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\TNT Documents.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\TNT Documents.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\TNT Documents.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\TNT Documents.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\TNT Documents.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\TNT Documents.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\TNT Documents.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\TNT Documents.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\TNT Documents.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\TNT Documents.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\TNT Documents.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\TNT Documents.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\msdt.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion:

barindex
Yara detected AntiVM3
Source: Yara match File source: 00000000.00000002.703985087.0000000003206000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: TNT Documents.exe PID: 6612, type: MEMORYSTR
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: TNT Documents.exe, 00000000.00000002.703985087.0000000003206000.00000004.00000001.sdmp Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: TNT Documents.exe, 00000000.00000002.703985087.0000000003206000.00000004.00000001.sdmp Binary or memory string: SBIEDLL.DLL
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\TNT Documents.exe RDTSC instruction interceptor: First address: 0000000000408614 second address: 000000000040861A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\TNT Documents.exe RDTSC instruction interceptor: First address: 00000000004089AE second address: 00000000004089B4 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\msdt.exe RDTSC instruction interceptor: First address: 00000000007A8614 second address: 00000000007A861A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\msdt.exe RDTSC instruction interceptor: First address: 00000000007A89AE second address: 00000000007A89B4 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\TNT Documents.exe TID: 6604 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\SysWOW64\msdt.exe Last function: Thread delayed
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_004088E0 rdtsc 4_2_004088E0
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\TNT Documents.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Contains capabilities to detect virtual machines
Source: C:\Windows\explorer.exe File opened / queried: SCSI#Disk&Ven_VMware&Prod_Virtual_disk#5&1ec51bf7&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} Jump to behavior
Source: C:\Users\user\Desktop\TNT Documents.exe Process information queried: ProcessInformation Jump to behavior
Source: C:\Users\user\Desktop\TNT Documents.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: explorer.exe, 00000016.00000003.896977047.0000000005E33000.00000004.00000001.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000016.00000002.954468782.00000000062AF000.00000004.00000001.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}B/b
Source: TNT Documents.exe, 00000000.00000002.703985087.0000000003206000.00000004.00000001.sdmp Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: explorer.exe, 00000005.00000000.731842532.000000000A60E000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000016.00000000.916170667.0000000005D10000.00000004.00000001.sdmp Binary or memory string: VMware SATA CD00
Source: explorer.exe, 00000016.00000003.917202739.0000000006211000.00000004.00000001.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{e6e9dfd8-98f2-11e9-90ce-806e6f6e6963}\DosDevices\D:z
Source: TNT Documents.exe, 00000000.00000002.703985087.0000000003206000.00000004.00000001.sdmp Binary or memory string: VMWARE
Source: explorer.exe, 00000016.00000000.919652524.0000000006088000.00000004.00000001.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
Source: explorer.exe, 00000016.00000000.916170667.0000000005D10000.00000004.00000001.sdmp Binary or memory string: NECVMWarVMware SATA CD001.00WBX
Source: explorer.exe, 00000016.00000002.952762008.0000000005E33000.00000004.00000001.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}57
Source: TNT Documents.exe, 00000000.00000002.703985087.0000000003206000.00000004.00000001.sdmp Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: explorer.exe, 00000005.00000000.706742776.0000000004710000.00000004.00000001.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000[Wm
Source: explorer.exe, 00000005.00000000.732035177.000000000A716000.00000004.00000001.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000/
Source: explorer.exe, 00000016.00000003.927230518.00000000062CA000.00000004.00000001.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}z
Source: explorer.exe, 00000005.00000000.732035177.000000000A716000.00000004.00000001.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000@
Source: TNT Documents.exe, 00000000.00000002.703985087.0000000003206000.00000004.00000001.sdmp Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
Source: explorer.exe, 00000016.00000002.954563148.00000000062C9000.00000004.00000001.sdmp Binary or memory string: ?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: TNT Documents.exe, 00000000.00000002.703985087.0000000003206000.00000004.00000001.sdmp Binary or memory string: VMware SVGA IIOData Source=localhost\sqlexpress;Initial Catalog=dbSMS;Integrated Security=True
Source: TNT Documents.exe, 00000000.00000002.703985087.0000000003206000.00000004.00000001.sdmp Binary or memory string: vmware
Source: explorer.exe, 00000016.00000000.917365906.0000000005E33000.00000004.00000001.sdmp Binary or memory string: ;;SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: explorer.exe, 00000016.00000003.917440283.000000000621D000.00000004.00000001.sdmp Binary or memory string: \??\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000016.00000000.919652524.0000000006088000.00000004.00000001.sdmp Binary or memory string: VMware SATA CD00
Source: explorer.exe, 00000016.00000002.952509808.0000000005D10000.00000004.00000001.sdmp Binary or memory string: AASCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
Source: explorer.exe, 00000016.00000002.954468782.00000000062AF000.00000004.00000001.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}B0a
Source: explorer.exe, 00000016.00000002.953555804.0000000005FBE000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}y
Source: explorer.exe, 00000016.00000002.952762008.0000000005E33000.00000004.00000001.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}ZR
Source: explorer.exe, 00000016.00000003.913114176.0000000006088000.00000004.00000001.sdmp Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#5&1ec51bf7&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}iFWO
Source: explorer.exe, 00000016.00000000.913874864.000000000490A000.00000004.00000001.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000Z
Source: explorer.exe, 00000016.00000003.937526972.00000000062CA000.00000004.00000001.sdmp Binary or memory string: \?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000016.00000002.952762008.0000000005E33000.00000004.00000001.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}/
Source: explorer.exe, 00000005.00000000.732035177.000000000A716000.00000004.00000001.sdmp Binary or memory string: War&Prod_VMware_SATAa
Source: explorer.exe, 00000016.00000002.954468782.00000000062AF000.00000004.00000001.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}BFb
Source: explorer.exe, 00000016.00000002.954468782.00000000062AF000.00000004.00000001.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}B
Source: explorer.exe, 00000016.00000002.952762008.0000000005E33000.00000004.00000001.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000$a
Source: explorer.exe, 00000016.00000003.913065851.0000000006051000.00000004.00000001.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000i@v
Source: TNT Documents.exe, 00000000.00000002.703985087.0000000003206000.00000004.00000001.sdmp Binary or memory string: VMware SVGA II
Source: TNT Documents.exe, 00000000.00000002.703985087.0000000003206000.00000004.00000001.sdmp Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: explorer.exe, 00000016.00000002.952762008.0000000005E33000.00000004.00000001.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}<
Source: explorer.exe, 00000016.00000002.953555804.0000000005FBE000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}exe
Source: explorer.exe, 00000005.00000000.732733430.000000000A9D4000.00000004.00000001.sdmp Binary or memory string: AGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000016.00000002.953555804.0000000005FBE000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000016.00000003.927230518.00000000062CA000.00000004.00000001.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000016.00000003.934085252.0000000006196000.00000004.00000001.sdmp Binary or memory string: VMware SATA CD00dRom0K
Source: explorer.exe, 00000016.00000002.954468782.00000000062AF000.00000004.00000001.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}BKa
Source: TNT Documents.exe, 00000000.00000002.703985087.0000000003206000.00000004.00000001.sdmp Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: explorer.exe, 00000005.00000000.751220813.0000000006650000.00000004.00000001.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000005.00000000.716107547.000000000A83C000.00000004.00000001.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}((
Source: explorer.exe, 00000016.00000002.948738356.00000000009A8000.00000004.00000020.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000

Anti Debugging:

barindex
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_004088E0 rdtsc 4_2_004088E0
Enables debug privileges
Source: C:\Users\user\Desktop\TNT Documents.exe Process token adjusted: Debug Jump to behavior
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_012E4120 mov eax, dword ptr fs:[00000030h] 4_2_012E4120
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_012E4120 mov eax, dword ptr fs:[00000030h] 4_2_012E4120
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_012E4120 mov eax, dword ptr fs:[00000030h] 4_2_012E4120
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_012E4120 mov eax, dword ptr fs:[00000030h] 4_2_012E4120
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_012E4120 mov ecx, dword ptr fs:[00000030h] 4_2_012E4120
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_012F513A mov eax, dword ptr fs:[00000030h] 4_2_012F513A
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_012F513A mov eax, dword ptr fs:[00000030h] 4_2_012F513A
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_012C9100 mov eax, dword ptr fs:[00000030h] 4_2_012C9100
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_012C9100 mov eax, dword ptr fs:[00000030h] 4_2_012C9100
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_012C9100 mov eax, dword ptr fs:[00000030h] 4_2_012C9100
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_012CC962 mov eax, dword ptr fs:[00000030h] 4_2_012CC962
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_012CB171 mov eax, dword ptr fs:[00000030h] 4_2_012CB171
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_012CB171 mov eax, dword ptr fs:[00000030h] 4_2_012CB171
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_012EB944 mov eax, dword ptr fs:[00000030h] 4_2_012EB944
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_012EB944 mov eax, dword ptr fs:[00000030h] 4_2_012EB944
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_013451BE mov eax, dword ptr fs:[00000030h] 4_2_013451BE
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_013451BE mov eax, dword ptr fs:[00000030h] 4_2_013451BE
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_013451BE mov eax, dword ptr fs:[00000030h] 4_2_013451BE
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_013451BE mov eax, dword ptr fs:[00000030h] 4_2_013451BE
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_012F61A0 mov eax, dword ptr fs:[00000030h] 4_2_012F61A0
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_012F61A0 mov eax, dword ptr fs:[00000030h] 4_2_012F61A0
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_013469A6 mov eax, dword ptr fs:[00000030h] 4_2_013469A6
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_013849A4 mov eax, dword ptr fs:[00000030h] 4_2_013849A4
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_013849A4 mov eax, dword ptr fs:[00000030h] 4_2_013849A4
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_013849A4 mov eax, dword ptr fs:[00000030h] 4_2_013849A4
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_013849A4 mov eax, dword ptr fs:[00000030h] 4_2_013849A4
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_012FA185 mov eax, dword ptr fs:[00000030h] 4_2_012FA185
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_012EC182 mov eax, dword ptr fs:[00000030h] 4_2_012EC182
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_012F2990 mov eax, dword ptr fs:[00000030h] 4_2_012F2990
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_012CB1E1 mov eax, dword ptr fs:[00000030h] 4_2_012CB1E1
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_012CB1E1 mov eax, dword ptr fs:[00000030h] 4_2_012CB1E1
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_012CB1E1 mov eax, dword ptr fs:[00000030h] 4_2_012CB1E1
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_013541E8 mov eax, dword ptr fs:[00000030h] 4_2_013541E8
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_012F002D mov eax, dword ptr fs:[00000030h] 4_2_012F002D
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_012F002D mov eax, dword ptr fs:[00000030h] 4_2_012F002D
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_012F002D mov eax, dword ptr fs:[00000030h] 4_2_012F002D
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_012F002D mov eax, dword ptr fs:[00000030h] 4_2_012F002D
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_012F002D mov eax, dword ptr fs:[00000030h] 4_2_012F002D
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_012DB02A mov eax, dword ptr fs:[00000030h] 4_2_012DB02A
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_012DB02A mov eax, dword ptr fs:[00000030h] 4_2_012DB02A
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_012DB02A mov eax, dword ptr fs:[00000030h] 4_2_012DB02A
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_012DB02A mov eax, dword ptr fs:[00000030h] 4_2_012DB02A
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_01347016 mov eax, dword ptr fs:[00000030h] 4_2_01347016
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_01347016 mov eax, dword ptr fs:[00000030h] 4_2_01347016
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_01347016 mov eax, dword ptr fs:[00000030h] 4_2_01347016
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_01394015 mov eax, dword ptr fs:[00000030h] 4_2_01394015
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_01394015 mov eax, dword ptr fs:[00000030h] 4_2_01394015
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_01382073 mov eax, dword ptr fs:[00000030h] 4_2_01382073
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_01391074 mov eax, dword ptr fs:[00000030h] 4_2_01391074
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_012E0050 mov eax, dword ptr fs:[00000030h] 4_2_012E0050
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_012E0050 mov eax, dword ptr fs:[00000030h] 4_2_012E0050
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_012F20A0 mov eax, dword ptr fs:[00000030h] 4_2_012F20A0
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_012F20A0 mov eax, dword ptr fs:[00000030h] 4_2_012F20A0
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_012F20A0 mov eax, dword ptr fs:[00000030h] 4_2_012F20A0
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_012F20A0 mov eax, dword ptr fs:[00000030h] 4_2_012F20A0
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_012F20A0 mov eax, dword ptr fs:[00000030h] 4_2_012F20A0
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_012F20A0 mov eax, dword ptr fs:[00000030h] 4_2_012F20A0
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_012FF0BF mov ecx, dword ptr fs:[00000030h] 4_2_012FF0BF
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_012FF0BF mov eax, dword ptr fs:[00000030h] 4_2_012FF0BF
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_012FF0BF mov eax, dword ptr fs:[00000030h] 4_2_012FF0BF
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_013090AF mov eax, dword ptr fs:[00000030h] 4_2_013090AF
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_012C9080 mov eax, dword ptr fs:[00000030h] 4_2_012C9080
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_01343884 mov eax, dword ptr fs:[00000030h] 4_2_01343884
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_01343884 mov eax, dword ptr fs:[00000030h] 4_2_01343884
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_012C58EC mov eax, dword ptr fs:[00000030h] 4_2_012C58EC
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_012C40E1 mov eax, dword ptr fs:[00000030h] 4_2_012C40E1
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_012C40E1 mov eax, dword ptr fs:[00000030h] 4_2_012C40E1
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_012C40E1 mov eax, dword ptr fs:[00000030h] 4_2_012C40E1
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_0135B8D0 mov eax, dword ptr fs:[00000030h] 4_2_0135B8D0
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_0135B8D0 mov ecx, dword ptr fs:[00000030h] 4_2_0135B8D0
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_0135B8D0 mov eax, dword ptr fs:[00000030h] 4_2_0135B8D0
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_0135B8D0 mov eax, dword ptr fs:[00000030h] 4_2_0135B8D0
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_0135B8D0 mov eax, dword ptr fs:[00000030h] 4_2_0135B8D0
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_0135B8D0 mov eax, dword ptr fs:[00000030h] 4_2_0135B8D0
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_0138131B mov eax, dword ptr fs:[00000030h] 4_2_0138131B
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_012CDB60 mov ecx, dword ptr fs:[00000030h] 4_2_012CDB60
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_012F3B7A mov eax, dword ptr fs:[00000030h] 4_2_012F3B7A
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_012F3B7A mov eax, dword ptr fs:[00000030h] 4_2_012F3B7A
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_01398B58 mov eax, dword ptr fs:[00000030h] 4_2_01398B58
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_012CDB40 mov eax, dword ptr fs:[00000030h] 4_2_012CDB40
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_012CF358 mov eax, dword ptr fs:[00000030h] 4_2_012CF358
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_012F4BAD mov eax, dword ptr fs:[00000030h] 4_2_012F4BAD
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_012F4BAD mov eax, dword ptr fs:[00000030h] 4_2_012F4BAD
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_012F4BAD mov eax, dword ptr fs:[00000030h] 4_2_012F4BAD
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_01395BA5 mov eax, dword ptr fs:[00000030h] 4_2_01395BA5
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_012D1B8F mov eax, dword ptr fs:[00000030h] 4_2_012D1B8F
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_012D1B8F mov eax, dword ptr fs:[00000030h] 4_2_012D1B8F
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_0138138A mov eax, dword ptr fs:[00000030h] 4_2_0138138A
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_0137D380 mov ecx, dword ptr fs:[00000030h] 4_2_0137D380
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_012F2397 mov eax, dword ptr fs:[00000030h] 4_2_012F2397
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_012FB390 mov eax, dword ptr fs:[00000030h] 4_2_012FB390
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_012EDBE9 mov eax, dword ptr fs:[00000030h] 4_2_012EDBE9
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_012F03E2 mov eax, dword ptr fs:[00000030h] 4_2_012F03E2
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_012F03E2 mov eax, dword ptr fs:[00000030h] 4_2_012F03E2
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_012F03E2 mov eax, dword ptr fs:[00000030h] 4_2_012F03E2
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_012F03E2 mov eax, dword ptr fs:[00000030h] 4_2_012F03E2
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_012F03E2 mov eax, dword ptr fs:[00000030h] 4_2_012F03E2
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_012F03E2 mov eax, dword ptr fs:[00000030h] 4_2_012F03E2
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_013453CA mov eax, dword ptr fs:[00000030h] 4_2_013453CA
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_013453CA mov eax, dword ptr fs:[00000030h] 4_2_013453CA
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_01304A2C mov eax, dword ptr fs:[00000030h] 4_2_01304A2C
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_01304A2C mov eax, dword ptr fs:[00000030h] 4_2_01304A2C
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_012D8A0A mov eax, dword ptr fs:[00000030h] 4_2_012D8A0A
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_0138AA16 mov eax, dword ptr fs:[00000030h] 4_2_0138AA16
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_0138AA16 mov eax, dword ptr fs:[00000030h] 4_2_0138AA16
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_012E3A1C mov eax, dword ptr fs:[00000030h] 4_2_012E3A1C
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_012CAA16 mov eax, dword ptr fs:[00000030h] 4_2_012CAA16
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_012CAA16 mov eax, dword ptr fs:[00000030h] 4_2_012CAA16
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_012C5210 mov eax, dword ptr fs:[00000030h] 4_2_012C5210
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_012C5210 mov ecx, dword ptr fs:[00000030h] 4_2_012C5210
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_012C5210 mov eax, dword ptr fs:[00000030h] 4_2_012C5210
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_012C5210 mov eax, dword ptr fs:[00000030h] 4_2_012C5210
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_0130927A mov eax, dword ptr fs:[00000030h] 4_2_0130927A
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_0137B260 mov eax, dword ptr fs:[00000030h] 4_2_0137B260
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_0137B260 mov eax, dword ptr fs:[00000030h] 4_2_0137B260
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_01398A62 mov eax, dword ptr fs:[00000030h] 4_2_01398A62
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_01354257 mov eax, dword ptr fs:[00000030h] 4_2_01354257
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_012C9240 mov eax, dword ptr fs:[00000030h] 4_2_012C9240
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_012C9240 mov eax, dword ptr fs:[00000030h] 4_2_012C9240
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_012C9240 mov eax, dword ptr fs:[00000030h] 4_2_012C9240
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_012C9240 mov eax, dword ptr fs:[00000030h] 4_2_012C9240
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_0138EA55 mov eax, dword ptr fs:[00000030h] 4_2_0138EA55
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_012C52A5 mov eax, dword ptr fs:[00000030h] 4_2_012C52A5
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_012C52A5 mov eax, dword ptr fs:[00000030h] 4_2_012C52A5
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_012C52A5 mov eax, dword ptr fs:[00000030h] 4_2_012C52A5
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_012C52A5 mov eax, dword ptr fs:[00000030h] 4_2_012C52A5
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_012C52A5 mov eax, dword ptr fs:[00000030h] 4_2_012C52A5
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_012DAAB0 mov eax, dword ptr fs:[00000030h] 4_2_012DAAB0
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_012DAAB0 mov eax, dword ptr fs:[00000030h] 4_2_012DAAB0
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_012FFAB0 mov eax, dword ptr fs:[00000030h] 4_2_012FFAB0
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_012FD294 mov eax, dword ptr fs:[00000030h] 4_2_012FD294
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_012FD294 mov eax, dword ptr fs:[00000030h] 4_2_012FD294
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_012F2AE4 mov eax, dword ptr fs:[00000030h] 4_2_012F2AE4
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_012F2ACB mov eax, dword ptr fs:[00000030h] 4_2_012F2ACB
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_0138E539 mov eax, dword ptr fs:[00000030h] 4_2_0138E539
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_0134A537 mov eax, dword ptr fs:[00000030h] 4_2_0134A537
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_01398D34 mov eax, dword ptr fs:[00000030h] 4_2_01398D34
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_012F4D3B mov eax, dword ptr fs:[00000030h] 4_2_012F4D3B
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_012F4D3B mov eax, dword ptr fs:[00000030h] 4_2_012F4D3B
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_012F4D3B mov eax, dword ptr fs:[00000030h] 4_2_012F4D3B
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_012D3D34 mov eax, dword ptr fs:[00000030h] 4_2_012D3D34
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_012D3D34 mov eax, dword ptr fs:[00000030h] 4_2_012D3D34
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_012D3D34 mov eax, dword ptr fs:[00000030h] 4_2_012D3D34
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_012D3D34 mov eax, dword ptr fs:[00000030h] 4_2_012D3D34
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_012D3D34 mov eax, dword ptr fs:[00000030h] 4_2_012D3D34
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_012D3D34 mov eax, dword ptr fs:[00000030h] 4_2_012D3D34
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_012D3D34 mov eax, dword ptr fs:[00000030h] 4_2_012D3D34
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_012D3D34 mov eax, dword ptr fs:[00000030h] 4_2_012D3D34
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_012D3D34 mov eax, dword ptr fs:[00000030h] 4_2_012D3D34
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_012D3D34 mov eax, dword ptr fs:[00000030h] 4_2_012D3D34
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_012D3D34 mov eax, dword ptr fs:[00000030h] 4_2_012D3D34
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_012D3D34 mov eax, dword ptr fs:[00000030h] 4_2_012D3D34
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_012D3D34 mov eax, dword ptr fs:[00000030h] 4_2_012D3D34
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_012CAD30 mov eax, dword ptr fs:[00000030h] 4_2_012CAD30
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_012EC577 mov eax, dword ptr fs:[00000030h] 4_2_012EC577
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_012EC577 mov eax, dword ptr fs:[00000030h] 4_2_012EC577
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_01303D43 mov eax, dword ptr fs:[00000030h] 4_2_01303D43
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_01343540 mov eax, dword ptr fs:[00000030h] 4_2_01343540
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_01373D40 mov eax, dword ptr fs:[00000030h] 4_2_01373D40
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_012E7D50 mov eax, dword ptr fs:[00000030h] 4_2_012E7D50
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_012F35A1 mov eax, dword ptr fs:[00000030h] 4_2_012F35A1
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_013905AC mov eax, dword ptr fs:[00000030h] 4_2_013905AC
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_013905AC mov eax, dword ptr fs:[00000030h] 4_2_013905AC
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_012F1DB5 mov eax, dword ptr fs:[00000030h] 4_2_012F1DB5
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_012F1DB5 mov eax, dword ptr fs:[00000030h] 4_2_012F1DB5
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_012F1DB5 mov eax, dword ptr fs:[00000030h] 4_2_012F1DB5
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_012C2D8A mov eax, dword ptr fs:[00000030h] 4_2_012C2D8A
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_012C2D8A mov eax, dword ptr fs:[00000030h] 4_2_012C2D8A
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_012C2D8A mov eax, dword ptr fs:[00000030h] 4_2_012C2D8A
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_012C2D8A mov eax, dword ptr fs:[00000030h] 4_2_012C2D8A
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_012C2D8A mov eax, dword ptr fs:[00000030h] 4_2_012C2D8A
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_012F2581 mov eax, dword ptr fs:[00000030h] 4_2_012F2581
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_012F2581 mov eax, dword ptr fs:[00000030h] 4_2_012F2581
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_012F2581 mov eax, dword ptr fs:[00000030h] 4_2_012F2581
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_012F2581 mov eax, dword ptr fs:[00000030h] 4_2_012F2581
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_012FFD9B mov eax, dword ptr fs:[00000030h] 4_2_012FFD9B
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_012FFD9B mov eax, dword ptr fs:[00000030h] 4_2_012FFD9B
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_01378DF1 mov eax, dword ptr fs:[00000030h] 4_2_01378DF1
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_012DD5E0 mov eax, dword ptr fs:[00000030h] 4_2_012DD5E0
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_012DD5E0 mov eax, dword ptr fs:[00000030h] 4_2_012DD5E0
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_0138FDE2 mov eax, dword ptr fs:[00000030h] 4_2_0138FDE2
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_0138FDE2 mov eax, dword ptr fs:[00000030h] 4_2_0138FDE2
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_0138FDE2 mov eax, dword ptr fs:[00000030h] 4_2_0138FDE2
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_0138FDE2 mov eax, dword ptr fs:[00000030h] 4_2_0138FDE2
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_01346DC9 mov eax, dword ptr fs:[00000030h] 4_2_01346DC9
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_01346DC9 mov eax, dword ptr fs:[00000030h] 4_2_01346DC9
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_01346DC9 mov eax, dword ptr fs:[00000030h] 4_2_01346DC9
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_01346DC9 mov ecx, dword ptr fs:[00000030h] 4_2_01346DC9
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_01346DC9 mov eax, dword ptr fs:[00000030h] 4_2_01346DC9
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_01346DC9 mov eax, dword ptr fs:[00000030h] 4_2_01346DC9
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_012FBC2C mov eax, dword ptr fs:[00000030h] 4_2_012FBC2C
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_0139740D mov eax, dword ptr fs:[00000030h] 4_2_0139740D
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_0139740D mov eax, dword ptr fs:[00000030h] 4_2_0139740D
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_0139740D mov eax, dword ptr fs:[00000030h] 4_2_0139740D
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_01381C06 mov eax, dword ptr fs:[00000030h] 4_2_01381C06
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_01381C06 mov eax, dword ptr fs:[00000030h] 4_2_01381C06
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_01381C06 mov eax, dword ptr fs:[00000030h] 4_2_01381C06
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_01381C06 mov eax, dword ptr fs:[00000030h] 4_2_01381C06
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_01381C06 mov eax, dword ptr fs:[00000030h] 4_2_01381C06
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_01381C06 mov eax, dword ptr fs:[00000030h] 4_2_01381C06
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_01381C06 mov eax, dword ptr fs:[00000030h] 4_2_01381C06
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_01381C06 mov eax, dword ptr fs:[00000030h] 4_2_01381C06
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_01381C06 mov eax, dword ptr fs:[00000030h] 4_2_01381C06
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_01381C06 mov eax, dword ptr fs:[00000030h] 4_2_01381C06
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_01381C06 mov eax, dword ptr fs:[00000030h] 4_2_01381C06
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_01381C06 mov eax, dword ptr fs:[00000030h] 4_2_01381C06
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_01381C06 mov eax, dword ptr fs:[00000030h] 4_2_01381C06
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_01381C06 mov eax, dword ptr fs:[00000030h] 4_2_01381C06
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_01346C0A mov eax, dword ptr fs:[00000030h] 4_2_01346C0A
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_01346C0A mov eax, dword ptr fs:[00000030h] 4_2_01346C0A
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_01346C0A mov eax, dword ptr fs:[00000030h] 4_2_01346C0A
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_01346C0A mov eax, dword ptr fs:[00000030h] 4_2_01346C0A
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_012E746D mov eax, dword ptr fs:[00000030h] 4_2_012E746D
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_012FA44B mov eax, dword ptr fs:[00000030h] 4_2_012FA44B
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_0135C450 mov eax, dword ptr fs:[00000030h] 4_2_0135C450
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_0135C450 mov eax, dword ptr fs:[00000030h] 4_2_0135C450
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_012D849B mov eax, dword ptr fs:[00000030h] 4_2_012D849B
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_013814FB mov eax, dword ptr fs:[00000030h] 4_2_013814FB
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_01346CF0 mov eax, dword ptr fs:[00000030h] 4_2_01346CF0
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_01346CF0 mov eax, dword ptr fs:[00000030h] 4_2_01346CF0
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_01346CF0 mov eax, dword ptr fs:[00000030h] 4_2_01346CF0
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_01398CD6 mov eax, dword ptr fs:[00000030h] 4_2_01398CD6
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_012C4F2E mov eax, dword ptr fs:[00000030h] 4_2_012C4F2E
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_012C4F2E mov eax, dword ptr fs:[00000030h] 4_2_012C4F2E
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_012FE730 mov eax, dword ptr fs:[00000030h] 4_2_012FE730
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_012FA70E mov eax, dword ptr fs:[00000030h] 4_2_012FA70E
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_012FA70E mov eax, dword ptr fs:[00000030h] 4_2_012FA70E
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_0135FF10 mov eax, dword ptr fs:[00000030h] 4_2_0135FF10
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_0135FF10 mov eax, dword ptr fs:[00000030h] 4_2_0135FF10
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_0139070D mov eax, dword ptr fs:[00000030h] 4_2_0139070D
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_0139070D mov eax, dword ptr fs:[00000030h] 4_2_0139070D
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_012EF716 mov eax, dword ptr fs:[00000030h] 4_2_012EF716
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_012DFF60 mov eax, dword ptr fs:[00000030h] 4_2_012DFF60
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_01398F6A mov eax, dword ptr fs:[00000030h] 4_2_01398F6A
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_012DEF40 mov eax, dword ptr fs:[00000030h] 4_2_012DEF40
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_01347794 mov eax, dword ptr fs:[00000030h] 4_2_01347794
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_01347794 mov eax, dword ptr fs:[00000030h] 4_2_01347794
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_01347794 mov eax, dword ptr fs:[00000030h] 4_2_01347794
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_012D8794 mov eax, dword ptr fs:[00000030h] 4_2_012D8794
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_013037F5 mov eax, dword ptr fs:[00000030h] 4_2_013037F5
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_0137FE3F mov eax, dword ptr fs:[00000030h] 4_2_0137FE3F
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_012CE620 mov eax, dword ptr fs:[00000030h] 4_2_012CE620
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_012CC600 mov eax, dword ptr fs:[00000030h] 4_2_012CC600
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_012CC600 mov eax, dword ptr fs:[00000030h] 4_2_012CC600
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_012CC600 mov eax, dword ptr fs:[00000030h] 4_2_012CC600
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_012F8E00 mov eax, dword ptr fs:[00000030h] 4_2_012F8E00
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_01381608 mov eax, dword ptr fs:[00000030h] 4_2_01381608
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_012FA61C mov eax, dword ptr fs:[00000030h] 4_2_012FA61C
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_012FA61C mov eax, dword ptr fs:[00000030h] 4_2_012FA61C
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_012D766D mov eax, dword ptr fs:[00000030h] 4_2_012D766D
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_012EAE73 mov eax, dword ptr fs:[00000030h] 4_2_012EAE73
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_012EAE73 mov eax, dword ptr fs:[00000030h] 4_2_012EAE73
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_012EAE73 mov eax, dword ptr fs:[00000030h] 4_2_012EAE73
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_012EAE73 mov eax, dword ptr fs:[00000030h] 4_2_012EAE73
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_012EAE73 mov eax, dword ptr fs:[00000030h] 4_2_012EAE73
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_012D7E41 mov eax, dword ptr fs:[00000030h] 4_2_012D7E41
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_012D7E41 mov eax, dword ptr fs:[00000030h] 4_2_012D7E41
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_012D7E41 mov eax, dword ptr fs:[00000030h] 4_2_012D7E41
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_012D7E41 mov eax, dword ptr fs:[00000030h] 4_2_012D7E41
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_012D7E41 mov eax, dword ptr fs:[00000030h] 4_2_012D7E41
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_012D7E41 mov eax, dword ptr fs:[00000030h] 4_2_012D7E41
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_0138AE44 mov eax, dword ptr fs:[00000030h] 4_2_0138AE44
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_0138AE44 mov eax, dword ptr fs:[00000030h] 4_2_0138AE44
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_013446A7 mov eax, dword ptr fs:[00000030h] 4_2_013446A7
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_01390EA5 mov eax, dword ptr fs:[00000030h] 4_2_01390EA5
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_01390EA5 mov eax, dword ptr fs:[00000030h] 4_2_01390EA5
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_01390EA5 mov eax, dword ptr fs:[00000030h] 4_2_01390EA5
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_0135FE87 mov eax, dword ptr fs:[00000030h] 4_2_0135FE87
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_012F16E0 mov ecx, dword ptr fs:[00000030h] 4_2_012F16E0
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_012D76E2 mov eax, dword ptr fs:[00000030h] 4_2_012D76E2
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_012F36CC mov eax, dword ptr fs:[00000030h] 4_2_012F36CC
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_01398ED6 mov eax, dword ptr fs:[00000030h] 4_2_01398ED6
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_0137FEC0 mov eax, dword ptr fs:[00000030h] 4_2_0137FEC0
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4_2_01308EC7 mov eax, dword ptr fs:[00000030h] 4_2_01308EC7
Source: C:\Windows\SysWOW64\msdt.exe Code function: 11_2_04C38CD6 mov eax, dword ptr fs:[00000030h] 11_2_04C38CD6
Source: C:\Windows\SysWOW64\msdt.exe Code function: 11_2_04B7849B mov eax, dword ptr fs:[00000030h] 11_2_04B7849B
Source: C:\Windows\SysWOW64\msdt.exe Code function: 11_2_04C214FB mov eax, dword ptr fs:[00000030h] 11_2_04C214FB
Source: C:\Windows\SysWOW64\msdt.exe Code function: 11_2_04BE6CF0 mov eax, dword ptr fs:[00000030h] 11_2_04BE6CF0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 11_2_04BE6CF0 mov eax, dword ptr fs:[00000030h] 11_2_04BE6CF0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 11_2_04BE6CF0 mov eax, dword ptr fs:[00000030h] 11_2_04BE6CF0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 11_2_04C24496 mov eax, dword ptr fs:[00000030h] 11_2_04C24496
Source: C:\Windows\SysWOW64\msdt.exe Code function: 11_2_04C24496 mov eax, dword ptr fs:[00000030h] 11_2_04C24496
Source: C:\Windows\SysWOW64\msdt.exe Code function: 11_2_04C24496 mov eax, dword ptr fs:[00000030h] 11_2_04C24496
Source: C:\Windows\SysWOW64\msdt.exe Code function: 11_2_04C24496 mov eax, dword ptr fs:[00000030h] 11_2_04C24496
Source: C:\Windows\SysWOW64\msdt.exe Code function: 11_2_04C24496 mov eax, dword ptr fs:[00000030h] 11_2_04C24496
Source: C:\Windows\SysWOW64\msdt.exe Code function: 11_2_04C24496 mov eax, dword ptr fs:[00000030h] 11_2_04C24496
Source: C:\Windows\SysWOW64\msdt.exe Code function: 11_2_04C24496 mov eax, dword ptr fs:[00000030h] 11_2_04C24496
Source: C:\Windows\SysWOW64\msdt.exe Code function: 11_2_04C24496 mov eax, dword ptr fs:[00000030h] 11_2_04C24496
Source: C:\Windows\SysWOW64\msdt.exe Code function: 11_2_04C24496 mov eax, dword ptr fs:[00000030h] 11_2_04C24496
Source: C:\Windows\SysWOW64\msdt.exe Code function: 11_2_04C24496 mov eax, dword ptr fs:[00000030h] 11_2_04C24496
Source: C:\Windows\SysWOW64\msdt.exe Code function: 11_2_04C24496 mov eax, dword ptr fs:[00000030h] 11_2_04C24496
Source: C:\Windows\SysWOW64\msdt.exe Code function: 11_2_04C24496 mov eax, dword ptr fs:[00000030h] 11_2_04C24496
Source: C:\Windows\SysWOW64\msdt.exe Code function: 11_2_04C24496 mov eax, dword ptr fs:[00000030h] 11_2_04C24496
Source: C:\Windows\SysWOW64\msdt.exe Code function: 11_2_04B9BC2C mov eax, dword ptr fs:[00000030h] 11_2_04B9BC2C
Source: C:\Windows\SysWOW64\msdt.exe Code function: 11_2_04BE6C0A mov eax, dword ptr fs:[00000030h] 11_2_04BE6C0A
Source: C:\Windows\SysWOW64\msdt.exe Code function: 11_2_04BE6C0A mov eax, dword ptr fs:[00000030h] 11_2_04BE6C0A
Source: C:\Windows\SysWOW64\msdt.exe Code function: 11_2_04BE6C0A mov eax, dword ptr fs:[00000030h] 11_2_04BE6C0A
Source: C:\Windows\SysWOW64\msdt.exe Code function: 11_2_04BE6C0A mov eax, dword ptr fs:[00000030h] 11_2_04BE6C0A
Source: C:\Windows\SysWOW64\msdt.exe Code function: 11_2_04B9AC7B mov eax, dword ptr fs:[00000030h] 11_2_04B9AC7B
Source: C:\Windows\SysWOW64\msdt.exe Code function: 11_2_04B9AC7B mov eax, dword ptr fs:[00000030h] 11_2_04B9AC7B
Source: C:\Windows\SysWOW64\msdt.exe Code function: 11_2_04B9AC7B mov eax, dword ptr fs:[00000030h] 11_2_04B9AC7B
Source: C:\Windows\SysWOW64\msdt.exe Code function: 11_2_04B9AC7B mov eax, dword ptr fs:[00000030h] 11_2_04B9AC7B
Source: C:\Windows\SysWOW64\msdt.exe Code function: 11_2_04B9AC7B mov eax, dword ptr fs:[00000030h] 11_2_04B9AC7B
Source: C:\Windows\SysWOW64\msdt.exe Code function: 11_2_04B9AC7B mov eax, dword ptr fs:[00000030h] 11_2_04B9AC7B
Source: C:\Windows\SysWOW64\msdt.exe Code function: 11_2_04B9AC7B mov eax, dword ptr fs:[00000030h] 11_2_04B9AC7B
Source: C:\Windows\SysWOW64\msdt.exe Code function: 11_2_04B9AC7B mov eax, dword ptr fs:[00000030h] 11_2_04B9AC7B
Source: C:\Windows\SysWOW64\msdt.exe Code function: 11_2_04B9AC7B mov eax, dword ptr fs:[00000030h] 11_2_04B9AC7B
Source: C:\Windows\SysWOW64\msdt.exe Code function: 11_2_04B9AC7B mov eax, dword ptr fs:[00000030h] 11_2_04B9AC7B
Source: C:\Windows\SysWOW64\msdt.exe Code function: 11_2_04B9AC7B mov eax, dword ptr fs:[00000030h] 11_2_04B9AC7B
Source: C:\Windows\SysWOW64\msdt.exe Code function: 11_2_04C21C06 mov eax, dword ptr fs:[00000030h] 11_2_04C21C06
Source: C:\Windows\SysWOW64\msdt.exe Code function: 11_2_04C21C06 mov eax, dword ptr fs:[00000030h] 11_2_04C21C06
Source: C:\Windows\SysWOW64\msdt.exe Code function: 11_2_04C21C06 mov eax, dword ptr fs:[00000030h] 11_2_04C21C06
Source: C:\Windows\SysWOW64\msdt.exe Code function: 11_2_04C21C06 mov eax, dword ptr fs:[00000030h] 11_2_04C21C06
Source: C:\Windows\SysWOW64\msdt.exe Code function: 11_2_04C21C06 mov eax, dword ptr fs:[00000030h] 11_2_04C21C06
Source: C:\Windows\SysWOW64\msdt.exe Code function: 11_2_04C21C06 mov eax, dword ptr fs:[00000030h] 11_2_04C21C06
Source: C:\Windows\SysWOW64\msdt.exe Code function: 11_2_04C21C06 mov eax, dword ptr fs:[00000030h] 11_2_04C21C06
Source: C:\Windows\SysWOW64\msdt.exe Code function: 11_2_04C21C06 mov eax, dword ptr fs:[00000030h] 11_2_04C21C06
Source: C:\Windows\SysWOW64\msdt.exe Code function: 11_2_04C21C06 mov eax, dword ptr fs:[00000030h] 11_2_04C21C06
Source: C:\Windows\SysWOW64\msdt.exe Code function: 11_2_04C21C06 mov eax, dword ptr fs:[00000030h] 11_2_04C21C06
Source: C:\Windows\SysWOW64\msdt.exe Code function: 11_2_04C21C06 mov eax, dword ptr fs:[00000030h] 11_2_04C21C06
Source: C:\Windows\SysWOW64\msdt.exe Code function: 11_2_04C21C06 mov eax, dword ptr fs:[00000030h] 11_2_04C21C06
Source: C:\Windows\SysWOW64\msdt.exe Code function: 11_2_04C21C06 mov eax, dword ptr fs:[00000030h] 11_2_04C21C06
Source: C:\Windows\SysWOW64\msdt.exe Code function: 11_2_04C21C06 mov eax, dword ptr fs:[00000030h] 11_2_04C21C06
Source: C:\Windows\SysWOW64\msdt.exe Code function: 11_2_04C3740D mov eax, dword ptr fs:[00000030h] 11_2_04C3740D
Source: C:\Windows\SysWOW64\msdt.exe Code function: 11_2_04C3740D mov eax, dword ptr fs:[00000030h]