Windows Analysis Report
FS001_ DT103024.bat

Overview

General Information

Sample name: FS001_ DT103024.bat
Analysis ID: 1546702
MD5: 3f526171c5f8abe5b38acc03f002c6e9
SHA1: f89f1f5961f3dd53cd76471d7603ae9bfc1fa0c1
SHA256: ba8888302e61b64da91ce078b99ee2c4afa90f53621f9005be2ffbe7bdde1767
Tags: bat

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected AntiVM3
Yara detected FormBook
.NET source code contains potential unpacker
AI detected suspicious sample
Command shell drops VBS files
Found large BAT file
Injects a PE file into a foreign process
Machine Learning detection for dropped file
Potential malicious VBS script found (has network functionality)
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Suricata IDS alerts with low severity for network traffic
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection

Source: C:\Users\user\AppData\Local\Temp\x.exe ReversingLabs: Detection: 54%
Source: FS001_ DT103024.bat ReversingLabs: Detection: 45%
Source: Yara match File source: 7.2.x.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.x.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000007.00000002.2389064110.0000000001340000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2388569618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Local\Temp\x.exe Joe Sandbox ML: detected
Source: Binary string: wntdll.pdbUGP source: x.exe, 00000007.00000002.2389202000.00000000013A0000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: x.exe, x.exe, 00000007.00000002.2389202000.00000000013A0000.00000040.00001000.00020000.00000000.sdmp

Networking

Source: C:\Windows\System32\cmd.exe Dropped file: b.SaveToFile p+"\x.exe",2'v
Source: Network traffic Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 4.245.163.56:443 -> 192.168.2.5:49707
Source: Network traffic Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 4.245.163.56:443 -> 192.168.2.5:61507
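The dropped-file evidence above (an ADODB.Stream `SaveToFile ... ,2` call whose line ends in `'v`) together with the `findstr /e "'v"` command line in the System Summary below describes the staging trick: the VBScript is embedded in the batch file as lines that end in `'v`, which is a VBScript comment, and `findstr /e` (match at end of line) copies exactly those lines out into x.vbs. The Python below is an added example, not code from the report or from the sample, that reproduces that carving offline so a responder can recover the script stage from a similar polyglot. The batch text is constructed to mirror the technique; the real 1.4 MB file's content is not on the page, and the regexes for the VBS indicators are the author's own.

```python
"""Carve a findstr-extracted VBScript stage out of a batch/VBS polyglot.

Added example for triage; not code from the report or the sample. SAMPLE_BAT
is constructed to mirror the observed technique (findstr /e "'v" <bat> > x.vbs),
not the real file. Everything after "exit /b" is never executed by cmd.exe; it
is only read back by findstr.
"""
import re
from typing import Iterable

MARKER = "'v"  # findstr /e "'v" keeps only lines that end with this literal

def carve_vbs(bat_text: str, marker: str = MARKER) -> list[str]:
    """Return the lines findstr /e would select, in file order.

    findstr /e anchors the literal at end of line and writes matching lines
    unchanged, so the trailing marker stays in place; VBScript treats it as a
    comment, which is why the carved file runs as-is.
    """
    return [ln for ln in bat_text.splitlines() if ln.rstrip("\r").endswith(marker)]

def stage_markers(vbs_lines: Iterable[str]) -> dict[str, list]:
    """Pull the indicators a responder wants from the carved script:
    COM objects instantiated and ADODB.Stream SaveToFile targets with their
    save option (2 = adSaveCreateOverWrite)."""
    text = "\n".join(vbs_lines)
    return {
        "createobject": re.findall(r'CreateObject\("([^"]+)"\)', text, re.I),
        "savetofile": re.findall(r"SaveToFile\s+([^,]+),\s*(\d)", text, re.I),
    }

# Constructed stand-in for the polyglot: batch commands first, then the VBS
# lines each ending in the 'v marker after an exit so cmd never parses them.
SAMPLE_BAT = "\r\n".join([
    "@echo off",
    "set p=%TEMP%",
    "findstr /e \"'v\" \"%~f0\" > \"%p%\\x.vbs\"",
    "cscript //nologo \"%p%\\x.vbs\"",
    "\"%p%\\x.exe\"",
    "exit /b",
    "Set fso = CreateObject(\"Scripting.FileSystemObject\")'v",
    "Set b = CreateObject(\"ADODB.Stream\")'v",
    "p = fso.GetSpecialFolder(2)'v",
    "b.Type = 1'v",
    "b.Open'v",
    "' the stream writes that carry the PE bytes are omitted in this stand-in'v",
    "b.SaveToFile p+\"\\x.exe\",2'v",
])

if __name__ == "__main__":
    vbs = carve_vbs(SAMPLE_BAT)
    print("\n".join(vbs))
    print(stage_markers(vbs))
```

Run it against the real batch file by reading it in binary and decoding as latin-1 so that any embedded payload bytes survive; only the marker-terminated lines come out, which is the same set the dropper itself executes.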

E-Banking Fraud

Source: Yara match File source: 7.2.x.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.x.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000007.00000002.2389064110.0000000001340000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2388569618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

System Summary

Source: FS001_ DT103024.bat Static file information: 1405358
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_0042C653 NtClose, 7_2_0042C653
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_014135C0 NtCreateMutant,LdrInitializeThunk, 7_2_014135C0
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_01412DF0 NtQuerySystemInformation,LdrInitializeThunk, 7_2_01412DF0
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_01412C70 NtFreeVirtualMemory,LdrInitializeThunk, 7_2_01412C70
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_01413010 NtOpenDirectoryObject, 7_2_01413010
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_01413090 NtSetValueKey, 7_2_01413090
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_01414340 NtSetContextThread, 7_2_01414340
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_01414650 NtSuspendThread, 7_2_01414650
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_014139B0 NtGetContextThread, 7_2_014139B0
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_01412B60 NtClose, 7_2_01412B60
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_01412BE0 NtQueryValueKey, 7_2_01412BE0
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_01412BF0 NtAllocateVirtualMemory, 7_2_01412BF0
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_01412B80 NtQueryInformationFile, 7_2_01412B80
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_01412BA0 NtEnumerateValueKey, 7_2_01412BA0
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_01412AD0 NtReadFile, 7_2_01412AD0
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_01412AF0 NtWriteFile, 7_2_01412AF0
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_01412AB0 NtWaitForSingleObject, 7_2_01412AB0
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_01413D70 NtOpenThread, 7_2_01413D70
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_01412D00 NtSetInformationFile, 7_2_01412D00
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_01412D10 NtMapViewOfSection, 7_2_01412D10
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_01413D10 NtOpenProcessToken, 7_2_01413D10
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_01412D30 NtUnmapViewOfSection, 7_2_01412D30
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_01412DD0 NtDelayExecution, 7_2_01412DD0
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_01412DB0 NtEnumerateKey, 7_2_01412DB0
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_01412C60 NtCreateKey, 7_2_01412C60
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_01412C00 NtQueryInformationProcess, 7_2_01412C00
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_01412CC0 NtQueryVirtualMemory, 7_2_01412CC0
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_01412CF0 NtOpenProcess, 7_2_01412CF0
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_01412CA0 NtQueryInformationToken, 7_2_01412CA0
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_01412F60 NtCreateProcessEx, 7_2_01412F60
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_01412F30 NtCreateSection, 7_2_01412F30
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_01412FE0 NtCreateFile, 7_2_01412FE0
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_01412F90 NtProtectVirtualMemory, 7_2_01412F90
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_01412FA0 NtQuerySection, 7_2_01412FA0
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_01412FB0 NtResumeThread, 7_2_01412FB0
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_01412E30 NtWriteVirtualMemory, 7_2_01412E30
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_01412EE0 NtQueueApcThread, 7_2_01412EE0
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_01412E80 NtReadVirtualMemory, 7_2_01412E80
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_01412EA0 NtAdjustPrivilegesToken, 7_2_01412EA0
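Taken together, the NtCreateProcessEx, NtUnmapViewOfSection, NtAllocateVirtualMemory, NtWriteVirtualMemory, NtGetContextThread/NtSetContextThread and NtResumeThread entries above are the primitives of process hollowing, which is also what the "Creates a process in suspended mode" and "Injects a PE file into a foreign process" signatures point at: a child is started suspended, its image unmapped, a replacement written into its address space, the thread context pointed at the new entry point, and the thread resumed. The Python below is an added example, not code from the report or the sample, of an order-sensitive matcher for that sequence over a user-mode API trace. The trace format (pid, API name, key=value args) is constructed for the example; a real trace would come from a sandbox API log or a hooking framework.

```python
"""Order-sensitive matcher for the process-hollowing API sequence.

Added example, not code from the report. SAMPLE_TRACE is constructed; the
"pid api k=v ..." format is an assumption standing in for a sandbox API log.
"""
import re
from collections import defaultdict

# Each step names the APIs that satisfy it. Order is enforced per pid;
# unrelated calls in between do not reset progress.
HOLLOW_STEPS = [
    ("create_suspended", {"NtCreateProcessEx", "CreateProcessInternalW"}),
    ("unmap", {"NtUnmapViewOfSection"}),
    ("alloc", {"NtAllocateVirtualMemory"}),
    ("write", {"NtWriteVirtualMemory"}),
    ("set_context", {"NtSetContextThread"}),
    ("resume", {"NtResumeThread"}),
]
SELF_HANDLES = {None, "-1", "0xFFFFFFFF"}  # current-process pseudo-handle
CREATE_SUSPENDED = 0x4

LINE = re.compile(r"^(?P<pid>\d+)\s+(?P<api>\w+)\s*(?P<args>.*)$")

def parse_trace(text: str) -> list[tuple[int, str, dict[str, str]]]:
    """Parse 'pid api k=v k=v' lines into (pid, api, args) tuples."""
    out = []
    for raw in text.strip().splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        args = dict(kv.split("=", 1) for kv in m["args"].split() if "=" in kv)
        out.append((int(m["pid"]), m["api"], args))
    return out

def hollowing_matches(trace) -> dict[int, list[str]]:
    """For each pid, return the ordered step names completed so far.

    Two filters keep the match honest: a CreateProcess without
    CREATE_SUSPENDED does not start a chain, and unmap/alloc/write calls
    against the caller's own handle are self-injection, a different pattern.
    """
    progress: dict[int, list[str]] = defaultdict(list)
    for pid, api, args in trace:
        done = progress[pid]
        if len(done) >= len(HOLLOW_STEPS):
            continue
        step, apis = HOLLOW_STEPS[len(done)]
        if api not in apis:
            continue
        if step == "create_suspended" and api == "CreateProcessInternalW" \
                and not int(args.get("flags", "0"), 0) & CREATE_SUSPENDED:
            continue
        if step in ("unmap", "alloc", "write") and args.get("handle") in SELF_HANDLES:
            continue
        done.append(step)
    return dict(progress)

def is_hollowing(steps: list[str]) -> bool:
    """True when every step of the sequence was seen in order."""
    return steps == [name for name, _ in HOLLOW_STEPS]

# Constructed trace: pid 5 hollows a suspended child; pid 9 is a normal
# launcher that creates a process without CREATE_SUSPENDED and resumes it.
SAMPLE_TRACE = """
5 CreateProcessInternalW image=x.exe flags=0x4
5 NtGetContextThread handle=0x1c4
5 NtUnmapViewOfSection handle=0x1c0 base=0x400000
5 NtAllocateVirtualMemory handle=0x1c0 base=0x400000 size=0x3a000 prot=0x40
5 NtWriteVirtualMemory handle=0x1c0 base=0x400000 size=0x400
5 NtWriteVirtualMemory handle=0x1c0 base=0x401000 size=0x2e000
5 NtSetContextThread handle=0x1c4
5 NtResumeThread handle=0x1c4
9 CreateProcessInternalW image=notepad.exe flags=0x0
9 NtResumeThread handle=0x2f0
"""

if __name__ == "__main__":
    for pid, steps in hollowing_matches(parse_trace(SAMPLE_TRACE)).items():
        print(pid, steps, "HOLLOWING" if is_hollowing(steps) else "")
```

The matcher deliberately ignores which handle the context calls use, because a hollower may operate on the primary thread handle returned by CreateProcess rather than on a handle it opened itself; tighten that if the trace records handle provenance.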
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 5_2_01193E34 5_2_01193E34
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 5_2_0119E04C 5_2_0119E04C
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 5_2_0119703A 5_2_0119703A
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 5_2_06F6AEF8 5_2_06F6AEF8
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 5_2_06F621B0 5_2_06F621B0
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 5_2_06F6B6B8 5_2_06F6B6B8
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 5_2_06F623F0 5_2_06F623F0
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 5_2_06F82338 5_2_06F82338
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 5_2_06F81069 5_2_06F81069
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 5_2_06F8918A 5_2_06F8918A
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 5_2_06F8C640 5_2_06F8C640
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 5_2_06F8C630 5_2_06F8C630
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 5_2_06F85610 5_2_06F85610
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 5_2_06F85603 5_2_06F85603
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 5_2_06F845F0 5_2_06F845F0
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 5_2_06F87588 5_2_06F87588
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 5_2_06F8E290 5_2_06F8E290
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 5_2_06F8E27F 5_2_06F8E27F
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 5_2_06F8C208 5_2_06F8C208
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 5_2_06F8C1F9 5_2_06F8C1F9
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 5_2_06F8BDD0 5_2_06F8BDD0
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 5_2_06F8BDB1 5_2_06F8BDB1
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 5_2_06F8EA05 5_2_06F8EA05
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 5_2_06F8D8E0 5_2_06F8D8E0
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 5_2_06F8D8D1 5_2_06F8D8D1
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 5_2_06F858A8 5_2_06F858A8
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 5_2_06F85897 5_2_06F85897
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 5_2_06F9E7E0 5_2_06F9E7E0
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 5_2_06F92106 5_2_06F92106
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 5_2_06F96CE8 5_2_06F96CE8
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 5_2_06F96CD8 5_2_06F96CD8
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 5_2_06F92C38 5_2_06F92C38
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 5_2_06F98C00 5_2_06F98C00
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 5_2_07D70040 5_2_07D70040
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 5_2_07D719A8 5_2_07D719A8
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 5_2_07D72CB8 5_2_07D72CB8
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_00410043 7_2_00410043
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_0041694E 7_2_0041694E
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_00416953 7_2_00416953
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_00402A45 7_2_00402A45
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_00401250 7_2_00401250
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_00402A50 7_2_00402A50
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_00410263 7_2_00410263
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_0040E2E3 7_2_0040E2E3
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_0042EC83 7_2_0042EC83
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_004026A0 7_2_004026A0
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_00402FA0 7_2_00402FA0
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_014AB16B 7_2_014AB16B
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_0141516C 7_2_0141516C
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_013D0100 7_2_013D0100
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_013CF172 7_2_013CF172
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_0147A118 7_2_0147A118
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_014981CC 7_2_014981CC
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_013EB1B0 7_2_013EB1B0
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_014A01AA 7_2_014A01AA
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_0148F0CC 7_2_0148F0CC
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_014970E9 7_2_014970E9
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_0149F0E0 7_2_0149F0E0
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_013E70C0 7_2_013E70C0
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_0149A352 7_2_0149A352
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_0149132D 7_2_0149132D
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_013CD34C 7_2_013CD34C
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_014A03E6 7_2_014A03E6
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_013EE3F0 7_2_013EE3F0
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_0142739A 7_2_0142739A
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_01480274 7_2_01480274
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_013E52A0 7_2_013E52A0
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_014812ED 7_2_014812ED
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_013FB2C0 7_2_013FB2C0
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_013E0535 7_2_013E0535
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_01497571 7_2_01497571
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_014A0591 7_2_014A0591
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_0147D5B0 7_2_0147D5B0
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_01492446 7_2_01492446
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_013D1460 7_2_013D1460
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_0149F43F 7_2_0149F43F
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_0148E4F6 7_2_0148E4F6
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_01404750 7_2_01404750
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_013E0770 7_2_013E0770
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_0149F7B0 7_2_0149F7B0
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_013DC7C0 7_2_013DC7C0
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_014916CC 7_2_014916CC
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_013FC6E0 7_2_013FC6E0
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_013F6962 7_2_013F6962
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_013E9950 7_2_013E9950
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_013FB950 7_2_013FB950
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_013E29A0 7_2_013E29A0
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_014AA9A6 7_2_014AA9A6
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_0144D800 7_2_0144D800
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_013EA840 7_2_013EA840
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_013E2840 7_2_013E2840
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_013C68B8 7_2_013C68B8
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_0140E8F0 7_2_0140E8F0
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_013E38E0 7_2_013E38E0
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_0149AB40 7_2_0149AB40
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_0149FB76 7_2_0149FB76
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_01496BD7 7_2_01496BD7
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_01455BF0 7_2_01455BF0
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_0141DBF9 7_2_0141DBF9
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_013A9B80 7_2_013A9B80
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_013FFB80 7_2_013FFB80
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_0149FA49 7_2_0149FA49
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_01497A46 7_2_01497A46
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_01453A6C 7_2_01453A6C
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_0148DAC6 7_2_0148DAC6
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_013DEA80 7_2_013DEA80
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_01425AA0 7_2_01425AA0
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_0147DAAC 7_2_0147DAAC
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_01491D5A 7_2_01491D5A
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_01497D73 7_2_01497D73
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_013EAD00 7_2_013EAD00
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_013E3D40 7_2_013E3D40
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_013F8DBF 7_2_013F8DBF
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_013DADE0 7_2_013DADE0
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_013FFDC0 7_2_013FFDC0
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_013E0C00 7_2_013E0C00
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_01459C32 7_2_01459C32
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_0149FCF2 7_2_0149FCF2
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_013D0CF2 7_2_013D0CF2
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_01480CB5 7_2_01480CB5
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_01454F40 7_2_01454F40
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_0149FF09 7_2_0149FF09
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_01422F28 7_2_01422F28
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_01400F30 7_2_01400F30
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_013E1F92 7_2_013E1F92
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_013ECFE0 7_2_013ECFE0
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_013A3FD2 7_2_013A3FD2
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_013A3FD5 7_2_013A3FD5
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_013D2FC8 7_2_013D2FC8
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_0149FFB1 7_2_0149FFB1
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_013E0E59 7_2_013E0E59
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_0149EE26 7_2_0149EE26
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_013E9EB0 7_2_013E9EB0
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_0149EEDB 7_2_0149EEDB
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_013F2E90 7_2_013F2E90
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_0149CE93 7_2_0149CE93
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: String function: 0145F290 appears 105 times
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: String function: 013CB970 appears 268 times
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: String function: 01427E54 appears 90 times
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: String function: 0144EA12 appears 86 times
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: String function: 01415130 appears 36 times
Source: x.exe.4.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 5.2.x.exe.45517f0.2.raw.unpack, dMn7Q7mEsppOh0xjvJ.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 5.2.x.exe.45d9c10.3.raw.unpack, dMn7Q7mEsppOh0xjvJ.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 5.2.x.exe.7ce0000.5.raw.unpack, Iq9ZQy9BvVQNp1fKNT.cs Security API names: _0020.SetAccessControl
Source: 5.2.x.exe.7ce0000.5.raw.unpack, Iq9ZQy9BvVQNp1fKNT.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 5.2.x.exe.7ce0000.5.raw.unpack, Iq9ZQy9BvVQNp1fKNT.cs Security API names: _0020.AddAccessRule
Source: 5.2.x.exe.45d9c10.3.raw.unpack, Iq9ZQy9BvVQNp1fKNT.cs Security API names: _0020.SetAccessControl
Source: 5.2.x.exe.45d9c10.3.raw.unpack, Iq9ZQy9BvVQNp1fKNT.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 5.2.x.exe.45d9c10.3.raw.unpack, Iq9ZQy9BvVQNp1fKNT.cs Security API names: _0020.AddAccessRule
Source: 5.2.x.exe.7ce0000.5.raw.unpack, dMn7Q7mEsppOh0xjvJ.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 5.2.x.exe.45517f0.2.raw.unpack, Iq9ZQy9BvVQNp1fKNT.cs Security API names: _0020.SetAccessControl
Source: 5.2.x.exe.45517f0.2.raw.unpack, Iq9ZQy9BvVQNp1fKNT.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 5.2.x.exe.45517f0.2.raw.unpack, Iq9ZQy9BvVQNp1fKNT.cs Security API names: _0020.AddAccessRule
Source: classification engine Classification label: mal100.troj.evad.winBAT@10/4@0/0
Source: C:\Users\user\AppData\Local\Temp\x.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\x.exe.log
Source: C:\Users\user\AppData\Local\Temp\x.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1408:120:WilError_03
Source: C:\Windows\System32\cmd.exe File created: C:\Users\user\AppData\Local\Temp\x
Source: unknown Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\FS001_ DT103024.bat" "
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cscript.exe cscript //nologo C:\Users\user\AppData\Local\Temp\x.vbs
Source: C:\Windows\System32\cscript.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: cscript.exe, 00000004.00000003.2176193904.000002436179B000.00000004.00000020.00020000.00000000.sdmp, cscript.exe, 00000004.00000003.2177870963.000002435E934000.00000004.00000020.00020000.00000000.sdmp, cscript.exe, 00000004.00000003.2177328526.0000024360E31000.00000004.00000020.00020000.00000000.sdmp, cscript.exe, 00000004.00000003.2177390906.0000024361791000.00000004.00000020.00020000.00000000.sdmp, x.exe, 00000005.00000000.2179902047.0000000000702000.00000002.00000001.01000000.00000005.sdmp, x.exe.4.dr Binary or memory string: INSERT INTO Service (CustomerId, Active, Date) VALUES (@customerId, '1', @date);
Source: cscript.exe, 00000004.00000003.2176193904.000002436179B000.00000004.00000020.00020000.00000000.sdmp, cscript.exe, 00000004.00000003.2177870963.000002435E934000.00000004.00000020.00020000.00000000.sdmp, cscript.exe, 00000004.00000003.2177328526.0000024360E31000.00000004.00000020.00020000.00000000.sdmp, cscript.exe, 00000004.00000003.2177390906.0000024361791000.00000004.00000020.00020000.00000000.sdmp, x.exe, 00000005.00000000.2179902047.0000000000702000.00000002.00000001.01000000.00000005.sdmp, x.exe.4.dr Binary or memory string: SELECT COUNT(*) FROM Service WHERE (Active LIKE '1') AND (CustomerId = @id);
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\findstr.exe findstr /e "'v" "C:\Users\user\Desktop\FS001_ DT103024.bat"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cscript.exe cscript //nologo C:\Users\user\AppData\Local\Temp\x.vbs
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\x.exe C:\Users\user\AppData\Local\Temp\x.exe
Source: C:\Users\user\AppData\Local\Temp\x.exe Process created: C:\Users\user\AppData\Local\Temp\x.exe "C:\Users\user\AppData\Local\Temp\x.exe"
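The process creations above are the whole infection chain in four command lines: cmd.exe runs the batch file, findstr carves the script stage, cscript runs x.vbs out of Temp, cmd.exe starts the dropped x.exe from Temp, and x.exe starts a second copy of itself. The Sigma rules the report names (script interpreter execution from a suspicious folder, script execution from Temp, WScript/CScript dropper) key on exactly these parent/child and path relationships. The Python below is an added example, not code from the report, that encodes those checks and runs them over process-creation records constructed from the command lines above; the record fields (pid, ppid, image, cmdline) are an assumption standing in for a Sysmon Event ID 1 or EDR process-create event, and the pids are arbitrary.

```python
"""Flag the bat -> cscript -> Temp EXE -> self-spawn chain from process events.

Added example; not code from the report or the sample. EVENTS is constructed
from the command lines in the report; the Proc fields are an assumption
standing in for a Sysmon EID 1 / EDR process-create record.
"""
import ntpath
import re
from dataclasses import dataclass

SCRIPT_HOSTS = {"cscript.exe", "wscript.exe"}
USER_WRITABLE = re.compile(r"\\(AppData\\Local\\Temp|Users\\Public|ProgramData)\\", re.I)
SCRIPT_ARG = re.compile(
    r'"([^"]+?\.(?:vbs|vbe|js|jse|wsf|wsh))"|(\S+\.(?:vbs|vbe|js|jse|wsf|wsh))\b', re.I)

@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    image: str
    cmdline: str

def findings(events: list[Proc]) -> list[tuple[int, str]]:
    """Return (pid, rule) pairs for every rule that fires on the event set."""
    by_pid = {e.pid: e for e in events}
    out: list[tuple[int, str]] = []
    for e in events:
        name = ntpath.basename(e.image).lower()
        parent = by_pid.get(e.ppid)
        pname = ntpath.basename(parent.image).lower() if parent else ""
        if name in SCRIPT_HOSTS:
            # Script host run against a script that lives in a user-writable folder
            m = SCRIPT_ARG.search(e.cmdline)
            script = (m.group(1) or m.group(2)) if m else ""
            if script and USER_WRITABLE.search(script):
                out.append((e.pid, "script_interpreter_suspicious_folder"))
            # cmd.exe spawning the script host: the dropper shape seen here
            if pname == "cmd.exe":
                out.append((e.pid, "wscript_cscript_dropper"))
        elif USER_WRITABLE.search(e.image):
            # Any other executable started from Temp or a similar folder
            out.append((e.pid, "exec_from_user_writable"))
        # The same image spawning itself, the usual prelude to hollowing the child
        if parent and parent.image.lower() == e.image.lower():
            out.append((e.pid, "self_spawn"))
    return out

# Constructed records; command lines copied from the report, pids arbitrary.
EVENTS = [
    Proc(1000, 1, r"C:\Windows\System32\cmd.exe",
         r'C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\FS001_ DT103024.bat" "'),
    Proc(1001, 1000, r"C:\Windows\System32\conhost.exe",
         r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"),
    Proc(1002, 1000, r"C:\Windows\System32\findstr.exe",
         r'''findstr /e "'v" "C:\Users\user\Desktop\FS001_ DT103024.bat"'''),
    Proc(1003, 1000, r"C:\Windows\System32\cscript.exe",
         r"cscript //nologo C:\Users\user\AppData\Local\Temp\x.vbs"),
    Proc(1004, 1000, r"C:\Users\user\AppData\Local\Temp\x.exe",
         r"C:\Users\user\AppData\Local\Temp\x.exe"),
    Proc(1005, 1004, r"C:\Users\user\AppData\Local\Temp\x.exe",
         r'"C:\Users\user\AppData\Local\Temp\x.exe"'),
]

if __name__ == "__main__":
    for pid, rule in findings(EVENTS):
        print(pid, rule)
```

A cscript run from System32 against a script under Windows produces no finding, so the rules stay quiet on the common administrative use of the script host; the Temp-folder conditions carry the signal, not the interpreter itself.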
Source: C:\Windows\System32\cmd.exe Section loaded: cmdext.dll
Source: C:\Windows\System32\cmd.exe Section loaded: apphelp.dll
Source: C:\Windows\System32\cscript.exe Section loaded: version.dll
Source: C:\Windows\System32\cscript.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\cscript.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\cscript.exe Section loaded: sxs.dll
Source: C:\Windows\System32\cscript.exe Section loaded: vbscript.dll
Source: C:\Windows\System32\cscript.exe Section loaded: amsi.dll
Source: C:\Windows\System32\cscript.exe Section loaded: userenv.dll
Source: C:\Windows\System32\cscript.exe Section loaded: profapi.dll
Source: C:\Windows\System32\cscript.exe Section loaded: wldp.dll
Source: C:\Windows\System32\cscript.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\cscript.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\cscript.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\cscript.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\cscript.exe Section loaded: msisip.dll
Source: C:\Windows\System32\cscript.exe Section loaded: wshext.dll
Source: C:\Windows\System32\cscript.exe Section loaded: scrobj.dll
Source: C:\Windows\System32\cscript.exe Section loaded: scrrun.dll
Source: C:\Windows\System32\cscript.exe Section loaded: msxml3.dll
Source: C:\Windows\System32\cscript.exe Section loaded: msdart.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: iconcodecservice.dll
Source: C:\Windows\System32\cscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\AppData\Local\Temp\x.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: FS001_ DT103024.bat Static file information: File size 1405358 > 1048576

Data Obfuscation

Source: 5.2.x.exe.45517f0.2.raw.unpack, Iq9ZQy9BvVQNp1fKNT.cs .Net Code: TCbCVi3Wsb System.Reflection.Assembly.Load(byte[])
Source: 5.2.x.exe.6f30000.4.raw.unpack, XlF5VlCIHRSQX8M5eh.cs .Net Code: _200C_200C_202D_206C_200B_206A_206D_200B_200D_200C_202D_206A_206D_202A_206A_206B_202B_206C_202D_200B_202E_202B_202A_206C_206A_206D_202D_206B_206D_206B_200D_202B_202D_206C_206F_206C_200B_202B_206A_206D_202E System.Reflection.Assembly.Load(byte[])
Source: 5.2.x.exe.45d9c10.3.raw.unpack, Iq9ZQy9BvVQNp1fKNT.cs .Net Code: TCbCVi3Wsb System.Reflection.Assembly.Load(byte[])
Source: 5.2.x.exe.7ce0000.5.raw.unpack, Iq9ZQy9BvVQNp1fKNT.cs .Net Code: TCbCVi3Wsb System.Reflection.Assembly.Load(byte[])
Source: 5.2.x.exe.3ae5ab0.1.raw.unpack, XlF5VlCIHRSQX8M5eh.cs .Net Code: _200C_200C_202D_206C_200B_206A_206D_200B_200D_200C_202D_206A_206D_202A_206A_206B_202B_206C_202D_200B_202E_202B_202A_206C_206A_206D_202D_206B_206D_206B_200D_202B_202D_206C_206F_206C_200B_202B_206A_206D_202E System.Reflection.Assembly.Load(byte[])
Source: 5.2.x.exe.3b05ad0.0.raw.unpack, XlF5VlCIHRSQX8M5eh.cs .Net Code: _200C_200C_202D_206C_200B_206A_206D_200B_200D_200C_202D_206A_206D_202A_206A_206B_202B_206C_202D_200B_202E_202B_202A_206C_206A_206D_202D_206B_206D_206B_200D_202B_202D_206C_206F_206C_200B_202B_206A_206D_202E System.Reflection.Assembly.Load(byte[])
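The method names in the `.Net Code` lines above are printed in the decompiler's escaped form, where each `_XXXX` token stands for one UTF-16 code unit that is not a legal C# identifier character. The code points listed (U+200B, U+200C, U+200D, U+202A to U+202E, U+206A to U+206F) are all Unicode format characters (general category Cf), so the real identifier renders as an empty or invisible string and the only readable part of the method is the `Assembly.Load(byte[])` call it wraps, the usual shape of a .NET loader that unpacks the next stage from a byte array. The Python below is an added example, not code from the report, that decodes such an escaped name and flags identifiers made entirely of non-rendering characters; the `_XXXX` convention is taken from the names as printed and is assumed to hold for the rest of the decompiled output.

```python
"""Decode decompiler-escaped .NET identifiers and flag invisible-character names.

Added example, not the report's code. Names such as _200C_202D_... are the
escaped form printed in the report; each hex group is one UTF-16 code unit.
"""
import re
import unicodedata

ESCAPED = re.compile(r"^(?:_[0-9A-Fa-f]{4})+$")
# General categories that do not render as a visible glyph: format, control,
# private use, unassigned, and the space/line/paragraph separators.
INVISIBLE = {"Cf", "Cc", "Co", "Cn", "Zs", "Zl", "Zp"}

def decode_escaped(name: str) -> str:
    """Turn _200C_202D into the string of code points it encodes.
    Names that are not in the escaped form are returned unchanged."""
    if not ESCAPED.match(name):
        return name
    return "".join(chr(int(h, 16)) for h in name.split("_")[1:])

def classify(name: str) -> dict:
    """Report how much of an identifier is made of non-rendering characters.
    'suspicious' is set only when every character is invisible, which no
    compiler emits for human-written source."""
    decoded = decode_escaped(name)
    cats = [unicodedata.category(ch) for ch in decoded]
    invisible = sum(c in INVISIBLE for c in cats)
    return {
        "decoded_len": len(decoded),
        "invisible_ratio": invisible / len(decoded) if decoded else 0.0,
        "categories": sorted(set(cats)),
        "suspicious": bool(decoded) and invisible == len(decoded),
    }

# Name copied from the report's Data Obfuscation section.
REPORT_NAME = ("_200C_200C_202D_206C_200B_206A_206D_200B_200D_200C_202D_206A_206D_202A"
               "_206A_206B_202B_206C_202D_200B_202E_202B_202A_206C_206A_206D_202D_206B"
               "_206D_206B_200D_202B_202D_206C_206F_206C_200B_202B_206A_206D_202E")

if __name__ == "__main__":
    for n in (REPORT_NAME, "TCbCVi3Wsb", "_0041_0042"):
        print(n[:24], classify(n))
```

The short random-looking names in the other loader (`TCbCVi3Wsb`, `Iq9ZQy9BvVQNp1fKNT`) are ordinary letters and digits and classify as benign here; the invisible-identifier check is a cheap first filter, and the Assembly.Load(byte[]) call site is the thing to hook or break on when unpacking the next stage.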
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 5_2_06F60882 push es; ret 5_2_06F60890
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 5_2_06F8B79E push B9FFFFFFh; retf 5_2_06F8B7A3
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 5_2_06F917AD push FFFFFF8Fh; retf 5_2_06F917B4
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 5_2_06F90A8E pushfd ; retf 5_2_06F90A8F
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 5_2_06F90B02 pushfd ; retf 5_2_06F90B03
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 5_2_06F94910 push eax; ret 5_2_06F9491D
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 5_2_07D727E1 push esp; retf 5_2_07D727ED
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_0040D877 push FE6D4712h; iretd 7_2_0040D8ED
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_0040D836 push FE6D4712h; iretd 7_2_0040D8ED
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_0041A8CB push eax; retf 7_2_0041A8CC
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_004071E9 push es; retf 7_2_004071FD
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_0041F19C push edi; iretd 7_2_0041F19F
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_00404A73 push esi; ret 7_2_00404A7E
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_00403230 push eax; ret 7_2_00403232
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_00404AC7 push edi; ret 7_2_00404AD4
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_00412349 push edi; retf 7_2_0041235F
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_00412353 push edi; retf 7_2_0041235F
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_0040738B push cs; retf 7_2_0040738F
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_0041ED3E push ss; ret 7_2_0041ED3F
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_013AB008 push es; iretd 7_2_013AB009
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_013A225F pushad ; ret 7_2_013A27F9
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_013A27FA pushad ; ret 7_2_013A27F9
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_013A9939 push es; iretd 7_2_013A9940
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_013D09AD push ecx; mov dword ptr [esp], ecx 7_2_013D09B6
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_013A283D push eax; iretd 7_2_013A2858
Source: x.exe.4.dr Static PE information: section name: .text entropy: 7.736981568251297
Source: 5.2.x.exe.45517f0.2.raw.unpack, tyg1AJVRc3lAfFSla6.cs High entropy of concatenated method names: 'MRVIE49fbR', 'kqAIWeNwSt', 'JmiI7P85tg', 'wddIQa6lmb', 'r1YIOxHc5W', 'oeyI4ITfC3', 'AffIdkrtCQ', 'Ou4I6wiaG4', 'gR5Ifx61nr', 'h80IiLyFST'
Source: 5.2.x.exe.45517f0.2.raw.unpack, qvPCtU5v1i683AMkq5.cs High entropy of concatenated method names: 'Ka9F5bw7OP', 'IFHFHC4XWb', 'LyiF9ouKmN', 'DYB91n4AdF', 'Vwr9zIZNsb', 'nd5FuAyflG', 'rdeFv6KdBk', 'EhYFbksSec', 'S5IFJM8Mrx', 'lBOFCUqUxM'
Source: 5.2.x.exe.45517f0.2.raw.unpack, qQHIUfkqHkckfCGc3EH.cs High entropy of concatenated method names: 'IfCelZTqNn', 'EF1eXYpicv', 'o1teVl66aR', 'tb5eaSA5mN', 'xiBey8Z2AE', 'BmbeUkdS2b', 'xrterCZtBS', 'HQVepadR62', 'efQeRrED1n', 'uQJePUrBkv'
Source: 5.2.x.exe.45517f0.2.raw.unpack, Gb17w0T0wA9mVSBeuJ.cs High entropy of concatenated method names: 'nK69S00FJQ', 'HA09smh45Z', 'kAw9KN673M', 'JTC9FPJ1cI', 'wsp93aSqk0', 'ypjKTcas1x', 'Oa6KBhbPvm', 'o2IKDVkATH', 'EEuK0PuZlu', 'o28KcNmrTH'
Source: 5.2.x.exe.45517f0.2.raw.unpack, G9296xsYpuxFhFvQZi.cs High entropy of concatenated method names: 'Dispose', 'xF9vcg5fy0', 'HLmbOGZqfu', 'bLy22mggGL', 'GoZv1HgFYO', 'cOlvz0OWQ3', 'ProcessDialogKey', 'tNvbu6UAqb', 'NPabvbEQbD', 'c7sbbemMbC'
Source: 5.2.x.exe.45517f0.2.raw.unpack, mFJ92nZUGIWZd0yGov.cs High entropy of concatenated method names: 'ToString', 'bhZZhTRB5y', 'kRbZOxFp1N', 'YRRZ4FJ9eH', 'bVVZdjCWJi', 'J5QZ6WPrPx', 'OU3ZfI3h2X', 'SQ1ZioPxwX', 'BebZMxNJUO', 'UtKZqjyN9I'
Source: 5.2.x.exe.45517f0.2.raw.unpack, Q3JIIfB5ewGdb036pH.cs High entropy of concatenated method names: 'sXVFlGKfqH', 'U0vFXbEDOw', 'CERFV9FwVE', 'FvOFa9T1em', 'xuBFyDOwFJ', 'fgsFU5UyLE', 'QkkFr7ZfJg', 'QlRFpkerpQ', 'yTLFRkoWHG', 'D5oFPTMyfT'
Source: 5.2.x.exe.45517f0.2.raw.unpack, qWodHXM6bcYeEUK7Kb.cs High entropy of concatenated method names: 'VVbo0xbpLV', 'jAJo1SvYwX', 'mQfGuBuaBY', 'sofGvF5l6m', 'KhaohvA7mq', 'lI6oW8Zlc7', 'UqIoYRQFdq', 'Ftvo7qDLE9', 'ONdoQMkPLD', 'Hx6omPQyGn'
Source: 5.2.x.exe.45517f0.2.raw.unpack, cOV6GdkH8mVWMDomBbq.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'vyGn7hed8x', 'KZ8nQQnu6W', 'OBonmeJoGy', 'xpWn8E3mPF', 'amFnTK6hee', 's5bnBwErnk', 'aLKnD3G2M6'
Source: 5.2.x.exe.45517f0.2.raw.unpack, woDxRIpElIEKfjvhS7.cs High entropy of concatenated method names: 'IoAKyt1duO', 'dGjKrykRLt', 'AesH4vVr4f', 'ofOHd3nBWT', 'zTKH6HyZgt', 'ogmHfrcHZQ', 'thPHiTOA9B', 'XfoHMW6J29', 'UEKHqVqy98', 'bTiHEiqrY8'
Source: 5.2.x.exe.45517f0.2.raw.unpack, zYYKOJAWCGC8XTqj1s.cs High entropy of concatenated method names: 'cQrLpKaZyZ', 'gETLR4A3OV', 'alJLAYQcmU', 'kcuLODbpgE', 'hYOLdocCFV', 'ToJL6a9LgE', 'Eo6LiFMOZd', 'Mn1LM4n6Se', 'jIdLEeoJ9U', 'vbWLhOUPsI'
Source: 5.2.x.exe.45517f0.2.raw.unpack, iqslocnQKfRotlO4Ia.cs High entropy of concatenated method names: 'R48G5q0bQl', 'Lc2GslGXeM', 'FNUGHfSC0V', 'IjEGKv7FnW', 'w7VG9VT2PN', 'vuXGFRZByo', 'kpEG344bIe', 'a9vGjpVV5X', 'FsdGg4ga8R', 'xebGNdJIKO'
Source: 5.2.x.exe.45517f0.2.raw.unpack, tmUVgUD8XWmg4UU1HL.cs High entropy of concatenated method names: 'UccGA6h6Ru', 'vCAGOqSRP8', 'lgMG4Kkf3v', 'vr5GdWll3A', 'aJFG7YErQM', 'vomG6j73O6', 'Next', 'Next', 'Next', 'NextBytes'
Source: 5.2.x.exe.45517f0.2.raw.unpack, P1KjSS8EMJ4Zj3i9oP.cs High entropy of concatenated method names: 'Oa4Vg2mKJ', 'MWXaWW78h', 'a9NUBI3pF', 'jONr6tJH9', 'lWBRQrnGy', 'sx9Py3sM6', 'tkHbyPs18qO6nIC2ym', 'M7u0NxyyYqNeL44JNC', 'y1NGpMwj9', 'q6lnyeVoM'
Source: 5.2.x.exe.45517f0.2.raw.unpack, Ldm2CSOPWLn1JUAKg7.cs High entropy of concatenated method names: 'PlDHa8T03d', 'ewiHU8bSpj', 'nE9HpBRxEP', 'Hp6HR1LUDI', 'eXfHII0fXS', 'NGsHZQRNCJ', 'LPmHonEoLr', 'nDuHGnlJtH', 'OarHejLPG7', 'BW4HnmDWZJ'
Source: 5.2.x.exe.45517f0.2.raw.unpack, Iq9ZQy9BvVQNp1fKNT.cs High entropy of concatenated method names: 'O4iJS6krbE', 'YWUJ5uN6BT', 'FXRJsSCvO0', 'S7eJH2gv5F', 'TMEJK3WmX3', 'liGJ9Nm0qh', 'wGDJFoecf7', 'eOKJ3foQxd', 'eOhJj25pC2', 'vxeJg9mVaQ'
Source: 5.2.x.exe.45517f0.2.raw.unpack, D0p1NKPVj9ucY2Qm8F.cs High entropy of concatenated method names: 'qaDvFICns7', 'JsEv3Ajh7c', 'lT1vgTYidi', 'cpmvNL6d6L', 'gSKvIE4I8P', 'lhevZ64vux', 'U2IfjrQUyiwX46rjll', 'u4TQBvUO9NdovsZNV3', 'UQhvvZwDQu', 'O1fvJxOkDH'
Source: 5.2.x.exe.45517f0.2.raw.unpack, z6oiKCyaK2NEMrrIhH.cs High entropy of concatenated method names: 'HVpev8UT4Z', 'fHoeJneEle', 'rLOeCNpPhj', 'wIde5ySMSb', 'Nb0esYOj60', 'EhDeKAjJ6R', 'bqme9Qx0Nd', 'yDeGD1ldIN', 'L0aG0MVP8y', 'UaeGctI9wl'
Source: 5.2.x.exe.45517f0.2.raw.unpack, dMn7Q7mEsppOh0xjvJ.cs High entropy of concatenated method names: 'IXMs7TDYo5', 'qmKsQ7w07K', 'mW8smme9x8', 'YHds8eIGAt', 'vpOsTISWTy', 'yxpsBMtpbS', 'NcmsDIcWTh', 'FUYs0FQJs6', 'vsqscKUklf', 'EXFs1gJjS7'
Source: 5.2.x.exe.45517f0.2.raw.unpack, nJ8tJ5aNcG8so8TN18.cs High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'FVbbcT7LGQ', 'uodb1FY2qp', 'I9sbztNVq5', 'onBJuvCHAp', 'GESJvvljer', 'wDgJbYm1Uv', 'B0lJJXrWtq', 'TRcRM3Zi8QX3NDOnAUb'
Source: 5.2.x.exe.45d9c10.3.raw.unpack, tyg1AJVRc3lAfFSla6.cs High entropy of concatenated method names: 'MRVIE49fbR', 'kqAIWeNwSt', 'JmiI7P85tg', 'wddIQa6lmb', 'r1YIOxHc5W', 'oeyI4ITfC3', 'AffIdkrtCQ', 'Ou4I6wiaG4', 'gR5Ifx61nr', 'h80IiLyFST'
Source: 5.2.x.exe.45d9c10.3.raw.unpack, qvPCtU5v1i683AMkq5.cs High entropy of concatenated method names: 'Ka9F5bw7OP', 'IFHFHC4XWb', 'LyiF9ouKmN', 'DYB91n4AdF', 'Vwr9zIZNsb', 'nd5FuAyflG', 'rdeFv6KdBk', 'EhYFbksSec', 'S5IFJM8Mrx', 'lBOFCUqUxM'
Source: 5.2.x.exe.45d9c10.3.raw.unpack, qQHIUfkqHkckfCGc3EH.cs High entropy of concatenated method names: 'IfCelZTqNn', 'EF1eXYpicv', 'o1teVl66aR', 'tb5eaSA5mN', 'xiBey8Z2AE', 'BmbeUkdS2b', 'xrterCZtBS', 'HQVepadR62', 'efQeRrED1n', 'uQJePUrBkv'
Source: 5.2.x.exe.45d9c10.3.raw.unpack, Gb17w0T0wA9mVSBeuJ.cs High entropy of concatenated method names: 'nK69S00FJQ', 'HA09smh45Z', 'kAw9KN673M', 'JTC9FPJ1cI', 'wsp93aSqk0', 'ypjKTcas1x', 'Oa6KBhbPvm', 'o2IKDVkATH', 'EEuK0PuZlu', 'o28KcNmrTH'
Source: 5.2.x.exe.45d9c10.3.raw.unpack, G9296xsYpuxFhFvQZi.cs High entropy of concatenated method names: 'Dispose', 'xF9vcg5fy0', 'HLmbOGZqfu', 'bLy22mggGL', 'GoZv1HgFYO', 'cOlvz0OWQ3', 'ProcessDialogKey', 'tNvbu6UAqb', 'NPabvbEQbD', 'c7sbbemMbC'
Source: 5.2.x.exe.45d9c10.3.raw.unpack, mFJ92nZUGIWZd0yGov.cs High entropy of concatenated method names: 'ToString', 'bhZZhTRB5y', 'kRbZOxFp1N', 'YRRZ4FJ9eH', 'bVVZdjCWJi', 'J5QZ6WPrPx', 'OU3ZfI3h2X', 'SQ1ZioPxwX', 'BebZMxNJUO', 'UtKZqjyN9I'
Source: 5.2.x.exe.45d9c10.3.raw.unpack, Q3JIIfB5ewGdb036pH.cs High entropy of concatenated method names: 'sXVFlGKfqH', 'U0vFXbEDOw', 'CERFV9FwVE', 'FvOFa9T1em', 'xuBFyDOwFJ', 'fgsFU5UyLE', 'QkkFr7ZfJg', 'QlRFpkerpQ', 'yTLFRkoWHG', 'D5oFPTMyfT'
Source: 5.2.x.exe.45d9c10.3.raw.unpack, qWodHXM6bcYeEUK7Kb.cs High entropy of concatenated method names: 'VVbo0xbpLV', 'jAJo1SvYwX', 'mQfGuBuaBY', 'sofGvF5l6m', 'KhaohvA7mq', 'lI6oW8Zlc7', 'UqIoYRQFdq', 'Ftvo7qDLE9', 'ONdoQMkPLD', 'Hx6omPQyGn'
Source: 5.2.x.exe.45d9c10.3.raw.unpack, cOV6GdkH8mVWMDomBbq.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'vyGn7hed8x', 'KZ8nQQnu6W', 'OBonmeJoGy', 'xpWn8E3mPF', 'amFnTK6hee', 's5bnBwErnk', 'aLKnD3G2M6'
Source: 5.2.x.exe.45d9c10.3.raw.unpack, woDxRIpElIEKfjvhS7.cs High entropy of concatenated method names: 'IoAKyt1duO', 'dGjKrykRLt', 'AesH4vVr4f', 'ofOHd3nBWT', 'zTKH6HyZgt', 'ogmHfrcHZQ', 'thPHiTOA9B', 'XfoHMW6J29', 'UEKHqVqy98', 'bTiHEiqrY8'
Source: 5.2.x.exe.45d9c10.3.raw.unpack, zYYKOJAWCGC8XTqj1s.cs High entropy of concatenated method names: 'cQrLpKaZyZ', 'gETLR4A3OV', 'alJLAYQcmU', 'kcuLODbpgE', 'hYOLdocCFV', 'ToJL6a9LgE', 'Eo6LiFMOZd', 'Mn1LM4n6Se', 'jIdLEeoJ9U', 'vbWLhOUPsI'
Source: 5.2.x.exe.45d9c10.3.raw.unpack, iqslocnQKfRotlO4Ia.cs High entropy of concatenated method names: 'R48G5q0bQl', 'Lc2GslGXeM', 'FNUGHfSC0V', 'IjEGKv7FnW', 'w7VG9VT2PN', 'vuXGFRZByo', 'kpEG344bIe', 'a9vGjpVV5X', 'FsdGg4ga8R', 'xebGNdJIKO'
Source: 5.2.x.exe.45d9c10.3.raw.unpack, tmUVgUD8XWmg4UU1HL.cs High entropy of concatenated method names: 'UccGA6h6Ru', 'vCAGOqSRP8', 'lgMG4Kkf3v', 'vr5GdWll3A', 'aJFG7YErQM', 'vomG6j73O6', 'Next', 'Next', 'Next', 'NextBytes'
Source: 5.2.x.exe.45d9c10.3.raw.unpack, P1KjSS8EMJ4Zj3i9oP.cs High entropy of concatenated method names: 'Oa4Vg2mKJ', 'MWXaWW78h', 'a9NUBI3pF', 'jONr6tJH9', 'lWBRQrnGy', 'sx9Py3sM6', 'tkHbyPs18qO6nIC2ym', 'M7u0NxyyYqNeL44JNC', 'y1NGpMwj9', 'q6lnyeVoM'
Source: 5.2.x.exe.45d9c10.3.raw.unpack, Ldm2CSOPWLn1JUAKg7.cs High entropy of concatenated method names: 'PlDHa8T03d', 'ewiHU8bSpj', 'nE9HpBRxEP', 'Hp6HR1LUDI', 'eXfHII0fXS', 'NGsHZQRNCJ', 'LPmHonEoLr', 'nDuHGnlJtH', 'OarHejLPG7', 'BW4HnmDWZJ'
Source: 5.2.x.exe.45d9c10.3.raw.unpack, Iq9ZQy9BvVQNp1fKNT.cs High entropy of concatenated method names: 'O4iJS6krbE', 'YWUJ5uN6BT', 'FXRJsSCvO0', 'S7eJH2gv5F', 'TMEJK3WmX3', 'liGJ9Nm0qh', 'wGDJFoecf7', 'eOKJ3foQxd', 'eOhJj25pC2', 'vxeJg9mVaQ'
Source: 5.2.x.exe.45d9c10.3.raw.unpack, D0p1NKPVj9ucY2Qm8F.cs High entropy of concatenated method names: 'qaDvFICns7', 'JsEv3Ajh7c', 'lT1vgTYidi', 'cpmvNL6d6L', 'gSKvIE4I8P', 'lhevZ64vux', 'U2IfjrQUyiwX46rjll', 'u4TQBvUO9NdovsZNV3', 'UQhvvZwDQu', 'O1fvJxOkDH'
Source: 5.2.x.exe.45d9c10.3.raw.unpack, z6oiKCyaK2NEMrrIhH.cs High entropy of concatenated method names: 'HVpev8UT4Z', 'fHoeJneEle', 'rLOeCNpPhj', 'wIde5ySMSb', 'Nb0esYOj60', 'EhDeKAjJ6R', 'bqme9Qx0Nd', 'yDeGD1ldIN', 'L0aG0MVP8y', 'UaeGctI9wl'
Source: 5.2.x.exe.45d9c10.3.raw.unpack, dMn7Q7mEsppOh0xjvJ.cs High entropy of concatenated method names: 'IXMs7TDYo5', 'qmKsQ7w07K', 'mW8smme9x8', 'YHds8eIGAt', 'vpOsTISWTy', 'yxpsBMtpbS', 'NcmsDIcWTh', 'FUYs0FQJs6', 'vsqscKUklf', 'EXFs1gJjS7'
Source: 5.2.x.exe.45d9c10.3.raw.unpack, nJ8tJ5aNcG8so8TN18.cs High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'FVbbcT7LGQ', 'uodb1FY2qp', 'I9sbztNVq5', 'onBJuvCHAp', 'GESJvvljer', 'wDgJbYm1Uv', 'B0lJJXrWtq', 'TRcRM3Zi8QX3NDOnAUb'
Source: 5.2.x.exe.7ce0000.5.raw.unpack, tyg1AJVRc3lAfFSla6.cs High entropy of concatenated method names: 'MRVIE49fbR', 'kqAIWeNwSt', 'JmiI7P85tg', 'wddIQa6lmb', 'r1YIOxHc5W', 'oeyI4ITfC3', 'AffIdkrtCQ', 'Ou4I6wiaG4', 'gR5Ifx61nr', 'h80IiLyFST'
Source: 5.2.x.exe.7ce0000.5.raw.unpack, qvPCtU5v1i683AMkq5.cs High entropy of concatenated method names: 'Ka9F5bw7OP', 'IFHFHC4XWb', 'LyiF9ouKmN', 'DYB91n4AdF', 'Vwr9zIZNsb', 'nd5FuAyflG', 'rdeFv6KdBk', 'EhYFbksSec', 'S5IFJM8Mrx', 'lBOFCUqUxM'
Source: 5.2.x.exe.7ce0000.5.raw.unpack, qQHIUfkqHkckfCGc3EH.cs High entropy of concatenated method names: 'IfCelZTqNn', 'EF1eXYpicv', 'o1teVl66aR', 'tb5eaSA5mN', 'xiBey8Z2AE', 'BmbeUkdS2b', 'xrterCZtBS', 'HQVepadR62', 'efQeRrED1n', 'uQJePUrBkv'
Source: 5.2.x.exe.7ce0000.5.raw.unpack, Gb17w0T0wA9mVSBeuJ.cs High entropy of concatenated method names: 'nK69S00FJQ', 'HA09smh45Z', 'kAw9KN673M', 'JTC9FPJ1cI', 'wsp93aSqk0', 'ypjKTcas1x', 'Oa6KBhbPvm', 'o2IKDVkATH', 'EEuK0PuZlu', 'o28KcNmrTH'
Source: 5.2.x.exe.7ce0000.5.raw.unpack, G9296xsYpuxFhFvQZi.cs High entropy of concatenated method names: 'Dispose', 'xF9vcg5fy0', 'HLmbOGZqfu', 'bLy22mggGL', 'GoZv1HgFYO', 'cOlvz0OWQ3', 'ProcessDialogKey', 'tNvbu6UAqb', 'NPabvbEQbD', 'c7sbbemMbC'
Source: 5.2.x.exe.7ce0000.5.raw.unpack, mFJ92nZUGIWZd0yGov.cs High entropy of concatenated method names: 'ToString', 'bhZZhTRB5y', 'kRbZOxFp1N', 'YRRZ4FJ9eH', 'bVVZdjCWJi', 'J5QZ6WPrPx', 'OU3ZfI3h2X', 'SQ1ZioPxwX', 'BebZMxNJUO', 'UtKZqjyN9I'
Source: 5.2.x.exe.7ce0000.5.raw.unpack, Q3JIIfB5ewGdb036pH.cs High entropy of concatenated method names: 'sXVFlGKfqH', 'U0vFXbEDOw', 'CERFV9FwVE', 'FvOFa9T1em', 'xuBFyDOwFJ', 'fgsFU5UyLE', 'QkkFr7ZfJg', 'QlRFpkerpQ', 'yTLFRkoWHG', 'D5oFPTMyfT'
Source: 5.2.x.exe.7ce0000.5.raw.unpack, qWodHXM6bcYeEUK7Kb.cs High entropy of concatenated method names: 'VVbo0xbpLV', 'jAJo1SvYwX', 'mQfGuBuaBY', 'sofGvF5l6m', 'KhaohvA7mq', 'lI6oW8Zlc7', 'UqIoYRQFdq', 'Ftvo7qDLE9', 'ONdoQMkPLD', 'Hx6omPQyGn'
Source: 5.2.x.exe.7ce0000.5.raw.unpack, cOV6GdkH8mVWMDomBbq.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'vyGn7hed8x', 'KZ8nQQnu6W', 'OBonmeJoGy', 'xpWn8E3mPF', 'amFnTK6hee', 's5bnBwErnk', 'aLKnD3G2M6'
Source: 5.2.x.exe.7ce0000.5.raw.unpack, woDxRIpElIEKfjvhS7.cs High entropy of concatenated method names: 'IoAKyt1duO', 'dGjKrykRLt', 'AesH4vVr4f', 'ofOHd3nBWT', 'zTKH6HyZgt', 'ogmHfrcHZQ', 'thPHiTOA9B', 'XfoHMW6J29', 'UEKHqVqy98', 'bTiHEiqrY8'
Source: 5.2.x.exe.7ce0000.5.raw.unpack, zYYKOJAWCGC8XTqj1s.cs High entropy of concatenated method names: 'cQrLpKaZyZ', 'gETLR4A3OV', 'alJLAYQcmU', 'kcuLODbpgE', 'hYOLdocCFV', 'ToJL6a9LgE', 'Eo6LiFMOZd', 'Mn1LM4n6Se', 'jIdLEeoJ9U', 'vbWLhOUPsI'
Source: 5.2.x.exe.7ce0000.5.raw.unpack, iqslocnQKfRotlO4Ia.cs High entropy of concatenated method names: 'R48G5q0bQl', 'Lc2GslGXeM', 'FNUGHfSC0V', 'IjEGKv7FnW', 'w7VG9VT2PN', 'vuXGFRZByo', 'kpEG344bIe', 'a9vGjpVV5X', 'FsdGg4ga8R', 'xebGNdJIKO'
Source: 5.2.x.exe.7ce0000.5.raw.unpack, tmUVgUD8XWmg4UU1HL.cs High entropy of concatenated method names: 'UccGA6h6Ru', 'vCAGOqSRP8', 'lgMG4Kkf3v', 'vr5GdWll3A', 'aJFG7YErQM', 'vomG6j73O6', 'Next', 'Next', 'Next', 'NextBytes'
Source: 5.2.x.exe.7ce0000.5.raw.unpack, P1KjSS8EMJ4Zj3i9oP.cs High entropy of concatenated method names: 'Oa4Vg2mKJ', 'MWXaWW78h', 'a9NUBI3pF', 'jONr6tJH9', 'lWBRQrnGy', 'sx9Py3sM6', 'tkHbyPs18qO6nIC2ym', 'M7u0NxyyYqNeL44JNC', 'y1NGpMwj9', 'q6lnyeVoM'
Source: 5.2.x.exe.7ce0000.5.raw.unpack, Ldm2CSOPWLn1JUAKg7.cs High entropy of concatenated method names: 'PlDHa8T03d', 'ewiHU8bSpj', 'nE9HpBRxEP', 'Hp6HR1LUDI', 'eXfHII0fXS', 'NGsHZQRNCJ', 'LPmHonEoLr', 'nDuHGnlJtH', 'OarHejLPG7', 'BW4HnmDWZJ'
Source: 5.2.x.exe.7ce0000.5.raw.unpack, Iq9ZQy9BvVQNp1fKNT.cs High entropy of concatenated method names: 'O4iJS6krbE', 'YWUJ5uN6BT', 'FXRJsSCvO0', 'S7eJH2gv5F', 'TMEJK3WmX3', 'liGJ9Nm0qh', 'wGDJFoecf7', 'eOKJ3foQxd', 'eOhJj25pC2', 'vxeJg9mVaQ'
Source: 5.2.x.exe.7ce0000.5.raw.unpack, D0p1NKPVj9ucY2Qm8F.cs High entropy of concatenated method names: 'qaDvFICns7', 'JsEv3Ajh7c', 'lT1vgTYidi', 'cpmvNL6d6L', 'gSKvIE4I8P', 'lhevZ64vux', 'U2IfjrQUyiwX46rjll', 'u4TQBvUO9NdovsZNV3', 'UQhvvZwDQu', 'O1fvJxOkDH'
Source: 5.2.x.exe.7ce0000.5.raw.unpack, z6oiKCyaK2NEMrrIhH.cs High entropy of concatenated method names: 'HVpev8UT4Z', 'fHoeJneEle', 'rLOeCNpPhj', 'wIde5ySMSb', 'Nb0esYOj60', 'EhDeKAjJ6R', 'bqme9Qx0Nd', 'yDeGD1ldIN', 'L0aG0MVP8y', 'UaeGctI9wl'
Source: 5.2.x.exe.7ce0000.5.raw.unpack, dMn7Q7mEsppOh0xjvJ.cs High entropy of concatenated method names: 'IXMs7TDYo5', 'qmKsQ7w07K', 'mW8smme9x8', 'YHds8eIGAt', 'vpOsTISWTy', 'yxpsBMtpbS', 'NcmsDIcWTh', 'FUYs0FQJs6', 'vsqscKUklf', 'EXFs1gJjS7'
Source: 5.2.x.exe.7ce0000.5.raw.unpack, nJ8tJ5aNcG8so8TN18.cs High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'FVbbcT7LGQ', 'uodb1FY2qp', 'I9sbztNVq5', 'onBJuvCHAp', 'GESJvvljer', 'wDgJbYm1Uv', 'B0lJJXrWtq', 'TRcRM3Zi8QX3NDOnAUb'

Persistence and Installation Behavior

Source: C:\Windows\System32\cmd.exe File created: C:\Users\user\AppData\Local\Temp\x.vbs
Source: C:\Windows\System32\cscript.exe File created: C:\Users\user\AppData\Local\Temp\x.exe
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\x.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: Yara match File source: Process Memory Space: x.exe PID: 6728, type: MEMORYSTR
Source: C:\Users\user\AppData\Local\Temp\x.exe Memory allocated: 1150000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\x.exe Memory allocated: 2AC0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\x.exe Memory allocated: 4AC0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\x.exe Memory allocated: 9500000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\x.exe Memory allocated: A500000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\x.exe Memory allocated: A730000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\x.exe Memory allocated: B730000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\x.exe Memory allocated: BB80000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\x.exe Memory allocated: CB80000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\x.exe Memory allocated: DB80000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_0144D1C0 rdtsc 7_2_0144D1C0
Source: C:\Users\user\AppData\Local\Temp\x.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\x.exe API coverage: 0.7 %
Source: C:\Users\user\AppData\Local\Temp\x.exe TID: 4764 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\x.exe TID: 7064 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: FS001_ DT103024.bat Binary or memory string: echo zERVMCInczNhUcTbd1EWG4MmMKlsuKW+nDHIbMxilXPhioqGJHY5ELg3eoVWNAzFT09MBX>>%tmp%\x
Source: cscript.exe, 00000004.00000003.2177185637.0000024361542000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: zERVMCInczNhUcTbd1EWG4MmMKlsuKW+nDHIbMxilXPhioqGJHY5ELg3eoVWNAzFT09MBX
Source: cscript.exe, 00000004.00000003.2177185637.0000024361542000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: HnUZ/Q9U+L9D2WnUp4cl6J2Nr1kzIR4KRWJXN+q8VdD4uwN0KZ3QezjqXt6ot4UuSVmCi/
Source: FS001_ DT103024.bat Binary or memory string: echo HnUZ/Q9U+L9D2WnUp4cl6J2Nr1kzIR4KRWJXN+q8VdD4uwN0KZ3QezjqXt6ot4UuSVmCi/>>%tmp%\x
Source: FS001_ DT103024.bat Binary or memory string: echo UsGcBo0v/3Ec+Q+9KtjbPyn//qJWs0P6gWx+/43yNtfUP+N/A74YsZMRwIpACQqEmUAESa>>%tmp%\x
Source: cscript.exe, 00000004.00000003.2175918689.0000024361549000.00000004.00000020.00020000.00000000.sdmp, cscript.exe, 00000004.00000003.2177014467.0000024360ACF000.00000004.00000020.00020000.00000000.sdmp, cscript.exe, 00000004.00000003.2176716309.00000243608C2000.00000004.00000020.00020000.00000000.sdmp, cscript.exe, 00000004.00000003.2173426892.0000024360AC9000.00000004.00000020.00020000.00000000.sdmp, cscript.exe, 00000004.00000003.2174075666.0000024360BD8000.00000004.00000020.00020000.00000000.sdmp, cscript.exe, 00000004.00000003.2174601298.0000024360DFC000.00000004.00000020.00020000.00000000.sdmp, cscript.exe, 00000004.00000003.2177185637.0000024361542000.00000004.00000020.00020000.00000000.sdmp, cscript.exe, 00000004.00000003.2176674872.0000024360401000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: UsGcBo0v/3Ec+Q+9KtjbPyn//qJWs0P6gWx+/43yNtfUP+N/A74YsZMRwIpACQqEmUAESa
Source: C:\Users\user\AppData\Local\Temp\x.exe Process information queried: ProcessInformation
Source: C:\Users\user\AppData\Local\Temp\x.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_004178A3 LdrLoadDll, 7_2_004178A3
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_01464144 mov eax, dword ptr fs:[00000030h] 7_2_01464144
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_01464144 mov ecx, dword ptr fs:[00000030h] 7_2_01464144
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_013CB136 mov eax, dword ptr fs:[00000030h] 7_2_013CB136
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_013D1131 mov eax, dword ptr fs:[00000030h] 7_2_013D1131
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_014A5152 mov eax, dword ptr fs:[00000030h] 7_2_014A5152
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_01469179 mov eax, dword ptr fs:[00000030h] 7_2_01469179
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_013CF172 mov eax, dword ptr fs:[00000030h] 7_2_013CF172
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_01490115 mov eax, dword ptr fs:[00000030h] 7_2_01490115
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_0147A118 mov ecx, dword ptr fs:[00000030h] 7_2_0147A118
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_0147A118 mov eax, dword ptr fs:[00000030h] 7_2_0147A118
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_01400124 mov eax, dword ptr fs:[00000030h] 7_2_01400124
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_013D6154 mov eax, dword ptr fs:[00000030h] 7_2_013D6154
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_013CC156 mov eax, dword ptr fs:[00000030h] 7_2_013CC156
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_013D7152 mov eax, dword ptr fs:[00000030h] 7_2_013D7152
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_013C9148 mov eax, dword ptr fs:[00000030h] 7_2_013C9148
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_014A51CB mov eax, dword ptr fs:[00000030h] 7_2_014A51CB
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_014961C3 mov eax, dword ptr fs:[00000030h] 7_2_014961C3
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_014961C3 mov eax, dword ptr fs:[00000030h] 7_2_014961C3
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_013EB1B0 mov eax, dword ptr fs:[00000030h] 7_2_013EB1B0
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_0140D1D0 mov eax, dword ptr fs:[00000030h] 7_2_0140D1D0
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_0140D1D0 mov ecx, dword ptr fs:[00000030h] 7_2_0140D1D0
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_0144E1D0 mov eax, dword ptr fs:[00000030h] 7_2_0144E1D0
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_0144E1D0 mov eax, dword ptr fs:[00000030h] 7_2_0144E1D0
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_0144E1D0 mov ecx, dword ptr fs:[00000030h] 7_2_0144E1D0
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_0144E1D0 mov eax, dword ptr fs:[00000030h] 7_2_0144E1D0
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_0144E1D0 mov eax, dword ptr fs:[00000030h] 7_2_0144E1D0
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_013CA197 mov eax, dword ptr fs:[00000030h] 7_2_013CA197
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_013CA197 mov eax, dword ptr fs:[00000030h] 7_2_013CA197
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_013CA197 mov eax, dword ptr fs:[00000030h] 7_2_013CA197
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_014A61E5 mov eax, dword ptr fs:[00000030h] 7_2_014A61E5
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_014001F8 mov eax, dword ptr fs:[00000030h] 7_2_014001F8
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_014771F9 mov esi, dword ptr fs:[00000030h] 7_2_014771F9
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_0148C188 mov eax, dword ptr fs:[00000030h] 7_2_0148C188
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_0148C188 mov eax, dword ptr fs:[00000030h] 7_2_0148C188
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_01410185 mov eax, dword ptr fs:[00000030h] 7_2_01410185
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_013F51EF mov eax, dword ptr fs:[00000030h] 7_2_013F51EF
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_013F51EF mov eax, dword ptr fs:[00000030h] 7_2_013F51EF
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_013F51EF mov eax, dword ptr fs:[00000030h] 7_2_013F51EF
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_013F51EF mov eax, dword ptr fs:[00000030h] 7_2_013F51EF
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_013F51EF mov eax, dword ptr fs:[00000030h] 7_2_013F51EF
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_013F51EF mov eax, dword ptr fs:[00000030h] 7_2_013F51EF
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_013F51EF mov eax, dword ptr fs:[00000030h] 7_2_013F51EF
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_013F51EF mov eax, dword ptr fs:[00000030h] 7_2_013F51EF
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_013F51EF mov eax, dword ptr fs:[00000030h] 7_2_013F51EF
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_013F51EF mov eax, dword ptr fs:[00000030h] 7_2_013F51EF
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_013F51EF mov eax, dword ptr fs:[00000030h] 7_2_013F51EF
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_013F51EF mov eax, dword ptr fs:[00000030h] 7_2_013F51EF
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_013F51EF mov eax, dword ptr fs:[00000030h] 7_2_013F51EF
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_013D51ED mov eax, dword ptr fs:[00000030h] 7_2_013D51ED
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_01427190 mov eax, dword ptr fs:[00000030h] 7_2_01427190
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_0145019F mov eax, dword ptr fs:[00000030h] 7_2_0145019F
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_0145019F mov eax, dword ptr fs:[00000030h] 7_2_0145019F
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_0145019F mov eax, dword ptr fs:[00000030h] 7_2_0145019F
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_0145019F mov eax, dword ptr fs:[00000030h] 7_2_0145019F
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_014811A4 mov eax, dword ptr fs:[00000030h] 7_2_014811A4
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_014811A4 mov eax, dword ptr fs:[00000030h] 7_2_014811A4
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_014811A4 mov eax, dword ptr fs:[00000030h] 7_2_014811A4
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_014811A4 mov eax, dword ptr fs:[00000030h] 7_2_014811A4
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_0147705E mov ebx, dword ptr fs:[00000030h] 7_2_0147705E
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_0147705E mov eax, dword ptr fs:[00000030h] 7_2_0147705E
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_013CA020 mov eax, dword ptr fs:[00000030h] 7_2_013CA020
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_013CC020 mov eax, dword ptr fs:[00000030h] 7_2_013CC020
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_013EE016 mov eax, dword ptr fs:[00000030h] 7_2_013EE016
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_013EE016 mov eax, dword ptr fs:[00000030h] 7_2_013EE016
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_013EE016 mov eax, dword ptr fs:[00000030h] 7_2_013EE016
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_013EE016 mov eax, dword ptr fs:[00000030h] 7_2_013EE016
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_014A5060 mov eax, dword ptr fs:[00000030h] 7_2_014A5060
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_0145106E mov eax, dword ptr fs:[00000030h] 7_2_0145106E
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_0144D070 mov ecx, dword ptr fs:[00000030h] 7_2_0144D070
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_01454000 mov ecx, dword ptr fs:[00000030h] 7_2_01454000
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_013FC073 mov eax, dword ptr fs:[00000030h] 7_2_013FC073
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_013E1070 mov eax, dword ptr fs:[00000030h] 7_2_013E1070
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_013E1070 mov ecx, dword ptr fs:[00000030h] 7_2_013E1070
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_013E1070 mov eax, dword ptr fs:[00000030h] 7_2_013E1070
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_013E1070 mov eax, dword ptr fs:[00000030h] 7_2_013E1070
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_013E1070 mov eax, dword ptr fs:[00000030h] 7_2_013E1070
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_013E1070 mov eax, dword ptr fs:[00000030h] 7_2_013E1070
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_013E1070 mov eax, dword ptr fs:[00000030h] 7_2_013E1070
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_013E1070 mov eax, dword ptr fs:[00000030h] 7_2_013E1070
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_013E1070 mov eax, dword ptr fs:[00000030h] 7_2_013E1070
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_013E1070 mov eax, dword ptr fs:[00000030h] 7_2_013E1070
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_013E1070 mov eax, dword ptr fs:[00000030h] 7_2_013E1070
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_013E1070 mov eax, dword ptr fs:[00000030h] 7_2_013E1070
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_013E1070 mov eax, dword ptr fs:[00000030h] 7_2_013E1070
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_013D2050 mov eax, dword ptr fs:[00000030h] 7_2_013D2050
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_013FB052 mov eax, dword ptr fs:[00000030h] 7_2_013FB052
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_0149903E mov eax, dword ptr fs:[00000030h] 7_2_0149903E
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_0149903E mov eax, dword ptr fs:[00000030h] 7_2_0149903E
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_0149903E mov eax, dword ptr fs:[00000030h] 7_2_0149903E
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_0149903E mov eax, dword ptr fs:[00000030h] 7_2_0149903E
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_0144D0C0 mov eax, dword ptr fs:[00000030h] 7_2_0144D0C0
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_0144D0C0 mov eax, dword ptr fs:[00000030h] 7_2_0144D0C0
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_014A50D9 mov eax, dword ptr fs:[00000030h] 7_2_014A50D9
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_014520DE mov eax, dword ptr fs:[00000030h] 7_2_014520DE
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_013D5096 mov eax, dword ptr fs:[00000030h] 7_2_013D5096
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_013FD090 mov eax, dword ptr fs:[00000030h] 7_2_013FD090
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_013FD090 mov eax, dword ptr fs:[00000030h] 7_2_013FD090
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_013CD08D mov eax, dword ptr fs:[00000030h] 7_2_013CD08D
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_014120F0 mov ecx, dword ptr fs:[00000030h] 7_2_014120F0
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_013D208A mov eax, dword ptr fs:[00000030h] 7_2_013D208A
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_013CC0F0 mov eax, dword ptr fs:[00000030h] 7_2_013CC0F0
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_013D80E9 mov eax, dword ptr fs:[00000030h] 7_2_013D80E9
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_013F50E4 mov eax, dword ptr fs:[00000030h] 7_2_013F50E4
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_013F50E4 mov ecx, dword ptr fs:[00000030h] 7_2_013F50E4
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_0140909C mov eax, dword ptr fs:[00000030h] 7_2_0140909C
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_013CA0E3 mov ecx, dword ptr fs:[00000030h] 7_2_013CA0E3
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_013F90DB mov eax, dword ptr fs:[00000030h] 7_2_013F90DB
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_014960B8 mov eax, dword ptr fs:[00000030h] 7_2_014960B8
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_014960B8 mov ecx, dword ptr fs:[00000030h] 7_2_014960B8
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_013E70C0 mov eax, dword ptr fs:[00000030h] 7_2_013E70C0
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_013E70C0 mov ecx, dword ptr fs:[00000030h] 7_2_013E70C0
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_013E70C0 mov ecx, dword ptr fs:[00000030h] 7_2_013E70C0
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_013E70C0 mov eax, dword ptr fs:[00000030h] 7_2_013E70C0
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_013E70C0 mov ecx, dword ptr fs:[00000030h] 7_2_013E70C0
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_013E70C0 mov ecx, dword ptr fs:[00000030h] 7_2_013E70C0
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_013E70C0 mov eax, dword ptr fs:[00000030h] 7_2_013E70C0
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_013E70C0 mov eax, dword ptr fs:[00000030h] 7_2_013E70C0
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_013E70C0 mov eax, dword ptr fs:[00000030h] 7_2_013E70C0
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_013E70C0 mov eax, dword ptr fs:[00000030h] 7_2_013E70C0
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_013E70C0 mov eax, dword ptr fs:[00000030h] 7_2_013E70C0
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_013E70C0 mov eax, dword ptr fs:[00000030h] 7_2_013E70C0
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_013E70C0 mov eax, dword ptr fs:[00000030h] 7_2_013E70C0
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_013E70C0 mov eax, dword ptr fs:[00000030h] 7_2_013E70C0
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_013E70C0 mov eax, dword ptr fs:[00000030h] 7_2_013E70C0
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_013E70C0 mov eax, dword ptr fs:[00000030h] 7_2_013E70C0
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_013E70C0 mov eax, dword ptr fs:[00000030h] 7_2_013E70C0
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_013E70C0 mov eax, dword ptr fs:[00000030h] 7_2_013E70C0
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_014A5341 mov eax, dword ptr fs:[00000030h] 7_2_014A5341
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_013C7330 mov eax, dword ptr fs:[00000030h] 7_2_013C7330
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_01452349 mov eax, dword ptr fs:[00000030h] 7_2_01452349
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_01452349 mov eax, dword ptr fs:[00000030h] 7_2_01452349
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_01452349 mov eax, dword ptr fs:[00000030h] 7_2_01452349
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_01452349 mov eax, dword ptr fs:[00000030h] 7_2_01452349
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_01452349 mov eax, dword ptr fs:[00000030h] 7_2_01452349
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_01452349 mov eax, dword ptr fs:[00000030h] 7_2_01452349
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_01452349 mov eax, dword ptr fs:[00000030h] 7_2_01452349
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_01452349 mov eax, dword ptr fs:[00000030h] 7_2_01452349
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_01452349 mov eax, dword ptr fs:[00000030h] 7_2_01452349
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_01452349 mov eax, dword ptr fs:[00000030h] 7_2_01452349
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_01452349 mov eax, dword ptr fs:[00000030h] 7_2_01452349
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_01452349 mov eax, dword ptr fs:[00000030h] 7_2_01452349
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_01452349 mov eax, dword ptr fs:[00000030h] 7_2_01452349
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_01452349 mov eax, dword ptr fs:[00000030h] 7_2_01452349
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_01452349 mov eax, dword ptr fs:[00000030h] 7_2_01452349
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_013FF32A mov eax, dword ptr fs:[00000030h] 7_2_013FF32A
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_0145035C mov eax, dword ptr fs:[00000030h] 7_2_0145035C
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_0145035C mov eax, dword ptr fs:[00000030h] 7_2_0145035C
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_0145035C mov eax, dword ptr fs:[00000030h] 7_2_0145035C
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_0145035C mov ecx, dword ptr fs:[00000030h] 7_2_0145035C
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_0145035C mov eax, dword ptr fs:[00000030h] 7_2_0145035C
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_0145035C mov eax, dword ptr fs:[00000030h] 7_2_0145035C
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_0149A352 mov eax, dword ptr fs:[00000030h] 7_2_0149A352
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_013CC310 mov ecx, dword ptr fs:[00000030h] 7_2_013CC310
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_0148F367 mov eax, dword ptr fs:[00000030h] 7_2_0148F367
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_013F0310 mov ecx, dword ptr fs:[00000030h] 7_2_013F0310
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_0147437C mov eax, dword ptr fs:[00000030h] 7_2_0147437C
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_0140A30B mov eax, dword ptr fs:[00000030h] 7_2_0140A30B
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_0140A30B mov eax, dword ptr fs:[00000030h] 7_2_0140A30B
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_0140A30B mov eax, dword ptr fs:[00000030h] 7_2_0140A30B
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_013D7370 mov eax, dword ptr fs:[00000030h] 7_2_013D7370
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_013D7370 mov eax, dword ptr fs:[00000030h] 7_2_013D7370
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_013D7370 mov eax, dword ptr fs:[00000030h] 7_2_013D7370
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_0145930B mov eax, dword ptr fs:[00000030h] 7_2_0145930B
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_0145930B mov eax, dword ptr fs:[00000030h] 7_2_0145930B
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_0145930B mov eax, dword ptr fs:[00000030h] 7_2_0145930B
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_0149132D mov eax, dword ptr fs:[00000030h] 7_2_0149132D
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_0149132D mov eax, dword ptr fs:[00000030h] 7_2_0149132D
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_013C9353 mov eax, dword ptr fs:[00000030h] 7_2_013C9353
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_013C9353 mov eax, dword ptr fs:[00000030h] 7_2_013C9353
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_013CD34C mov eax, dword ptr fs:[00000030h] 7_2_013CD34C
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_013CD34C mov eax, dword ptr fs:[00000030h] 7_2_013CD34C
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_0148C3CD mov eax, dword ptr fs:[00000030h] 7_2_0148C3CD
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_0148B3D0 mov ecx, dword ptr fs:[00000030h] 7_2_0148B3D0
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_013F33A5 mov eax, dword ptr fs:[00000030h] 7_2_013F33A5
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_013C8397 mov eax, dword ptr fs:[00000030h] 7_2_013C8397
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_013C8397 mov eax, dword ptr fs:[00000030h] 7_2_013C8397
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_013C8397 mov eax, dword ptr fs:[00000030h] 7_2_013C8397
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_0148F3E6 mov eax, dword ptr fs:[00000030h] 7_2_0148F3E6
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_013F438F mov eax, dword ptr fs:[00000030h] 7_2_013F438F
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_013F438F mov eax, dword ptr fs:[00000030h] 7_2_013F438F
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_013CE388 mov eax, dword ptr fs:[00000030h] 7_2_013CE388
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_013CE388 mov eax, dword ptr fs:[00000030h] 7_2_013CE388
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_013CE388 mov eax, dword ptr fs:[00000030h] 7_2_013CE388
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_014A53FC mov eax, dword ptr fs:[00000030h] 7_2_014A53FC
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_014063FF mov eax, dword ptr fs:[00000030h] 7_2_014063FF
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_013EE3F0 mov eax, dword ptr fs:[00000030h] 7_2_013EE3F0
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_013EE3F0 mov eax, dword ptr fs:[00000030h] 7_2_013EE3F0
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_013EE3F0 mov eax, dword ptr fs:[00000030h] 7_2_013EE3F0
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_014A539D mov eax, dword ptr fs:[00000030h] 7_2_014A539D
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_013E03E9 mov eax, dword ptr fs:[00000030h] 7_2_013E03E9
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_013E03E9 mov eax, dword ptr fs:[00000030h] 7_2_013E03E9
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_013E03E9 mov eax, dword ptr fs:[00000030h] 7_2_013E03E9
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_013E03E9 mov eax, dword ptr fs:[00000030h] 7_2_013E03E9
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_013E03E9 mov eax, dword ptr fs:[00000030h] 7_2_013E03E9
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_013E03E9 mov eax, dword ptr fs:[00000030h] 7_2_013E03E9
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_013E03E9 mov eax, dword ptr fs:[00000030h] 7_2_013E03E9
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_013E03E9 mov eax, dword ptr fs:[00000030h] 7_2_013E03E9
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_0142739A mov eax, dword ptr fs:[00000030h] 7_2_0142739A
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_0142739A mov eax, dword ptr fs:[00000030h] 7_2_0142739A
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_014033A0 mov eax, dword ptr fs:[00000030h] 7_2_014033A0
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_014033A0 mov eax, dword ptr fs:[00000030h] 7_2_014033A0
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_013DA3C0 mov eax, dword ptr fs:[00000030h] 7_2_013DA3C0
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_013DA3C0 mov eax, dword ptr fs:[00000030h] 7_2_013DA3C0
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_013DA3C0 mov eax, dword ptr fs:[00000030h] 7_2_013DA3C0
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_013DA3C0 mov eax, dword ptr fs:[00000030h] 7_2_013DA3C0
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_013DA3C0 mov eax, dword ptr fs:[00000030h] 7_2_013DA3C0
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_013DA3C0 mov eax, dword ptr fs:[00000030h] 7_2_013DA3C0
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_013D83C0 mov eax, dword ptr fs:[00000030h] 7_2_013D83C0
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_013D83C0 mov eax, dword ptr fs:[00000030h] 7_2_013D83C0
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_013D83C0 mov eax, dword ptr fs:[00000030h] 7_2_013D83C0
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_013D83C0 mov eax, dword ptr fs:[00000030h] 7_2_013D83C0
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_013C823B mov eax, dword ptr fs:[00000030h] 7_2_013C823B
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_0140724D mov eax, dword ptr fs:[00000030h] 7_2_0140724D
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_0148B256 mov eax, dword ptr fs:[00000030h] 7_2_0148B256
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_0148B256 mov eax, dword ptr fs:[00000030h] 7_2_0148B256
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_0149D26B mov eax, dword ptr fs:[00000030h] 7_2_0149D26B
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_0149D26B mov eax, dword ptr fs:[00000030h] 7_2_0149D26B
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_01411270 mov eax, dword ptr fs:[00000030h] 7_2_01411270
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_01411270 mov eax, dword ptr fs:[00000030h] 7_2_01411270
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_01480274 mov eax, dword ptr fs:[00000030h] 7_2_01480274
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_01480274 mov eax, dword ptr fs:[00000030h] 7_2_01480274
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_01480274 mov eax, dword ptr fs:[00000030h] 7_2_01480274
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_01480274 mov eax, dword ptr fs:[00000030h] 7_2_01480274
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_01480274 mov eax, dword ptr fs:[00000030h] 7_2_01480274
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_01480274 mov eax, dword ptr fs:[00000030h] 7_2_01480274
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_01480274 mov eax, dword ptr fs:[00000030h] 7_2_01480274
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_01480274 mov eax, dword ptr fs:[00000030h] 7_2_01480274
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_01480274 mov eax, dword ptr fs:[00000030h] 7_2_01480274
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_01480274 mov eax, dword ptr fs:[00000030h] 7_2_01480274
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_01480274 mov eax, dword ptr fs:[00000030h] 7_2_01480274
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_01480274 mov eax, dword ptr fs:[00000030h] 7_2_01480274
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_01407208 mov eax, dword ptr fs:[00000030h] 7_2_01407208
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_01407208 mov eax, dword ptr fs:[00000030h] 7_2_01407208
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_013F9274 mov eax, dword ptr fs:[00000030h] 7_2_013F9274
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_013C826B mov eax, dword ptr fs:[00000030h] 7_2_013C826B
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_013D4260 mov eax, dword ptr fs:[00000030h] 7_2_013D4260
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_013D4260 mov eax, dword ptr fs:[00000030h] 7_2_013D4260
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_013D4260 mov eax, dword ptr fs:[00000030h] 7_2_013D4260
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_013D6259 mov eax, dword ptr fs:[00000030h] 7_2_013D6259
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_013CA250 mov eax, dword ptr fs:[00000030h] 7_2_013CA250
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_014A5227 mov eax, dword ptr fs:[00000030h] 7_2_014A5227
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_013C9240 mov eax, dword ptr fs:[00000030h] 7_2_013C9240
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_013C9240 mov eax, dword ptr fs:[00000030h] 7_2_013C9240
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_013E02A0 mov eax, dword ptr fs:[00000030h] 7_2_013E02A0
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_013E02A0 mov eax, dword ptr fs:[00000030h] 7_2_013E02A0
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_013E52A0 mov eax, dword ptr fs:[00000030h] 7_2_013E52A0
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_013E52A0 mov eax, dword ptr fs:[00000030h] 7_2_013E52A0
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_013E52A0 mov eax, dword ptr fs:[00000030h] 7_2_013E52A0
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_013E52A0 mov eax, dword ptr fs:[00000030h] 7_2_013E52A0
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_014812ED mov eax, dword ptr fs:[00000030h] 7_2_014812ED
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_014812ED mov eax, dword ptr fs:[00000030h] 7_2_014812ED
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_014812ED mov eax, dword ptr fs:[00000030h] 7_2_014812ED
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_014812ED mov eax, dword ptr fs:[00000030h] 7_2_014812ED
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_014812ED mov eax, dword ptr fs:[00000030h] 7_2_014812ED
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_014812ED mov eax, dword ptr fs:[00000030h] 7_2_014812ED
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_014812ED mov eax, dword ptr fs:[00000030h] 7_2_014812ED
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_014812ED mov eax, dword ptr fs:[00000030h] 7_2_014812ED
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_014812ED mov eax, dword ptr fs:[00000030h] 7_2_014812ED
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_014812ED mov eax, dword ptr fs:[00000030h] 7_2_014812ED
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_014812ED mov eax, dword ptr fs:[00000030h] 7_2_014812ED
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_014812ED mov eax, dword ptr fs:[00000030h] 7_2_014812ED
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_014812ED mov eax, dword ptr fs:[00000030h] 7_2_014812ED
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_014812ED mov eax, dword ptr fs:[00000030h] 7_2_014812ED
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_014A52E2 mov eax, dword ptr fs:[00000030h] 7_2_014A52E2
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_0148F2F8 mov eax, dword ptr fs:[00000030h] 7_2_0148F2F8
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_013C92FF mov eax, dword ptr fs:[00000030h] 7_2_013C92FF
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_0140E284 mov eax, dword ptr fs:[00000030h] 7_2_0140E284
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_0140E284 mov eax, dword ptr fs:[00000030h] 7_2_0140E284
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_01450283 mov eax, dword ptr fs:[00000030h] 7_2_01450283
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_01450283 mov eax, dword ptr fs:[00000030h] 7_2_01450283
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_01450283 mov eax, dword ptr fs:[00000030h] 7_2_01450283
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_014A5283 mov eax, dword ptr fs:[00000030h] 7_2_014A5283
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_0140329E mov eax, dword ptr fs:[00000030h] 7_2_0140329E
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_0140329E mov eax, dword ptr fs:[00000030h] 7_2_0140329E
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_013E02E1 mov eax, dword ptr fs:[00000030h] 7_2_013E02E1
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_013E02E1 mov eax, dword ptr fs:[00000030h] 7_2_013E02E1
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_013E02E1 mov eax, dword ptr fs:[00000030h] 7_2_013E02E1
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_014662A0 mov eax, dword ptr fs:[00000030h] 7_2_014662A0
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_014662A0 mov ecx, dword ptr fs:[00000030h] 7_2_014662A0
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_014662A0 mov eax, dword ptr fs:[00000030h] 7_2_014662A0
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_014662A0 mov eax, dword ptr fs:[00000030h] 7_2_014662A0
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_014662A0 mov eax, dword ptr fs:[00000030h] 7_2_014662A0
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_014662A0 mov eax, dword ptr fs:[00000030h] 7_2_014662A0
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_014672A0 mov eax, dword ptr fs:[00000030h] 7_2_014672A0
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_014672A0 mov eax, dword ptr fs:[00000030h] 7_2_014672A0
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_013FF2D0 mov eax, dword ptr fs:[00000030h] 7_2_013FF2D0
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_013FF2D0 mov eax, dword ptr fs:[00000030h] 7_2_013FF2D0
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_014992A6 mov eax, dword ptr fs:[00000030h] 7_2_014992A6
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_014992A6 mov eax, dword ptr fs:[00000030h] 7_2_014992A6
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_014992A6 mov eax, dword ptr fs:[00000030h] 7_2_014992A6
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_014992A6 mov eax, dword ptr fs:[00000030h] 7_2_014992A6
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_013CB2D3 mov eax, dword ptr fs:[00000030h] 7_2_013CB2D3
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_013CB2D3 mov eax, dword ptr fs:[00000030h] 7_2_013CB2D3
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_013CB2D3 mov eax, dword ptr fs:[00000030h] 7_2_013CB2D3
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_013D92C5 mov eax, dword ptr fs:[00000030h] 7_2_013D92C5
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_013D92C5 mov eax, dword ptr fs:[00000030h] 7_2_013D92C5
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_014592BC mov eax, dword ptr fs:[00000030h] 7_2_014592BC
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_014592BC mov eax, dword ptr fs:[00000030h] 7_2_014592BC
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_014592BC mov ecx, dword ptr fs:[00000030h] 7_2_014592BC
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_014592BC mov ecx, dword ptr fs:[00000030h] 7_2_014592BC
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_013DA2C3 mov eax, dword ptr fs:[00000030h] 7_2_013DA2C3
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_013DA2C3 mov eax, dword ptr fs:[00000030h] 7_2_013DA2C3
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_013DA2C3 mov eax, dword ptr fs:[00000030h] 7_2_013DA2C3
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_013DA2C3 mov eax, dword ptr fs:[00000030h] 7_2_013DA2C3
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_013DA2C3 mov eax, dword ptr fs:[00000030h] 7_2_013DA2C3
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_013FB2C0 mov eax, dword ptr fs:[00000030h] 7_2_013FB2C0
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_013FB2C0 mov eax, dword ptr fs:[00000030h] 7_2_013FB2C0
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_013FB2C0 mov eax, dword ptr fs:[00000030h] 7_2_013FB2C0
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_013FB2C0 mov eax, dword ptr fs:[00000030h] 7_2_013FB2C0
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_013FB2C0 mov eax, dword ptr fs:[00000030h] 7_2_013FB2C0
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_013FB2C0 mov eax, dword ptr fs:[00000030h] 7_2_013FB2C0
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_013FB2C0 mov eax, dword ptr fs:[00000030h] 7_2_013FB2C0
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_013FE53E mov eax, dword ptr fs:[00000030h] 7_2_013FE53E
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_013FE53E mov eax, dword ptr fs:[00000030h] 7_2_013FE53E
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_013FE53E mov eax, dword ptr fs:[00000030h] 7_2_013FE53E
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_013FE53E mov eax, dword ptr fs:[00000030h] 7_2_013FE53E
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_013FE53E mov eax, dword ptr fs:[00000030h] 7_2_013FE53E
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_013DD534 mov eax, dword ptr fs:[00000030h] 7_2_013DD534
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_013DD534 mov eax, dword ptr fs:[00000030h] 7_2_013DD534
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_013DD534 mov eax, dword ptr fs:[00000030h] 7_2_013DD534
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_013DD534 mov eax, dword ptr fs:[00000030h] 7_2_013DD534
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_013DD534 mov eax, dword ptr fs:[00000030h] 7_2_013DD534
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_013DD534 mov eax, dword ptr fs:[00000030h] 7_2_013DD534
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_013E0535 mov eax, dword ptr fs:[00000030h] 7_2_013E0535
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_013E0535 mov eax, dword ptr fs:[00000030h] 7_2_013E0535
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_013E0535 mov eax, dword ptr fs:[00000030h] 7_2_013E0535
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_013E0535 mov eax, dword ptr fs:[00000030h] 7_2_013E0535
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_013E0535 mov eax, dword ptr fs:[00000030h] 7_2_013E0535
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_013E0535 mov eax, dword ptr fs:[00000030h] 7_2_013E0535
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_0140656A mov eax, dword ptr fs:[00000030h] 7_2_0140656A
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_0140656A mov eax, dword ptr fs:[00000030h] 7_2_0140656A
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_0140656A mov eax, dword ptr fs:[00000030h] 7_2_0140656A
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_0140B570 mov eax, dword ptr fs:[00000030h] 7_2_0140B570
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_0140B570 mov eax, dword ptr fs:[00000030h] 7_2_0140B570
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_01407505 mov eax, dword ptr fs:[00000030h] 7_2_01407505
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_01407505 mov ecx, dword ptr fs:[00000030h] 7_2_01407505
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_014A4500 mov eax, dword ptr fs:[00000030h] 7_2_014A4500
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_014A4500 mov eax, dword ptr fs:[00000030h] 7_2_014A4500
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_014A4500 mov eax, dword ptr fs:[00000030h] 7_2_014A4500
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_014A4500 mov eax, dword ptr fs:[00000030h] 7_2_014A4500
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_014A4500 mov eax, dword ptr fs:[00000030h] 7_2_014A4500
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_014A4500 mov eax, dword ptr fs:[00000030h] 7_2_014A4500
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_014A4500 mov eax, dword ptr fs:[00000030h] 7_2_014A4500
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_013CB562 mov eax, dword ptr fs:[00000030h] 7_2_013CB562
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_0147F525 mov eax, dword ptr fs:[00000030h] 7_2_0147F525
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_0147F525 mov eax, dword ptr fs:[00000030h] 7_2_0147F525
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_0147F525 mov eax, dword ptr fs:[00000030h] 7_2_0147F525
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_0147F525 mov eax, dword ptr fs:[00000030h] 7_2_0147F525
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_0147F525 mov eax, dword ptr fs:[00000030h] 7_2_0147F525
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_0147F525 mov eax, dword ptr fs:[00000030h] 7_2_0147F525
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_0147F525 mov eax, dword ptr fs:[00000030h] 7_2_0147F525
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_0148B52F mov eax, dword ptr fs:[00000030h] 7_2_0148B52F
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_013D8550 mov eax, dword ptr fs:[00000030h] 7_2_013D8550
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_013D8550 mov eax, dword ptr fs:[00000030h] 7_2_013D8550
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_0140D530 mov eax, dword ptr fs:[00000030h] 7_2_0140D530
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_0140D530 mov eax, dword ptr fs:[00000030h] 7_2_0140D530
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_014A5537 mov eax, dword ptr fs:[00000030h] 7_2_014A5537
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_014055C0 mov eax, dword ptr fs:[00000030h] 7_2_014055C0
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_014A55C9 mov eax, dword ptr fs:[00000030h] 7_2_014A55C9
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_013F45B1 mov eax, dword ptr fs:[00000030h] 7_2_013F45B1
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_013F45B1 mov eax, dword ptr fs:[00000030h] 7_2_013F45B1
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_0140E5CF mov eax, dword ptr fs:[00000030h] 7_2_0140E5CF
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_0140E5CF mov eax, dword ptr fs:[00000030h] 7_2_0140E5CF
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_013FF5B0 mov eax, dword ptr fs:[00000030h] 7_2_013FF5B0
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_013FF5B0 mov eax, dword ptr fs:[00000030h] 7_2_013FF5B0
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_013FF5B0 mov eax, dword ptr fs:[00000030h] 7_2_013FF5B0
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_013FF5B0 mov eax, dword ptr fs:[00000030h] 7_2_013FF5B0
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_013FF5B0 mov eax, dword ptr fs:[00000030h] 7_2_013FF5B0
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_013FF5B0 mov eax, dword ptr fs:[00000030h] 7_2_013FF5B0
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_013FF5B0 mov eax, dword ptr fs:[00000030h] 7_2_013FF5B0
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_013FF5B0 mov eax, dword ptr fs:[00000030h] 7_2_013FF5B0
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_013FF5B0 mov eax, dword ptr fs:[00000030h] 7_2_013FF5B0
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_0140A5D0 mov eax, dword ptr fs:[00000030h] 7_2_0140A5D0
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_0140A5D0 mov eax, dword ptr fs:[00000030h] 7_2_0140A5D0
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_0144D5D0 mov eax, dword ptr fs:[00000030h] 7_2_0144D5D0
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_0144D5D0 mov ecx, dword ptr fs:[00000030h] 7_2_0144D5D0
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_013F15A9 mov eax, dword ptr fs:[00000030h] 7_2_013F15A9
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_013F15A9 mov eax, dword ptr fs:[00000030h] 7_2_013F15A9
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_013F15A9 mov eax, dword ptr fs:[00000030h] 7_2_013F15A9
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_013F15A9 mov eax, dword ptr fs:[00000030h] 7_2_013F15A9
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_013F15A9 mov eax, dword ptr fs:[00000030h] 7_2_013F15A9
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_014A35D7 mov eax, dword ptr fs:[00000030h] 7_2_014A35D7
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_014A35D7 mov eax, dword ptr fs:[00000030h] 7_2_014A35D7
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_014A35D7 mov eax, dword ptr fs:[00000030h] 7_2_014A35D7
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_0140C5ED mov eax, dword ptr fs:[00000030h] 7_2_0140C5ED
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_0140C5ED mov eax, dword ptr fs:[00000030h] 7_2_0140C5ED
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_013C758F mov eax, dword ptr fs:[00000030h] 7_2_013C758F
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_013C758F mov eax, dword ptr fs:[00000030h] 7_2_013C758F
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_013C758F mov eax, dword ptr fs:[00000030h] 7_2_013C758F
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_013D2582 mov eax, dword ptr fs:[00000030h] 7_2_013D2582
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_013D2582 mov ecx, dword ptr fs:[00000030h] 7_2_013D2582
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_01404588 mov eax, dword ptr fs:[00000030h] 7_2_01404588
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_013F15F4 mov eax, dword ptr fs:[00000030h] 7_2_013F15F4
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_013F15F4 mov eax, dword ptr fs:[00000030h] 7_2_013F15F4
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_013F15F4 mov eax, dword ptr fs:[00000030h] 7_2_013F15F4
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_013F15F4 mov eax, dword ptr fs:[00000030h] 7_2_013F15F4
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_013F15F4 mov eax, dword ptr fs:[00000030h] 7_2_013F15F4
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_013F15F4 mov eax, dword ptr fs:[00000030h] 7_2_013F15F4
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_0145B594 mov eax, dword ptr fs:[00000030h] 7_2_0145B594
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_0145B594 mov eax, dword ptr fs:[00000030h] 7_2_0145B594
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_013FE5E7 mov eax, dword ptr fs:[00000030h] 7_2_013FE5E7
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_013FE5E7 mov eax, dword ptr fs:[00000030h] 7_2_013FE5E7
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_013FE5E7 mov eax, dword ptr fs:[00000030h] 7_2_013FE5E7
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_013FE5E7 mov eax, dword ptr fs:[00000030h] 7_2_013FE5E7
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_013FE5E7 mov eax, dword ptr fs:[00000030h] 7_2_013FE5E7
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_013FE5E7 mov eax, dword ptr fs:[00000030h] 7_2_013FE5E7
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_013FE5E7 mov eax, dword ptr fs:[00000030h] 7_2_013FE5E7
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_013FE5E7 mov eax, dword ptr fs:[00000030h] 7_2_013FE5E7
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_0140E59C mov eax, dword ptr fs:[00000030h] 7_2_0140E59C
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_013D25E0 mov eax, dword ptr fs:[00000030h] 7_2_013D25E0
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_014505A7 mov eax, dword ptr fs:[00000030h] 7_2_014505A7
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_014505A7 mov eax, dword ptr fs:[00000030h] 7_2_014505A7
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_014505A7 mov eax, dword ptr fs:[00000030h] 7_2_014505A7
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_013F95DA mov eax, dword ptr fs:[00000030h] 7_2_013F95DA
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_013D65D0 mov eax, dword ptr fs:[00000030h] 7_2_013D65D0
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_0148F5BE mov eax, dword ptr fs:[00000030h] 7_2_0148F5BE
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_014635BA mov eax, dword ptr fs:[00000030h] 7_2_014635BA
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_014635BA mov eax, dword ptr fs:[00000030h] 7_2_014635BA
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_014635BA mov eax, dword ptr fs:[00000030h] 7_2_014635BA
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_014635BA mov eax, dword ptr fs:[00000030h] 7_2_014635BA
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_0140E443 mov eax, dword ptr fs:[00000030h] 7_2_0140E443
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_0140E443 mov eax, dword ptr fs:[00000030h] 7_2_0140E443
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_0140E443 mov eax, dword ptr fs:[00000030h] 7_2_0140E443
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_0140E443 mov eax, dword ptr fs:[00000030h] 7_2_0140E443
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_0140E443 mov eax, dword ptr fs:[00000030h] 7_2_0140E443
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_0140E443 mov eax, dword ptr fs:[00000030h] 7_2_0140E443
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_0140E443 mov eax, dword ptr fs:[00000030h] 7_2_0140E443
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_0140E443 mov eax, dword ptr fs:[00000030h] 7_2_0140E443
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_0148F453 mov eax, dword ptr fs:[00000030h] 7_2_0148F453
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_013CC427 mov eax, dword ptr fs:[00000030h] 7_2_013CC427
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_013CE420 mov eax, dword ptr fs:[00000030h] 7_2_013CE420
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_013CE420 mov eax, dword ptr fs:[00000030h] 7_2_013CE420
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_013CE420 mov eax, dword ptr fs:[00000030h] 7_2_013CE420
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_013F340D mov eax, dword ptr fs:[00000030h] 7_2_013F340D
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_014A547F mov eax, dword ptr fs:[00000030h] 7_2_014A547F
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_01408402 mov eax, dword ptr fs:[00000030h] 7_2_01408402
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_01408402 mov eax, dword ptr fs:[00000030h] 7_2_01408402
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_01408402 mov eax, dword ptr fs:[00000030h] 7_2_01408402
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_013FA470 mov eax, dword ptr fs:[00000030h] 7_2_013FA470
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_013FA470 mov eax, dword ptr fs:[00000030h] 7_2_013FA470
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_013FA470 mov eax, dword ptr fs:[00000030h] 7_2_013FA470
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_013D1460 mov eax, dword ptr fs:[00000030h] 7_2_013D1460
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_013D1460 mov eax, dword ptr fs:[00000030h] 7_2_013D1460
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_013D1460 mov eax, dword ptr fs:[00000030h] 7_2_013D1460
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_013D1460 mov eax, dword ptr fs:[00000030h] 7_2_013D1460
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_013D1460 mov eax, dword ptr fs:[00000030h] 7_2_013D1460
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_013EF460 mov eax, dword ptr fs:[00000030h] 7_2_013EF460
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_013EF460 mov eax, dword ptr fs:[00000030h] 7_2_013EF460
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_013EF460 mov eax, dword ptr fs:[00000030h] 7_2_013EF460
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_013EF460 mov eax, dword ptr fs:[00000030h] 7_2_013EF460
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_013EF460 mov eax, dword ptr fs:[00000030h] 7_2_013EF460
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_013EF460 mov eax, dword ptr fs:[00000030h] 7_2_013EF460
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_013C645D mov eax, dword ptr fs:[00000030h] 7_2_013C645D
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_013F245A mov eax, dword ptr fs:[00000030h] 7_2_013F245A
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_0140A430 mov eax, dword ptr fs:[00000030h] 7_2_0140A430
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_013DB440 mov eax, dword ptr fs:[00000030h] 7_2_013DB440
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_013DB440 mov eax, dword ptr fs:[00000030h] 7_2_013DB440
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_013DB440 mov eax, dword ptr fs:[00000030h] 7_2_013DB440
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_013DB440 mov eax, dword ptr fs:[00000030h] 7_2_013DB440
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_013DB440 mov eax, dword ptr fs:[00000030h] 7_2_013DB440
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_013DB440 mov eax, dword ptr fs:[00000030h] 7_2_013DB440
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_014A54DB mov eax, dword ptr fs:[00000030h] 7_2_014A54DB
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_013D64AB mov eax, dword ptr fs:[00000030h] 7_2_013D64AB
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_014794E0 mov eax, dword ptr fs:[00000030h] 7_2_014794E0
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_013D9486 mov eax, dword ptr fs:[00000030h] 7_2_013D9486
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_013D9486 mov eax, dword ptr fs:[00000030h] 7_2_013D9486
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 7_2_013CB480 mov eax, dword ptr fs:[00000030h] 7_2_013CB480
Source: C:\Users\user\AppData\Local\Temp\x.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\AppData\Local\Temp\x.exe Memory written: C:\Users\user\AppData\Local\Temp\x.exe base: 400000 value starts with: 4D5A
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\findstr.exe findstr /e "'v" "C:\Users\user\Desktop\FS001_ DT103024.bat"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cscript.exe cscript //nologo C:\Users\user\AppData\Local\Temp\x.vbs
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\x.exe C:\Users\user\AppData\Local\Temp\x.exe
Source: C:\Users\user\AppData\Local\Temp\x.exe Process created: C:\Users\user\AppData\Local\Temp\x.exe "C:\Users\user\AppData\Local\Temp\x.exe"
Source: C:\Users\user\AppData\Local\Temp\x.exe Queries volume information: C:\Users\user\AppData\Local\Temp\x.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\x.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\x.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\x.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\x.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\x.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Windows\System32\cscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match File source: 7.2.x.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.x.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000007.00000002.2389064110.0000000001340000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2388569618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Source: Yara match File source: 7.2.x.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.x.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000007.00000002.2389064110.0000000001340000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2388569618.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
No contacted IP infos