Windows Analysis Report
Anfrage244384.exe

AI detected suspicious sample

Source: Yara match

File source: 00000003.00000002.3110222192.00000000349F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Source: Anfrage244384.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 188.40.95.144:443 -> 192.168.2.5:49792 version: TLS 1.2

Source: Anfrage244384.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: mshtml.pdb source: Anfrage244384.exe, 00000003.00000001.2332876628.0000000000649000.00000020.00000001.01000000.00000007.sdmp
Source:	Binary string: wntdll.pdbUGP source: Anfrage244384.exe, 00000003.00000002.3110255884.0000000034EEE000.00000040.00001000.00020000.00000000.sdmp, Anfrage244384.exe, 00000003.00000002.3110255884.0000000034D50000.00000040.00001000.00020000.00000000.sdmp, Anfrage244384.exe, 00000003.00000003.2748365519.00000000349F3000.00000004.00000020.00020000.00000000.sdmp, Anfrage244384.exe, 00000003.00000003.2750495664.0000000034BA7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: Anfrage244384.exe, Anfrage244384.exe, 00000003.00000002.3110255884.0000000034EEE000.00000040.00001000.00020000.00000000.sdmp, Anfrage244384.exe, 00000003.00000002.3110255884.0000000034D50000.00000040.00001000.00020000.00000000.sdmp, Anfrage244384.exe, 00000003.00000003.2748365519.00000000349F3000.00000004.00000020.00020000.00000000.sdmp, Anfrage244384.exe, 00000003.00000003.2750495664.0000000034BA7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mshtml.pdbUGP source: Anfrage244384.exe, 00000003.00000001.2332876628.0000000000649000.00000020.00000001.01000000.00000007.sdmp

Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 0_2_00405665 GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,	0_2_00405665
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 0_2_0040270B FindFirstFileA,	0_2_0040270B
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 0_2_004060C7 FindFirstFileA,FindClose,	0_2_004060C7

Source: Joe Sandbox View

IP Address: 188.40.95.144 188.40.95.144

Source: Joe Sandbox View

JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: Network traffic	Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 20.12.23.50:443 -> 192.168.2.5:49704
Source: Network traffic	Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.5:49792 -> 188.40.95.144:443
Source: Network traffic	Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 20.12.23.50:443 -> 192.168.2.5:49855

Source: global traffic

HTTP traffic detected: GET /rmANWge110.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: familytherapycenter.rsCache-Control: no-cache

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

HTTP traffic detected: GET /rmANWge110.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: familytherapycenter.rsCache-Control: no-cache

Source: global traffic

DNS traffic detected: DNS query: familytherapycenter.rs

Source: Anfrage244384.exe	String found in binary or memory: http://crl.apple.com/root.crl0
Source: Anfrage244384.exe	String found in binary or memory: http://crl.apple.com/timestamp.crl0
Source: Anfrage244384.exe	String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: Anfrage244384.exe	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: Anfrage244384.exe	String found in binary or memory: http://www.apple.com/appleca0
Source: Anfrage244384.exe, 00000003.00000001.2332876628.0000000000649000.00000020.00000001.01000000.00000007.sdmp	String found in binary or memory: http://www.ftp.ftp://ftp.gopher.
Source: Anfrage244384.exe, 00000003.00000001.2332876628.00000000005F2000.00000020.00000001.01000000.00000007.sdmp	String found in binary or memory: http://www.w3c.org/TR/1999/REC-html401-19991224/frameset.dtd
Source: Anfrage244384.exe, 00000003.00000001.2332876628.00000000005F2000.00000020.00000001.01000000.00000007.sdmp	String found in binary or memory: http://www.w3c.org/TR/1999/REC-html401-19991224/loose.dtd
Source: Anfrage244384.exe, 00000003.00000003.2748759588.0000000004C9B000.00000004.00000020.00020000.00000000.sdmp, Anfrage244384.exe, 00000003.00000002.3081198942.0000000004C9C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://familytherapycenter.rs/
Source: Anfrage244384.exe, 00000003.00000003.2748759588.0000000004C9B000.00000004.00000020.00020000.00000000.sdmp, Anfrage244384.exe, 00000003.00000002.3081198942.0000000004C9C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://familytherapycenter.rs/B5
Source: Anfrage244384.exe, 00000003.00000002.3081198942.0000000004C9C000.00000004.00000020.00020000.00000000.sdmp, Anfrage244384.exe, 00000003.00000002.3109787992.0000000034170000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://familytherapycenter.rs/rmANWge110.bin
Source: Anfrage244384.exe, 00000003.00000003.2748759588.0000000004C9B000.00000004.00000020.00020000.00000000.sdmp, Anfrage244384.exe, 00000003.00000002.3081198942.0000000004C9C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://familytherapycenter.rs/rmANWge110.binD1
Source: Anfrage244384.exe, 00000003.00000002.3081198942.0000000004C58000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://familytherapycenter.rs/rmANWge110.bin~
Source: Anfrage244384.exe, 00000003.00000001.2332876628.0000000000649000.00000020.00000001.01000000.00000007.sdmp	String found in binary or memory: https://inference.location.live.net/inferenceservice/v21/Pox/GetLocationUsingFingerprinte1e71f6b-214
Source: Anfrage244384.exe	String found in binary or memory: https://www.apple.com/appleca/0

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49792
Source: unknown	Network traffic detected: HTTP traffic on port 49792 -> 443

Source: unknown

HTTPS traffic detected: 188.40.95.144:443 -> 192.168.2.5:49792 version: TLS 1.2

Source: C:\Users\user\Desktop\Anfrage244384.exe

Code function: 0_2_0040511A GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard,

0_2_0040511A

E-Banking Fraud

Source: Yara match

File source: 00000003.00000002.3110222192.00000000349F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34DC35C0 NtCreateMutant,LdrInitializeThunk,	3_2_34DC35C0
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34DC2DF0 NtQuerySystemInformation,LdrInitializeThunk,	3_2_34DC2DF0
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34DC3090 NtSetValueKey,	3_2_34DC3090
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34DC3010 NtOpenDirectoryObject,	3_2_34DC3010
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34DC3D70 NtOpenThread,	3_2_34DC3D70
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34DC3D10 NtOpenProcessToken,	3_2_34DC3D10
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34DC39B0 NtGetContextThread,	3_2_34DC39B0
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34DC4650 NtSuspendThread,	3_2_34DC4650
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34DC4340 NtSetContextThread,	3_2_34DC4340
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34DC2CC0 NtQueryVirtualMemory,	3_2_34DC2CC0
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34DC2CF0 NtOpenProcess,	3_2_34DC2CF0
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34DC2CA0 NtQueryInformationToken,	3_2_34DC2CA0
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34DC2C70 NtFreeVirtualMemory,	3_2_34DC2C70
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34DC2C60 NtCreateKey,	3_2_34DC2C60
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34DC2C00 NtQueryInformationProcess,	3_2_34DC2C00
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34DC2DD0 NtDelayExecution,	3_2_34DC2DD0
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34DC2DB0 NtEnumerateKey,	3_2_34DC2DB0
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34DC2D10 NtMapViewOfSection,	3_2_34DC2D10
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34DC2D00 NtSetInformationFile,	3_2_34DC2D00
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34DC2D30 NtUnmapViewOfSection,	3_2_34DC2D30
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34DC2EE0 NtQueueApcThread,	3_2_34DC2EE0
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34DC2E80 NtReadVirtualMemory,	3_2_34DC2E80
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34DC2EA0 NtAdjustPrivilegesToken,	3_2_34DC2EA0
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34DC2E30 NtWriteVirtualMemory,	3_2_34DC2E30
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34DC2FE0 NtCreateFile,	3_2_34DC2FE0
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34DC2F90 NtProtectVirtualMemory,	3_2_34DC2F90
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34DC2FB0 NtResumeThread,	3_2_34DC2FB0
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34DC2FA0 NtQuerySection,	3_2_34DC2FA0
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34DC2F60 NtCreateProcessEx,	3_2_34DC2F60
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34DC2F30 NtCreateSection,	3_2_34DC2F30
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34DC2AD0 NtReadFile,	3_2_34DC2AD0
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34DC2AF0 NtWriteFile,	3_2_34DC2AF0
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34DC2AB0 NtWaitForSingleObject,	3_2_34DC2AB0
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34DC2BF0 NtAllocateVirtualMemory,	3_2_34DC2BF0
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34DC2BE0 NtQueryValueKey,	3_2_34DC2BE0
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34DC2B80 NtQueryInformationFile,	3_2_34DC2B80
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34DC2BA0 NtEnumerateValueKey,	3_2_34DC2BA0
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34DC2B60 NtClose,	3_2_34DC2B60

Source: C:\Users\user\Desktop\Anfrage244384.exe

Code function: 0_2_004031A3 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,

0_2_004031A3

Source: C:\Users\user\Desktop\Anfrage244384.exe

File created: C:\Windows\resources\soenderbro.ini

Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 0_2_00404959	0_2_00404959
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 0_2_0040655F	0_2_0040655F
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 0_2_00406D36	0_2_00406D36
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34D81460	3_2_34D81460
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34E4F43F	3_2_34E4F43F
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34E2D5B0	3_2_34E2D5B0
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34E47571	3_2_34E47571
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34E416CC	3_2_34E416CC
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34E4F7B0	3_2_34E4F7B0
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34E4F0E0	3_2_34E4F0E0
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34E470E9	3_2_34E470E9
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34D970C0	3_2_34D970C0
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34E3F0CC	3_2_34E3F0CC
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34D9B1B0	3_2_34D9B1B0
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34E5B16B	3_2_34E5B16B
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34D7F172	3_2_34D7F172
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34DC516C	3_2_34DC516C
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34E312ED	3_2_34E312ED
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34DAB2C0	3_2_34DAB2C0
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34D952A0	3_2_34D952A0
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34DD739A	3_2_34DD739A
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34D7D34C	3_2_34D7D34C
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34E4132D	3_2_34E4132D
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34E4FCF2	3_2_34E4FCF2
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34D51CAF	3_2_34D51CAF
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34E09C32	3_2_34E09C32
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34DAFDC0	3_2_34DAFDC0
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34E47D73	3_2_34E47D73
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34D93D40	3_2_34D93D40
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34E41D5A	3_2_34E41D5A
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34D99EB0	3_2_34D99EB0
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34D53FD5	3_2_34D53FD5
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34D53FD2	3_2_34D53FD2
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34D91F92	3_2_34D91F92
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34E4FFB1	3_2_34E4FFB1
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34E4FF09	3_2_34E4FF09
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34D938E0	3_2_34D938E0
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34DFD800	3_2_34DFD800
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34D99950	3_2_34D99950
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34DAB950	3_2_34DAB950
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34E25910	3_2_34E25910
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34E3DAC6	3_2_34E3DAC6
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34E2DAAC	3_2_34E2DAAC
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34DD5AA0	3_2_34DD5AA0
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34E03A6C	3_2_34E03A6C
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34E47A46	3_2_34E47A46
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34E4FA49	3_2_34E4FA49
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34E05BF0	3_2_34E05BF0
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34DCDBF9	3_2_34DCDBF9
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34DAFB80	3_2_34DAFB80
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34E4FB76	3_2_34E4FB76
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34E3E4F6	3_2_34E3E4F6
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34E42446	3_2_34E42446
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34E50591	3_2_34E50591
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34D90535	3_2_34D90535
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34DAC6E0	3_2_34DAC6E0
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34D8C7C0	3_2_34D8C7C0
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34DB4750	3_2_34DB4750
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34D90770	3_2_34D90770
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34E22000	3_2_34E22000
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34E481CC	3_2_34E481CC
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34E501AA	3_2_34E501AA
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34E18158	3_2_34E18158
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34D80100	3_2_34D80100
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34E2A118	3_2_34E2A118
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34E102C0	3_2_34E102C0
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34E30274	3_2_34E30274
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34E503E6	3_2_34E503E6
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34D9E3F0	3_2_34D9E3F0
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34E4A352	3_2_34E4A352
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34D80CF2	3_2_34D80CF2
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34E30CB5	3_2_34E30CB5
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34D90C00	3_2_34D90C00
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34D8ADE0	3_2_34D8ADE0
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34DA8DBF	3_2_34DA8DBF
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34D9AD00	3_2_34D9AD00
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34E2CD1F	3_2_34E2CD1F
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34E4EEDB	3_2_34E4EEDB
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34DA2E90	3_2_34DA2E90
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34E4CE93	3_2_34E4CE93
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34D90E59	3_2_34D90E59
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34E4EE26	3_2_34E4EE26
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34D82FC8	3_2_34D82FC8
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34D9CFE0	3_2_34D9CFE0
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34E0EFA0	3_2_34E0EFA0
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34E04F40	3_2_34E04F40
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34DB0F30	3_2_34DB0F30
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34DD2F28	3_2_34DD2F28
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34DBE8F0	3_2_34DBE8F0
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34D768B8	3_2_34D768B8
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34D9A840	3_2_34D9A840
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34D92840	3_2_34D92840
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34E5A9A6	3_2_34E5A9A6
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34D929A0	3_2_34D929A0
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34DA6962	3_2_34DA6962
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34D8EA80	3_2_34D8EA80
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34E46BD7	3_2_34E46BD7
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34E4AB40	3_2_34E4AB40

Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: String function: 34D7B970 appears 275 times
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: String function: 34DFEA12 appears 86 times
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: String function: 34E0F290 appears 105 times
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: String function: 34DD7E54 appears 101 times
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: String function: 34DC5130 appears 58 times

Source: Anfrage244384.exe

Static PE information: invalid certificate

Source: Anfrage244384.exe, 00000003.00000003.2748365519.0000000034B16000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs Anfrage244384.exe
Source: Anfrage244384.exe, 00000003.00000002.3110255884.0000000034E7D000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs Anfrage244384.exe
Source: Anfrage244384.exe, 00000003.00000003.2750495664.0000000034CD4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs Anfrage244384.exe

Source: Anfrage244384.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: classification engine

Classification label: mal84.troj.evad.winEXE@3/10@1/1

Source: C:\Users\user\Desktop\Anfrage244384.exe

0_2_004031A3

Source: C:\Users\user\Desktop\Anfrage244384.exe

Code function: 0_2_004043E6 GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,

0_2_004043E6

Source: C:\Users\user\Desktop\Anfrage244384.exe

Code function: 0_2_004020CD CoCreateInstance,MultiByteToWideChar,

0_2_004020CD

Source: C:\Users\user\Desktop\Anfrage244384.exe

File created: C:\Users\user\AppData\Roaming\secretaryships

Source: C:\Users\user\Desktop\Anfrage244384.exe

File created: C:\Users\user\AppData\Local\Temp\nsv8D55.tmp

Source: Anfrage244384.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Anfrage244384.exe

File read: C:\Users\desktop.ini

Source: C:\Users\user\Desktop\Anfrage244384.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: Anfrage244384.exe

ReversingLabs: Detection: 31%

Source: C:\Users\user\Desktop\Anfrage244384.exe

File read: C:\Users\user\Desktop\Anfrage244384.exe

Source: unknown	Process created: C:\Users\user\Desktop\Anfrage244384.exe "C:\Users\user\Desktop\Anfrage244384.exe"
Source: C:\Users\user\Desktop\Anfrage244384.exe	Process created: C:\Users\user\Desktop\Anfrage244384.exe "C:\Users\user\Desktop\Anfrage244384.exe"
Source: C:\Users\user\Desktop\Anfrage244384.exe	Process created: C:\Users\user\Desktop\Anfrage244384.exe "C:\Users\user\Desktop\Anfrage244384.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Anfrage244384.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Anfrage244384.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Anfrage244384.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Anfrage244384.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\Anfrage244384.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Anfrage244384.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Anfrage244384.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Anfrage244384.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Anfrage244384.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\Desktop\Anfrage244384.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Anfrage244384.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Anfrage244384.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Anfrage244384.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\Anfrage244384.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\Anfrage244384.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\Anfrage244384.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\Anfrage244384.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\Anfrage244384.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\Anfrage244384.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\Anfrage244384.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Anfrage244384.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Anfrage244384.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Anfrage244384.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Anfrage244384.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Anfrage244384.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Anfrage244384.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\Desktop\Anfrage244384.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Anfrage244384.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Anfrage244384.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Anfrage244384.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Anfrage244384.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\Anfrage244384.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Anfrage244384.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Anfrage244384.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Anfrage244384.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Anfrage244384.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Anfrage244384.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\Anfrage244384.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Anfrage244384.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Anfrage244384.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\Anfrage244384.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Anfrage244384.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Anfrage244384.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Anfrage244384.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Anfrage244384.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\Anfrage244384.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\Anfrage244384.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Anfrage244384.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Anfrage244384.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Anfrage244384.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Anfrage244384.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Anfrage244384.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Anfrage244384.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Anfrage244384.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Anfrage244384.exe	Section loaded: ncryptsslp.dll	Jump to behavior

Source: C:\Users\user\Desktop\Anfrage244384.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Switches to a custom stack to bypass stack traces

Source: Anfrage244384.exe

Static file information: File size 1235192 > 1048576

Source: Anfrage244384.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: mshtml.pdb source: Anfrage244384.exe, 00000003.00000001.2332876628.0000000000649000.00000020.00000001.01000000.00000007.sdmp
Source:	Binary string: wntdll.pdbUGP source: Anfrage244384.exe, 00000003.00000002.3110255884.0000000034EEE000.00000040.00001000.00020000.00000000.sdmp, Anfrage244384.exe, 00000003.00000002.3110255884.0000000034D50000.00000040.00001000.00020000.00000000.sdmp, Anfrage244384.exe, 00000003.00000003.2748365519.00000000349F3000.00000004.00000020.00020000.00000000.sdmp, Anfrage244384.exe, 00000003.00000003.2750495664.0000000034BA7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: Anfrage244384.exe, Anfrage244384.exe, 00000003.00000002.3110255884.0000000034EEE000.00000040.00001000.00020000.00000000.sdmp, Anfrage244384.exe, 00000003.00000002.3110255884.0000000034D50000.00000040.00001000.00020000.00000000.sdmp, Anfrage244384.exe, 00000003.00000003.2748365519.00000000349F3000.00000004.00000020.00020000.00000000.sdmp, Anfrage244384.exe, 00000003.00000003.2750495664.0000000034BA7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mshtml.pdbUGP source: Anfrage244384.exe, 00000003.00000001.2332876628.0000000000649000.00000020.00000001.01000000.00000007.sdmp

Data Obfuscation

Yara detected GuLoader

Source: Yara match

File source: 00000000.00000002.2333673755.0000000003E32000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\Anfrage244384.exe

Code function: 0_2_10001A5D GlobalAlloc,lstrcpyA,lstrcpyA,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyA,GetModuleHandleA,LoadLibraryA,GetProcAddress,lstrlenA,

0_2_10001A5D

Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 0_2_10002D20 push eax; ret	0_2_10002D4E
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34D59939 push es; iretd	3_2_34D59940
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34D527FA pushad ; ret	3_2_34D527F9
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34D5225F pushad ; ret	3_2_34D527F9
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34D5283D push eax; iretd	3_2_34D52858
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34D809AD push ecx; mov dword ptr [esp], ecx	3_2_34D809B6

Source: C:\Users\user\Desktop\Anfrage244384.exe

File created: C:\Users\user\AppData\Local\Temp\nsb8E12.tmp\System.dll

Jump to dropped file

Source: C:\Users\user\Desktop\Anfrage244384.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Anfrage244384.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Anfrage244384.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\Anfrage244384.exe	API/Special instruction interceptor: Address: 40FEB98
Source: C:\Users\user\Desktop\Anfrage244384.exe	API/Special instruction interceptor: Address: 2DFEB98

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\Anfrage244384.exe	RDTSC instruction interceptor: First address: 40C40EF second address: 40C40EF instructions: 0x00000000 rdtsc 0x00000002 test ch, bh 0x00000004 cmp ebx, ecx 0x00000006 jc 00007F03F4BF3626h 0x00000008 inc ebp 0x00000009 test bl, cl 0x0000000b inc ebx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\Anfrage244384.exe	RDTSC instruction interceptor: First address: 2DC40EF second address: 2DC40EF instructions: 0x00000000 rdtsc 0x00000002 test ch, bh 0x00000004 cmp ebx, ecx 0x00000006 jc 00007F03F4D56FC6h 0x00000008 inc ebp 0x00000009 test bl, cl 0x0000000b inc ebx 0x0000000c rdtsc

Source: C:\Users\user\Desktop\Anfrage244384.exe

Code function: 3_2_34DFD1C0 rdtsc

3_2_34DFD1C0

Source: C:\Users\user\Desktop\Anfrage244384.exe

Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsb8E12.tmp\System.dll

Jump to dropped file

Source: C:\Users\user\Desktop\Anfrage244384.exe

API coverage: 0.1 %

Source: C:\Users\user\Desktop\Anfrage244384.exe TID: 2464

Thread sleep time: -30000s >= -30000s

Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 0_2_00405665 GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,	0_2_00405665
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 0_2_0040270B FindFirstFileA,	0_2_0040270B
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 0_2_004060C7 FindFirstFileA,FindClose,	0_2_004060C7

Source: Anfrage244384.exe, 00000003.00000002.3081263744.0000000004CAF000.00000004.00000020.00020000.00000000.sdmp, Anfrage244384.exe, 00000003.00000002.3081198942.0000000004C58000.00000004.00000020.00020000.00000000.sdmp, Anfrage244384.exe, 00000003.00000003.2748908748.0000000004CAF000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW

Source: C:\Users\user\Desktop\Anfrage244384.exe	API call chain: ExitProcess graph end node			graph_0-3753
Source: C:\Users\user\Desktop\Anfrage244384.exe	API call chain: ExitProcess graph end node			graph_0-3939

Source: C:\Users\user\Desktop\Anfrage244384.exe

Code function: 3_2_34DFD1C0 rdtsc

3_2_34DFD1C0

Source: C:\Users\user\Desktop\Anfrage244384.exe

Code function: 3_2_34DC35C0 NtCreateMutant,LdrInitializeThunk,

3_2_34DC35C0

Source: C:\Users\user\Desktop\Anfrage244384.exe

Code function: 0_2_10001A5D GlobalAlloc,lstrcpyA,lstrcpyA,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyA,GetModuleHandleA,LoadLibraryA,GetProcAddress,lstrlenA,

0_2_10001A5D

Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34E294E0 mov eax, dword ptr fs:[00000030h]	3_2_34E294E0
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34E554DB mov eax, dword ptr fs:[00000030h]	3_2_34E554DB
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34D7B480 mov eax, dword ptr fs:[00000030h]	3_2_34D7B480
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34D89486 mov eax, dword ptr fs:[00000030h]	3_2_34D89486
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34D89486 mov eax, dword ptr fs:[00000030h]	3_2_34D89486
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34D774B0 mov eax, dword ptr fs:[00000030h]	3_2_34D774B0
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34D774B0 mov eax, dword ptr fs:[00000030h]	3_2_34D774B0
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34DB34B0 mov eax, dword ptr fs:[00000030h]	3_2_34DB34B0
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34D8B440 mov eax, dword ptr fs:[00000030h]	3_2_34D8B440
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34D8B440 mov eax, dword ptr fs:[00000030h]	3_2_34D8B440
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34D8B440 mov eax, dword ptr fs:[00000030h]	3_2_34D8B440
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34D8B440 mov eax, dword ptr fs:[00000030h]	3_2_34D8B440
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34D8B440 mov eax, dword ptr fs:[00000030h]	3_2_34D8B440
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34D8B440 mov eax, dword ptr fs:[00000030h]	3_2_34D8B440
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34E5547F mov eax, dword ptr fs:[00000030h]	3_2_34E5547F
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34E3F453 mov eax, dword ptr fs:[00000030h]	3_2_34E3F453
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34E2B450 mov eax, dword ptr fs:[00000030h]	3_2_34E2B450
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34E2B450 mov eax, dword ptr fs:[00000030h]	3_2_34E2B450
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34E2B450 mov eax, dword ptr fs:[00000030h]	3_2_34E2B450
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34E2B450 mov eax, dword ptr fs:[00000030h]	3_2_34E2B450
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34D81460 mov eax, dword ptr fs:[00000030h]	3_2_34D81460
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34D81460 mov eax, dword ptr fs:[00000030h]	3_2_34D81460
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34D81460 mov eax, dword ptr fs:[00000030h]	3_2_34D81460
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34D81460 mov eax, dword ptr fs:[00000030h]	3_2_34D81460
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34D81460 mov eax, dword ptr fs:[00000030h]	3_2_34D81460
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34D9F460 mov eax, dword ptr fs:[00000030h]	3_2_34D9F460
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34D9F460 mov eax, dword ptr fs:[00000030h]	3_2_34D9F460
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34D9F460 mov eax, dword ptr fs:[00000030h]	3_2_34D9F460
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34D9F460 mov eax, dword ptr fs:[00000030h]	3_2_34D9F460
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34D9F460 mov eax, dword ptr fs:[00000030h]	3_2_34D9F460
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34D9F460 mov eax, dword ptr fs:[00000030h]	3_2_34D9F460
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34DA340D mov eax, dword ptr fs:[00000030h]	3_2_34DA340D
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34E07410 mov eax, dword ptr fs:[00000030h]	3_2_34E07410
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34DA95DA mov eax, dword ptr fs:[00000030h]	3_2_34DA95DA
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34DFD5D0 mov eax, dword ptr fs:[00000030h]	3_2_34DFD5D0
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34DFD5D0 mov ecx, dword ptr fs:[00000030h]	3_2_34DFD5D0
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34DB55C0 mov eax, dword ptr fs:[00000030h]	3_2_34DB55C0
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34E555C9 mov eax, dword ptr fs:[00000030h]	3_2_34E555C9
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34DA15F4 mov eax, dword ptr fs:[00000030h]	3_2_34DA15F4
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34DA15F4 mov eax, dword ptr fs:[00000030h]	3_2_34DA15F4
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34DA15F4 mov eax, dword ptr fs:[00000030h]	3_2_34DA15F4
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34DA15F4 mov eax, dword ptr fs:[00000030h]	3_2_34DA15F4
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34DA15F4 mov eax, dword ptr fs:[00000030h]	3_2_34DA15F4
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34DA15F4 mov eax, dword ptr fs:[00000030h]	3_2_34DA15F4
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34E535D7 mov eax, dword ptr fs:[00000030h]	3_2_34E535D7
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34E535D7 mov eax, dword ptr fs:[00000030h]	3_2_34E535D7
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34E535D7 mov eax, dword ptr fs:[00000030h]	3_2_34E535D7
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34E1D5B0 mov eax, dword ptr fs:[00000030h]	3_2_34E1D5B0
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34E1D5B0 mov eax, dword ptr fs:[00000030h]	3_2_34E1D5B0
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34D7758F mov eax, dword ptr fs:[00000030h]	3_2_34D7758F
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34D7758F mov eax, dword ptr fs:[00000030h]	3_2_34D7758F
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34D7758F mov eax, dword ptr fs:[00000030h]	3_2_34D7758F
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34E135BA mov eax, dword ptr fs:[00000030h]	3_2_34E135BA
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34E135BA mov eax, dword ptr fs:[00000030h]	3_2_34E135BA
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34E135BA mov eax, dword ptr fs:[00000030h]	3_2_34E135BA
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34E135BA mov eax, dword ptr fs:[00000030h]	3_2_34E135BA
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34E3F5BE mov eax, dword ptr fs:[00000030h]	3_2_34E3F5BE
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34DAF5B0 mov eax, dword ptr fs:[00000030h]	3_2_34DAF5B0
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34DAF5B0 mov eax, dword ptr fs:[00000030h]	3_2_34DAF5B0
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34DAF5B0 mov eax, dword ptr fs:[00000030h]	3_2_34DAF5B0
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34DAF5B0 mov eax, dword ptr fs:[00000030h]	3_2_34DAF5B0
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34DAF5B0 mov eax, dword ptr fs:[00000030h]	3_2_34DAF5B0
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34DAF5B0 mov eax, dword ptr fs:[00000030h]	3_2_34DAF5B0
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34DAF5B0 mov eax, dword ptr fs:[00000030h]	3_2_34DAF5B0
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34DAF5B0 mov eax, dword ptr fs:[00000030h]	3_2_34DAF5B0
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34DAF5B0 mov eax, dword ptr fs:[00000030h]	3_2_34DAF5B0
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34DA15A9 mov eax, dword ptr fs:[00000030h]	3_2_34DA15A9
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34DA15A9 mov eax, dword ptr fs:[00000030h]	3_2_34DA15A9
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34DA15A9 mov eax, dword ptr fs:[00000030h]	3_2_34DA15A9
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34DA15A9 mov eax, dword ptr fs:[00000030h]	3_2_34DA15A9
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34DA15A9 mov eax, dword ptr fs:[00000030h]	3_2_34DA15A9
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34E0B594 mov eax, dword ptr fs:[00000030h]	3_2_34E0B594
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34E0B594 mov eax, dword ptr fs:[00000030h]	3_2_34E0B594
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34DBB570 mov eax, dword ptr fs:[00000030h]	3_2_34DBB570
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34DBB570 mov eax, dword ptr fs:[00000030h]	3_2_34DBB570
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34E2B550 mov eax, dword ptr fs:[00000030h]	3_2_34E2B550
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34E2B550 mov eax, dword ptr fs:[00000030h]	3_2_34E2B550
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34E2B550 mov eax, dword ptr fs:[00000030h]	3_2_34E2B550
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34D7B562 mov eax, dword ptr fs:[00000030h]	3_2_34D7B562
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34E2F525 mov eax, dword ptr fs:[00000030h]	3_2_34E2F525
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34E2F525 mov eax, dword ptr fs:[00000030h]	3_2_34E2F525
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34E2F525 mov eax, dword ptr fs:[00000030h]	3_2_34E2F525
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34E2F525 mov eax, dword ptr fs:[00000030h]	3_2_34E2F525
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34E2F525 mov eax, dword ptr fs:[00000030h]	3_2_34E2F525
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34E2F525 mov eax, dword ptr fs:[00000030h]	3_2_34E2F525
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34E2F525 mov eax, dword ptr fs:[00000030h]	3_2_34E2F525
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34E3B52F mov eax, dword ptr fs:[00000030h]	3_2_34E3B52F
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34E55537 mov eax, dword ptr fs:[00000030h]	3_2_34E55537
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34DB7505 mov eax, dword ptr fs:[00000030h]	3_2_34DB7505
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34DB7505 mov ecx, dword ptr fs:[00000030h]	3_2_34DB7505
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34DBD530 mov eax, dword ptr fs:[00000030h]	3_2_34DBD530
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34DBD530 mov eax, dword ptr fs:[00000030h]	3_2_34DBD530
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34D8D534 mov eax, dword ptr fs:[00000030h]	3_2_34D8D534
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34D8D534 mov eax, dword ptr fs:[00000030h]	3_2_34D8D534
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34D8D534 mov eax, dword ptr fs:[00000030h]	3_2_34D8D534
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34D8D534 mov eax, dword ptr fs:[00000030h]	3_2_34D8D534
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34D8D534 mov eax, dword ptr fs:[00000030h]	3_2_34D8D534
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34D8D534 mov eax, dword ptr fs:[00000030h]	3_2_34D8D534
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34E136EE mov eax, dword ptr fs:[00000030h]	3_2_34E136EE
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34E136EE mov eax, dword ptr fs:[00000030h]	3_2_34E136EE
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34E136EE mov eax, dword ptr fs:[00000030h]	3_2_34E136EE
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34E136EE mov eax, dword ptr fs:[00000030h]	3_2_34E136EE
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34E136EE mov eax, dword ptr fs:[00000030h]	3_2_34E136EE
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34E136EE mov eax, dword ptr fs:[00000030h]	3_2_34E136EE
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34E3D6F0 mov eax, dword ptr fs:[00000030h]	3_2_34E3D6F0
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34DB16CF mov eax, dword ptr fs:[00000030h]	3_2_34DB16CF
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34D8B6C0 mov eax, dword ptr fs:[00000030h]	3_2_34D8B6C0
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34D8B6C0 mov eax, dword ptr fs:[00000030h]	3_2_34D8B6C0
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34D8B6C0 mov eax, dword ptr fs:[00000030h]	3_2_34D8B6C0
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34D8B6C0 mov eax, dword ptr fs:[00000030h]	3_2_34D8B6C0
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34D8B6C0 mov eax, dword ptr fs:[00000030h]	3_2_34D8B6C0
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34D8B6C0 mov eax, dword ptr fs:[00000030h]	3_2_34D8B6C0
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34E3F6C7 mov eax, dword ptr fs:[00000030h]	3_2_34E3F6C7
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34E416CC mov eax, dword ptr fs:[00000030h]	3_2_34E416CC
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34E416CC mov eax, dword ptr fs:[00000030h]	3_2_34E416CC
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34E416CC mov eax, dword ptr fs:[00000030h]	3_2_34E416CC
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34E416CC mov eax, dword ptr fs:[00000030h]	3_2_34E416CC
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34DB36EF mov eax, dword ptr fs:[00000030h]	3_2_34DB36EF
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34DAD6E0 mov eax, dword ptr fs:[00000030h]	3_2_34DAD6E0
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34DAD6E0 mov eax, dword ptr fs:[00000030h]	3_2_34DAD6E0
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34D776B2 mov eax, dword ptr fs:[00000030h]	3_2_34D776B2
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34D776B2 mov eax, dword ptr fs:[00000030h]	3_2_34D776B2
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34D776B2 mov eax, dword ptr fs:[00000030h]	3_2_34D776B2
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34E0368C mov eax, dword ptr fs:[00000030h]	3_2_34E0368C
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34E0368C mov eax, dword ptr fs:[00000030h]	3_2_34E0368C
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34E0368C mov eax, dword ptr fs:[00000030h]	3_2_34E0368C
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34E0368C mov eax, dword ptr fs:[00000030h]	3_2_34E0368C
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34D7D6AA mov eax, dword ptr fs:[00000030h]	3_2_34D7D6AA
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34D7D6AA mov eax, dword ptr fs:[00000030h]	3_2_34D7D6AA
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34E1D660 mov eax, dword ptr fs:[00000030h]	3_2_34E1D660
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34DB9660 mov eax, dword ptr fs:[00000030h]	3_2_34DB9660
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34DB9660 mov eax, dword ptr fs:[00000030h]	3_2_34DB9660
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34D83616 mov eax, dword ptr fs:[00000030h]	3_2_34D83616
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34D83616 mov eax, dword ptr fs:[00000030h]	3_2_34D83616
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34E55636 mov eax, dword ptr fs:[00000030h]	3_2_34E55636
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34DBF603 mov eax, dword ptr fs:[00000030h]	3_2_34DBF603
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34DB1607 mov eax, dword ptr fs:[00000030h]	3_2_34DB1607
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34D7F626 mov eax, dword ptr fs:[00000030h]	3_2_34D7F626
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34D7F626 mov eax, dword ptr fs:[00000030h]	3_2_34D7F626
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34D7F626 mov eax, dword ptr fs:[00000030h]	3_2_34D7F626
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34D7F626 mov eax, dword ptr fs:[00000030h]	3_2_34D7F626
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34D7F626 mov eax, dword ptr fs:[00000030h]	3_2_34D7F626
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34D7F626 mov eax, dword ptr fs:[00000030h]	3_2_34D7F626
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34D7F626 mov eax, dword ptr fs:[00000030h]	3_2_34D7F626
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34D7F626 mov eax, dword ptr fs:[00000030h]	3_2_34D7F626
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34D7F626 mov eax, dword ptr fs:[00000030h]	3_2_34D7F626
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34D857C0 mov eax, dword ptr fs:[00000030h]	3_2_34D857C0
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34D857C0 mov eax, dword ptr fs:[00000030h]	3_2_34D857C0
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34D857C0 mov eax, dword ptr fs:[00000030h]	3_2_34D857C0
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34D8D7E0 mov ecx, dword ptr fs:[00000030h]	3_2_34D8D7E0
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34E097A9 mov eax, dword ptr fs:[00000030h]	3_2_34E097A9
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34E0F7AF mov eax, dword ptr fs:[00000030h]	3_2_34E0F7AF
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34E0F7AF mov eax, dword ptr fs:[00000030h]	3_2_34E0F7AF
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34E0F7AF mov eax, dword ptr fs:[00000030h]	3_2_34E0F7AF
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34E0F7AF mov eax, dword ptr fs:[00000030h]	3_2_34E0F7AF
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34E0F7AF mov eax, dword ptr fs:[00000030h]	3_2_34E0F7AF
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34E537B6 mov eax, dword ptr fs:[00000030h]	3_2_34E537B6
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34E3F78A mov eax, dword ptr fs:[00000030h]	3_2_34E3F78A
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34DAD7B0 mov eax, dword ptr fs:[00000030h]	3_2_34DAD7B0
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34D7F7BA mov eax, dword ptr fs:[00000030h]	3_2_34D7F7BA
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34D7F7BA mov eax, dword ptr fs:[00000030h]	3_2_34D7F7BA
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34D7F7BA mov eax, dword ptr fs:[00000030h]	3_2_34D7F7BA
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34D7F7BA mov eax, dword ptr fs:[00000030h]	3_2_34D7F7BA
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34D7F7BA mov eax, dword ptr fs:[00000030h]	3_2_34D7F7BA
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34D7F7BA mov eax, dword ptr fs:[00000030h]	3_2_34D7F7BA
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34D7F7BA mov eax, dword ptr fs:[00000030h]	3_2_34D7F7BA
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34D7F7BA mov eax, dword ptr fs:[00000030h]	3_2_34D7F7BA
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34D7F7BA mov eax, dword ptr fs:[00000030h]	3_2_34D7F7BA
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34D93740 mov eax, dword ptr fs:[00000030h]	3_2_34D93740
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34D93740 mov eax, dword ptr fs:[00000030h]	3_2_34D93740
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34D93740 mov eax, dword ptr fs:[00000030h]	3_2_34D93740
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34E53749 mov eax, dword ptr fs:[00000030h]	3_2_34E53749
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34D7B765 mov eax, dword ptr fs:[00000030h]	3_2_34D7B765
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34D7B765 mov eax, dword ptr fs:[00000030h]	3_2_34D7B765
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34D7B765 mov eax, dword ptr fs:[00000030h]	3_2_34D7B765
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34D7B765 mov eax, dword ptr fs:[00000030h]	3_2_34D7B765
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34E2375F mov eax, dword ptr fs:[00000030h]	3_2_34E2375F
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34E2375F mov eax, dword ptr fs:[00000030h]	3_2_34E2375F
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34E2375F mov eax, dword ptr fs:[00000030h]	3_2_34E2375F
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34E2375F mov eax, dword ptr fs:[00000030h]	3_2_34E2375F
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34E2375F mov eax, dword ptr fs:[00000030h]	3_2_34E2375F
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34DBF71F mov eax, dword ptr fs:[00000030h]	3_2_34DBF71F
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34DBF71F mov eax, dword ptr fs:[00000030h]	3_2_34DBF71F
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34E3F72E mov eax, dword ptr fs:[00000030h]	3_2_34E3F72E
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34E4972B mov eax, dword ptr fs:[00000030h]	3_2_34E4972B
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34E5B73C mov eax, dword ptr fs:[00000030h]	3_2_34E5B73C
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34E5B73C mov eax, dword ptr fs:[00000030h]	3_2_34E5B73C
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34E5B73C mov eax, dword ptr fs:[00000030h]	3_2_34E5B73C
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34E5B73C mov eax, dword ptr fs:[00000030h]	3_2_34E5B73C
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34D85702 mov eax, dword ptr fs:[00000030h]	3_2_34D85702
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34D85702 mov eax, dword ptr fs:[00000030h]	3_2_34D85702
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34D87703 mov eax, dword ptr fs:[00000030h]	3_2_34D87703
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34D8973A mov eax, dword ptr fs:[00000030h]	3_2_34D8973A
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34D8973A mov eax, dword ptr fs:[00000030h]	3_2_34D8973A
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34D79730 mov eax, dword ptr fs:[00000030h]	3_2_34D79730
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34D79730 mov eax, dword ptr fs:[00000030h]	3_2_34D79730
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34DB5734 mov eax, dword ptr fs:[00000030h]	3_2_34DB5734
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34D83720 mov eax, dword ptr fs:[00000030h]	3_2_34D83720
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34D9F720 mov eax, dword ptr fs:[00000030h]	3_2_34D9F720
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34D9F720 mov eax, dword ptr fs:[00000030h]	3_2_34D9F720
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34D9F720 mov eax, dword ptr fs:[00000030h]	3_2_34D9F720
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34DA90DB mov eax, dword ptr fs:[00000030h]	3_2_34DA90DB
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34D970C0 mov eax, dword ptr fs:[00000030h]	3_2_34D970C0
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34D970C0 mov ecx, dword ptr fs:[00000030h]	3_2_34D970C0
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34D970C0 mov ecx, dword ptr fs:[00000030h]	3_2_34D970C0
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34D970C0 mov eax, dword ptr fs:[00000030h]	3_2_34D970C0
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34D970C0 mov ecx, dword ptr fs:[00000030h]	3_2_34D970C0
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34D970C0 mov ecx, dword ptr fs:[00000030h]	3_2_34D970C0
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34D970C0 mov eax, dword ptr fs:[00000030h]	3_2_34D970C0
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34D970C0 mov eax, dword ptr fs:[00000030h]	3_2_34D970C0
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34D970C0 mov eax, dword ptr fs:[00000030h]	3_2_34D970C0
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34D970C0 mov eax, dword ptr fs:[00000030h]	3_2_34D970C0
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34D970C0 mov eax, dword ptr fs:[00000030h]	3_2_34D970C0
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34D970C0 mov eax, dword ptr fs:[00000030h]	3_2_34D970C0
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34D970C0 mov eax, dword ptr fs:[00000030h]	3_2_34D970C0
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34D970C0 mov eax, dword ptr fs:[00000030h]	3_2_34D970C0
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34D970C0 mov eax, dword ptr fs:[00000030h]	3_2_34D970C0
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34D970C0 mov eax, dword ptr fs:[00000030h]	3_2_34D970C0
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34D970C0 mov eax, dword ptr fs:[00000030h]	3_2_34D970C0
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34D970C0 mov eax, dword ptr fs:[00000030h]	3_2_34D970C0
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34DFD0C0 mov eax, dword ptr fs:[00000030h]	3_2_34DFD0C0
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34DFD0C0 mov eax, dword ptr fs:[00000030h]	3_2_34DFD0C0
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34E550D9 mov eax, dword ptr fs:[00000030h]	3_2_34E550D9
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34DA50E4 mov eax, dword ptr fs:[00000030h]	3_2_34DA50E4
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34DA50E4 mov ecx, dword ptr fs:[00000030h]	3_2_34DA50E4
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34DB909C mov eax, dword ptr fs:[00000030h]	3_2_34DB909C
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34DAD090 mov eax, dword ptr fs:[00000030h]	3_2_34DAD090
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34DAD090 mov eax, dword ptr fs:[00000030h]	3_2_34DAD090
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34D85096 mov eax, dword ptr fs:[00000030h]	3_2_34D85096
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34D7D08D mov eax, dword ptr fs:[00000030h]	3_2_34D7D08D
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34E0D080 mov eax, dword ptr fs:[00000030h]	3_2_34E0D080
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34E0D080 mov eax, dword ptr fs:[00000030h]	3_2_34E0D080
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34E55060 mov eax, dword ptr fs:[00000030h]	3_2_34E55060
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34DAB052 mov eax, dword ptr fs:[00000030h]	3_2_34DAB052
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34E0106E mov eax, dword ptr fs:[00000030h]	3_2_34E0106E
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34D91070 mov eax, dword ptr fs:[00000030h]	3_2_34D91070
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34D91070 mov ecx, dword ptr fs:[00000030h]	3_2_34D91070
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34D91070 mov eax, dword ptr fs:[00000030h]	3_2_34D91070
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34D91070 mov eax, dword ptr fs:[00000030h]	3_2_34D91070
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34D91070 mov eax, dword ptr fs:[00000030h]	3_2_34D91070
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34D91070 mov eax, dword ptr fs:[00000030h]	3_2_34D91070
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34D91070 mov eax, dword ptr fs:[00000030h]	3_2_34D91070
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34D91070 mov eax, dword ptr fs:[00000030h]	3_2_34D91070
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34D91070 mov eax, dword ptr fs:[00000030h]	3_2_34D91070
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34D91070 mov eax, dword ptr fs:[00000030h]	3_2_34D91070
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34D91070 mov eax, dword ptr fs:[00000030h]	3_2_34D91070
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34D91070 mov eax, dword ptr fs:[00000030h]	3_2_34D91070
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34D91070 mov eax, dword ptr fs:[00000030h]	3_2_34D91070
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34DFD070 mov ecx, dword ptr fs:[00000030h]	3_2_34DFD070
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34E2705E mov ebx, dword ptr fs:[00000030h]	3_2_34E2705E
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34E2705E mov eax, dword ptr fs:[00000030h]	3_2_34E2705E
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34E4903E mov eax, dword ptr fs:[00000030h]	3_2_34E4903E
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34E4903E mov eax, dword ptr fs:[00000030h]	3_2_34E4903E
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34E4903E mov eax, dword ptr fs:[00000030h]	3_2_34E4903E
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34E4903E mov eax, dword ptr fs:[00000030h]	3_2_34E4903E
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34DBD1D0 mov eax, dword ptr fs:[00000030h]	3_2_34DBD1D0
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34DBD1D0 mov ecx, dword ptr fs:[00000030h]	3_2_34DBD1D0
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34E271F9 mov esi, dword ptr fs:[00000030h]	3_2_34E271F9
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34E551CB mov eax, dword ptr fs:[00000030h]	3_2_34E551CB
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34DA51EF mov eax, dword ptr fs:[00000030h]	3_2_34DA51EF
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34DA51EF mov eax, dword ptr fs:[00000030h]	3_2_34DA51EF
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34DA51EF mov eax, dword ptr fs:[00000030h]	3_2_34DA51EF
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34DA51EF mov eax, dword ptr fs:[00000030h]	3_2_34DA51EF
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34DA51EF mov eax, dword ptr fs:[00000030h]	3_2_34DA51EF
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34DA51EF mov eax, dword ptr fs:[00000030h]	3_2_34DA51EF
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34DA51EF mov eax, dword ptr fs:[00000030h]	3_2_34DA51EF
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34DA51EF mov eax, dword ptr fs:[00000030h]	3_2_34DA51EF
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34DA51EF mov eax, dword ptr fs:[00000030h]	3_2_34DA51EF
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34DA51EF mov eax, dword ptr fs:[00000030h]	3_2_34DA51EF
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34DA51EF mov eax, dword ptr fs:[00000030h]	3_2_34DA51EF
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34DA51EF mov eax, dword ptr fs:[00000030h]	3_2_34DA51EF
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34DA51EF mov eax, dword ptr fs:[00000030h]	3_2_34DA51EF
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34D851ED mov eax, dword ptr fs:[00000030h]	3_2_34D851ED
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34E311A4 mov eax, dword ptr fs:[00000030h]	3_2_34E311A4
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34E311A4 mov eax, dword ptr fs:[00000030h]	3_2_34E311A4
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34E311A4 mov eax, dword ptr fs:[00000030h]	3_2_34E311A4
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34E311A4 mov eax, dword ptr fs:[00000030h]	3_2_34E311A4
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34DD7190 mov eax, dword ptr fs:[00000030h]	3_2_34DD7190
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34D9B1B0 mov eax, dword ptr fs:[00000030h]	3_2_34D9B1B0
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34D87152 mov eax, dword ptr fs:[00000030h]	3_2_34D87152
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34E19179 mov eax, dword ptr fs:[00000030h]	3_2_34E19179
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34D79148 mov eax, dword ptr fs:[00000030h]	3_2_34D79148
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34D79148 mov eax, dword ptr fs:[00000030h]	3_2_34D79148
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34D79148 mov eax, dword ptr fs:[00000030h]	3_2_34D79148
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34D79148 mov eax, dword ptr fs:[00000030h]	3_2_34D79148
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34E13140 mov eax, dword ptr fs:[00000030h]	3_2_34E13140
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34E13140 mov eax, dword ptr fs:[00000030h]	3_2_34E13140
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34E13140 mov eax, dword ptr fs:[00000030h]	3_2_34E13140
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34D7F172 mov eax, dword ptr fs:[00000030h]	3_2_34D7F172
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34D7F172 mov eax, dword ptr fs:[00000030h]	3_2_34D7F172
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34D7F172 mov eax, dword ptr fs:[00000030h]	3_2_34D7F172
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34D7F172 mov eax, dword ptr fs:[00000030h]	3_2_34D7F172
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34D7F172 mov eax, dword ptr fs:[00000030h]	3_2_34D7F172
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34D7F172 mov eax, dword ptr fs:[00000030h]	3_2_34D7F172
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34D7F172 mov eax, dword ptr fs:[00000030h]	3_2_34D7F172
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34D7F172 mov eax, dword ptr fs:[00000030h]	3_2_34D7F172
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34D7F172 mov eax, dword ptr fs:[00000030h]	3_2_34D7F172
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34D7F172 mov eax, dword ptr fs:[00000030h]	3_2_34D7F172
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34D7F172 mov eax, dword ptr fs:[00000030h]	3_2_34D7F172
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34D7F172 mov eax, dword ptr fs:[00000030h]	3_2_34D7F172
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34D7F172 mov eax, dword ptr fs:[00000030h]	3_2_34D7F172
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34D7F172 mov eax, dword ptr fs:[00000030h]	3_2_34D7F172
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34D7F172 mov eax, dword ptr fs:[00000030h]	3_2_34D7F172
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34D7F172 mov eax, dword ptr fs:[00000030h]	3_2_34D7F172
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34D7F172 mov eax, dword ptr fs:[00000030h]	3_2_34D7F172
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34D7F172 mov eax, dword ptr fs:[00000030h]	3_2_34D7F172
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34D7F172 mov eax, dword ptr fs:[00000030h]	3_2_34D7F172
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34D7F172 mov eax, dword ptr fs:[00000030h]	3_2_34D7F172
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34D7F172 mov eax, dword ptr fs:[00000030h]	3_2_34D7F172
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34E55152 mov eax, dword ptr fs:[00000030h]	3_2_34E55152
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34D7B136 mov eax, dword ptr fs:[00000030h]	3_2_34D7B136
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34D7B136 mov eax, dword ptr fs:[00000030h]	3_2_34D7B136
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34D7B136 mov eax, dword ptr fs:[00000030h]	3_2_34D7B136
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34D7B136 mov eax, dword ptr fs:[00000030h]	3_2_34D7B136
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34D81131 mov eax, dword ptr fs:[00000030h]	3_2_34D81131
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34D81131 mov eax, dword ptr fs:[00000030h]	3_2_34D81131
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34D7B2D3 mov eax, dword ptr fs:[00000030h]	3_2_34D7B2D3
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34D7B2D3 mov eax, dword ptr fs:[00000030h]	3_2_34D7B2D3
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34D7B2D3 mov eax, dword ptr fs:[00000030h]	3_2_34D7B2D3
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34E552E2 mov eax, dword ptr fs:[00000030h]	3_2_34E552E2
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34DAF2D0 mov eax, dword ptr fs:[00000030h]	3_2_34DAF2D0
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34DAF2D0 mov eax, dword ptr fs:[00000030h]	3_2_34DAF2D0
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34E312ED mov eax, dword ptr fs:[00000030h]	3_2_34E312ED
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34E312ED mov eax, dword ptr fs:[00000030h]	3_2_34E312ED
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34E312ED mov eax, dword ptr fs:[00000030h]	3_2_34E312ED
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34E312ED mov eax, dword ptr fs:[00000030h]	3_2_34E312ED
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34E312ED mov eax, dword ptr fs:[00000030h]	3_2_34E312ED
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34E312ED mov eax, dword ptr fs:[00000030h]	3_2_34E312ED
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34E312ED mov eax, dword ptr fs:[00000030h]	3_2_34E312ED
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34E312ED mov eax, dword ptr fs:[00000030h]	3_2_34E312ED
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34E312ED mov eax, dword ptr fs:[00000030h]	3_2_34E312ED
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34E312ED mov eax, dword ptr fs:[00000030h]	3_2_34E312ED
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34E312ED mov eax, dword ptr fs:[00000030h]	3_2_34E312ED
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34E312ED mov eax, dword ptr fs:[00000030h]	3_2_34E312ED
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34E312ED mov eax, dword ptr fs:[00000030h]	3_2_34E312ED
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34E312ED mov eax, dword ptr fs:[00000030h]	3_2_34E312ED
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34E2B2F0 mov eax, dword ptr fs:[00000030h]	3_2_34E2B2F0
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34E2B2F0 mov eax, dword ptr fs:[00000030h]	3_2_34E2B2F0
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34DAB2C0 mov eax, dword ptr fs:[00000030h]	3_2_34DAB2C0
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34DAB2C0 mov eax, dword ptr fs:[00000030h]	3_2_34DAB2C0
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34DAB2C0 mov eax, dword ptr fs:[00000030h]	3_2_34DAB2C0
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34DAB2C0 mov eax, dword ptr fs:[00000030h]	3_2_34DAB2C0
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34DAB2C0 mov eax, dword ptr fs:[00000030h]	3_2_34DAB2C0
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34DAB2C0 mov eax, dword ptr fs:[00000030h]	3_2_34DAB2C0
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34DAB2C0 mov eax, dword ptr fs:[00000030h]	3_2_34DAB2C0
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34E3F2F8 mov eax, dword ptr fs:[00000030h]	3_2_34E3F2F8
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34D892C5 mov eax, dword ptr fs:[00000030h]	3_2_34D892C5
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34D892C5 mov eax, dword ptr fs:[00000030h]	3_2_34D892C5
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34D792FF mov eax, dword ptr fs:[00000030h]	3_2_34D792FF
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34E172A0 mov eax, dword ptr fs:[00000030h]	3_2_34E172A0
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34E172A0 mov eax, dword ptr fs:[00000030h]	3_2_34E172A0
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34E492A6 mov eax, dword ptr fs:[00000030h]	3_2_34E492A6
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34E492A6 mov eax, dword ptr fs:[00000030h]	3_2_34E492A6
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34E492A6 mov eax, dword ptr fs:[00000030h]	3_2_34E492A6
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34E492A6 mov eax, dword ptr fs:[00000030h]	3_2_34E492A6
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34DB329E mov eax, dword ptr fs:[00000030h]	3_2_34DB329E
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34DB329E mov eax, dword ptr fs:[00000030h]	3_2_34DB329E
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34E092BC mov eax, dword ptr fs:[00000030h]	3_2_34E092BC
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34E092BC mov eax, dword ptr fs:[00000030h]	3_2_34E092BC
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34E092BC mov ecx, dword ptr fs:[00000030h]	3_2_34E092BC
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34E092BC mov ecx, dword ptr fs:[00000030h]	3_2_34E092BC
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34E55283 mov eax, dword ptr fs:[00000030h]	3_2_34E55283
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34D952A0 mov eax, dword ptr fs:[00000030h]	3_2_34D952A0
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34D952A0 mov eax, dword ptr fs:[00000030h]	3_2_34D952A0
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34D952A0 mov eax, dword ptr fs:[00000030h]	3_2_34D952A0
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34D952A0 mov eax, dword ptr fs:[00000030h]	3_2_34D952A0
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34E4D26B mov eax, dword ptr fs:[00000030h]	3_2_34E4D26B
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34E4D26B mov eax, dword ptr fs:[00000030h]	3_2_34E4D26B
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34DB724D mov eax, dword ptr fs:[00000030h]	3_2_34DB724D
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34D79240 mov eax, dword ptr fs:[00000030h]	3_2_34D79240
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34D79240 mov eax, dword ptr fs:[00000030h]	3_2_34D79240
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34DC1270 mov eax, dword ptr fs:[00000030h]	3_2_34DC1270
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34DC1270 mov eax, dword ptr fs:[00000030h]	3_2_34DC1270
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34DA9274 mov eax, dword ptr fs:[00000030h]	3_2_34DA9274
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34E0D250 mov ecx, dword ptr fs:[00000030h]	3_2_34E0D250
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34E3B256 mov eax, dword ptr fs:[00000030h]	3_2_34E3B256
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34E3B256 mov eax, dword ptr fs:[00000030h]	3_2_34E3B256
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34E55227 mov eax, dword ptr fs:[00000030h]	3_2_34E55227
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34DB7208 mov eax, dword ptr fs:[00000030h]	3_2_34DB7208
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34DB7208 mov eax, dword ptr fs:[00000030h]	3_2_34DB7208
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34E3F3E6 mov eax, dword ptr fs:[00000030h]	3_2_34E3F3E6
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34E553FC mov eax, dword ptr fs:[00000030h]	3_2_34E553FC
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34E3B3D0 mov ecx, dword ptr fs:[00000030h]	3_2_34E3B3D0
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34DD739A mov eax, dword ptr fs:[00000030h]	3_2_34DD739A
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34DD739A mov eax, dword ptr fs:[00000030h]	3_2_34DD739A
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34E213B9 mov eax, dword ptr fs:[00000030h]	3_2_34E213B9
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34E213B9 mov eax, dword ptr fs:[00000030h]	3_2_34E213B9
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34E213B9 mov eax, dword ptr fs:[00000030h]	3_2_34E213B9
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34E5539D mov eax, dword ptr fs:[00000030h]	3_2_34E5539D
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34DB33A0 mov eax, dword ptr fs:[00000030h]	3_2_34DB33A0
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34DB33A0 mov eax, dword ptr fs:[00000030h]	3_2_34DB33A0
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34DA33A5 mov eax, dword ptr fs:[00000030h]	3_2_34DA33A5
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34D79353 mov eax, dword ptr fs:[00000030h]	3_2_34D79353
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34D79353 mov eax, dword ptr fs:[00000030h]	3_2_34D79353
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34E3F367 mov eax, dword ptr fs:[00000030h]	3_2_34E3F367
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34E23370 mov eax, dword ptr fs:[00000030h]	3_2_34E23370
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34D7D34C mov eax, dword ptr fs:[00000030h]	3_2_34D7D34C
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34D7D34C mov eax, dword ptr fs:[00000030h]	3_2_34D7D34C
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34E55341 mov eax, dword ptr fs:[00000030h]	3_2_34E55341
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34D87370 mov eax, dword ptr fs:[00000030h]	3_2_34D87370
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34D87370 mov eax, dword ptr fs:[00000030h]	3_2_34D87370
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34D87370 mov eax, dword ptr fs:[00000030h]	3_2_34D87370
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34E4132D mov eax, dword ptr fs:[00000030h]	3_2_34E4132D
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34E4132D mov eax, dword ptr fs:[00000030h]	3_2_34E4132D
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34D77330 mov eax, dword ptr fs:[00000030h]	3_2_34D77330
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34E0930B mov eax, dword ptr fs:[00000030h]	3_2_34E0930B
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34E0930B mov eax, dword ptr fs:[00000030h]	3_2_34E0930B
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34E0930B mov eax, dword ptr fs:[00000030h]	3_2_34E0930B
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34DAF32A mov eax, dword ptr fs:[00000030h]	3_2_34DAF32A
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34D77CD5 mov eax, dword ptr fs:[00000030h]	3_2_34D77CD5
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34D77CD5 mov eax, dword ptr fs:[00000030h]	3_2_34D77CD5
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34D77CD5 mov eax, dword ptr fs:[00000030h]	3_2_34D77CD5
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34D77CD5 mov eax, dword ptr fs:[00000030h]	3_2_34D77CD5
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34D77CD5 mov eax, dword ptr fs:[00000030h]	3_2_34D77CD5
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34E21CF9 mov eax, dword ptr fs:[00000030h]	3_2_34E21CF9
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34E21CF9 mov eax, dword ptr fs:[00000030h]	3_2_34E21CF9
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34E21CF9 mov eax, dword ptr fs:[00000030h]	3_2_34E21CF9
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34DB5CC0 mov eax, dword ptr fs:[00000030h]	3_2_34DB5CC0
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34DB5CC0 mov eax, dword ptr fs:[00000030h]	3_2_34DB5CC0
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34D91CC7 mov eax, dword ptr fs:[00000030h]	3_2_34D91CC7
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34D91CC7 mov eax, dword ptr fs:[00000030h]	3_2_34D91CC7
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34E03CDB mov eax, dword ptr fs:[00000030h]	3_2_34E03CDB
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34E03CDB mov eax, dword ptr fs:[00000030h]	3_2_34E03CDB
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34E03CDB mov eax, dword ptr fs:[00000030h]	3_2_34E03CDB
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34E2FCDF mov eax, dword ptr fs:[00000030h]	3_2_34E2FCDF
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34E2FCDF mov eax, dword ptr fs:[00000030h]	3_2_34E2FCDF
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34E2FCDF mov eax, dword ptr fs:[00000030h]	3_2_34E2FCDF
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34E3FCAB mov eax, dword ptr fs:[00000030h]	3_2_34E3FCAB
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34E3FCAB mov eax, dword ptr fs:[00000030h]	3_2_34E3FCAB
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34E3FCAB mov eax, dword ptr fs:[00000030h]	3_2_34E3FCAB
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34E3FCAB mov eax, dword ptr fs:[00000030h]	3_2_34E3FCAB
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34E3FCAB mov eax, dword ptr fs:[00000030h]	3_2_34E3FCAB
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34E3FCAB mov eax, dword ptr fs:[00000030h]	3_2_34E3FCAB
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34E3FCAB mov eax, dword ptr fs:[00000030h]	3_2_34E3FCAB
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34E3FCAB mov eax, dword ptr fs:[00000030h]	3_2_34E3FCAB
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34E3FCAB mov eax, dword ptr fs:[00000030h]	3_2_34E3FCAB
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34E3FCAB mov eax, dword ptr fs:[00000030h]	3_2_34E3FCAB
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34E3FCAB mov eax, dword ptr fs:[00000030h]	3_2_34E3FCAB
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34E3FCAB mov eax, dword ptr fs:[00000030h]	3_2_34E3FCAB
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34E3FCAB mov eax, dword ptr fs:[00000030h]	3_2_34E3FCAB
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34E3FCAB mov eax, dword ptr fs:[00000030h]	3_2_34E3FCAB
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34D83C84 mov eax, dword ptr fs:[00000030h]	3_2_34D83C84
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34D83C84 mov eax, dword ptr fs:[00000030h]	3_2_34D83C84
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34D83C84 mov eax, dword ptr fs:[00000030h]	3_2_34D83C84
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34D83C84 mov eax, dword ptr fs:[00000030h]	3_2_34D83C84
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34D7DCA0 mov eax, dword ptr fs:[00000030h]	3_2_34D7DCA0
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34DAFCA0 mov ecx, dword ptr fs:[00000030h]	3_2_34DAFCA0
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34DAFCA0 mov eax, dword ptr fs:[00000030h]	3_2_34DAFCA0
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34DAFCA0 mov eax, dword ptr fs:[00000030h]	3_2_34DAFCA0
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34DAFCA0 mov eax, dword ptr fs:[00000030h]	3_2_34DAFCA0
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34DAFCA0 mov eax, dword ptr fs:[00000030h]	3_2_34DAFCA0
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34DBBCA0 mov eax, dword ptr fs:[00000030h]	3_2_34DBBCA0
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34DBBCA0 mov eax, dword ptr fs:[00000030h]	3_2_34DBBCA0
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34DBBCA0 mov ecx, dword ptr fs:[00000030h]	3_2_34DBBCA0
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34DBBCA0 mov eax, dword ptr fs:[00000030h]	3_2_34DBBCA0
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34D77C40 mov eax, dword ptr fs:[00000030h]	3_2_34D77C40
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34D77C40 mov ecx, dword ptr fs:[00000030h]	3_2_34D77C40
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34D77C40 mov eax, dword ptr fs:[00000030h]	3_2_34D77C40
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34D77C40 mov eax, dword ptr fs:[00000030h]	3_2_34D77C40
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34DB1C7C mov eax, dword ptr fs:[00000030h]	3_2_34DB1C7C
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34E3FC4F mov eax, dword ptr fs:[00000030h]	3_2_34E3FC4F
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34D91C60 mov eax, dword ptr fs:[00000030h]	3_2_34D91C60
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34E4DC27 mov eax, dword ptr fs:[00000030h]	3_2_34E4DC27
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34E4DC27 mov eax, dword ptr fs:[00000030h]	3_2_34E4DC27
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34E4DC27 mov eax, dword ptr fs:[00000030h]	3_2_34E4DC27
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34E09C32 mov eax, dword ptr fs:[00000030h]	3_2_34E09C32
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34E51C3C mov eax, dword ptr fs:[00000030h]	3_2_34E51C3C
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34DBBC3B mov esi, dword ptr fs:[00000030h]	3_2_34DBBC3B
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34E5BC01 mov eax, dword ptr fs:[00000030h]	3_2_34E5BC01
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34E5BC01 mov eax, dword ptr fs:[00000030h]	3_2_34E5BC01
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34E0BC10 mov eax, dword ptr fs:[00000030h]	3_2_34E0BC10
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34E0BC10 mov eax, dword ptr fs:[00000030h]	3_2_34E0BC10
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34E0BC10 mov ecx, dword ptr fs:[00000030h]	3_2_34E0BC10
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34D83DD0 mov eax, dword ptr fs:[00000030h]	3_2_34D83DD0
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34D83DD0 mov eax, dword ptr fs:[00000030h]	3_2_34D83DD0
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34E0DDC0 mov eax, dword ptr fs:[00000030h]	3_2_34E0DDC0
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34E4DDC6 mov eax, dword ptr fs:[00000030h]	3_2_34E4DDC6
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34E3DDC7 mov eax, dword ptr fs:[00000030h]	3_2_34E3DDC7
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34D79D96 mov eax, dword ptr fs:[00000030h]	3_2_34D79D96
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34D79D96 mov eax, dword ptr fs:[00000030h]	3_2_34D79D96
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34D79D96 mov ecx, dword ptr fs:[00000030h]	3_2_34D79D96
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34E15DA0 mov eax, dword ptr fs:[00000030h]	3_2_34E15DA0
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34E15DA0 mov eax, dword ptr fs:[00000030h]	3_2_34E15DA0
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34E15DA0 mov eax, dword ptr fs:[00000030h]	3_2_34E15DA0
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34E15DA0 mov ecx, dword ptr fs:[00000030h]	3_2_34E15DA0
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34E0DDB1 mov eax, dword ptr fs:[00000030h]	3_2_34E0DDB1
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34D7FD80 mov eax, dword ptr fs:[00000030h]	3_2_34D7FD80
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34D9DDB1 mov eax, dword ptr fs:[00000030h]	3_2_34D9DDB1
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34D9DDB1 mov eax, dword ptr fs:[00000030h]	3_2_34D9DDB1
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34D9DDB1 mov eax, dword ptr fs:[00000030h]	3_2_34D9DDB1
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34D8FDA9 mov eax, dword ptr fs:[00000030h]	3_2_34D8FDA9
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34DB9DAF mov eax, dword ptr fs:[00000030h]	3_2_34DB9DAF
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34DBBD4E mov eax, dword ptr fs:[00000030h]	3_2_34DBBD4E
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34DBBD4E mov eax, dword ptr fs:[00000030h]	3_2_34DBBD4E
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34D77D41 mov eax, dword ptr fs:[00000030h]	3_2_34D77D41
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34D93D40 mov eax, dword ptr fs:[00000030h]	3_2_34D93D40
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34D93D40 mov eax, dword ptr fs:[00000030h]	3_2_34D93D40
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34D93D40 mov eax, dword ptr fs:[00000030h]	3_2_34D93D40
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34D93D40 mov eax, dword ptr fs:[00000030h]	3_2_34D93D40
Source: C:\Users\user\Desktop\Anfrage244384.exe	Code function: 3_2_34D93D40 mov ecx, dword ptr fs:[00000030h]	3_2_34D93D40

Source: C:\Users\user\Desktop\Anfrage244384.exe

Process created: C:\Users\user\Desktop\Anfrage244384.exe "C:\Users\user\Desktop\Anfrage244384.exe"

Source: C:\Users\user\Desktop\Anfrage244384.exe

Code function: 0_2_00405DE5 GetVersion,GetSystemDirectoryA,GetWindowsDirectoryA,SHGetSpecialFolderLocation,SHGetPathFromIDListA,CoTaskMemFree,lstrcatA,lstrlenA,

0_2_00405DE5

Stealing of Sensitive Information

Source: Yara match

File source: 00000003.00000002.3110222192.00000000349F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Source: Yara match

File source: 00000003.00000002.3110222192.00000000349F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Native API	1 DLL Side-Loading	1 Access Token Manipulation	11 Masquerading	OS Credential Dumping	211 Security Software Discovery	Remote Services	1 Archive Collected Data	11 Encrypted Channel	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	11 Process Injection	1 Virtualization/Sandbox Evasion	LSASS Memory	1 Virtualization/Sandbox Evasion	Remote Desktop Protocol	1 Clipboard Data	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	1 Access Token Manipulation	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	11 Process Injection	NTDS	23 System Information Discovery	Distributed Component Object Model	Input Capture	13 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	2 Obfuscated Files or Information	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Anfrage244384.exe	32%	ReversingLabs	Win32.Trojan.Guloader
Anfrage244384.exe	100%	Avira	HEUR/AGEN.1361137

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\nsb8E12.tmp\System.dll	0%	ReversingLabs

Source	Detection	Scanner	Label
https://familytherapycenter.rs/	0%	Avira URL Cloud	safe
https://familytherapycenter.rs/B5	0%	Avira URL Cloud	safe
https://familytherapycenter.rs/rmANWge110.bin	0%	Avira URL Cloud	safe
https://familytherapycenter.rs/rmANWge110.binD1	0%	Avira URL Cloud	safe
https://familytherapycenter.rs/rmANWge110.bin~	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
familytherapycenter.rs	188.40.95.144	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://familytherapycenter.rs/rmANWge110.bin	false	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.w3c.org/TR/1999/REC-html401-19991224/loose.dtd	Anfrage244384.exe, 00000003.00000001.2332876628.00000000005F2000.00000020.00000001.01000000.00000007.sdmp	false		high
http://www.ftp.ftp://ftp.gopher.	Anfrage244384.exe, 00000003.00000001.2332876628.0000000000649000.00000020.00000001.01000000.00000007.sdmp	false		high
http://www.w3c.org/TR/1999/REC-html401-19991224/frameset.dtd	Anfrage244384.exe, 00000003.00000001.2332876628.00000000005F2000.00000020.00000001.01000000.00000007.sdmp	false		high
http://nsis.sf.net/NSIS_Error	Anfrage244384.exe	false		high
http://nsis.sf.net/NSIS_ErrorError	Anfrage244384.exe	false		high
https://familytherapycenter.rs/rmANWge110.bin~	Anfrage244384.exe, 00000003.00000002.3081198942.0000000004C58000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://familytherapycenter.rs/	Anfrage244384.exe, 00000003.00000003.2748759588.0000000004C9B000.00000004.00000020.00020000.00000000.sdmp, Anfrage244384.exe, 00000003.00000002.3081198942.0000000004C9C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://familytherapycenter.rs/B5	Anfrage244384.exe, 00000003.00000003.2748759588.0000000004C9B000.00000004.00000020.00020000.00000000.sdmp, Anfrage244384.exe, 00000003.00000002.3081198942.0000000004C9C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://inference.location.live.net/inferenceservice/v21/Pox/GetLocationUsingFingerprinte1e71f6b-214	Anfrage244384.exe, 00000003.00000001.2332876628.0000000000649000.00000020.00000001.01000000.00000007.sdmp	false		high
https://familytherapycenter.rs/rmANWge110.binD1	Anfrage244384.exe, 00000003.00000003.2748759588.0000000004C9B000.00000004.00000020.00020000.00000000.sdmp, Anfrage244384.exe, 00000003.00000002.3081198942.0000000004C9C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
188.40.95.144	familytherapycenter.rs	Germany		24940	HETZNER-ASDE	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1550563
Start date and time:	2024-11-06 20:46:37 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 21s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name:	Run with higher sleep bypass
Number of analysed new started processes analysed:	5
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Anfrage244384.exe
Detection:	MAL
Classification:	mal84.troj.evad.winEXE@3/10@1/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 89% Number of executed functions: 47 Number of non-executed functions: 293
Cookbook Comments:	Found application associated with file extension: .exe Sleeps bigger than 100000000ms are automatically reduced to 1000ms Stop behavior analysis, all processes terminated

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: Anfrage244384.exe

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
188.40.95.144	Anfrage_244384.exe	Get hash	malicious	FormBook, GuLoader	Browse
	5112024976.exe	Get hash	malicious	FormBook, GuLoader	Browse
	5112024976.exe	Get hash	malicious	FormBook, GuLoader	Browse
	Anfrage24438.zip	Get hash	malicious	FormBook, GuLoader	Browse
	Anfrage24438.exe	Get hash	malicious	FormBook, GuLoader	Browse
	Anfrage24438.exe	Get hash	malicious	FormBook, GuLoader	Browse
	5112024976.exe	Get hash	malicious	FormBook, GuLoader	Browse
	5112024976.exe	Get hash	malicious	FormBook, GuLoader	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
familytherapycenter.rs	Anfrage_244384.exe	Get hash	malicious	FormBook, GuLoader	Browse	188.40.95.144
	5112024976.exe	Get hash	malicious	FormBook, GuLoader	Browse	188.40.95.144
	5112024976.exe	Get hash	malicious	FormBook, GuLoader	Browse	188.40.95.144
	Anfrage24438.zip	Get hash	malicious	FormBook, GuLoader	Browse	188.40.95.144
	Anfrage24438.exe	Get hash	malicious	FormBook, GuLoader	Browse	188.40.95.144
	Anfrage24438.exe	Get hash	malicious	FormBook, GuLoader	Browse	188.40.95.144
	5112024976.exe	Get hash	malicious	FormBook, GuLoader	Browse	188.40.95.144
	5112024976.exe	Get hash	malicious	FormBook, GuLoader	Browse	188.40.95.144

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
HETZNER-ASDE	https://me-qr.com/f/signaramadeerfield?hash=	Get hash	malicious	Unknown	Browse	49.12.126.78
	Payment Confirmation (237 KB).msg	Get hash	malicious	HTMLPhisher, Tycoon2FA	Browse	159.69.48.31
	vhUjPXL0wV.exe	Get hash	malicious	AsyncRAT	Browse	91.107.210.50
	Anfrage_244384.exe	Get hash	malicious	FormBook, GuLoader	Browse	188.40.95.144
	5112024976.exe	Get hash	malicious	FormBook, GuLoader	Browse	188.40.95.144
	5112024976.exe	Get hash	malicious	FormBook, GuLoader	Browse	188.40.95.144
	Anfrage24438.zip	Get hash	malicious	FormBook, GuLoader	Browse	188.40.95.144
	getscreen-868841125.exe	Get hash	malicious	Unknown	Browse	78.47.165.25
	getscreen-868841125.exe	Get hash	malicious	Unknown	Browse	78.47.165.25

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
37f463bf4616ecd445d4a1937da06e19	Letter of Intent (LOI) For the Company November 2024 PDF.pif.exe	Get hash	malicious	FormBook, GuLoader	Browse	188.40.95.144
	FmmYUD4pt7.wsf	Get hash	malicious	Unknown	Browse	188.40.95.144
	rA01_278 Check list#U00b7pdf.vbs	Get hash	malicious	Remcos, GuLoader	Browse	188.40.95.144
	VZ7xFmeuPX.exe	Get hash	malicious	Unknown	Browse	188.40.95.144
	2ULrUoVwTx.exe	Get hash	malicious	FormBook, GuLoader	Browse	188.40.95.144
	wmKmOQ868z.exe	Get hash	malicious	FormBook, GuLoader	Browse	188.40.95.144
	wmKmOQ868z.exe	Get hash	malicious	FormBook, GuLoader	Browse	188.40.95.144
	2ULrUoVwTx.exe	Get hash	malicious	FormBook, GuLoader	Browse	188.40.95.144
	p7cCXP3hDz.exe	Get hash	malicious	FormBook, GuLoader	Browse	188.40.95.144

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\nsb8E12.tmp\System.dll	Anfrage_244384.exe	Get hash	malicious	FormBook, GuLoader	Browse
	5112024976.exe	Get hash	malicious	FormBook, GuLoader	Browse
	5112024976.exe	Get hash	malicious	FormBook, GuLoader	Browse
	Anfrage24438.zip	Get hash	malicious	FormBook, GuLoader	Browse
	Anfrage24438.exe	Get hash	malicious	FormBook, GuLoader	Browse
	Anfrage24438.exe	Get hash	malicious	FormBook, GuLoader	Browse
	5112024976.exe	Get hash	malicious	FormBook, GuLoader	Browse
	5112024976.exe	Get hash	malicious	FormBook, GuLoader	Browse
	21st OCTOBER 2024 234876sdf ORDER_PDF.exe	Get hash	malicious	FormBook, GuLoader	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Temp\nsb8E12.tmp\System.dll

Process:	C:\Users\user\Desktop\Anfrage244384.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	11264
Entropy (8bit):	5.7711167426271945
Encrypted:	false
SSDEEP:	192:OPtkumJX7zB22kGwfy0mtVgkCPOsX1un:/702k5qpdsXQn
MD5:	3F176D1EE13B0D7D6BD92E1C7A0B9BAE
SHA1:	FE582246792774C2C9DD15639FFA0ACA90D6FD0B
SHA-256:	FA4AB1D6F79FD677433A31ADA7806373A789D34328DA46CCB0449BBF347BD73E
SHA-512:	0A69124819B7568D0DEA4E9E85CE8FE61C7BA697C934E3A95E2DCFB9F252B1D9DA7FAF8774B6E8EFD614885507ACC94987733EBA09A2F5E7098B774DFC8524B6
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: Anfrage_244384.exe, Detection: malicious, Browse Filename: 5112024976.exe, Detection: malicious, Browse Filename: 5112024976.exe, Detection: malicious, Browse Filename: Anfrage24438.zip, Detection: malicious, Browse Filename: Anfrage24438.exe, Detection: malicious, Browse Filename: Anfrage24438.exe, Detection: malicious, Browse Filename: 5112024976.exe, Detection: malicious, Browse Filename: 5112024976.exe, Detection: malicious, Browse Filename: 21st OCTOBER 2024 234876sdf ORDER_PDF.exe, Detection: malicious, Browse
Reputation:	moderate, very likely benign file
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......)...m.m.m...k.m.~....j.9..i....l....l.Richm.........................PE..L.....MX...........!.................'.......0...............................`.......................................2.......0..P............................P.......................................................0..X............................text...O........................... ..`.rdata..S....0......."..............@..@.data...h....@.......&..............@....reloc..`....P.......(..............@..B................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\secretaryships\Directionless.Bro

Process:	C:\Users\user\Desktop\Anfrage244384.exe
File Type:	data
Category:	dropped
Size (bytes):	277033
Entropy (8bit):	7.782355189986513
Encrypted:	false
SSDEEP:	3072:ytWxv7/0J4n/D/l6vHIN47V1bgsNhtyyRB367YYxtUurNRqr5kl+WhbkPknsWmrK:pR/06n/Fs8UlFIVNcW+W6ms4h895cL
MD5:	78F99B2860C20AB074E6127DE24B909A
SHA1:	0A3670E16770DC770353B15BDF592AE0A339701E
SHA-256:	90B7191F16A8D9BEA6975C7893328EF03EDEA95EB8AB2BFEC8824D2616F0316F
SHA-512:	EA08CF813FF839768DB72856E95AB852170F6C4837F026B070CAFC86CB1ACF28627EBF963F3FED0796C630B01AD1309CABD1299986FA1EEF081C8AD8EA4F0FE3
Malicious:	false
Reputation:	low
Preview:	.......QQQ......b......c..................................................\|.....UU......................v..sss.,,,..ff..................!!!!.....KKKK..Q.......)......RRR...........;.....333....................w.+................aa............aa..............****..................\|\|.........~..{{{{{.eeeee.j....lll./..........(...........\.........\\\\\\....22.dd....................................................!!!!.K..................................#.2.p..cc.N.8.m...........1.....Y.%..rr.................................//......................XX.'''....AAA.E.P.H..................................s......}.........................................Y......nn.UUUUUU...??..................EE..................!......xxx...U..%%%%%...(.......[[[.....".D.....$.FFF.......rr.#.....................000000..E.............4......................................\\\.`......r...........&.......>>>>>>...............oo..................--.......................///...............+....MM..M..............O..

C:\Users\user\AppData\Roaming\secretaryships\Khami\anya.por

Process:	C:\Users\user\Desktop\Anfrage244384.exe
File Type:	data
Category:	dropped
Size (bytes):	448073
Entropy (8bit):	1.2554221597008608
Encrypted:	false
SSDEEP:	1536:i9EUBeeNEu//hQg77ea6OP/B1p7to4APRUYZAkxe:qFZO5u/B1pBo510
MD5:	3AD8D5763CA124C7392D1F4F53D24F0E
SHA1:	17D48EF1AB8D52A31821A069C225D45201535899
SHA-256:	3965D74DBD296AA8E7524C773FE81FE63A78355145502153CB577E9CB136DDA0
SHA-512:	EE8BDE196A33297BFD4E51ED01E7D0178CF457497E822771D2BE3C58A97681AC52CD19A2BBBB71220F06F6D936A6AA67966295DF3C676104B9643F07CBE37EC8
Malicious:	false
Reputation:	low
Preview:	............y...k......... ....L..............................................................c....................d...........................p..............R.................................................5...............f.......{......................................................................................J...........@.................E....h...............0................M.................'..............................................-...............Z.........................{...............T............c.W..............n....................H...........................................\|...................................^...........w.................c...............................).....................................y.....<.......................................T........................................................3.....S..<.......?........................................1!......^.............................t................................................G........

C:\Users\user\AppData\Roaming\secretaryships\Khami\besiddertrang.gra

Process:	C:\Users\user\Desktop\Anfrage244384.exe
File Type:	data
Category:	dropped
Size (bytes):	362911
Entropy (8bit):	1.2562704713226092
Encrypted:	false
SSDEEP:	768:uFKWW9YiDlIMhmjVacve6tEvHBLNB3tQsrTpPH8mZLAUFwsahGF48hDpWRcKthwz:u5W9yMJLNbJ1CbFV3Gd6Ie48dPs
MD5:	8AB9852274FA64E09B5711A2E7D94AAB
SHA1:	2C39272B969040B4C185EE4A69A5F04FD1F7C0DB
SHA-256:	FCD149788A3530E5E2CF5E17A09B1DE51EB67B51F3E8941E7091F88B610373F1
SHA-512:	6761208A22E8D93D70465E6DD9CF1B53826AA6BF0418DCCB0A6E5816A183790A61AD67EDCF52D21366975014701107563CE47A0465CEE801300493AEB566CC69
Malicious:	false
Reputation:	low
Preview:	....-......................................................................?d..........\.a.....................................8...............x...........e...................................)...............+..............................................i...................................................................................................................4......j................................................................................"......................................Z.....%...................................................................................................F............................................................................g...............................E./.....................................................................................Y........#.......F.......n.M.........................................................................................................................W..................................................

C:\Users\user\AppData\Roaming\secretaryships\Khami\darbyite.txt

Process:	C:\Users\user\Desktop\Anfrage244384.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	497
Entropy (8bit):	4.296439217688297
Encrypted:	false
SSDEEP:	12:kdESMQrs7ZnIyxrqlLIRF0+UAkN0lCGsMqejQlJ8:QjMfpIuqPAEsOi
MD5:	1560371431CEB91914AF5B9D0D307EE1
SHA1:	182B8979D4D0F9F26366653638A9C92FDAFF0D56
SHA-256:	72A2010CDB6ED407FCA17CDB181D5F01801F16040C2C9443BD7CB5032CDAAEF7
SHA-512:	865EF0F7636149A47043183583635C2A4306BF49565166760672B88F0F9DA89A529FE4166DFF496327304E56A8A460B8113E5F3D58601C0B8A3EFAABD792AF3D
Malicious:	false
Reputation:	low
Preview:	avenging piktogrammernes duecento korsedderkop skurvognsudlejningernes fnges ranaria..kavitet ubetalelige forhalingen passado nautically formaalsbestemmelsernes admiralsuniformers..franchot unimposing rimfire.bemba barsac unflaked skbnesvanger.tige backchats leveret viktualieforretningernes processal dignitas altica epoxyharpikset sergenter forureningsbegrnsedes..sforsvaret antiquating photomechanically enighedernes firepot megrez almon aeneus madrassen thrallborn denoteres slipup tvebakken..

C:\Users\user\AppData\Roaming\secretaryships\Khami\nilgedde.mes

Process:	C:\Users\user\Desktop\Anfrage244384.exe
File Type:	Matlab v4 mat-file (little endian) Y, numeric, rows 0, columns 0
Category:	dropped
Size (bytes):	354845
Entropy (8bit):	1.2446363869824946
Encrypted:	false
SSDEEP:	768:E2oz5FNvncy2DZRau7W0sxOvPfSfpg5rWuWAAUIdde/FwPPMk/FOuyQv9biuPia6:opho02mYrKiKLFyJ1AIu2
MD5:	DF7A44909B03AB5BC45910B405D9977A
SHA1:	3D0583A7DFB39E559827189E02123F2C983A21D5
SHA-256:	5A3B61A0BC8E81E756374D2A9FF5087FA4496543A635738ACA8911E95D6340D9
SHA-512:	C2B4E951A185FC3FB75109B5CAA554431C1517588D04B8F2BA865F75BE448A0448364BCB84253C9B44579078787DDA616F33666C0C1BF902EC644EBC9A6FE621
Malicious:	false
Preview:	..................%.Y.............................[......................z...........................................8.................{................b.......W..........................................#.........................................%....z..................7......................................x.i...+............................................................................8......................................................................................................................-..3..................................................................................\|............T...........................#...........\.....A.............................................7..........'.................... ...................].................J.J..........s................................g..............W........................................................................................................$...g..........................................................

C:\Users\user\AppData\Roaming\secretaryships\Khami\selefant.kri

Process:	C:\Users\user\Desktop\Anfrage244384.exe
File Type:	data
Category:	dropped
Size (bytes):	298017
Entropy (8bit):	1.245520550165085
Encrypted:	false
SSDEEP:	768:nLoDoRi0SWvTrmnVqvh6dzfCaci65UhXqjMctTGA3QBgdRWqrw3q3LFPRvx7H155:DStBsLk6gsifeQIGA0iYRwvy8n
MD5:	B4C9FC75BAB8C9F006A7D9DDBC249F79
SHA1:	70D4047E7E3BB10CF237B82775C89A1D92700162
SHA-256:	1D84F9462C244A4500C213DF8DD79971B286392CA02BC536F5F6C3EEBC94E7E3
SHA-512:	2E2279CB3755AC5708ABB30E8342235B7F0A24223E3D6F4B2B21B62E59012A5126ADC1BD73D7B64E72634728DECCE7A049D3E6F5055F8D74E959BEE54EDBEA4C
Malicious:	false
Preview:	............................_..,...........................................................;...........................................................7...O..................'.........................................P.........L................@....................8....................v..................G.....h.............................................m..+b.....................................................m.......C.....................................i..........................................................................................,................................C..........a...........Y......,...........q....................................................................................................................................................................................................................p................S................L..........)..............................................kF........^........E.................................................

C:\Users\user\AppData\Roaming\secretaryships\Khami\speil.int

Process:	C:\Users\user\Desktop\Anfrage244384.exe
File Type:	data
Category:	dropped
Size (bytes):	497497
Entropy (8bit):	1.2525295412969446
Encrypted:	false
SSDEEP:	1536:rbNZ/Rg8JCCgxT2eIgde/lBWTTBwGceukAdTYz91n6n:9NRg836IVLWHeGxKYQ
MD5:	F3F6C6E37EAB51D3B9B9C059C1EB874C
SHA1:	401E5740CCFBC1DA83BD9B426C11020C812986F2
SHA-256:	B5A607F50C65E41B2BFF7F852F27373177D326D9DFA1040E1C2B3AF62F757BAB
SHA-512:	060B328595ADAF9E85B390AA2AACEEFE4C6197294B7C45594798755C5E04BE1E2110F617B51E38D7DF423CD807FA81B30702CE2548563980B9CA195ECF2C11A7
Malicious:	false
Preview:	.........................................o................j........................................c..6......................................../....................................................m...............................r.D................................T.........................................................8....................x...................................................................!.....O....\................G.........................................G........n....."................:.........................................................................................................@.......<..................................................i.......k..............................................................................................................................=.........g.........................k.............A.......[........................)...........e................................b.............................................6.............

C:\Users\user\AppData\Roaming\secretaryships\Tingid.pig

Process:	C:\Users\user\Desktop\Anfrage244384.exe
File Type:	data
Category:	dropped
Size (bytes):	476422
Entropy (8bit):	1.2552031449987011
Encrypted:	false
SSDEEP:	1536:zGmPxn4XjZOVebnJjvYbTUBhGKcjnO/EeMHPm:Sm6zYVb849nH6
MD5:	F236A74F28F6F32F81F1347D9F129268
SHA1:	D5BE521661EE4BF3C186C3EAA0411DD5DF6F3EBA
SHA-256:	BEED12F00B12156FF9FA63595DE11A5C01493CF5F85488CB2E159CF1A8236778
SHA-512:	D6AD37DDF7B6B38B90F09186AC81C6A76F16F9A4613D6113F10D7B2A4F68129E570EFFC77A19B04F276277B7A569EBD5FD4A48D2E2E72CEA8CEE5A8F67CC5EF4
Malicious:	false
Preview:	.................................................................7...........................).....$....%..........................#.....M.....................................6.........N.........).......................................................................................a..............t..................................................T.........................................@...........................+..U...................A'..............L..................................................../.............2..............k.........................................................................................................&.............................................>...........................................................\|..........................?...............................&...................................n.q......}....................................E......................................................p........................................6..........

C:\Users\user\AppData\Roaming\secretaryships\epipactis.God