Windows Analysis Report
TNS71092E68UI0.vbe

Overview

General Information

Sample name: TNS71092E68UI0.vbe
Analysis ID: 1482976
MD5: 83ef588dc92a85ef93d055290393a07d
SHA1: c7fa54bb9f8d5467137197b8e344b95d2e1f4430
SHA256: 02500b9058612028c5667bfd9302d81184689fcb88eb5500902d39baec246fa0
Tags: Formbook, TNT, vbe

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for dropped file
Benign windows process drops PE files
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
.NET source code contains potential unpacker
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found direct / indirect Syscall (likely to bypass EDR)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: WScript or CScript Dropper
Switches to a custom stack to bypass stack traces
Tries to detect virtualization through RDTSC time measurements
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found decision node followed by non-executed suspicious APIs
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

AV Detection

Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Avira: detection malicious, Label: HEUR/AGEN.1357443
Source: 00000006.00000002.4519776308.0000000003130000.00000004.00000800.00020000.00000000.sdmp Malware Configuration Extractor: FormBook {"C2 list": ["www.happygreenfarm.com/de94/"], "decoy": ["way2future.net", "worldnewsdailys.online", "rendamaisbr.com", "s485.icu", "vcxwpo.xyz", "imagivilleartists.com", "herbatyorganics.com", "xn--80ado1abokv5d.xn--p1acf", "invigoratewell.com", "especialistaleitura.online", "pkrstg.com", "performacaretechnical.com", "dreamgame55.net", "hkitgugx.xyz", "istanlikbilgiler.click", "slotter99j.vip", "exploringtheoutdoors.net", "triberoots.com", "energiaslotsbet.com", "dkforcm.com", "rtp1kijangwin.top", "monkeytranslate.com", "21stcut.shop", "hgty866.xyz", "shaktitest.site", "monrocasino-508.com", "level4d1.bet", "nbcze.com", "rtproketslotcsn.art", "xjps.ltd", "yoanamod.com", "gv031.net", "mceliteroofing.com", "1wtrh.com", "online-dating-24966.bond", "dentalbrasstacks.com", "kf7wzmuzv0w.xyz", "gyosei-arimura.com", "shopyzones.shop", "bradleyboy.xyz", "bradleyboy.xyz", "nownzen.store", "buysellrepresent.com", "tateshades.xyz", "club1stclass.com", "2309238042.com", "ashleymorgan.live", "xn--pdr89n.vip", "princecl.xyz", "mindfulmanifest.net", "c4ads.net", "exlith.com", "jiogskeojg.xyz", "lxrtl.com", "cshark-sguser.com", "h021b.rest", "alfiethorhalls.com", "librosinfantiles.top", "alazamexports.com", "mehalhouse.com", "slvtapeworld.com", "mybest.engineer", "legalix.xyz", "kuuichi.xyz"]}
Source: TNS71092E68UI0.vbe Virustotal: Detection: 16%
Source: Yara match File source: 4.2.HHhHh.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.HHhHh.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000006.00000002.4519776308.0000000003130000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.4518736574.0000000000900000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2206699607.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.2150854025.00000000036B9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.4519112840.0000000002C50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Joe Sandbox ML: detected
Source: Binary string: wntdll.pdb source: HHhHh.exe, wscript.exe
Source: Binary string: wscript.pdb source: wscript.exe
Source: C:\Windows\SysWOW64\wscript.exe Code function: 6_2_009C23CE GetFileAttributesW,GetLastError,FindFirstFileW,WideCharToMultiByte,GetLastError,__alloca_probe_16,WideCharToMultiByte,GetFileAttributesA,GetLastError,FindFirstFileA,FindClose, 6_2_009C23CE
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Code function: 4x nop then pop ebx 4_2_00407B20
Source: C:\Windows\SysWOW64\wscript.exe Code function: 4x nop then pop ebx 6_2_00907B20

Networking

Source: C:\Windows\explorer.exe Network Connect: 103.169.142.0 80
Source: C:\Windows\explorer.exe Network Connect: 198.54.117.242 80
Source: Malware configuration extractor URLs: www.happygreenfarm.com/de94/
Source: DNS query: www.tateshades.xyz
Source: DNS query: www.legalix.xyz
Source: global traffic HTTP traffic detected: GET /de94/?iH=L48pdJnx&jBZ=KxdOA0Mo1WZhrruLdWg4BGjiUazPRKkva+c6BVUkR9pg9lvbFJGOvuIlGrqlewJrvTBn HTTP/1.1
  Host: www.tateshades.xyz
  Connection: close
  Data Raw: 00 00 00 00 00 00 00 (Data Ascii: empty, the body is seven NUL bytes)
Source: global traffic HTTP traffic detected: GET /de94/?jBZ=DixB1qykAeF3P3PXJeHdSknPWO1HgPnInxoSQIfAm9wP6zKJEe36YOPFRPwN1ZbEVsUi&iH=L48pdJnx HTTP/1.1
  Host: www.gyosei-arimura.com
  Connection: close
  Data Raw: 00 00 00 00 00 00 00 (Data Ascii: empty, the body is seven NUL bytes)
Source: global traffic HTTP traffic detected: GET /de94/?iH=L48pdJnx&jBZ=5tT0wx6F9dDlvd0I7/Gf0Z876YhP5UCSCTQNI7gCLgEp6gs1sNLPrbs4iKZbSyW3sHh4 HTTP/1.1
  Host: www.ashleymorgan.live
  Connection: close
  Data Raw: 00 00 00 00 00 00 00 (Data Ascii: empty, the body is seven NUL bytes)
Source: global traffic HTTP traffic detected: GET /de94/?jBZ=oGEpRlg+OmPq0B7KIcYot+ASNw6YPmukejZMyF938WrRMvUmELkE1jbD5t8azbvrsm6P&iH=L48pdJnx HTTP/1.1
  Host: www.rendamaisbr.com
  Connection: close
  Data Raw: 00 00 00 00 00 00 00 (Data Ascii: empty, the body is seven NUL bytes)
Source: global traffic HTTP traffic detected: GET /de94/?iH=L48pdJnx&jBZ=2R5LA04AgrrHOF4dber2AYa+4EXsdsXp9ugXIfcwTjx7QxDViEac/VVT3dt/yVkMwVF8 HTTP/1.1
  Host: www.especialistaleitura.online
  Connection: close
  Data Raw: 00 00 00 00 00 00 00 (Data Ascii: empty, the body is seven NUL bytes)
Source: Joe Sandbox View IP Address: 103.169.142.0
Source: Joe Sandbox View IP Address: 198.54.117.242
Source: Joe Sandbox View ASN Name: MTSRU
Source: Joe Sandbox View ASN Name: AARNET-AS-APAustralianAcademicandResearchNetworkAARNe
Source: Joe Sandbox View ASN Name: NAMECHEAP-NETUS
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1 (12 occurrences)
Source: C:\Windows\explorer.exe Code function: 5_2_11269F82 getaddrinfo,setsockopt,recv, 5_2_11269F82
Source: global traffic DNS traffic detected: DNS query: www.tateshades.xyz
Source: global traffic DNS traffic detected: DNS query: www.gyosei-arimura.com
Source: global traffic DNS traffic detected: DNS query: www.ashleymorgan.live
Source: global traffic DNS traffic detected: DNS query: www.gv031.net
Source: global traffic DNS traffic detected: DNS query: www.rendamaisbr.com
Source: global traffic DNS traffic detected: DNS query: www.especialistaleitura.online
Source: global traffic DNS traffic detected: DNS query: www.rtproketslotcsn.art
Source: global traffic DNS traffic detected: DNS query: www.exploringtheoutdoors.net
Source: global traffic DNS traffic detected: DNS query: www.invigoratewell.com
Source: global traffic DNS traffic detected: DNS query: www.legalix.xyz
Source: global traffic DNS traffic detected: DNS query: www.21stcut.shop
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found
  Date: Fri, 26 Jul 2024 11:05:29 GMT
  Content-Type: text/html
  Transfer-Encoding: chunked
  Connection: close
  CF-Cache-Status: DYNAMIC
  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=MAbLK1QdlRV6LTBnBQHP4GMtosATTCpVjiz%2F%2B8enYj6c8u0AHIppOl0xFo2qiVuQVaotmCVNuMU9HCRRoMoShzJFVrl5VcK8YiriQ5ZaRymFb5cMcNjDMhOkipfaQtZ83MDb%2F%2FPM"}],"group":"cf-nel","max_age":604800}
  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
  Server: cloudflare
  CF-RAY: 8a93ea39e95042c0-EWR
  alt-svc: h3=":443"; ma=86400
  Data Raw: 39 39 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 32 32 2e 31 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 0d 0a 30 0d 0a 0d 0a
  Data Ascii: 99<html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.22.1</center></body></html>0 (chunked body: one chunk of length 0x99 = 153 bytes, then the terminating 0-length chunk)
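The traffic above is the usual FormBook pattern: the extracted configuration holds one real C2 (www.happygreenfarm.com with the campaign path /de94/) plus a long list of decoy domains, and the sample sends the same GET to the decoys as to the real server, with no User-Agent, Connection: close and a body of seven NUL bytes. The following Python is an added example, not part of the Joe Sandbox report, that turns the configuration and request shape above into a triage helper: it separates real C2 from decoy hosts and flags requests that have the beacon shape. Only a subset of the report's 64 decoys is embedded; the third sample request is constructed for contrast, and the request-line regex (short path, two short query tags) is my generalization of the five requests above, not something the report states.

```python
"""Classify hosts and HTTP requests against an extracted FormBook configuration.

Added example: the config values are copied from the report's Malware Configuration
Extractor line, the decoy list is a subset of it, and the beacon regex is an assumption
drawn from the five requests shown in the report.
"""
import re
from urllib.parse import urlsplit

# From the report's extracted configuration.
C2_LIST = ["www.happygreenfarm.com/de94/"]
# Subset of the 64 decoy domains in the same configuration line.
DECOYS = [
    "way2future.net", "rendamaisbr.com", "especialistaleitura.online", "invigoratewell.com",
    "exploringtheoutdoors.net", "rtproketslotcsn.art", "21stcut.shop", "tateshades.xyz",
    "ashleymorgan.live", "gv031.net", "gyosei-arimura.com", "legalix.xyz",
]

# Request-line shape seen in the report: GET /<short path>/?<tag>=<val>&<tag>=<val> HTTP/1.1
# The two query parameters appear in either order, so both tags are matched generically.
BEACON_RE = re.compile(
    r"^(?P<method>GET|POST) (?P<path>/[0-9a-z]{2,8}/)\?"
    r"(?P<query>[A-Za-z0-9]{1,4}=[^&\s]+&[A-Za-z0-9]{1,4}=\S+) HTTP/1\.[01]$"
)


def norm_host(host: str) -> str:
    """The config stores bare domains; DNS queries and Host headers carry a www. prefix."""
    host = host.strip().lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host


def c2_hosts_and_paths(c2_list=C2_LIST):
    """Split 'host/path/' config entries into real C2 hosts and campaign path(s)."""
    hosts, paths = set(), set()
    for entry in c2_list:
        parts = urlsplit("http://" + entry)
        hosts.add(norm_host(parts.hostname))
        paths.add(parts.path or "/")
    return hosts, paths


def classify_host(host: str, c2_list=C2_LIST, decoys=DECOYS) -> str:
    """'c2' for the real server, 'decoy' for configuration chaff, 'unknown' otherwise."""
    hosts, _ = c2_hosts_and_paths(c2_list)
    h = norm_host(host)
    if h in hosts:
        return "c2"
    if h in {norm_host(d) for d in decoys}:
        return "decoy"
    return "unknown"


def parse_request(raw: str):
    """Minimal HTTP request parser: (request line, {lowercased header: value})."""
    lines = raw.strip().splitlines()
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            key, value = line.split(":", 1)
            headers[key.strip().lower()] = value.strip()
    return lines[0].strip(), headers


def is_formbook_beacon(raw: str, c2_list=C2_LIST) -> bool:
    """Beacon shape as seen in the report: campaign path, no User-Agent, Connection: close."""
    request_line, headers = parse_request(raw)
    m = BEACON_RE.match(request_line)
    if not m:
        return False
    _, paths = c2_hosts_and_paths(c2_list)
    return (m.group("path") in paths
            and "user-agent" not in headers
            and headers.get("connection", "").lower() == "close")


def triage(raw_requests, c2_list=C2_LIST, decoys=DECOYS):
    """One record per request: host, its role in the config, and whether it is beacon-shaped."""
    out = []
    for raw in raw_requests:
        _, headers = parse_request(raw)
        host = headers.get("host", "")
        out.append({"host": host,
                    "role": classify_host(host, c2_list, decoys),
                    "beacon": is_formbook_beacon(raw, c2_list)})
    return out


# The first two requests are copied from the report; the third is constructed as a benign contrast.
SAMPLE_REQUESTS = [
    "GET /de94/?iH=L48pdJnx&jBZ=KxdOA0Mo1WZhrruLdWg4BGjiUazPRKkva+c6BVUkR9pg9lvbFJGOvuIlGrqlewJrvTBn HTTP/1.1\n"
    "Host: www.tateshades.xyz\nConnection: close\n",
    "GET /de94/?jBZ=DixB1qykAeF3P3PXJeHdSknPWO1HgPnInxoSQIfAm9wP6zKJEe36YOPFRPwN1ZbEVsUi&iH=L48pdJnx HTTP/1.1\n"
    "Host: www.gyosei-arimura.com\nConnection: close\n",
    "GET /index.html HTTP/1.1\nHost: www.example.com\nUser-Agent: Mozilla/5.0\nConnection: keep-alive\n",
]

if __name__ == "__main__":
    for rec in triage(SAMPLE_REQUESTS):
        print(rec)
```

Every host the sandbox resolved during this run is in the decoy list; the real C2 host was not contacted in the captured window, which is exactly why blocking on the beacon shape (path plus missing User-Agent) is more useful than blocking on the DNS names alone.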

E-Banking Fraud

Source: Yara match File source: 4.2.HHhHh.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.HHhHh.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000006.00000002.4519776308.0000000003130000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.4518736574.0000000000900000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2206699607.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.2150854025.00000000036B9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.4519112840.0000000002C50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

System Summary

Source: 4.2.HHhHh.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 4.2.HHhHh.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 4.2.HHhHh.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 4.2.HHhHh.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 4.2.HHhHh.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 4.2.HHhHh.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000002.4519776308.0000000003130000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000006.00000002.4519776308.0000000003130000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000002.4519776308.0000000003130000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000002.4518736574.0000000000900000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000006.00000002.4518736574.0000000000900000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000002.4518736574.0000000000900000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.2206699607.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000004.00000002.2206699607.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.2206699607.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.2150854025.00000000036B9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000002.00000002.2150854025.00000000036B9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.2150854025.00000000036B9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000002.4519112840.0000000002C50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000006.00000002.4519112840.0000000002C50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000002.4519112840.0000000002C50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: C:\Windows\System32\wscript.exe COM Object queried: ADODB.Stream HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00000566-0000-0010-8000-00AA006D2EA4}
Source: C:\Windows\System32\wscript.exe COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
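The two COM objects above are the dropper's whole toolkit: ADODB.Stream writes the embedded binary to disk (here C:\Users\user\AppData\Local\Temp\HHhHh.exe) and the WScript.Shell object runs it, which is what the "WScript or CScript Dropper" and "System process connects to network" signatures in this report describe. The following Python is an added example, not part of the Joe Sandbox report or of Sysmon, that expresses those two behaviours as checks over Sysmon-style events. The events are constructed to mirror the report (script host dropping a PE into %TEMP% and launching it; explorer.exe connecting to 103.169.142.0 and 198.54.117.242 on port 80); the field names are the standard Sysmon ones, but the exact event list and the two benign events are assumptions.

```python
"""Script-host dropper and system-process beaconing checks over Sysmon-style events.

Added example. The events below are constructed to mirror the report; the real
Sysmon field names (Image, ParentImage, TargetFilename, DestinationIp, DestinationPort)
are used, but the event list itself is not from the sandbox.
"""
import re

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Shell/system images that have no business opening their own HTTP connections.
SYSTEM_IMAGES = {r"c:\windows\explorer.exe"}
TEMP_PE_RE = re.compile(r"\\appdata\\local\\temp\\[^\\]+\.exe$", re.IGNORECASE)


def image_name(path: str) -> str:
    """Basename of a Windows image path, lowercased."""
    return path.rsplit("\\", 1)[-1].lower()


def script_host_dropper(events):
    """Sysmon 11 (FileCreate): a script host writes a PE under %TEMP%, then
    Sysmon 1 (ProcessCreate): that same file starts with the script host as parent."""
    dropped, hits = set(), []
    for e in events:
        if (e["EventID"] == 11 and image_name(e["Image"]) in SCRIPT_HOSTS
                and TEMP_PE_RE.search(e["TargetFilename"])):
            dropped.add(e["TargetFilename"].lower())
        elif (e["EventID"] == 1 and image_name(e["ParentImage"]) in SCRIPT_HOSTS
                and e["Image"].lower() in dropped):
            hits.append((e["ParentImage"], e["Image"]))
    return hits


def system_process_network(events, ports=(80, 443)):
    """Sysmon 3 (NetworkConnect) from a shell/system image to a web port."""
    return [(e["Image"], e["DestinationIp"], e["DestinationPort"]) for e in events
            if e["EventID"] == 3 and e["Image"].lower() in SYSTEM_IMAGES
            and e["DestinationPort"] in ports]


# Constructed events: the first four mirror the report, the last two are benign contrast.
EVENTS = [
    {"EventID": 11, "Image": r"C:\Windows\System32\wscript.exe",
     "TargetFilename": r"C:\Users\user\AppData\Local\Temp\HHhHh.exe"},
    {"EventID": 1, "Image": r"C:\Users\user\AppData\Local\Temp\HHhHh.exe",
     "ParentImage": r"C:\Windows\System32\wscript.exe"},
    {"EventID": 3, "Image": r"C:\Windows\explorer.exe",
     "DestinationIp": "103.169.142.0", "DestinationPort": 80},
    {"EventID": 3, "Image": r"C:\Windows\explorer.exe",
     "DestinationIp": "198.54.117.242", "DestinationPort": 80},
    {"EventID": 3, "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "DestinationIp": "203.0.113.10", "DestinationPort": 443},
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    print("dropper chains:", script_host_dropper(EVENTS))
    print("system-process beacons:", system_process_network(EVENTS))
```

The explorer.exe check is deliberately narrow: explorer does make legitimate outbound connections (WebDAV, network shares, online thumbnails), so in production it is the combination with the dropper chain and the beacon shape, not the connection alone, that should page someone.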
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Code function: 4_2_0041A360 NtCreateFile, 4_2_0041A360
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Code function: 4_2_0041A410 NtReadFile, 4_2_0041A410
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Code function: 4_2_0041A490 NtClose, 4_2_0041A490
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Code function: 4_2_0041A540 NtAllocateVirtualMemory, 4_2_0041A540
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Code function: 4_2_0041A35A NtCreateFile, 4_2_0041A35A
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Code function: 4_2_0041A53A NtAllocateVirtualMemory, 4_2_0041A53A
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Code function: 4_2_012D2B60 NtClose,LdrInitializeThunk, 4_2_012D2B60
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Code function: 4_2_012D2BF0 NtAllocateVirtualMemory,LdrInitializeThunk, 4_2_012D2BF0
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Code function: 4_2_012D2AD0 NtReadFile,LdrInitializeThunk, 4_2_012D2AD0
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Code function: 4_2_012D2D30 NtUnmapViewOfSection,LdrInitializeThunk, 4_2_012D2D30
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Code function: 4_2_012D2D10 NtMapViewOfSection,LdrInitializeThunk, 4_2_012D2D10
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Code function: 4_2_012D2DF0 NtQuerySystemInformation,LdrInitializeThunk, 4_2_012D2DF0
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Code function: 4_2_012D2DD0 NtDelayExecution,LdrInitializeThunk, 4_2_012D2DD0
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Code function: 4_2_012D2C70 NtFreeVirtualMemory,LdrInitializeThunk, 4_2_012D2C70
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Code function: 4_2_012D2CA0 NtQueryInformationToken,LdrInitializeThunk, 4_2_012D2CA0
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Code function: 4_2_012D2F30 NtCreateSection,LdrInitializeThunk, 4_2_012D2F30
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Code function: 4_2_012D2FB0 NtResumeThread,LdrInitializeThunk, 4_2_012D2FB0
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Code function: 4_2_012D2F90 NtProtectVirtualMemory,LdrInitializeThunk, 4_2_012D2F90
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Code function: 4_2_012D2FE0 NtCreateFile,LdrInitializeThunk, 4_2_012D2FE0
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Code function: 4_2_012D2EA0 NtAdjustPrivilegesToken,LdrInitializeThunk, 4_2_012D2EA0
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Code function: 4_2_012D2E80 NtReadVirtualMemory,LdrInitializeThunk, 4_2_012D2E80
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Code function: 4_2_012D4340 NtSetContextThread, 4_2_012D4340
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Code function: 4_2_012D4650 NtSuspendThread, 4_2_012D4650
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Code function: 4_2_012D2BA0 NtEnumerateValueKey, 4_2_012D2BA0
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Code function: 4_2_012D2B80 NtQueryInformationFile, 4_2_012D2B80
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Code function: 4_2_012D2BE0 NtQueryValueKey, 4_2_012D2BE0
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Code function: 4_2_012D2AB0 NtWaitForSingleObject, 4_2_012D2AB0
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Code function: 4_2_012D2AF0 NtWriteFile, 4_2_012D2AF0
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Code function: 4_2_012D2D00 NtSetInformationFile, 4_2_012D2D00
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Code function: 4_2_012D2DB0 NtEnumerateKey, 4_2_012D2DB0
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Code function: 4_2_012D2C00 NtQueryInformationProcess, 4_2_012D2C00
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Code function: 4_2_012D2C60 NtCreateKey, 4_2_012D2C60
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Code function: 4_2_012D2CF0 NtOpenProcess, 4_2_012D2CF0
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Code function: 4_2_012D2CC0 NtQueryVirtualMemory, 4_2_012D2CC0
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Code function: 4_2_012D2F60 NtCreateProcessEx, 4_2_012D2F60
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Code function: 4_2_012D2FA0 NtQuerySection, 4_2_012D2FA0
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Code function: 4_2_012D2E30 NtWriteVirtualMemory, 4_2_012D2E30
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Code function: 4_2_012D2EE0 NtQueueApcThread, 4_2_012D2EE0
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Code function: 4_2_012D3010 NtOpenDirectoryObject, 4_2_012D3010
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Code function: 4_2_012D3090 NtSetValueKey, 4_2_012D3090
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Code function: 4_2_012D35C0 NtCreateMutant, 4_2_012D35C0
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Code function: 4_2_012D39B0 NtGetContextThread, 4_2_012D39B0
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Code function: 4_2_012D3D10 NtOpenProcessToken, 4_2_012D3D10
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Code function: 4_2_012D3D70 NtOpenThread, 4_2_012D3D70
Source: C:\Windows\explorer.exe Code function: 5_2_11269232 NtCreateFile, 5_2_11269232
Source: C:\Windows\explorer.exe Code function: 5_2_1126AE12 NtProtectVirtualMemory, 5_2_1126AE12
Source: C:\Windows\explorer.exe Code function: 5_2_1126AE0A NtProtectVirtualMemory, 5_2_1126AE0A
Source: C:\Windows\SysWOW64\wscript.exe Code function: 6_2_04DA2CA0 NtQueryInformationToken,LdrInitializeThunk, 6_2_04DA2CA0
Source: C:\Windows\SysWOW64\wscript.exe Code function: 6_2_04DA2C70 NtFreeVirtualMemory,LdrInitializeThunk, 6_2_04DA2C70
Source: C:\Windows\SysWOW64\wscript.exe Code function: 6_2_04DA2C60 NtCreateKey,LdrInitializeThunk, 6_2_04DA2C60
Source: C:\Windows\SysWOW64\wscript.exe Code function: 6_2_04DA2DD0 NtDelayExecution,LdrInitializeThunk, 6_2_04DA2DD0
Source: C:\Windows\SysWOW64\wscript.exe Code function: 6_2_04DA2DF0 NtQuerySystemInformation,LdrInitializeThunk, 6_2_04DA2DF0
Source: C:\Windows\SysWOW64\wscript.exe Code function: 6_2_04DA2D10 NtMapViewOfSection,LdrInitializeThunk, 6_2_04DA2D10
Source: C:\Windows\SysWOW64\wscript.exe Code function: 6_2_04DA2EA0 NtAdjustPrivilegesToken,LdrInitializeThunk, 6_2_04DA2EA0
Source: C:\Windows\SysWOW64\wscript.exe Code function: 6_2_04DA2FE0 NtCreateFile,LdrInitializeThunk, 6_2_04DA2FE0
Source: C:\Windows\SysWOW64\wscript.exe Code function: 6_2_04DA2F30 NtCreateSection,LdrInitializeThunk, 6_2_04DA2F30
Source: C:\Windows\SysWOW64\wscript.exe Code function: 6_2_04DA2AD0 NtReadFile,LdrInitializeThunk, 6_2_04DA2AD0
Source: C:\Windows\SysWOW64\wscript.exe Code function: 6_2_04DA2BF0 NtAllocateVirtualMemory,LdrInitializeThunk, 6_2_04DA2BF0
Source: C:\Windows\SysWOW64\wscript.exe Code function: 6_2_04DA2BE0 NtQueryValueKey,LdrInitializeThunk, 6_2_04DA2BE0
Source: C:\Windows\SysWOW64\wscript.exe Code function: 6_2_04DA2B60 NtClose,LdrInitializeThunk, 6_2_04DA2B60
Source: C:\Windows\SysWOW64\wscript.exe Code function: 6_2_04DA35C0 NtCreateMutant,LdrInitializeThunk, 6_2_04DA35C0
Source: C:\Windows\SysWOW64\wscript.exe Code function: 6_2_04DA4650 NtSuspendThread, 6_2_04DA4650
Source: C:\Windows\SysWOW64\wscript.exe Code function: 6_2_04DA4340 NtSetContextThread, 6_2_04DA4340
Source: C:\Windows\SysWOW64\wscript.exe Code function: 6_2_04DA2CC0 NtQueryVirtualMemory, 6_2_04DA2CC0
Source: C:\Windows\SysWOW64\wscript.exe Code function: 6_2_04DA2CF0 NtOpenProcess, 6_2_04DA2CF0
Source: C:\Windows\SysWOW64\wscript.exe Code function: 6_2_04DA2C00 NtQueryInformationProcess, 6_2_04DA2C00
Source: C:\Windows\SysWOW64\wscript.exe Code function: 6_2_04DA2DB0 NtEnumerateKey, 6_2_04DA2DB0
Source: C:\Windows\SysWOW64\wscript.exe Code function: 6_2_04DA2D00 NtSetInformationFile, 6_2_04DA2D00
Source: C:\Windows\SysWOW64\wscript.exe Code function: 6_2_04DA2D30 NtUnmapViewOfSection, 6_2_04DA2D30
Source: C:\Windows\SysWOW64\wscript.exe Code function: 6_2_04DA2EE0 NtQueueApcThread, 6_2_04DA2EE0
Source: C:\Windows\SysWOW64\wscript.exe Code function: 6_2_04DA2E80 NtReadVirtualMemory, 6_2_04DA2E80
Source: C:\Windows\SysWOW64\wscript.exe Code function: 6_2_04DA2E30 NtWriteVirtualMemory, 6_2_04DA2E30
Source: C:\Windows\SysWOW64\wscript.exe Code function: 6_2_04DA2F90 NtProtectVirtualMemory, 6_2_04DA2F90
Source: C:\Windows\SysWOW64\wscript.exe Code function: 6_2_04DA2FB0 NtResumeThread, 6_2_04DA2FB0
Source: C:\Windows\SysWOW64\wscript.exe Code function: 6_2_04DA2FA0 NtQuerySection, 6_2_04DA2FA0
Source: C:\Windows\SysWOW64\wscript.exe Code function: 6_2_04DA2F60 NtCreateProcessEx, 6_2_04DA2F60
Source: C:\Windows\SysWOW64\wscript.exe Code function: 6_2_04DA2AF0 NtWriteFile, 6_2_04DA2AF0
Source: C:\Windows\SysWOW64\wscript.exe Code function: 6_2_04DA2AB0 NtWaitForSingleObject, 6_2_04DA2AB0
Source: C:\Windows\SysWOW64\wscript.exe Code function: 6_2_04DA2B80 NtQueryInformationFile, 6_2_04DA2B80
Source: C:\Windows\SysWOW64\wscript.exe Code function: 6_2_04DA2BA0 NtEnumerateValueKey, 6_2_04DA2BA0
Source: C:\Windows\SysWOW64\wscript.exe Code function: 6_2_04DA3090 NtSetValueKey, 6_2_04DA3090
Source: C:\Windows\SysWOW64\wscript.exe Code function: 6_2_04DA3010 NtOpenDirectoryObject, 6_2_04DA3010
Source: C:\Windows\SysWOW64\wscript.exe Code function: 6_2_04DA3D70 NtOpenThread, 6_2_04DA3D70
Source: C:\Windows\SysWOW64\wscript.exe Code function: 6_2_04DA3D10 NtOpenProcessToken, 6_2_04DA3D10
Source: C:\Windows\SysWOW64\wscript.exe Code function: 6_2_04DA39B0 NtGetContextThread, 6_2_04DA39B0
Source: C:\Windows\SysWOW64\wscript.exe Code function: 6_2_0091A360 NtCreateFile, 6_2_0091A360
Source: C:\Windows\SysWOW64\wscript.exe Code function: 6_2_0091A490 NtClose, 6_2_0091A490
Source: C:\Windows\SysWOW64\wscript.exe Code function: 6_2_0091A410 NtReadFile, 6_2_0091A410
Source: C:\Windows\SysWOW64\wscript.exe Code function: 6_2_0091A540 NtAllocateVirtualMemory, 6_2_0091A540
Source: C:\Windows\SysWOW64\wscript.exe Code function: 6_2_0091A35A NtCreateFile, 6_2_0091A35A
Source: C:\Windows\SysWOW64\wscript.exe Code function: 6_2_0091A53A NtAllocateVirtualMemory, 6_2_0091A53A
Source: C:\Windows\SysWOW64\wscript.exe Code function: 6_2_04ADA036 NtQueryInformationProcess,NtSuspendThread,NtSetContextThread,RtlQueueApcWow64Thread,NtResumeThread, 6_2_04ADA036
Source: C:\Windows\SysWOW64\wscript.exe Code function: 6_2_04AD9BAF NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtUnmapViewOfSection,NtClose, 6_2_04AD9BAF
Source: C:\Windows\SysWOW64\wscript.exe Code function: 6_2_04ADA042 NtQueryInformationProcess, 6_2_04ADA042
Source: C:\Windows\SysWOW64\wscript.exe Code function: 6_2_04AD9BB2 NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 6_2_04AD9BB2
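The two wscript.exe functions at 04ADA036 and 04AD9BAF above are the injection primitives the signature list refers to: suspend a thread, rewrite its context, queue a WOW64 APC and resume it (thread hijack plus APC injection), and create a section mapped twice (once locally, once into the target) to move the payload without WriteProcessMemory. Across the HHhHh.exe functions (process 4) the classic hollowing set is also all present: NtUnmapViewOfSection, NtWriteVirtualMemory, NtSetContextThread, NtResumeThread. The following Python is an added example, not part of the Joe Sandbox report, that parses the report's own "Code function" lines and flags those sequences. The lines embedded are copies of lines above (the last one shortened); the pattern definitions are my own and are assumptions about what an analyst wants flagged, not a list the report provides.

```python
"""Flag injection primitives in Joe Sandbox 'Code function' lines.

Added example. The sample lines are copied from the report; the sequence patterns
and the hollowing toolkit set are assumptions chosen for this demonstration.
"""
import re
from collections import defaultdict

# Shape of a report line: Code function: <proc>_<run>_<addr> <api>,<api>,... <proc>_<run>_<addr>
CODE_FUNC_RE = re.compile(
    r"Code function: (\d+)_(\d+)_([0-9A-Fa-f]+)(?: (.*?))? \1_\2_\3\s*$"
)

# Ordered primitives; each step is the set of API names that satisfy it.
SEQUENCE_PATTERNS = {
    "thread context hijack": [{"NtSuspendThread"}, {"NtSetContextThread"}, {"NtResumeThread"}],
    "APC injection": [{"NtQueueApcThread", "RtlQueueApcWow64Thread"}, {"NtResumeThread"}],
    "section map injection": [{"NtCreateSection"}, {"NtMapViewOfSection"}, {"NtMapViewOfSection"}],
}
# Hollowing is spread over several functions, so it is checked per process as a set.
HOLLOWING_TOOLKIT = {"NtUnmapViewOfSection", "NtWriteVirtualMemory",
                     "NtSetContextThread", "NtResumeThread"}


def parse_code_function(line: str):
    """Return {'proc', 'addr', 'apis'} for a 'Code function' line, or None."""
    m = CODE_FUNC_RE.search(line)
    if not m:
        return None
    proc, run, addr, apis = m.groups()
    return {"proc": f"{proc}_{run}", "addr": addr,
            "apis": [a for a in (apis or "").split(",") if a]}


def contains_sequence(apis, steps) -> bool:
    """True if the steps occur in order as a subsequence; other calls may sit in between."""
    i = 0
    for api in apis:
        if i < len(steps) and api in steps[i]:
            i += 1
    return i == len(steps)


def flag_functions(lines):
    """(process, address, pattern name) for every function matching an ordered primitive."""
    hits = []
    for line in lines:
        rec = parse_code_function(line)
        if rec is None:
            continue
        for name, steps in SEQUENCE_PATTERNS.items():
            if contains_sequence(rec["apis"], steps):
                hits.append((rec["proc"], rec["addr"], name))
    return hits


def processes_with_hollowing_toolkit(lines):
    """Processes whose combined functions cover the whole hollowing toolkit."""
    seen = defaultdict(set)
    for line in lines:
        rec = parse_code_function(line)
        if rec is not None:
            seen[rec["proc"]].update(rec["apis"])
    return sorted(proc for proc, apis in seen.items() if HOLLOWING_TOOLKIT <= apis)


# Copied from the report (process 4 = HHhHh.exe, 6 = SysWOW64\wscript.exe); the last line is a
# shortened copy of the file-enumeration function and is there as a non-hit for contrast.
SAMPLE_LINES = [
    r"Source: C:\Windows\SysWOW64\wscript.exe Code function: 6_2_04ADA036 NtQueryInformationProcess,NtSuspendThread,NtSetContextThread,RtlQueueApcWow64Thread,NtResumeThread, 6_2_04ADA036",
    r"Source: C:\Windows\SysWOW64\wscript.exe Code function: 6_2_04AD9BAF NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtUnmapViewOfSection,NtClose, 6_2_04AD9BAF",
    r"Source: C:\Windows\SysWOW64\wscript.exe Code function: 6_2_04DA2E30 NtWriteVirtualMemory, 6_2_04DA2E30",
    r"Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Code function: 4_2_012D2D30 NtUnmapViewOfSection,LdrInitializeThunk, 4_2_012D2D30",
    r"Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Code function: 4_2_012D2E30 NtWriteVirtualMemory, 4_2_012D2E30",
    r"Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Code function: 4_2_012D4340 NtSetContextThread, 4_2_012D4340",
    r"Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Code function: 4_2_012D2FB0 NtResumeThread,LdrInitializeThunk, 4_2_012D2FB0",
    r"Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Code function: 4_2_00401030 4_2_00401030",
    r"Source: C:\Windows\SysWOW64\wscript.exe Code function: 6_2_009C23CE GetFileAttributesW,GetLastError,FindFirstFileW,FindClose, 6_2_009C23CE",
]

if __name__ == "__main__":
    for hit in flag_functions(SAMPLE_LINES):
        print("sequence hit:", hit)
    print("hollowing toolkit in processes:", processes_with_hollowing_toolkit(SAMPLE_LINES))
```

Two caveats for anyone reusing this: the report also lists these APIs as direct or indirect syscalls ("Found direct / indirect Syscall"), so user-mode hooks on ntdll exports will not see them and this kind of static API-set matching is a triage aid, not a runtime detection; and the LdrInitializeThunk entries in the lists are the sandbox's disassembly artefact around the syscall stubs, not calls the malware makes, which is why the patterns above ignore them.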
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Code function: 2_2_04B3D5DC 2_2_04B3D5DC
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Code function: 2_2_051CECD8 2_2_051CECD8
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Code function: 2_2_051C85D8 2_2_051C85D8
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Code function: 2_2_051C85C8 2_2_051C85C8
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Code function: 2_2_051C0400 2_2_051C0400
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Code function: 2_2_051C8193 2_2_051C8193
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Code function: 2_2_051C81A0 2_2_051C81A0
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Code function: 2_2_051CA0B8 2_2_051CA0B8
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Code function: 2_2_051CA0A8 2_2_051CA0A8
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Code function: 2_2_051C03F0 2_2_051C03F0
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Code function: 2_2_051C7D5B 2_2_051C7D5B
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Code function: 2_2_051C7D68 2_2_051C7D68
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Code function: 2_2_051C9C70 2_2_051C9C70
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Code function: 2_2_051C9C80 2_2_051C9C80
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Code function: 4_2_00401030 4_2_00401030
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Code function: 4_2_00401174 4_2_00401174
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Code function: 4_2_0041D90C 4_2_0041D90C
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Code function: 4_2_0041E23C 4_2_0041E23C
Source: C:\Windows\SysWOW64\wscript.exe Code function: String function: 04DEF290 appears 105 times
Source: C:\Windows\SysWOW64\wscript.exe Code function: String function: 04DA5130 appears 57 times
Source: C:\Windows\SysWOW64\wscript.exe Code function: String function: 04D5B970 appears 275 times
Source: C:\Windows\SysWOW64\wscript.exe Code function: String function: 04DB7E54 appears 100 times
Source: C:\Windows\SysWOW64\wscript.exe Code function: String function: 04DDEA12 appears 86 times
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Code function: String function: 0128B970 appears 275 times
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Code function: String function: 0131F290 appears 105 times
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Code function: String function: 012E7E54 appears 100 times
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Code function: String function: 0130EA12 appears 86 times
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Code function: String function: 012D5130 appears 57 times
Source: 4.2.HHhHh.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 4.2.HHhHh.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 4.2.HHhHh.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 4.2.HHhHh.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 4.2.HHhHh.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 4.2.HHhHh.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000002.4519776308.0000000003130000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000006.00000002.4519776308.0000000003130000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000002.4519776308.0000000003130000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000002.4518736574.0000000000900000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000006.00000002.4518736574.0000000000900000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000002.4518736574.0000000000900000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.2206699607.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000004.00000002.2206699607.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.2206699607.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.2150854025.00000000036B9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000002.00000002.2150854025.00000000036B9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.2150854025.00000000036B9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000002.4519112840.0000000002C50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000006.00000002.4519112840.0000000002C50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000002.4519112840.0000000002C50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: HHhHh.exe.0.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 2.2.HHhHh.exe.6980000.9.raw.unpack, BGUFogHKxxHBnv1yFK.cs Security API names: _0020.SetAccessControl
Source: 2.2.HHhHh.exe.6980000.9.raw.unpack, BGUFogHKxxHBnv1yFK.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 2.2.HHhHh.exe.6980000.9.raw.unpack, BGUFogHKxxHBnv1yFK.cs Security API names: _0020.AddAccessRule
Source: 2.2.HHhHh.exe.6980000.9.raw.unpack, wjoM4miaX9WrPncB9X.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 2.2.HHhHh.exe.273924c.2.raw.unpack, ReactionVessel.cs Suspicious method names: .ReactionVessel.Inject
Source: 2.2.HHhHh.exe.271a080.6.raw.unpack, ReactionVessel.cs Suspicious method names: .ReactionVessel.Inject
Source: 2.2.HHhHh.exe.5150000.8.raw.unpack, ReactionVessel.cs Suspicious method names: .ReactionVessel.Inject
Source: classification engine Classification label: mal100.troj.evad.winVBE@10/2@12/5
Source: C:\Windows\SysWOW64\wscript.exe Code function: 6_2_009BB52D FormatMessageW,LocalAlloc,GetLastError,swprintf_s,FormatMessageA,LocalAlloc,sprintf_s,MultiByteToWideChar,LocalAlloc,MultiByteToWideChar,SysAllocString,LocalFree,LocalFree,
Source: C:\Windows\SysWOW64\wscript.exe Code function: 6_2_009C08FD CLSIDFromProgID,CoCreateInstance,
Source: C:\Windows\SysWOW64\wscript.exe Code function: 6_2_009C6D75 FindResourceExW,LoadResource,
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\HHhHh.exe.log
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1476:120:WilError_03
Source: C:\Windows\System32\wscript.exe File created: C:\Users\user\AppData\Local\Temp\HHhHh.exe
Source: C:\Windows\System32\wscript.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Windows\System32\wscript.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: TNS71092E68UI0.vbe Virustotal: Detection: 16%
Source: unknown Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\TNS71092E68UI0.vbe"
Source: C:\Windows\System32\wscript.exe Process created: C:\Users\user\AppData\Local\Temp\HHhHh.exe "C:\Users\user\AppData\Local\Temp\HHhHh.exe"
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Process created: C:\Users\user\AppData\Local\Temp\HHhHh.exe "C:\Users\user\AppData\Local\Temp\HHhHh.exe"
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\SysWOW64\wscript.exe"
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\AppData\Local\Temp\HHhHh.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\wscript.exe Process created: C:\Users\user\AppData\Local\Temp\HHhHh.exe "C:\Users\user\AppData\Local\Temp\HHhHh.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Process created: C:\Users\user\AppData\Local\Temp\HHhHh.exe "C:\Users\user\AppData\Local\Temp\HHhHh.exe" Jump to behavior
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\SysWOW64\wscript.exe" Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\AppData\Local\Temp\HHhHh.exe" Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: version.dll
Source: C:\Windows\System32\wscript.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wscript.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\wscript.exe Section loaded: sxs.dll
Source: C:\Windows\System32\wscript.exe Section loaded: vbscript.dll
Source: C:\Windows\System32\wscript.exe Section loaded: amsi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: userenv.dll
Source: C:\Windows\System32\wscript.exe Section loaded: profapi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wldp.dll
Source: C:\Windows\System32\wscript.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\wscript.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\wscript.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\wscript.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\wscript.exe Section loaded: msisip.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wshext.dll
Source: C:\Windows\System32\wscript.exe Section loaded: scrobj.dll
Source: C:\Windows\System32\wscript.exe Section loaded: msxml3.dll
Source: C:\Windows\System32\wscript.exe Section loaded: msdart.dll
Source: C:\Windows\System32\wscript.exe Section loaded: scrrun.dll
Source: C:\Windows\System32\wscript.exe Section loaded: mpr.dll
Source: C:\Windows\System32\wscript.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\wscript.exe Section loaded: propsys.dll
Source: C:\Windows\System32\wscript.exe Section loaded: edputil.dll
Source: C:\Windows\System32\wscript.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\wscript.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\wscript.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\wscript.exe Section loaded: netutils.dll
Source: C:\Windows\System32\wscript.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\wscript.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\wscript.exe Section loaded: appresolver.dll
Source: C:\Windows\System32\wscript.exe Section loaded: bcp47langs.dll
Source: C:\Windows\System32\wscript.exe Section loaded: slc.dll
Source: C:\Windows\System32\wscript.exe Section loaded: sppc.dll
Source: C:\Windows\System32\wscript.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\wscript.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\wscript.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Section loaded: windowscodecs.dll
Source: C:\Windows\explorer.exe Section loaded: windows.cloudstore.schema.shell.dll
Source: C:\Windows\explorer.exe Section loaded: windows.internal.shell.broker.dll
Source: C:\Windows\explorer.exe Section loaded: vcruntime140_1.dll
Source: C:\Windows\explorer.exe Section loaded: vcruntime140.dll
Source: C:\Windows\explorer.exe Section loaded: msvcp140.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: wininet.dll
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3743-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: Binary string: wntdll.pdb source: HHhHh.exe, wscript.exe
Source: Binary string: wscript.pdb source: wscript.exe

Data Obfuscation

Source: HHhHh.exe.0.dr, frmMain.cs .Net Code: InitializeComponent System.Reflection.Assembly.Load(byte[])
Source: 2.2.HHhHh.exe.50f0000.7.raw.unpack, -.cs .Net Code: _0001 System.Reflection.Assembly.Load(byte[])
Source: 2.2.HHhHh.exe.50f0000.7.raw.unpack, PingPong.cs .Net Code: Justy
Source: 2.2.HHhHh.exe.27064c8.5.raw.unpack, -.cs .Net Code: _0001 System.Reflection.Assembly.Load(byte[])
Source: 2.2.HHhHh.exe.27064c8.5.raw.unpack, PingPong.cs .Net Code: Justy
Source: 2.2.HHhHh.exe.26d7bb0.3.raw.unpack, -.cs .Net Code: _0001 System.Reflection.Assembly.Load(byte[])
Source: 2.2.HHhHh.exe.26d7bb0.3.raw.unpack, PingPong.cs .Net Code: Justy
Source: 2.2.HHhHh.exe.6980000.9.raw.unpack, BGUFogHKxxHBnv1yFK.cs .Net Code: IULKWjhlCQ System.Reflection.Assembly.Load(byte[])
Source: 5.2.explorer.exe.109cf840.0.raw.unpack, frmMain.cs .Net Code: InitializeComponent System.Reflection.Assembly.Load(byte[])
Source: 6.2.wscript.exe.527f840.3.raw.unpack, frmMain.cs .Net Code: InitializeComponent System.Reflection.Assembly.Load(byte[])
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Code function: 2_2_051CB286 push ss; iretd 2_2_051CB287
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Code function: 4_2_0041E8DF push edi; ret 4_2_0041E8E8
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Code function: 4_2_004169FC push esp; ret 4_2_004169FD
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Code function: 4_2_00408394 pushfd ; iretd 4_2_00408395
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Code function: 4_2_0041D4B5 push eax; ret 4_2_0041D508
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Code function: 4_2_004044B7 push es; ret 4_2_004044BE
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Code function: 4_2_0041D56C push eax; ret 4_2_0041D572
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Code function: 4_2_0041D502 push eax; ret 4_2_0041D508
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Code function: 4_2_0041D50B push eax; ret 4_2_0041D572
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Code function: 4_2_004166E0 pushad ; retf 4_2_004167DA
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Code function: 4_2_0040AEBD pushfd ; ret 4_2_0040AEBE
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Code function: 4_2_012909AD push ecx; mov dword ptr [esp], ecx 4_2_012909B6
Source: C:\Windows\explorer.exe Code function: 5_2_0E6EFB02 push esp; retn 0000h 5_2_0E6EFB03
Source: C:\Windows\explorer.exe Code function: 5_2_0E6EFB1E push esp; retn 0000h 5_2_0E6EFB1F
Source: C:\Windows\explorer.exe Code function: 5_2_0E6EF9B5 push esp; retn 0000h 5_2_0E6EFAE7
Source: C:\Windows\explorer.exe Code function: 5_2_1126CB02 push esp; retn 0000h 5_2_1126CB03
Source: C:\Windows\explorer.exe Code function: 5_2_1126CB1E push esp; retn 0000h 5_2_1126CB1F
Source: C:\Windows\explorer.exe Code function: 5_2_1126C9B5 push esp; retn 0000h 5_2_1126CAE7
Source: C:\Windows\SysWOW64\wscript.exe Code function: 6_2_009C7C89 push ecx; ret 6_2_009C7C9C
Source: C:\Windows\SysWOW64\wscript.exe Code function: 6_2_04D327FA pushad ; ret 6_2_04D327F9
Source: C:\Windows\SysWOW64\wscript.exe Code function: 6_2_04D3225F pushad ; ret 6_2_04D327F9
Source: C:\Windows\SysWOW64\wscript.exe Code function: 6_2_04D3283D push eax; iretd 6_2_04D32858
Source: C:\Windows\SysWOW64\wscript.exe Code function: 6_2_04D609AD push ecx; mov dword ptr [esp], ecx 6_2_04D609B6
Source: C:\Windows\SysWOW64\wscript.exe Code function: 6_2_04D39939 push es; iretd 6_2_04D39940
Source: C:\Windows\SysWOW64\wscript.exe Code function: 6_2_00908394 pushfd ; iretd 6_2_00908395
Source: C:\Windows\SysWOW64\wscript.exe Code function: 6_2_0091D4B5 push eax; ret 6_2_0091D508
Source: C:\Windows\SysWOW64\wscript.exe Code function: 6_2_009044B7 push es; ret 6_2_009044BE
Source: C:\Windows\SysWOW64\wscript.exe Code function: 6_2_0091D502 push eax; ret 6_2_0091D508
Source: C:\Windows\SysWOW64\wscript.exe Code function: 6_2_0091D50B push eax; ret 6_2_0091D572
Source: C:\Windows\SysWOW64\wscript.exe Code function: 6_2_0091D56C push eax; ret 6_2_0091D572
Source: C:\Windows\SysWOW64\wscript.exe Code function: 6_2_009166E0 pushad ; retf 6_2_009167DA
Source: HHhHh.exe.0.dr Static PE information: section name: .text entropy: 7.977898409102027
Source: 2.2.HHhHh.exe.6980000.9.raw.unpack, YFDO78B3dyBKqsJeRM.cs High entropy of concatenated method names: 'BsTWXMBY4', 'MlGVle9El', 'uyFpyA5UF', 'CXwv1jUNL', 'UpWTMP4QP', 'ecvxHSt9h', 'eC8idFCtDjrIiXHpiF', 'it1j21VULSrTwLtLq1', 'bShYZKgMo', 'CPh40rtYn'
Source: 2.2.HHhHh.exe.6980000.9.raw.unpack, fvMv36VRIIyjbOhLr2k.cs High entropy of concatenated method names: 'WeyDgZhMiq', 'D8NDwPS0JY', 'e1CDWPXuNB', 'sd1DVmpgZg', 'vpeD3DrBwn', 'cJXDpn4nfD', 'CYDDvKdE0V', 'wqJDE1kOVB', 'eXSDTrXQbk', 'Oy2DxvKcmc'
Source: 2.2.HHhHh.exe.6980000.9.raw.unpack, BGUFogHKxxHBnv1yFK.cs High entropy of concatenated method names: 'B13QHOl95e', 'VqCQduXgwa', 'eOmQ6Ykdal', 'tOIQPrFGmP', 'KwqQOD6fVu', 'rOsQjYacSG', 'J52Q2XofWY', 'lLBQyhaWqH', 'gaRQbFb1bS', 'GZEQhJPm8R'
Source: 2.2.HHhHh.exe.6980000.9.raw.unpack, DnjhEJZrH59805e1tj.cs High entropy of concatenated method names: 'SYGGNHUmVL', 'LXdGFovu0d', 'AYjY5OuAXO', 'U3xYc5eBy7', 'wC2GZZR7FV', 'roZGRDTMHN', 'xmnGXg2XI6', 'RnBGt9rCjM', 'cHKGs2sIqk', 'n1jGBOexrp'
Source: 2.2.HHhHh.exe.6980000.9.raw.unpack, kkAjKaMbOgY15BMU2V.cs High entropy of concatenated method names: 'JMm2ghAvem', 'iGk2w5OfPc', 'M6R2W3DeKD', 'F4M2Valgby', 'ECt23oTK2M', 'iHN2pX8RZ6', 'Qgt2vD7Xkj', 'T4q2E1BaLD', 'MmQ2TokwRg', 'eRv2xlwxnx'
Source: 2.2.HHhHh.exe.6980000.9.raw.unpack, V7MKVcAbI46kQVW9k0.cs High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'lcInupZO1D', 'Mu3nFh3L7M', 'BRKnzs4NOx', 'KLYQ5pkmQr', 'Wp3QcUBnDj', 'zdSQn4ptxD', 'Y7CQQVJfG5', 'aLqoUXMuiZntw6psDqN'
Source: 2.2.HHhHh.exe.6980000.9.raw.unpack, WsUtYha7JiycjC3Xcp.cs High entropy of concatenated method names: 'w0gjUe2tOI', 'PH3jgcFpN3', 'stAjWbHEeE', 'lynjVVaT7C', 'YKujp6lk0J', 'QTBjv984Lc', 'g5xjTvLeGG', 'HASjxgvDWa', 'GX9chRYAxXEnBGQhdMu', 'IPtSPWYhEMlNB36dVPo'
Source: 2.2.HHhHh.exe.6980000.9.raw.unpack, M0EcBdetKyuEBtUKgB.cs High entropy of concatenated method names: 'l0ikEj2Lep', 'v78kTEMEfN', 'AWWkopxaWE', 'c8tkL0q8bc', 'SkakilwA3e', 'ApkkaIZ2lx', 'hGAk1AkbNt', 'jgDkIW8kKP', 'jHUklm0F08', 'wg1kZ8Kfuy'
Source: 2.2.HHhHh.exe.6980000.9.raw.unpack, RJwk7uqHNXtymbkcXC.cs High entropy of concatenated method names: 'qpuGhegov1', 'P0lG0amQZb', 'ToString', 'uQEGdnaGWA', 'JpaG6J7iZx', 'pxoGPSmrOo', 'bE6GOeI4yW', 'Q9QGjQoktb', 'aiWG2C7aKT', 'xUiGyQAPJu'
Source: 2.2.HHhHh.exe.6980000.9.raw.unpack, PseVlKsl9npQT7AhaE.cs High entropy of concatenated method names: 'rH6PVcKL9S', 'TMBPpEgTTH', 'kx8PEjIpx0', 'aLEPTHCIe1', 'sLuPCMxjiQ', 'AG6Pqqr1Z0', 'ie7PGPXVp4', 'QnhPYbgHC4', 'lEuPDoYupj', 'VecP4uUd5x'
Source: 2.2.HHhHh.exe.6980000.9.raw.unpack, SQMUrft2hqvHsrieyT.cs High entropy of concatenated method names: 'nsijHWqCan', 'fJij6HA0Au', 'MKGjOOZEqt', 'SwTj2x2TYq', 'pyUjyvSeZH', 'RuBOAOncyJ', 'K29OfqLTFT', 'drhOShnKl1', 'kg0ONKQFu5', 'b4WOuhxVgp'
Source: 2.2.HHhHh.exe.6980000.9.raw.unpack, vOIxEplE8AnWIAfrrt.cs High entropy of concatenated method names: 'ToString', 'YKvqZ9Goop', 'vX0qLuT45u', 'GeEqeMWeA6', 'e4EqiafFl9', 'mDxqaYNGaY', 'Xm9qmAdeBu', 'sJAq1whoix', 'EukqI6HBrI', 'HbSq9dIHtf'
Source: 2.2.HHhHh.exe.6980000.9.raw.unpack, odnbvwjktDSWWe4pEj.cs High entropy of concatenated method names: 'Q6P2dYNQip', 'GuS2PMF6Tm', 'XBv2jdFpPS', 'uotjFqnvRx', 'tJLjzOx77q', 'kO6251bUjq', 'UIV2cj8u5v', 'h582npE2ji', 'YTV2QNF5TQ', 'XVN2Kpepio'
Source: 2.2.HHhHh.exe.6980000.9.raw.unpack, oY2KAGdktRtY42PnXh.cs High entropy of concatenated method names: 'kA2Yd8gP25', 'cAHY6N2DwY', 'a8dYPcFklw', 'DuFYOp59ua', 'q3GYjHaxiS', 're9Y2fSQVP', 'zcGYyI2YGC', 'Nw8YbsfNDK', 'OUcYhWmScs', 'zfVY0CyT5r'
Source: 2.2.HHhHh.exe.6980000.9.raw.unpack, wjoM4miaX9WrPncB9X.cs High entropy of concatenated method names: 'ryU6t2idBU', 'wRP6sfShS5', 'tk36BJPSxx', 'lB26rMNIhC', 'abv6AtgeWv', 'zee6flAsNF', 'rUt6S5BgqN', 'ij86NxjfM0', 'dBW6uZu38g', 'uEo6FASs9Y'
Source: 2.2.HHhHh.exe.6980000.9.raw.unpack, MFWBRaSgXAlsGkiGZF.cs High entropy of concatenated method names: 'Dispose', 'NnpcucFVtC', 'obonL44KC6', 'IKQMMyu2le', 'boxcFKMxtA', 'ndVczSmOZT', 'ProcessDialogKey', 'oHhn5K9QOX', 'I2AncLNJos', 'twlnnZNDKd'
Source: 2.2.HHhHh.exe.6980000.9.raw.unpack, RWH8U3x1RFh1MUc0ly.cs High entropy of concatenated method names: 'iqlc2nTSwi', 'utqcy3purM', 'JGFchSgxDD', 'i8Mc0hBG1s', 'KgZcClqVwu', 'HfEcqm7oc6', 'XKRcCaf2M9AknOwyEl', 'kptRfWERWrdWPlC38I', 'mbkcc7glRr', 'CQwcQGkfwF'
Source: 2.2.HHhHh.exe.6980000.9.raw.unpack, Y86arQv56RqLK7lxN8.cs High entropy of concatenated method names: 'kFQO3gCMlO', 'xamOvQUS29', 'CmPPepCMVl', 'u7gPiayuAl', 'mihPaPIoHu', 'cVQPmu4GJv', 'VyDP1KiLFq', 'wlVPIjuyar', 'MG6P9FStoT', 'VLcPl21tg9'
Source: 2.2.HHhHh.exe.6980000.9.raw.unpack, uH6vU8V8hKc8o2xpTyb.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'c934tZZHG1', 'hS24s6MDka', 'POc4BBVJ8k', 'HFu4rZ5RjM', 'ArO4AftYr9', 'ARv4fNniit', 'ist4SYiqE2'
Source: 2.2.HHhHh.exe.6980000.9.raw.unpack, brnWriW6QiT2akgS1J.cs High entropy of concatenated method names: 'hmJClC4ZqV', 'haKCRG8Vnt', 'O7aCtpf7MO', 'sXvCs0lLhT', 'DrvCL9ZWph', 'zK2Cem4yYW', 'EfdCi5KEpW', 'qPWCagtlBF', 'eH8CmeKQoG', 'bfVC1bwLcK'
Source: 2.2.HHhHh.exe.6980000.9.raw.unpack, My7AEnEGgddFOKOHKB.cs High entropy of concatenated method names: 'RddDc7Dp3Q', 'eR7DQllMGK', 'Sg6DKBqdou', 'iIIDdHLY1w', 'YZuD6pqrBb', 'iytDOvD3HH', 'TPKDjQfDum', 'qJFYSc77sh', 'KhsYNebb0C', 'YkUYu90XaV'
Source: 2.2.HHhHh.exe.6980000.9.raw.unpack, ObuY3EzelE09x3dtVg.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'CtVDkiTWdE', 'w83DCsnkpZ', 'Yh7DqKSY63', 'rYJDG4VWsM', 'JmmDYQiwM4', 'MG7DDUUi1g', 'nX8D4RgTFl'
Source: 2.2.HHhHh.exe.6980000.9.raw.unpack, zN2gLZkwMSpQA3gaY4.cs High entropy of concatenated method names: 'cOjYokAUuM', 'PFiYLgvAlR', 'htLYenGmVC', 'SomYiEmMGp', 'FulYtr7KrM', 'J7hYaXJ7Jh', 'Next', 'Next', 'Next', 'NextBytes'
Source: C:\Windows\System32\wscript.exe File created: C:\Users\user\AppData\Local\Temp\HHhHh.exe
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe API/Special instruction interceptor: Address: 7FF8C88ED324
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe API/Special instruction interceptor: Address: 7FF8C88F0774
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe API/Special instruction interceptor: Address: 7FF8C88F0154
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe API/Special instruction interceptor: Address: 7FF8C88ED8A4
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe API/Special instruction interceptor: Address: 7FF8C88EDA44
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe API/Special instruction interceptor: Address: 7FF8C88ED1E4
Source: C:\Windows\SysWOW64\wscript.exe API/Special instruction interceptor: Address: 7FF8C88ED324
Source: C:\Windows\SysWOW64\wscript.exe API/Special instruction interceptor: Address: 7FF8C88F0774
Source: C:\Windows\SysWOW64\wscript.exe API/Special instruction interceptor: Address: 7FF8C88ED944
Source: C:\Windows\SysWOW64\wscript.exe API/Special instruction interceptor: Address: 7FF8C88ED504
Source: C:\Windows\SysWOW64\wscript.exe API/Special instruction interceptor: Address: 7FF8C88ED544
Source: C:\Windows\SysWOW64\wscript.exe API/Special instruction interceptor: Address: 7FF8C88ED1E4
Source: C:\Windows\SysWOW64\wscript.exe API/Special instruction interceptor: Address: 7FF8C88F0154
Source: C:\Windows\SysWOW64\wscript.exe API/Special instruction interceptor: Address: 7FF8C88ED8A4
Source: C:\Windows\SysWOW64\wscript.exe API/Special instruction interceptor: Address: 7FF8C88EDA44
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe RDTSC instruction interceptor: First address: 409904 second address: 40990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe RDTSC instruction interceptor: First address: 409B7E second address: 409B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\wscript.exe RDTSC instruction interceptor: First address: 909904 second address: 90990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\wscript.exe RDTSC instruction interceptor: First address: 909B7E second address: 909B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Memory allocated: 25F0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Memory allocated: 26B0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Memory allocated: 25F0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Memory allocated: 88C0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Memory allocated: 6BB0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Memory allocated: 88C0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Code function: 4_2_00409AB0 rdtsc 4_2_00409AB0
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer
Source: C:\Windows\explorer.exe Window / User API: threadDelayed 1808
Source: C:\Windows\explorer.exe Window / User API: threadDelayed 8129
Source: C:\Windows\explorer.exe Window / User API: foregroundWindowGot 901
Source: C:\Windows\explorer.exe Window / User API: foregroundWindowGot 852
Source: C:\Windows\SysWOW64\wscript.exe Window / User API: threadDelayed 9842
Source: C:\Windows\explorer.exe Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe API coverage: 1.7 %
Source: C:\Windows\SysWOW64\wscript.exe API coverage: 1.6 %
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe TID: 5948 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\explorer.exe TID: 5836 Thread sleep count: 1808 > 30
Source: C:\Windows\explorer.exe TID: 5836 Thread sleep time: -3616000s >= -30000s
Source: C:\Windows\explorer.exe TID: 5836 Thread sleep count: 8129 > 30
Source: C:\Windows\explorer.exe TID: 5836 Thread sleep time: -16258000s >= -30000s
Source: C:\Windows\SysWOW64\wscript.exe TID: 3292 Thread sleep count: 132 > 30
Source: C:\Windows\SysWOW64\wscript.exe TID: 3292 Thread sleep time: -264000s >= -30000s
Source: C:\Windows\SysWOW64\wscript.exe TID: 3292 Thread sleep count: 9842 > 30
Source: C:\Windows\SysWOW64\wscript.exe TID: 3292 Thread sleep time: -19684000s >= -30000s
Source: C:\Windows\SysWOW64\wscript.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\wscript.exe Code function: 6_2_009C23CE GetFileAttributesW,GetLastError,FindFirstFileW,WideCharToMultiByte,GetLastError,__alloca_probe_16,WideCharToMultiByte,GetFileAttributesA,GetLastError,FindFirstFileA,FindClose, 6_2_009C23CE
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Process information queried: ProcessInformation
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\wscript.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Code function: 4_2_00409AB0 rdtsc 4_2_00409AB0
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Code function: 4_2_0040ACF0 LdrLoadDll, 4_2_0040ACF0
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Code function: 4_2_012C0124 mov eax, dword ptr fs:[00000030h] 4_2_012C0124
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Code function: 4_2_01350115 mov eax, dword ptr fs:[00000030h] 4_2_01350115
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Code function: 4_2_0133A118 mov ecx, dword ptr fs:[00000030h] 4_2_0133A118
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Code function: 4_2_0133A118 mov eax, dword ptr fs:[00000030h] 4_2_0133A118
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Code function: 4_2_0133A118 mov eax, dword ptr fs:[00000030h] 4_2_0133A118
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Code function: 4_2_0133A118 mov eax, dword ptr fs:[00000030h] 4_2_0133A118
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Code function: 4_2_01328158 mov eax, dword ptr fs:[00000030h] 4_2_01328158
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Code function: 4_2_01324144 mov eax, dword ptr fs:[00000030h] 4_2_01324144
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Code function: 4_2_01324144 mov eax, dword ptr fs:[00000030h] 4_2_01324144
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Code function: 4_2_01324144 mov ecx, dword ptr fs:[00000030h] 4_2_01324144
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Code function: 4_2_01324144 mov eax, dword ptr fs:[00000030h] 4_2_01324144
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Code function: 4_2_01324144 mov eax, dword ptr fs:[00000030h] 4_2_01324144
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Code function: 4_2_01296154 mov eax, dword ptr fs:[00000030h] 4_2_01296154
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Code function: 4_2_01296154 mov eax, dword ptr fs:[00000030h] 4_2_01296154
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Code function: 4_2_0128C156 mov eax, dword ptr fs:[00000030h] 4_2_0128C156
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Code function: 4_2_012D0185 mov eax, dword ptr fs:[00000030h] 4_2_012D0185
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Code function: 4_2_0131019F mov eax, dword ptr fs:[00000030h] 4_2_0131019F
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Code function: 4_2_0131019F mov eax, dword ptr fs:[00000030h] 4_2_0131019F
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Code function: 4_2_0131019F mov eax, dword ptr fs:[00000030h] 4_2_0131019F
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Code function: 4_2_0131019F mov eax, dword ptr fs:[00000030h] 4_2_0131019F
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Code function: 4_2_01334180 mov eax, dword ptr fs:[00000030h] 4_2_01334180
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Code function: 4_2_01334180 mov eax, dword ptr fs:[00000030h] 4_2_01334180
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Code function: 4_2_0134C188 mov eax, dword ptr fs:[00000030h] 4_2_0134C188
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Code function: 4_2_0134C188 mov eax, dword ptr fs:[00000030h] 4_2_0134C188
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Code function: 4_2_0128A197 mov eax, dword ptr fs:[00000030h] 4_2_0128A197
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Code function: 4_2_0128A197 mov eax, dword ptr fs:[00000030h] 4_2_0128A197
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Code function: 4_2_0128A197 mov eax, dword ptr fs:[00000030h] 4_2_0128A197
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Code function: 4_2_013661E5 mov eax, dword ptr fs:[00000030h] 4_2_013661E5
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Code function: 4_2_012C01F8 mov eax, dword ptr fs:[00000030h] 4_2_012C01F8
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Code function: 4_2_0130E1D0 mov eax, dword ptr fs:[00000030h] 4_2_0130E1D0
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Code function: 4_2_0130E1D0 mov eax, dword ptr fs:[00000030h] 4_2_0130E1D0
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Code function: 4_2_0130E1D0 mov ecx, dword ptr fs:[00000030h] 4_2_0130E1D0
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Code function: 4_2_0130E1D0 mov eax, dword ptr fs:[00000030h] 4_2_0130E1D0
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Code function: 4_2_0130E1D0 mov eax, dword ptr fs:[00000030h] 4_2_0130E1D0
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Code function: 4_2_013561C3 mov eax, dword ptr fs:[00000030h] 4_2_013561C3
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Code function: 4_2_013561C3 mov eax, dword ptr fs:[00000030h] 4_2_013561C3
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Code function: 4_2_01326030 mov eax, dword ptr fs:[00000030h] 4_2_01326030
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Code function: 4_2_0128A020 mov eax, dword ptr fs:[00000030h] 4_2_0128A020
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Code function: 4_2_0128C020 mov eax, dword ptr fs:[00000030h] 4_2_0128C020
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Code function: 4_2_01314000 mov ecx, dword ptr fs:[00000030h] 4_2_01314000
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Code function: 4_2_01332000 mov eax, dword ptr fs:[00000030h] 4_2_01332000
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Code function: 4_2_01332000 mov eax, dword ptr fs:[00000030h] 4_2_01332000
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Code function: 4_2_01332000 mov eax, dword ptr fs:[00000030h] 4_2_01332000
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Code function: 4_2_01332000 mov eax, dword ptr fs:[00000030h] 4_2_01332000
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Code function: 4_2_01332000 mov eax, dword ptr fs:[00000030h] 4_2_01332000
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Code function: 4_2_01332000 mov eax, dword ptr fs:[00000030h] 4_2_01332000
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Code function: 4_2_01332000 mov eax, dword ptr fs:[00000030h] 4_2_01332000
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Code function: 4_2_01332000 mov eax, dword ptr fs:[00000030h] 4_2_01332000
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Code function: 4_2_012AE016 mov eax, dword ptr fs:[00000030h] 4_2_012AE016
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Code function: 4_2_012AE016 mov eax, dword ptr fs:[00000030h] 4_2_012AE016
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Code function: 4_2_012AE016 mov eax, dword ptr fs:[00000030h] 4_2_012AE016
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Code function: 4_2_012AE016 mov eax, dword ptr fs:[00000030h] 4_2_012AE016
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Code function: 4_2_012BC073 mov eax, dword ptr fs:[00000030h] 4_2_012BC073
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Code function: 4_2_01316050 mov eax, dword ptr fs:[00000030h] 4_2_01316050
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Code function: 4_2_01292050 mov eax, dword ptr fs:[00000030h] 4_2_01292050
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Code function: 4_2_013560B8 mov eax, dword ptr fs:[00000030h] 4_2_013560B8
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Code function: 4_2_013560B8 mov ecx, dword ptr fs:[00000030h] 4_2_013560B8
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Code function: 4_2_013280A8 mov eax, dword ptr fs:[00000030h] 4_2_013280A8
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Code function: 4_2_0129208A mov eax, dword ptr fs:[00000030h] 4_2_0129208A
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Code function: 4_2_012980E9 mov eax, dword ptr fs:[00000030h] 4_2_012980E9
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Code function: 4_2_0128A0E3 mov ecx, dword ptr fs:[00000030h] 4_2_0128A0E3
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Code function: 4_2_013160E0 mov eax, dword ptr fs:[00000030h] 4_2_013160E0
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Code function: 4_2_0128C0F0 mov eax, dword ptr fs:[00000030h] 4_2_0128C0F0
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Code function: 4_2_012D20F0 mov ecx, dword ptr fs:[00000030h] 4_2_012D20F0
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Code function: 4_2_013120DE mov eax, dword ptr fs:[00000030h] 4_2_013120DE
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Code function: 4_2_012CA30B mov eax, dword ptr fs:[00000030h] 4_2_012CA30B
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Code function: 4_2_012CA30B mov eax, dword ptr fs:[00000030h] 4_2_012CA30B
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Code function: 4_2_012CA30B mov eax, dword ptr fs:[00000030h] 4_2_012CA30B
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Code function: 4_2_0128C310 mov ecx, dword ptr fs:[00000030h] 4_2_0128C310
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Code function: 4_2_012B0310 mov ecx, dword ptr fs:[00000030h] 4_2_012B0310
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Code function: 4_2_0133437C mov eax, dword ptr fs:[00000030h] 4_2_0133437C
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Code function: 4_2_01338350 mov ecx, dword ptr fs:[00000030h] 4_2_01338350
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Code function: 4_2_0135A352 mov eax, dword ptr fs:[00000030h] 4_2_0135A352
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Code function: 4_2_0131035C mov eax, dword ptr fs:[00000030h] 4_2_0131035C
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Code function: 4_2_0131035C mov eax, dword ptr fs:[00000030h] 4_2_0131035C
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Code function: 4_2_0131035C mov eax, dword ptr fs:[00000030h] 4_2_0131035C
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Code function: 4_2_0131035C mov ecx, dword ptr fs:[00000030h] 4_2_0131035C
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Code function: 4_2_0131035C mov eax, dword ptr fs:[00000030h] 4_2_0131035C
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Code function: 4_2_0131035C mov eax, dword ptr fs:[00000030h] 4_2_0131035C
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Code function: 4_2_01312349 mov eax, dword ptr fs:[00000030h] 4_2_01312349
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Code function: 4_2_01312349 mov eax, dword ptr fs:[00000030h] 4_2_01312349
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Code function: 4_2_01312349 mov eax, dword ptr fs:[00000030h] 4_2_01312349
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Code function: 4_2_01312349 mov eax, dword ptr fs:[00000030h] 4_2_01312349
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Code function: 4_2_01312349 mov eax, dword ptr fs:[00000030h] 4_2_01312349
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Code function: 4_2_01312349 mov eax, dword ptr fs:[00000030h] 4_2_01312349
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Code function: 4_2_01312349 mov eax, dword ptr fs:[00000030h] 4_2_01312349
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Code function: 4_2_01312349 mov eax, dword ptr fs:[00000030h] 4_2_01312349
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Code function: 4_2_01312349 mov eax, dword ptr fs:[00000030h] 4_2_01312349
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Code function: 4_2_01312349 mov eax, dword ptr fs:[00000030h] 4_2_01312349
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Code function: 4_2_01312349 mov eax, dword ptr fs:[00000030h] 4_2_01312349
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Code function: 4_2_01312349 mov eax, dword ptr fs:[00000030h] 4_2_01312349
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Code function: 4_2_01312349 mov eax, dword ptr fs:[00000030h] 4_2_01312349
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Code function: 4_2_01312349 mov eax, dword ptr fs:[00000030h] 4_2_01312349
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Code function: 4_2_01312349 mov eax, dword ptr fs:[00000030h] 4_2_01312349
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Code function: 4_2_0128E388 mov eax, dword ptr fs:[00000030h] 4_2_0128E388
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Code function: 4_2_0128E388 mov eax, dword ptr fs:[00000030h] 4_2_0128E388
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Code function: 4_2_0128E388 mov eax, dword ptr fs:[00000030h] 4_2_0128E388
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Code function: 4_2_012B438F mov eax, dword ptr fs:[00000030h] 4_2_012B438F
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Code function: 4_2_012B438F mov eax, dword ptr fs:[00000030h] 4_2_012B438F
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Code function: 4_2_01288397 mov eax, dword ptr fs:[00000030h] 4_2_01288397
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Code function: 4_2_01288397 mov eax, dword ptr fs:[00000030h] 4_2_01288397
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Code function: 4_2_01288397 mov eax, dword ptr fs:[00000030h] 4_2_01288397
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Code function: 4_2_012A03E9 mov eax, dword ptr fs:[00000030h] 4_2_012A03E9
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Code function: 4_2_012A03E9 mov eax, dword ptr fs:[00000030h] 4_2_012A03E9
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Code function: 4_2_012A03E9 mov eax, dword ptr fs:[00000030h] 4_2_012A03E9
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Code function: 4_2_012A03E9 mov eax, dword ptr fs:[00000030h] 4_2_012A03E9
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Code function: 4_2_012A03E9 mov eax, dword ptr fs:[00000030h] 4_2_012A03E9
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Code function: 4_2_012A03E9 mov eax, dword ptr fs:[00000030h] 4_2_012A03E9
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Code function: 4_2_012A03E9 mov eax, dword ptr fs:[00000030h] 4_2_012A03E9
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Code function: 4_2_012A03E9 mov eax, dword ptr fs:[00000030h] 4_2_012A03E9
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Code function: 4_2_012C63FF mov eax, dword ptr fs:[00000030h] 4_2_012C63FF
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Code function: 4_2_012AE3F0 mov eax, dword ptr fs:[00000030h] 4_2_012AE3F0
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Code function: 4_2_012AE3F0 mov eax, dword ptr fs:[00000030h] 4_2_012AE3F0
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Code function: 4_2_012AE3F0 mov eax, dword ptr fs:[00000030h] 4_2_012AE3F0
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Code function: 4_2_013343D4 mov eax, dword ptr fs:[00000030h] 4_2_013343D4
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Code function: 4_2_013343D4 mov eax, dword ptr fs:[00000030h] 4_2_013343D4
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Code function: 4_2_0129A3C0 mov eax, dword ptr fs:[00000030h] 4_2_0129A3C0
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Code function: 4_2_0129A3C0 mov eax, dword ptr fs:[00000030h] 4_2_0129A3C0
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Code function: 4_2_0129A3C0 mov eax, dword ptr fs:[00000030h] 4_2_0129A3C0
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Code function: 4_2_0129A3C0 mov eax, dword ptr fs:[00000030h] 4_2_0129A3C0
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Code function: 4_2_0129A3C0 mov eax, dword ptr fs:[00000030h] 4_2_0129A3C0
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Code function: 4_2_0129A3C0 mov eax, dword ptr fs:[00000030h] 4_2_0129A3C0
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Code function: 4_2_012983C0 mov eax, dword ptr fs:[00000030h] 4_2_012983C0
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Code function: 4_2_012983C0 mov eax, dword ptr fs:[00000030h] 4_2_012983C0
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Code function: 4_2_012983C0 mov eax, dword ptr fs:[00000030h] 4_2_012983C0
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Code function: 4_2_012983C0 mov eax, dword ptr fs:[00000030h] 4_2_012983C0
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Code function: 4_2_013163C0 mov eax, dword ptr fs:[00000030h] 4_2_013163C0
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Code function: 4_2_0134C3CD mov eax, dword ptr fs:[00000030h] 4_2_0134C3CD
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Code function: 4_2_0128823B mov eax, dword ptr fs:[00000030h] 4_2_0128823B
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Code function: 4_2_01340274 mov eax, dword ptr fs:[00000030h] 4_2_01340274
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Code function: 4_2_01340274 mov eax, dword ptr fs:[00000030h] 4_2_01340274
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Code function: 4_2_01340274 mov eax, dword ptr fs:[00000030h] 4_2_01340274
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Code function: 4_2_01340274 mov eax, dword ptr fs:[00000030h] 4_2_01340274
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Code function: 4_2_01340274 mov eax, dword ptr fs:[00000030h] 4_2_01340274
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Code function: 4_2_01340274 mov eax, dword ptr fs:[00000030h] 4_2_01340274
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Code function: 4_2_01340274 mov eax, dword ptr fs:[00000030h] 4_2_01340274
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Code function: 4_2_01340274 mov eax, dword ptr fs:[00000030h] 4_2_01340274
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Code function: 4_2_01340274 mov eax, dword ptr fs:[00000030h] 4_2_01340274
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Code function: 4_2_01340274 mov eax, dword ptr fs:[00000030h] 4_2_01340274
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Code function: 4_2_01340274 mov eax, dword ptr fs:[00000030h] 4_2_01340274
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Code function: 4_2_01340274 mov eax, dword ptr fs:[00000030h] 4_2_01340274
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Code function: 4_2_0128826B mov eax, dword ptr fs:[00000030h] 4_2_0128826B
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Code function: 4_2_01294260 mov eax, dword ptr fs:[00000030h] 4_2_01294260
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Code function: 4_2_01294260 mov eax, dword ptr fs:[00000030h] 4_2_01294260
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Code function: 4_2_01294260 mov eax, dword ptr fs:[00000030h] 4_2_01294260
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Code function: 4_2_01296259 mov eax, dword ptr fs:[00000030h] 4_2_01296259
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Code function: 4_2_01318243 mov eax, dword ptr fs:[00000030h] 4_2_01318243
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Code function: 4_2_01318243 mov ecx, dword ptr fs:[00000030h] 4_2_01318243
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Code function: 4_2_0128A250 mov eax, dword ptr fs:[00000030h] 4_2_0128A250
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Code function: 4_2_012A02A0 mov eax, dword ptr fs:[00000030h] 4_2_012A02A0
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Code function: 4_2_012A02A0 mov eax, dword ptr fs:[00000030h] 4_2_012A02A0
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Code function: 4_2_013262A0 mov eax, dword ptr fs:[00000030h] 4_2_013262A0
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Code function: 4_2_013262A0 mov ecx, dword ptr fs:[00000030h] 4_2_013262A0
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Code function: 4_2_013262A0 mov eax, dword ptr fs:[00000030h] 4_2_013262A0
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Code function: 4_2_013262A0 mov eax, dword ptr fs:[00000030h] 4_2_013262A0
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Code function: 4_2_013262A0 mov eax, dword ptr fs:[00000030h] 4_2_013262A0
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Code function: 4_2_013262A0 mov eax, dword ptr fs:[00000030h] 4_2_013262A0
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Code function: 4_2_012CE284 mov eax, dword ptr fs:[00000030h] 4_2_012CE284
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Code function: 4_2_012CE284 mov eax, dword ptr fs:[00000030h] 4_2_012CE284
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Code function: 4_2_01310283 mov eax, dword ptr fs:[00000030h] 4_2_01310283
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Code function: 4_2_01310283 mov eax, dword ptr fs:[00000030h] 4_2_01310283
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Code function: 4_2_01310283 mov eax, dword ptr fs:[00000030h] 4_2_01310283
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Code function: 4_2_012A02E1 mov eax, dword ptr fs:[00000030h] 4_2_012A02E1
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Code function: 4_2_012A02E1 mov eax, dword ptr fs:[00000030h] 4_2_012A02E1
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Code function: 4_2_012A02E1 mov eax, dword ptr fs:[00000030h] 4_2_012A02E1
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Code function: 4_2_0129A2C3 mov eax, dword ptr fs:[00000030h] 4_2_0129A2C3
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Code function: 4_2_0129A2C3 mov eax, dword ptr fs:[00000030h] 4_2_0129A2C3
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Code function: 4_2_0129A2C3 mov eax, dword ptr fs:[00000030h] 4_2_0129A2C3
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Code function: 4_2_0129A2C3 mov eax, dword ptr fs:[00000030h] 4_2_0129A2C3
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Code function: 4_2_0129A2C3 mov eax, dword ptr fs:[00000030h] 4_2_0129A2C3
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Code function: 4_2_012BE53E mov eax, dword ptr fs:[00000030h] 4_2_012BE53E
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Code function: 4_2_012BE53E mov eax, dword ptr fs:[00000030h] 4_2_012BE53E
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Code function: 4_2_012BE53E mov eax, dword ptr fs:[00000030h] 4_2_012BE53E
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Code function: 4_2_012BE53E mov eax, dword ptr fs:[00000030h] 4_2_012BE53E
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Code function: 4_2_012BE53E mov eax, dword ptr fs:[00000030h] 4_2_012BE53E
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Code function: 4_2_012A0535 mov eax, dword ptr fs:[00000030h] 4_2_012A0535
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Code function: 4_2_012A0535 mov eax, dword ptr fs:[00000030h] 4_2_012A0535
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Code function: 4_2_012A0535 mov eax, dword ptr fs:[00000030h] 4_2_012A0535
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Code function: 4_2_012A0535 mov eax, dword ptr fs:[00000030h] 4_2_012A0535
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Code function: 4_2_012A0535 mov eax, dword ptr fs:[00000030h] 4_2_012A0535
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Code function: 4_2_012A0535 mov eax, dword ptr fs:[00000030h] 4_2_012A0535
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Code function: 4_2_01326500 mov eax, dword ptr fs:[00000030h] 4_2_01326500
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Code function: 4_2_01364500 mov eax, dword ptr fs:[00000030h] 4_2_01364500
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Code function: 4_2_01364500 mov eax, dword ptr fs:[00000030h] 4_2_01364500
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Code function: 4_2_01364500 mov eax, dword ptr fs:[00000030h] 4_2_01364500
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Code function: 4_2_01364500 mov eax, dword ptr fs:[00000030h] 4_2_01364500
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Code function: 4_2_01364500 mov eax, dword ptr fs:[00000030h] 4_2_01364500
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Code function: 4_2_01364500 mov eax, dword ptr fs:[00000030h] 4_2_01364500
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Code function: 4_2_01364500 mov eax, dword ptr fs:[00000030h] 4_2_01364500
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Code function: 4_2_012C656A mov eax, dword ptr fs:[00000030h] 4_2_012C656A
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Code function: 4_2_012C656A mov eax, dword ptr fs:[00000030h] 4_2_012C656A
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Code function: 4_2_012C656A mov eax, dword ptr fs:[00000030h] 4_2_012C656A
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Code function: 4_2_01298550 mov eax, dword ptr fs:[00000030h] 4_2_01298550
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Code function: 4_2_01298550 mov eax, dword ptr fs:[00000030h] 4_2_01298550
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Code function: 4_2_013105A7 mov eax, dword ptr fs:[00000030h] 4_2_013105A7
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Code function: 4_2_013105A7 mov eax, dword ptr fs:[00000030h] 4_2_013105A7
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Code function: 4_2_013105A7 mov eax, dword ptr fs:[00000030h] 4_2_013105A7
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Code function: 4_2_012B45B1 mov eax, dword ptr fs:[00000030h] 4_2_012B45B1
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Code function: 4_2_012B45B1 mov eax, dword ptr fs:[00000030h] 4_2_012B45B1
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Code function: 4_2_012C4588 mov eax, dword ptr fs:[00000030h] 4_2_012C4588
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Code function: 4_2_01292582 mov eax, dword ptr fs:[00000030h] 4_2_01292582
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Code function: 4_2_01292582 mov ecx, dword ptr fs:[00000030h] 4_2_01292582
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Code function: 4_2_012CE59C mov eax, dword ptr fs:[00000030h] 4_2_012CE59C
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Code function: 4_2_012CC5ED mov eax, dword ptr fs:[00000030h] 4_2_012CC5ED
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Code function: 4_2_012CC5ED mov eax, dword ptr fs:[00000030h] 4_2_012CC5ED
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Code function: 4_2_012925E0 mov eax, dword ptr fs:[00000030h] 4_2_012925E0
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Code function: 4_2_012BE5E7 mov eax, dword ptr fs:[00000030h] 4_2_012BE5E7
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Code function: 4_2_012BE5E7 mov eax, dword ptr fs:[00000030h] 4_2_012BE5E7
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Code function: 4_2_012BE5E7 mov eax, dword ptr fs:[00000030h] 4_2_012BE5E7
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Code function: 4_2_012BE5E7 mov eax, dword ptr fs:[00000030h] 4_2_012BE5E7
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Code function: 4_2_012BE5E7 mov eax, dword ptr fs:[00000030h] 4_2_012BE5E7
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Code function: 4_2_012BE5E7 mov eax, dword ptr fs:[00000030h] 4_2_012BE5E7
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Code function: 4_2_012BE5E7 mov eax, dword ptr fs:[00000030h] 4_2_012BE5E7
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Code function: 4_2_012BE5E7 mov eax, dword ptr fs:[00000030h] 4_2_012BE5E7
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Code function: 4_2_012CE5CF mov eax, dword ptr fs:[00000030h] 4_2_012CE5CF
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Code function: 4_2_012CE5CF mov eax, dword ptr fs:[00000030h] 4_2_012CE5CF
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Code function: 4_2_012965D0 mov eax, dword ptr fs:[00000030h] 4_2_012965D0
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Code function: 4_2_012CA5D0 mov eax, dword ptr fs:[00000030h] 4_2_012CA5D0
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Code function: 4_2_012CA5D0 mov eax, dword ptr fs:[00000030h] 4_2_012CA5D0
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Code function: 4_2_0128E420 mov eax, dword ptr fs:[00000030h] 4_2_0128E420
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Code function: 4_2_0128E420 mov eax, dword ptr fs:[00000030h] 4_2_0128E420
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Code function: 4_2_0128E420 mov eax, dword ptr fs:[00000030h] 4_2_0128E420
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Code function: 4_2_0128C427 mov eax, dword ptr fs:[00000030h] 4_2_0128C427
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Code function: 4_2_01316420 mov eax, dword ptr fs:[00000030h] 4_2_01316420
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Code function: 4_2_01316420 mov eax, dword ptr fs:[00000030h] 4_2_01316420
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Code function: 4_2_01316420 mov eax, dword ptr fs:[00000030h] 4_2_01316420
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Code function: 4_2_01316420 mov eax, dword ptr fs:[00000030h] 4_2_01316420
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Code function: 4_2_01316420 mov eax, dword ptr fs:[00000030h] 4_2_01316420
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Code function: 4_2_01316420 mov eax, dword ptr fs:[00000030h] 4_2_01316420
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Code function: 4_2_01316420 mov eax, dword ptr fs:[00000030h] 4_2_01316420
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Code function: 4_2_012CA430 mov eax, dword ptr fs:[00000030h] 4_2_012CA430
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Code function: 4_2_012C8402 mov eax, dword ptr fs:[00000030h] 4_2_012C8402
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Code function: 4_2_012C8402 mov eax, dword ptr fs:[00000030h] 4_2_012C8402
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Code function: 4_2_012C8402 mov eax, dword ptr fs:[00000030h] 4_2_012C8402
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Code function: 4_2_0131C460 mov ecx, dword ptr fs:[00000030h] 4_2_0131C460
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Code function: 4_2_012BA470 mov eax, dword ptr fs:[00000030h] 4_2_012BA470
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Code function: 4_2_012BA470 mov eax, dword ptr fs:[00000030h] 4_2_012BA470
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Code function: 4_2_012BA470 mov eax, dword ptr fs:[00000030h] 4_2_012BA470
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Code function: 4_2_012CE443 mov eax, dword ptr fs:[00000030h] 4_2_012CE443
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Code function: 4_2_012CE443 mov eax, dword ptr fs:[00000030h] 4_2_012CE443
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Code function: 4_2_012CE443 mov eax, dword ptr fs:[00000030h] 4_2_012CE443
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Code function: 4_2_012CE443 mov eax, dword ptr fs:[00000030h] 4_2_012CE443
Source: C:\Windows\SysWOW64\wscript.exe Code function: 6_2_009C51BD GetProcessHeap,HeapFree, 6_2_009C51BD
Source: C:\Windows\SysWOW64\wscript.exe Code function: 6_2_009C7A38 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 6_2_009C7A38
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\System32\wscript.exe File created: HHhHh.exe.0.dr
Source: C:\Windows\explorer.exe Network Connect: 103.169.142.0 80
Source: C:\Windows\explorer.exe Network Connect: 198.54.117.242 80
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe NtQueueApcThread: Indirect: 0x123A4F2
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe NtClose: Indirect: 0x123A56C
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Memory written: C:\Users\user\AppData\Local\Temp\HHhHh.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Section loaded: NULL target: C:\Windows\SysWOW64\wscript.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: NULL target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Thread register set: target process: 1028
Source: C:\Windows\SysWOW64\wscript.exe Thread register set: target process: 1028
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Thread APC queued: target process: C:\Windows\explorer.exe
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Section unmapped: C:\Windows\SysWOW64\wscript.exe base address: 9B0000
Source: C:\Windows\System32\wscript.exe Process created: C:\Users\user\AppData\Local\Temp\HHhHh.exe "C:\Users\user\AppData\Local\Temp\HHhHh.exe"
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Process created: C:\Users\user\AppData\Local\Temp\HHhHh.exe "C:\Users\user\AppData\Local\Temp\HHhHh.exe"
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\AppData\Local\Temp\HHhHh.exe"
Source: C:\Windows\SysWOW64\wscript.exe Code function: GetLocaleInfoW,wcsncmp, 6_2_009C7084
Source: C:\Windows\SysWOW64\wscript.exe Code function: GetUserDefaultLCID,GetLocaleInfoW,GetModuleFileNameW,FreeLibrary,GetLocaleInfoA,LoadStringA,GetModuleFileNameA,CharNextA,memcpy,strcpy_s,LoadLibraryExA,LoadLibraryExA,sprintf_s,CharNextA,memcpy,strcpy_s,LoadLibraryExA,LoadLibraryExA,GetUserDefaultLCID,GetLocaleInfoA,sprintf_s,CharNextA,memcpy,strcpy_s,LoadLibraryExA,LoadLibraryExA, 6_2_009C544C
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Queries volume information: C:\Users\user\AppData\Local\Temp\HHhHh.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\SysWOW64\wscript.exe Code function: 6_2_009C79A0 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter, 6_2_009C79A0
Source: C:\Windows\SysWOW64\wscript.exe Code function: 6_2_009BB8C3 RegisterEventSourceW,GetUserNameW,LookupAccountNameW,LookupAccountNameW,ReportEventW,DeregisterEventSource,SysFreeString,RegCloseKey,RegCloseKey, 6_2_009BB8C3
Source: C:\Windows\SysWOW64\wscript.exe Code function: 6_2_009B91C6 SysAllocString,GetVersionExA,IsTextUnicode,MultiByteToWideChar,GetLastError,SysAllocStringLen,MultiByteToWideChar,GetLastError,_swab,memmove,SysFreeString, 6_2_009B91C6
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
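Read together, the evasion events in this section describe one chain: the System32 wscript.exe that ran the .vbe drops and starts HHhHh.exe; HHhHh.exe starts a second copy of itself and writes a PE image (the value starts with 4D5A, "MZ") at the default 32-bit image base 0x400000 of that child; the child maps executable sections into a SysWOW64 wscript.exe and into explorer.exe, unmaps wscript's original image at 0x9B0000, sets a thread context and queues an APC; the hijacked explorer.exe is then the process that connects to 103.169.142.0 and 198.54.117.242 on port 80, and the hollowed wscript.exe runs `cmd.exe /c del` to remove the dropper. The correlator below is an added example written for this report, not sandbox code: it parses a constructed subset of the lines printed above and turns them into findings, so the same rules can be pointed at another report's behaviour lines. The rule logic and the ATT&CK technique labels are this example's own reading of the events.

```python
"""Correlate sandbox behaviour lines into an injection / hollowing chain.

Added example for this report, not code from the sandbox or from the sample.
The input is a constructed subset of the lines printed in the "HIPS / PFW /
Operating System Protection Evasion" section; the rules and the ATT&CK labels
are this example's own reading of those events.
"""
import re
from collections import defaultdict

# "Source: <process> <Event name>: <detail> [Jump to ...]"
LINE_RE = re.compile(
    r"^Source: (?P<src>\S+) (?P<event>[A-Za-z ]+?): (?P<detail>.*?)(?: Jump to [a-z ]+)?$"
)

# Constructed subset of the report's behaviour lines (paths and IPs as printed).
REPORT_LINES = r"""
Source: C:\Windows\System32\wscript.exe File created: HHhHh.exe.0.dr Jump to dropped file
Source: C:\Windows\explorer.exe Network Connect: 103.169.142.0 80 Jump to behavior
Source: C:\Windows\explorer.exe Network Connect: 198.54.117.242 80 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Memory written: C:\Users\user\AppData\Local\Temp\HHhHh.exe base: 400000 value starts with: 4D5A Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Thread register set: target process: 1028 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Thread APC queued: target process: C:\Windows\explorer.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Section unmapped: C:\Windows\SysWOW64\wscript.exe base address: 9B0000 Jump to behavior
Source: C:\Windows\System32\wscript.exe Process created: C:\Users\user\AppData\Local\Temp\HHhHh.exe "C:\Users\user\AppData\Local\Temp\HHhHh.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe Process created: C:\Users\user\AppData\Local\Temp\HHhHh.exe "C:\Users\user\AppData\Local\Temp\HHhHh.exe" Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\AppData\Local\Temp\HHhHh.exe" Jump to behavior
"""

def basename(path):
    return path.rstrip('"').rsplit("\\", 1)[-1].lower()

def parse(text):
    """Return (source, event, detail) triples; lines that do not fit are skipped."""
    out = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            out.append((m["src"], m["event"], m["detail"]))
    return out

def correlate(events):
    """Return sorted (actor, finding, attack_id) tuples derived from the events."""
    findings, by_src, dropped, injected = [], defaultdict(list), set(), set()
    for src, ev, detail in events:
        by_src[src].append((ev, detail))
        if ev == "File created":                       # "name.N.dr" is the sandbox's dropped-file tag
            dropped.add(re.sub(r"\.\d+\.dr$", "", detail).lower())
    for src, evs in by_src.items():
        actor = basename(src)
        # Self-hollowing: spawn own image again, write an MZ header at the
        # child's default image base.
        spawned_self = any(ev == "Process created" and d.startswith(src + " ") for ev, d in evs)
        wrote_mz_self = any(ev == "Memory written" and d.startswith(src + " base: 400000")
                            and "4D5A" in d for ev, d in evs)
        if spawned_self and wrote_mz_self:
            findings.append((actor, "self-hollowing: MZ written at 0x400000 of own child", "T1055.012"))
        # Executable section mapped into a foreign process plus an APC queued there.
        rwx = {m.group(1) for ev, d in evs if ev == "Section loaded"
               for m in [re.search(r"target: (\S+) protection: execute", d)] if m}
        apc = {d.split("target process: ", 1)[1] for ev, d in evs if ev == "Thread APC queued"}
        for tgt in rwx & apc:
            findings.append((actor, "apc-injection into " + basename(tgt), "T1055.004"))
        injected |= {basename(t) for t in rwx | apc}
        for ev, d in evs:
            if ev == "Section unmapped":               # original image of another process torn down
                findings.append((actor, "image unmapped in " + basename(d.split(" base address")[0]), "T1055.012"))
            elif ev == "Thread register set":          # SetThreadContext-style redirect of a remote thread
                findings.append((actor, "thread context set in " + d.split("target process: ", 1)[1], "T1055.003"))
            elif ev == "Process created":
                m = re.search(r'cmd\.exe /c del "([^"]+)"', d)
                if m and basename(m.group(1)) in dropped:
                    findings.append((actor, "self-delete of dropped " + basename(m.group(1)), "T1070.004"))
    # Network activity from a process that something else injected into.
    for src, evs in by_src.items():
        peers = sorted(d.replace(" ", ":") for ev, d in evs if ev == "Network Connect")
        if peers and basename(src) in injected:
            findings.append((basename(src), "c2 from injected process: " + ", ".join(peers), "T1055"))
    return sorted(findings)

if __name__ == "__main__":
    for actor, what, tid in correlate(parse(REPORT_LINES)):
        print("%-10s %-14s %s" % (tid, actor, what))
```

The point of the "injected" set is the last rule: a Network Connect from explorer.exe is unremarkable on its own, and only becomes the C2 indicator once an earlier event shows another process mapping executable memory into it. On a real report, feed it every "Jump to behavior" line rather than a subset; the parser ignores lines it cannot match.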

Stealing of Sensitive Information

Source: Yara match File source: 4.2.HHhHh.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.HHhHh.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000006.00000002.4519776308.0000000003130000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.4518736574.0000000000900000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2206699607.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.2150854025.00000000036B9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.4519112840.0000000002C50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Source: Yara match File source: 4.2.HHhHh.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.HHhHh.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000006.00000002.4519776308.0000000003130000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.4518736574.0000000000900000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2206699607.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.2150854025.00000000036B9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.4519112840.0000000002C50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: C:\Windows\SysWOW64\wscript.exe Code function: 6_2_009B9D9A CreateBindCtx,SysFreeString,SysAllocStringByteLen, 6_2_009B9D9A
Source: C:\Windows\SysWOW64\wscript.exe Code function: 6_2_009C1170 CreateBindCtx,CreateFileMoniker,MkParseDisplayName, 6_2_009C1170
Source: C:\Windows\SysWOW64\wscript.exe Code function: 6_2_009BDEED CoCreateInstance,CoCreateInstance,GetUserDefaultLCID,CoGetClassObject,CreateBindCtx, 6_2_009BDEED