Windows Analysis Report
S12.exe

Overview

General Information

Sample name: S12.exe
Analysis ID: 1562140
MD5: ffd8b14a461473ffc4f11bcfcc5455c0
SHA1: decdfeb89ce19547d312b0bd3f905a21d11dac8f
SHA256: 02a5fca125cbaa58a96ad120e3fc159dc9db2b5e5eaa724fa749734ed75546ab
Tags: exemalwaretrojanuser-Joker
Infos:

Detection

Score: 76
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected unpacking (creates a PE file in dynamic memory)
Multi AV Scanner detection for dropped file
AI detected suspicious sample
Found evasive API chain (may stop execution after checking mutex)
Machine Learning detection for dropped file
Machine Learning detection for sample
Renames NTDLL to bypass HIPS
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to record screenshots
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Drops PE files
Enables debug privileges
Enables driver privileges
Enables security privileges
Entry point lies outside standard sections
Found dropped PE file which has not been started or loaded
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
Installs a raw input device (often for capturing keystrokes)
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
PE file does not import any functions
Sample file is different than original file name gathered from version info
Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Keylogger Generic

Classification

AV Detection
barindex
Multi AV Scanner detection for dropped file
Source: C:\Users\user\Desktop\QQWER.dll ReversingLabs: Detection: 73%
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 96.0% probability
Machine Learning detection for dropped file
Source: C:\Users\user\Desktop\QQWER.dll Joe Sandbox ML: detected
Machine Learning detection for sample
Source: S12.exe Joe Sandbox ML: detected

Compliance
barindex
Detected unpacking (creates a PE file in dynamic memory)
Source: C:\Users\user\Desktop\S12.exe Unpacked PE file: 0.2.S12.exe.10000000.2.unpack
Source: C:\Users\user\Desktop\S12.exe Unpacked PE file: 5.2.S12.exe.10000000.2.unpack
Uses 32bit PE files
Source: S12.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: Binary string: devco n.pdbo source: S12.exe
Source: Binary string: wntdll.pdbUGP source: S12.exe, 00000000.00000003.1469901007.0000000002B48000.00000004.00000020.00020000.00000000.sdmp, S12.exe, 00000000.00000002.2721133599.0000000002CF7000.00000040.00000020.00020000.00000000.sdmp, S12.exe, 00000005.00000002.2721298956.0000000002BFD000.00000040.00000020.00020000.00000000.sdmp, S12.exe, 00000005.00000003.1832201461.0000000002A4D000.00000004.00000020.00020000.00000000.sdmp, 60bae0.tmp.5.dr, 602d46.tmp.0.dr
Source: Binary string: wntdll.pdb source: S12.exe, 00000000.00000003.1469901007.0000000002B48000.00000004.00000020.00020000.00000000.sdmp, S12.exe, 00000000.00000002.2721133599.0000000002CF7000.00000040.00000020.00020000.00000000.sdmp, S12.exe, 00000005.00000002.2721298956.0000000002BFD000.00000040.00000020.00020000.00000000.sdmp, S12.exe, 00000005.00000003.1832201461.0000000002A4D000.00000004.00000020.00020000.00000000.sdmp, 60bae0.tmp.5.dr, 602d46.tmp.0.dr
Source: Binary string: DrvInDM U.pdbe source: S12.exe
Source: Binary string: wuser32.pdb source: S12.exe, 00000000.00000003.1470628507.0000000002994000.00000004.00000020.00020000.00000000.sdmp, S12.exe, 00000000.00000002.2720833506.0000000002B44000.00000040.00000020.00020000.00000000.sdmp, S12.exe, 00000005.00000002.2721522199.0000000002DBF000.00000040.00000020.00020000.00000000.sdmp, S12.exe, 00000005.00000003.1833009540.0000000002A49000.00000004.00000020.00020000.00000000.sdmp, 60bb2f.tmp.5.dr, 602da4.tmp.0.dr
Source: Binary string: devc@on.pdb source: S12.exe
Source: Binary string: wuser32.pdbUGP source: S12.exe, 00000000.00000003.1470628507.0000000002994000.00000004.00000020.00020000.00000000.sdmp, S12.exe, 00000000.00000002.2720833506.0000000002B44000.00000040.00000020.00020000.00000000.sdmp, S12.exe, 00000005.00000002.2721522199.0000000002DBF000.00000040.00000020.00020000.00000000.sdmp, S12.exe, 00000005.00000003.1833009540.0000000002A49000.00000004.00000020.00020000.00000000.sdmp, 60bb2f.tmp.5.dr, 602da4.tmp.0.dr
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-20h], esp 0_2_1000710E
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-20h], esp 0_2_1000710E
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-28h], esp 0_2_1000710E
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-20h], esp 0_2_1000710E
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-10h], esp 0_2_1001A199
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-04h], esp 0_2_10018AD3
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-04h], esp 0_2_10018AD3
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-04h], esp 0_2_10018EEA
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-20h], esp 0_2_100193C2
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-24h], esp 0_2_100193C2
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-0Ch], esp 0_2_10007FDD
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-0Ch], esp 0_2_10018801
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-14h], esp 0_2_10017804
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-0Ch], esp 0_2_10011772
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-10h], esp 0_2_10013C18
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-04h], esp 0_2_10011C1A
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-10h], esp 0_2_1001A031
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-58h], esp 0_2_10024C38
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-20h], esp 0_2_1001AC51
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-20h], esp 0_2_1001AC51
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-20h], esp 0_2_1001AC51
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-10h], esp 0_2_10006051
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-10h], esp 0_2_10006051
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-14h], esp 0_2_1001385A
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-04h], esp 0_2_10002461
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-0Ch], esp 0_2_1000F472
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-18h], esp 0_2_1001847E
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-10h], esp 0_2_10022882
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-38h], esp 0_2_10025484
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-58h], esp 0_2_10025484
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-20h], esp 0_2_10006495
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-10h], esp 0_2_10006C96
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-04h], esp 0_2_10014096
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-04h], esp 0_2_10014096
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-14h], esp 0_2_100024AC
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-20h], esp 0_2_100024AC
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-14h], esp 0_2_100024AC
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-14h], esp 0_2_100024AC
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-10h], esp 0_2_1000FCB0
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-1Ch], esp 0_2_1001A8BE
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-1Ch], esp 0_2_1001A8BE
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-1Ch], esp 0_2_1001A8BE
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-1Ch], esp 0_2_1001A8BE
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-1Ch], esp 0_2_1001A8BE
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-1Ch], esp 0_2_1001A8BE
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-1Ch], esp 0_2_1001A8BE
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-1Ch], esp 0_2_1001A8BE
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-1Ch], esp 0_2_1001A8BE
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-1Ch], esp 0_2_1001A8BE
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-1Ch], esp 0_2_1001A8BE
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-1Ch], esp 0_2_1001A8BE
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-44h], esp 0_2_100198CC
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-08h], esp 0_2_100188E1
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-14h], esp 0_2_1001A4E7
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-14h], esp 0_2_1000210D
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-14h], esp 0_2_1000210D
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-24h], esp 0_2_1000B90D
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-10h], esp 0_2_10003116
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-0Ch], esp 0_2_10017D41
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-0Ch], esp 0_2_10017D41
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-10h], esp 0_2_1000FD4D
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-08h], esp 0_2_10001D56
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-58h], esp 0_2_10025977
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-0Ch], esp 0_2_10010199
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-04h], esp 0_2_1001419C
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-04h], esp 0_2_1001419C
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-10h], esp 0_2_10008DA3
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-08h], esp 0_2_100111A7
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-10h], esp 0_2_10007DB8
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-18h], esp 0_2_100151BD
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-18h], esp 0_2_100151BD
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-18h], esp 0_2_100151BD
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-28h], esp 0_2_1001D1C4
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-20h], esp 0_2_1001D1C4
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-3Ch], esp 0_2_100259D9
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-2Ch], esp 0_2_100221E2
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-2Ch], esp 0_2_100221E2
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-2Ch], esp 0_2_100221E2
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-2Ch], esp 0_2_100221E2
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-2Ch], esp 0_2_100221E2
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-10h], esp 0_2_100189E6
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-0Ch], esp 0_2_1000FDEA
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-08h], esp 0_2_100101FB
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-08h], esp 0_2_10014203
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-14h], esp 0_2_1001121A
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-14h], esp 0_2_1001121A
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-14h], esp 0_2_1001121A
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-14h], esp 0_2_1001121A
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-14h], esp 0_2_1001121A
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-14h], esp 0_2_1001121A
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-0Ch], esp 0_2_1000B61E
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-2Ch], esp 0_2_1001221F
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-2Ch], esp 0_2_1001221F
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-14h], esp 0_2_1001A236
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-0Ch], esp 0_2_1001363D
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-14h], esp 0_2_1001363D
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-10h], esp 0_2_10008E40
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-08h], esp 0_2_10011653
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-08h], esp 0_2_10011653
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-10h], esp 0_2_10010255
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-10h], esp 0_2_10010255
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-10h], esp 0_2_10007E55
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-24h], esp 0_2_10007E55
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-50h], esp 0_2_1000C655
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-50h], esp 0_2_1000C655
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-50h], esp 0_2_1000C655
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-50h], esp 0_2_1000C655
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-50h], esp 0_2_1000C655
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-50h], esp 0_2_1000C655
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-3Ch], esp 0_2_1000C655
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-3Ch], esp 0_2_1000C655
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-3Ch], esp 0_2_1000C655
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-40h], esp 0_2_1000C655
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-3Ch], esp 0_2_1000C655
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-50h], esp 0_2_1000C655
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-3Ch], esp 0_2_1000C655
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-3Ch], esp 0_2_1000C655
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-40h], esp 0_2_1000C655
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-3Ch], esp 0_2_1000C655
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-10h], esp 0_2_1000FA6F
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-10h], esp 0_2_10022A80
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-10h], esp 0_2_10011E89
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-44h], esp 0_2_10014289
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-44h], esp 0_2_10014289
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-44h], esp 0_2_10014289
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-48h], esp 0_2_10014289
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-4Ch], esp 0_2_10014289
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-58h], esp 0_2_10014289
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-44h], esp 0_2_10014289
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-44h], esp 0_2_10014289
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-44h], esp 0_2_10014289
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-48h], esp 0_2_10014289
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-44h], esp 0_2_10014289
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-44h], esp 0_2_10014289
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-48h], esp 0_2_10014289
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-44h], esp 0_2_10014289
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-44h], esp 0_2_10014289
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-48h], esp 0_2_10014289
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-48h], esp 0_2_10014289
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-4Ch], esp 0_2_1002129C
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-4Ch], esp 0_2_1002129C
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-4Ch], esp 0_2_1002129C
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-4Ch], esp 0_2_1002129C
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-4Ch], esp 0_2_1002129C
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-54h], esp 0_2_1002129C
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-4Ch], esp 0_2_1002129C
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-4Ch], esp 0_2_1002129C
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-4Ch], esp 0_2_1002129C
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-50h], esp 0_2_1002129C
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-4Ch], esp 0_2_1002129C
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-4Ch], esp 0_2_1002129C
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-4Ch], esp 0_2_1002129C
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-4Ch], esp 0_2_1002129C
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-14h], esp 0_2_1001A6C7
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-20h], esp 0_2_10017ECA
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-10h], esp 0_2_10010AD6
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-10h], esp 0_2_10010AD6
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-38h], esp 0_2_10008EDD
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-04h], esp 0_2_1001BADE
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-10h], esp 0_2_100246E4
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp 0_2_1001F2ED
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp 0_2_1001F2ED
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp 0_2_1001F2ED
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp 0_2_1001F2ED
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp 0_2_1001F2ED
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-0000008Ch], esp 0_2_1001F2ED
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp 0_2_1001F2ED
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp 0_2_1001F2ED
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp 0_2_1001F2ED
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp 0_2_1001F2ED
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp 0_2_1001F2ED
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp 0_2_1001F2ED
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp 0_2_1001F2ED
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp 0_2_1001F2ED
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp 0_2_1001F2ED
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp 0_2_1001F2ED
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp 0_2_1001F2ED
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp 0_2_1001F2ED
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp 0_2_1001F2ED
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-0000008Ch], esp 0_2_1001F2ED
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp 0_2_1001F2ED
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp 0_2_1001F2ED
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-0000008Ch], esp 0_2_1001F2ED
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp 0_2_1001F2ED
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp 0_2_1001F2ED
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp 0_2_1001F2ED
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-0000008Ch], esp 0_2_1001F2ED
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-0000008Ch], esp 0_2_1001F2ED
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp 0_2_1001F2ED
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp 0_2_1001F2ED
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp 0_2_1001F2ED
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp 0_2_1001F2ED
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp 0_2_1001F2ED
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-10h], esp 0_2_1001A6F8
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-18h], esp 0_2_1001A6F8
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-10h], esp 0_2_1001A6F8
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-10h], esp 0_2_1001A6F8
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-10h], esp 0_2_1001A6F8
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-10h], esp 0_2_1001A6F8
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-08h], esp 0_2_100236FF
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-08h], esp 0_2_100236FF
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-10h], esp 0_2_1000FF10
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-10h], esp 0_2_10008B27
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-04h], esp 0_2_1001BB29
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-14h], esp 0_2_10015B34
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-10h], esp 0_2_1000833D
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-34h], esp 0_2_10012B40
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-04h], esp 0_2_1000634E
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-10h], esp 0_2_1000B353
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-4Ch], esp 0_2_10026356
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-54h], esp 0_2_1001DB5C
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-44h], esp 0_2_1001DB5C
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-0Ch], esp 0_2_10017B68
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-0Ch], esp 0_2_10011772
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-38h], esp 0_2_10024781
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-58h], esp 0_2_10024781
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-0Ch], esp 0_2_1002378A
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-0Ch], esp 0_2_1002378A
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-14h], esp 0_2_1002378A
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-0Ch], esp 0_2_1002378A
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-0Ch], esp 0_2_1002378A
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-44h], esp 0_2_10014289
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-44h], esp 0_2_10014289
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-44h], esp 0_2_10014289
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-48h], esp 0_2_10014289
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-4Ch], esp 0_2_10014289
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-58h], esp 0_2_10014289
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-44h], esp 0_2_10014289
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-44h], esp 0_2_10014289
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-44h], esp 0_2_10014289
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-48h], esp 0_2_10014289
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-44h], esp 0_2_10014289
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-44h], esp 0_2_10014289
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-48h], esp 0_2_10014289
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-44h], esp 0_2_10014289
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-44h], esp 0_2_10014289
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-48h], esp 0_2_10014289
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-48h], esp 0_2_10014289
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-1Ch], esp 0_2_1001BFA0
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-1Ch], esp 0_2_1001BFA0
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-1Ch], esp 0_2_1001BFA0
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-24h], esp 0_2_1001BFA0
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-1Ch], esp 0_2_1001BFA0
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-18h], esp 0_2_1000A7A2
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-10h], esp 0_2_100137A3
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-10h], esp 0_2_1000F7AC
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-10h], esp 0_2_10008BC4
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-10h], esp 0_2_10013FC8
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-10h], esp 0_2_10007BCA
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-04h], esp 0_2_10005FDA
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-10h], esp 0_2_100253E7
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-10h], esp 0_2_1000B3F0
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-20h], esp 5_2_1000710E
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-20h], esp 5_2_1000710E
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-28h], esp 5_2_1000710E
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-20h], esp 5_2_1000710E
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-10h], esp 5_2_1001A199
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-04h], esp 5_2_10018AD3
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-04h], esp 5_2_10018AD3
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-04h], esp 5_2_10018EEA
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-20h], esp 5_2_100193C2
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-24h], esp 5_2_100193C2
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-0Ch], esp 5_2_10007FDD
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-0Ch], esp 5_2_10018801
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-14h], esp 5_2_10017804
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-0Ch], esp 5_2_10011772
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-10h], esp 5_2_10013C18
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-04h], esp 5_2_10011C1A
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-10h], esp 5_2_1001A031
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-58h], esp 5_2_10024C38
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-20h], esp 5_2_1001AC51
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-20h], esp 5_2_1001AC51
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-20h], esp 5_2_1001AC51
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-10h], esp 5_2_10006051
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-10h], esp 5_2_10006051
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-14h], esp 5_2_1001385A
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-04h], esp 5_2_10002461
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-0Ch], esp 5_2_1000F472
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-18h], esp 5_2_1001847E
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-10h], esp 5_2_10022882
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-38h], esp 5_2_10025484
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-58h], esp 5_2_10025484
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-20h], esp 5_2_10006495
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-10h], esp 5_2_10006C96
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-04h], esp 5_2_10014096
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-04h], esp 5_2_10014096
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-14h], esp 5_2_100024AC
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-20h], esp 5_2_100024AC
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-14h], esp 5_2_100024AC
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-14h], esp 5_2_100024AC
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-10h], esp 5_2_1000FCB0
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-1Ch], esp 5_2_1001A8BE
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-1Ch], esp 5_2_1001A8BE
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-1Ch], esp 5_2_1001A8BE
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-1Ch], esp 5_2_1001A8BE
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-1Ch], esp 5_2_1001A8BE
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-1Ch], esp 5_2_1001A8BE
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-1Ch], esp 5_2_1001A8BE
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-1Ch], esp 5_2_1001A8BE
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-1Ch], esp 5_2_1001A8BE
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-1Ch], esp 5_2_1001A8BE
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-1Ch], esp 5_2_1001A8BE
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-1Ch], esp 5_2_1001A8BE
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-44h], esp 5_2_100198CC
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-08h], esp 5_2_100188E1
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-14h], esp 5_2_1001A4E7
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-14h], esp 5_2_1000210D
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-14h], esp 5_2_1000210D
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-24h], esp 5_2_1000B90D
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-10h], esp 5_2_10003116
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-0Ch], esp 5_2_10017D41
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-0Ch], esp 5_2_10017D41
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-10h], esp 5_2_1000FD4D
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-08h], esp 5_2_10001D56
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-58h], esp 5_2_10025977
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-0Ch], esp 5_2_10010199
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-04h], esp 5_2_1001419C
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-04h], esp 5_2_1001419C
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-10h], esp 5_2_10008DA3
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-08h], esp 5_2_100111A7
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-10h], esp 5_2_10007DB8
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-18h], esp 5_2_100151BD
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-18h], esp 5_2_100151BD
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-18h], esp 5_2_100151BD
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-28h], esp 5_2_1001D1C4
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-20h], esp 5_2_1001D1C4
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-3Ch], esp 5_2_100259D9
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-2Ch], esp 5_2_100221E2
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-2Ch], esp 5_2_100221E2
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-2Ch], esp 5_2_100221E2
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-2Ch], esp 5_2_100221E2
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-2Ch], esp 5_2_100221E2
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-10h], esp 5_2_100189E6
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-0Ch], esp 5_2_1000FDEA
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-08h], esp 5_2_100101FB
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-08h], esp 5_2_10014203
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-14h], esp 5_2_1001121A
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-14h], esp 5_2_1001121A
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-14h], esp 5_2_1001121A
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-14h], esp 5_2_1001121A
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-14h], esp 5_2_1001121A
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-14h], esp 5_2_1001121A
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-0Ch], esp 5_2_1000B61E
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-2Ch], esp 5_2_1001221F
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-2Ch], esp 5_2_1001221F
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-14h], esp 5_2_1001A236
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-0Ch], esp 5_2_1001363D
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-14h], esp 5_2_1001363D
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-10h], esp 5_2_10008E40
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-08h], esp 5_2_10011653
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-08h], esp 5_2_10011653
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-10h], esp 5_2_10010255
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-10h], esp 5_2_10010255
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-10h], esp 5_2_10007E55
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-24h], esp 5_2_10007E55
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-50h], esp 5_2_1000C655
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-50h], esp 5_2_1000C655
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-50h], esp 5_2_1000C655
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-50h], esp 5_2_1000C655
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-50h], esp 5_2_1000C655
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-50h], esp 5_2_1000C655
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-3Ch], esp 5_2_1000C655
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-3Ch], esp 5_2_1000C655
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-3Ch], esp 5_2_1000C655
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-40h], esp 5_2_1000C655
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-3Ch], esp 5_2_1000C655
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-50h], esp 5_2_1000C655
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-3Ch], esp 5_2_1000C655
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-3Ch], esp 5_2_1000C655
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-40h], esp 5_2_1000C655
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-3Ch], esp 5_2_1000C655
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-10h], esp 5_2_1000FA6F
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-10h], esp 5_2_10022A80
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-10h], esp 5_2_10011E89
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-44h], esp 5_2_10014289
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-44h], esp 5_2_10014289
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-44h], esp 5_2_10014289
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-48h], esp 5_2_10014289
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-4Ch], esp 5_2_10014289
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-58h], esp 5_2_10014289
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-44h], esp 5_2_10014289
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-44h], esp 5_2_10014289
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-44h], esp 5_2_10014289
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-48h], esp 5_2_10014289
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-44h], esp 5_2_10014289
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-44h], esp 5_2_10014289
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-48h], esp 5_2_10014289
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-44h], esp 5_2_10014289
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-44h], esp 5_2_10014289
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-48h], esp 5_2_10014289
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-48h], esp 5_2_10014289
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-4Ch], esp 5_2_1002129C
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-4Ch], esp 5_2_1002129C
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-4Ch], esp 5_2_1002129C
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-4Ch], esp 5_2_1002129C
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-4Ch], esp 5_2_1002129C
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-54h], esp 5_2_1002129C
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-4Ch], esp 5_2_1002129C
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-4Ch], esp 5_2_1002129C
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-4Ch], esp 5_2_1002129C
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-50h], esp 5_2_1002129C
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-4Ch], esp 5_2_1002129C
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-4Ch], esp 5_2_1002129C
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-4Ch], esp 5_2_1002129C
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-4Ch], esp 5_2_1002129C
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-14h], esp 5_2_1001A6C7
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-20h], esp 5_2_10017ECA
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-10h], esp 5_2_10010AD6
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-10h], esp 5_2_10010AD6
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-38h], esp 5_2_10008EDD
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-04h], esp 5_2_1001BADE
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-10h], esp 5_2_100246E4
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp 5_2_1001F2ED
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp 5_2_1001F2ED
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp 5_2_1001F2ED
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp 5_2_1001F2ED
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp 5_2_1001F2ED
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-0000008Ch], esp 5_2_1001F2ED
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp 5_2_1001F2ED
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp 5_2_1001F2ED
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp 5_2_1001F2ED
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp 5_2_1001F2ED
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp 5_2_1001F2ED
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp 5_2_1001F2ED
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp 5_2_1001F2ED
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp 5_2_1001F2ED
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp 5_2_1001F2ED
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp 5_2_1001F2ED
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp 5_2_1001F2ED
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp 5_2_1001F2ED
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp 5_2_1001F2ED
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-0000008Ch], esp 5_2_1001F2ED
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp 5_2_1001F2ED
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp 5_2_1001F2ED
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-0000008Ch], esp 5_2_1001F2ED
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp 5_2_1001F2ED
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp 5_2_1001F2ED
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp 5_2_1001F2ED
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-0000008Ch], esp 5_2_1001F2ED
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-0000008Ch], esp 5_2_1001F2ED
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp 5_2_1001F2ED
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp 5_2_1001F2ED
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp 5_2_1001F2ED
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp 5_2_1001F2ED
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp 5_2_1001F2ED
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-10h], esp 5_2_1001A6F8
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-18h], esp 5_2_1001A6F8
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-10h], esp 5_2_1001A6F8
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-10h], esp 5_2_1001A6F8
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-10h], esp 5_2_1001A6F8
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-10h], esp 5_2_1001A6F8
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-08h], esp 5_2_100236FF
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-08h], esp 5_2_100236FF
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-10h], esp 5_2_1000FF10
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-10h], esp 5_2_10008B27
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-04h], esp 5_2_1001BB29
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-14h], esp 5_2_10015B34
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-10h], esp 5_2_1000833D
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-34h], esp 5_2_10012B40
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-04h], esp 5_2_1000634E
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-10h], esp 5_2_1000B353
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-4Ch], esp 5_2_10026356
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-54h], esp 5_2_1001DB5C
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-44h], esp 5_2_1001DB5C
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-0Ch], esp 5_2_10017B68
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-0Ch], esp 5_2_10011772
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-38h], esp 5_2_10024781
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-58h], esp 5_2_10024781
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-0Ch], esp 5_2_1002378A
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-0Ch], esp 5_2_1002378A
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-14h], esp 5_2_1002378A
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-0Ch], esp 5_2_1002378A
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-0Ch], esp 5_2_1002378A
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-44h], esp 5_2_10014289
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-44h], esp 5_2_10014289
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-44h], esp 5_2_10014289
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-48h], esp 5_2_10014289
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-4Ch], esp 5_2_10014289
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-58h], esp 5_2_10014289
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-44h], esp 5_2_10014289
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-44h], esp 5_2_10014289
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-44h], esp 5_2_10014289
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-48h], esp 5_2_10014289
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-44h], esp 5_2_10014289
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-44h], esp 5_2_10014289
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-48h], esp 5_2_10014289
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-44h], esp 5_2_10014289
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-44h], esp 5_2_10014289
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-48h], esp 5_2_10014289
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-48h], esp 5_2_10014289
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-1Ch], esp 5_2_1001BFA0
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-1Ch], esp 5_2_1001BFA0
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-1Ch], esp 5_2_1001BFA0
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-24h], esp 5_2_1001BFA0
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-1Ch], esp 5_2_1001BFA0
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-18h], esp 5_2_1000A7A2
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-10h], esp 5_2_100137A3
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-10h], esp 5_2_1000F7AC
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-10h], esp 5_2_10008BC4
Source: C:\Users\user\Desktop\S12.exe Code function: 4x nop then cmp dword ptr [ebp-10h], esp 5_2_10013FC8
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET /%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txt HTTP/1.1Accept: */*User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)Host: 82.156.239.188Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /123.txt HTTP/1.1Accept: */*User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)Host: 82.156.239.188Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txt HTTP/1.1Accept: */*User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)Host: 82.156.239.188Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /123.txt HTTP/1.1Accept: */*User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)Host: 82.156.239.188Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txt HTTP/1.1Accept: */*User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)Host: 82.156.239.188Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /123.txt HTTP/1.1Accept: */*User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)Host: 82.156.239.188Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txt HTTP/1.1Accept: */*User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)Host: 82.156.239.188Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /123.txt HTTP/1.1Accept: */*User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)Host: 82.156.239.188Cache-Control: no-cache
Source: unknown TCP traffic detected without corresponding DNS query: 82.156.239.188
Source: unknown TCP traffic detected without corresponding DNS query: 82.156.239.188
Source: unknown TCP traffic detected without corresponding DNS query: 82.156.239.188
Source: unknown TCP traffic detected without corresponding DNS query: 82.156.239.188
Source: unknown TCP traffic detected without corresponding DNS query: 82.156.239.188
Source: unknown TCP traffic detected without corresponding DNS query: 82.156.239.188
Source: unknown TCP traffic detected without corresponding DNS query: 82.156.239.188
Source: unknown TCP traffic detected without corresponding DNS query: 82.156.239.188
Source: unknown TCP traffic detected without corresponding DNS query: 82.156.239.188
Source: unknown TCP traffic detected without corresponding DNS query: 82.156.239.188
Source: unknown TCP traffic detected without corresponding DNS query: 82.156.239.188
Source: unknown TCP traffic detected without corresponding DNS query: 82.156.239.188
Source: unknown TCP traffic detected without corresponding DNS query: 82.156.239.188
Source: unknown TCP traffic detected without corresponding DNS query: 82.156.239.188
Source: unknown TCP traffic detected without corresponding DNS query: 82.156.239.188
Source: unknown TCP traffic detected without corresponding DNS query: 82.156.239.188
Source: unknown TCP traffic detected without corresponding DNS query: 82.156.239.188
Source: unknown TCP traffic detected without corresponding DNS query: 82.156.239.188
Source: unknown TCP traffic detected without corresponding DNS query: 82.156.239.188
Source: unknown TCP traffic detected without corresponding DNS query: 82.156.239.188
Source: unknown TCP traffic detected without corresponding DNS query: 82.156.239.188
Source: unknown TCP traffic detected without corresponding DNS query: 82.156.239.188
Source: unknown TCP traffic detected without corresponding DNS query: 82.156.239.188
Source: unknown TCP traffic detected without corresponding DNS query: 82.156.239.188
Source: unknown TCP traffic detected without corresponding DNS query: 82.156.239.188
Source: unknown TCP traffic detected without corresponding DNS query: 82.156.239.188
Source: unknown TCP traffic detected without corresponding DNS query: 82.156.239.188
Source: unknown TCP traffic detected without corresponding DNS query: 82.156.239.188
Source: unknown TCP traffic detected without corresponding DNS query: 82.156.239.188
Source: unknown TCP traffic detected without corresponding DNS query: 82.156.239.188
Source: unknown TCP traffic detected without corresponding DNS query: 82.156.239.188
Source: unknown TCP traffic detected without corresponding DNS query: 82.156.239.188
Source: unknown TCP traffic detected without corresponding DNS query: 82.156.239.188
Source: global traffic HTTP traffic detected: GET /%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txt HTTP/1.1Accept: */*User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)Host: 82.156.239.188Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /123.txt HTTP/1.1Accept: */*User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)Host: 82.156.239.188Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txt HTTP/1.1Accept: */*User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)Host: 82.156.239.188Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /123.txt HTTP/1.1Accept: */*User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)Host: 82.156.239.188Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txt HTTP/1.1Accept: */*User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)Host: 82.156.239.188Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /123.txt HTTP/1.1Accept: */*User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)Host: 82.156.239.188Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txt HTTP/1.1Accept: */*User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)Host: 82.156.239.188Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /123.txt HTTP/1.1Accept: */*User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)Host: 82.156.239.188Cache-Control: no-cache
Source: S12.exe, 00000000.00000002.2719852664.0000000000CDA000.00000004.00000020.00020000.00000000.sdmp, S12.exe, 00000005.00000002.2719959118.0000000000AC6000.00000004.00000020.00020000.00000000.sdmp, S12.exe, 00000005.00000002.2719959118.0000000000AB5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://82.156.239.188/
Source: S12.exe String found in binary or memory: http://82.156.239.188/%E5%AD%98%E6%A1%A3/
Source: S12.exe String found in binary or memory: http://82.156.239.188/%E7%89%88%E6%9C%AC%E6%9B%B4%E6%96%B0.txt
Source: S12.exe String found in binary or memory: http://82.156.239.188/%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txt
Source: S12.exe, 00000005.00000002.2719959118.0000000000AB5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://82.156.239.188/%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txt.
Source: S12.exe, 00000005.00000002.2719959118.0000000000AB5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://82.156.239.188/%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txt0
Source: S12.exe, 00000000.00000002.2719852664.0000000000C90000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://82.156.239.188/%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txt2658-3693405117-2476756634-1003
Source: S12.exe, 00000005.00000002.2719959118.0000000000AC6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://82.156.239.188/%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txt8E
Source: S12.exe, 00000000.00000002.2719852664.0000000000CE9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://82.156.239.188/%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txt:&B
Source: S12.exe, 00000000.00000002.2719852664.0000000000CE9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://82.156.239.188/%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txt=
Source: S12.exe, 00000000.00000002.2719852664.0000000000C90000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://82.156.239.188/%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txtbP
Source: S12.exe, 00000000.00000002.2719852664.0000000000CE9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://82.156.239.188/%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txth
Source: S12.exe String found in binary or memory: http://82.156.239.188/%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txthttp://82.156.239.188/123.txt
Source: S12.exe, 00000000.00000002.2719852664.0000000000C90000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://82.156.239.188/%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txtmP
Source: S12.exe, 00000000.00000002.2719852664.0000000000CEE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://82.156.239.188/%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txtwsock.dll.mui1
Source: S12.exe, 00000000.00000002.2719852664.0000000000CE9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://82.156.239.188/%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txty
Source: S12.exe, 00000005.00000002.2719959118.0000000000AC6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://82.156.239.188/-E
Source: S12.exe String found in binary or memory: http://82.156.239.188/123.txt
Source: S12.exe, 00000000.00000002.2719852664.0000000000CEE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://82.156.239.188/123.txt-2476756634-1003N
Source: S12.exe, 00000000.00000002.2719852664.0000000000C90000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://82.156.239.188/123.txtpP
Source: S12.exe, 00000005.00000002.2719959118.0000000000AB5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://82.156.239.188/123.txtu
Source: S12.exe, 00000005.00000002.2719959118.0000000000AB5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://82.156.239.188/123.txtxt
Source: S12.exe, 00000000.00000002.2719852664.0000000000C90000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://82.156.239.188/123.txtxt1P
Source: S12.exe, 00000005.00000002.2719959118.0000000000AB5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://82.156.239.188/123.txtz
Source: S12.exe String found in binary or memory: http://ocsp.t
Source: S12.exe String found in binary or memory: http://sf.symc
Source: S12.exe String found in binary or memory: http://ts-ocsp.ws.s
Source: S12.exe String found in binary or memory: http://ts-ocsp.ws.symantec.
Source: S12.exe String found in binary or memory: http://www.eyuyan.com)DVarFileInfo$
Source: S12.exe String found in binary or memory: https://ww(w.v
Contains functionality to record screenshots
Source: C:\Users\user\Desktop\S12.exe Code function: 0_2_1001F2ED IsWindow,IsIconic,GetDCEx,GetDCEx,GetWindowInfo,GetWindowRect,CreateCompatibleDC,CreateDIBSection,SelectObject,CreateCompatibleDC,SelectObject,PrintWindow,BitBlt,BitBlt,BitBlt,SelectObject,GetDIBits, 0_2_1001F2ED
Installs a raw input device (often for capturing keystrokes)
Source: S12.exe, 00000000.00000003.1470628507.0000000002994000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: GetRawInputData memstr_a0b33def-1
Yara detected Keylogger Generic
Source: Yara match File source: Process Memory Space: S12.exe PID: 5624, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: S12.exe PID: 2700, type: MEMORYSTR
Contains functionality to call native functions
Source: C:\Users\user\Desktop\S12.exe Code function: 0_2_10007FDD NtClose, 0_2_10007FDD
Source: C:\Users\user\Desktop\S12.exe Code function: 0_2_1001419C ReleaseMutex,NtClose, 0_2_1001419C
Source: C:\Users\user\Desktop\S12.exe Code function: 0_2_1001221F NtClose, 0_2_1001221F
Source: C:\Users\user\Desktop\S12.exe Code function: 5_2_10007FDD NtClose, 5_2_10007FDD
Source: C:\Users\user\Desktop\S12.exe Code function: 5_2_1001419C ReleaseMutex,NtClose, 5_2_1001419C
Source: C:\Users\user\Desktop\S12.exe Code function: 5_2_1001221F NtClose, 5_2_1001221F
Detected potential crypto function
Source: C:\Users\user\Desktop\S12.exe Code function: 0_2_10002628 0_2_10002628
Source: C:\Users\user\Desktop\S12.exe Code function: 0_2_100032EA 0_2_100032EA
Source: C:\Users\user\Desktop\S12.exe Code function: 5_2_10002628 5_2_10002628
Source: C:\Users\user\Desktop\S12.exe Code function: 5_2_100032EA 5_2_100032EA
Enables driver privileges
Source: C:\Users\user\Desktop\S12.exe Process token adjusted: Load Driver Jump to behavior
Enables security privileges
Source: C:\Users\user\Desktop\S12.exe Process token adjusted: Security Jump to behavior
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\S12.exe Code function: String function: 10029640 appears 130 times
PE file contains executable resources (Code or Archives)
Source: 602d46.tmp.0.dr Static PE information: Resource name: RT_MESSAGETABLE type: PDP-11 separate I&D executable not stripped
Source: 60bae0.tmp.5.dr Static PE information: Resource name: RT_MESSAGETABLE type: PDP-11 separate I&D executable not stripped
PE file does not import any functions
Source: 602d46.tmp.0.dr Static PE information: No import functions for PE file found
Source: 60bae0.tmp.5.dr Static PE information: No import functions for PE file found
Sample file is different than original file name gathered from version info
Source: S12.exe, 00000000.00000003.1470628507.0000000002994000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameuser32j% vs S12.exe
Source: S12.exe, 00000000.00000002.2720833506.0000000002BEC000.00000040.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameuser32j% vs S12.exe
Source: S12.exe, 00000000.00000002.2721133599.0000000002E24000.00000040.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs S12.exe
Source: S12.exe, 00000000.00000003.1469901007.0000000002C6B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs S12.exe
Source: S12.exe, 00000005.00000002.2721522199.0000000002E67000.00000040.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameuser32j% vs S12.exe
Source: S12.exe, 00000005.00000002.2721298956.0000000002D2A000.00000040.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs S12.exe
Source: S12.exe, 00000005.00000003.1833009540.0000000002A49000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameuser32j% vs S12.exe
Source: S12.exe, 00000005.00000003.1832201461.0000000002B70000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs S12.exe
Uses 32bit PE files
Source: S12.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: QQWER.dll.0.dr Static PE information: Section: .rsrc ZLIB complexity 1.0002780183550337
Source: 602d46.tmp.0.dr Binary string: \Device\IPT[
Source: classification engine Classification label: mal76.evad.winEXE@2/12@0/1
Source: C:\Users\user\Desktop\S12.exe Code function: 0_2_0040E048 GetDiskFreeSpaceExA, 0_2_0040E048
Source: C:\Users\user\Desktop\S12.exe File created: C:\Users\user\Desktop\QQWER.dll Jump to behavior
Source: C:\Users\user\Desktop\S12.exe Mutant created: NULL
Source: C:\Users\user\Desktop\S12.exe File created: C:\Users\user\AppData\Local\Temp\602d46.tmp Jump to behavior
Source: S12.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\S12.exe File read: C:\Users\user\Desktop\ .ini Jump to behavior
Source: C:\Users\user\Desktop\S12.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\S12.exe "C:\Users\user\Desktop\S12.exe"
Source: unknown Process created: C:\Users\user\Desktop\S12.exe "C:\Users\user\Desktop\S12.exe"
Source: C:\Users\user\Desktop\S12.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\S12.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\Desktop\S12.exe Section loaded: rasapi32.dll Jump to behavior
Source: C:\Users\user\Desktop\S12.exe Section loaded: msimg32.dll Jump to behavior
Source: C:\Users\user\Desktop\S12.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\Desktop\S12.exe Section loaded: rasman.dll Jump to behavior
Source: C:\Users\user\Desktop\S12.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\S12.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\S12.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\S12.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\Desktop\S12.exe Section loaded: textinputframework.dll Jump to behavior
Source: C:\Users\user\Desktop\S12.exe Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\Users\user\Desktop\S12.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\user\Desktop\S12.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\user\Desktop\S12.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\S12.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\S12.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\S12.exe Section loaded: textshaping.dll Jump to behavior
Source: C:\Users\user\Desktop\S12.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\Desktop\S12.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\S12.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\S12.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\S12.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\S12.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\S12.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\Desktop\S12.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\Desktop\S12.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\S12.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\S12.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\S12.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\Desktop\S12.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\Desktop\S12.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\Desktop\S12.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\Desktop\S12.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\Desktop\S12.exe Section loaded: rasapi32.dll Jump to behavior
Source: C:\Users\user\Desktop\S12.exe Section loaded: msimg32.dll Jump to behavior
Source: C:\Users\user\Desktop\S12.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\Desktop\S12.exe Section loaded: rasman.dll Jump to behavior
Source: C:\Users\user\Desktop\S12.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\S12.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\S12.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\S12.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\Desktop\S12.exe Section loaded: textinputframework.dll Jump to behavior
Source: C:\Users\user\Desktop\S12.exe Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\Users\user\Desktop\S12.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\user\Desktop\S12.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\S12.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\S12.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\S12.exe Section loaded: textshaping.dll Jump to behavior
Source: C:\Users\user\Desktop\S12.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\Desktop\S12.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\S12.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\S12.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\S12.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\S12.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\S12.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\Desktop\S12.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\Desktop\S12.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\S12.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\S12.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\S12.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\Desktop\S12.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\Desktop\S12.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\Desktop\S12.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\Desktop\S12.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32 Jump to behavior
Source: C:\Users\user\Desktop\S12.exe File written: C:\Users\user\Desktop\ .ini Jump to behavior
Source: C:\Users\user\Desktop\S12.exe Window detected: Number of UI elements: 27
Source: S12.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: S12.exe Static file information: File size 4943872 > 1048576
Source: S12.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x13b000
Source: S12.exe Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x256000
Source: S12.exe Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x10d000
Source: Binary string: devco n.pdbo source: S12.exe
Source: Binary string: wntdll.pdbUGP source: S12.exe, 00000000.00000003.1469901007.0000000002B48000.00000004.00000020.00020000.00000000.sdmp, S12.exe, 00000000.00000002.2721133599.0000000002CF7000.00000040.00000020.00020000.00000000.sdmp, S12.exe, 00000005.00000002.2721298956.0000000002BFD000.00000040.00000020.00020000.00000000.sdmp, S12.exe, 00000005.00000003.1832201461.0000000002A4D000.00000004.00000020.00020000.00000000.sdmp, 60bae0.tmp.5.dr, 602d46.tmp.0.dr
Source: Binary string: wntdll.pdb source: S12.exe, 00000000.00000003.1469901007.0000000002B48000.00000004.00000020.00020000.00000000.sdmp, S12.exe, 00000000.00000002.2721133599.0000000002CF7000.00000040.00000020.00020000.00000000.sdmp, S12.exe, 00000005.00000002.2721298956.0000000002BFD000.00000040.00000020.00020000.00000000.sdmp, S12.exe, 00000005.00000003.1832201461.0000000002A4D000.00000004.00000020.00020000.00000000.sdmp, 60bae0.tmp.5.dr, 602d46.tmp.0.dr
Source: Binary string: DrvInDM U.pdbe source: S12.exe
Source: Binary string: wuser32.pdb source: S12.exe, 00000000.00000003.1470628507.0000000002994000.00000004.00000020.00020000.00000000.sdmp, S12.exe, 00000000.00000002.2720833506.0000000002B44000.00000040.00000020.00020000.00000000.sdmp, S12.exe, 00000005.00000002.2721522199.0000000002DBF000.00000040.00000020.00020000.00000000.sdmp, S12.exe, 00000005.00000003.1833009540.0000000002A49000.00000004.00000020.00020000.00000000.sdmp, 60bb2f.tmp.5.dr, 602da4.tmp.0.dr
Source: Binary string: devc@on.pdb source: S12.exe
Source: Binary string: wuser32.pdbUGP source: S12.exe, 00000000.00000003.1470628507.0000000002994000.00000004.00000020.00020000.00000000.sdmp, S12.exe, 00000000.00000002.2720833506.0000000002B44000.00000040.00000020.00020000.00000000.sdmp, S12.exe, 00000005.00000002.2721522199.0000000002DBF000.00000040.00000020.00020000.00000000.sdmp, S12.exe, 00000005.00000003.1833009540.0000000002A49000.00000004.00000020.00020000.00000000.sdmp, 60bb2f.tmp.5.dr, 602da4.tmp.0.dr

Data Obfuscation
barindex
Detected unpacking (creates a PE file in dynamic memory)
Source: C:\Users\user\Desktop\S12.exe Unpacked PE file: 0.2.S12.exe.10000000.2.unpack
Source: C:\Users\user\Desktop\S12.exe Unpacked PE file: 5.2.S12.exe.10000000.2.unpack
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\S12.exe Code function: 0_2_004AB900 GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,FreeLibrary,FreeLibrary, 0_2_004AB900
Entry point lies outside standard sections
Source: initial sample Static PE information: section where entry point is pointing to: .rsrc
PE file contains sections with non-standard names
Source: QQWER.dll.0.dr Static PE information: section name: .Upack
Source: 602d46.tmp.0.dr Static PE information: section name: RT
Source: 602d46.tmp.0.dr Static PE information: section name: .mrdata
Source: 602d46.tmp.0.dr Static PE information: section name: .00cfg
Source: 602da4.tmp.0.dr Static PE information: section name: .didat
Source: 60bae0.tmp.5.dr Static PE information: section name: RT
Source: 60bae0.tmp.5.dr Static PE information: section name: .mrdata
Source: 60bae0.tmp.5.dr Static PE information: section name: .00cfg
Source: 60bb2f.tmp.5.dr Static PE information: section name: .didat
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\S12.exe Code function: 0_2_0051AA60 push eax; ret 0_2_0051AA8E
Source: C:\Users\user\Desktop\S12.exe Code function: 0_2_0051CCD4 push eax; ret 0_2_0051CCF2
Source: C:\Users\user\Desktop\S12.exe Code function: 0_2_1002C7F8 push edi; ret 0_2_1002C7FC
Source: C:\Users\user\Desktop\S12.exe Code function: 5_2_0051AA60 push eax; ret 5_2_0051AA8E
Source: C:\Users\user\Desktop\S12.exe Code function: 5_2_0051CCD4 push eax; ret 5_2_0051CCF2
Source: C:\Users\user\Desktop\S12.exe Code function: 5_2_1002C7F8 push edi; ret 5_2_1002C7FC
Source: QQWER.dll.0.dr Static PE information: section name: .rsrc entropy: 7.999713933191419
Source: 602d46.tmp.0.dr Static PE information: section name: .text entropy: 6.844715065913507
Source: 60bae0.tmp.5.dr Static PE information: section name: .text entropy: 6.844715065913507
Drops PE files
Source: C:\Users\user\Desktop\S12.exe File created: C:\Users\user\Desktop\QQWER.dll Jump to dropped file
Source: C:\Users\user\Desktop\S12.exe File created: C:\Users\user\AppData\Local\Temp\60bb2f.tmp Jump to dropped file
Source: C:\Users\user\Desktop\S12.exe File created: C:\Users\user\AppData\Local\Temp\602d46.tmp Jump to dropped file
Source: C:\Users\user\Desktop\S12.exe File created: C:\Users\user\AppData\Local\Temp\60bae0.tmp Jump to dropped file
Source: C:\Users\user\Desktop\S12.exe File created: C:\Users\user\AppData\Local\Temp\602da4.tmp Jump to dropped file
Source: C:\Users\user\Desktop\S12.exe Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Jump to behavior
Source: C:\Users\user\Desktop\S12.exe Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Jump to behavior
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Source: C:\Users\user\Desktop\S12.exe Code function: 0_2_1001F2ED IsWindow,IsIconic,GetDCEx,GetDCEx,GetWindowInfo,GetWindowRect,CreateCompatibleDC,CreateDIBSection,SelectObject,CreateCompatibleDC,SelectObject,PrintWindow,BitBlt,BitBlt,BitBlt,SelectObject,GetDIBits, 0_2_1001F2ED
Source: C:\Users\user\Desktop\S12.exe Code function: 5_2_1001F2ED IsWindow,IsIconic,GetDCEx,GetDCEx,GetWindowInfo,GetWindowRect,CreateCompatibleDC,CreateDIBSection,SelectObject,CreateCompatibleDC,SelectObject,PrintWindow,BitBlt,BitBlt,BitBlt,SelectObject,GetDIBits, 5_2_1001F2ED
Source: C:\Users\user\Desktop\S12.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\S12.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\S12.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\S12.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\S12.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\S12.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\S12.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\S12.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\S12.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\S12.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion
barindex
Found evasive API chain (may stop execution after checking mutex)
Source: C:\Users\user\Desktop\S12.exe Evasive API call chain: CreateMutex,DecisionNodes,ExitProcess
Renames NTDLL to bypass HIPS
Source: C:\Users\user\Desktop\S12.exe File opened: C:\Windows\SysWOW64\ntdll.dll Jump to behavior
Source: C:\Users\user\Desktop\S12.exe File opened: C:\Windows\SysWOW64\ntdll.dll Jump to behavior
Source: C:\Users\user\Desktop\S12.exe File opened: C:\Windows\SysWOW64\ntdll.dll Jump to behavior
Source: C:\Users\user\Desktop\S12.exe File opened: C:\Windows\SysWOW64\ntdll.dll Jump to behavior
Found dropped PE file which has not been started or loaded
Source: C:\Users\user\Desktop\S12.exe Dropped PE file which has not been started: C:\Users\user\Desktop\QQWER.dll Jump to dropped file
Source: C:\Users\user\Desktop\S12.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\60bb2f.tmp Jump to dropped file
Source: C:\Users\user\Desktop\S12.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\60bae0.tmp Jump to dropped file
Source: C:\Users\user\Desktop\S12.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\602d46.tmp Jump to dropped file
Source: C:\Users\user\Desktop\S12.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\602da4.tmp Jump to dropped file
Source: C:\Users\user\Desktop\S12.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Users\user\Desktop\S12.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Users\user\Desktop\S12.exe Code function: 0_2_1000710E GetVersionExA,GetSystemInfo,RtlGetNtVersionNumbers, 0_2_1000710E
Source: S12.exe, 00000005.00000002.2719959118.0000000000A38000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW(&
Source: S12.exe, 00000000.00000002.2719852664.0000000000C68000.00000004.00000020.00020000.00000000.sdmp, S12.exe, 00000000.00000002.2719852664.0000000000D03000.00000004.00000020.00020000.00000000.sdmp, S12.exe, 00000005.00000002.2719959118.0000000000AEB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: S12.exe, 00000000.00000002.2719852664.0000000000D03000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW*
Source: C:\Users\user\Desktop\S12.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\S12.exe API call chain: ExitProcess graph end node
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\Desktop\S12.exe Code function: 0_2_10004B1B LdrInitializeThunk, 0_2_10004B1B
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\S12.exe Code function: 0_2_004AB900 GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,FreeLibrary,FreeLibrary, 0_2_004AB900
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\S12.exe Code function: 0_2_1001A4C7 mov eax, dword ptr fs:[00000030h] 0_2_1001A4C7
Source: C:\Users\user\Desktop\S12.exe Code function: 0_2_1000AE99 mov eax, dword ptr fs:[00000030h] 0_2_1000AE99
Source: C:\Users\user\Desktop\S12.exe Code function: 5_2_1001A4C7 mov eax, dword ptr fs:[00000030h] 5_2_1001A4C7
Source: C:\Users\user\Desktop\S12.exe Code function: 5_2_1000AE99 mov eax, dword ptr fs:[00000030h] 5_2_1000AE99
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\Desktop\S12.exe Code function: 0_2_10027BB0 GetProcessHeap,RtlAllocateHeap,MessageBoxA, 0_2_10027BB0
Enables debug privileges
Source: C:\Users\user\Desktop\S12.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\S12.exe Process token adjusted: Debug Jump to behavior
Source: S12.exe, 00000005.00000002.2719959118.0000000000A38000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: GetProgmanWindow@
Source: S12.exe Binary or memory string: Shell_TrayWnd
Source: S12.exe, 00000000.00000003.1470628507.0000000002994000.00000004.00000020.00020000.00000000.sdmp, S12.exe, 00000000.00000002.2719852664.0000000000C68000.00000004.00000020.00020000.00000000.sdmp, S12.exe, 00000000.00000002.2720833506.0000000002B44000.00000040.00000020.00020000.00000000.sdmp Binary or memory string: GetProgmanWindow
Source: S12.exe, 00000000.00000003.1470628507.0000000002994000.00000004.00000020.00020000.00000000.sdmp, S12.exe, 00000000.00000002.2719852664.0000000000C68000.00000004.00000020.00020000.00000000.sdmp, S12.exe, 00000000.00000002.2720833506.0000000002B44000.00000040.00000020.00020000.00000000.sdmp Binary or memory string: SetProgmanWindow
Source: S12.exe Binary or memory string: @TaskbarCreatedShell_TrayWndTrayNotifyWndSysPagerToolbarWindow3260
Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\Desktop\S12.exe Code function: 0_2_10019EDC cpuid 0_2_10019EDC
Source: C:\Users\user\Desktop\S12.exe Code function: 0_2_00536062 GetVersion,InitializeCriticalSection, 0_2_00536062
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1562140 Sample: S12.exe Startdate: 25/11/2024 Architecture: WINDOWS Score: 76 24 Multi AV Scanner detection for dropped file 2->24 26 Machine Learning detection for sample 2->26 28 Machine Learning detection for dropped file 2->28 30 AI detected suspicious sample 2->30 5 S12.exe 1 17 2->5         started        10 S12.exe 8 2->10         started        process3 dnsIp4 22 82.156.239.188, 49705, 49711, 80 ECLIPSEGB China 5->22 12 C:\Users\user\Desktop\QQWER.dll, PE32 5->12 dropped 14 C:\Users\user\AppData\Local\Temp\602da4.tmp, PE32 5->14 dropped 16 C:\Users\user\AppData\Local\Temp\602d46.tmp, PE32 5->16 dropped 32 Detected unpacking (creates a PE file in dynamic memory) 5->32 34 Found evasive API chain (may stop execution after checking mutex) 5->34 36 Renames NTDLL to bypass HIPS 5->36 18 C:\Users\user\AppData\Local\Temp\60bb2f.tmp, PE32 10->18 dropped 20 C:\Users\user\AppData\Local\Temp\60bae0.tmp, PE32 10->20 dropped file5 signatures6
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
82.156.239.188
 unknown China
12513 ECLIPSEGB false

Contacted URLs

Name Malicious Antivirus Detection Reputation
http://82.156.239.188/%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txt false
  • Avira URL Cloud: safe
 unknown
http://82.156.239.188/123.txt false
  • Avira URL Cloud: safe
 unknown