Windows Analysis Report
47879282.EXE.exe

Overview

General Information

Sample name: 47879282.EXE.exe
Analysis ID: 1522589
MD5: bdc14e906213d80c6fcab22665329f9c
SHA1: afcd74d3ad99ede80adb8574278c344ea6bf9147
SHA256: 5db9bae3849011553274c1149e83d594e9c3cb6adb3480f92ae1239ad26c4171
Tags: exeuser-adam_zbadam

Detection

DarkTortilla, FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected AntiVM3
Yara detected DarkTortilla Crypter
Yara detected FormBook
AI detected suspicious sample
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to launch a process as a different user
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
PE file contains executable resources (Code or Archives)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Name: DarkTortilla
Description: DarkTortilla is a complex and highly configurable .NET-based crypter that has possibly been active since at least August 2015. It typically delivers popular information stealers and remote access trojans (RATs) such as AgentTesla, AsyncRat, NanoCore, and RedLine. While it appears to primarily deliver commodity malware, Secureworks Counter Threat Unit (CTU) researchers identified DarkTortilla samples delivering targeted payloads such as Cobalt Strike and Metasploit. It can also deliver "addon packages" such as additional malicious payloads, benign decoy documents, and executables. It features robust anti-analysis and anti-tamper controls that can make detection, analysis, and eradication challenging. From January 2021 through May 2022, an average of 93 unique DarkTortilla samples per week were uploaded to the VirusTotal analysis service. Code similarities suggest possible links between DarkTortilla and other malware: a crypter operated by the RATs Crew threat group, which was active between 2008 and 2012, and the Gameloader malware that emerged in 2021.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.darktortilla

Name: Formbook, Formbo
Description: FormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.
Attribution:
  • SWEED
  • Cobalt
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

AV Detection

Source: 47879282.EXE.exe Avira: detected
Source: 47879282.EXE.exe ReversingLabs: Detection: 18%
Source: Yara match File source: 11.2.47879282.EXE.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.47879282.EXE.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000B.00000002.2037666483.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.2038050513.00000000012F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Submited Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: 47879282.EXE.exe Joe Sandbox ML: detected
Source: 47879282.EXE.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 47879282.EXE.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: wntdll.pdbUGP source: 47879282.EXE.exe, 0000000B.00000002.2038261791.00000000017B0000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: 47879282.EXE.exe, 47879282.EXE.exe, 0000000B.00000002.2038261791.00000000017B0000.00000040.00001000.00020000.00000000.sdmp

E-Banking Fraud

Source: Yara match File source: 11.2.47879282.EXE.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.47879282.EXE.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000B.00000002.2037666483.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.2038050513.00000000012F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

System Summary

Source: 11.2.47879282.EXE.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 11.2.47879282.EXE.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000B.00000002.2037666483.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000B.00000002.2038050513.00000000012F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: C:\Users\user\Desktop\47879282.EXE.exe Code function: 11_2_0042C3C3 NtClose, 11_2_0042C3C3
Source: C:\Users\user\Desktop\47879282.EXE.exe Code function: 11_2_01822DF0 NtQuerySystemInformation,LdrInitializeThunk, 11_2_01822DF0
Source: C:\Users\user\Desktop\47879282.EXE.exe Code function: 11_2_01822C70 NtFreeVirtualMemory,LdrInitializeThunk, 11_2_01822C70
Source: C:\Users\user\Desktop\47879282.EXE.exe Code function: 11_2_018235C0 NtCreateMutant,LdrInitializeThunk, 11_2_018235C0
Source: C:\Users\user\Desktop\47879282.EXE.exe Code function: 11_2_01824340 NtSetContextThread, 11_2_01824340
Source: C:\Users\user\Desktop\47879282.EXE.exe Code function: 11_2_01824650 NtSuspendThread, 11_2_01824650
Source: C:\Users\user\Desktop\47879282.EXE.exe Code function: 11_2_01822B80 NtQueryInformationFile, 11_2_01822B80
Source: C:\Users\user\Desktop\47879282.EXE.exe Code function: 11_2_01822BA0 NtEnumerateValueKey, 11_2_01822BA0
Source: C:\Users\user\Desktop\47879282.EXE.exe Code function: 11_2_01822BE0 NtQueryValueKey, 11_2_01822BE0
Source: C:\Users\user\Desktop\47879282.EXE.exe Code function: 11_2_01822BF0 NtAllocateVirtualMemory, 11_2_01822BF0
Source: C:\Users\user\Desktop\47879282.EXE.exe Code function: 11_2_01822B60 NtClose, 11_2_01822B60
Source: C:\Users\user\Desktop\47879282.EXE.exe Code function: 11_2_01822AB0 NtWaitForSingleObject, 11_2_01822AB0
Source: C:\Users\user\Desktop\47879282.EXE.exe Code function: 11_2_01822AD0 NtReadFile, 11_2_01822AD0
Source: C:\Users\user\Desktop\47879282.EXE.exe Code function: 11_2_01822AF0 NtWriteFile, 11_2_01822AF0
Source: C:\Users\user\Desktop\47879282.EXE.exe Code function: 11_2_01822DB0 NtEnumerateKey, 11_2_01822DB0
Source: C:\Users\user\Desktop\47879282.EXE.exe Code function: 11_2_01822DD0 NtDelayExecution, 11_2_01822DD0
Source: C:\Users\user\Desktop\47879282.EXE.exe Code function: 11_2_01822D00 NtSetInformationFile, 11_2_01822D00
Source: C:\Users\user\Desktop\47879282.EXE.exe Code function: 11_2_01822D10 NtMapViewOfSection, 11_2_01822D10
Source: C:\Users\user\Desktop\47879282.EXE.exe Code function: 11_2_01822D30 NtUnmapViewOfSection, 11_2_01822D30
Source: C:\Users\user\Desktop\47879282.EXE.exe Code function: 11_2_01822CA0 NtQueryInformationToken, 11_2_01822CA0
Source: C:\Users\user\Desktop\47879282.EXE.exe Code function: 11_2_01822CC0 NtQueryVirtualMemory, 11_2_01822CC0
Source: C:\Users\user\Desktop\47879282.EXE.exe Code function: 11_2_01822CF0 NtOpenProcess, 11_2_01822CF0
Source: C:\Users\user\Desktop\47879282.EXE.exe Code function: 11_2_01822C00 NtQueryInformationProcess, 11_2_01822C00
Source: C:\Users\user\Desktop\47879282.EXE.exe Code function: 11_2_01822C60 NtCreateKey, 11_2_01822C60
Source: C:\Users\user\Desktop\47879282.EXE.exe Code function: 11_2_01822F90 NtProtectVirtualMemory, 11_2_01822F90
Source: C:\Users\user\Desktop\47879282.EXE.exe Code function: 11_2_01822FA0 NtQuerySection, 11_2_01822FA0
Source: C:\Users\user\Desktop\47879282.EXE.exe Code function: 11_2_01822FB0 NtResumeThread, 11_2_01822FB0
Source: C:\Users\user\Desktop\47879282.EXE.exe Code function: 11_2_01822FE0 NtCreateFile, 11_2_01822FE0
Source: C:\Users\user\Desktop\47879282.EXE.exe Code function: 11_2_01822F30 NtCreateSection, 11_2_01822F30
Source: C:\Users\user\Desktop\47879282.EXE.exe Code function: 11_2_01822F60 NtCreateProcessEx, 11_2_01822F60
Source: C:\Users\user\Desktop\47879282.EXE.exe Code function: 11_2_01822E80 NtReadVirtualMemory, 11_2_01822E80
Source: C:\Users\user\Desktop\47879282.EXE.exe Code function: 11_2_01822EA0 NtAdjustPrivilegesToken, 11_2_01822EA0
Source: C:\Users\user\Desktop\47879282.EXE.exe Code function: 11_2_01822EE0 NtQueueApcThread, 11_2_01822EE0
Source: C:\Users\user\Desktop\47879282.EXE.exe Code function: 11_2_01822E30 NtWriteVirtualMemory, 11_2_01822E30
Source: C:\Users\user\Desktop\47879282.EXE.exe Code function: 11_2_01823090 NtSetValueKey, 11_2_01823090
Source: C:\Users\user\Desktop\47879282.EXE.exe Code function: 11_2_01823010 NtOpenDirectoryObject, 11_2_01823010
Source: C:\Users\user\Desktop\47879282.EXE.exe Code function: 11_2_018239B0 NtGetContextThread, 11_2_018239B0
Source: C:\Users\user\Desktop\47879282.EXE.exe Code function: 11_2_01823D10 NtOpenProcessToken, 11_2_01823D10
Source: C:\Users\user\Desktop\47879282.EXE.exe Code function: 11_2_01823D70 NtOpenThread, 11_2_01823D70
Source: C:\Users\user\Desktop\47879282.EXE.exe Code function: 6_2_08A5B508 CreateProcessAsUserW, 6_2_08A5B508
Source: C:\Users\user\Desktop\47879282.EXE.exe Code function: String function: 01837E54 appears 111 times
Source: C:\Users\user\Desktop\47879282.EXE.exe Code function: String function: 01825130 appears 58 times
Source: C:\Users\user\Desktop\47879282.EXE.exe Code function: String function: 0185EA12 appears 86 times
Source: C:\Users\user\Desktop\47879282.EXE.exe Code function: String function: 0186F290 appears 105 times
Source: C:\Users\user\Desktop\47879282.EXE.exe Code function: String function: 017DB970 appears 277 times
Source: 47879282.EXE.exe Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: 47879282.EXE.exe, 00000006.00000000.1274404238.000000000026A000.00000002.00000001.01000000.00000004.sdmp Binary or memory string: OriginalFilename4787928266362882.exeP vs 47879282.EXE.exe
Source: 47879282.EXE.exe, 00000006.00000002.1977004939.00000000066D0000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameTokenTableApp.dll> vs 47879282.EXE.exe
Source: 47879282.EXE.exe, 00000006.00000002.1968825704.000000000088E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs 47879282.EXE.exe
Source: 47879282.EXE.exe, 00000006.00000002.1977997974.0000000007860000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameRP8SH.dll6 vs 47879282.EXE.exe
Source: 47879282.EXE.exe, 0000000B.00000002.2038261791.00000000018DD000.00000040.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs 47879282.EXE.exe
Source: 47879282.EXE.exe Binary or memory string: OriginalFilename4787928266362882.exeP vs 47879282.EXE.exe
Source: 11.2.47879282.EXE.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 11.2.47879282.EXE.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000B.00000002.2037666483.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000B.00000002.2038050513.00000000012F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: classification engine Classification label: mal100.troj.evad.winEXE@3/1@0/0
Source: C:\Users\user\Desktop\47879282.EXE.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\47879282.EXE.exe.log
Source: C:\Users\user\Desktop\47879282.EXE.exe Mutant created: NULL
Source: 47879282.EXE.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 47879282.EXE.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\47879282.EXE.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: 47879282.EXE.exe, 00000006.00000000.1274077759.000000000025C000.00000020.00000001.01000000.00000004.sdmp Binary or memory string: SELECT * FROM Tasks WHERE DueDate = @Today OR RepeatedDays LIKE '%' + CAST(@TodayDay AS NVARCHAR) + '%' ORDER BY CASE WHEN ReminderDateTime IS NULL THEN 1 ELSE 0 END, ReminderDateTime, IsImportant DESC;
Source: 47879282.EXE.exe, 00000006.00000000.1274077759.000000000025C000.00000020.00000001.01000000.00000004.sdmp Binary or memory string: Select TaskID, Task FROM Tasks WHERE DueDate = @Today Or RepeatedDays Like '%' + CAST(@TodayDay AS NVARCHAR) + '%';
Source: 47879282.EXE.exe, 00000006.00000000.1274077759.000000000025C000.00000020.00000001.01000000.00000004.sdmp Binary or memory string: SELECT * FROM Tasks WHERE (DueDate = @Today OR RepeatedDays LIKE '%' + CAST(@TodayDay AS NVARCHAR) + '%') AND IsDone = 0 ORDER BY CASE WHEN ReminderDateTime IS NULL THEN 1 ELSE 0 END, ReminderDateTime, IsImportant DESC;
Source: 47879282.EXE.exe, 00000006.00000000.1274077759.000000000025C000.00000020.00000001.01000000.00000004.sdmp Binary or memory string: SELECT * FROM Tasks WHERE DueDate = @Today OR RepeatedDays LIKE '%' + CAST(@TodayDay AS NVARCHAR) + '%' ORDER BY IsDone ASC, CASE WHEN ReminderDateTime IS NULL THEN 1 ELSE 0 END, ReminderDateTime, IsImportant DESC;
Source: unknown Process created: C:\Users\user\Desktop\47879282.EXE.exe "C:\Users\user\Desktop\47879282.EXE.exe"
Source: C:\Users\user\Desktop\47879282.EXE.exe Process created: C:\Users\user\Desktop\47879282.EXE.exe "C:\Users\user\Desktop\47879282.EXE.exe"
Source: C:\Users\user\Desktop\47879282.EXE.exe Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\47879282.EXE.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\47879282.EXE.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\47879282.EXE.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\47879282.EXE.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\47879282.EXE.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\47879282.EXE.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\47879282.EXE.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\47879282.EXE.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\47879282.EXE.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\47879282.EXE.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\47879282.EXE.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\47879282.EXE.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\47879282.EXE.exe Section loaded: dwrite.dll
Source: C:\Users\user\Desktop\47879282.EXE.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\47879282.EXE.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\47879282.EXE.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\47879282.EXE.exe Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\47879282.EXE.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\47879282.EXE.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
Source: C:\Users\user\Desktop\47879282.EXE.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: 47879282.EXE.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: 47879282.EXE.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: 47879282.EXE.exe Static file information: File size 1278976 > 1048576
Source: 47879282.EXE.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x137a00
Source: 47879282.EXE.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: wntdll.pdbUGP source: 47879282.EXE.exe, 0000000B.00000002.2038261791.00000000017B0000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: 47879282.EXE.exe, 47879282.EXE.exe, 0000000B.00000002.2038261791.00000000017B0000.00000040.00001000.00020000.00000000.sdmp

Data Obfuscation

Source: Yara match File source: 6.2.47879282.EXE.exe.66d0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.47879282.EXE.exe.66d0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000006.00000002.1977004939.00000000066D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.1969277153.0000000002481000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 47879282.EXE.exe PID: 5260, type: MEMORYSTR
Source: 47879282.EXE.exe, z8.cs High entropy of concatenated method names: 'x6Q8Nd', 'MoveNext', 'Yp0s4A', 'SetStateMachine', 'w5WZm2', 'd7', 'Ro', 'z8', 'x4', 'g2'

Hooking and other Techniques for Hiding and Protection

Source: C:\Users\user\Desktop\47879282.EXE.exe File opened: C:\Users\user\Desktop\47879282.EXE.exe\:Zone.Identifier read attributes | delete
Source: C:\Users\user\Desktop\47879282.EXE.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: Yara match File source: Process Memory Space: 47879282.EXE.exe PID: 5260, type: MEMORYSTR
Source: C:\Users\user\Desktop\47879282.EXE.exe Memory allocated: AC0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\47879282.EXE.exe Memory allocated: 2480000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\47879282.EXE.exe Memory allocated: 4480000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\47879282.EXE.exe Memory allocated: 7880000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\47879282.EXE.exe Memory allocated: 8880000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\47879282.EXE.exe Memory allocated: 8A60000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\47879282.EXE.exe Memory allocated: 9A60000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\47879282.EXE.exe Memory allocated: 9E00000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\47879282.EXE.exe Memory allocated: AE00000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\47879282.EXE.exe Memory allocated: BE00000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\47879282.EXE.exe Code function: 11_2_0182096E rdtsc 11_2_0182096E
Source: C:\Users\user\Desktop\47879282.EXE.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\47879282.EXE.exe Window / User API: threadDelayed 8306
Source: C:\Users\user\Desktop\47879282.EXE.exe Window / User API: threadDelayed 1552
Source: C:\Users\user\Desktop\47879282.EXE.exe API coverage: 0.6 %
Source: C:\Users\user\Desktop\47879282.EXE.exe TID: 7180 Thread sleep time: -22136092888451448s >= -30000s
Source: C:\Users\user\Desktop\47879282.EXE.exe TID: 7180 Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\Desktop\47879282.EXE.exe TID: 7540 Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\Desktop\47879282.EXE.exe Thread delayed: delay time: 30000
Source: 47879282.EXE.exe, 00000006.00000002.1977004939.00000000066D0000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: VBoxTray
Source: 47879282.EXE.exe, 00000006.00000002.1977004939.00000000066D0000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: 2051979379GSOFTWARE\VMware, Inc.\VMware VGAuth
Source: C:\Users\user\Desktop\47879282.EXE.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\47879282.EXE.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\47879282.EXE.exe Code function: 11_2_004174A3 LdrLoadDll, 11_2_004174A3
Source: C:\Users\user\Desktop\47879282.EXE.exe Code function: 11_2_01860283 mov eax, dword ptr fs:[00000030h] 11_2_01860283
Source: C:\Users\user\Desktop\47879282.EXE.exe Code function: 11_2_0181E284 mov eax, dword ptr fs:[00000030h] 11_2_0181E284
Source: C:\Users\user\Desktop\47879282.EXE.exe Code function: 11_2_0181E284 mov eax, dword ptr fs:[00000030h] 11_2_0181E284
Source: C:\Users\user\Desktop\47879282.EXE.exe Code function: 11_2_017D826B mov eax, dword ptr fs:[00000030h] 11_2_017D826B
Source: C:\Users\user\Desktop\47879282.EXE.exe Code function: 11_2_017E4260 mov eax, dword ptr fs:[00000030h] 11_2_017E4260
Source: C:\Users\user\Desktop\47879282.EXE.exe Code function: 11_2_017E4260 mov eax, dword ptr fs:[00000030h] 11_2_017E4260
Source: C:\Users\user\Desktop\47879282.EXE.exe Code function: 11_2_017E4260 mov eax, dword ptr fs:[00000030h] 11_2_017E4260
Source: C:\Users\user\Desktop\47879282.EXE.exe Code function: 11_2_018762A0 mov eax, dword ptr fs:[00000030h] 11_2_018762A0
Source: C:\Users\user\Desktop\47879282.EXE.exe Code function: 11_2_018762A0 mov ecx, dword ptr fs:[00000030h] 11_2_018762A0
Source: C:\Users\user\Desktop\47879282.EXE.exe Code function: 11_2_018762A0 mov eax, dword ptr fs:[00000030h] 11_2_018762A0
Source: C:\Users\user\Desktop\47879282.EXE.exe Code function: 11_2_018762A0 mov eax, dword ptr fs:[00000030h] 11_2_018762A0
Source: C:\Users\user\Desktop\47879282.EXE.exe Code function: 11_2_018762A0 mov eax, dword ptr fs:[00000030h] 11_2_018762A0
Source: C:\Users\user\Desktop\47879282.EXE.exe Code function: 11_2_018762A0 mov eax, dword ptr fs:[00000030h] 11_2_018762A0
Source: C:\Users\user\Desktop\47879282.EXE.exe Code function: 11_2_017E6259 mov eax, dword ptr fs:[00000030h] 11_2_017E6259
Source: C:\Users\user\Desktop\47879282.EXE.exe Code function: 11_2_017DA250 mov eax, dword ptr fs:[00000030h] 11_2_017DA250
Source: C:\Users\user\Desktop\47879282.EXE.exe Code function: 11_2_017D823B mov eax, dword ptr fs:[00000030h] 11_2_017D823B
Source: C:\Users\user\Desktop\47879282.EXE.exe Code function: 11_2_018B62D6 mov eax, dword ptr fs:[00000030h] 11_2_018B62D6
Source: C:\Users\user\Desktop\47879282.EXE.exe Code function: 11_2_017F02E1 mov eax, dword ptr fs:[00000030h] 11_2_017F02E1
Source: C:\Users\user\Desktop\47879282.EXE.exe Code function: 11_2_017F02E1 mov eax, dword ptr fs:[00000030h] 11_2_017F02E1
Source: C:\Users\user\Desktop\47879282.EXE.exe Code function: 11_2_017F02E1 mov eax, dword ptr fs:[00000030h] 11_2_017F02E1
Source: C:\Users\user\Desktop\47879282.EXE.exe Code function: 11_2_017EA2C3 mov eax, dword ptr fs:[00000030h] 11_2_017EA2C3
Source: C:\Users\user\Desktop\47879282.EXE.exe Code function: 11_2_017EA2C3 mov eax, dword ptr fs:[00000030h] 11_2_017EA2C3
Source: C:\Users\user\Desktop\47879282.EXE.exe Code function: 11_2_017EA2C3 mov eax, dword ptr fs:[00000030h] 11_2_017EA2C3
Source: C:\Users\user\Desktop\47879282.EXE.exe Code function: 11_2_017EA2C3 mov eax, dword ptr fs:[00000030h] 11_2_017EA2C3
Source: C:\Users\user\Desktop\47879282.EXE.exe Code function: 11_2_017EA2C3 mov eax, dword ptr fs:[00000030h] 11_2_017EA2C3
Source: C:\Users\user\Desktop\47879282.EXE.exe Code function: 11_2_01868243 mov eax, dword ptr fs:[00000030h] 11_2_01868243
Source: C:\Users\user\Desktop\47879282.EXE.exe Code function: 11_2_01868243 mov ecx, dword ptr fs:[00000030h] 11_2_01868243
Source: C:\Users\user\Desktop\47879282.EXE.exe Code function: 11_2_018B625D mov eax, dword ptr fs:[00000030h] 11_2_018B625D
Source: C:\Users\user\Desktop\47879282.EXE.exe Code function: 11_2_0189A250 mov eax, dword ptr fs:[00000030h] 11_2_0189A250
Source: C:\Users\user\Desktop\47879282.EXE.exe Code function: 11_2_0189A250 mov eax, dword ptr fs:[00000030h] 11_2_0189A250
Source: C:\Users\user\Desktop\47879282.EXE.exe Code function: 11_2_017F02A0 mov eax, dword ptr fs:[00000030h] 11_2_017F02A0
Source: C:\Users\user\Desktop\47879282.EXE.exe Code function: 11_2_017F02A0 mov eax, dword ptr fs:[00000030h] 11_2_017F02A0
Source: C:\Users\user\Desktop\47879282.EXE.exe Code function: 11_2_01890274 mov eax, dword ptr fs:[00000030h] 11_2_01890274
Source: C:\Users\user\Desktop\47879282.EXE.exe Code function: 11_2_01890274 mov eax, dword ptr fs:[00000030h] 11_2_01890274
Source: C:\Users\user\Desktop\47879282.EXE.exe Code function: 11_2_01890274 mov eax, dword ptr fs:[00000030h] 11_2_01890274
Source: C:\Users\user\Desktop\47879282.EXE.exe Code function: 11_2_01890274 mov eax, dword ptr fs:[00000030h] 11_2_01890274
Source: C:\Users\user\Desktop\47879282.EXE.exe Code function: 11_2_01890274 mov eax, dword ptr fs:[00000030h] 11_2_01890274
Source: C:\Users\user\Desktop\47879282.EXE.exe Code function: 11_2_01890274 mov eax, dword ptr fs:[00000030h] 11_2_01890274
Source: C:\Users\user\Desktop\47879282.EXE.exe Code function: 11_2_01890274 mov eax, dword ptr fs:[00000030h] 11_2_01890274
Source: C:\Users\user\Desktop\47879282.EXE.exe Code function: 11_2_01890274 mov eax, dword ptr fs:[00000030h] 11_2_01890274
Source: C:\Users\user\Desktop\47879282.EXE.exe Code function: 11_2_01890274 mov eax, dword ptr fs:[00000030h] 11_2_01890274
Source: C:\Users\user\Desktop\47879282.EXE.exe Code function: 11_2_01890274 mov eax, dword ptr fs:[00000030h] 11_2_01890274
Source: C:\Users\user\Desktop\47879282.EXE.exe Code function: 11_2_01890274 mov eax, dword ptr fs:[00000030h] 11_2_01890274
Source: C:\Users\user\Desktop\47879282.EXE.exe Code function: 11_2_01890274 mov eax, dword ptr fs:[00000030h] 11_2_01890274
Source: C:\Users\user\Desktop\47879282.EXE.exe Code function: 11_2_01814588 mov eax, dword ptr fs:[00000030h] 11_2_01814588
Source: C:\Users\user\Desktop\47879282.EXE.exe Code function: 11_2_0181E59C mov eax, dword ptr fs:[00000030h] 11_2_0181E59C
Source: C:\Users\user\Desktop\47879282.EXE.exe Code function: 11_2_018605A7 mov eax, dword ptr fs:[00000030h] 11_2_018605A7
Source: C:\Users\user\Desktop\47879282.EXE.exe Code function: 11_2_018605A7 mov eax, dword ptr fs:[00000030h] 11_2_018605A7
Source: C:\Users\user\Desktop\47879282.EXE.exe Code function: 11_2_018605A7 mov eax, dword ptr fs:[00000030h] 11_2_018605A7
Source: C:\Users\user\Desktop\47879282.EXE.exe Code function: 11_2_017E8550 mov eax, dword ptr fs:[00000030h] 11_2_017E8550
Source: C:\Users\user\Desktop\47879282.EXE.exe Code function: 11_2_017E8550 mov eax, dword ptr fs:[00000030h] 11_2_017E8550
Source: C:\Users\user\Desktop\47879282.EXE.exe Code function: 11_2_018045B1 mov eax, dword ptr fs:[00000030h] 11_2_018045B1
Source: C:\Users\user\Desktop\47879282.EXE.exe Code function: 11_2_018045B1 mov eax, dword ptr fs:[00000030h] 11_2_018045B1
Source: C:\Users\user\Desktop\47879282.EXE.exe Code function: 11_2_017F0535 mov eax, dword ptr fs:[00000030h] 11_2_017F0535
Source: C:\Users\user\Desktop\47879282.EXE.exe Code function: 11_2_017F0535 mov eax, dword ptr fs:[00000030h] 11_2_017F0535
Source: C:\Users\user\Desktop\47879282.EXE.exe Code function: 11_2_017F0535 mov eax, dword ptr fs:[00000030h] 11_2_017F0535
Source: C:\Users\user\Desktop\47879282.EXE.exe Code function: 11_2_017F0535 mov eax, dword ptr fs:[00000030h] 11_2_017F0535
Source: C:\Users\user\Desktop\47879282.EXE.exe Code function: 11_2_017F0535 mov eax, dword ptr fs:[00000030h] 11_2_017F0535
Source: C:\Users\user\Desktop\47879282.EXE.exe Code function: 11_2_017F0535 mov eax, dword ptr fs:[00000030h] 11_2_017F0535
Source: C:\Users\user\Desktop\47879282.EXE.exe Code function: 11_2_0181E5CF mov eax, dword ptr fs:[00000030h] 11_2_0181E5CF
Source: C:\Users\user\Desktop\47879282.EXE.exe Code function: 11_2_0181E5CF mov eax, dword ptr fs:[00000030h] 11_2_0181E5CF
Source: C:\Users\user\Desktop\47879282.EXE.exe Code function: 11_2_0181A5D0 mov eax, dword ptr fs:[00000030h] 11_2_0181A5D0
Source: C:\Users\user\Desktop\47879282.EXE.exe Code function: 11_2_0181A5D0 mov eax, dword ptr fs:[00000030h] 11_2_0181A5D0
Source: C:\Users\user\Desktop\47879282.EXE.exe Code function: 11_2_0180E5E7 mov eax, dword ptr fs:[00000030h] 11_2_0180E5E7
Source: C:\Users\user\Desktop\47879282.EXE.exe Code function: 11_2_0180E5E7 mov eax, dword ptr fs:[00000030h] 11_2_0180E5E7
Source: C:\Users\user\Desktop\47879282.EXE.exe Code function: 11_2_0180E5E7 mov eax, dword ptr fs:[00000030h] 11_2_0180E5E7
Source: C:\Users\user\Desktop\47879282.EXE.exe Code function: 11_2_0180E5E7 mov eax, dword ptr fs:[00000030h] 11_2_0180E5E7
Source: C:\Users\user\Desktop\47879282.EXE.exe Code function: 11_2_0180E5E7 mov eax, dword ptr fs:[00000030h] 11_2_0180E5E7
Source: C:\Users\user\Desktop\47879282.EXE.exe Code function: 11_2_0180E5E7 mov eax, dword ptr fs:[00000030h] 11_2_0180E5E7
Source: C:\Users\user\Desktop\47879282.EXE.exe Code function: 11_2_0180E5E7 mov eax, dword ptr fs:[00000030h] 11_2_0180E5E7
Source: C:\Users\user\Desktop\47879282.EXE.exe Code function: 11_2_0180E5E7 mov eax, dword ptr fs:[00000030h] 11_2_0180E5E7
Source: C:\Users\user\Desktop\47879282.EXE.exe Code function: 11_2_0181C5ED mov eax, dword ptr fs:[00000030h] 11_2_0181C5ED
Source: C:\Users\user\Desktop\47879282.EXE.exe Code function: 11_2_0181C5ED mov eax, dword ptr fs:[00000030h] 11_2_0181C5ED
Source: C:\Users\user\Desktop\47879282.EXE.exe Code function: 11_2_01876500 mov eax, dword ptr fs:[00000030h] 11_2_01876500
Source: C:\Users\user\Desktop\47879282.EXE.exe Code function: 11_2_018B4500 mov eax, dword ptr fs:[00000030h] 11_2_018B4500
Source: C:\Users\user\Desktop\47879282.EXE.exe Code function: 11_2_018B4500 mov eax, dword ptr fs:[00000030h] 11_2_018B4500
Source: C:\Users\user\Desktop\47879282.EXE.exe Code function: 11_2_018B4500 mov eax, dword ptr fs:[00000030h] 11_2_018B4500
Source: C:\Users\user\Desktop\47879282.EXE.exe Code function: 11_2_018B4500 mov eax, dword ptr fs:[00000030h] 11_2_018B4500
Source: C:\Users\user\Desktop\47879282.EXE.exe Code function: 11_2_018B4500 mov eax, dword ptr fs:[00000030h] 11_2_018B4500
Source: C:\Users\user\Desktop\47879282.EXE.exe Code function: 11_2_018B4500 mov eax, dword ptr fs:[00000030h] 11_2_018B4500
Source: C:\Users\user\Desktop\47879282.EXE.exe Code function: 11_2_018B4500 mov eax, dword ptr fs:[00000030h] 11_2_018B4500
Source: C:\Users\user\Desktop\47879282.EXE.exe Code function: 11_2_017E25E0 mov eax, dword ptr fs:[00000030h] 11_2_017E25E0
Source: C:\Users\user\Desktop\47879282.EXE.exe Code function: 11_2_017E65D0 mov eax, dword ptr fs:[00000030h] 11_2_017E65D0
Source: C:\Users\user\Desktop\47879282.EXE.exe Code function: 11_2_0180E53E mov eax, dword ptr fs:[00000030h] 11_2_0180E53E
Source: C:\Users\user\Desktop\47879282.EXE.exe Code function: 11_2_0180E53E mov eax, dword ptr fs:[00000030h] 11_2_0180E53E
Source: C:\Users\user\Desktop\47879282.EXE.exe Code function: 11_2_0180E53E mov eax, dword ptr fs:[00000030h] 11_2_0180E53E
Source: C:\Users\user\Desktop\47879282.EXE.exe Code function: 11_2_0180E53E mov eax, dword ptr fs:[00000030h] 11_2_0180E53E
Source: C:\Users\user\Desktop\47879282.EXE.exe Code function: 11_2_0180E53E mov eax, dword ptr fs:[00000030h] 11_2_0180E53E
Source: C:\Users\user\Desktop\47879282.EXE.exe Code function: 11_2_0181656A mov eax, dword ptr fs:[00000030h] 11_2_0181656A
Source: C:\Users\user\Desktop\47879282.EXE.exe Code function: 11_2_0181656A mov eax, dword ptr fs:[00000030h] 11_2_0181656A
Source: C:\Users\user\Desktop\47879282.EXE.exe Code function: 11_2_0181656A mov eax, dword ptr fs:[00000030h] 11_2_0181656A
Source: C:\Users\user\Desktop\47879282.EXE.exe Code function: 11_2_017E2582 mov eax, dword ptr fs:[00000030h] 11_2_017E2582
Source: C:\Users\user\Desktop\47879282.EXE.exe Code function: 11_2_017E2582 mov ecx, dword ptr fs:[00000030h] 11_2_017E2582
Source: C:\Users\user\Desktop\47879282.EXE.exe Code function: 11_2_0189A49A mov eax, dword ptr fs:[00000030h] 11_2_0189A49A
Source: C:\Users\user\Desktop\47879282.EXE.exe Code function: 11_2_017D645D mov eax, dword ptr fs:[00000030h] 11_2_017D645D
Source: C:\Users\user\Desktop\47879282.EXE.exe Code function: 11_2_018144B0 mov ecx, dword ptr fs:[00000030h] 11_2_018144B0
Source: C:\Users\user\Desktop\47879282.EXE.exe Code function: 11_2_0186A4B0 mov eax, dword ptr fs:[00000030h] 11_2_0186A4B0
Source: C:\Users\user\Desktop\47879282.EXE.exe Code function: 11_2_017DC427 mov eax, dword ptr fs:[00000030h] 11_2_017DC427
Source: C:\Users\user\Desktop\47879282.EXE.exe Code function: 11_2_017DE420 mov eax, dword ptr fs:[00000030h] 11_2_017DE420
Source: C:\Users\user\Desktop\47879282.EXE.exe Code function: 11_2_017DE420 mov eax, dword ptr fs:[00000030h] 11_2_017DE420
Source: C:\Users\user\Desktop\47879282.EXE.exe Code function: 11_2_017DE420 mov eax, dword ptr fs:[00000030h] 11_2_017DE420
Source: C:\Users\user\Desktop\47879282.EXE.exe Code function: 11_2_01818402 mov eax, dword ptr fs:[00000030h] 11_2_01818402
Source: C:\Users\user\Desktop\47879282.EXE.exe Code function: 11_2_01818402 mov eax, dword ptr fs:[00000030h] 11_2_01818402
Source: C:\Users\user\Desktop\47879282.EXE.exe Code function: 11_2_01818402 mov eax, dword ptr fs:[00000030h] 11_2_01818402
Source: C:\Users\user\Desktop\47879282.EXE.exe Code function: 11_2_017E04E5 mov ecx, dword ptr fs:[00000030h] 11_2_017E04E5
Source: C:\Users\user\Desktop\47879282.EXE.exe Code function: 11_2_01866420 mov eax, dword ptr fs:[00000030h] 11_2_01866420
Source: C:\Users\user\Desktop\47879282.EXE.exe Code function: 11_2_01866420 mov eax, dword ptr fs:[00000030h] 11_2_01866420
Source: C:\Users\user\Desktop\47879282.EXE.exe Code function: 11_2_01866420 mov eax, dword ptr fs:[00000030h] 11_2_01866420
Source: C:\Users\user\Desktop\47879282.EXE.exe Code function: 11_2_01866420 mov eax, dword ptr fs:[00000030h] 11_2_01866420
Source: C:\Users\user\Desktop\47879282.EXE.exe Code function: 11_2_01866420 mov eax, dword ptr fs:[00000030h] 11_2_01866420
Source: C:\Users\user\Desktop\47879282.EXE.exe Code function: 11_2_01866420 mov eax, dword ptr fs:[00000030h] 11_2_01866420
Source: C:\Users\user\Desktop\47879282.EXE.exe Code function: 11_2_01866420 mov eax, dword ptr fs:[00000030h] 11_2_01866420
Source: C:\Users\user\Desktop\47879282.EXE.exe Code function: 11_2_0181A430 mov eax, dword ptr fs:[00000030h] 11_2_0181A430
Source: C:\Users\user\Desktop\47879282.EXE.exe Code function: 11_2_0181E443 mov eax, dword ptr fs:[00000030h] 11_2_0181E443
Source: C:\Users\user\Desktop\47879282.EXE.exe Code function: 11_2_0181E443 mov eax, dword ptr fs:[00000030h] 11_2_0181E443
Source: C:\Users\user\Desktop\47879282.EXE.exe Code function: 11_2_0181E443 mov eax, dword ptr fs:[00000030h] 11_2_0181E443
Source: C:\Users\user\Desktop\47879282.EXE.exe Code function: 11_2_0181E443 mov eax, dword ptr fs:[00000030h] 11_2_0181E443
Source: C:\Users\user\Desktop\47879282.EXE.exe Code function: 11_2_0181E443 mov eax, dword ptr fs:[00000030h] 11_2_0181E443
Source: C:\Users\user\Desktop\47879282.EXE.exe Code function: 11_2_0181E443 mov eax, dword ptr fs:[00000030h] 11_2_0181E443
Source: C:\Users\user\Desktop\47879282.EXE.exe Code function: 11_2_0181E443 mov eax, dword ptr fs:[00000030h] 11_2_0181E443
Source: C:\Users\user\Desktop\47879282.EXE.exe Code function: 11_2_0181E443 mov eax, dword ptr fs:[00000030h] 11_2_0181E443
Source: C:\Users\user\Desktop\47879282.EXE.exe Code function: 11_2_017E64AB mov eax, dword ptr fs:[00000030h] 11_2_017E64AB
Source: C:\Users\user\Desktop\47879282.EXE.exe Code function: 11_2_0180245A mov eax, dword ptr fs:[00000030h] 11_2_0180245A
Source: C:\Users\user\Desktop\47879282.EXE.exe Code function: 11_2_0189A456 mov eax, dword ptr fs:[00000030h] 11_2_0189A456
Source: C:\Users\user\Desktop\47879282.EXE.exe Code function: 11_2_0186C460 mov ecx, dword ptr fs:[00000030h] 11_2_0186C460
Source: C:\Users\user\Desktop\47879282.EXE.exe Code function: 11_2_0180A470 mov eax, dword ptr fs:[00000030h] 11_2_0180A470
Source: C:\Users\user\Desktop\47879282.EXE.exe Code function: 11_2_0180A470 mov eax, dword ptr fs:[00000030h] 11_2_0180A470
Source: C:\Users\user\Desktop\47879282.EXE.exe Code function: 11_2_0180A470 mov eax, dword ptr fs:[00000030h] 11_2_0180A470
Source: C:\Users\user\Desktop\47879282.EXE.exe Code function: 11_2_0188678E mov eax, dword ptr fs:[00000030h] 11_2_0188678E
Source: C:\Users\user\Desktop\47879282.EXE.exe Code function: 11_2_017E8770 mov eax, dword ptr fs:[00000030h] 11_2_017E8770
Source: C:\Users\user\Desktop\47879282.EXE.exe Code function: 11_2_017F0770 mov eax, dword ptr fs:[00000030h] 11_2_017F0770
Source: C:\Users\user\Desktop\47879282.EXE.exe Code function: 11_2_017F0770 mov eax, dword ptr fs:[00000030h] 11_2_017F0770
Source: C:\Users\user\Desktop\47879282.EXE.exe Code function: 11_2_017F0770 mov eax, dword ptr fs:[00000030h] 11_2_017F0770
Source: C:\Users\user\Desktop\47879282.EXE.exe Code function: 11_2_017F0770 mov eax, dword ptr fs:[00000030h] 11_2_017F0770
Source: C:\Users\user\Desktop\47879282.EXE.exe Code function: 11_2_017F0770 mov eax, dword ptr fs:[00000030h] 11_2_017F0770
Source: C:\Users\user\Desktop\47879282.EXE.exe Code function: 11_2_017F0770 mov eax, dword ptr fs:[00000030h] 11_2_017F0770
Source: C:\Users\user\Desktop\47879282.EXE.exe Code function: 11_2_017F0770 mov eax, dword ptr fs:[00000030h] 11_2_017F0770
Source: C:\Users\user\Desktop\47879282.EXE.exe Code function: 11_2_017F0770 mov eax, dword ptr fs:[00000030h] 11_2_017F0770
Source: C:\Users\user\Desktop\47879282.EXE.exe Code function: 11_2_017F0770 mov eax, dword ptr fs:[00000030h] 11_2_017F0770
Source: C:\Users\user\Desktop\47879282.EXE.exe Code function: 11_2_017F0770 mov eax, dword ptr fs:[00000030h] 11_2_017F0770
Source: C:\Users\user\Desktop\47879282.EXE.exe Code function: 11_2_017F0770 mov eax, dword ptr fs:[00000030h] 11_2_017F0770
Source: C:\Users\user\Desktop\47879282.EXE.exe Code function: 11_2_017F0770 mov eax, dword ptr fs:[00000030h] 11_2_017F0770
Source: C:\Users\user\Desktop\47879282.EXE.exe Code function: 11_2_018947A0 mov eax, dword ptr fs:[00000030h] 11_2_018947A0
Source: C:\Users\user\Desktop\47879282.EXE.exe Code function: 11_2_017E0750 mov eax, dword ptr fs:[00000030h] 11_2_017E0750
Source: C:\Users\user\Desktop\47879282.EXE.exe Code function: 11_2_018607C3 mov eax, dword ptr fs:[00000030h] 11_2_018607C3
Source: C:\Users\user\Desktop\47879282.EXE.exe Code function: 11_2_0186E7E1 mov eax, dword ptr fs:[00000030h] 11_2_0186E7E1
Source: C:\Users\user\Desktop\47879282.EXE.exe Code function: 11_2_018027ED mov eax, dword ptr fs:[00000030h] 11_2_018027ED
Source: C:\Users\user\Desktop\47879282.EXE.exe Code function: 11_2_018027ED mov eax, dword ptr fs:[00000030h] 11_2_018027ED
Source: C:\Users\user\Desktop\47879282.EXE.exe Code function: 11_2_018027ED mov eax, dword ptr fs:[00000030h] 11_2_018027ED
Source: C:\Users\user\Desktop\47879282.EXE.exe Code function: 11_2_017E0710 mov eax, dword ptr fs:[00000030h] 11_2_017E0710
Source: C:\Users\user\Desktop\47879282.EXE.exe Code function: 11_2_0181C700 mov eax, dword ptr fs:[00000030h] 11_2_0181C700
Source: C:\Users\user\Desktop\47879282.EXE.exe Code function: 11_2_017E47FB mov eax, dword ptr fs:[00000030h] 11_2_017E47FB
Source: C:\Users\user\Desktop\47879282.EXE.exe Code function: 11_2_017E47FB mov eax, dword ptr fs:[00000030h] 11_2_017E47FB
Source: C:\Users\user\Desktop\47879282.EXE.exe Code function: 11_2_01810710 mov eax, dword ptr fs:[00000030h] 11_2_01810710
Source: C:\Users\user\Desktop\47879282.EXE.exe Code function: 11_2_0181C720 mov eax, dword ptr fs:[00000030h] 11_2_0181C720
Source: C:\Users\user\Desktop\47879282.EXE.exe Code function: 11_2_0181C720 mov eax, dword ptr fs:[00000030h] 11_2_0181C720
Source: C:\Users\user\Desktop\47879282.EXE.exe Code function: 11_2_0185C730 mov eax, dword ptr fs:[00000030h] 11_2_0185C730
Source: C:\Users\user\Desktop\47879282.EXE.exe Code function: 11_2_0181273C mov eax, dword ptr fs:[00000030h] 11_2_0181273C
Source: C:\Users\user\Desktop\47879282.EXE.exe Code function: 11_2_0181273C mov ecx, dword ptr fs:[00000030h] 11_2_0181273C
Source: C:\Users\user\Desktop\47879282.EXE.exe Code function: 11_2_0181273C mov eax, dword ptr fs:[00000030h] 11_2_0181273C
Source: C:\Users\user\Desktop\47879282.EXE.exe Code function: 11_2_017EC7C0 mov eax, dword ptr fs:[00000030h] 11_2_017EC7C0
Source: C:\Users\user\Desktop\47879282.EXE.exe Code function: 11_2_0181674D mov esi, dword ptr fs:[00000030h] 11_2_0181674D
Source: C:\Users\user\Desktop\47879282.EXE.exe Code function: 11_2_0181674D mov eax, dword ptr fs:[00000030h] 11_2_0181674D
Source: C:\Users\user\Desktop\47879282.EXE.exe Code function: 11_2_0181674D mov eax, dword ptr fs:[00000030h] 11_2_0181674D
Source: C:\Users\user\Desktop\47879282.EXE.exe Code function: 11_2_017E07AF mov eax, dword ptr fs:[00000030h] 11_2_017E07AF
Source: C:\Users\user\Desktop\47879282.EXE.exe Code function: 11_2_01822750 mov eax, dword ptr fs:[00000030h] 11_2_01822750
Source: C:\Users\user\Desktop\47879282.EXE.exe Code function: 11_2_01822750 mov eax, dword ptr fs:[00000030h] 11_2_01822750
Source: C:\Users\user\Desktop\47879282.EXE.exe Code function: 11_2_01864755 mov eax, dword ptr fs:[00000030h] 11_2_01864755
Source: C:\Users\user\Desktop\47879282.EXE.exe Code function: 11_2_0186E75D mov eax, dword ptr fs:[00000030h] 11_2_0186E75D
Source: C:\Users\user\Desktop\47879282.EXE.exe Code function: 11_2_0181C6A6 mov eax, dword ptr fs:[00000030h] 11_2_0181C6A6
Source: C:\Users\user\Desktop\47879282.EXE.exe Code function: 11_2_018166B0 mov eax, dword ptr fs:[00000030h] 11_2_018166B0
Source: C:\Users\user\Desktop\47879282.EXE.exe Code function: 11_2_017FC640 mov eax, dword ptr fs:[00000030h] 11_2_017FC640
Source: C:\Users\user\Desktop\47879282.EXE.exe Code function: 11_2_0181A6C7 mov ebx, dword ptr fs:[00000030h] 11_2_0181A6C7
Source: C:\Users\user\Desktop\47879282.EXE.exe Code function: 11_2_0181A6C7 mov eax, dword ptr fs:[00000030h] 11_2_0181A6C7
Source: C:\Users\user\Desktop\47879282.EXE.exe Code function: 11_2_017E262C mov eax, dword ptr fs:[00000030h] 11_2_017E262C
Source: C:\Users\user\Desktop\47879282.EXE.exe Code function: 11_2_017FE627 mov eax, dword ptr fs:[00000030h] 11_2_017FE627
Source: C:\Users\user\Desktop\47879282.EXE.exe Code function: 11_2_017F260B mov eax, dword ptr fs:[00000030h] 11_2_017F260B
Source: C:\Users\user\Desktop\47879282.EXE.exe Code function: 11_2_017F260B mov eax, dword ptr fs:[00000030h] 11_2_017F260B
Source: C:\Users\user\Desktop\47879282.EXE.exe Code function: 11_2_017F260B mov eax, dword ptr fs:[00000030h] 11_2_017F260B
Source: C:\Users\user\Desktop\47879282.EXE.exe Code function: 11_2_017F260B mov eax, dword ptr fs:[00000030h] 11_2_017F260B
Source: C:\Users\user\Desktop\47879282.EXE.exe Code function: 11_2_017F260B mov eax, dword ptr fs:[00000030h] 11_2_017F260B
Source: C:\Users\user\Desktop\47879282.EXE.exe Code function: 11_2_017F260B mov eax, dword ptr fs:[00000030h] 11_2_017F260B
Source: C:\Users\user\Desktop\47879282.EXE.exe Code function: 11_2_017F260B mov eax, dword ptr fs:[00000030h] 11_2_017F260B
Source: C:\Users\user\Desktop\47879282.EXE.exe Code function: 11_2_0185E6F2 mov eax, dword ptr fs:[00000030h] 11_2_0185E6F2
Source: C:\Users\user\Desktop\47879282.EXE.exe Code function: 11_2_0185E6F2 mov eax, dword ptr fs:[00000030h] 11_2_0185E6F2
Source: C:\Users\user\Desktop\47879282.EXE.exe Code function: 11_2_0185E6F2 mov eax, dword ptr fs:[00000030h] 11_2_0185E6F2
Source: C:\Users\user\Desktop\47879282.EXE.exe Code function: 11_2_0185E6F2 mov eax, dword ptr fs:[00000030h] 11_2_0185E6F2
Source: C:\Users\user\Desktop\47879282.EXE.exe Code function: 11_2_018606F1 mov eax, dword ptr fs:[00000030h] 11_2_018606F1
Source: C:\Users\user\Desktop\47879282.EXE.exe Code function: 11_2_018606F1 mov eax, dword ptr fs:[00000030h] 11_2_018606F1
Source: C:\Users\user\Desktop\47879282.EXE.exe Code function: 11_2_0185E609 mov eax, dword ptr fs:[00000030h] 11_2_0185E609
Source: C:\Users\user\Desktop\47879282.EXE.exe Code function: 11_2_01822619 mov eax, dword ptr fs:[00000030h] 11_2_01822619
Source: C:\Users\user\Desktop\47879282.EXE.exe Code function: 11_2_01816620 mov eax, dword ptr fs:[00000030h] 11_2_01816620
Source: C:\Users\user\Desktop\47879282.EXE.exe Code function: 11_2_01818620 mov eax, dword ptr fs:[00000030h] 11_2_01818620
Source: C:\Users\user\Desktop\47879282.EXE.exe Code function: 11_2_0181A660 mov eax, dword ptr fs:[00000030h] 11_2_0181A660
Source: C:\Users\user\Desktop\47879282.EXE.exe Code function: 11_2_0181A660 mov eax, dword ptr fs:[00000030h] 11_2_0181A660
Source: C:\Users\user\Desktop\47879282.EXE.exe Code function: 11_2_018A866E mov eax, dword ptr fs:[00000030h] 11_2_018A866E
Source: C:\Users\user\Desktop\47879282.EXE.exe Code function: 11_2_018A866E mov eax, dword ptr fs:[00000030h] 11_2_018A866E
Source: C:\Users\user\Desktop\47879282.EXE.exe Code function: 11_2_017E4690 mov eax, dword ptr fs:[00000030h] 11_2_017E4690
Source: C:\Users\user\Desktop\47879282.EXE.exe Code function: 11_2_017E4690 mov eax, dword ptr fs:[00000030h] 11_2_017E4690
Source: C:\Users\user\Desktop\47879282.EXE.exe Code function: 11_2_01812674 mov eax, dword ptr fs:[00000030h] 11_2_01812674
Source: C:\Users\user\Desktop\47879282.EXE.exe Code function: 11_2_018689B3 mov esi, dword ptr fs:[00000030h] 11_2_018689B3
Source: C:\Users\user\Desktop\47879282.EXE.exe Code function: 11_2_018689B3 mov eax, dword ptr fs:[00000030h] 11_2_018689B3
Source: C:\Users\user\Desktop\47879282.EXE.exe Code function: 11_2_018689B3 mov eax, dword ptr fs:[00000030h] 11_2_018689B3
Source: C:\Users\user\Desktop\47879282.EXE.exe Code function: 11_2_018769C0 mov eax, dword ptr fs:[00000030h] 11_2_018769C0
Source: C:\Users\user\Desktop\47879282.EXE.exe Code function: 11_2_018149D0 mov eax, dword ptr fs:[00000030h] 11_2_018149D0
Source: C:\Users\user\Desktop\47879282.EXE.exe Code function: 11_2_018AA9D3 mov eax, dword ptr fs:[00000030h] 11_2_018AA9D3
Source: C:\Users\user\Desktop\47879282.EXE.exe Code function: 11_2_017D8918 mov eax, dword ptr fs:[00000030h] 11_2_017D8918
Source: C:\Users\user\Desktop\47879282.EXE.exe Code function: 11_2_017D8918 mov eax, dword ptr fs:[00000030h] 11_2_017D8918
Source: C:\Users\user\Desktop\47879282.EXE.exe Code function: 11_2_0186E9E0 mov eax, dword ptr fs:[00000030h] 11_2_0186E9E0
Source: C:\Users\user\Desktop\47879282.EXE.exe Code function: 11_2_018129F9 mov eax, dword ptr fs:[00000030h] 11_2_018129F9
Source: C:\Users\user\Desktop\47879282.EXE.exe Code function: 11_2_018129F9 mov eax, dword ptr fs:[00000030h] 11_2_018129F9
Source: C:\Users\user\Desktop\47879282.EXE.exe Code function: 11_2_0185E908 mov eax, dword ptr fs:[00000030h] 11_2_0185E908
Source: C:\Users\user\Desktop\47879282.EXE.exe Code function: 11_2_0185E908 mov eax, dword ptr fs:[00000030h] 11_2_0185E908
Source: C:\Users\user\Desktop\47879282.EXE.exe Code function: 11_2_0186C912 mov eax, dword ptr fs:[00000030h] 11_2_0186C912
Source: C:\Users\user\Desktop\47879282.EXE.exe Code function: 11_2_0186892A mov eax, dword ptr fs:[00000030h] 11_2_0186892A
Source: C:\Users\user\Desktop\47879282.EXE.exe Code function: 11_2_0187892B mov eax, dword ptr fs:[00000030h] 11_2_0187892B
Source: C:\Users\user\Desktop\47879282.EXE.exe Code function: 11_2_017EA9D0 mov eax, dword ptr fs:[00000030h] 11_2_017EA9D0
Source: C:\Users\user\Desktop\47879282.EXE.exe Code function: 11_2_017EA9D0 mov eax, dword ptr fs:[00000030h] 11_2_017EA9D0
Source: C:\Users\user\Desktop\47879282.EXE.exe Code function: 11_2_017EA9D0 mov eax, dword ptr fs:[00000030h] 11_2_017EA9D0
Source: C:\Users\user\Desktop\47879282.EXE.exe Code function: 11_2_017EA9D0 mov eax, dword ptr fs:[00000030h] 11_2_017EA9D0
Source: C:\Users\user\Desktop\47879282.EXE.exe Code function: 11_2_017EA9D0 mov eax, dword ptr fs:[00000030h] 11_2_017EA9D0
Source: C:\Users\user\Desktop\47879282.EXE.exe Code function: 11_2_017EA9D0 mov eax, dword ptr fs:[00000030h] 11_2_017EA9D0
Source: C:\Users\user\Desktop\47879282.EXE.exe Code function: 11_2_01860946 mov eax, dword ptr fs:[00000030h] 11_2_01860946
Source: C:\Users\user\Desktop\47879282.EXE.exe Code function: 11_2_018B4940 mov eax, dword ptr fs:[00000030h] 11_2_018B4940
Source: C:\Users\user\Desktop\47879282.EXE.exe Code function: 11_2_017E09AD mov eax, dword ptr fs:[00000030h] 11_2_017E09AD
Source: C:\Users\user\Desktop\47879282.EXE.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\47879282.EXE.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\47879282.EXE.exe Memory written: C:\Users\user\Desktop\47879282.EXE.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\47879282.EXE.exe Process created: C:\Users\user\Desktop\47879282.EXE.exe "C:\Users\user\Desktop\47879282.EXE.exe"
Source: C:\Users\user\Desktop\47879282.EXE.exe Queries volume information: C:\Users\user\Desktop\47879282.EXE.exe VolumeInformation
Source: C:\Users\user\Desktop\47879282.EXE.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\47879282.EXE.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\47879282.EXE.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\47879282.EXE.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\47879282.EXE.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Users\user\Desktop\47879282.EXE.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match File source: 11.2.47879282.EXE.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.47879282.EXE.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000B.00000002.2037666483.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.2038050513.00000000012F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Source: Yara match File source: 11.2.47879282.EXE.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.47879282.EXE.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000B.00000002.2037666483.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.2038050513.00000000012F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
No contacted IP infos