Analysis Report 4wyevtsyFK

Overview

General Information

Joe Sandbox Version: 28.0.0 Lapis Lazuli
Analysis ID: 217091
Start date: 22.03.2020
Start time: 15:59:12
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 8m 16s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: 4wyevtsyFK (renamed file extension from none to exe)
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit (version 1803) with Office 2016, Adobe Reader DC 19, Chrome 70, Firefox 63, Java 8.171, Flash 30.0.0.113
Number of analysed new started processes analysed: 12
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 2
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • AMSI enabled
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.rans.troj.spyw.evad.winEXE@11/8@9/3
EGA Information:
  • Successful, ratio: 100%
HDC Information:
  • Successful, ratio: 17.3% (good quality ratio 15.7%)
  • Quality average: 71.6%
  • Quality standard deviation: 29.8%
HCA Information: Failed
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
Warnings:
  • Exclude process from analysis (whitelisted): dllhost.exe, consent.exe, WMIADAP.exe, svchost.exe
  • Excluded IPs from analysis (whitelisted): 172.217.23.206, 23.5.102.128, 8.241.89.254, 8.241.79.126, 8.253.207.120, 8.241.78.126, 8.241.88.254, 93.184.221.240, 8.241.121.254, 8.241.78.254, 8.241.79.254, 8.241.123.254, 8.248.113.254, 8.253.95.249, 216.58.201.78
  • Excluded domains from analysis (whitelisted): docs.google.com, fs.microsoft.com, wu.ec.azureedge.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, wu.azureedge.net, audownload.windowsupdate.nsatc.net, cs11.wpc.v0cdn.net, hlb.apr-52dd2-0.edgecastdns.net, drive.google.com, auto.au.download.windowsupdate.com.c.footprint.net, prod.fs.microsoft.com.akadns.net, wu.wpc.apr-52dd2.edgecastdns.net
  • Report size getting too big, too many NtOpenKeyEx calls found.
  • Report size getting too big, too many NtProtectVirtualMemory calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.

Detection

Strategy: Threshold
Score: 100
Range: 0 - 100
Reporting Whitelisted: false
Threat: FormBook Lokibot
Detection: malicious

Confidence

Strategy: Threshold
Score: 5
Range: 0 - 5
Further Analysis Required?: false

Analysis Advice

Sample has a GUI, but Joe Sandbox has not found any clickable buttons, likely more UI automation may extend behavior
Uses HTTPS for network communication, use the 'Proxy HTTPS (port 443) to read its encrypted data' cookbook for further analysis



Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Execution through Module Load 1 | Registry Run Keys / Startup Folder 1 | Process Injection 512 | Masquerading 1 | Credential Dumping 1 | Virtualization/Sandbox Evasion 12 | Remote File Copy 1 | Email Collection 1 | Data Encrypted 1 | Standard Cryptographic Protocol 12 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Replication Through Removable Media | Graphical User Interface 1 | Port Monitors | Accessibility Features | Software Packing 1 | Network Sniffing | Process Discovery 2 | Remote Services | Man in the Browser 1 | Exfiltration Over Other Network Medium | Remote File Copy 1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
External Remote Services | Windows Management Instrumentation | Accessibility Features | Path Interception | Virtualization/Sandbox Evasion 12 | Input Capture | Security Software Discovery 121 | Windows Remote Management | Data from Local System 1 | Automated Exfiltration | Standard Non-Application Layer Protocol 2 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Drive-by Compromise | Scheduled Task | System Firmware | DLL Search Order Hijacking | Process Injection 512 | Credentials in Files | Remote System Discovery 1 | Logon Scripts | Input Capture | Data Encrypted | Standard Application Layer Protocol 3 | SIM Card Swap | | Premium SMS Toll Fraud
Exploit Public-Facing Application | Command-Line Interface | Shortcut Modification | File System Permissions Weakness | Deobfuscate/Decode Files or Information 1 | Account Manipulation | File and Directory Discovery 2 | Shared Webroot | Data Staged | Scheduled Transfer | Standard Cryptographic Protocol | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
Spearphishing Link | Graphical User Interface | Modify Existing Service | New Service | Obfuscated Files or Information 2 | Brute Force | System Information Discovery 12 | Third-party Software | Screen Capture | Data Transfer Size Limits | Commonly Used Port | Jamming or Denial of Service | | Abuse Accessibility Features

Signature Overview

AV Detection:

Multi AV Scanner detection for submitted file
Source: 4wyevtsyFK.exe, Virustotal: Detection: 66%
Source: 4wyevtsyFK.exe, Metadefender: Detection: 40%
Source: 4wyevtsyFK.exe, ReversingLabs: Detection: 77%
Yara detected FormBook
Source: Yara match, File source: 00000001.00000002.814678100.000000001F290000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000001.00000002.810878495.00000000000A0000.00000040.00000001.sdmp, type: MEMORY
Antivirus or Machine Learning detection for unpacked file
Source: 0.0.4wyevtsyFK.exe.400000.0.unpack, Avira: Label: TR/Dropper.VB.Gen
Source: 1.0.4wyevtsyFK.exe.400000.0.unpack, Avira: Label: TR/Dropper.VB.Gen
Source: 0.2.4wyevtsyFK.exe.400000.0.unpack, Avira: Label: TR/Dropper.VB.Gen
Source: 13.0.qjeduz6s0r.exe.400000.0.unpack, Avira: Label: TR/Dropper.VB.Gen

Networking:

HTTP GET or POST without a user agent
Source: global traffic, HTTP traffic detected: GET /w0k/?uda=PcDZAYiJMyi1sNPMwoDVqsoC1cthxoAbOhKng71B3qX+ijDUh+XAYLydGv6YiAGIrKQP&cb=tBgxlt0h7RGt78O HTTP/1.1 Host: www.kiheielectricbikes.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
IP address seen in connection with other malware
Source: Joe Sandbox View, IP Address: 172.217.23.225
Source: Joe Sandbox View, IP Address: 184.168.131.241
Internet Provider seen in connection with other malware
Source: Joe Sandbox View, ASN Name: unknown
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View, JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Downloads files from webservers via HTTP
Source: global traffic, HTTP traffic detected: GET /w0k/?uda=PcDZAYiJMyi1sNPMwoDVqsoC1cthxoAbOhKng71B3qX+ijDUh+XAYLydGv6YiAGIrKQP&cb=tBgxlt0h7RGt78O HTTP/1.1 Host: www.kiheielectricbikes.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Performs DNS lookups
Source: unknown, DNS traffic detected: queries for: doc-08-3c-docs.googleusercontent.com
URLs found in memory or binary data
Source: 4wyevtsyFK.exe, 00000001.00000003.766981937.000000000085A000.00000004.00000001.sdmp, String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: 4wyevtsyFK.exe, 00000001.00000003.767048705.0000000000836000.00000004.00000001.sdmp, String found in binary or memory: http://crl.pki.goog/GTS1O1.crl
Source: 4wyevtsyFK.exe, 00000001.00000003.766981937.000000000085A000.00000004.00000001.sdmp, String found in binary or memory: http://crl.pki.goog/GTS1O1.crl0
Source: 4wyevtsyFK.exe, 00000001.00000003.766981937.000000000085A000.00000004.00000001.sdmp, String found in binary or memory: http://crl.pki.goog/gsr2/gsr2.crl0?
Source: explorer.exe, 00000002.00000000.791723918.000000000A8D6000.00000002.00000001.sdmp, String found in binary or memory: http://fontfabrik.com
Source: 4wyevtsyFK.exe, 00000000.00000002.760942841.00000000022B0000.00000040.00000001.sdmp, 4wyevtsyFK.exe, 00000001.00000002.811061498.00000000004F0000.00000040.00000001.sdmp, String found in binary or memory: http://myurl/myfile.bin
Source: 4wyevtsyFK.exe, 00000000.00000002.760942841.00000000022B0000.00000040.00000001.sdmp, 4wyevtsyFK.exe, 00000001.00000002.811061498.00000000004F0000.00000040.00000001.sdmp, String found in binary or memory: http://myurl/myfile.bin9
Source: 4wyevtsyFK.exe, 00000001.00000003.766981937.000000000085A000.00000004.00000001.sdmp, String found in binary or memory: http://ocsp.pki.goog/g2
Source: 4wyevtsyFK.exe, 00000001.00000003.766981937.000000000085A000.00000004.00000001.sdmp, String found in binary or memory: http://ocsp.pki.goog/gsr202
Source: 4wyevtsyFK.exe, 00000001.00000003.766981937.000000000085A000.00000004.00000001.sdmp, String found in binary or memory: http://ocsp.pki.goog/gts1o10
Source: 4wyevtsyFK.exe, 00000001.00000003.766981937.000000000085A000.00000004.00000001.sdmp, String found in binary or memory: http://pki.goog/gsr2/)
Source: 4wyevtsyFK.exe, 00000001.00000003.766981937.000000000085A000.00000004.00000001.sdmp, String found in binary or memory: http://pki.goog/gsr2/GTS1O1.crt0
Source: 4wyevtsyFK.exe, 00000001.00000003.767048705.0000000000836000.00000004.00000001.sdmp, String found in binary or memory: http://pki.goog/gsr29
Source: explorer.exe, 00000002.00000000.791723918.000000000A8D6000.00000002.00000001.sdmp, String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000002.00000000.790116999.0000000007B92000.00000004.00000001.sdmp, String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: explorer.exe, 00000002.00000000.791723918.000000000A8D6000.00000002.00000001.sdmp, String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 00000002.00000000.791723918.000000000A8D6000.00000002.00000001.sdmp, String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 00000002.00000000.791723918.000000000A8D6000.00000002.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 00000002.00000000.791723918.000000000A8D6000.00000002.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 00000002.00000000.791723918.000000000A8D6000.00000002.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 00000002.00000000.791723918.000000000A8D6000.00000002.00000001.sdmp, String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 00000002.00000000.791723918.000000000A8D6000.00000002.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 00000002.00000000.791723918.000000000A8D6000.00000002.00000001.sdmp, String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 00000002.00000000.791723918.000000000A8D6000.00000002.00000001.sdmp, String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 00000002.00000000.791723918.000000000A8D6000.00000002.00000001.sdmp, String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000002.00000000.791723918.000000000A8D6000.00000002.00000001.sdmp, String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 00000002.00000000.791723918.000000000A8D6000.00000002.00000001.sdmp, String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 00000002.00000000.791723918.000000000A8D6000.00000002.00000001.sdmp, String found in binary or memory: http://www.zhongyicts.com.cn
Source: 4wyevtsyFK.exe, 00000001.00000003.766751863.000000000080C000.00000004.00000001.sdmp, String found in binary or memory: https://csp.withgoogle.com/csp/drive-explorer/
Source: 4wyevtsyFK.exe, 00000001.00000003.766751863.000000000080C000.00000004.00000001.sdmp, String found in binary or memory: https://doc-08-3c-docs.googleusercontent.com/docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/4sflut51
Source: 4wyevtsyFK.exe, 00000001.00000003.767048705.0000000000836000.00000004.00000001.sdmp, String found in binary or memory: https://drive.google.com/uc?
Source: 4wyevtsyFK.exe, 00000001.00000003.766751863.000000000080C000.00000004.00000001.sdmp, String found in binary or memory: https://drive.google.com/uc?export=download&id=1vljQdfYJV76IqjLYwk74NUvaJpYBamtE
Source: 4wyevtsyFK.exe, 00000001.00000003.766751863.000000000080C000.00000004.00000001.sdmp, String found in binary or memory: https://drive.google.com/uc?export=download&id=1vljQdfYJV76IqjLYwk74NUvaJpYBamtEa=C
Source: 4wyevtsyFK.exe, 00000001.00000003.766981937.000000000085A000.00000004.00000001.sdmp, String found in binary or memory: https://pki.goog/repository/0
Uses HTTPS
Source: unknown, Network traffic detected: HTTP traffic on port 49757 -> 443
Source: unknown, Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown, Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown, Network traffic detected: HTTP traffic on port 49754 -> 443
Source: unknown, Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown, Network traffic detected: HTTP traffic on port 443 -> 49757

E-Banking Fraud:

Yara detected FormBook
Source: Yara match, File source: 00000001.00000002.814678100.000000001F290000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000001.00000002.810878495.00000000000A0000.00000040.00000001.sdmp, type: MEMORY

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000001.00000002.814678100.000000001F290000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.814678100.000000001F290000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.810878495.00000000000A0000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.810878495.00000000000A0000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Potential malicious icon found
Source: initial sample, Icon embedded in PE file: bad icon match: 20047c7c70f0e004
Abnormal high CPU Usage
Source: C:\Windows\SysWOW64\wscript.exe, Process Stats: CPU usage > 98%
Contains functionality to call native functions
Source: C:\Users\user\Desktop\4wyevtsyFK.exe, Code function: 0_2_022B0EBE NtWriteVirtualMemory
Source: C:\Users\user\Desktop\4wyevtsyFK.exe, Code function: 0_2_022B2697 NtProtectVirtualMemory
Source: C:\Users\user\Desktop\4wyevtsyFK.exe, Code function: 0_2_022B2AEF NtResumeThread
Source: C:\Users\user\Desktop\4wyevtsyFK.exe, Code function: 1_2_1F51A750 NtCreateFile, LdrInitializeThunk
Source: C:\Users\user\Desktop\4wyevtsyFK.exe, Code function: 1_2_1F51A700 NtProtectVirtualMemory, LdrInitializeThunk
Source: C:\Users\user\Desktop\4wyevtsyFK.exe, Code function: 1_2_1F51A720 NtResumeThread, LdrInitializeThunk
Source: C:\Users\user\Desktop\4wyevtsyFK.exe, Code function: 1_2_1F51A610 NtAdjustPrivilegesToken, LdrInitializeThunk
Source: C:\Users\user\Desktop\4wyevtsyFK.exe, Code function: 1_2_1F51A6A0 NtCreateSection, LdrInitializeThunk
Source: C:\Users\user\Desktop\4wyevtsyFK.exe, Code function: 1_2_1F51A540 NtDelayExecution, LdrInitializeThunk
Source: C:\Users\user\Desktop\4wyevtsyFK.exe, Code function: 1_2_1F51A560 NtQuerySystemInformation, LdrInitializeThunk
Source: C:\Users\user\Desktop\4wyevtsyFK.exe, Code function: 1_2_1F51A5F0 NtReadVirtualMemory, LdrInitializeThunk
Source: C:\Users\user\Desktop\4wyevtsyFK.exe, Code function: 1_2_1F51A410 NtQueryInformationToken, LdrInitializeThunk
Source: C:\Users\user\Desktop\4wyevtsyFK.exe, Code function: 1_2_1F51A480 NtMapViewOfSection, LdrInitializeThunk
Source: C:\Users\user\Desktop\4wyevtsyFK.exe, Code function: 1_2_1F51A4A0 NtUnmapViewOfSection, LdrInitializeThunk
Source: C:\Users\user\Desktop\4wyevtsyFK.exe, Code function: 1_2_1F51A360 NtAllocateVirtualMemory, LdrInitializeThunk
Source: C:\Users\user\Desktop\4wyevtsyFK.exe, Code function: 1_2_1F51A3E0 NtFreeVirtualMemory, LdrInitializeThunk
Source: C:\Users\user\Desktop\4wyevtsyFK.exe, Code function: 1_2_1F51A240 NtReadFile, LdrInitializeThunk
Source: C:\Users\user\Desktop\4wyevtsyFK.exe, Code function: 1_2_1F51A2D0 NtClose, LdrInitializeThunk
Source: C:\Users\user\Desktop\4wyevtsyFK.exe, Code function: 1_2_1F51A710 NtQuerySection
Source: C:\Users\user\Desktop\4wyevtsyFK.exe, Code function: 1_2_1F51A780 NtOpenDirectoryObject
Source: C:\Users\user\Desktop\4wyevtsyFK.exe, Code function: 1_2_1F51A650 NtQueueApcThread
Source: C:\Users\user\Desktop\4wyevtsyFK.exe, Code function: 1_2_1F51A6D0 NtCreateProcessEx
Source: C:\Users\user\Desktop\4wyevtsyFK.exe, Code function: 1_2_1F51BD40 NtSuspendThread
Source: C:\Users\user\Desktop\4wyevtsyFK.exe, Code function: 1_2_1F51A520 NtEnumerateKey
Source: C:\Users\user\Desktop\4wyevtsyFK.exe, Code function: 1_2_1F51A5A0 NtWriteVirtualMemory
Source: C:\Users\user\Desktop\4wyevtsyFK.exe, Code function: 1_2_1F51B470 NtOpenThread
Source: C:\Users\user\Desktop\4wyevtsyFK.exe, Code function: 1_2_1F51A470 NtSetInformationFile
Source: C:\Users\user\Desktop\4wyevtsyFK.exe, Code function: 1_2_1F51A460 NtOpenProcess
Source: C:\Users\user\Desktop\4wyevtsyFK.exe, Code function: 1_2_1F51B410 NtOpenProcessToken
Source: C:\Users\user\Desktop\4wyevtsyFK.exe, Code function: 1_2_1F51A430 NtQueryVirtualMemory
Source: C:\Users\user\Desktop\4wyevtsyFK.exe, Code function: 1_2_1F51ACE0 NtCreateMutant
Source: C:\Users\user\Desktop\4wyevtsyFK.exe, Code function: 1_2_1F51A350 NtQueryValueKey
Source: C:\Users\user\Desktop\4wyevtsyFK.exe, Code function: 1_2_1F51A370 NtQueryInformationProcess
Source: C:\Users\user\Desktop\4wyevtsyFK.exe, Code function: 1_2_1F51A310 NtEnumerateValueKey
Source: C:\Users\user\Desktop\4wyevtsyFK.exe, Code function: 1_2_1F51A3D0 NtCreateKey
Source: C:\Users\user\Desktop\4wyevtsyFK.exe, Code function: 1_2_1F51A260 NtWriteFile
Source: C:\Users\user\Desktop\4wyevtsyFK.exe, Code function: 1_2_1F51BA30 NtSetContextThread
Source: C:\Users\user\Desktop\4wyevtsyFK.exe, Code function: 1_2_1F51A220 NtWaitForSingleObject
Source: C:\Users\user\Desktop\4wyevtsyFK.exe, Code function: 1_2_1F51A2F0 NtQueryInformationFile
Source: C:\Users\user\Desktop\4wyevtsyFK.exe, Code function: 1_2_1F51A800 NtSetValueKey
Source: C:\Users\user\Desktop\4wyevtsyFK.exe, Code function: 1_2_1F51B0B0 NtGetContextThread
Source: C:\Users\user\Desktop\4wyevtsyFK.exe, Code function: 1_2_004F12DE Sleep, NtProtectVirtualMemory
Source: C:\Users\user\Desktop\4wyevtsyFK.exe, Code function: 1_2_004F2AEF NtSetInformationThread
Source: C:\Users\user\Desktop\4wyevtsyFK.exe, Code function: 1_2_004F0BE7 CreateThread, TerminateThread, LdrInitializeThunk, NtProtectVirtualMemory
Source: C:\Users\user\Desktop\4wyevtsyFK.exe, Code function: 1_2_004F0C11 RtlAddVectoredExceptionHandler, NtProtectVirtualMemory, LdrInitializeThunk, NtProtectVirtualMemory
Source: C:\Users\user\Desktop\4wyevtsyFK.exe, Code function: 1_2_004F2697 NtProtectVirtualMemory
Source: C:\Users\user\Desktop\4wyevtsyFK.exe, Code function: 1_2_004F1304 NtProtectVirtualMemory, LdrInitializeThunk, NtProtectVirtualMemory
Source: C:\Users\user\Desktop\4wyevtsyFK.exe, Code function: 1_2_004F143F LdrInitializeThunk, NtProtectVirtualMemory
Detected potential crypto function
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\4wyevtsyFK.exe, Code function: String function: 1F4DB0E0 appears 176 times
Source: C:\Users\user\Desktop\4wyevtsyFK.exe, Code function: String function: 1F565110 appears 38 times
Source: C:\Users\user\Desktop\4wyevtsyFK.exe, Code function: String function: 1F52DDE8 appears 44 times
PE file contains strange resources
Source: 4wyevtsyFK.exe, Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Sample file is different than original file name gathered from version info
Source: 4wyevtsyFK.exe, 00000000.00000002.760872956.0000000002160000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenameSammen4.exeFE2XuBISOFT vs 4wyevtsyFK.exe
Source: 4wyevtsyFK.exe, 00000000.00000000.733276747.000000000040C000.00000002.00020000.sdmp, Binary or memory string: OriginalFilenameSammen4.exe vs 4wyevtsyFK.exe
Source: 4wyevtsyFK.exe, 00000000.00000002.760901124.0000000002270000.00000002.00000001.sdmp, Binary or memory string: OriginalFilenameuser32j% vs 4wyevtsyFK.exe
Source: 4wyevtsyFK.exe, 00000001.00000002.815659831.000000001F5CF000.00000040.00000001.sdmp, Binary or memory string: OriginalFilenamentdll.dllj% vs 4wyevtsyFK.exe
Source: 4wyevtsyFK.exe, 00000001.00000002.810956060.00000000000D0000.00000040.00000001.sdmp, Binary or memory string: OriginalFilenamewscript.exe` vs 4wyevtsyFK.exe
Source: 4wyevtsyFK.exe, 00000001.00000002.814588986.000000001EEF0000.00000002.00000001.sdmp, Binary or memory string: OriginalFilenameCRYPT32.DLL.MUIj% vs 4wyevtsyFK.exe
Source: 4wyevtsyFK.exe, 00000001.00000002.814558350.000000001EDA0000.00000002.00000001.sdmp, Binary or memory string: OriginalFilenamemswsock.dll.muij% vs 4wyevtsyFK.exe
Source: 4wyevtsyFK.exe, 00000001.00000000.759930905.000000000040C000.00000002.00020000.sdmp, Binary or memory string: OriginalFilenameSammen4.exe vs 4wyevtsyFK.exe
Source: 4wyevtsyFK.exe, Binary or memory string: OriginalFilenameSammen4.exe vs 4wyevtsyFK.exe
Searches the installation path of Mozilla Firefox
Source: C:\Windows\SysWOW64\wscript.exe, Registry key queried: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Mozilla\Mozilla Firefox\63.0.3 (x86 en-US)\Main Install Directory
Yara signature match
Source: 00000001.00000002.814678100.000000001F290000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.814678100.000000001F290000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.810878495.00000000000A0000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.810878495.00000000000A0000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Classification label
Source: classification engine, Classification label: mal100.rans.troj.spyw.evad.winEXE@11/8@9/3
Creates files inside the user directory
Source: C:\Windows\SysWOW64\wscript.exe, File created: C:\Users\user\AppData\Roaming\O2116906
Creates mutexes
Source: C:\Windows\System32\conhost.exe, Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3392:120:WilError_01
Source: C:\Windows\System32\conhost.exe, Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:552:120:WilError_01
Creates temporary files
Source: C:\Windows\explorer.exe, File created: C:\Users\user\AppData\Local\Temp\Pffbxn4x
PE file has an executable .text section and no other executable section
Source: 4wyevtsyFK.exe, Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Parts of this application are using VB runtime library 6.0 (probably coded in Visual Basic)
Source: C:\Users\user\Desktop\4wyevtsyFK.exe, Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Reads ini files
Source: C:\Windows\explorer.exe, File read: C:\Users\desktop.ini
Reads software policies
Source: C:\Users\user\Desktop\4wyevtsyFK.exe, Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Reads the hosts file
Source: C:\Users\user\Desktop\4wyevtsyFK.exe, File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\explorer.exe, File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\wscript.exe, File read: C:\Windows\System32\drivers\etc\hosts
Sample is known by Antivirus
Source: 4wyevtsyFK.exe, Virustotal: Detection: 66%
Source: 4wyevtsyFK.exe, Metadefender: Detection: 40%
Source: 4wyevtsyFK.exe, ReversingLabs: Detection: 77%
Spawns processes
Source: unknown, Process created: C:\Users\user\Desktop\4wyevtsyFK.exe 'C:\Users\user\Desktop\4wyevtsyFK.exe'
Source: unknown, Process created: C:\Users\user\Desktop\4wyevtsyFK.exe 'C:\Users\user\Desktop\4wyevtsyFK.exe'
Source: unknown, Process created: C:\Windows\SysWOW64\wscript.exe C:\Windows\SysWOW64\wscript.exe
Source: unknown, Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\4wyevtsyFK.exe'
Source: unknown, Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown, Process created: C:\Windows\SysWOW64\cmd.exe /c copy 'C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data' 'C:\Users\user\AppData\Local\Temp\DB1' /V
Source: unknown, Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown, Process created: C:\Program Files (x86)\Pffbxn4x\qjeduz6s0r.exe C:\Program Files (x86)\Pffbxn4x\qjeduz6s0r.exe
Source: C:\Users\user\Desktop\4wyevtsyFK.exe, Process created: C:\Users\user\Desktop\4wyevtsyFK.exe 'C:\Users\user\Desktop\4wyevtsyFK.exe'
Source: C:\Windows\SysWOW64\wscript.exe, Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\4wyevtsyFK.exe'
Source: C:\Windows\SysWOW64\wscript.exe, Process created: C:\Windows\SysWOW64\cmd.exe /c copy 'C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data' 'C:\Users\user\AppData\Local\Temp\DB1' /V
Uses an in-process (OLE) Automation server
Source: C:\Windows\explorer.exe, Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6db7cd52-e3b7-4ecc-bb1f-388aeef6bb50}\InProcServer32
Writes ini files
Source: C:\Windows\SysWOW64\wscript.exe, File written: C:\Users\user\AppData\Roaming\O2116906\O21logri.ini
Found graphical window changes (likely an installer)
Source: Window Recorder, Window detected: More than 3 window changes detected
Checks if Microsoft Office is installed
Source: C:\Windows\SysWOW64\wscript.exe, Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
Binary contains paths to debug symbols
Source: Binary string: wscript.pdbGCTL source: 4wyevtsyFK.exe, 00000001.00000002.810956060.00000000000D0000.00000040.00000001.sdmp
Source: Binary string: wscui.pdbUGP source: explorer.exe, 00000002.00000000.787010644.0000000007010000.00000002.00000001.sdmp
Source: Binary string: wntdll.pdbUGP source: 4wyevtsyFK.exe, 00000001.00000002.815659831.000000001F5CF000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: 4wyevtsyFK.exe
Source: Binary string: wscript.pdb source: 4wyevtsyFK.exe, 00000001.00000002.810956060.00000000000D0000.00000040.00000001.sdmp
Source: Binary string: wscui.pdb source: explorer.exe, 00000002.00000000.787010644.0000000007010000.00000002.00000001.sdmp

Data Obfuscation:

Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\4wyevtsyFK.exe, Code function: 0_2_00402C75 push esp; iretd 0_2_00402C79
Source: C:\Users\user\Desktop\4wyevtsyFK.exe, Code function: 0_2_00401408 push 004022E7h; ret 0_2_00401412
Source: C:\Users\user\Desktop\4wyevtsyFK.exe, Code function: 0_2_004050A3 push ss; iretd 0_2_004050AB
Source: C:\Users\user\Desktop\4wyevtsyFK.exe, Code function: 0_2_00404FA3 push ss; iretd 0_2_00404FAB
Source: C:\Users\user\Desktop\4wyevtsyFK.exe, Code function: 1_2_1F52DE2D push ecx; ret 1_2_1F52DE40

Boot Survival:

Creates an autostart registry key
Source: C:\Windows\SysWOW64\wscript.exe, Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run JX4HBX

Hooking and other Techniques for Hiding and Protection:

Disables application error messages (SetErrorMode)
Source: C:\Users\user\Desktop\4wyevtsyFK.exe, Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe, Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe, Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Tries to detect virtualization through RDTSC time measurements
Source: C:\Windows\SysWOW64\wscript.exe, RDTSC instruction interceptor: First address: 0000000002D67244 second address: 0000000002D6724A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\wscript.exe, RDTSC instruction interceptor: First address: 0000000002D674AE second address: 0000000002D674B4 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\4wyevtsyFK.exe, Code function: 0_2_00406A98 rdtsc 0_2_00406A98
Found large amount of non-executed APIs
Source: C:\Users\user\Desktop\4wyevtsyFK.exe, API coverage: 4.5 %
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\4wyevtsyFK.exe TID: 3048, Thread sleep count: 185 > 30
Source: C:\Windows\explorer.exe TID: 4280, Thread sleep time: -56000s >= -30000s
Source: C:\Windows\SysWOW64\wscript.exe TID: 4668, Thread sleep time: -40000s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe, Last function: Thread delayed
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)
Source: explorer.exe, 00000002.00000000.788461950.0000000007340000.00000002.00000001.sdmp, Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: 4wyevtsyFK.exe, 00000001.00000003.766751863.000000000080C000.00000004.00000001.sdmp, Binary or memory string: Hyper-V RAW
Source: explorer.exe, 00000002.00000000.788461950.0000000007340000.00000002.00000001.sdmp, Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: explorer.exe, 00000002.00000000.788461950.0000000007340000.00000002.00000001.sdmp, Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: explorer.exe, 00000002.00000000.788461950.0000000007340000.00000002.00000001.sdmp, Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Queries a list of all running processes
Source: C:\Users\user\Desktop\4wyevtsyFK.exe, Process information queried: ProcessInformation

Anti Debugging:

Hides threads from debuggers
Source: C:\Users\user\Desktop\4wyevtsyFK.exe, Thread information set: HideFromDebugger
Checks if the current process is being debugged
Source: C:\Users\user\Desktop\4wyevtsyFK.exe, Process queried: DebugPort
Source: C:\Windows\SysWOW64\wscript.exe, Process queried: DebugPort
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\4wyevtsyFK.exe, Code function: 0_2_00406A98 rdtsc 0_2_00406A98
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\Desktop\4wyevtsyFK.exe, Code function: 0_2_022B18A0 LdrInitializeThunk, 0_2_022B18A0
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\4wyevtsyFK.exeCode function: 1_2_1F5A85EA mov eax, dword ptr fs:[00000030h]1_2_1F5A85EA
Source: C:\Users\user\Desktop\4wyevtsyFK.exeCode function: 1_2_1F581DE3 mov ecx, dword ptr fs:[00000030h]1_2_1F581DE3
Source: C:\Users\user\Desktop\4wyevtsyFK.exeCode function: 1_2_1F581DE3 mov ecx, dword ptr fs:[00000030h]1_2_1F581DE3
Source: C:\Users\user\Desktop\4wyevtsyFK.exeCode function: 1_2_1F581DE3 mov eax, dword ptr fs:[00000030h]1_2_1F581DE3
Source: C:\Users\user\Desktop\4wyevtsyFK.exeCode function: 1_2_1F5A5595 mov eax, dword ptr fs:[00000030h]1_2_1F5A5595
Source: C:\Users\user\Desktop\4wyevtsyFK.exeCode function: 1_2_1F4F1D9D mov eax, dword ptr fs:[00000030h]1_2_1F4F1D9D
Source: C:\Users\user\Desktop\4wyevtsyFK.exeCode function: 1_2_1F4F1D9D mov eax, dword ptr fs:[00000030h]1_2_1F4F1D9D
Source: C:\Users\user\Desktop\4wyevtsyFK.exeCode function: 1_2_1F4F1D9D mov eax, dword ptr fs:[00000030h]1_2_1F4F1D9D
Source: C:\Users\user\Desktop\4wyevtsyFK.exeCode function: 1_2_1F4F1D9D mov eax, dword ptr fs:[00000030h]1_2_1F4F1D9D
Source: C:\Users\user\Desktop\4wyevtsyFK.exeCode function: 1_2_1F4F1D9D mov eax, dword ptr fs:[00000030h]1_2_1F4F1D9D
Source: C:\Users\user\Desktop\4wyevtsyFK.exeCode function: 1_2_1F5A8589 mov eax, dword ptr fs:[00000030h]1_2_1F5A8589
Source: C:\Users\user\Desktop\4wyevtsyFK.exeCode function: 1_2_1F590D8A mov eax, dword ptr fs:[00000030h]1_2_1F590D8A
Source: C:\Users\user\Desktop\4wyevtsyFK.exeCode function: 1_2_1F500584 mov eax, dword ptr fs:[00000030h]1_2_1F500584
Source: C:\Users\user\Desktop\4wyevtsyFK.exeCode function: 1_2_1F59E581 mov eax, dword ptr fs:[00000030h]1_2_1F59E581
Source: C:\Users\user\Desktop\4wyevtsyFK.exeCode function: 1_2_1F57E58A mov ecx, dword ptr fs:[00000030h]1_2_1F57E58A
Source: C:\Users\user\Desktop\4wyevtsyFK.exeCode function: 1_2_1F57E58A mov eax, dword ptr fs:[00000030h]1_2_1F57E58A
Source: C:\Users\user\Desktop\4wyevtsyFK.exeCode function: 1_2_1F57E58A mov eax, dword ptr fs:[00000030h]1_2_1F57E58A
Source: C:\Users\user\Desktop\4wyevtsyFK.exeCode function: 1_2_1F57E58A mov eax, dword ptr fs:[00000030h]1_2_1F57E58A
Source: C:\Users\user\Desktop\4wyevtsyFK.exeCode function: 1_2_1F4FF591 mov eax, dword ptr fs:[00000030h]1_2_1F4FF591
Source: C:\Users\user\Desktop\4wyevtsyFK.exeCode function: 1_2_1F4FF591 mov eax, dword ptr fs:[00000030h]1_2_1F4FF591
Source: C:\Users\user\Desktop\4wyevtsyFK.exeCode function: 1_2_1F4FF591 mov eax, dword ptr fs:[00000030h]1_2_1F4FF591
Source: C:\Users\user\Desktop\4wyevtsyFK.exeCode function: 1_2_1F4D2DAA mov eax, dword ptr fs:[00000030h]1_2_1F4D2DAA
Source: C:\Users\user\Desktop\4wyevtsyFK.exeCode function: 1_2_1F4D2DAA mov eax, dword ptr fs:[00000030h]1_2_1F4D2DAA
Source: C:\Users\user\Desktop\4wyevtsyFK.exeCode function: 1_2_1F4D2DAA mov eax, dword ptr fs:[00000030h]1_2_1F4D2DAA
Source: C:\Users\user\Desktop\4wyevtsyFK.exeCode function: 1_2_1F4D2DAA mov eax, dword ptr fs:[00000030h]1_2_1F4D2DAA
Source: C:\Users\user\Desktop\4wyevtsyFK.exeCode function: 1_2_1F4D2DAA mov eax, dword ptr fs:[00000030h]1_2_1F4D2DAA
Source: C:\Users\user\Desktop\4wyevtsyFK.exeCode function: 1_2_1F5915A8 mov eax, dword ptr fs:[00000030h]1_2_1F5915A8
Source: C:\Users\user\Desktop\4wyevtsyFK.exeCode function: 1_2_1F4D35B1 mov eax, dword ptr fs:[00000030h]1_2_1F4D35B1
Source: C:\Users\user\Desktop\4wyevtsyFK.exeCode function: 1_2_1F519DAF mov eax, dword ptr fs:[00000030h]1_2_1F519DAF
Source: C:\Users\user\Desktop\4wyevtsyFK.exeCode function: 1_2_1F59145F mov eax, dword ptr fs:[00000030h]1_2_1F59145F
Source: C:\Users\user\Desktop\4wyevtsyFK.exeCode function: 1_2_1F5A8452 mov eax, dword ptr fs:[00000030h]1_2_1F5A8452
Source: C:\Users\user\Desktop\4wyevtsyFK.exeCode function: 1_2_1F59E455 mov eax, dword ptr fs:[00000030h]1_2_1F59E455
Source: C:\Users\user\Desktop\4wyevtsyFK.exeCode function: 1_2_1F50245F mov eax, dword ptr fs:[00000030h]1_2_1F50245F
Source: C:\Users\user\Desktop\4wyevtsyFK.exeCode function: 1_2_1F50245F mov eax, dword ptr fs:[00000030h]1_2_1F50245F
Source: C:\Users\user\Desktop\4wyevtsyFK.exeCode function: 1_2_1F50245F mov eax, dword ptr fs:[00000030h]1_2_1F50245F
Source: C:\Users\user\Desktop\4wyevtsyFK.exeCode function: 1_2_1F50245F mov eax, dword ptr fs:[00000030h]1_2_1F50245F
Source: C:\Users\user\Desktop\4wyevtsyFK.exeCode function: 1_2_1F50245F mov eax, dword ptr fs:[00000030h]1_2_1F50245F
Source: C:\Users\user\Desktop\4wyevtsyFK.exeCode function: 1_2_1F50245F mov eax, dword ptr fs:[00000030h]1_2_1F50245F
Source: C:\Users\user\Desktop\4wyevtsyFK.exeCode function: 1_2_1F50245F mov eax, dword ptr fs:[00000030h]1_2_1F50245F
Source: C:\Users\user\Desktop\4wyevtsyFK.exeCode function: 1_2_1F50245F mov eax, dword ptr fs:[00000030h]1_2_1F50245F
Source: C:\Users\user\Desktop\4wyevtsyFK.exeCode function: 1_2_1F50245F mov eax, dword ptr fs:[00000030h]1_2_1F50245F
Source: C:\Users\user\Desktop\4wyevtsyFK.exeCode function: 1_2_1F563C47 mov eax, dword ptr fs:[00000030h]1_2_1F563C47
Source: C:\Users\user\Desktop\4wyevtsyFK.exeCode function: 1_2_1F50547E mov eax, dword ptr fs:[00000030h]1_2_1F50547E
Source: C:\Users\user\Desktop\4wyevtsyFK.exeCode function: 1_2_1F50547E mov eax, dword ptr fs:[00000030h]1_2_1F50547E
Source: C:\Users\user\Desktop\4wyevtsyFK.exeCode function: 1_2_1F50547E mov eax, dword ptr fs:[00000030h]1_2_1F50547E
Source: C:\Users\user\Desktop\4wyevtsyFK.exeCode function: 1_2_1F50547E mov eax, dword ptr fs:[00000030h]1_2_1F50547E
Source: C:\Users\user\Desktop\4wyevtsyFK.exeCode function: 1_2_1F50547E mov eax, dword ptr fs:[00000030h]1_2_1F50547E
Source: C:\Users\user\Desktop\4wyevtsyFK.exeCode function: 1_2_1F50547E mov eax, dword ptr fs:[00000030h]1_2_1F50547E
Source: C:\Users\user\Desktop\4wyevtsyFK.exeCode function: 1_2_1F50547E mov eax, dword ptr fs:[00000030h]1_2_1F50547E
Source: C:\Users\user\Desktop\4wyevtsyFK.exeCode function: 1_2_1F50547E mov eax, dword ptr fs:[00000030h]1_2_1F50547E
Source: C:\Users\user\Desktop\4wyevtsyFK.exeCode function: 1_2_1F50547E mov eax, dword ptr fs:[00000030h]1_2_1F50547E
Source: C:\Users\user\Desktop\4wyevtsyFK.exeCode function: 1_2_1F50547E mov eax, dword ptr fs:[00000030h]1_2_1F50547E
Source: C:\Users\user\Desktop\4wyevtsyFK.exeCode function: 1_2_1F50547E mov eax, dword ptr fs:[00000030h]1_2_1F50547E
Source: C:\Users\user\Desktop\4wyevtsyFK.exeCode function: 1_2_1F50547E mov eax, dword ptr fs:[00000030h]1_2_1F50547E
Source: C:\Users\user\Desktop\4wyevtsyFK.exeCode function: 1_2_1F4F7C7D mov eax, dword ptr fs:[00000030h]1_2_1F4F7C7D
Source: C:\Users\user\Desktop\4wyevtsyFK.exeCode function: 1_2_1F55E460 mov eax, dword ptr fs:[00000030h]1_2_1F55E460
Source: C:\Users\user\Desktop\4wyevtsyFK.exeCode function: 1_2_1F58AC60 mov eax, dword ptr fs:[00000030h]1_2_1F58AC60
Source: C:\Users\user\Desktop\4wyevtsyFK.exeCode function: 1_2_1F58AC60 mov eax, dword ptr fs:[00000030h]1_2_1F58AC60
Source: C:\Users\user\Desktop\4wyevtsyFK.exeCode function: 1_2_1F4EEC77 mov eax, dword ptr fs:[00000030h]1_2_1F4EEC77
Source: C:\Users\user\Desktop\4wyevtsyFK.exeCode function: 1_2_1F4EEC77 mov eax, dword ptr fs:[00000030h]1_2_1F4EEC77
Source: C:\Users\user\Desktop\4wyevtsyFK.exeCode function: 1_2_1F4EEC77 mov eax, dword ptr fs:[00000030h]1_2_1F4EEC77
Source: C:\Users\user\Desktop\4wyevtsyFK.exeCode function: 1_2_1F4EEC77 mov eax, dword ptr fs:[00000030h]1_2_1F4EEC77
Source: C:\Users\user\Desktop\4wyevtsyFK.exeCode function: 1_2_1F4D1C09 mov eax, dword ptr fs:[00000030h]1_2_1F4D1C09
Source: C:\Users\user\Desktop\4wyevtsyFK.exeCode function: 1_2_1F50341B mov eax, dword ptr fs:[00000030h]1_2_1F50341B
Source: C:\Users\user\Desktop\4wyevtsyFK.exeCode function: 1_2_1F50341B mov eax, dword ptr fs:[00000030h]1_2_1F50341B
Source: C:\Users\user\Desktop\4wyevtsyFK.exeCode function: 1_2_1F50341B mov eax, dword ptr fs:[00000030h]1_2_1F50341B
Source: C:\Users\user\Desktop\4wyevtsyFK.exeCode function: 1_2_1F59A416 mov eax, dword ptr fs:[00000030h]1_2_1F59A416
Source: C:\Users\user\Desktop\4wyevtsyFK.exeCode function: 1_2_1F59A416 mov eax, dword ptr fs:[00000030h]1_2_1F59A416
Source: C:\Users\user\Desktop\4wyevtsyFK.exeCode function: 1_2_1F4EEC01 mov eax, dword ptr fs:[00000030h]1_2_1F4EEC01
Source: C:\Users\user\Desktop\4wyevtsyFK.exeCode function: 1_2_1F4EEC01 mov eax, dword ptr fs:[00000030h]1_2_1F4EEC01
Source: C:\Users\user\Desktop\4wyevtsyFK.exeCode function: 1_2_1F4EEC01 mov eax, dword ptr fs:[00000030h]1_2_1F4EEC01
Source: C:\Users\user\Desktop\4wyevtsyFK.exeCode function: 1_2_1F4EEC01 mov eax, dword ptr fs:[00000030h]1_2_1F4EEC01
Source: C:\Users\user\Desktop\4wyevtsyFK.exeCode function: 1_2_1F4F1410 mov ecx, dword ptr fs:[00000030h]1_2_1F4F1410
Source: C:\Users\user\Desktop\4wyevtsyFK.exeCode function: 1_2_1F500430 mov eax, dword ptr fs:[00000030h]1_2_1F500430
Source: C:\Users\user\Desktop\4wyevtsyFK.exeCode function: 1_2_1F4FF42B mov eax, dword ptr fs:[00000030h]1_2_1F4FF42B
Source: C:\Users\user\Desktop\4wyevtsyFK.exeCode function: 1_2_1F4FF42B mov eax, dword ptr fs:[00000030h]1_2_1F4FF42B
Source: C:\Users\user\Desktop\4wyevtsyFK.exeCode function: 1_2_1F4FF42B mov eax, dword ptr fs:[00000030h]1_2_1F4FF42B
Source: C:\Users\user\Desktop\4wyevtsyFK.exeCode function: 1_2_1F4FF42B mov eax, dword ptr fs:[00000030h]1_2_1F4FF42B
Source: C:\Users\user\Desktop\4wyevtsyFK.exeCode function: 1_2_1F4FF42B mov eax, dword ptr fs:[00000030h]1_2_1F4FF42B
Source: C:\Users\user\Desktop\4wyevtsyFK.exeCode function: 1_2_1F4FF42B mov eax, dword ptr fs:[00000030h]1_2_1F4FF42B
Source: C:\Users\user\Desktop\4wyevtsyFK.exeCode function: 1_2_1F4EA423 mov eax, dword ptr fs:[00000030h]1_2_1F4EA423
Source: C:\Users\user\Desktop\4wyevtsyFK.exeCode function: 1_2_1F4EA423 mov eax, dword ptr fs:[00000030h]1_2_1F4EA423
Source: C:\Users\user\Desktop\4wyevtsyFK.exeCode function: 1_2_1F4EA423 mov eax, dword ptr fs:[00000030h]1_2_1F4EA423
Source: C:\Users\user\Desktop\4wyevtsyFK.exeCode function: 1_2_1F563C38 mov eax, dword ptr fs:[00000030h]1_2_1F563C38
Source: C:\Users\user\Desktop\4wyevtsyFK.exeCode function: 1_2_1F590C29 mov eax, dword ptr fs:[00000030h]1_2_1F590C29
Source: C:\Users\user\Desktop\4wyevtsyFK.exeCode function: 1_2_1F4FE4C6 mov eax, dword ptr fs:[00000030h]1_2_1F4FE4C6
Source: C:\Users\user\Desktop\4wyevtsyFK.exeCode function: 1_2_1F4FE4C6 mov eax, dword ptr fs:[00000030h]1_2_1F4FE4C6
Source: C:\Users\user\Desktop\4wyevtsyFK.exeCode function: 1_2_1F4DACC0 mov eax, dword ptr fs:[00000030h]1_2_1F4DACC0
Source: C:\Users\user\Desktop\4wyevtsyFK.exeCode function: 1_2_1F4E1CDD mov eax, dword ptr fs:[00000030h]1_2_1F4E1CDD
Source: C:\Users\user\Desktop\4wyevtsyFK.exeCode function: 1_2_1F4E1CDD mov eax, dword ptr fs:[00000030h]1_2_1F4E1CDD
Source: C:\Users\user\Desktop\4wyevtsyFK.exeCode function: 1_2_1F4E1CDD mov eax, dword ptr fs:[00000030h]1_2_1F4E1CDD
Source: C:\Users\user\Desktop\4wyevtsyFK.exeCode function: 1_2_1F5A84CD mov eax, dword ptr fs:[00000030h]1_2_1F5A84CD
Source: C:\Users\user\Desktop\4wyevtsyFK.exeCode function: 1_2_1F4D4CD0 mov eax, dword ptr fs:[00000030h]1_2_1F4D4CD0
Source: C:\Users\user\Desktop\4wyevtsyFK.exeCode function: 1_2_1F5944EF mov eax, dword ptr fs:[00000030h]1_2_1F5944EF
Source: C:\Users\user\Desktop\4wyevtsyFK.exeCode function: 1_2_1F5944EF mov eax, dword ptr fs:[00000030h]1_2_1F5944EF
Source: C:\Users\user\Desktop\4wyevtsyFK.exeCode function: 1_2_1F5944EF mov eax, dword ptr fs:[00000030h]1_2_1F5944EF
Source: C:\Users\user\Desktop\4wyevtsyFK.exeCode function: 1_2_1F5944EF mov eax, dword ptr fs:[00000030h]1_2_1F5944EF
Source: C:\Users\user\Desktop\4wyevtsyFK.exeCode function: 1_2_1F5944EF mov eax, dword ptr fs:[00000030h]1_2_1F5944EF
Source: C:\Users\user\Desktop\4wyevtsyFK.exeCode function: 1_2_1F5944EF mov eax, dword ptr fs:[00000030h]1_2_1F5944EF
Source: C:\Users\user\Desktop\4wyevtsyFK.exeCode function: 1_2_1F5944EF mov eax, dword ptr fs:[00000030h]1_2_1F5944EF
Source: C:\Users\user\Desktop\4wyevtsyFK.exeCode function: 1_2_1F5944EF mov eax, dword ptr fs:[00000030h]1_2_1F5944EF
Source: C:\Users\user\Desktop\4wyevtsyFK.exeCode function: 1_2_1F5944EF mov eax, dword ptr fs:[00000030h]1_2_1F5944EF
Source: C:\Users\user\Desktop\4wyevtsyFK.exeCode function: 1_2_1F5944EF mov eax, dword ptr fs:[00000030h]1_2_1F5944EF
Source: C:\Users\user\Desktop\4wyevtsyFK.exeCode function: 1_2_1F5944EF mov eax, dword ptr fs:[00000030h]1_2_1F5944EF
Source: C:\Users\user\Desktop\4wyevtsyFK.exeCode function: 1_2_1F5944EF mov eax, dword ptr fs:[00000030h]1_2_1F5944EF
Source: C:\Users\user\Desktop\4wyevtsyFK.exeCode function: 1_2_1F5944EF mov eax, dword ptr fs:[00000030h]1_2_1F5944EF
Source: C:\Users\user\Desktop\4wyevtsyFK.exeCode function: 1_2_1F5944EF mov eax, dword ptr fs:[00000030h]1_2_1F5944EF
Source: C:\Users\user\Desktop\4wyevtsyFK.exeCode function: 1_2_1F4D2CFB mov eax, dword ptr fs:[00000030h]1_2_1F4D2CFB
Source: C:\Users\user\Desktop\4wyevtsyFK.exeCode function: 1_2_1F4E1C8E mov eax, dword ptr fs:[00000030h]1_2_1F4E1C8E
Source: C:\Users\user\Desktop\4wyevtsyFK.exeCode function: 1_2_1F4E1C8E mov eax, dword ptr fs:[00000030h]1_2_1F4E1C8E
Source: C:\Users\user\Desktop\4wyevtsyFK.exeCode function: 1_2_1F4E1C8E mov eax, dword ptr fs:[00000030h]1_2_1F4E1C8E
Source: C:\Users\user\Desktop\4wyevtsyFK.exeCode function: 1_2_1F4E1C8E mov ecx, dword ptr fs:[00000030h]1_2_1F4E1C8E
Source: C:\Users\user\Desktop\4wyevtsyFK.exeCode function: 1_2_1F4E1C8E mov eax, dword ptr fs:[00000030h]1_2_1F4E1C8E
Source: C:\Users\user\Desktop\4wyevtsyFK.exeCode function: 1_2_1F4E1C8E mov eax, dword ptr fs:[00000030h]1_2_1F4E1C8E
Source: C:\Users\user\Desktop\4wyevtsyFK.exeCode function: 1_2_1F590C9A mov eax, dword ptr fs:[00000030h]1_2_1F590C9A
Source: C:\Users\user\Desktop\4wyevtsyFK.exeCode function: 1_2_1F4E7488 mov eax, dword ptr fs:[00000030h]1_2_1F4E7488
Source: C:\Users\user\Desktop\4wyevtsyFK.exeCode function: 1_2_1F593490 mov eax, dword ptr fs:[00000030h]1_2_1F593490
Source: C:\Users\user\Desktop\4wyevtsyFK.exeCode function: 1_2_1F593490 mov eax, dword ptr fs:[00000030h]1_2_1F593490
Source: C:\Users\user\Desktop\4wyevtsyFK.exeCode function: 1_2_1F593490 mov eax, dword ptr fs:[00000030h]1_2_1F593490
Source: C:\Users\user\Desktop\4wyevtsyFK.exeCode function: 1_2_1F593490 mov eax, dword ptr fs:[00000030h]1_2_1F593490
Source: C:\Users\user\Desktop\4wyevtsyFK.exeCode function: 1_2_1F593490 mov eax, dword ptr fs:[00000030h]1_2_1F593490
Source: C:\Users\user\Desktop\4wyevtsyFK.exeCode function: 1_2_1F593490 mov eax, dword ptr fs:[00000030h]1_2_1F593490
Source: C:\Users\user\Desktop\4wyevtsyFK.exeCode function: 1_2_1F593490 mov eax, dword ptr fs:[00000030h]1_2_1F593490
Source: C:\Users\user\Desktop\4wyevtsyFK.exeCode function: 1_2_1F593490 mov eax, dword ptr fs:[00000030h]1_2_1F593490
Source: C:\Users\user\Desktop\4wyevtsyFK.exeCode function: 1_2_1F593490 mov eax, dword ptr fs:[00000030h]1_2_1F593490
Source: C:\Users\user\Desktop\4wyevtsyFK.exeCode function: 1_2_1F593490 mov eax, dword ptr fs:[00000030h]1_2_1F593490
Source: C:\Users\user\Desktop\4wyevtsyFK.exeCode function: 1_2_1F593490 mov eax, dword ptr fs:[00000030h]1_2_1F593490
Source: C:\Users\user\Desktop\4wyevtsyFK.exeCode function: 1_2_1F593490 mov eax, dword ptr fs:[00000030h]1_2_1F593490
Source: C:\Users\user\Desktop\4wyevtsyFK.exeCode function: 1_2_1F4D14A0 mov eax, dword ptr fs:[00000030h]1_2_1F4D14A0
Source: C:\Users\user\Desktop\4wyevtsyFK.exeCode function: 1_2_1F501356 mov eax, dword ptr fs:[00000030h]1_2_1F501356
Source: C:\Users\user\Desktop\4wyevtsyFK.exeCode function: 1_2_1F501356 mov eax, dword ptr fs:[00000030h]1_2_1F501356
Source: C:\Users\user\Desktop\4wyevtsyFK.exeCode function: 1_2_1F501356 mov eax, dword ptr fs:[00000030h]1_2_1F501356
Source: C:\Users\user\Desktop\4wyevtsyFK.exeCode function: 1_2_1F501356 mov eax, dword ptr fs:[00000030h]1_2_1F501356
Source: C:\Users\user\Desktop\4wyevtsyFK.exeCode function: 1_2_1F501356 mov eax, dword ptr fs:[00000030h]1_2_1F501356
Source: C:\Users\user\Desktop\4wyevtsyFK.exeCode function: 1_2_1F501356 mov eax, dword ptr fs:[00000030h]1_2_1F501356
Source: C:\Users\user\Desktop\4wyevtsyFK.exeCode function: 1_2_1F501356 mov eax, dword ptr fs:[00000030h]1_2_1F501356
Source: C:\Users\user\Desktop\4wyevtsyFK.exeCode function: 1_2_1F591351 mov eax, dword ptr fs:[00000030h]1_2_1F591351
Source: C:\Users\user\Desktop\4wyevtsyFK.exeCode function: 1_2_1F5A8356 mov eax, dword ptr fs:[00000030h]1_2_1F5A8356
Source: C:\Users\user\Desktop\4wyevtsyFK.exeCode function: 1_2_1F4FFB40 mov eax, dword ptr fs:[00000030h]1_2_1F4FFB40
Source: C:\Users\user\Desktop\4wyevtsyFK.exeCode function: 1_2_1F4FFB40 mov eax, dword ptr fs:[00000030h]1_2_1F4FFB40
Source: C:\Users\user\Desktop\4wyevtsyFK.exeCode function: 1_2_1F4FFB40 mov eax, dword ptr fs:[00000030h]1_2_1F4FFB40
Source: C:\Users\user\Desktop\4wyevtsyFK.exeCode function: 1_2_1F4FFB40 mov eax, dword ptr fs:[00000030h]1_2_1F4FFB40
Source: C:\Users\user\Desktop\4wyevtsyFK.exeCode function: 1_2_1F4FFB40 mov eax, dword ptr fs:[00000030h]1_2_1F4FFB40
Source: C:\Users\user\Desktop\4wyevtsyFK.exeCode function: 1_2_1F4FFB40 mov eax, dword ptr fs:[00000030h]1_2_1F4FFB40
Source: C:\Users\user\Desktop\4wyevtsyFK.exeCode function: 1_2_1F59E362 mov eax, dword ptr fs:[00000030h]1_2_1F59E362
Source: C:\Users\user\Desktop\4wyevtsyFK.exeCode function: 1_2_1F51536C mov eax, dword ptr fs:[00000030h]1_2_1F51536C
Source: C:\Users\user\Desktop\4wyevtsyFK.exeCode function: 1_2_1F51536C mov eax, dword ptr fs:[00000030h]1_2_1F51536C
Source: C:\Users\user\Desktop\4wyevtsyFK.exeCode function: 1_2_1F4EE370 mov eax, dword ptr fs:[00000030h]1_2_1F4EE370
Source: C:\Users\user\Desktop\4wyevtsyFK.exeCode function: 1_2_1F4EE370 mov eax, dword ptr fs:[00000030h]1_2_1F4EE370
Source: C:\Users\user\Desktop\4wyevtsyFK.exeCode function: 1_2_1F4EE370 mov eax, dword ptr fs:[00000030h]1_2_1F4EE370
Source: C:\Users\user\Desktop\4wyevtsyFK.exeCode function: 1_2_1F50AB0C mov eax, dword ptr fs:[00000030h]1_2_1F50AB0C
Source: C:\Users\user\Desktop\4wyevtsyFK.exeCode function: 1_2_1F50AB0C mov eax, dword ptr fs:[00000030h]1_2_1F50AB0C
Source: C:\Users\user\Desktop\4wyevtsyFK.exeCode function: 1_2_1F4DC330 mov eax, dword ptr fs:[00000030h]1_2_1F4DC330
Source: C:\Users\user\Desktop\4wyevtsyFK.exeCode function: 1_2_1F4DC330 mov eax, dword ptr fs:[00000030h]1_2_1F4DC330
Source: C:\Users\user\Desktop\4wyevtsyFK.exeCode function: 1_2_1F4DC330 mov eax, dword ptr fs:[00000030h]1_2_1F4DC330
Source: C:\Users\user\Desktop\4wyevtsyFK.exeCode function: 1_2_1F5913D8 mov eax, dword ptr fs:[00000030h]1_2_1F5913D8
Source: C:\Users\user\Desktop\4wyevtsyFK.exeCode function: 1_2_1F563BD8 mov eax, dword ptr fs:[00000030h]1_2_1F563BD8
Source: C:\Users\user\Desktop\4wyevtsyFK.exeCode function: 1_2_1F5063C2 mov ecx, dword ptr fs:[00000030h]1_2_1F5063C2
Source: C:\Users\user\Desktop\4wyevtsyFK.exeCode function: 1_2_1F5063C2 mov ecx, dword ptr fs:[00000030h]1_2_1F5063C2
Source: C:\Users\user\Desktop\4wyevtsyFK.exeCode function: 1_2_1F5063C2 mov eax, dword ptr fs:[00000030h]1_2_1F5063C2
Source: C:\Users\user\Desktop\4wyevtsyFK.exeCode function: 1_2_1F5063C2 mov ecx, dword ptr fs:[00000030h]1_2_1F5063C2
Source: C:\Users\user\Desktop\4wyevtsyFK.exeCode function: 1_2_1F5063C2 mov ecx, dword ptr fs:[00000030h]1_2_1F5063C2
Source: C:\Users\user\Desktop\4wyevtsyFK.exeCode function: 1_2_1F5063C2 mov eax, dword ptr fs:[00000030h]1_2_1F5063C2
Source: C:\Users\user\Desktop\4wyevtsyFK.exeCode function: 1_2_1F5063C2 mov ecx, dword ptr fs:[00000030h]1_2_1F5063C2
Source: C:\Users\user\Desktop\4wyevtsyFK.exeCode function: 1_2_1F5063C2 mov ecx, dword ptr fs:[00000030h]1_2_1F5063C2
Source: C:\Users\user\Desktop\4wyevtsyFK.exeCode function: 1_2_1F5063C2 mov eax, dword ptr fs:[00000030h]1_2_1F5063C2
Source: C:\Users\user\Desktop\4wyevtsyFK.exeCode function: 1_2_1F5063C2 mov ecx, dword ptr fs:[00000030h]1_2_1F5063C2
Source: C:\Users\user\Desktop\4wyevtsyFK.exeCode function: 1_2_1F5063C2 mov ecx, dword ptr fs:[00000030h]1_2_1F5063C2
Source: C:\Users\user\Desktop\4wyevtsyFK.exeCode function: 1_2_1F5063C2 mov eax, dword ptr fs:[00000030h]1_2_1F5063C2
Source: C:\Users\user\Desktop\4wyevtsyFK.exeCode function: 1_2_1F519BC7 mov eax, dword ptr fs:[00000030h]1_2_1F519BC7
Source: C:\Users\user\Desktop\4wyevtsyFK.exeCode function: 1_2_1F4DF3E0 mov eax, dword ptr fs:[00000030h]1_2_1F4DF3E0
Source: C:\Users\user\Desktop\4wyevtsyFK.exeCode function: 1_2_1F4DF3E0 mov eax, dword ptr fs:[00000030h]1_2_1F4DF3E0
Source: C:\Users\user\Desktop\4wyevtsyFK.exeCode function: 1_2_1F4DF3E0 mov eax, dword ptr fs:[00000030h]1_2_1F4DF3E0
Source: C:\Users\user\Desktop\4wyevtsyFK.exeCode function: 1_2_1F50ABFE mov eax, dword ptr fs:[00000030h]1_2_1F50ABFE
Source: C:\Users\user\Desktop\4wyevtsyFK.exeCode function: 1_2_1F50ABFE mov eax, dword ptr fs:[00000030h]1_2_1F50ABFE
Source: C:\Users\user\Desktop\4wyevtsyFK.exeCode function: 1_2_1F504B96 mov eax, dword ptr fs:[00000030h]1_2_1F504B96
Source: C:\Users\user\Desktop\4wyevtsyFK.exeCode function: 1_2_1F504B96 mov eax, dword ptr fs:[00000030h]1_2_1F504B96
Source: C:\Users\user\Desktop\4wyevtsyFK.exeCode function: 1_2_1F504B96 mov eax, dword ptr fs:[00000030h]1_2_1F504B96
Source: C:\Users\user\Desktop\4wyevtsyFK.exeCode function: 1_2_1F504B96 mov eax, dword ptr fs:[00000030h]1_2_1F504B96
Source: C:\Users\user\Desktop\4wyevtsyFK.exeCode function: 1_2_1F504B96 mov eax, dword ptr fs:[00000030h]1_2_1F504B96
Source: C:\Users\user\Desktop\4wyevtsyFK.exeCode function: 1_2_1F516399 mov eax, dword ptr fs:[00000030h]1_2_1F516399
Source: C:\Users\user\Desktop\4wyevtsyFK.exeCode function: 1_2_1F516399 mov eax, dword ptr fs:[00000030h]1_2_1F516399
Source: C:\Users\user\Desktop\4wyevtsyFK.exeCode function: 1_2_1F516399 mov eax, dword ptr fs:[00000030h]1_2_1F516399
Source: C:\Users\user\Desktop\4wyevtsyFK.exeCode function: 1_2_1F599B89 mov eax, dword ptr fs:[00000030h]1_2_1F599B89
Source: C:\Users\user\Desktop\4wyevtsyFK.exeCode function: 1_2_1F599B89 mov ecx, dword ptr fs:[00000030h]1_2_1F599B89
Source: C:\Users\user\Desktop\4wyevtsyFK.exeCode function: 1_2_1F554BBE mov eax, dword ptr fs:[00000030h]1_2_1F554BBE
Source: C:\Users\user\Desktop\4wyevtsyFK.exeCode function: 1_2_1F554BBE mov eax, dword ptr fs:[00000030h]1_2_1F554BBE
Source: C:\Users\user\Desktop\4wyevtsyFK.exeCode function: 1_2_1F554BBE mov eax, dword ptr fs:[00000030h]1_2_1F554BBE
Source: C:\Users\user\Desktop\4wyevtsyFK.exeCode function: 1_2_1F554BBE mov eax, dword ptr fs:[00000030h]1_2_1F554BBE
Source: C:\Users\user\Desktop\4wyevtsyFK.exeCode function: 1_2_1F50BBBC mov eax, dword ptr fs:[00000030h]1_2_1F50BBBC
Source: C:\Users\user\Desktop\4wyevtsyFK.exeCode function: 1_2_1F5563A6 mov eax, dword ptr fs:[00000030h]1_2_1F5563A6
Source: C:\Users\user\Desktop\4wyevtsyFK.exeCode function: 1_2_1F4D4BB4 mov edi, dword ptr fs:[00000030h]1_2_1F4D4BB4
Source: C:\Users\user\Desktop\4wyevtsyFK.exeCode function: 1_2_1F5943A4 mov eax, dword ptr fs:[00000030h]1_2_1F5943A4
Source: C:\Users\user\Desktop\4wyevtsyFK.exeCode function: 1_2_1F5943A4 mov eax, dword ptr fs:[00000030h]1_2_1F5943A4
Source: C:\Users\user\Desktop\4wyevtsyFK.exeCode function: 1_2_1F5943A4 mov eax, dword ptr fs:[00000030h]1_2_1F5943A4
Source: C:\Users\user\Desktop\4wyevtsyFK.exeCode function: 1_2_1F5943A4 mov eax, dword ptr fs:[00000030h]1_2_1F5943A4
Source: C:\Users\user\Desktop\4wyevtsyFK.exeCode function: 1_2_1F504A5B mov eax, dword ptr fs:[00000030h]1_2_1F504A5B
Source: C:\Users\user\Desktop\4wyevtsyFK.exeCode function: 1_2_1F504A5B mov eax, dword ptr fs:[00000030h]1_2_1F504A5B
Source: C:\Users\user\Desktop\4wyevtsyFK.exeCode function: 1_2_1F4D4A40 mov eax, dword ptr fs:[00000030h]1_2_1F4D4A40
Source: C:\Users\user\Desktop\4wyevtsyFK.exeCode function: 1_2_1F4D4A40 mov eax, dword ptr fs:[00000030h]1_2_1F4D4A40
Source: C:\Users\user\Desktop\4wyevtsyFK.exeCode function: 1_2_1F591243 mov eax, dword ptr fs:[00000030h]1_2_1F591243
Source: C:\Users\user\Desktop\4wyevtsyFK.exeCode function: 1_2_1F591A71 mov eax, dword ptr fs:[00000030h]1_2_1F591A71
Source: C:\Users\user\Desktop\4wyevtsyFK.exeCode function: 1_2_1F5A0A74 mov eax, dword ptr fs:[00000030h]1_2_1F5A0A74
Source: C:\Users\user\Desktop\4wyevtsyFK.exeCode function: 1_2_1F4D5275 mov eax, dword ptr fs:[00000030h]1_2_1F4D5275
Source: C:\Users\user\Desktop\4wyevtsyFK.exeCode function: 1_2_1F4D5275 mov eax, dword ptr fs:[00000030h]1_2_1F4D5275
Source: C:\Users\user\Desktop\4wyevtsyFK.exeCode function: 1_2_1F4D5275 mov eax, dword ptr fs:[00000030h]1_2_1F4D5275
Source: C:\Users\user\Desktop\4wyevtsyFK.exeCode function: 1_2_1F4D5275 mov eax, dword ptr fs:[00000030h]1_2_1F4D5275
Source: C:\Users\user\Desktop\4wyevtsyFK.exeCode function: 1_2_1F4D5275 mov eax, dword ptr fs:[00000030h]1_2_1F4D5275
Source: C:\Users\user\Desktop\4wyevtsyFK.exeCode function: 1_2_1F50EA6E mov eax, dword ptr fs:[00000030h]1_2_1F50EA6E
Source: C:\Users\user\Desktop\4wyevtsyFK.exeCode function: 1_2_1F50EA6E mov eax, dword ptr fs:[00000030h]1_2_1F50EA6E
Source: C:\Users\user\Desktop\4wyevtsyFK.exeCode function: 1_2_1F50EA6E mov eax, dword ptr fs:[00000030h]1_2_1F50EA6E
Source: C:\Users\user\Desktop\4wyevtsyFK.exeCode function: 1_2_1F556A16 mov eax, dword ptr fs:[00000030h]1_2_1F556A16
Source: C:\Users\user\Desktop\4wyevtsyFK.exeCode function: 1_2_1F556A16 mov eax, dword ptr fs:[00000030h]1_2_1F556A16
Source: C:\Users\user\Desktop\4wyevtsyFK.exeCode function: 1_2_1F556A16 mov eax, dword ptr fs:[00000030h]1_2_1F556A16
Source: C:\Users\user\Desktop\4wyevtsyFK.exeCode function: 1_2_1F4D8209 mov eax, dword ptr fs:[00000030h]1_2_1F4D8209
Source: C:\Users\user\Desktop\4wyevtsyFK.exeCode function: 1_2_1F4D8209 mov eax, dword ptr fs:[00000030h]1_2_1F4D8209
Source: C:\Users\user\Desktop\4wyevtsyFK.exeCode function: 1_2_1F4D8209 mov eax, dword ptr fs:[00000030h]1_2_1F4D8209
Source: C:\Users\user\Desktop\4wyevtsyFK.exeCode function: 1_2_1F4D3200 mov eax, dword ptr fs:[00000030h]1_2_1F4D3200
Source: C:\Users\user\Desktop\4wyevtsyFK.exeCode function: 1_2_1F4D9210 mov eax, dword ptr fs:[00000030h]1_2_1F4D9210
Source: C:\Users\user\Desktop\4wyevtsyFK.exeCode function: 1_2_1F4D9210 mov eax, dword ptr fs:[00000030h]1_2_1F4D9210
Source: C:\Users\user\Desktop\4wyevtsyFK.exeCode function: 1_2_1F4D9210 mov eax, dword ptr fs:[00000030h]1_2_1F4D9210
Source: C:\Users\user\Desktop\4wyevtsyFK.exeCode function: 1_2_1F4D9210 mov eax, dword ptr fs:[00000030h]1_2_1F4D9210
Source: C:\Users\user\Desktop\4wyevtsyFK.exeCode function: 1_2_1F5A3A05 mov eax, dword ptr fs:[00000030h]1_2_1F5A3A05
Source: C:\Users\user\Desktop\4wyevtsyFK.exeCode function: 1_2_1F5A3A05 mov eax, dword ptr fs:[00000030h]1_2_1F5A3A05
Source: C:\Users\user\Desktop\4wyevtsyFK.exeCode function: 1_2_1F50523D mov eax, dword ptr fs:[00000030h]1_2_1F50523D
Source: C:\Users\user\Desktop\4wyevtsyFK.exeCode function: 1_2_1F50523D mov eax, dword ptr fs:[00000030h]1_2_1F50523D
Source: C:\Users\user\Desktop\4wyevtsyFK.exeCode function: 1_2_1F50523D mov eax, dword ptr fs:[00000030h]1_2_1F50523D
Source: C:\Users\user\Desktop\4wyevtsyFK.exeCode function: 1_2_1F50523D mov eax, dword ptr fs:[00000030h]1_2_1F50523D
Source: C:\Users\user\Desktop\4wyevtsyFK.exeCode function: 1_2_1F50523D mov eax, dword ptr fs:[00000030h]1_2_1F50523D
Source: C:\Users\user\Desktop\4wyevtsyFK.exeCode function: 1_2_1F50523D mov eax, dword ptr fs:[00000030h]1_2_1F50523D
Source: C:\Users\user\Desktop\4wyevtsyFK.exeCode function: 1_2_1F4D1AC0 mov eax, dword ptr fs:[00000030h]1_2_1F4D1AC0
Source: C:\Users\user\Desktop\4wyevtsyFK.exeCode function: 1_2_1F5022C3 mov eax, dword ptr fs:[00000030h]1_2_1F5022C3
Source: C:\Users\user\Desktop\4wyevtsyFK.exeCode function: 1_2_1F5022C3 mov eax, dword ptr fs:[00000030h]1_2_1F5022C3
Source: C:\Users\user\Desktop\4wyevtsyFK.exeCode function: 1_2_1F5022C3 mov eax, dword ptr fs:[00000030h]1_2_1F5022C3
Source: C:\Users\user\Desktop\4wyevtsyFK.exeCode function: 1_2_1F5912CA mov eax, dword ptr fs:[00000030h]1_2_1F5912CA
Source: C:\Users\user\Desktop\4wyevtsyFK.exeCode function: 1_2_1F56B2C0 mov eax, dword ptr fs:[00000030h]1_2_1F56B2C0
Source: C:\Users\user\Desktop\4wyevtsyFK.exeCode function: 1_2_1F56B2C0 mov ecx, dword ptr fs:[00000030h]1_2_1F56B2C0
Source: C:\Users\user\Desktop\4wyevtsyFK.exeCode function: 1_2_1F56B2C0 mov eax, dword ptr fs:[00000030h]1_2_1F56B2C0
Enables debug privileges
Source: C:\Users\user\Desktop\4wyevtsyFK.exe Process token adjusted: Debug
Contains functionality to register its own exception handler
Source: C:\Users\user\Desktop\4wyevtsyFK.exe Code function: 1_2_004F0C11 RtlAddVectoredExceptionHandler,NtProtectVirtualMemory,LdrInitializeThunk,NtProtectVirtualMemory

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe Network Connect: 184.168.131.241 80
Maps a DLL or memory area into another process
Source: C:\Users\user\Desktop\4wyevtsyFK.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\Desktop\4wyevtsyFK.exe Section loaded: unknown target: C:\Windows\SysWOW64\wscript.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Modifies the context of a thread in another process (thread injection)
Source: C:\Users\user\Desktop\4wyevtsyFK.exe Thread register set: target process: 2928
Source: C:\Windows\SysWOW64\wscript.exe Thread register set: target process: 2928
Queues an APC in another process (thread injection)
Source: C:\Users\user\Desktop\4wyevtsyFK.exe Thread APC queued: target process: C:\Windows\explorer.exe
Sample uses process hollowing technique
Source: C:\Users\user\Desktop\4wyevtsyFK.exe Section unmapped: C:\Windows\SysWOW64\wscript.exe base address: 100000
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\4wyevtsyFK.exe Process created: C:\Users\user\Desktop\4wyevtsyFK.exe 'C:\Users\user\Desktop\4wyevtsyFK.exe'
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\4wyevtsyFK.exe'
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\cmd.exe /c copy 'C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data' 'C:\Users\user\AppData\Local\Temp\DB1' /V
May try to detect the Windows Explorer process (often used for injection)
Source: explorer.exe, 00000002.00000000.772468687.0000000001170000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000002.00000000.772468687.0000000001170000.00000002.00000001.sdmp Binary or memory string: Progman
Source: explorer.exe, 00000002.00000000.772468687.0000000001170000.00000002.00000001.sdmp Binary or memory string: hProgram ManagerWE
Source: explorer.exe, 00000002.00000000.772468687.0000000001170000.00000002.00000001.sdmp Binary or memory string: Progmanlock
Source: explorer.exe, 00000002.00000000.771084067.0000000000A30000.00000004.00000020.sdmp Binary or memory string: Progman{
Source: explorer.exe, 00000002.00000000.771084067.0000000000A30000.00000004.00000020.sdmp Binary or memory string: PProgmancci\Ap

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\SysWOW64\wscript.exe Queries volume information: C:\ VolumeInformation

Stealing of Sensitive Information:

Yara detected FormBook
Source: Yara match File source: 00000001.00000002.814678100.000000001F290000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.810878495.00000000000A0000.00000040.00000001.sdmp, type: MEMORY
Yara detected Generic Dropper
Source: Yara match File source: Process Memory Space: 4wyevtsyFK.exe PID: 5076, type: MEMORY
Yara detected Lokibot
Source: Yara match File source: Process Memory Space: 4wyevtsyFK.exe PID: 4848, type: MEMORY
Source: Yara match File source: Process Memory Space: 4wyevtsyFK.exe PID: 5076, type: MEMORY
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Windows\SysWOW64\wscript.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles\6c4zjj0s.default\key4.db
Source: C:\Windows\SysWOW64\wscript.exe File opened: C:\Users\user\AppData\Roaming\Opera Software\Opera Stable\Login Data
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\SysWOW64\wscript.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles\6c4zjj0s.default\cert9.db
Source: C:\Windows\SysWOW64\wscript.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles\6c4zjj0s.default\pkcs11.txt
Source: C:\Windows\SysWOW64\wscript.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles\6c4zjj0s.default\logins.json
Source: C:\Windows\SysWOW64\wscript.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Tries to steal Mail credentials (via file access)
Source: C:\Windows\SysWOW64\wscript.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

Remote Access Functionality:

Yara detected FormBook
Source: Yara match File source: 00000001.00000002.814678100.000000001F290000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.810878495.00000000000A0000.00000040.00000001.sdmp, type: MEMORY
Yara detected Lokibot
Source: Yara match File source: Process Memory Space: 4wyevtsyFK.exe PID: 4848, type: MEMORY
Source: Yara match File source: Process Memory Space: 4wyevtsyFK.exe PID: 5076, type: MEMORY

Malware Configuration

No configs have been found

Behavior Graph

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
Behavior Graph ID: 217091